They say the road to hell is paved with good intentions – any sys admin would relate to this. You have nothing but the best intentions when you install a tool, set up a service, or plug in a device on your network, convinced that that these will be of benefit.
Yet how often did you find out that instead of helping to manage or improve the infrastructure, the results were disastrous, security holes were opened, making audits a nightmare and creating other major issues for everyone?
Many of the things on this list could still be a good idea under the right circumstances, and with the right controls, but the risk is still very high. To help you avoid the pain and suffering here are 10 of the most dangerous things to have on your network.
1. Anything with a DHCP service
Be it a wireless router, personal firewall, or a virtual machine instance on a bridged connection, adding anything that runs DHCP onto a production network can cause problems for everyone on that VLAN. Remember DHCP is a broadcast service, and when a client asks for a lease, it will take the first one it hears offered. What’s going to be faster, the device you just connected, or the overworked three-year-old server?
2. An open share with all the application installers
It really sounds like a great idea. Create a share, give everyone read access, and put installers for all the different applications you use in that directory so folks can easily find and install what they need, when they need it. If you have a site license for everything in that folder, it is not a bad idea. If you bought ten licenses for Adobe Acrobat, and 100 people find and install it, suddenly it is a compliance and licensing nightmare. Never leave software installers on the network where regular users can get to them unless you are prepared for a massive annual true-up bill.
3. The second, third, fourth…and Nth remote control tool
There’s nothing wrong with having a remote control application installed on your workstations and servers so you can assist users and manage systems. The problem comes in when you have eight different admins and they each have their personal favourite. Each remote control app you install on a workstation is another port listening, another memory hog, another app to patch, and another way for an attacker to break in. When you do that to a server, the potential impact is even worse. Choose one, choose wisely, and ban all the rest.
4. Bulk email tools
What’s the quickest way to get your entire IP range on a blacklist? Leave an open relay. What’s the second quickest? Let someone in marketing install a bulk mailer application that starts spewing out hundreds if not thousands of emails per hour. Seriously, get in front of this by working with marketing to ensure they have a satisfactory external bulk mailer service so you don’t have to deal with being blacklisted.
5. Password crackers
While authorised personnel working within the context of security might use a password cracking tool to either audit the network, or attempt recovery of data, a password cracking tool can easily be run improperly, resulting in the lockout of every user account on the network. These tools, in the right hands and run in closed environments, can be very useful, but so too can a blowtorch. Both can cause serious damage when used incorrectly.
6. Open Guest Networks
An open guest network may seem like a great “tool” both for your guests, and for when you need to test something outside the confines of your corporate LAN, but can be easily misused, and even when separated from your internal network, they usually use the same Internet connection as your corporate network does, which means bad traffic coming from your guest network still comes from your corporate network as far as the rest of the Internet is concerned. Use a captive portal and run IDS on your guest network so you can control who uses it, and make sure they don’t misuse it.
7. Anything that is out of support
It doesn’t matter how great a job that app does, or how much the business complains that they can neither live without it, or replace it, anything that is no longer supported needs to get the heck off your network. I have seen dozens of upgrades get 90% of the way through, only to encounter that one legacy app no one even remembers setting up, that some group has built their entire mission critical workflow around, and that cannot be upgraded to work with your new system. Make it the 11th commandment – Thou Shalt Not Run Any Unsupported App.
8. Anything that can send an unlimited number of alerts
This one kills me every time I run into it, and I run into it at practically every customer I work with. Some monitoring systems is set up to send out email alerts when something bad happens, like a server goes down or a service stops, and it is misconfigured such that it sends thousands of email alerts as quickly as it can spawn them. That in turn overwhelms your email system, which slows everything else down, and you spend more time deleting the alerts than you did fixing the problem that caused them. Alerts are good, when they have reasonable limits.
9. Bittorrent applications
Bittorrent is an extremely useful protocol, that can be used for downloading a variety of different binaries, most good. A misconfigured Bittorrent client uses up a tremendous amount of bandwidth though, so if you are going to use this tool, be very careful how you configure it, and ensure that only authorised users run these tools.
10. Security auditing software
Okay, before everyone hits the panic button on this, hear me out. Security auditing tools, when installed on a security professional’s workstation, run with the knowledge of what they are for, and the authority to use them, are just fine. When they are run by a Curious George and run against the entire network during the production day, they can wreak havoc, locking out accounts, crashing services, and generally causing everyone a bad day.
These 10 types of tools all have their place, and when implemented properly, can be of great benefit to your network, but, more often than not, I have seen each of these 10 make for a really bad day. If you have any of these already on your network, look closely to be sure you are not dealing with a ticking time bomb. If you are considering whether or not to use any of these, think carefully and choose wisely.