The Red Badge of Clearance

When the cost of compromising security is too high

As palm trees and blue waves receded from the jet's window, I rolled a pencil between my fingers. On the pencil was the inscription "Security is Everyone's Responsibility." I was returning from a week-long trip to an Air Force base where I gave a Windows NT security seminar. The base I visited houses the US Special Operations Command and the military's Central Command. (Central Command protects the military's most sensitive information.) These organizations truly understand the importance of security.

I presented my NT security seminar to civilians and members of all four Service branches (i.e., Army, Navy, Air Force, Marines) at the community college on base. These folks are deep into NT and deep into security. The base employs security measures that demonstrate a good understanding of personal, physical, and informational security, as well as NT security strengths and weaknesses. For example, the folks at this base decided they couldn't afford a security breach, so they built two networks. I'll share what I can about the base's security in general and its security specific to NT.

Physical Security
I encountered the first security measures getting on the base. I had to register at the visitors' center just outside the main gate, where my sponsor signed for me. Getting on base was easy, which surprised me at first. After I provided personal ID and proof of car registration and insurance, the staff gave me a pass that let me enter the base for the rest of the week. The pass was a simple black and white form that a PC user could easily reproduce. But as I looked at everyone in line at the visitors' center, I realized the practicality of this somewhat loose security. Each day, scores of repair workers, students, and other visitors enter the base. The real security comes later.

Getting into the buildings was more difficult than getting on base. The base has barricades and additional gates to prevent unauthorized vehicles from getting close to buildings in the event of a car bombing. If you rush the gate, a device rams a projectile up through the front of the vehicle, effectively stopping the car and destroying its radiator and other entrails. I heard about a visiting dignitary's driver who followed an escort vehicle through a gate without letting the gate close and reopen for him. The dignitary needed a new car.

I presented my seminar on neutral ground in a college classroom. One day an attendee took me to his office during lunch to check my messages. As we walked across the base, I realized how aware everyone is of security. My escort directed my attention to the parking lot, where every car was backed in. "Notice how everyone is parked? The general calls it combat parking," he said. Immediately inside the building, I noticed entrance detectors. My escort swiped his magnetic badge through a card reader and approached a check-in counter. I self-consciously followed without authenticating myself to the detector. A brief alarm brought me to the attention of everyone in the area. At the counter, my escort signed for me and recorded the reason for my visit. I traded my driver's license for a bright red badge that declared I was a visitor and had zero clearance. The guard fastened the badge to my lapel, right over my heart--a nice target if I made a wrong move. As I followed my escort farther into the building, he said, "Stay with me the whole time. I have to escort you everywhere." He was right. When I visited the restroom, he waited dutifully outside the door.

When we reached my escort's area, he gave me a brief tour. Most employees were at lunch. Their desks were clean, and their computers were off or screen locked. "Before users leave, they must secure all papers in the digital safe," he said. "Nothing can be left out. In fact, the general policy is that nothing printed onsite leaves. In addition to department shredders, we have a huge shredding department in the basement." All the computers were NT workstations, and each had an empty drive bay and an A/B switch--which seemed insignificant at the time. A chart hung above the safe to record each user's entry and exit. Either no one had come to work in the past few weeks, or the chart wasn't up to date--the first of very few cases of noncompliance I saw. Getting people to perform mundane security procedures day after day is difficult, but this place is good.

Network Security
One day I had an opportunity to see one of the base's main computer rooms. My escort took me through building security again, down winding hallways, to the computer room's vestibule. As we signed in, my escort announced me as a red badge, and the security officer flipped a switch that produced no noticeable effect. We entered the computer room and passed a bank of nine monitors and a full battalion of Acer towers running NT Server. One monitor constantly cycled past each server's display. I noticed a red fire-engine light rotating on the ceiling, and I realized that the switch outside had turned it on, alerting everyone that a red badge was on deck.

I wondered how the base provided users with Internet access on such a critical network. I soon learned that users have Internet access at their workstations but not on the network. The mysterious A/B switches and empty drive bays I noticed before let users switch between workstation and network access.

The command and control departments on the base have two LANs: a classified LAN and an unclassified LAN. The classified LAN houses all the "I could tell you but then I'd have to kill you" information. The unclassified LAN provides Internet email and Web access. At no point does a router or other multiple-homed host connect the two LANs. For each LAN, a PC has a twisted pair cable that connects to an A/B switch on the computer. The user decides at start up time which LAN to access and selects the corresponding switch.

