CMPT 585- Computer and Data Security
Professor: Dr Stefan Robila
Table of Contents
I. Abstract
II. Definition
III. Architecture (Fig 1)
IV. Introduction
V. Security Within the Organization
i. Physical Security
ii. Domain Controller
iii. Web Server
iv. File Server
v. Mail Server
vi. Print Server
vii. Application Server
viii. Database Server
ix. Security and Monitoring Server
Security Components of the Intranet
VI. Security Against the Extranet
iv. NAT Connection
VII. Conclusion
Montclair State University 2 Fall2004
While much importance is given to protecting one's data and confidential information
from outside one's boundaries, little is said about the risks involved inside the
organization. Users inside an organization have direct physical access to confidential
information and are well aware of the resource access controls. Hence securing the
intranet from its trusted users becomes critical. Statistics show that 80% of all computer
fraud is committed by internal end users.
This paper briefly explains the definition and the architecture of the intranet and
discusses the physical security of the intranet components and the security of the
organization's data, both from internal users and from the outside world (Internet).
The web defines an intranet as a private network inside a company or organization, which
uses software like that used on the Internet, but is for internal use only, and is not
accessible to the public. Companies use Intranets to manage projects, provide employee
information, distribute and share data and information.
III. Intranet Architecture
Fig 1 - Showing the Intranet Architecture
Fig 1 shows the various components in the Intranet Architecture and how each
component is connected to various other components in the network. The security of each
component physically as well as the policies and practices that make these components
secure from within the organization and the components that protect the Intranet from the
outside world (Internet) are analyzed and discussed in detail in the rest of this paper.
V. Security within the Organization
i. Physical security
This security is easy to implement. The servers and network devices are kept in a
secure room with security locks or swipe card access, and only authorized personnel are
allowed entry. Overall, the entire building is protected and guarded by a security
ii. Domain Controller
Domain Controller is a concept used in the Microsoft, UNIX, and Linux operating
systems whereby a user may be granted access to a number of computer resources with
the use of a unique user name and password combination. It also takes care of IP address
assignment for workstations and servers. This server is protected by the following
o Creating a domain security policy and implementing it on the server. It means that
only the administrator can access this server locally and remotely.
o Installing antivirus software and definitions
o Installing security patches and service packs
o Disabling unwanted devices, such as USB and parallel port devices, on the server.
iii. Web server
The organization's website is hosted on the web server. Internally it is protected from the
users via folder rights. Only the administrator or the webmaster has the rights to change
the contents of the website. It is protected from the external world by the firewall and the
DMZ network via web filter techniques. Symantec, McAfee, Check Point, etc. can be
used as web filter software to monitor and prevent hackers from destroying the web
iv. File server
All the users' files are saved on this server. Usually it has three levels of security:
personal (single-user access), group (department access) and public (access to all
departments in the company). It is protected by antivirus software, through updated
security patches, and by frequent backup. Access from outside the company is achieved
through Virtual Private Network and protected through firewall and DMZ. As always the
system administrator has full access to this server for maintenance and backup.
v. Mail server
The users' emails are stored in some encrypted format in the mail server. Only the
administrator has the rights to access and perform maintenance on the mail server locally
or remotely. The users have access only to their email folders. The mail server is
protected from the outside through the firewall and DMZ network. The mail filter in the
DMZ network filters spam and unwanted email attempts both from outside and from
inside the organization. For example, if a user on the inside sends a resume or unwanted
emails, or tries to visit pornographic websites, it is blocked by the mail filter. The
mail filter also scans email for viruses, worms and Trojan horses thus protecting the mail
server and the user workstations.
vi. Print Server
This server networks all the printers within the organization. It monitors all activity and
keeps a log. It is protected by regular antivirus software updates and security patch
updates. Only the administrator can access this system and make necessary changes.
vii. Application Server
This server holds all of the application software that is needed by the users, for example
Office, Visio, etc. The application software can be installed on the workstations by just
mapping on to the application server. This provides for proper inventory and software
viii. Database Server
The database server holds the database software and the database files. It is protected by
antivirus software and database security updates.
I) Internal security
Every database has several levels of security access.
i. Administrator access rights- Can install database software and
maintain the database server.
ii. Programmer access rights- Limited to their programming needs.
iii. Data entry access rights- read and write access to the database
iv. User access rights- read only access
II) External security
External access takes place through the VPN and is protected by the firewall and
ix. Security and Monitoring Server
This server monitors all the components of the Intranet. It does intelligent updates of antivirus
software, security patches and service packs on all the servers and workstations. For
example, if there is a service pack update from Microsoft, it is installed on this server and
is then pushed to all other servers and workstations. It also gives a detailed report on the user
activities on the workstations and administrative activities on the servers.
The list below gives some suggestions for security measures that should generally be
implemented on all workstations, whether new or existing. Further measures may be
implemented as resources allow. This list only gives some starting points; it is not
exhaustive. In addition, it only provides information on what to do, not how to do it.
1. Password security is one of your best defenses. Use strong Administrator
passwords — i.e. mix upper and lower case, numbers and special characters, and
make them long — with Windows 2000 you can go longer than 14 characters, which
can have its advantages.
2. Default password and account policies are practically non-existent. Implement
better user password and lockout policies — consider using passfilt or an
alternative for password complexity, set a minimum password length and educate
3. Never make ordinary users members of Administrator groups.
4. Check for copies of the SAM (Security Account Manager) that everyone can read
and secure them (e.g. created by backup software.)
5. Turn on auditing and review your logs regularly.
6. If possible, implement the following registry key changes —
   o Restrictions for Anonymous Users
   o LAN Manager Authentication Level
   o Send Unencrypted Password to SMB Servers
7. Where time permits, review NTFS permissions and tighten file system security
(particularly on WinNT; Win2000 is better.)
8. Review Share permissions.
9. Disable the default "Guest" username.
10. Confirm that non-common passwords are on every user account. Consider
non-common user names also.
11. The Administrator Account cannot be disabled.
12. Be careful with permissions. Do not use Guests, Everyone or other
unauthenticated users. The Everyone group contains people you don't know.
If the Guest account is enabled, users from other "trusted" domains can gain
access. It is better to set up permissions with "Domain Users" or even
"Authenticated Users". Everyone is a wide-open special group that you have very
little control over.
13. Disable file/printer sharing for TCP/IP and use only printer and file server.
14. When file sharing is necessary, restrict scope and time available. Turn off when
15. Review Installation and Boot Process in Event Viewer
16. Set Event Viewer Log Size and Wrap Setting
17. Disable Unnecessary Services
18. Set proper Paging File Sizing and Placement.
19. Keep operating system security hot fixes up to date (but take care and back up
before applying them.)
20. Apply security patches to other major software, e.g. IIS, SQL Server, Exchange,
Virus, etc.
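For item 6, one way to check the three settings offline against an exported .reg file (an added example, not part of the original paper). The registry value names are the standard Windows ones for these settings; the pass thresholds, the function names and the sample export are assumptions constructed for illustration.

```python
import re

# Value names are the standard Windows ones for the three settings in item 6.
# The pass thresholds are an assumed policy, not values given in the paper.
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WKS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
BASELINE = [
    (LSA, "RestrictAnonymous", lambda v: v >= 1, ">= 1, restrict anonymous access"),
    (LSA, "LmCompatibilityLevel", lambda v: v >= 3, ">= 3, send NTLMv2 responses only"),
    (WKS, "EnablePlainTextPassword", lambda v: v == 0, "0, no cleartext to SMB servers"),
]

# Constructed sample in .reg export format, not taken from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"LmCompatibilityLevel"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"EnablePlainTextPassword"=dword:00000001
'''

def parse_reg_dwords(text):
    """Return {(key path, value name): int} for every dword value, lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if header := re.fullmatch(r"\[(.+)\]", line):
            key = header.group(1).lower()
        elif key and (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)):
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return (value name, found value, requirement) for each failing setting."""
    found = parse_reg_dwords(text)
    failures = []
    for key, name, ok, requirement in BASELINE:
        value = found.get((key.lower(), name.lower()))
        # A value that is absent is reported too: the baseline wants it set explicitly.
        if value is None or not ok(value):
            failures.append((name, value, requirement))
    return failures

if __name__ == "__main__":
    for name, value, requirement in audit(SAMPLE_EXPORT):
        print(f"FAIL {name}: found {value}, expected {requirement}")
```
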
A network switch is a device that joins multiple computers together at a low-level
network protocol layer. Technically, network switches operate at layer two (Data Link
Layer) of the OSI model. Network switches look nearly identical to hubs, but a switch
generally contains more "intelligence" (and a slightly higher price tag) than a hub. Unlike
hubs, network switches are capable of inspecting the data packets as they are received,
determining the source and destination device of each packet, and forwarding that packet
appropriately. By delivering messages only to the connected device that they were intended
for, network switches conserve network bandwidth and offer generally better
performance than hubs. Network switches come in differing port configurations, starting
with the four- and five-port models, and support 10 Mbps Ethernet, 100 Mbps Ethernet,
1 GB Ethernet or all of these.
VI. Security Against The Extranet
A router is a device that forwards data packets along networks. A router is connected to at least two
networks, commonly two LANs or WANs or a LAN and its ISP’s network. Routers are
located at gateways, the places where two or more networks connect. Routers use headers
and forwarding tables to determine the best path for forwarding the packets, and they use
protocols such as ICMP to communicate with each other and configure the best route
between any two hosts. Very little filtering of data is done through routers.
A router is often included as part of a network switch. Routing is a function associated
with the Network layer (layer 3) in the standard model of network programming, the
Open Systems Interconnection (OSI) model. A layer-3 switch is a switch that can
perform routing functions. An edge router is a router that interfaces with an asynchronous
transfer mode (ATM) network. A brouter is a network bridge combined with a router. For
home and business computer users who have high-speed Internet connections such as
cable, satellite, or DSL, a router can act as a hardware firewall. This is true even if the
home or business has only one computer. Many engineers believe that the use of a router
provides better protection against hacking than a software firewall, because no computer's
Internet Protocol address is directly exposed to the Internet. This makes port scans (a
technique for exploring weaknesses) essentially impossible. In addition, a router does not
consume computer resources as a software firewall does. Commercially manufactured
routers are easy to install, reasonably priced, and available for hard-wired or wireless
ii. Firewall
The term "Firewall" originally meant, and still means, a fireproof wall intended to
prevent the spread of fire from one room or area of a building to another. The Internet is a
volatile and unsafe environment when viewed from a computer-security perspective;
therefore "Firewall" is an excellent metaphor for network security. Some of the very
famous commercial products available are Check Point firewall, Cisco PIX firewall, Nokia
Firewall and Symantec firewall. A firewall can be configured by the administrator, using
its security policy option, to block traffic such as FTP, HTTP, TCP/IP ports and protocols,
depending on the requirement. Some of the enterprise versions of the firewall provide
options to filter and block Trojans, adware, spamware and spyware.
iii. DMZ Zone
A DMZ, short for demilitarized zone, is a computer or a small subnetwork that sits between a
trusted internal network, such as a corporate private LAN, and an untrusted external
network, such as the public Internet. Typically, the DMZ contains devices accessible to
Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and
DNS servers. The term comes from military use, meaning a buffer area between two
iv. NAT Connection
Network Address Translation (NAT) is a network standard that enables a local area
network (LAN) to use one set of IP addresses for intranet traffic and a second set of
addresses for external traffic (Extranet Traffic). All necessary IP address translations
occur where the LAN interfaces with the broader Internet. NAT converts the packet
headers (and in some cases the port numbers in the headers) for incoming and outgoing
traffic and keeps track of each session. This does mean, however, that NAT overrides
"Internet transparency", a practice in which packets remain intact throughout their
transmission. NAT is also provided with Windows Internet Connection Sharing.
NAT accomplishes these key purposes:
o It acts as a firewall by hiding internal IP addresses.
o It enables an enterprise to use more internal IP addresses, since there is no
possibility of conflict between its internal-only IP addresses and those used by
other organizations. Essentially, an organization can present itself to the Internet
with fewer IP addresses than used on its internal network, which conserves public
o It allows an enterprise to bundle multiple ISDN/T1 connections into one Internet
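A minimal model of the translation table described in this section, added here as an example that is not part of the original paper. It shows two inside hosts sharing one public address, replies being mapped back per session, and packets with no matching session being dropped; the class name and all addresses are constructed, and session timeouts and port exhaustion are left out.

```python
import ipaddress

class NatGateway:
    """Port-address translation behind a single public IP (simplified model)."""

    def __init__(self, public_ip, inside_net, first_port=40000):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.next_port = first_port
        self.out = {}   # (inside_ip, inside_port, remote) -> public_port
        self.back = {}  # (public_port, remote) -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the LAN; return the new header."""
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            raise ValueError("source is not an inside address")
        remote = (dst_ip, dst_port)
        key = (src_ip, src_port, remote)
        if key not in self.out:              # new session: allocate a public port
            self.out[key] = self.next_port
            self.back[(self.next_port, remote)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of a reply, or return None to drop the packet."""
        if dst_ip != self.public_ip:
            return None
        inside = self.back.get((dst_port, (src_ip, src_port)))
        if inside is None:                   # no tracked session: unsolicited
            return None
        return (src_ip, src_port, inside[0], inside[1])

if __name__ == "__main__":
    # Constructed addresses: RFC 1918 inside, documentation ranges outside.
    gw = NatGateway("203.0.113.10", "192.168.1.0/24")
    print(gw.outbound("192.168.1.20", 51000, "198.51.100.7", 443))
    print(gw.outbound("192.168.1.21", 51000, "198.51.100.7", 443))
    print(gw.inbound("198.51.100.7", 443, "203.0.113.10", 40000))   # reply: translated
    print(gw.inbound("198.51.100.99", 443, "203.0.113.10", 40000))  # stranger: None
```
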
All the security features and policies described in this paper are some of the preventive
measures that must be taken to protect an organization from the disaster of losing its
valuable information. Apart from having all these policies and security features, it
is necessary to educate the users about the value of the information, because
security frauds often happen through neglect and the user's lack of knowledge about
the importance of securing information.
By securing the Intranet the organization can:
o Minimize potential economic loss
o Decrease potential exposures
o Ensure organizational stability
o Provide an orderly recovery
o Minimize insurance premiums
o Reduce reliance on certain key individuals
o Protect the assets of the organization
o Ensure safety of personnel
o Minimize decision-making during a disastrous event
o Minimize legal liability