Security engineers went to great lengths to ensure that no information can flow from one LAN to the other. No computers or routers connect to both LANs, and you can't bring laptops or other computers into the building unless they have clearance. You also can't bring in or take out network cards, hard disks, or 3.5" disks without special authorization. Even the network cable is color-coded for each LAN to prevent accidental connection in technology rooms. The workstations have no disk drives, which prevents users from saving information from the classified LAN and later copying it to the unclassified LAN. All computers have password-enabled BIOSs to help prevent a user from adding a hard disk or disk drive that slips past security.

The Department of Defense (DoD) uses full NT functionality, including domains. Each workstation in a domain has an implicit trust relationship with the domain controller and trusts the domain controller when it authenticates a user. The trust relationship between a workstation and a domain controller is based on the rule that an NT computer can belong to only one domain. But each workstation must participate in the classified and unclassified domains. A simple method of providing this access is to install NT twice on the system's hard disk--once for each LAN or domain. During the initial NT installation, you can run winnt32.exe and install NT to a new directory such as c:winntalt. A startup menu appears with two entries: one pointing to winnt and the other to winntalt. Unfortunately, this method creates a security risk. Running two installations of NT Workstation on one hard disk lets a user easily save a file to the local hard disk while on the classified LAN and later copy the file to the other LAN after startup. Each NT installation can see the entire disk, including files someone created previously with another copy of NT.

To let users access the classified and unclassified LANs without creating security risks, the base's security engineers use removable hard disks. Each user has two hard disks with a copy of NT on each. When accessing the classified LAN, the user inserts the appropriate disk, flips the A/B switch to the appropriate LAN, and turns on the computer. At night, users remove the disks and store them in the local safe.

A problem occurs with this system if a user inserts the wrong hard disk or selects the wrong LAN. Because the computer is booting with the wrong NT installation, the workstation can't find the domain controller it trusts and the user can't log on to the domain. However, the user can still log on and access the local computer. This situation is possible because an NT computer that belongs to a domain caches the credentials of the past 10 successful logons. Thus, you can use your local computer with your domain account even if the network or all the domain controllers are down.

This feature introduces a host of security risks. In this dual LAN environment, you could use the A/B switch to select the classified LAN and boot your unclassified disk. Then you could log on to the local computer using your unclassified domain account. The local computer would authenticate you. At that point, you could perform normal activities involving only your local computer. But the security risks don't stop there. The implicit trust relationship between a workstation and the domain controller provides easy, centralized authentication, but you aren't limited by NT's default configuration. You can connect to resources on any NT computer on a physical network regardless of domain boundaries and implicit or explicit trust relationships. The Connect As field on explorer.exe and the /user: parameter on the NET USE command provide this capability. You can connect to a server in the classified domain by supplying your credentials for that domain. You can then copy classified information to the unclassified local hard disk and later switch to the other LAN and leak the information. Or you can work in the opposite direction, and download a network sniffer or other hacking tool from the Internet via the unclassified LAN, and use it on the classified LAN.

Base security engineers use two policies to solve this problem. First, they use a Registry tweak to disable the caching of previous logons. (For more information about disabling logon caches, see the Microsoft Support Online article "Cached Logon Information" at http://support.microsoft.com/support/kb/articles/q172/9/31.asp.) Second, security engineers ensure that users are not members of the Administrators group on their local computer and can't access any local user account. The domain controller that the local computer trusts must authenticate a user online before the user can access the local computer. If a user boots with the wrong hard disk, the user can't access any system, including the local computer. With the other measures taken, such as no disk drives, the classified LAN is effectively isolated.

The Central Command personnel are a security-conscious group. They run NTCrack weekly to monitor password strength, and they have a sophisticated program filter that prevents users from executing unauthorized programs. They load service packs and hotfixes promptly, which is a simple measure that many organizations in the IS community neglect, often with tragic consequences.

I wondered about a few other security items. When I asked how difficult tapping into the LAN between buildings would be, I learned that the network outside any building on the base is encrypted with special National Security Agency (NSA) algorithms. I also asked about the use of Dynamic Host Configuration Protocol. DHCP lets an unauthorized computer connect to a network and obtain a valid IP address, the first step in penetration. Both of the base's LANs use DHCP. Security might be tighter without DHCP and with a tightly controlled range of manually assigned IP addresses instead. Administrators could set up routers and hosts to disregard source addresses outside the valid range. An intruder would then have to spoof an existing IP address to penetrate. This method would be a nightmare to administer in a LAN of any size, so I can understand why this base relies on physical security.

An old security adage is, "Don't spend more protecting something than it will cost you if security is compromised." For most organizations, this adage means living with links to untrusted networks (such as the Internet) on the network where you keep proprietary information. If your LAN connects to the Internet, hackers can and will access your network. Your containment and response measures need to acknowledge this fact. However, no lock is impenetrable. If you can't afford an intrusion, don't get a better lock--replace the door with a wall.