W982 05092004

& concept explained easily

Published in: Education
  • To quote Stuart McClure and Joel Scambray, the writers of the Security Watch column in the venerable InfoWorld Magazine and two of the authors of Hacking Exposed: "Security is not a goal, it is a process, and Security is not a product, it's a mentality".
    The Ten Immutable Laws of Security – Microsoft - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/10imlaws.asp
  • Security Best Practices – Microsoft - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/Default.asp
    The Five Fundamentals of Security by Bill Van Emburg, Quadrix Solutions
    TISC Insight, Volume 4, Issue 11
  • Derived from W2Knews[tm] (the original NTools E-News) Electronic Newsletter Vol. 5, #32- July 31, 2000 - Issue #206 and material from www.sans.org.
    Gator: www.gator.com
    Microsoft Passport: http://www.passport.com/Consumer/default.asp?PPlcid=1033
    Yodlee: http://www.yodlee.com/
    JotterSAF: http://www.jottersaf.com/index.html
    Brodia: http://portal.brodia.com/brodia/service/app_Home.htm
    Keenovation: http://www.keenovation.com/
    Others: http://dir.yahoo.com/Business_and_Economy/Shopping_and_Services/Communication_and_Information_Management/Internet_and_World_Wide_Web/Personal_Information_Management/Personal_Account_Management/
  • Delivery Note
    ICF is considered a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and inspects the source and destination addressing of each message that it handles.
    All inbound traffic from the Internet is compared against the entries in a table. Inbound Internet traffic is only allowed to reach the computers in your network when there is a matching entry in the table that shows that the communication exchange began from within your computer or private network.
    Additional Reading
    Internet Connection Firewall
    ICF is considered a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and inspects the source and destination addressing of each message that it handles. To prevent unsolicited traffic from the public side of the connection from entering the private side, ICF keeps a table of all communications that have originated from the ICF computer. When used in conjunction with ICS, ICF tracks all traffic that has originated from the ICF/ICS computer and all traffic that has originated from private network computers. All inbound traffic from the Internet is compared against the entries in the table. Inbound Internet traffic is only allowed to reach the computers in your network when there is a matching entry in the table that shows that the communication exchange began from within your computer or private network.
    To thwart common hacking attempts, such as port scanning, communications that originate from the Internet are dropped by the firewall. Rather than sending you notifications about firewall activity, ICF silently discards unsolicited communications, because such notifications could be sent frequently enough to become a distraction. Instead, ICF creates a security log to track this activity.
    Services can be configured to allow unsolicited traffic from the Internet to be forwarded by the ICF computer to the private network. For example, if you are hosting an HTTP Web server service, and have enabled the HTTP service on your ICF computer, unsolicited HTTP traffic will be forwarded by the ICF computer. A set of operational information, known as a service definition, is required by ICF to allow the unsolicited Internet traffic to be forwarded to the Web server on your private network.
    The service definitions that allow services to operate across ICF also work on a per connection basis. If your network has multiple firewall connections, service definitions should be configured on all firewalled connections.
    Advanced ICF Settings
    The ICF security logging feature provides a way to create a security log of firewall activity. ICF is capable of logging either inbound and outbound traffic that is permitted or inbound and outbound traffic that is dropped (rejected). For example, by default the firewall does not allow incoming echo requests from the Internet. If the ICMP option Allow incoming echo request is not enabled, any inbound echo request will fail, and a log entry is generated that records the failed inbound attempt.
    On networks where two or more Internet Connection Firewalls exist, the settings to the ICF security logging options are global. If you make a setting or change a setting in the Logging Options on any connection with ICF enabled, that setting will be applied to the other ICF firewalls on your network.
    ICMP allows you to modify the behaviour of the firewall by enabling various ICMP options, such as Allow incoming echo request, Allow incoming timestamp request, Allow incoming router request and Allow redirect. Brief descriptions of these options are provided on the ICMP tab.
    On networks where two or more Internet Connection Firewalls exist, the settings for the ICMP options are per connection. If you make a setting or change a setting in the ICMP options on any connection with ICF enabled, that setting will not be applied to the other ICF firewalls on your network.
    You can set the allowable size of the security log to prevent the potential overflow that could be caused by denial-of-service attacks. Event logging is generated in the Extended Log File Format as established by the World Wide Web Consortium (W3C).
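The stateful table, the service definitions and the bounded security log described in this note, modelled as an added example (constructed here, not Microsoft's ICF code). The protocol names, addresses, port numbers and log fields are assumptions; the log lines borrow the W3C extended log file layout with a `#Fields:` header line:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str                   # "OUT" leaves the protected network, "IN" arrives from the Internet
    proto: str                       # "TCP", "UDP" or "ICMP"
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    icmp_type: Optional[int] = None  # ICMP has no ports; type 8 is an echo request


class StatefulFirewall:
    """Toy model of the ICF behaviour described in the notes (constructed, not Microsoft's code)."""
    HEADER = ["#Software: toy stateful firewall (constructed example)",
              "#Fields: action protocol src-ip dst-ip src-port dst-port icmptype"]

    def __init__(self, services=(), allow_echo_request=False, max_log_entries=1000):
        self.table = set()               # conversations that began from inside
        self.services = set(services)    # service definitions: (proto, port) pairs forwarded unsolicited
        self.allow_echo_request = allow_echo_request
        self.max_log_entries = max_log_entries
        self.log = list(self.HEADER)

    def _record(self, action, p):
        # Bounded log: a flood of unsolicited packets cannot grow it without limit.
        if len(self.log) - len(self.HEADER) < self.max_log_entries:
            itype = "-" if p.icmp_type is None else p.icmp_type
            self.log.append(f"{action} {p.proto} {p.src_ip} {p.dst_ip} {p.src_port} {p.dst_port} {itype}")

    def handle(self, p):
        """Return True if the packet is forwarded, False if it is silently dropped."""
        if p.direction == "OUT":
            self.table.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            self._record("OPEN", p)
            return True
        if (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.table:
            return True                  # reply to a conversation that began from inside
        if (p.proto, p.dst_port) in self.services:
            return True                  # unsolicited, but a service definition forwards it
        if p.proto == "ICMP" and p.icmp_type == 8 and self.allow_echo_request:
            return True
        self._record("DROP", p)          # unsolicited traffic: dropped, no notification, logged
        return False


def demo():
    """Constructed traffic: one legitimate session, one scan probe, one hit on a published service."""
    fw = StatefulFirewall(services=[("TCP", 80)])
    inside, web, scanner = "192.168.0.2", "203.0.113.10", "198.51.100.7"
    results = [
        fw.handle(Packet("OUT", "TCP", inside, web, 1040, 443)),        # host opens an HTTPS session
        fw.handle(Packet("IN", "TCP", web, inside, 443, 1040)),         # server's reply: matching entry
        fw.handle(Packet("IN", "TCP", scanner, inside, 40000, 445)),    # probe on 445: no entry, dropped
        fw.handle(Packet("IN", "TCP", scanner, inside, 40001, 80)),     # HTTP service definition: forwarded
        fw.handle(Packet("IN", "ICMP", scanner, inside, icmp_type=8)),  # echo request not enabled: dropped
    ]
    return results, fw.log


if __name__ == "__main__":
    forwarded, log = demo()
    print(forwarded)
    print("\n".join(log))
```

Running it shows that the reply to a session opened from inside passes, that the probe on port 445 and the echo request are dropped without any notification but still appear in the log, and that the HTTP probe is forwarded only because of the service definition. The `max_log_entries` cap plays the role of the allowable log size that stops a flood of unsolicited traffic from overflowing the log.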
  • Delivery Note
    In previous versions of Windows, users could log on using a username and a blank password. In Windows Server 2003 this has changed: access to network shares requires users to log on with a valid username and password.
    The Anonymous Logon group is no longer a member of the Everyone group. This change will impact anonymous users attempting to access resources hosted on computers running Windows XP Professional and the Windows Server 2003 family.
    The administrator account can be disabled. The reason for this is to secure the account, because most hackers know that its RID is 500.
    Digest authentication
    An authentication mechanism that hashes the user name, password, and other data before transmitting it over the network.
    Additional Reading
    Differences in default security
    The Anonymous Logon group is no longer a member of the Everyone group. This change will impact anonymous users attempting to access resources hosted on computers running Windows XP Professional and Windows Server 2003 family.
    Anyone who accesses a computer and its resources through the network without an account name, password, or domain is a member of the Anonymous Logon built-in security group. By design, in previous versions of Windows, members of the Anonymous Logon security group had access to many resources because of their membership in the Everyone group. Because administrators did not realize that anonymous users were members of the Everyone group, they might have inadvertently granted them access to resources intended only for authenticated users.
    When a Windows 2000 system is upgraded to the Windows Server 2003 family, resources with permission entries for the Everyone group (and not explicitly for the Anonymous Logon group) will no longer be available to anonymous users after the upgrade. In most cases this is an appropriate restriction on anonymous access; however, you may need to permit anonymous access in order to support pre-existing applications that require it. If you need to grant access to the Anonymous Logon group, you should explicitly add the Anonymous Logon security group and its permissions.
    However, in some situations where it might be difficult to determine and modify the permission entries on resources hosted on Windows Server 2003 family or Windows XP Professional computers, you can change the security setting Network access: Let Everyone permissions apply to anonymous users.
  • Delivery Note
    The following services are not installed by default:
    An additional security component for IIS is that IIS Lockdown is run before IIS can be used.
    Services/interfaces/extensions are disabled by default such as:
    FrontPage Server Extensions
    Secure by default. The main idea behind secure by default is to turn off unused features to reduce the "surface area" available for attack. Services and components that aren't running can't effectively be attacked. Microsoft is making its products more secure by default, so that components begin their installed life in a secure default state—turned off where possible, and locked down in all cases. Microsoft is also aggressively reducing the privileges required for services to do their jobs; this minimal-privilege approach limits the damage that an attacker can cause by limiting what a compromised service can do.
    What has to be taken into account, however, is any application access that may take place through these services while they run under a less-privileged account.
  • Delivery Note
    There is a myriad of new command-line tools; refer to the NTCMDS.CHM file for a complete reference.
    We would like to bring one particular tool to your attention – netstat.exe:
    To restrict the use of open ports, you need to know which ports are active on your system and which programs are using them. Although no single tool provides all the information you need, you can piece together the answers with a few tools and investigative skills.
    The Netstat command-line program can provide much of the detail you need about ports. The -O (owner) argument displays the process identifier that has opened the connection. Using the PID displayed by Netstat, you can look up the name of the program in Task Manager.
    Smart Cards
    Smart cards are a tamper-resistant and portable way to provide security solutions for tasks such as logging on to a Microsoft® Windows® Server 2003 family domain, client authentication, code signing, and securing e-mail.
    Support for cryptographic smart cards is a key feature of the public key infrastructure (PKI) that Microsoft has integrated into Microsoft® Windows® XP and the Windows Server 2003 family.
    Smart cards provide:
    Tamper-resistant storage for protecting private keys and other forms of personal information.
    Isolation of security-critical computations involving authentication, digital signatures, and key exchange from other parts of the computer that do not have a "need to know." These operations are all performed on the smart card.
    Portability of credentials and other private information between computers at work, home, or on the road.
    Additional Reading
    Understanding smart cards
    Logging on to a network with a smart card provides a strong form of authentication because it uses cryptography-based identification and proof of possession when authenticating a user to a domain.
    For example, if a malicious person obtains a user's password, that person can assume the user's identity on the network simply through use of the password. Many people choose passwords they can remember easily, which makes passwords inherently weak and open to attack.
    In the case of smart cards, that same malicious person would have to obtain both the user's smart card and the personal identification number (PIN) to impersonate the user. This combination is obviously more difficult to attack because an additional layer of information is needed to impersonate a user. An additional benefit is that, after a small number of unsuccessful PIN inputs occur consecutively, a smart card is locked, making a dictionary attack against a smart card extremely difficult. (Note that a PIN does not have to be a series of numbers; it can also use other alphanumeric characters.) Smart cards are also resistant to undetected attacks because the card needs to be obtained by the malicious person, which is relatively easy for a user to know about.
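The Netstat-plus-Task-Manager procedure from the netstat.exe note above, as an added example that is not part of the slides: a small Python script that parses constructed `netstat -ano` output (the -a, -n and -o switches are assumed; -o supplies the PID column) together with constructed `tasklist /fo csv` output, then lists which program holds each listening TCP port and each bound UDP port. The process names, PIDs and addresses are made up.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (the -o column is the owning PID).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.2:1040       203.0.113.10:443       ESTABLISHED     1592
  UDP    0.0.0.0:500            *:*                                    704
"""

# Constructed sample of `tasklist /fo csv` output, used to turn PIDs into program names.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"lsass.exe","704","Console","0","7,920 K"
"svchost.exe","868","Console","0","4,560 K"
"iexplore.exe","1592","Console","0","22,104 K"
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP line of netstat -ano output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                                  # banner, header and blank lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""    # UDP lines carry no State column
        ip, port = local.rsplit(":", 1)               # rsplit keeps IPv6 forms like [::]:135 intact
        rows.append({"proto": proto, "local_ip": ip, "local_port": int(port),
                     "foreign": foreign, "state": state, "pid": int(parts[-1])})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def open_ports_by_program(netstat_text, tasklist_text):
    """(port, proto, program) for every listening TCP port and bound UDP port."""
    names = parse_tasklist(tasklist_text)
    found = []
    for c in parse_netstat(netstat_text):
        if c["proto"] == "TCP" and c["state"] != "LISTENING":
            continue                                  # established sessions are not open ports
        found.append((c["local_port"], c["proto"], names.get(c["pid"], f"unknown PID {c['pid']}")))
    return sorted(found)


if __name__ == "__main__":
    for port, proto, program in open_ports_by_program(NETSTAT_OUTPUT, TASKLIST_CSV):
        print(f"{proto:<4} {port:<6} {program}")
```

On a real machine the two constants would be replaced by the captured output of the two commands; the join on PID is the same lookup the note describes doing by hand in Task Manager, and the result is the list of ports to justify or close.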
  • Delivery Note
    The .NET Framework provides a code access security model that allows administrators to modify security policy to meet their individual needs. While code access security generally increases the reliability and security of applications, improperly administering code access security policy can potentially create security weaknesses.
    The .NET Framework security system is governed by a configurable set of rules called security policy. This policy allows the end user or administrator to adjust the settings that determine which resources code is allowed to access, and ultimately decide which code is allowed to run at all.
    For example, suppose you are an administrator in an enterprise setting and you do not trust the software that originates from a particular company. Perhaps that company produces software that employees find entertaining, but which causes increased network traffic or causes workstations to become unstable. You can set an enterprise level security policy that restricts the access that software has to your computer resources. You can also set a policy that prevents this publisher's software from running at all.
    Evidence, Code Groups, and Permission Sets
    Code that targets the common language runtime is deployed in units called assemblies. At load time, the runtime examines each assembly for evidence, which is identifying information about the assembly (such as the digital signature of the code's author and the location where the code originates). Based on the evidence, the common language runtime security manager maps the assembly to a code group based on security policy. Code groups are defined to test for specific forms of evidence and have permission sets associated with them. Assemblies that belong to a code group receive the permissions defined by the associated permission sets.
    Permissions are simply objects created by an application that represent the right to access a protected resource. Permissions are configurable and a single permission object can assume several forms. The rights that a permission represents and that assemblies receive are fully configurable by the system administrator. While applications can construct and configure permission objects like any other object, only security policy can grant a permission to an application. Administrators ultimately control the permission grant.
    Security Policy Levels
    There are four levels of security policy defined in the security model, which correspond to the different administration and hosting scenarios.
    Enterprise Policy
    Machine Policy
    User Policy
    Application domain policy
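The evidence, code group and policy-level model described in this note, as an added example (constructed, not the .NET Framework's own policy engine). It uses a handful of illustrative permission names, membership conditions on zone and publisher evidence, the union-of-matching-groups rule within a level and the intersection rule across levels, and an Exclusive code group to realize the scenario of refusing to run a particular publisher's software. The zone code group names follow the default policy's naming; the permission names and the publisher are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List

Evidence = Dict[str, str]   # e.g. {"zone": "Intranet", "publisher": "Contoso"}

# Illustrative stand-ins for .NET permission classes (assumed names).
FULL_TRUST = frozenset({"Execution", "UI", "FileIO", "Registry", "Network"})
NOTHING: FrozenSet[str] = frozenset()


@dataclass
class CodeGroup:
    name: str
    matches: Callable[[Evidence], bool]      # membership condition tested against the evidence
    permissions: FrozenSet[str]              # permission set granted when the condition holds
    children: List["CodeGroup"] = field(default_factory=list)
    exclusive: bool = False                  # Exclusive: this set alone applies at its level

    def matched(self, ev):
        """Depth-first list of matching groups; children are tested only if the parent matched."""
        if not self.matches(ev):
            return []
        found = [self]
        for child in self.children:
            found += child.matched(ev)
        return found


def level_grant(root, ev):
    """Grant at one policy level: an Exclusive match wins, otherwise the union of matched sets."""
    groups = root.matched(ev)
    for g in groups:
        if g.exclusive:
            return g.permissions
    granted = set()
    for g in groups:
        granted |= g.permissions
    return frozenset(granted)


def resolve(levels, ev):
    """Effective grant: the intersection of the per-level grants (Enterprise, Machine, User, ...)."""
    result = FULL_TRUST
    for root in levels:
        result &= level_grant(root, ev)
    return result


def can_run(levels, ev):
    return "Execution" in resolve(levels, ev)


def all_code(ev):
    return True


def zone_is(zone):
    return lambda ev: ev.get("zone") == zone


def publisher_is(publisher):
    return lambda ev: ev.get("publisher") == publisher


def build_policy():
    """Constructed policy for the scenario in the note: distrust one software publisher."""
    enterprise = CodeGroup("All_Code", all_code, FULL_TRUST, children=[
        CodeGroup("Blocked_Publisher", publisher_is("Fabrikam Games"), NOTHING, exclusive=True)])
    machine = CodeGroup("All_Code", all_code, NOTHING, children=[
        CodeGroup("My_Computer_Zone", zone_is("MyComputer"), FULL_TRUST),
        CodeGroup("LocalIntranet_Zone", zone_is("Intranet"), frozenset({"Execution", "UI", "Network"})),
        CodeGroup("Internet_Zone", zone_is("Internet"), frozenset({"Execution", "UI"}))])
    user = CodeGroup("All_Code", all_code, FULL_TRUST)
    return [enterprise, machine, user]


if __name__ == "__main__":
    policy = build_policy()
    for ev in ({"zone": "MyComputer", "publisher": "Contoso"},
               {"zone": "Intranet", "publisher": "Contoso"},
               {"zone": "Intranet", "publisher": "Fabrikam Games"}):
        print(ev, sorted(resolve(policy, ev)), "runs" if can_run(policy, ev) else "blocked")
```

Because the levels are intersected, the Machine level can only narrow what the Enterprise level allows, and an Exclusive group at the Enterprise level removes the Execution permission for the distrusted publisher everywhere, which is what "prevents this publisher's software from running at all" in the note.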
  • Delivery Note
    Encrypted CSC (Client Side Caching)
    The offline files feature, introduced with Windows 2000, allows you to cache a copy of files from a network share on your local computer. This capability is particularly useful for a mobile computer because it allows you to continue working with your files even when your computer is not connected to the network. (When you reconnect to the network, Windows synchronizes the local and network versions of each file.) As we point out, however, mobile computers are the ones most vulnerable to theft, so it would be terrific to be able to encrypt the local versions of your offline files. With Windows XP/Windows Server 2003 (but not Windows 2000), you can.
    Sharing encrypted files
    A new feature since Windows XP allows you to share access to your encrypted files with one or more trusted users. The users you specify might share the computer with you or have access to the encrypted files over the network.
    The only prerequisite for sharing access to an encrypted file is that each user with whom you want to share the file must have an encryption certificate on your computer. The easiest way for a user who shares your computer to create a certificate is for that user to log on and encrypt a file. Network users should export their own certificate; you can then import the certificate to your computer.
    System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing
    This security setting determines if the TLS/SSL Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. In effect, this means that the provider only supports the TLS protocol as a client and as a server (if applicable). It uses only the Triple DES encryption algorithm for the TLS traffic encryption, only the RSA public key algorithm for the TLS key exchange and authentication, and only the SHA-1 hashing algorithm for the TLS hashing requirements.
    For Encrypting File System Service (EFS), it supports only the Triple DES encryption algorithm for encrypting file data supported by the Windows NTFS File System. By default, EFS uses the AES algorithm with a 256-bit key in Windows Server 2003 family and DESX algorithm in Windows XP for encrypting file data.
    Default: Disabled.
    Configuring this security setting
    You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
    Note The Federal Information Processing Standard (FIPS) 140-1 is a security implementation designed for certifying cryptographic software. FIPS 140-1 validated software is required by the U.S. Government and requested by other prominent institutions.
  • Delivery Note
    Encrypting File System overview
    Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS file system volumes. Once you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other files and folders.
    Encryption is transparent to the user that encrypted the file. This means that you do not have to manually decrypt the encrypted file before you can use it. You can open and change the file as you normally do.
    Using EFS is similar to using permissions on files and folders. Both methods can be used to restrict access to data. However, an intruder who gains unauthorized physical access to your encrypted files or folders will be prevented from reading them. If the intruder tries to open or copy your encrypted file or folder, he receives an access denied message. Permissions on files and folders do not protect against unauthorized physical attacks.
    You encrypt or decrypt a folder or file by setting the encryption property for folders and files just as you set any other attribute such as read-only, compressed, or hidden. If you encrypt a folder, all files and subfolders created in the encrypted folder are automatically encrypted. It is recommended that you encrypt at the folder level.
    You can also encrypt or decrypt a file or folder using the cipher command.
    When you work with encrypted files and folders, keep in mind the following information:
    Only files and folders on NTFS volumes can be encrypted. Because WebDAV works with NTFS, NTFS is required when encrypting files over WebDAV (Web distributed authoring and versioning).
    Files or folders that are compressed cannot also be encrypted. If the user marks a file or folder for encryption, that file or folder will be uncompressed.
    Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.
    Moving unencrypted files into an encrypted folder will automatically encrypt those files in the new folder. However, the reverse operation will not automatically decrypt files. Files must be explicitly decrypted.
    Files marked with the System attribute cannot be encrypted, nor can files in the systemroot directory structure.
    Encrypting a folder or file does not protect against deletion or listing files or directories. Anyone with the appropriate permissions can delete or list encrypted folders or files. For this reason, using EFS in combination with NTFS permissions is recommended.
    You can encrypt or decrypt files and folders located on a remote computer that has been enabled for remote encryption. However, if you open the encrypted file over the network, the data that is transmitted over the network by this process is not encrypted. Other protocols, such as SSL/TLS (Secure Socket Layer/Transport Layer Security) or Internet Protocol security (IPSec) must be used to encrypt data over the wire. WebDAV, however, is able to encrypt the file locally and transmit it in encrypted form.
    Additional Reading
    EFS provides a secure way to store your sensitive data. Windows creates a randomly generated file encryption key (FEK) and then transparently encrypts the data using this FEK as data is written to disk. Windows then encrypts the FEK using your public key. (Windows creates a personal encryption certificate with a public/private key pair for you the first time you use EFS.) The FEK is a symmetric key (that is, the same key is used for encrypting and decrypting data), which is orders of magnitude faster than public key encryption. The FEK, and therefore the data it protects, can be decrypted only with your certificate and its associated private key, which are available only when you log on with your user name and password. (Designated data recovery agents can also decrypt your data.) Other individuals who attempt to use your encrypted files receive an "access denied" message. Even administrators and others who have permission to take ownership of files are unable to open your encrypted files.
    You can encrypt individual files, folders, or entire drives. We recommend that you encrypt folders instead of individual files. If you have hard disk volumes that contain only data (that is, drives other than the system drive and boot drive), consider encrypting the entire drive. When you encrypt a folder or drive, the existing files it contains are encrypted, and new files that you create in the folder or drive are encrypted automatically, as are temporary files that your applications create in the folder or drive. (For example, Microsoft Word creates a copy of a document in the folder where it's stored when you open the document for editing. If the document's folder isn't encrypted, the temporary copy isn't encrypted—giving prying eyes a potential opportunity to view your data.) For this reason, you should also consider encrypting your %Temp% and %Tmp% folders, which many applications use to store temporary copies of documents that are open for editing. (Note, however, that doing so might slow your system considerably, and it might prevent some installation programs from running properly.)
    Recovering data
    Data recovery is important when you need to be able to recover data encrypted by an employee after the employee leaves, or when the user loses the private key. Data recovery is available through the Encrypting File System (EFS) as a part of the overall security policy for the system. For example, if you should ever lose your file encryption certificate and associated private key through disk failure, arson, or any other reason, the person who is the designated recovery agent can recover the data. In a business environment, an organization can recover data encrypted by an employee after the employee leaves.
    In Windows XP/Windows Server 2003 the requirement for a Recovery Agent has been removed. If the RA is not implemented, only the user who initially encrypted the data can recover it. If the Administrator tries to reset the user's password – this changes the FEK, hence this is no longer a work-around to get access to the user's encrypted data.
    Recovery policy
    EFS uses recovery policies to provide built-in data recovery. A recovery policy is a type of public key policy that provides for one or more user accounts to be designated as recovery agents.
    A recovery policy is configured locally for stand-alone computers. For computers that are part of a network, a recovery policy is configured at the domain, organizational unit, or individual computer level, and applies to all Windows XP and Windows Server 2003 family-based computers that the policy applies to. A certification authority (CA) issues recovery certificates, and you use Certificates in MMC to manage them.
    In a domain, Windows Server 2003 family implements a default recovery policy for the domain when the first domain controller is set up. The domain administrator is issued the self-signed certificate, which designates the domain administrator as the recovery agent. To change the default recovery policy for a domain, log on to the first domain controller as an administrator. Additional recovery agents can be added to this policy and the original recovery agent can be removed at any time.
    Because the Windows XP and Windows Server 2003 family security subsystems handle enforcing, replicating, and caching of the recovery policy, users can implement file encryption on a system that is temporarily offline, such as a portable computer. This process is similar to logging on to their domain account using cached credentials.
    Recovery agents
    A recovery agent is an individual authorized to decrypt data that was encrypted by another user. Recovery agents do not need any other permissions to function in this role. Recovery agents are useful, for example, when employees leave the company and their remaining data needs to be decrypted. Before you can add a recovery agent for a domain, you must ensure that each recovery agent has been issued an X.509v3 certificate.
    Each recovery agent has a special certificate and associated private key that allows data recovery wherever the recovery policy applies. If you are the recovery agent, you should be sure to use the Export command in Certificates in the Microsoft Management Console (MMC) to back up the recovery certificate and the associated private key to a secure location. After backing them up, you should use Certificates in MMC to delete the recovery certificate. Then, when you need to perform a recovery operation for a user, you should first restore the recovery certificate and associated private key using the Import command from Certificates in MMC. After recovering the data, you should again delete the recovery certificate. You do not have to repeat the export process.
    To add recovery agents for a domain, you add their certificates to the existing recovery policy. For steps on how to add recovery agents to a domain, see To add a recovery agent for a domain.
    Recovery agent information that has been added and removed is not automatically updated on existing EFS files. The information in these files is updated the next time the file is accessed. New files always use the current recovery agent information.
    Add encryption commands to shortcut menus
    If you frequently encrypt and decrypt files and folders (for most users, it's a one-time "set it and forget it" operation), you'll find that it's rather tedious to right-click, choose Properties, click Advanced, select or clear a check box, and click OK twice every time you want to change encryption status. If you're comfortable using a command-line interface, you can use the Cipher command to perform these tasks. But if you'd prefer to work with Windows Explorer, you can use an easier way: Add encryption commands to the shortcut menu that appears when you right-click a folder or file.
    To do that, follow these steps:
    Use Registry Editor to open the HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced key.
    Open the Edit menu, and choose New, DWORD Value.
    Name the new value EncryptionContextMenu.
    Double-click the EncryptionContextMenu value and set its data to 1.
    This change takes effect the next time you start Windows Explorer. When you right-click a folder or file that's not encrypted, the shortcut menu includes an Encrypt command; a Decrypt command appears if the target is already encrypted.
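The FEK, the public-key wrapping of the FEK and the recovery-agent mechanism described in this note, as an added example (constructed, not Windows' EFS). Textbook RSA on fixed Mersenne primes and an HMAC-SHA256 keystream stand in for the real algorithms and are not secure; the data decryption field (DDF) and data recovery field (DRF) names follow EFS terminology, and `refresh_recovery_fields` models the rule stated above that a change of recovery agents reaches an existing file the next time it is accessed. The principal names and the file content are made up.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Toy RSA on fixed Mersenne primes: enough to show the key hierarchy, never for real data.
E = 65537


def make_keypair(p: int, q: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)            # (public, private)


def wrap(fek: bytes, public) -> int:
    n, e = public
    return pow(int.from_bytes(fek, "big"), e, n)


def unwrap(wrapped: int, private) -> bytes:
    n, d = private
    return pow(wrapped, d, n).to_bytes(16, "big")


def _symmetric(key: bytes, data: bytes) -> bytes:
    """Stand-in for the file cipher (AES-256 / DESX in real EFS): HMAC-SHA256 keystream XORed in."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Principal:
    name: str
    public: Tuple[int, int]
    private: Tuple[int, int]


@dataclass
class EncryptedFile:
    ciphertext: bytes
    ddf: Dict[str, int] = field(default_factory=dict)   # data decryption fields: FEK wrapped for users
    drf: Dict[str, int] = field(default_factory=dict)   # data recovery fields: FEK wrapped for recovery agents


def encrypt_file(plaintext: bytes, owner: Principal, recovery_agents) -> EncryptedFile:
    fek = secrets.token_bytes(16)                        # fresh random symmetric key per file
    return EncryptedFile(_symmetric(fek, plaintext),
                         ddf={owner.name: wrap(fek, owner.public)},
                         drf={ra.name: wrap(fek, ra.public) for ra in recovery_agents})


def _fek_for(ef: EncryptedFile, who: Principal) -> bytes:
    wrapped = ef.ddf.get(who.name, ef.drf.get(who.name))
    if wrapped is None:
        raise PermissionError("access denied: no DDF or DRF entry for " + who.name)
    return unwrap(wrapped, who.private)


def decrypt_file(ef: EncryptedFile, who: Principal) -> bytes:
    return _symmetric(_fek_for(ef, who), ef.ciphertext)


def refresh_recovery_fields(ef: EncryptedFile, opener: Principal, recovery_agents) -> None:
    """Recovery agent changes reach a file when it is next opened by someone who holds its FEK."""
    fek = _fek_for(ef, opener)
    ef.drf = {ra.name: wrap(fek, ra.public) for ra in recovery_agents}


def demo():
    alice = Principal("alice", *make_keypair(2**89 - 1, 2**107 - 1))
    agent = Principal("recovery-agent", *make_keypair(2**61 - 1, 2**127 - 1))
    data = b"quarterly figures (constructed sample)"
    ef = encrypt_file(data, alice, recovery_agents=[])   # encrypted before any recovery policy existed
    try:
        decrypt_file(ef, agent)
        agent_before = True
    except PermissionError:
        agent_before = False
    refresh_recovery_fields(ef, alice, [agent])          # owner opens the file: the DRF is now written
    agent_after = decrypt_file(ef, agent) == data
    return agent_before, agent_after


if __name__ == "__main__":
    print(demo())   # (False, True)
```

The file data is encrypted once with the FEK; every principal who may read it gets their own wrapped copy of that FEK, so adding a recovery agent never touches the ciphertext, and a file written before the agent existed stays unrecoverable by the agent until an access by the owner rewrites its DRF.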
  • Delivery Note
    Web Distributed Authoring and Versioning (WebDAV), also known as Web Folders, is a file transfer protocol that supports secure file transfer over intranets and the Internet. With WebDAV, you can upload, download, and manage files on a remote computer across an intranet and the Internet. WebDAV is similar to File Transfer Protocol (FTP); however, WebDAV provides a more secure environment for transferring files over the Web.
    The Web Distributed Authoring and Versioning (WebDAV) redirector supports the WebDAV protocol for remote document sharing over HTTP. The WebDAV redirector supports the use of existing applications, and it supports file sharing across the Internet (through firewalls, routers, and so forth) to HTTP servers.
    You can use your encrypted files (or ones to which you've been granted access, as described in the previous section) when they're stored on another computer in your network. This, of course, makes it feasible for multiple users to access encrypted files, but it has other advantages as well; in particular, storing your network's important documents on a single server can simplify backup of these essential files. You can encrypt and decrypt files that are stored on a network share or, if you're using Windows XP/Windows Server 2003, in a Web Distributed Authoring and Versioning (WebDAV) Web folder.
  • Delivery Note
    IP Security
    Internet Protocol security (IPSec) provides the following new features for enhanced security, scalability, and availability, and ease of deployment and administration.
    Because several new IPSec features are available only in the Windows Server 2003 family, as a best practice, if you plan to apply the same IPSec policy to computers running the Windows Server 2003 family and to computers running Windows 2000 or Windows XP, test the policy thoroughly on all relevant operating systems before deployment.
    Stronger cryptographic master key (Diffie-Hellman)
    For enhanced security, IPSec now supports the use of a 2048-bit Diffie-Hellman key exchange. With a stronger Diffie-Hellman group, the secret key that is derived from the Diffie-Hellman exchange has greater strength. Strong Diffie-Hellman groups combined with longer key lengths increase the computational difficulty of determining a secret key.
    This feature is provided only with the Windows Server 2003 family. For more information see Additional reading.
    IP Security Monitor
    In Windows 2000, IP Security Monitor was implemented as an executable program (IPSecmon.exe). In Windows XP and the Windows Server 2003 family, IP Security Monitor is implemented as a Microsoft Management Console (MMC) console and includes enhancements that allow you to:
    Monitor IPSec information for your local computer and for remote computers.
    View details about active IPSec policies, including the name, description, date last modified, store, path, organizational unit, and Group Policy object name.
    View main mode and quick mode generic filters and specific filters.
    View main mode and quick mode statistics.
    View main mode and quick mode security associations.
    Customize refresh rates, and use DNS name resolution for filter and security association output.
    Search for specific main mode or quick mode filters that match any source or destination IP address, a source or destination IP address on your local computer, or a specific source or destination IP address.
    Command-line management with Netsh
    Using commands in the Netsh IPSec context, you can configure static or dynamic IPSec main mode settings, quick mode settings, rules, and configuration parameters. To enter the Netsh IPSec context, type netsh -c ipsec at a command prompt. The Netsh IPSec context replaces the Ipsecpol.exe tool, which is provided with the Windows 2000 Server Resource Kit. You can use this feature to script and automate IPSec configuration.
    This feature is provided only with the Windows Server 2003 family.
    Computer startup security
    For enhanced security, IPSec now provides stateful filtering of network traffic during computer startup. With stateful filtering, only the following traffic is permitted during computer startup: the outbound traffic that the computer initiates during startup, the inbound traffic that is sent in response to the outbound traffic, and DHCP traffic. As an alternative to stateful filtering, you can specify that all inbound and outbound traffic be blocked until an IPSec policy is applied. If you use stateful filtering, or if you specify that traffic be blocked during computer startup, you can also specify the traffic types that you want to exempt from IPSec filtering during computer startup.
    You cannot configure this feature in the IP Security Policy Management console. To configure this feature, you must use the Netsh IPSec command-line tool.
    Persistent policy for enhanced security
    You can now create and assign a persistent IPSec policy to secure a computer if a local IPSec policy or an Active Directory-based IPSec policy cannot be applied. When you create and assign a persistent policy, it is applied before the local policy or the Active Directory-based policy is applied, and it remains in effect regardless of whether the local policy or the Active Directory-based policy is applied (for example, an IPSec policy will not be applied if it is corrupted).
    You cannot configure this feature in the IP Security Policy Management console. To configure this feature, you must use the Netsh commands for IPSec.
    Removed default traffic exemptions
    In Windows 2000 and Windows XP, by default, all broadcast, multicast, Internet Key Exchange (IKE), Kerberos, and Resource Reservation Protocol (RSVP) traffic is exempt from IPSec filtering. To significantly improve security, in the Windows Server 2003 family only IKE traffic (which is required for establishing IPSec-secured communication) is exempt from IPSec filtering. All other traffic types are now matched against IPSec filters, and you can configure block or permit filter actions specifically for multicast and broadcast traffic (IPSec does not negotiate security associations for multicast and broadcast traffic).
    IPSec functionality over network address translation (NAT)
    IPSec Encapsulating Security Payload (ESP) packets can now pass through NATs that allow User Datagram Protocol (UDP) traffic. The IKE protocol automatically detects the presence of a NAT and uses UDP-ESP encapsulation to allow IPSec traffic to pass through the NAT. This functionality is an implementation of the Internet Engineering Task Force (IETF) IP Security Working Group standard for IPSec.
    NATs are widely used for Internet Connection Sharing (ICS) and in locations that provide public Internet access (such as hotels and airports) and that are likely to be used by telecommuters. In addition, some Internet service providers (ISPs) use a centralized NAT to connect their clients to the Internet.
    IPSec functionality over NAT enables IPSec-secured connections to be established in the following common deployment scenarios:
    Layer Two Tunneling Protocol (L2TP)/IPSec virtual private network (VPN) clients that are behind NATs can establish IPSec-secured connections over the Internet to their corporate network, using IPSec ESP transport mode.
    Servers running Routing and Remote Access can establish gateway-to-gateway IPSec tunnels when one of the servers running Routing and Remote Access is behind a NAT.
    Clients and servers can send IPSec-secured TCP and UDP packets to other clients or servers using IPSec ESP transport mode, when one or both of the computers are behind a NAT. For example, a program running on a server on a perimeter network can be IPSec-secured when it is used to make connections to the corporate network.
    Improved IPSec integration with Network Load Balancing
    Improved IPSec integration with Network Load Balancing allows a Network Load Balancing group of servers to provide highly available IPSec-based VPN services. Network Load Balancing can accurately track IPSec-secured sessions, and the IPSec IKE protocol can detect when an IPSec-secured session is being established with a cluster server and quickly recover from a failover. Additionally, Network Load Balancing can now maintain IPSec-secured connections to the correct Network Load Balancing host, even when the number of hosts in the cluster (and the algorithm used to map clients to hosts) changes. Because the IKE protocol automatically detects the Network Load Balancing service, no additional configuration is required to use this feature.
    This feature is provided only with Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition.
    IPSec support for RSoP
    To enhance IPSec deployment and troubleshooting, IPSec now provides an extension to the Resultant Set of Policy (RSoP) console. RSoP is an addition to Group Policy that you can use to view existing IPSec policy assignments for a computer or for members of a Group Policy container. To view IPSec policy assignments for a computer, run an RSoP logging mode query. To view IPSec policy assignments for members of a Group Policy container, run an RSoP planning mode query.
    After you run an RSoP logging mode query or an RSoP planning mode query, you can view detailed settings (the filter rules, filter actions, authentication methods, tunnel endpoints, and connection types that were specified when the IPSec policy was created) for the IPSec policy that is being applied.
    Additional Reading
    Key exchange methods
    In addition to key properties, you can set security methods for main mode IKE negotiation. For example, you can specify which algorithms are used for integrity and confidentiality. The same algorithms that are available for quick mode security methods are available for main mode IKE negotiation: MD5 and SHA1 for integrity; DES and 3DES for confidentiality.
    Diffie-Hellman groups
    In addition to setting integrity and confidentiality algorithms, you can specify which Diffie-Hellman groups to use. Diffie-Hellman groups are used to determine the length of the base prime numbers used during the key exchange process. The cryptographic strength of any key derived depends, in part, on the strength of the Diffie-Hellman group upon which the prime numbers are based.
    Group 2048 (high) is stronger (more secure) than Group 2 (medium), which is stronger than Group 1 (low). Group 1 provides 768 bits of keying strength, Group 2 provides 1024 bits, and Group 2048 provides 2048 bits. If mismatched groups are specified on each peer, negotiation fails. The group cannot be switched during the negotiation.
    The Diffie-Hellman group is configured as part of the main mode key exchange settings. New session keys generated during quick mode are derived from the Diffie-Hellman main mode master key material, unless master key or session key perfect forward secrecy (PFS) is enabled. If either master key or session key PFS is enabled, a new Diffie-Hellman exchange is performed to obtain new master key keying material for each new session key that is required. The difference between master key PFS and session key PFS is that master key PFS requires a reauthentication of the main mode SA in addition to the Diffie-Hellman exchange.
    For enhanced security, do not use Diffie-Hellman Group 1. For maximum security, use Group 2048 whenever possible. Use Group 2 when required for interoperability with Windows 2000 and Windows XP.
    Diffie-Hellman Group 2048 is provided only with the Windows Server 2003 family.
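The group negotiation and PFS behaviour described above, as an added Python model (not Microsoft's IKE implementation). The moduli are the real MODP primes: Group 1 and Group 2 are the 768- and 1024-bit groups of RFC 2409, and Group 2048 is the 2048-bit group 14 of RFC 3526; the HMAC-SHA1 derivations are a simplified stand-in for IKE's SKEYID derivation, which is an assumption of this model.

```python
"""IKE main-mode Diffie-Hellman group negotiation and perfect forward secrecy.
Added illustration, not Microsoft's IKE implementation.  Group 1 and Group 2 are
the 768/1024-bit MODP groups of RFC 2409; Group 2048 is RFC 3526 group 14.  The
HMAC-SHA1 derivations are a simplified stand-in for IKE's SKEYID derivation."""
import hashlib
import hmac
import secrets

def _hex(words: str) -> int:
    return int("".join(words.split()), 16)

# RFC 2409, section 6.1: First Oakley Default Group (768 bits), generator 2.
P_GROUP1 = _hex("""
    FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
    29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
    EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
    E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF""")

# RFC 2409, section 6.2: Second Oakley Group (1024 bits), generator 2.
P_GROUP2 = _hex("""
    FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
    29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
    EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
    E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
    EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
    FFFFFFFF FFFFFFFF""")

# RFC 3526, section 3: 2048-bit MODP Group (group 14), generator 2.
P_GROUP2048 = _hex("""
    FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
    29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
    EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
    E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
    EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
    C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
    83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
    670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
    E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
    DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
    15728E5A 8AACAA68 FFFFFFFF FFFFFFFF""")

# Windows group name -> (prime modulus, generator).  All three use g = 2.
DH_GROUPS = {1: (P_GROUP1, 2), 2: (P_GROUP2, 2), 2048: (P_GROUP2048, 2)}

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; a sanity check on the constants."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_keypair(group: int):
    """Random private exponent and the public value g^x mod p for one peer."""
    p, g = DH_GROUPS[group]
    priv = secrets.randbelow(p - 2) + 1          # 1 <= priv <= p - 2
    return priv, pow(g, priv, p)

def dh_shared(group: int, priv: int, peer_pub: int) -> int:
    p, _ = DH_GROUPS[group]
    return pow(peer_pub, priv, p)

def main_mode(initiator_group: int, responder_group: int):
    """Return master key material, or None when the peers' groups differ.
    The group cannot be switched during the negotiation, so mismatched
    groups simply fail instead of falling back to a weaker group."""
    if initiator_group != responder_group or initiator_group not in DH_GROUPS:
        return None
    group = initiator_group
    i_priv, i_pub = dh_keypair(group)
    r_priv, r_pub = dh_keypair(group)
    secret = dh_shared(group, i_priv, r_pub)
    if secret != dh_shared(group, r_priv, i_pub):
        raise RuntimeError("peers derived different shared secrets")
    size = (DH_GROUPS[group][0].bit_length() + 7) // 8
    # Real IKE mixes the exchanged nonces in here; a fixed label stands in for them.
    return hmac.new(b"main-mode-nonces", secret.to_bytes(size, "big"), hashlib.sha1).digest()

def quick_mode_session_key(master: bytes, spi: int, group: int = 2, pfs: bool = False) -> bytes:
    """Quick-mode session key for one security association.  Without PFS every
    session key is derived from the main-mode master key material; with PFS a
    fresh Diffie-Hellman exchange supplies new master material per session key
    (master key PFS additionally reauthenticates the main-mode SA)."""
    if pfs:
        master = main_mode(group, group)
    return hmac.new(master, b"quick-mode|" + spi.to_bytes(4, "big"), hashlib.sha1).digest()
```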
    For a standard level of security, it is generally recommended that all of the IKE settings (for example, master key PFS and key lifetime) and security methods remain at their defaults.
    Computers running Windows 2000 must have the High Encryption Pack or Service Pack 2 (or later) installed in order to use the 3DES algorithm. If a computer running Windows 2000 receives a 3DES setting, but does not have the High Encryption Pack or Service Pack 2 (or later) installed, the 3DES setting in the security method is set to the weaker DES, to provide some level of confidentiality for communication, rather than blocking all communication. However, you should only use DES as a fallback option if not all computers in your environment support the use of 3DES. Computers running Windows XP or a Windows Server 2003 operating system support 3DES and do not require installation of the High Encryption Pack.
  • Delivery Note
    See slide on URL authorization in IIS module
    Authorization Manager provides a flexible framework for integrating role-based access control into applications. It enables administrators who use those applications to provide access through assigned user roles that relate to job functions. Authorization Manager applications store authorization policy in the form of authorization stores that are stored in Active Directory or XML files and apply authorization policy at runtime.
    Additional Reading
    Network administrators, Information Technology specialists, and others responsible for computer-related infrastructure are most effective when they help people do their jobs. The role-based management model enables you to assign users to roles. The settings that authorize users for specific roles are made automatically, by means of scripts. The scripts, called authorization rules, enable you to apply fine-grained control over the mapping between access control and the structure of your organization.
    Role-based administration is often used to facilitate authorization and computer configuration. Authorization and computer configuration are two categories of roles that you can manage by using role-based administration.
    Authorization roles are based on a user's job function. You can use authorization roles to authorize access, to delegate administrative privileges, or to manage interaction with computer-based resources. For example, you might define a Treasurer role that includes the right to authorize expenditures and audit account transactions. Authorization Manager enables administrators to implement this type of role-based administration through applications.
    Computer configuration roles are based on a computer's function. You can use computer configuration roles to select features that you want to install, to enable services, and to select options. For example, server roles might be defined for Web servers, domain controllers, file servers, and custom server configurations that are appropriate to your organization.
    Using developer mode and administrator mode in Authorization Manager
    With Authorization Manager, you can use the following two modes:
    Developer mode. In developer mode, you can create, deploy, and maintain applications. You have unrestricted access to all of the Authorization Manager features.
    Administrator mode. This is the default mode. In administrator mode, you can deploy and maintain applications. You have access to all Authorization Manager features, but you cannot create new applications or define operations.
    Applications that support roles usually create an authorization store, or use an existing authorization store, with pre-defined operations and tasks. In that case developer mode need not be used.
    When you use developer mode, it is recommended that you run Authorization Manager in developer mode only until the authorization store, application, and other necessary objects are created and configured. After you initially set up Authorization Manager, run Authorization Manager in administrator mode.
    Roles, tasks, and operations
    A role is a set of permissions that a user must have to do a job. Well-designed roles should correspond to a job category or responsibility (for example, receptionist, hiring manager, or archivist) and be named accordingly. With Authorization Manager, you can add users to a role to authorize them for the job.
    A task is a collection of operations, and sometimes other tasks. Well-designed tasks are inclusive enough to represent work items that are recognizable (for example, "change password" or "submit expense").
    An operation is a set of permissions that you associate with system-level or API-level security procedures like WriteAttributes or ReadAttributes. You use operations as building blocks for tasks.
  • Delivery Note
    See section in GPO Module – already discussed
    GPO can be used to restrict software installation and execution. This feature originated in Windows XP and allows administrators to specify which applications can or cannot be run by users on their workstations.
    Several different rules can be used to restrict users. For more information about these rules please refer to the additional reading.
    Software restriction policies integrate with the operating system and common scripting runtimes to control the running of software at execution time by:
    Providing a way to define a list of what is trusted code versus what is not.
    Providing a flexible, policy-based approach that allows administrators to regulate scripts, executables, and ActiveX controls.
    Enforcing the policy automatically without popping up dialog boxes to the user.
    Additional Reading
    Software restriction policies
    Software restriction policies address the need to regulate unknown or untrusted software. With the rise in the use of networks, the Internet, and e-mail for business computing, users find themselves exposed to new software in a variety of ways. Users must constantly make decisions about running unknown software. Viruses and Trojan horses often intentionally misrepresent themselves to trick users into running them. It is difficult for users to make safe choices about what software they should run.
    With software restriction policies, you can protect your computing environment from untrusted software by identifying and specifying what software is allowed to run. You can define a default security level of Unrestricted or Disallowed for a Group Policy object (GPO) so that software is either allowed or not allowed to run by default. You can make exceptions to this default security level by creating software restriction policies rules for specific software. For example, if the default security level is set to Disallowed, you can create rules that allow specific software to run. The types of rules are as follows:
    Hash rules
    Certificate rules
    Path rules (including registry path rules)
    Internet zone rules
    Software restriction policies consist of the default security level and all the rules that apply to a GPO. Software restriction policies can be applied across a domain, to local computers, or to individual users. Software restriction policies provide a number of ways to identify software, and they provide a policy-based infrastructure to enforce decisions about whether the identified software can run. With software restriction policies, when users execute software programs, they must adhere to the guidelines that are set up by administrators.
    With software restriction policies, you can:
    Control the ability of software to run on your system. For example, if you are concerned about users receiving viruses through e-mail, you can apply a policy setting that does not allow certain file types to run in the e-mail attachment directory of your e-mail program.
    Permit users to run only specific files on multiuser computers. For example, if you have multiple users on your computers, you can set up software restriction policies in such a way that users do not have access to any software except the specific files that are necessary for their work.
    Decide who can add trusted publishers to your computer.
    Control whether software restriction policies affect all users or just certain users on a computer.
    Prevent any files from running on your local computer, organizational unit, site, or domain. For example, if your system has a known virus, you can use software restriction policies to stop a computer from opening the file that contains the virus.
    Software restriction policies should not be used as a replacement for antivirus software.
    Additional reading
    Security levels and additional rules
    For software restriction policies, the security level options are:
    Unrestricted, which allows software to run with the full rights of the user who is logged on to the computer.
    Disallowed, which does not allow the software to run.
    You can use the following rules to make exceptions to the default security level for software restriction policies. For example, if the default security level is Disallowed, you can create a path rule that makes an exception to the default security level and allows a software program to run.
    More than one rule can be applied to software. When this happens, the rule with the highest precedence determines if the software will run or not run.
    Hash rule
    A hash is a series of bytes with a fixed length that uniquely identifies a software program or file. The hash is computed by a hash algorithm (Message Digest 5 algorithm). When a hash rule is created for a software program, software restriction policies calculate a hash of the program. When a user tries to open a software program, a hash of the program is compared to existing hash rules for software restriction policies. The hash of a software program is always the same, regardless of where the program is located on the computer. However, if a software program is altered in any way, its hash also changes, and it no longer matches the hash in the hash rule for software restriction policies.
    For example, you can create a hash rule and set the security level to Disallowed to prevent users from running a certain file. A file can be renamed or moved to another folder and still result in the same hash. However, any changes to the file itself also change its hash value and allow the file to bypass restrictions.
    Certificate rule
    Software restriction policies can also identify software by its signing certificate. You can create a certificate rule that identifies software and then allows or does not allow the software to run, depending on the security level. For example, you can use certificate rules to automatically trust software from a trusted source in a domain without prompting the user. You can also use certificate rules to run files in disallowed areas of your operating system.
    Certificate rules are not enabled by default.
    Path rule
    A path rule identifies software by its file path. For example, if you have a computer that has a default security level of Disallowed, you can still grant unrestricted access to a specific folder for each user. You can create a path rule by using the file path and setting the security level of the path rule to Unrestricted. Some common paths for this type of rule are %userprofile%, %windir%, %appdata%, %programfiles%, and %temp%. You can also create registry path rules that use the registry key of the software as its path.
    Because these rules are specified by the path, if a software program is moved, the path rule no longer applies.
    Internet zone rule
    Zone rules apply only to Windows Installer packages.
    A zone rule can identify software from a zone that is specified through Internet Explorer. These zones are Internet, Intranet, Restricted sites, Trusted sites, and My Computer.
    Precedence of software restriction policies rules
    You can apply several software restriction policies rules to the same software. The rules are applied in the following order of precedence, from highest to lowest:
    Hash rule
    Certificate rule
    Path rule
    Internet zone rule
    For example, if you create a hash rule with a security level of Unrestricted for a software program that resides in a folder that has a path rule assigned to it with a security level of Disallowed, the program will run. The hash rule takes precedence over the path rule.
    If two path rules are assigned to the same object, the more specific rule takes precedence. For example, if there is a path rule for C:\Windows\ with a security level of Disallowed, but there is also a path rule for C:\Windows\System32\ with a security level of Unrestricted, the more specific path rule takes precedence. Software programs in C:\Windows\ will not run, but programs in C:\Windows\System32\ will run.
    If two identical rules with differing security levels are applied to software, the more conservative rule takes precedence. For example, if two hash rules—one with a security level of Disallowed and one with a security level of Unrestricted—are applied to the same software program, the rule with a security level of Disallowed takes precedence, and the program will not run.
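The precedence and tie-break rules above, together with the hash-rule behaviour described under Hash rule, as an added Python model (not Microsoft's implementation): the Rule and Program types, the sample paths and the environment-variable expansions are constructed for the illustration, and MD5 is used because the text names it as the hash algorithm.

```python
"""Software restriction policy (SRP) rule evaluation, modelled in Python.

Added illustration, not Microsoft's implementation.  It applies the rules in
the text: hash > certificate > path > zone precedence, the more specific path
rule wins, and identical rules with differing levels resolve to Disallowed.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# Lower number = higher precedence, in the order the text gives.
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}

# Constructed expansions for the environment-variable paths the text lists.
ENV = {
    "%windir%": r"C:\Windows",
    "%programfiles%": r"C:\Program Files",
    "%userprofile%": r"C:\Documents and Settings\alice",
}


@dataclass(frozen=True)
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    match: str   # MD5 hex digest, publisher name, (folder) path, or zone name
    level: str   # UNRESTRICTED or DISALLOWED


@dataclass(frozen=True)
class Program:
    """What the policy sees when a file is about to run (constructed)."""
    path: str
    content: bytes
    publisher: Optional[str] = None   # subject of the signing certificate, if signed
    zone: Optional[str] = None        # Internet Explorer zone; Windows Installer packages only


def program_hash(content: bytes) -> str:
    """Hash rules identify a file by an MD5 digest of its bytes, so renaming or
    moving the file leaves the hash unchanged while any edit changes it."""
    return hashlib.md5(content).hexdigest()


def _norm(path: str) -> str:
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path.replace("/", "\\").lower()   # Windows paths are case-insensitive


def path_matches(rule_path: str, file_path: str) -> bool:
    rule, file = _norm(rule_path), _norm(file_path)
    if rule.endswith("\\"):                   # folder rule covers everything beneath it
        return file.startswith(rule)
    return file == rule or file.startswith(rule + "\\")


def rule_matches(rule: Rule, program: Program) -> bool:
    if rule.kind == "hash":
        return rule.match.lower() == program_hash(program.content)
    if rule.kind == "certificate":
        return program.publisher is not None and program.publisher == rule.match
    if rule.kind == "path":
        return path_matches(rule.match, program.path)
    if rule.kind == "zone":
        return program.zone is not None and program.zone == rule.match
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def decide(default_level: str, rules: List[Rule], program: Program) -> str:
    """Security level that applies when `program` is about to run."""
    matching = [r for r in rules if rule_matches(r, program)]
    if not matching:
        return default_level                  # only the GPO default applies
    best = min(PRECEDENCE[r.kind] for r in matching)
    candidates = [r for r in matching if PRECEDENCE[r.kind] == best]
    if candidates[0].kind == "path":
        # Of several matching path rules the more specific (longer) one wins.
        longest = max(len(_norm(r.match)) for r in candidates)
        candidates = [r for r in candidates if len(_norm(r.match)) == longest]
    # Identical rules with differing levels: the more conservative one wins.
    if any(r.level == DISALLOWED for r in candidates):
        return DISALLOWED
    return UNRESTRICTED


if __name__ == "__main__":
    # The worked example from the text: C:\Windows\ Disallowed, System32 Unrestricted.
    policy = [Rule("path", "%windir%\\", DISALLOWED),
              Rule("path", "%windir%\\System32\\", UNRESTRICTED)]
    image = b"MZ constructed executable image"
    for exe in (r"C:\Windows\regedit.exe", r"C:\Windows\System32\notepad.exe"):
        print(exe, "->", decide(UNRESTRICTED, policy, Program(exe, image)))
```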
  • Delivery Note
    New Features for Certificate Services
    Windows Standard Server 2003, Windows Enterprise Server 2003, and Windows Datacenter Server 2003 have a number of new features and improvements related to Certificate Services and public key infrastructure (PKI). A few new procedures are also provided to demonstrate certificate template editing features and certificate autoenrollment for users and computers.
    New PKI Features in Windows Standard Server 2003, Windows Enterprise Server 2003, and Windows Datacenter Server 2003
    Editable certificate templates and the Certificate Templates MMC snap-in
    Certificate templates were available in Windows 2000 Certificate Services, but they could not be modified or changed. In the Windows Server 2003 family, there is a new Certificate Templates MMC snap-in that enables administrators to:
    Create a new certificate template by duplicating and renaming an existing template.
    Modify template properties such as certificate validity period, renewal period, cryptographic service provider (CSP), key size, and key archival.
    Establish and apply enrollment policies, issuance policies and application policies.
    For example, in Windows 2000, a user can enroll for a certificate themselves, or an enrollment agent can enroll for a certificate on their behalf. A significant issue with this scenario is that an enrollment agent can enroll for any user in the enterprise. This means the enrollment agent certificate is very powerful, and only very trusted people may have access to it. However, there are many scenarios where it is necessary to restrict which accounts an enrollment agent can request certificates for. For example, a manager may need to be able to enroll their reports, or a local administrator may need to be able to issue smart cards to people in his building. In the Windows Server 2003 family it is possible to delegate who may approve a certificate enrollment and whom an enrollment agent may enroll.
    Allow for autoenrollment for certificates based on the template
    Set access control on certificate templates to establish which users or computers can enroll and autoenroll for certificates.
    There are now two different versions of certificate templates for Windows server operating systems. Windows 2000 clients and certificate services can only use version 1 templates. Windows XP and Windows Server 2003 family clients and certificate services will support both version 1 and version 2 templates. Version 1 templates are read-only, but when they are duplicated, the duplicate template is an editable version 2 template.
    Certificate autoenrollment and autorenewal for all subjects
    In Windows 2000 it was possible to autoenroll for EFS certificates and computer certificates; however, autoenrollment for users was not possible. The new autoenrollment feature improves both the user and computer enrollment experience. A member of the Enterprise Admins group can specify the types of certificates that any entity should automatically be issued. The enterprise administrator controls autoenrollment by setting security permissions on certificate templates using the Certificate Templates snap-in. A Windows XP or Windows Server 2003 family client then accesses the templates in Active Directory and, if access has been granted, enrolls for those certificates.
    Autorenewal is a new feature similar to autoenrollment and the same mechanism on the templates is used to control who can autorenew a certificate. Every certificate in the certificate store that has a template extension can potentially be autorenewed by the system. This means that applications no longer need to worry about certificates expiring.
    Delta CRLs
    Many applications require up-to-date certificate revocation status information. This requires the certification authority (CA) to frequently publish a new certificate revocation list (CRL). A CRL is the entire list of revoked certificates, so for a CA with a large number of issued certificates, this can become a very large list. Even if there are no changes, a CA has to republish the entire list so that applications have the latest information, which involves a lot of repetition. Frequent publication of large objects in turn generates a large amount of replication traffic.
    The Windows Server 2003 family has a new feature called Delta CRLs, an option in RFC 2459. Delta CRLs are CRLs that contain the list of changes in revocation status from a full "base" CRL. Because delta CRLs are a list of changes and not a restatement of the entire CRL, they are typically much smaller and generate significantly less replication traffic than large base CRLs.
    Role-based administration
    Certificate Services in Windows Standard Server 2003, Windows Enterprise Server 2003, and Windows Datacenter Server 2003 allows for the separation of roles for the management and maintenance of a CA. Role separation is not enforced by default, but you can choose to enforce assigned roles.
    Key archival and recovery
    With the Windows Server 2003 family, you can configure a CA to archive the keys associated with the certificates it issues. If necessary, you can then recover lost keys through the use of a key recovery agent certificate.
    Event auditing
    Event auditing provides the ability to log most events that occur on a CA. This can be useful for monitoring the activities of a CA or the administrative functions, such as certificate issuance and role changes.
    Qualified subordination
    Qualified subordination in the Windows Server 2003 family is an extension of standard CA subordination that allows you to:
    Define the namespaces for which a subordinate CA will issue certificates.
    Specify the acceptable uses of certificates issued by a qualified subordinate CA.
    Enable a certificate to be used in separate certification hierarchies.
    New Certutil.exe commands
    certutil -dspublish [cert|crl]
    Publishes the CA certificate or the certificate revocation list to Active Directory
  • Delivery Note
    NOTE: More information on IIS 6.0 is available in the IIS 6.0 Module in this course.
    IIS 6.0 Security Boost
    Digest Authentication
    Digest authentication allows secure and robust authentication of users across proxy servers and firewalls. In addition, anonymous authentication, basic authentication, and integrated Windows authentication are still available.
    Advanced Digest Authentication
    Advanced digest authentication makes improvements over basic authentication because credentials are sent over the network as an MD5 hash and are stored as such in the Active Directory of the domain controller. This mechanism makes it extremely difficult for intruders to discover users' passwords and does not require you to modify your applications.
    Secure Communications
    Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) provide a secure way to exchange information between clients and servers. In addition, SSL 3.0 and TLS provide a way for the server to verify who the client is before the user logs on to the server. In IIS, client certificates are exposed to both ISAPI and Active Server Pages, so that programmers can track users through their sites. Also, IIS can map the client certificate to a Windows user account, so that administrators can control access to system resources based on the client certificate.
    Server-Gated Cryptography
    Server-Gated Cryptography (SGC) is an extension of SSL that allows financial institutions with export versions of IIS to use strong 128-bit encryption. Although SGC capabilities are built into IIS, a special SGC certificate is required to use SGC.
    Selectable Cryptographic Service Provider (CSP)
    Secure Sockets Layer provides a secure way to exchange information between clients and servers. However, the CPU has to perform intensive cryptography, which degrades performance. IIS offers the Selectable Cryptographic Service Provider, which allows you to select a cryptographic provider that suits your needs. Each provider can create a public and private key for encrypting data sent to and from the Web server. The private key is stored at the server on hardware, on a PCI card, on a SmartCard, or in the registry, as it is for the two default providers Microsoft installs. Storing the private key on hardware allows you to plug into hardware-based accelerator cards that perform cryptographic computations instead of the server. From IIS Manager, you can easily select either the Microsoft providers or installed third-party CryptoAPI providers. All CryptoAPI providers implement the same methods, so you can switch between providers without having to change your code.
    Configurable Worker Process Identity
    To thwart system attackers and malicious users, you can configure application pools, and therefore the worker processes executing within them, to run under an account with lower privileges than LocalSystem. If you provide services to Internet users, you can allow your customers to upload static content and executable code. Erroneous code will not cause the Web service or the computer to fail; only the application will fail.
    Security Wizards
    Security wizards simplify server administration tasks.
    The Web Server Certificate Wizard simplifies certificate administration tasks, such as creating certificate requests and managing the certificate life cycle.
    The CTL wizard helps you configure your certificate trust lists (CTLs). A CTL is a list of trusted certification authorities (CAs) for a particular directory. CTLs are especially useful for Internet service providers (ISPs) who have several Web sites on their server and who need to have a different list of approved certification authorities for each site.
    IP and Internet Domain Restrictions
    You can grant or deny Web access to individual computers, groups of computers, or entire domains.
    Kerberos V5 Authentication Protocol Compliance
    IIS is fully integrated with the Kerberos V5 authentication protocol implemented in members of the Windows Server 2003 family, allowing you to pass authentication credentials among connected computers running Windows.
    Certificate Storage
    IIS certificate storage is now integrated with the Windows CryptoAPI storage. The Windows Certificate Manager provides a single point of entry that allows you to store, back up, and configure server certificates.
    Additional Reading
    One of the most important changes in IIS 6.0 addresses Web server security. In order to take a more proactive stance against malicious users and attackers, IIS is not installed by default on members of the Microsoft Windows Server 2003 family.
    Important: Even when you do install IIS, the service is installed in a highly secure and "locked" mode. By default, IIS serves only static content, meaning that features like ASP, ASP.NET, Server-Side Includes, WebDAV publishing, and FrontPage® Server Extensions do not work unless enabled. If you do not enable this functionality after installing IIS, IIS returns a 404 error. You can serve dynamic content and enable these features through the Web Service Extensions node in IIS Manager. Also, if an application extension is not mapped in IIS, IIS returns a 404 error.
    With the Web Server Certificate Wizard and the CTL Wizard, you can synchronize Web and NTFS security settings, obtain and install server certificates, and create and modify certificate trust lists. You can also select a cryptographic service provider (CSP) for encrypting data with a certificate.
    Other security changes in IIS 6.0 include the following:
    Disabled on upgrades: The World Wide Web Publishing Service (WWW service) is disabled on Windows Server 2003 family upgrades, unless one of the following is true:
    You have already run the IIS Lockdown Wizard on your Windows 2000 Server before starting the upgrade process. The IIS Lockdown Wizard reduces the attack surface by disabling unnecessary features, and it allows you to decide which features to enable for your site. The IIS Lockdown Wizard is available at IIS Lockdown Tool.
    Important If you use the WWW service, we strongly recommend that you run the IIS Lockdown Wizard on your Windows 2000 Server before upgrading to a product in the Windows Server 2003 family. The IIS Lockdown Wizard will help secure your computer by disabling or removing unnecessary features that are present in your Windows 2000 Server installation. These features would otherwise have remained on your machine after upgrading, leaving your server vulnerable to attacks.
    The registry key RetainW3SVCStatus has been added to the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC. Under RetainW3SVCStatus, you can add any value and then assign a DWORD value to it. For example, you can create the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\RetainW3SVCStatus\do_not_disable with the DWORD value of 1.
    In the unattended install case, an entry "DisableWebServiceOnUpgrade = false" exists in the unattended install script.
    Disabling IIS through Group Policy: With members of the Windows Server 2003 family, domain administrators can prevent users from installing IIS on their machines.
    Running as an account with a low level of access rights: IIS worker processes run in a user context of few access rights. This drastically reduces the effect of potential attacks.
    Secure ASP: All ASP built-in functions always run as the account with very few access rights, IUSR_computername.
    Restriction on running executables: In order to run most executables in the system folder (such as cmd.exe) you must be a member of the Administrators group, the LocalSystem, Interactive, or Service account. This restriction limits remote access to Administrators, so anonymous users cannot run executables.
    Patch management: With patch management, administrators can get the latest security patches installed without interrupting service.
    Known extensions: IIS serves requests only to files with known file name extensions. The server rejects requests for content where the file name extension is not mapped to a known extension.
    Write protection for content: Anonymous users (running as IUSR_computername account) are denied write access to Web content by default.
    Timeouts and limits: In IIS 6.0, settings are set to aggressive and secure defaults to minimize attacks due to timeouts and limits that were previously too generous.
    Upload data limitations: Administrators can limit the data that can be uploaded to a server.
    Buffer overflow protection: Worker processes detect and exit programs if a buffer overflow is detected.
    File verification: IIS verifies whether the requested content exists before it gives the request to a request handler (ISAPI extension).
    Index this resource: This permission is now enabled by default.
    Script source access: This permission, which allows access to the source code of scripts in ASP pages and other scripts, is new and is disabled by default. It is available if either the Read or Write permission is selected.
    Sub-authentication: This is no longer enabled by default on a new installation of IIS 6.0. For more information, see the "Using Sub-Authentication" section in Anonymous Authentication.
    UNC authentication: In this version of IIS, the UNC authentication method checks for user credentials. For more information, see UNC Authentication.
    New policy: The Prevent IIS from Installing policy has been added to the Windows Server 2003 family of products. This policy allows a domain administrator to control which computers in the domain can install IIS.
    Fortezza: Support for this has been removed.
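The "known extensions" and "file verification" defaults listed above amount to a default-deny gate in front of every request handler. The following is an added example (my own Python model, not IIS or Microsoft code) of that gate: unmapped extensions get a 404 even when the file exists, the file must exist before anything is handed to a handler, and path segments that would climb above the content root are refused. The content root, the default document name and the handler names are constructed for the example.

```python
"""Added example, not code from IIS: a request gate modelled on the IIS 6.0
defaults described in the notes.  Extensions that are not mapped get a 404
even when the file exists, the file must exist before the request is handed
to a handler, and path segments that would climb above the content root are
refused.  Content root, default document and handler names are constructed."""
import os
import tempfile

# Static content types served by the default ("locked") installation.
STATIC_EXTENSIONS = frozenset({".htm", ".html", ".css", ".gif", ".jpg", ".js", ".txt"})


def route_request(content_root, url_path, handlers=None):
    """Return (status, handler) for one request.

    handlers maps a file extension to the dynamic handler that a Web Service
    Extension enabled for it, e.g. {".asp": "asp.dll"} (hypothetical name);
    it is empty by default, matching the locked installation.  handler is
    "static", the mapped handler name, or None together with status 404.
    """
    handlers = dict(handlers or {})
    parts = []
    for seg in url_path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return 404, None       # would climb above the content root
            parts.pop()
        else:
            parts.append(seg)
    if not parts:
        parts = ["default.htm"]        # constructed default document name
    ext = os.path.splitext(parts[-1])[1].lower()
    if ext in handlers:
        handler = handlers[ext]
    elif ext in STATIC_EXTENSIONS:
        handler = "static"
    else:
        return 404, None               # unmapped extension: answer 404
    physical = os.path.join(content_root, *parts)
    if not os.path.isfile(physical):   # verify the content exists before hand-off
        return 404, None
    return 200, handler


def make_sample_root():
    """Create a throwaway content root holding a static page and an ASP page."""
    root = tempfile.mkdtemp(prefix="iis-example-")
    for name in ("default.htm", "app.asp"):
        with open(os.path.join(root, name), "w") as f:
            f.write("sample")
    return root


if __name__ == "__main__":
    root = make_sample_root()
    for url in ("/", "/app.asp", "/../app.asp", "/missing.htm"):
        print(url, route_request(root, url), route_request(root, url, {".asp": "asp.dll"}))
```

Run as a script it prints each request twice, once against the locked defaults and once with an ASP mapping enabled; app.asp is served only in the second case, which is exactly the effect of enabling a Web Service Extension.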
    Isolating FTP Users
    FTP user isolation is a solution for Internet service providers (ISPs) and Application service providers who want to offer their customers individual FTP directories for uploading files and Web content. FTP user isolation prevents users from viewing or overwriting other users' Web content by restricting users to their own directories. Users cannot navigate higher up the directory tree because the top-level directory appears as the root of the FTP service. Within their specific site, users have the ability to create, modify, or delete files and folders.
    FTP user isolation is a site property, not a server property. It can be turned on or off for each FTP site.
    FTP User Isolation Modes
    FTP user isolation supports three isolation modes. Each mode enables different levels of isolation and authentication:
    1. Do not isolate users
    This mode does not enable FTP user isolation. This mode is designed to work similarly to earlier versions of IIS. Because isolation is not enforced among different users logging on to your FTP server, this mode is ideal for a site that offers only download capabilities for shared content or for sites that do not require protection of data access between users.
    2. Isolate users
    This mode authenticates users against local or domain accounts before they can access the home directory that matches their user name. All user home directories are in a directory structure under a single FTP root directory where each user is placed and restricted to their home directory. Users are not permitted to navigate out of their home directory. If users need access to dedicated shared folders, you can also establish a virtual root. This mode does not authenticate against Active Directory directory service.
    Note Server performance can degrade when this mode is used to create hundreds of home directories.
    3. Isolate users using Active Directory
    This mode authenticates user credentials against a corresponding Active Directory container, rather than searching the entire Active Directory, which requires large amounts of processing time. Specific FTP server instances can be dedicated to each customer to ensure data integrity and isolation. When a user's object is located within the Active Directory container, the FTPRoot and FTPDir properties are extracted to provide the full path to the user's home directory. If the FTP service can successfully access the path, the user is placed within the home directory, which represents the FTP root location. The user sees only their FTP root location and is, therefore, restricted from navigating higher up the directory tree. The user is denied access if either the FTPRoot or FTPDir property does not exist, or if the two together do not form a valid and accessible path.
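The two rules that make the isolation modes work are the home directory computation (FTPRoot plus FTPDir, deny if either is missing) and the refusal to let a client path climb above that home. The following is an added example (my own Python, not IIS code) of both rules. Paths use forward slashes so it runs on any platform; the FTPRoot, FTPDir and user names are constructed.

```python
"""Added example, not code from IIS: confining each FTP user to a home
directory as the isolation modes describe.  home_directory applies the Active
Directory rule (FTPRoot and FTPDir must both exist and form a path under
FTPRoot); resolve maps every client path to a physical path under that home
and refuses anything that would climb above it.  All sample values constructed."""
import posixpath


def home_directory(ftp_root, ftp_dir):
    """Combine the FTPRoot and FTPDir properties into the user's home.

    Returns None (access denied) when either property is missing, or when the
    combined path does not lie strictly below FTPRoot.  A leading slash in
    FTPDir is stripped so it cannot replace FTPRoot outright.
    """
    if not ftp_root or not ftp_dir:
        return None
    root = posixpath.normpath(ftp_root)
    home = posixpath.normpath(posixpath.join(root, ftp_dir.lstrip("/\\")))
    if home == root or not home.startswith(root.rstrip("/") + "/"):
        return None                    # FTPDir pointed outside FTPRoot
    return home


def resolve(home, cwd, requested):
    """Map a client path to a physical path inside the user's home.

    cwd is the user's current virtual directory (already validated by an
    earlier call) and requested is what the client sent; "/" is the user's
    own home.  Returns None when the request would leave the home.  The real
    service simply presents the home as the root; refusing the request is
    the stricter choice made for this example.
    """
    path = requested.replace("\\", "/")
    parts = [] if path.startswith("/") else [p for p in cwd.split("/") if p]
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None            # attempt to climb above the user's root
            parts.pop()
        else:
            parts.append(seg)
    return posixpath.join(home, *parts) if parts else home


if __name__ == "__main__":
    home = home_directory("/ftproot", "contoso/alice")
    print(home)
    for req in ("docs/report.txt", "..", "../bob", "..\\..\\bob"):
        print(req, "->", resolve(home, "/docs", req))
```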
  • Microsoft has a good white paper entitled “Security Administration Operations Guide” on TechNet, as part of the Windows Operations Guide. Likewise, the Windows 2000 Server manual includes a comprehensive chapter on security topics, including lots of useful checklists.
    The “MS Security Configuration Tool Set” and the “Group Policy” items in the Windows 2000 Technical Notes provide excellent coverage of how the OS provides account management through Active Directory services. Worth reading.
    Kerberos is covered in more detail later (and ample pointers occur in our handouts) but the Technical Notes entitled “Windows 2000 Kerberos Authentication” and “Windows 2000 Kerberos Interoperability” are especially good introductions.
    The Windows 2000 Server Product Facts include a white paper entitled “An Introduction to the Windows 2000 Public-Key Infrastructure” that’s well worth reading.
    The Windows 2000 Server manual chapter on security includes discussion of certificates and certificate services, as does the Technical Note entitled “Windows 2000 Certificate Services.”
    The Technical Note entitled “Encrypting File System for Windows 2000” brings lots of details together that are otherwise scattered among lots of other documents. A good place to start learning more about EFS.
    Buried in the Internet section of the Technologies documentation on Technet, you’ll find a paper entitled “The MS Internet Security Framework.” Though somewhat outdated, it’s still quite accurate for Windows 2000 and it offers the best discussion of Microsoft’s various secure channel protocols available anywhere, including coverage of SSL, PCT, TLS, and more. It’s too old (1997) to cover newer protocols and services like IPSec and L2TP, though.
    The Windows 2000 Server Product Facts include a paper entitled “Windows 2000 Distributed Security Features” that covers DPA and related distributed security protocols and services that are key to Microsoft’s emerging .NET strategy and capabilities. DPA is already used at MSN and CompuServe; it allows users to use a single password across multiple sites.
    The Windows 2000 Advanced Server manuals include two sections: “Routing and Remote Access” and “Virtual Private Networks” that cover IPSec and L2TP nicely and at some length. Good places to start learning more about how these technologies work in Windows 2000.
    Transitive trusts refer to the notion that all domains in an Active Directory domain forest automatically have two-way trusts between all pairs of members. This requires creating far fewer manual trust relationships than in Windows NT, and simplifies administration greatly.
  • Logon control refers to Windows built-in, secure WinLogon subsystem, which can be replaced with alternative subsystems and authentication mechanisms—such as smart cards, biometrics, and the like.
    User accounts provide ways to manage security and other settings on an individual basis. Though inefficient for all circumstances, this mechanism provides extremely fine granularity to the system’s ability to manage user access, privileges, rights, and permissions.
    Groups provide ways to manage security and other settings for multiple individuals at once, by virtue of their memberships in one or more such groups. Microsoft and most security experts recommend that you do as much user management through group memberships as possible, to lower the number of operations required to manage security.
    Windows accounts policy settings cover password policies (history, age, length, complexity requirements, type of encryption used, etc.) and lockout behavior (duration, threshold, and reset interval). Properly applied these settings can improve overall security.
    System policies can be used to enforce external system policies to control system startup, logon banner, last logged-on user display, detect slow network connections, restrict access to Display settings in Control Panel, record and set items to run at system startup, manage color schemes, change shell and system restrictions, and disable logoff or Task Manager.
    NTFS and Share permissions provide ways to control access to NTFS file system objects locally and through file shares. Proper adjustments to basic defaults are essential to creating strong security.
    User rights apply to individual user accounts, and offer a broad range of controls over what users can and can’t do, from logging on locally or over the network to creating local users and groups. Despite the name, user rights should be managed through named groups, not individual user accounts.
    Auditing facilities are built into the Windows 2000 environment, and can be used to good effect to monitor and maintain system and network security. We discuss this topic in more detail later in this class.
  • TechNet:
    - MS Windows NT Server; MS Windows NT Server 4.0 Resource Kit; Networking Guide; Chapter 2 - Network Security and Domain Planning; Logon and Authentication Processes
  • Technet:
    1. MS Windows NT Server; Training; Windows NT Support; Setup and Configuration Issues
    2. Windows NT Workstation Resource Kit:Customizing Windows NT Logon
  • http://support.microsoft.com/support/kb/articles/Q242/5/36.asp
    See Registry entries help file from Windows 2000 Resource Kit
    See TechNet document: Technical Notes: System and Startup Settings – (Chapter 6 from Windows 2000 Registry, published by Prentice Hall)
  • KB: Q242536
    See Registry entries help file from Windows 2000 Resource Kit
    See TechNet document: Technical Notes: System and Startup Settings – (Chapter 6 from Windows 2000 Registry, published by Prentice Hall)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Winlogon\
    Value name: ForceUnlockLogon
    Data type: REG_DWORD
    Data: 1
  • The following list describes what can be contained in a group that exists in a native-mode domain:
    - Universal groups can contain user accounts, computer accounts, universal groups, and global groups from any domain. This type of group exists throughout a domain forest.
    - Global groups can contain user accounts and computer accounts from the same domain, and global groups from the same domain. This type of group exists throughout a domain.
    - Domain local groups can contain user accounts, computer accounts, universal groups, and global groups from any domain. They can also contain other domain local groups from within the same domain. This type of group exists throughout a domain.
    Security groups in a mixed-mode domain can contain only the following:
    - Local groups that can contain global groups and user accounts from trusted domains. Local groups only exist on the system where they are defined.
    - Global groups that can contain only user accounts. Global groups exist throughout a domain.
    Part of the rationale behind disabling old user accounts instead of deleting them is that an existing old account can easily be duplicated for a new user who will have the same responsibilities and work tasks.
  • All system-controlled groups are controlled exclusively by the system; Microsoft calls these groups “builtin and predefined groups”. They do not appear in Active Directory Users and Computers, except that the default groups with domain local scope are located in the Builtin folder. All these groups appear in all lists of groups when dealing with security and auditing.
    The default groups placed in the Builtin folder for Active Directory Users and Computers are:
    Account Operators
    Backup Operators
    Print Operators
    Server Operators
    By extension, the other groups not named in this list are those default groups that always appear, but that cannot be directly managed or manipulated (and are under the system’s control).
  • The Effective Policy is the cumulative effect of a legacy Windows NT 4.0 NTCONFIG.POL file, a unique Local group policy, site group policies, domain group policies, and OU (organizational unit) group policies. These policy objects are applied in the order listed. If they define inconsistent settings, the later object's settings take precedence by overwriting the settings for the former. Thus, all policy objects contribute to the Effective Policy.
    See whitepaper about Configuring Enterprise Security Policies: http://www.microsoft.com/windows/server/Deploy/security/entsecwt.asp
    LSDOU: Local, Site, Domain, Organizational Unit
  • W2K: in mixed mode the password is split into two 7-character hashes; in native mode the password is encrypted as a single string.
    Passwords are limited to 14 characters by the logon interface – both NT and W2K.
    Minimum Age set to 0 – password can be changed immediately.
    Maximum age set to 0 – password never expires
    Complexity requirements – next slide
    Reversible encryption - The intent of this policy is to provide support for applications which use protocols that require knowledge of the user password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.
  • Q174076, Q174075, Q196465
  • LC4 from @Stake: http://www.atstake.com/
    PassFilt Pro: http://www.altusnet.com/passfilt/
    Guidelines for Strong Passwords:
    How to Enable Strong Password Functionality in Windows NT: Q161990
    Password Change Filtering & Notification in Windows NT: Q151082
    Add custom items to dictionaries via L0phtcrack – can even use scripts
    Windows Guide Network’s Password Generator: http://www.winguides.com/security/password.php?guide=registry
    Password patterns: http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci762279,00.html
  • L0phtcrack is an earlier version of LC4 that’s probably still kicking around somewhere on the Internet. You can grab LC4 from:
    Please note: system admins should use these password cracking utilities on their own servers to forestall their possible use by others.
    Quakenbush’s Password Appraiser:
    - automatically find weak passwords
    - Define different password policy for each user type/group
    - export accounts/passwords to other systems
    Mention of a tool used to extract passwords from Network Monitor captured packets (dated 1996)- http://www.nmrc.org/files/nt/
    SYSKEY encrypts the SAM database with a 128-bit key. The generated key should be stored on a floppy (or other external storage device) to prevent its use by an attacker to decrypt the SAM database.
    Peter Nordahl's Offline NT Password & Registry Editor tool : http://home.eunet.no/~pnordahl/ntpasswd/
    Create bootable CD’s of Nordahl’s tool: http://www.dmzs.com/tools/files/
    NT’s SP4 fixes a vulnerability with SYSKEY’s encryption, but does not automatically apply SYSKEY to SAM.
  • Source: a Microsoft Web document which has moved - http://www.microsoft.com/ntserver/guide/auditing.asp
    Other related item:
    How to Identify User Who Changed Administrator Password (KB Q173939)
    Note: Under Windows NT’s defaults, this procedure can be used to hijack an AT task, under Windows 2000’s default settings, hijacking is thwarted.
  • Lockout duration of 0 means the account remains locked out until an administrator unlocks it manually.
    Administrator account cannot be locked out or disabled
    Only under NT can the Resource Kit tool passprop enable Administrator lockout.
    Windows NT – password and accounts policy is on the same dialog box via the User Manager for Domains.
  • Call back: it is still possible to “hijack” a predefined callback number if you can convince the phone company to forward phone numbers or lines to alternate locations. Call forwarding as a service or telephone company redirection can both be used to fool predefined callback.
    Prevent Multiple Logons:
    - can be customized to exclude Admins from the controls.
    OR – define home directories as shares with single simultaneous user restrictions.
    Disable inactive users - those who have not logged in after a specified length of time. Employ the JSILLD.BAT file to extract user names which have not logged in since a specified date. Use this info to create another batch file to set the disable option for each user via a NET USER command:
    W2K: similar controls via user account and group policy
    Autologoff idle stations: NetOff http://www.citadel.com/NetOFF.asp
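The "disable inactive users" procedure above has two steps: extract the accounts whose last logon is older than a chosen date, then generate a batch of NET USER commands that disable them. The following is an added example (my own Python, not the JSILLD.BAT script from the notes) that does both from a constructed last-logon report; `/active:no` is the NET USER switch that disables an account.

```python
"""Added example, not the JSILLD.BAT script from the notes: pick out accounts
that have not logged on since a cutoff date and produce the NET USER commands
that disable them.  The report format (user name, tab, last logon date or
"Never") and the account names are constructed for the example."""
from datetime import date

# Constructed report of the kind a last-logon extraction tool would produce.
SAMPLE_REPORT = """\
alice\t2004-04-30
bob\t2003-11-02
carol\tNever
Administrator\t2002-01-01
"""


def stale_accounts(report, cutoff, exempt=("Administrator",)):
    """Return the names whose last logon is before cutoff (YYYY-MM-DD) or
    who never logged on.  The built-in Administrator is exempted because the
    notes say it cannot be disabled; service accounts belong in exempt too."""
    cutoff_date = date.fromisoformat(cutoff)
    stale = []
    for line in report.splitlines():
        if not line.strip():
            continue
        name, last = line.split("\t", 1)
        if name in exempt:
            continue
        if last == "Never" or date.fromisoformat(last) < cutoff_date:
            stale.append(name)
    return stale


def disable_commands(names):
    """One NET USER line per account, ready to be written to a batch file.
    Review the list before running it; disabling keeps the account (and its
    SID and group memberships) so it can be re-enabled or copied later."""
    return [f'net user "{name}" /active:no' for name in names]


if __name__ == "__main__":
    for cmd in disable_commands(stale_accounts(SAMPLE_REPORT, "2004-02-01")):
        print(cmd)
```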
  • DES option – RSA RC4 would be used by default
    If applications do not support Kerberos pre-authentication, it must not be required or logins won’t be possible.
  • The exact details involved in establishing and implementing an audit policy are covered in a Windows 2000 Technical Note entitled “Securing Windows 2000 Network Resources.” In that note, you’ll find a section entitled “Monitoring Security with the Event Log” that includes detailed discussion of how to set up auditing for the various classes of objects and events that the Windows audit facility can track, including information for the Event Viewer’s Security log.
  • Security Operations Guide for Windows 2000 Server - http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9989D151-5C55-4BD3-A9D2-B95A15C73E92
  • More details on these schemes are presented in the TechNet document: “Securing Windows NT 4.0 Installations”
    Some MS products, such as SMS, will use the Administrator account to perform some functions. Keep this in mind when investigating logon audit events.
  • Advanced Security options:
    Traverse Folder / Execute File
    List Folder / Read Data
    Read Attributes
    Read Extended Attributes
    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes
    Delete Subfolders and Files
    Read Permissions
    Change Permissions
    Take Ownership
  • No more “No Access” here, either!
    Maximum simultaneous users is set on the Sharing tab of the folder’s Properties dialog box.
  • Combining NTFS Permissions (R X W D P O = Read, Execute, Write, Delete, Change Permissions, Take Ownership; ~ = not granted; ^ = denied):
    Example 1:
    USER:       R X W D ~ ~ - Change
    GROUP1:     R X ~ ~ ~ ~ - Read
    GROUP2:     R X W ~ ~ ~ - Special Access
    add result: R X W D ~ ~ - Change
    Example 2:
    USER:       ~ ~ ~ ~ ~ ~ - None defined
    GROUP1:     R X ~ ~ ~ ~ - Read
    GROUP2:     R X W D ~ ~ - Change
    add result: R X W D ~ ~ - Change
    Combining Share Permissions:
    Example 1:
    USER:       R X W D P O - Full Control
    GROUP1:     R X ~ ~ ~ ~ - Read
    GROUP2:     R X W ~ ~ ~ - Special Access
    add result: R X W D P O - Full Control
    Example 2:
    USER:       ~ ~ ~ ~ ~ ~ - None defined
    GROUP1:     R X ~ ~ ~ ~ - Read
    GROUP2:     ^ ^ ^ ^ ^ ^ - Denied
    add result: ^ ^ ^ ^ ^ ^ - Denied
    Combining NTFS and Share Permissions:
    Example 1:
    NTFS:       R X W D P O - Full Control
    SHARE:      R X ~ ~ ~ ~ - Read
    AND result: R X ~ ~ ~ ~ - Read
    Example 2:
    NTFS:       R X W D ~ ~ - Change
    SHARE:      R X W D P O - Full Control
    AND result: R X W D ~ ~ - Change
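The three rules behind those worked rows are: within one permission type, the user's own entry and all group entries are added together; an explicit Deny overrides everything added; and the effective access to a share over the network is the AND (intersection) of the combined NTFS and the combined share permissions. The following is an added example (my own Python, not Microsoft code) that implements those rules in the notes' R X W D P O notation and reproduces the rows above.

```python
"""Added example, not Microsoft code: how Windows combines NTFS and share
permissions, in the R X W D P O notation of the notes.  Within one type (all
NTFS or all share entries) allows accumulate across the user's entry and
every group the user belongs to; any Deny removes those permissions; the
effective access through a share is the intersection of the two combined
sets.  Entry sets are constructed for the example."""
from typing import Dict, FrozenSet, Iterable, Tuple

# Read, eXecute, Write, Delete, change Permissions, take Ownership
ALL = frozenset("RXWDPO")

# Named permission sets as they appear on the slide.
NAMED: Dict[str, FrozenSet[str]] = {
    "None defined": frozenset(),
    "Read": frozenset("RX"),
    "Change": frozenset("RXWD"),
    "Full Control": ALL,
}

Entry = Tuple[FrozenSet[str], bool]   # (permissions, is_deny)


def combine_same_type(entries: Iterable[Entry]) -> FrozenSet[str]:
    """Combine entries of one type (all NTFS or all share).

    Allows are unioned ("add result" on the slide); every permission that
    appears in a Deny entry is then removed, because Deny always wins.
    """
    allowed, denied = set(), set()
    for perms, is_deny in entries:
        (denied if is_deny else allowed).update(perms)
    return frozenset(allowed - denied)


def effective_access(ntfs_entries: Iterable[Entry], share_entries: Iterable[Entry]) -> FrozenSet[str]:
    """Effective permissions when the folder is reached through its share:
    the AND of the combined NTFS set and the combined share set."""
    return combine_same_type(ntfs_entries) & combine_same_type(share_entries)


def describe(perms: FrozenSet[str]) -> str:
    """Render a permission set in the slide's layout, e.g. 'R X ~ ~ ~ ~ - Read'."""
    row = " ".join(c if c in perms else "~" for c in "RXWDPO")
    name = next((n for n, s in NAMED.items() if s == perms), "Special Access")
    return f"{row} - {name}"


if __name__ == "__main__":
    # NTFS example 1 from the slide: Change + Read + RXW -> Change
    ntfs1 = [(NAMED["Change"], False), (NAMED["Read"], False), (frozenset("RXW"), False)]
    # Share example 2: nothing + Read + everything denied -> Denied
    share2 = [(frozenset(), False), (NAMED["Read"], False), (ALL, True)]
    print("NTFS add result:  ", describe(combine_same_type(ntfs1)))
    print("Share add result: ", describe(combine_same_type(share2)))
    print("NTFS Full AND Share Read:", describe(effective_access([(ALL, False)], [(NAMED["Read"], False)])))
```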
  • Benefits of Kerberos Authentication
    One of Windows 2000’s design goals is to enable administrators to turn off NTLM authentication once all network clients support Kerberos authentication. The Kerberos protocol is more flexible and efficient than NTLM, and more secure. The benefits gained by using Kerberos authentication are:
    Faster connections. With NTLM authentication, an application server must connect to a domain controller to authenticate each client. With Kerberos authentication, the server does not need to go to a domain controller. It can authenticate a client by examining the client’s credentials itself. Clients can obtain credentials for a particular server once and reuse them throughout a network logon session.
    Mutual authentication. NTLM allows servers to verify client identities, but does not allow clients to verify a server’s identity, or one server to verify another’s identity. NTLM authentication was designed for a network environment where servers were assumed to be genuine. The Kerberos protocol makes no such assumption. Parties at both ends of a network connection can verify the other party’s identity.
    Delegated authentication. Windows services impersonate clients when accessing resources on their behalf. In many cases, a service can complete its work for the client by accessing resources on a local computer. Both NTLM and Kerberos provide the information that a service needs to impersonate its client locally. However, some distributed applications are designed so that a front-end service must impersonate clients when connecting to back-end services on other computers. The Kerberos protocol has a proxy mechanism that allows a service to impersonate its client when connecting to other services. No equivalent is available with NTLM.
    Simplified trust management. One of the benefits of mutual authentication in the Kerberos protocol is that trust between the security authorities for Windows 2000 domains is by default two-way and transitive. Networks with multiple domains no longer require a complex web of explicit, point-to-point trust relationships. Instead, the many domains of a large network can be organized in a tree of transitive, mutual trust. Credentials issued by the security authority for any domain are accepted everywhere in the tree. If the network includes more than one tree, credentials issued by a domain in any tree are accepted throughout the forest.
    Interoperability. Microsoft’s implementation of the Kerberos protocol is based on standards-track specifications recommended to the Internet Engineering Task Force (IETF). As a result, the implementation of the protocol in Windows 2000 lays a foundation for interoperability with other networks where Kerberos version 5 is used for authentication.
    Adapted from MS Technical Notes: “Windows 2000 Kerberos Authentication”
    Online details of Kerberos implementation in Windows 2000: http://www.microsoft.com/technet/security/kerberos/default.asp
  • Kerberos Policies
    Enforce User Logon Restrictions:
    When this option is enabled, the KDC validates every request for a session ticket by examining the user rights policy on the target computer to verify that the user has the right either to log on locally or to access the computer from the network. It is also a check to ensure the requesting account is still valid. Verification is optional because the extra step takes time and may slow network access to services. The default is Enabled.
    Maximum Lifetime That a User Ticket Can Be Renewed:
    This is the maximum lifetime of a ticket [either a Ticket Granting Ticket (TGT) or a session ticket, although the policy specifies this is for a "user ticket"]. No ticket can be renewed after this time. Default value: 7 days.
    Maximum Service Ticket Lifetime:
    A "service ticket" is a session ticket. Settings are in minutes. The setting must be more than ten minutes and less than the setting for "Maximum user ticket lifetime." Default value: 10 hours.
    Maximum Tolerance for Synchronization of Computer Clocks:
    When the KDC clock is this many minutes different from the Kerberos client's clock, tickets are not issued for the client. This is a deterrent in Replay attacks. Settings are in minutes. Default value: 5 minutes.
    Maximum User Ticket Lifetime:
    A "user ticket" is a TGT and must be renewed after this time. Default value: 10 hours.
    Quoted from KB Article Q231849 “Description of Kerberos Policies in Windows 2000”
    Windows 2000 Server Resource Kit: kerbtray.exe
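The five policies above interact: a TGT is good for the user ticket lifetime, may be renewed repeatedly but never past the renewal limit, a service ticket cannot outlive the TGT it was requested with, and a request whose timestamp is outside the clock tolerance is refused. The following is an added example (my own Python following the RFC 4120 lifetime rules, not Microsoft's KDC code) that applies the default values quoted above to constructed timestamps.

```python
"""Added example, not Microsoft code: how a KDC applies the Kerberos policy
settings listed in the notes, following the RFC 4120 lifetime rules.  The
policy values are the defaults quoted in the notes; timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_CLOCK_SKEW = timedelta(minutes=5)      # Maximum tolerance for synchronization of computer clocks
MAX_USER_TICKET = timedelta(hours=10)      # Maximum user ticket (TGT) lifetime
MAX_RENEWAL = timedelta(days=7)            # Maximum lifetime that a user ticket can be renewed
MAX_SERVICE_TICKET = timedelta(hours=10)   # Maximum service ticket lifetime

SAMPLE_NOW = datetime(2004, 5, 9, 8, 0)    # constructed KDC clock reading


def delta(**kwargs):
    """Shorthand so callers can write delta(hours=9) without importing timedelta."""
    return timedelta(**kwargs)


@dataclass(frozen=True)
class Ticket:
    issued: datetime
    endtime: datetime      # the ticket is unusable after this
    renew_till: datetime   # no renewal may extend endtime beyond this


def clock_acceptable(kdc_now, client_time):
    """Requests whose timestamp is outside the skew window are refused, which
    bounds how long a captured request remains replayable."""
    return abs(kdc_now - client_time) <= MAX_CLOCK_SKEW


def issue_tgt(kdc_now, client_time):
    """Initial authentication: a TGT good for the user ticket lifetime,
    renewable for up to the renewal limit."""
    if not clock_acceptable(kdc_now, client_time):
        return None
    return Ticket(kdc_now, kdc_now + MAX_USER_TICKET, kdc_now + MAX_RENEWAL)


def renew_tgt(ticket, kdc_now):
    """A TGT must be renewed before it expires; each renewal grants up to the
    user ticket lifetime again, but never past renew_till."""
    if kdc_now >= ticket.endtime or kdc_now >= ticket.renew_till:
        return None
    return Ticket(kdc_now, min(kdc_now + MAX_USER_TICKET, ticket.renew_till), ticket.renew_till)


def issue_service_ticket(tgt, kdc_now):
    """A session ticket gets the service ticket lifetime but never outlives
    the TGT it was requested with."""
    if kdc_now >= tgt.endtime:
        return None
    return Ticket(kdc_now, min(kdc_now + MAX_SERVICE_TICKET, tgt.endtime), tgt.renew_till)


if __name__ == "__main__":
    tgt = issue_tgt(SAMPLE_NOW, SAMPLE_NOW + delta(minutes=2))
    print("TGT:", tgt)
    print("renewed at +9h:", renew_tgt(tgt, SAMPLE_NOW + delta(hours=9)))
    print("renewed at +11h:", renew_tgt(tgt, SAMPLE_NOW + delta(hours=11)))
    print("service ticket at +5h:", issue_service_ticket(tgt, SAMPLE_NOW + delta(hours=5)))
    print("skewed client:", issue_tgt(SAMPLE_NOW, SAMPLE_NOW + delta(minutes=6)))
```

The renewal rule is what makes the 7-day limit meaningful: a workstation that keeps renewing its TGT every few hours can stay logged on for a week without re-entering a password, but not longer, and a ticket that has been allowed to expire cannot be revived by renewal at all.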
  • Removes all LM C/R messages from the network. A value of 2 on NTW prevents connections with W95, W98, and WfW. A value of 2 on NTS prevents W95 and WfW systems from communicating with the server.
    The NTLM authentication package in Windows 2000 supports three methods of challenge/response authentication:
    - LAN Manager (LM). This is the least secure form of challenge/response authentication. It is available so that computers running Windows 2000 Professional can connect in share level security mode to file shares on computers running Microsoft® Windows® for Workgroups, Windows 95, or Windows 98.
    - NTLM version 1. More secure than LM challenge/response authentication. It is available so that clients running W2K Professional can connect to servers in a Win NT domain that has at least one domain controller that is running Windows NT 4.0 Service Pack 3 or earlier.
    - NTLM version 2. Most secure form of challenge/response auth. It is used when clients running W2K Professional connect to servers in a Win NT domain where all domain controllers have been upgraded to Windows NT 4.0 Service Pack 4 or later. It is also used when clients running W2K connect to servers running Win NT in a W2K domain.
    By default, all three challenge/response mechanisms are enabled. You can disable authentication using weaker variants by setting the “LAN Manager authentication level” security option in local security policy for the computer.
  • Active Directory Client Extensions for Windows 95, Windows 98 and Windows NT Workstation 4.0: http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp
    Active Directory client extension for Microsoft Windows NT 4.0 with SP6a; Microsoft Internet Explorer 4.01 or higher:
    WAB – Windows Address Book
    SPN – service provider naming
  • A PKI (public key infrastructure) enables users of an essentially insecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an Internet standard for PKI is being worked on.
    The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure are the preferred approach on the Internet. (The private key system is sometimes known as symmetric cryptography and the public key system as asymmetric cryptography.)
    A public key infrastructure consists of:
    * A certificate authority (CA) that issues and verifies digital certificates. A certificate includes the public key or information about the public key
    * A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requestor
    * One or more directories where the certificates (with their public keys) are held
    * A certificate management system
    Quoted from whatis.com, entry "PKI".
    Best PKI resources:
    PKI: Implementing and Managing E-security. Andrew Nash, et al. RSA Press, 2001. ISBN: 0-070213123-3.
    RFC 2693 describes the elements of a secure PKI, and how it works.
    Guru Labs PKI Tutorial, references, and more: http://www.pkiguru.com/tutorial.html
    Smart Card Deployment Cookbook: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/prodtech/smrtcard/smrtcdcb/smartc00.asp
    Public Key Interoperability whitepaper: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/maintain/security/pkintop.asp
  • CA – Certificate Authority; CSP – Crypto Service Provider; CTL – Certificate Trust List
    The logical certificate stores include these categories for users, computers, and services:
    Personal. Contains individual certificates for user, service, or computer. For example, when an enterprise CA issues you a User certificate, the certificate is installed in the Personal store for your user account.
    Trusted Root Certification Authorities. Contains certificates for root CAs. Certificates with a certification path to a root CA certificate are trusted by the computer for all valid purposes of the certificate.
    Enterprise Trust. Contains CTLs. Certificates with a certification path to a CTL are trusted by the computer for purposes specified in the CTL.
    Intermediate Certification Authorities. Contains certificates for CAs that are not trusted root certificates (for example, certificates of subordinate CAs), but are required to validate certification paths.
    Active Directory User Object. Contains certificates that are published in Active Directory for a user. This store appears in the Certificates console for users only, not computers or services.
    Request. Contains pending or rejected certificate requests. This store appears only in the Certificates console once a certificate request is made for a user, computer, or service.
    SPC. Contains certificates for software publishers trusted by the computer. Software that has been digitally signed by publishers with certificates in this store is downloaded without prompting the user. By default, this store is empty. When Microsoft Internet Explorer downloads software that is signed by a software publisher for the first time, users are prompted to choose whether they want to trust all software signed by this publisher. If a user chooses to trust all software signed by the publisher, the publisher’s software publisher certificate (SPC) is added to the SPC store. This store appears in the Certificates console for local computers only, not for users or services.
    Adapted from Win2K Server Reskit: “Windows 2000 Certificate Services and Public Key Infrastructure”
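    The store descriptions above explain why a certificate only validates when every link of its path can be found: the leaf in Personal, any subordinate CA in Intermediate Certification Authorities, and the anchor in Trusted Root Certification Authorities. The following is an added example, not code from the course notes or the Resource Kit: it builds the chain for each certificate in the computer's Personal store with the .NET X509Chain class and reports which logical store each link was found in. It assumes Windows PowerShell 3.0 or later with the Cert: provider, and uses the on-disk store names (My = Personal, CA = Intermediate Certification Authorities, Root = Trusted Root Certification Authorities).

```powershell
# Added example (not from the course notes): chain-build every certificate in
# the computer's Personal store and show where each link of the path lives.
function Find-CertStore {
    param([string]$Thumbprint)
    # My = Personal, CA = Intermediate CAs, Root = Trusted Root CAs
    foreach ($store in 'My', 'CA', 'Root') {
        if (Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $Thumbprint }) {
            return $store
        }
    }
    return 'not in a local store'
}

function Get-ChainReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline check: skip CRL/OCSP so the result reflects the stores, not network reachability
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        $links = foreach ($el in $chain.ChainElements) {
            $c = $el.Certificate
            "{0} [{1}]" -f $c.Subject, (Find-CertStore -Thumbprint $c.Thumbprint)
        }
        [pscustomobject]@{
            Subject = $cert.Subject
            Trusted = $trusted                    # $false when no path reaches a Trusted Root CA
            Chain   = $links -join ' -> '
            Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '   # e.g. PartialChain, UntrustedRoot
        }
        $chain.Reset()
    }
}

Get-ChainReport | Format-List
```

    A certificate whose Status shows PartialChain is the case the notes warn about: the issuing subordinate CA certificate is missing from the Intermediate Certification Authorities store, so the path cannot be validated even though the root is trusted.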
  • http://www.ntsecurity.net/go/load.asp?iD=/security/win2k-11.htm
    Q229716, Q185590
  • http://www.ntsecurity.net/go/load.asp?iD=/security/win2k-11.htm
    Q229716, Q185590, Q241201, Q223316, Q230520, Q242296
    Within a Windows 2000 domain, any user can be designated as the EFS recovery agent. On non-domain systems, the Administrator is the EFS recovery agent.
    "Encrypting File System for Windows 2000" white paper: http://www.microsoft.com/windows2000/library/howitworks/security/encrypt.asp
    PC Guardian's Encryption Plus for Hard Disks (EPHD): http://www.pcguardian.com
  • IP Security in Windows 2000: Step-by-Step by Timothy J. Rogers: http://www.sans.org/infosecFAQ/win2000/ipsec_w2k.htm
    Windows 2000 Advanced Server Manual: Internet Protocol Security (IPSec): very detailed on operational and planning issues, with some good checklists.
  • To implement the security plan for the legal department, the administrator would take the following steps:
    1. Create a security policy called Legal and assign it to the default domain policy. As each computer in the company logs on to the domain, the computer’s policy agent would pick up the legal department security policy from the directory service. The legal department security policy would have the following negotiation policies and IP filters associated with it:
    2. Create two negotiation policies and associate with the legal department security policy:
    The first negotiation policy, Legal NP 1, is set to a service that provides confidentiality when users in the legal department are communicating with non-legal department users (“Transferred data is confidential, authentic and unmodified”: ESP security protocol).
    The second negotiation policy, Legal NP 2, is set to a service that only provides authentication and protection against modification when legal department users are communicating with each other (“Transferred data is authentic and unmodified”: AH security protocol).
    3. Create two IP Filters and associate each with a negotiation policy:
    The users in the legal department are on network with a subnet mask of
    The non-legal department users are on network with a subnet mask of
    The first IP filter, Legal IP Filter 1, is for users in the legal department who communicate to non-legal department users. It is associated with negotiation policy Legal NP1. The administrator sets the filter properties to the following values:
    · The specified IP address for the source (sender of data) is
    This address matches any IP address in the legal department’s network, since it is really an IP subnet address.
    · The specified IP address for the destination (receiver of data) is
    · Since the company’s security plan stipulates protecting all data sent over the IP protocol, the protocol type is Any.
    Legal department users communicating to other users within the department use the second IP filter, Legal IP Filter 2. It is associated with negotiation policy Legal NP 2, and the filter properties are set to the following values:
    · The specified IP address for the source (sender of data) is
    · The specified IP address for the destination (receiver of data) is
    · The protocol type is set to Any.
    Quoted from MS Technical Notes “IP Security for MS Windows 2000 Server”
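    The same design, built in the local IPSec policy store from the command line, as an added example that is not part of the course notes or the Microsoft technical note. It assumes the `netsh ipsec static` context of Windows Server 2003 or XP SP2 (Windows 2000 has no netsh ipsec context). The technical note's subnets are not on this page, so 10.1.1.0/24 (legal) and 10.1.2.0/24 (everyone else) are constructed placeholders. The `--%` token makes PowerShell pass the quoted netsh arguments through verbatim.

```powershell
# Added example (not from the course notes): the legal-department policy,
# its two filter lists, two filter actions (the notes' negotiation policies)
# and the rules that tie them together. Subnets are constructed placeholders.

# Policy container; leave unassigned until the rules have been inspected
netsh --% ipsec static add policy name="Legal" description="Legal department IPSec policy" assign=no

# Legal IP Filter 1: legal department <-> non-legal users (mirrored covers both directions)
netsh --% ipsec static add filterlist name="Legal IP Filter 1" description="Legal dept to non-legal users"
netsh --% ipsec static add filter filterlist="Legal IP Filter 1" srcaddr=10.1.1.0 srcmask=255.255.255.0 dstaddr=10.1.2.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes

# Legal IP Filter 2: legal department <-> legal department
netsh --% ipsec static add filterlist name="Legal IP Filter 2" description="Legal dept to legal dept"
netsh --% ipsec static add filter filterlist="Legal IP Filter 2" srcaddr=10.1.1.0 srcmask=255.255.255.0 dstaddr=10.1.1.0 dstmask=255.255.255.0 protocol=ANY mirrored=yes

# Legal NP 1: ESP = confidential, authentic and unmodified
# Legal NP 2: AH  = authentic and unmodified only
# inpass=no / soft=no: never accept or fall back to clear-text traffic on these filters
netsh --% ipsec static add filteraction name="Legal NP 1" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no
netsh --% ipsec static add filteraction name="Legal NP 2" action=negotiate qmsecmethods="AH[SHA1]" inpass=no soft=no

# Rules bind filter list + filter action into the policy; Kerberos matches a domain deployment
netsh --% ipsec static add rule name="Legal to others" policy="Legal" filterlist="Legal IP Filter 1" filteraction="Legal NP 1" kerberos=yes
netsh --% ipsec static add rule name="Legal to legal" policy="Legal" filterlist="Legal IP Filter 2" filteraction="Legal NP 2" kerberos=yes

# Review the result, then assign it
netsh --% ipsec static show policy name="Legal" level=verbose
netsh --% ipsec static set policy name="Legal" assign=y
```

    The technical note assigns the policy through the default domain Group Policy rather than the local store; a policy built and tested locally this way can be exported with `netsh ipsec static exportpolicy` and imported into the IP Security Policy Management snap-in of the GPO.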
  • Qchain – Microsoft tool that allows hotfixes to be chained together safely, removing the requirement to reboot between each applied hotfix (Q296861).
    Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP): http://support.microsoft.com/support/kb/articles/q299/4/44.asp?ID=299444
    Microsoft has released a Security Rollup Package (SRP) for Windows NT 4.0 that includes the functionality from all security patches released for Windows NT 4.0 since the release of Windows NT 4.0 Service Pack 6a (SP6a). This small, comprehensive rollup of post-SP6a fixes provides an easier mechanism for managing the rollout of security fixes. Please refer to Microsoft Knowledge Base article Q299444 for more information about this rollup package.
  • Slipstream installation: http://support.microsoft.com/support/kb/articles/Q263/1/25.ASP
    Or - http://networking.brainbuzz.com/tutorials/tutorial.asp?t=S1TU882&tn=Slipstreaming+W2K+Service+Packs&pi=S1C23&pn=Windows+2000
    Q326207: FAZAM (FullArmor Zero Administration) 2000 Program Stops responding when you connect to a large domain
    Q324644 Cannot restore access to IE, Outlook Express, or Windows Media Player after you hide them and then remove SP3
    Q326782 Cannot Request a Certificate from a CA running W2K SP 3
  • For compatibility with Windows Server 2003 platforms, SP4 adds two new security-related privileges: "impersonate a client" and "create global objects." The security policy bug occurs when Setup adds these new privileges to the local user rights list. The documentation provides no details about why the security template might not contain current security settings but does state that after an SP4 upgrade, security options might revert to previous settings. While Microsoft continues to debug this problem, you can avoid the problem by forcing a refresh of the secedit.sdb security template.
  • Service Pack Manager 2000 - http://www.securitybastion.com/
    Update Expert – www.sunbelt-software.com
    Before Installing a Service Pack: KB: Q165418
    Knowledge Base document access:
    Microsoft support and knowledge base Web site: http://support.microsoft.com/
    TechNet CD or online (http://technet.microsoft.com/)
    On the Microsoft Network or CompuServe (GO MICROSOFT)
  • Note: Hotfix.exe is not included with the Windows OS software; it’s what’s used to install hotfixes as needed, and is usually included in the compressed file download for a SP or a Hotfix. For more info, see the section entitled “The Windows 2000 Hotfix.exe Installation Program” in the Windows 2000 Service Pack Installation and Deployment Guide in the Windows 2000 section of the Technet Windows Product Family docs.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix
    SP’s and multiple hotfixes can be installed in one action using the scheme described in Q166839
    QFECHECK - Instead of just reporting the hotfix keys in the registry, the new version performs a thorough audit to ensure that the correct binary files actually exist on the system and that each file has the most current version number. http://www.microsoft.com/downloads/release.asp?ReleaseID=27333 (Note: recommended usage would be to pipe output to a text file, for later lookup and reference, since all this tool reports is the KB article number for installed HotFixes and the SP number for installed service Packs)
    UpdateEXPERT : http://www.sunbelt-software.com/product.cfm?id=357
    DC = Domain Controller: important to maintain all such systems at the same level to keep Active Directory databases completely synchronized in format and contents
    SUS - http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp
    (SUS was previously Windows Update Corporate Edition)
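    The hotfix inventory the notes describe (the registry key above, QFECHECK and the text-file habit) can be checked against a required list, as in this added example, which is not code from the course or from any of the tools named. It assumes Windows PowerShell 3.0 or later; `Get-HotFix` reads the same installed-update inventory, and the registry key from the notes is used as a fallback where the cmdlet fails. The baseline list is constructed for illustration (Q299444 is the NT 4.0 rollup article cited above; KB000000 is a placeholder).

```powershell
# Added example (not from the course notes): inventory installed hotfixes and
# report which required KBs are missing. Baseline values are constructed.
function Get-InstalledHotfixIds {
    $ids = @()
    try {
        $ids += (Get-HotFix -ErrorAction Stop | ForEach-Object { $_.HotFixID })
    } catch {
        # Legacy fallback: the key the notes cite; each subkey name is one hotfix
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix'
        if (Test-Path $key) { $ids += (Get-ChildItem $key | ForEach-Object { $_.PSChildName }) }
    }
    # Normalise 'Q299444' / 'KB299444' / '299444' to the bare number
    $ids | Where-Object { $_ } | ForEach-Object { $_ -replace '^(KB|Q)', '' } | Sort-Object -Unique
}

function Compare-HotfixBaseline {
    param([string[]]$Required)
    $installed = @(Get-InstalledHotfixIds)
    foreach ($kb in $Required) {
        $num = $kb -replace '^(KB|Q)', ''
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $num) }
    }
}

# Constructed baseline: replace with the KB numbers from your own change records
$baseline = 'Q299444', 'KB000000'
Compare-HotfixBaseline -Required $baseline | Where-Object { -not $_.Installed } | Format-Table -AutoSize

# Keep the full inventory as a text file for later lookup, as the notes recommend
Get-InstalledHotfixIds | Out-File -FilePath "$env:TEMP\hotfix-inventory.txt"
```

    As with QFECHECK, presence of a hotfix ID in the inventory says only that the package was installed, not that the patched binaries are still the current versions; the file-level check is what the newer QFECHECK release and HFNetChk add.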
  • http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/tools/tools/mbsahome.asp
    Shavlik Technologies: EnterpriseInspector 2.0: http://www.shavlik.com/security/prod_ei2.asp
  • MPSA: http://www.microsoft.com/technet/mpsa/start.asp
    Wired’s reporting/reaction on the tool is pretty interesting, too:
    MBSA is Microsoft Baseline Security Analyzer: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/mbsahome.asp
    Hfnetchk - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/hfnetchk.asp
    Or: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q303215
    Or: http://www.microsoft.com/downloads/release.asp?releaseid=31154
    Windows 2000 Mag’s report on HFNetChk: http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=22148
    David Strom reports on his experiences with MPSA and HFNetChk in Issue #257 of his Web Informant newsletter, available online at http://strom.com/awards/257.html. He reports interesting inconsistencies between the two tools that are worth remarking on (note also that HFNetChk has access to and knowledge of new hotfixes and updates BEFORE they get posted to the Microsoft Update site!)
    CIS benchmark security tool: http://www.cisecurity.org/bench_win2000.html
    HFNetCHK is a free, bare-bones command-line tool originally developed by Shavlik as the AdminSuite (aka HFNetCHK Pro): http://www.sunbelt-software.com/product.cfm?id=730
  • See “How Group Policy Works” from Windows 2000 Server Resource Kit
    See “MS Security Configuration Tool Set” from TechNet Technical Notes
  • Glossary of Windows 2000 Services: http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp
    Process Explorer - www.sysinternals.com
    Optimizing Windows NT, by Sean K. Daily and Internet Security With Windows NT, by Mark Joseph Edwards, list several services that you may decide to disable.
    1. Windows NT Server, Technical Notes, Troubleshooting, Advanced Troubleshooting, Appendix C: Standard Groups and Associated Services
    2. Windows NT Server, Technical Notes, Troubleshooting, Advanced Troubleshooting, Appendix D: Group and Service Dependencies
    Dangerous Services - http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=16301
    Windows XP Home and Professional Service Configurations: http://www.blkviper.com/WinXP/servicecfg.htm
    Windows 2000 Professional and Server Services Configuration: http://www.blkviper.com/WIN2K/servicecfg.htm
  • KB Article Q296815 documents SNMP memory leaks that occur when querying printer-related objects
    KB Article Q234679 documents SNMP memory leaks related to SQL Server 6.5 queries
    Windows NT is subject to SNMP memory leaks from many causes; search on '"SNMP" NEAR "leak"' in TechNet.
  • http://grc.com/dos/winxp.htm
    With SocketLock installed on any Windows 2000 or XP system, all SYSTEM processes continue to have complete and unrestricted access to full raw sockets, but NO USERS of any privilege level have raw socket access.
  • Searching on SSH and stunnel results in numerous links to information and software. Be sure to look for ports to your specific platform.
    An HTML document can be used to initiate a Telnet session on the client system and capture the crypto-protected logon credentials. – MS00-067
    URLScan: http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp
  • http://www.sans.org/newlook/alerts/NTFS.htm
    Note: The echo tool can also be used to stream files.
    HOWTO: Use NTFS Alternate Data Streams (Q105763)
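    Because a stream attached to a file does not show up in dir, Explorer or the file's reported size, auditing for them needs a tool that enumerates streams. This added example (not from the course notes or the SANS alert) walks a directory tree and lists every alternate data stream other than the file's default $DATA stream. It assumes Windows PowerShell 3.0 or later (the `-Stream` parameter) on an NTFS volume; the demonstration file and stream at the end are constructed.

```powershell
# Added example (not from the course notes): find NTFS alternate data streams
# under a path and report them with their size.
function Find-AlternateDataStreams {
    param([Parameter(Mandatory = $true)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # One object per stream; the file's main content is reported as ':$DATA'
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream    # 'Zone.Identifier' is the common benign one (download marker)
                        Bytes  = $_.Length
                    }
                }
        }
}

# Constructed demonstration: a temporary file with one extra stream, then the scan that finds it
$demoDir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demo = Join-Path $demoDir 'report.txt'
Set-Content -LiteralPath $demo -Value 'visible content'
Set-Content -LiteralPath $demo -Stream 'notes' -Value 'text that dir and Explorer do not show'
Find-AlternateDataStreams -Path $demoDir | Format-Table -AutoSize
Remove-Item -LiteralPath $demoDir -Recurse -Force
```

    Run it against web content roots and user profile directories, and treat any stream other than Zone.Identifier as something to explain; copying a file to a FAT volume or through a non-NTFS-aware transfer silently drops the extra streams, which is also why backups taken that way lose them.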
  • Q258811 and http://www.computerworld.com/cwi/story/0,1199,NAV47_STO43806,00.html
  • Can be deleted manually for a session, but will be re-created by system upon reboot.
    You can create your own hidden shares simply by adding a $ to the end of your share name.
    Admin Share Disable:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
    Server: AutoShareServer
    Workstation/Professional: AutoShareWks
    0 = Off, 1 = On
  • This command configures the server service and works on Windows NT Workstation and Server. The command creates a DWORD value "hidden" with the value set to 1 in the Registry key:
    This parameter works with the server service, so you can still attach to shares on the hidden machine, which is something that hiding a machine by stopping the server service wouldn't allow. And although this change hides the machine, it doesn't mask the workgroup or domain. If you don't want a suspicious-looking empty workgroup, you can put the machine in a group with other, visible members.
  • Some side effects can occur when renaming the Administrator account. These occur usually on applications which rely upon the admin account’s user name instead of its SID. These are usually identified by those applications which require you to provide the admin user account name along with its password. Always change the admin user account name early on before installing applications. Or if performed later, test for problems. Watch out for Exchange 5.5 and ARCServe, they both cause problems when the admin account is renamed.
  • The Windows NT tool NT4ALL, when run on W2K systems, will render the system unable to log on any user. Under NT it allows any user to log on with any password from any network client or the server itself. On W2K it breaks the lsass.exe service so it fails at bootup; a complete re-install is required. Prevention: disable write access to \winnt\system32 for all users except Administrator.
  • Ntpasswd works from any user account or from a boot floppy. Replaces existing passwords. Even works with SYSKEY enabled.
    ERD Commander 2002 includes Locksmith.
  • When renaming the Administrator account, avoid names that give word clues as to its power; create a naming convention.
    Employ the same naming convention for the original Administrator account as used for every other normal user account.
  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    Q192126, Q246261, Q143474
    Anonymous logons do not include the authentication of the IUSR_servername account for anonymous Web and FTP visitors.
  • Fport does not function on XP currently (Spring 2002).
  • http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=15476
  • NTFSDOS: www.sysinternals.com, www.winternals.com
    According to Mark Russinovich, NTFSDOS will also work with Windows 2000
  • For more details on this strategy, please consult the Technical Note from our Web site entitled “MS Internet Information Server 4.0 Security Checklist” (included in Security Handouts). Microsoft obsoleted this article with the August edition of TechNet, so we saved and reformatted it as a Word document here. The notion is that the various commands listed above give individuals the ability to execute system commands, change access controls, obtain confidential information, or otherwise attempt to compromise security. Although IIS 4.0 may be becoming passé, this advice—and the list of commands that appears on the slide—remains worth heeding.
  • Jason Fossen’s text Securing Windows NT, Step-by-Step (Pg. 45).
  • Windows 2000 – need to use PCAnywhere version 9.2 or later.
    See Hacking Exposed: NetBUS Pro and NetQVC
  • A patch for the Memory Leak is available and documented at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-040.asp (Will be covered by SP3, but not covered by SP2).
    TSC – Terminal Server Client
    RDP = Remote Desktop Protocol; see Q186607 “Understanding the Remote Desktop Protocol” for good overview; for more good info search TechNet on RDP.
  • Russ Cooper’s "NoHTML" tool for Microsoft Outlook - http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=55&did=38
    Setup special accounts or systems to receive e-mail from unregulated sources and which require attachments, such as for submission of documents or resumes.
  • Possible vulnerabilities to updates:
    -DNS poisoning or re-direction
    -virus which edits the definition list before it is installed into the scanner
  • Just avoiding anonymous FTP may not block all the holes in an FTP server. In addition to allowing non-user access (anonymous, guest, and null), secured accounts are also vulnerable. It is easier to write a password cracker for a remote FTP session than it is for an NT network logon.
    New generation of tools:
    Nmap is a sophisticated portscanner that uses stealth techniques and operating system identification to obtain lists of running services on a host. Nmap allows you to scan large ranges of hosts as well as send ‘spoofed’ decoy packets to hide your true origin.
    Nlog is a set of Perl scripts that creates flat-file databases from nmap scan logs. The CGI scripts in the package allow you to search scan logs for only those hosts matching certain criteria of open ports, port states, operating system, and network.
    Legion - Win32 file share scanner
  • Laura Chappell’s article on Cyber Crime for NetWare Connections, while now a bit dated, contains excellent explanations for DoS attacks in general, and for most well-known DoS and DDoS attacks. Worth reading!
  • http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=171&TB=news
    Ontrack’s Internet Cleanup: http://www.ontrack.com/internetcleanup/
  • Detailed on subsequent slides.
    1. MS Internet Information Server; Technical Notes; MS Internet Information Server Security Overview
    2. MS Internet Information Server; Technical Notes; Building a Secure Marble OFX Gateway (Windows NT 4.0)
    NT Systems mag: NT Security issue September 1997: Securing Internet Information Server, by Tom Yager:
  • IUSR: User Rights:
    Access this computer from the network
    Log on locally
    IIS logs anonymous users onto NT with the IUSR account; anonymous users do not provide an authentication name and password. Even via FTP, the N:anonymous P:anon@non.com are just placeholders to satisfy the service. They are not actually used to authenticate.
    Don’t map if possible, never map to drive root, boot partition, system partition. Where possible host all IIS content on the same system as IIS. Avoid mapping to network shares except where necessary for Web applications.
    Alternate TCP ports do not provide security, but they help hide your sites. They can prevent “sweeping” or “crawling” attacks from locating your system.
    ADUaC = Active Directory Users and Computers
    Check Executable Code Trustworthiness: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/acs/proddocs/ac2k/accrsc_hiisexe.asp
    IIS 5.0 Security Checklist: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/iis5chk.asp
    Banner removal/editing: http://www.securiteam.com/tools/6S00B0K3FI.html
    ID Serve: http://grc.com/id/idserve.htm
    Web Servers' Banner Removal Guide : http://www.securiteam.com/securitynews/5RP0L1540K.html
    Some IIS related add-in software may not function properly if the IUSR account is renamed.
    Rename, move, and lock-down the cmd.exe file to prevent numerous Web exploits.
    NIST: Guidelines on Securing Public Web Servers: http://csrc.nist.gov/publications/nistpubs/800-44/sp800-44.pdf
  • IIS 5.0 Security Checklist: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/iis5chk.asp
    Banner removal/editing: http://www.securiteam.com/tools/6S00B0K3FI.html
    Some IIS related add-in software may not function properly if the IUSR account is renamed.
    Rename, move, and lock-down the cmd.exe file to prevent numerous Web exploits.
  • IIS 5.0 Security Checklist: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/chklist/iis5chk.asp
    A simple registry entry is all that is required to disable WebDAV (you must have at least applied the Windows 2000 Security Rollup Package 1 (SRP1), available since January 2002. If you're current with service pack application, you can make this registry entry.)
    - You must add a DWORD value called DisableWebDAV.
    - You must give it a value of 1.
    - It should be added at the registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
    Then -- this is very important -- you must stop and start the IIS services. It's not necessary to reboot the server.
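    Several of the hardening steps in these notes come down to a single registry value: AutoShareServer/AutoShareWks for the administrative shares, the server-service "hidden" flag, the Lsa key for anonymous logons, and DisableWebDAV above. The following added example (not code from the course or from Microsoft) audits all of them in one pass and reports which ones are still at the insecure default. It assumes Windows PowerShell 3.0 or later. Two assumptions should be checked against your own documentation: that `Hidden` under LanmanServer\Parameters is the DWORD the hidden-server command writes, and that `RestrictAnonymous` is the Lsa value the cited article Q143474 describes.

```powershell
# Added example (not from the course notes): compare the registry values the
# notes describe with their hardened settings. Expected values are the hardened
# ones; an absent value means the OS default applies, which for all five is the
# less secure side. 'Hidden' and 'RestrictAnonymous' are assumptions (see lead-in).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$checks = @(
    @{ Key = $lanman; Name = 'AutoShareServer'; Expected = 0; Why = 'Do not recreate ADMIN$/C$ on servers at boot' }
    @{ Key = $lanman; Name = 'AutoShareWks';    Expected = 0; Why = 'Same for Workstation/Professional' }
    @{ Key = $lanman; Name = 'Hidden';          Expected = 1; Why = 'Keep the machine out of browse lists (shares still reachable)' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                Name = 'RestrictAnonymous'; Expected = 1; Why = 'Limit what anonymous logons can enumerate' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'; Name = 'DisableWebDAV';    Expected = 1; Why = 'Turn off WebDAV in IIS 5.0 (SRP1 or later required)' }
)

function Test-HardeningBaseline {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -LiteralPath $c.Key) {
            $item = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($c.Name) }
        }
        $shown = if ($null -eq $actual) { '(absent)' } else { $actual }
        [pscustomobject]@{
            Value    = "$($c.Key)\$($c.Name)"
            Expected = $c.Expected
            Actual   = $shown
            Pass     = ($actual -eq $c.Expected)
            Why      = $c.Why
        }
    }
}

Test-HardeningBaseline -Checks $checks | Format-Table -AutoSize -Wrap
```

    To remediate a failing row, create the value with `New-ItemProperty -PropertyType DWord -Force` and then restart the service that reads it: the Server service for the LanmanServer values, and, as the note above stresses, the IIS services for DisableWebDAV (no reboot needed). Test RestrictAnonymous=1 before rolling it out, since some older applications and trust relationships depend on anonymous enumeration.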
  • Web in a box:
    Sun’s Netra: www.sun.com
    Cisco's Micro Webserver: www.cisco.com
    Compact Devices' Twister: www.devices.com
    Cobalt RaQ - www.cobalt.com/products/raq/
    Do you trust ISPs?
    ISP background
    Site security
    Employee background
    Sniffing, capturing, or buffering
    Are they bonded?
    Do they offer encrypted connections?
    Do they discuss security with you?
  • FTP List DoS vulnerability KB:Q188348
    ISM = Internet Services Manager (a MMC snap-in)
  • Note: only those tools which can be executed on a Windows 9x/NT/2000 system are listed. There are many other tools available for UNIX and Linux systems.
    BTW, a judge ruled that port scanning is not an illegal activity against a network since it does not damage or impair the integrity and availability of that network: http://www.securityfocus.com/news/126
  • Password Recovery can extract passwords from: PKZip, WinZip, Word, Excel, WordPerfect, Lotus 1-2-3, Paradox, Q&A, Quattro-Pro, Ami Pro, Approach, QuickBooks, Act!, Pro Write, Access, Word Pro, DataPerfect, dBase, Symphony, Outlook Express, MS Money, Quicken, Scheduler+, Ascend, and Netware.
  • 70-220 exam objectives & info: http://www.microsoft.com/trainingandservices/exams/examasearch.asp?PageID=70-220
    70-227 exam objectives & info: http://www.microsoft.com/trainingandservices/exams/examasearch.asp?PageID=70-227
    ISC2 = International Information Systems Security Certification Consortium
    CISSP= Certified Information Systems Security Professional http://www.isc2.org/cgi/content.cgi?category=19
    SANS = Systems Administration and Network Security Institute
    GIAC = Global Information Assurance Certification http://www.giac.org/
    ICSA = International Computer Security Association & ICSA Computer Security Associate (ICSA the organization does business as TruSecure Corporation now)
    See http://www.trusecure.com/html/secsol/peoplecert01.shtml for more information about the ICSA certification.
    ASIS = American Society for Industrial Security
    CPP = Certified Protection Professional http://www.asisonline.org/cppg/cpphome.html
    Certification Landscape story:
    Pine Mountain Group: pinemountaingroup.com
    (see also vendor-specific security cert landscape story at: http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci811349,00.html)
    WildPackets: wildpackets.com
    NAX – www.nax2000.com
  • The Window Registry Guide is a great source of information, presented by category. Of particular interest to this class is the security category.
    DumpReg – www.somarsoft.com or www.systemtools.com
    Prism - www.picturetaker.com
  • Given the numbers of worms that have spread this year, you may find The WildList Organization International to be an excellent source for information on viruses spreading in the wild. The site's been remodeled, and has extensive and up-to-date documentation on viruses and worms.
    Denial of Service Attack Resources lists links where you can find technical information about DOS and DDOS attacks, as well as contacts for law enforcement agencies. It has a link to Daryl Cagle's Cartoon Index Home Page, where you'll find Hacker cartoons as well as daily editorial cartoons.
    The folks at DigiCrime "are pleased to offer a full range of criminal services and products to our customers. Our willing staff of ethically challenged programmers and network analysts are standing by to serve you at pay phones and IRC channels around the world."
    Kurt Seifried's column on Security Techniques and Survivability at SecurityPortal.com describes how the use of multiple security techniques--from basics like disabling unnecessary services, running up to date software and applying security patches--to more advanced practices--auditing code, buffer overflow checking, monitoring and logging--are all parts of the process, as are responses to attacks.
    Another fascinating source for security information is Peter Gutmann's web site; along with a long list of projects and accomplishments, you'll find his Encryption and Security Tutorial.
    Simovits Consulting has posted a list of Ports used by Trojans.
  • Students can locate others by using www.amazon.com or www.barnesandnoble.com
  • W982 05092004

    1. W982: Windows 2003/XP/2000 System and Network Security Networld+Interop - Las Vegas Wed – May 12, 2003 8:30am-4:30pm James Michael Stewart CISSP, ISSAP, TICSA, CIW SA, Security+, CTT+, MCT, CCNA, MCSA Windows Server 2003, MCSE+Security Windows 2000, MCDST, MCSE NT & W2K, MCP+I, iNet+ www.impactonline.com michael@impactonline.com
    2. UPDATED MATERIALS • This course has changed since submitted for printing • Updated slides, notes, and handouts available from: www.impactonline.com/interop/ • All new or changed material is highlighted in green.
    3. What This Course is NOT about • How to break into Windows systems • Security issues not related directly to Windows • Installing software • Troubleshooting non-security issues • Details on Intrusion Detection • Basics of Windows architecture, administration, or operation • Other software from Microsoft or third-party vendors
    4. What This Course IS about • Why security is important • Native security features built into: – Windows Server 2003 – Windows 2000 Server and Professional – Windows XP Professional • How to lock down or secure a Windows system • Vulnerabilities of Windows OSes • Windows countermeasures
    5. Security Is Important • OS or system security does not exist in a vacuum • You must address physical security and administrative issues, otherwise no amount of technical or logical security controls will suffice • Security must be driven by an organization-wide security policy. • “Security is not a goal, it is a process, and Security is not a product, it's a mentality” – McClure/Scambray • Security is maintaining data integrity and providing only authorized, controlled access to that data
    6. Windows Security is an ART not a SCIENCE • Take my recommendations and opinions about Windows security at your own risk. • Usually, increasing security adds administrative overhead, but decreasing security reduces administrative workloads. Ultimately, you must choose what level of security you require, and manage related admin tasks. • We welcome other opinions on Windows security in the class - we will add useful information to online materials and future classes
    7. Windows Security Is • Build a perimeter that’s harder to cross than your neighbor’s • Controlled and monitored access • “End to end” solution, involving: clients, applications, servers, boundary devices, and all relationships between these elements • Windows 2000/NT/XP Out of the Box: Few secure defaults • Windows Server 2003 is much more secure by default • Maintaining security is a never-ending process: requires vigilance, ongoing monitoring, and maintenance.
    8. Security: A Multi-Front Endeavor • 100% security does not exist • Implement security in layers • Security must provide protection from intrusions, internal and external attacks, accidents, malicious code, and physical destruction. • Security policies guide and direct implementation • Three Legs of Security – Physical access control » If physical security is not maintained, no amount of software security can create a secure environment for your data – Human education and management – OS and software management
    9. Worst Security Mistakes • Opening unsolicited email attachments without verifying source and checking content first • Failing to install security patches • Installing unapproved software • Neither making nor testing backups • Connecting a modem to a phone line while computer is connected to a LAN • Relying primarily on firewalls and boundary safeguards • Connecting systems and devices to the LAN or Internet before hardening them • Using telnet or other unencrypted protocols to manage systems and network devices • Running unnecessary protocols and services • Failing to keep yourself up to date with the state of security of your OSes, software, and hardware
    10. Windows Server 2003 New and Modified Features • Common Language Runtime • Internet Connection Firewall • Account behavior changes • More Secure Defaults • Administration Security • Developer enhancements • Encrypted File System enhancements • IPSEC enhancements • Authorization Manager • Software Restriction Policies • Credential Management • PKI Features • IIS 6.0 enhancements
    11. Common Language Runtime • Common Language Runtime (CLR) software engine – improves reliability and helps ensure a safe computing environment. – reduces the number of bugs and security holes caused by common programming mistakes – verifies that applications can run without error and checks for appropriate security permissions – making sure that code only performs appropriate operations – checks where the code was downloaded or installed from – checks whether the code has a digital signature from a trusted developer – checks whether the code has been altered since it was digitally signed.
    12. Internet Connection Firewall • Simple stateful IP filter • Allows all outbound • Allows selected inbound
    13. Account Behavior Changes • Limiting local account misuse • Network logon prevented with blank passwords • Network logons using local accounts authenticate as guest • Administrator account can be disabled • The built-in Everyone group includes Authenticated Users and Guests, but no longer includes members of the Anonymous Logon group • Supported authentication techniques: Kerberos V5, SSL, TLS, NTLM, digest (MD5 hash), Passport, two-factor (such as smart cards)
    14. More Secure Defaults • IIS/FTP/SMTP not installed by default • IIS must be configured before first use • Many services/interfaces/extensions are disabled by default
    15. Administration Security • Command line tools (e.g. netstat –o) • Smartcard authentication for common admin tools: » Net.exe » Runas » Terminal Services
    16. Developer Enhancements • .NET Common Language Runtime » Managed code » Authentication of code origin » Authorization of operations against policy • IPSec APIs • Application access to EFS metadata • Advanced Encryption Standard & new hash support
    17. EFS Enhancements • Encrypted file sharing in the UI • Encrypted files marked with alternate color • Sharing your encrypted files with other users • Encrypted client side cache » Used for offline folders, files stored in encrypted CSC database • Support for kernel-mode FIPS-compliant cryptography » 3DES algorithm, enabled with Group Policy » FIPS – Federal Information Processing Standard
    18. EFS Data Recovery Changes • Domain Model » Removed requirement for Data Recovery Agent » Can operate with no data recovery policy or a separate key recovery policy » Domain Administrator is DRA by default when domain is created
    19. EFS over WebDAV • Enable encrypted storage on Internet servers (end to end encryption) • WebDAV is a file sharing protocol over HTTP » Alternative to SMB; Internet Standard RFC 2518 » Supported by numerous independent software vendors • IIS 5.0 and IIS 6.0 support WebDAV as web folders
    20. IPSec Enhancements • Windows 2000/XP/Server 2003 Compatibility • Stronger security • Diagnostics and supportability • UI improvements and IPSec Monitor Snap-in • Command line management NETSH • Computer startup security – IPSec Driver Startup Modes • Persistent policy for enhanced security • Removed default traffic exemptions • NAT traversal • Improved IPSec integration with Network Load Balancing • IPSec support for Resultant Set of Policy (RSoP)
    21. Authorization Manager • Flexible framework • Role-based access control • Role-based administration • Support for Forest Trusts – two-way transitive trusts between every domain in both forests
    22. 22. 22 Software Restriction Policies • Group Policy can restrict software installation and execution • Can restrict by: » Hash Rule » Path Rule » Certificate Rule » Zone Rule
    23. 23. 23 Credential Manager • Provides a secure storage mechanism for user credentials, such as passwords and X.509 certificates • Provides a consistent single-sign on • Supported for local and roaming users • Simplifies and secures the methods by which server and client based applications obtain user credentials
    24. 24. 24 PKI Features • Qualified subordination – A.K.A. Cross certification – More X.509 options implemented on server and client – Define the namespace for which a subordinate CA will issue certificates – Specify the acceptable uses of certificates issued by a qualified subordinate CA – Create trust between separate certification hierarchies • Editable certificate templates • Key archive & recovery – Can configure a CA to archive the keys associated with the certificates it issues • Auto enrolment & renewal • Delta CRLs
25. IIS 6.0 Enhancements
• Lessons implemented
• Reduced attack surface
• Code security
• Secure defaults
• Improved ASP security
• Lower privilege accounts
• Improved patch management
• Security features for the platform
• Application isolation
• FTP user isolation
• Passport authentication
• URL authorization

26. Some Specific Windows 2003 Security Benefits
• More than 20 services that were enabled by default in W2K are now disabled or operate at lower privileges
• IIS 6.0 and Telnet server are not installed by default, and both run under a new service account with lower privileges
• IE has numerous limitations on its functionality
• The Security Configuration Wizard, which works on top of Configure Your Server, defaults to the highest security lockdown for added services and features
• Remote users will be unable to log in using blank passwords
• Role-based authentication via applications
• The system root drive is accessible only to Administrative group users; the Everyone group is fully restricted
• Stronger VPN policies and filters

27. Windows 2000 to Windows 2003
• All known problems with Windows 2000 up through approximately MS03-022 are corrected or not present in Windows 2003
• New problems since MS03-023 may be found in Windows 2000, Windows XP, and Windows 2003
  – Check Windows Update and Microsoft Security Bulletins frequently to stay current with new developments

28. Windows 2000 Security Features
• Improved security model over Windows NT:
  – stronger authentication, protocols, & services
• Directory Service Account Management
  – domain trees
  – Organizational Units (OUs) – directory containers
• Kerberos Authentication Protocol V5
• Public Key Infrastructure (PKI)
• X.509 Version 3 Certificate Services
• CryptoAPI Version 2
• Encrypting File System (EFS) built into NTFS
• Secure channel security protocols (SSL 3.0/PCT)
• Smart card support
• Private Communications Technology (PCT) 1.0
• Distributed Password Authentication (DPA)
• Transport Layer Security Protocol (TLS)
• Internet Security Framework: IPSec, L2TP
• Transitive trusts

29. Windows XP Security Features
• Most of the security benefits of Windows 2000 are found in Windows XP
• Additional security features include:
  – Internet Connection Firewall
  – Internet Connection Sharing
  – Blank password restriction (access to local system only)
  – Encryption of Offline Files
  – Credential Management – storage of logon credentials
  – Fast user switching (non-domain only)

30.
• All passwords rendered useless on Windows XP:
  – Boot a Windows XP system with a Windows 2000 CD
  – Start the Windows 2000 Recovery Console
  – User is then able to operate as the administrator of the system without a password
  – User can connect as any user account on the system without a password
  – User can copy files to floppies or other removable media from any local hard drive – a capability normally restricted within the Recovery Console when used legitimately
  – Only countermeasure – physical security
  – http://www.briansbuzz.com/w/030213/ (Windows XP IPL Vulnerability)
31. Coverage of Windows Clients
• Windows XP Professional can be configured as the most secure client available from Microsoft
• Windows 2000 Professional can be configured to be almost as secure as Windows XP Professional
• Both offer different defaults, usually insecure defaults, when employed as stand-alone systems
• This courseware assumes Windows XP Professional and Windows 2000 Professional are being used as Active Directory domain clients. Therefore they take on the security configurations defined by Windows 2000 Server or Windows Server 2003 GPOs assigned to their AD containers.

32. Coverage of Windows Servers
• All Windows 2000 Server and Windows Server 2003 settings are discussed from the perspective of these systems being used as domain controllers.
• Domain controllers either inherit the security configuration of the domain controllers, the domain GPO, or are assigned their own unique configuration by network administrators.

33. Overview of Native Security Components of Windows 2003/XP/2000
• Logon control
• User accounts
• Groups
• Accounts policy – passwords and lockout
• System policies
• NTFS and share permissions
• User rights
• Auditing

34. Login & Access Security
• NetLogon service
  – restricted memory area
  – CTRL-ALT-DEL – cannot be spoofed – forces physical logon
  – communicates with security database to validate users
  – Requires:
    » user account name
    » password
    » domain name
• Remote control software bypasses via API and installed service (logon required to install service)

35. Automated Logon
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  – DefaultDomainName (Value: REG_SZ)
  – DefaultUserName (Value: REG_SZ)
  – DefaultPassword (Value: REG_SZ)
  – AutoAdminLogon (Value: REG_SZ) = 1
• Authentication still occurs, but without user input
• To terminate auto-logon:
  – set AutoAdminLogon=0
  – delete DefaultPassword
• Hold SHIFT to log on with an alternate user account
• Used on kiosks & other access points where access level or physical security is no issue
• Functions on NT, 2000, XP, 2003
36. Cached Credentials (1/2)
• By default, when you attempt to log on to a domain from a Windows 2003/XP/2000-based workstation or member server and a domain controller (DC) cannot be located, no error message is displayed.
• Instead, you log on to the local computer using cached credentials.
• By default, Windows 2003/XP/2000 caches the last 10 logons
• Set through Group Policy (Security Options) or Registry (CachedLogonsCount). If set to 0, no logons are cached, and if a DC is not available logon is denied.

37. Cached Credentials (2/2)
• When logged on with cached credentials, the user account has no access to updated group policies, roaming profiles, home folders, or logon scripts.
• Use the "set" command at a Command Prompt
  – LOGONSERVER entry names what system authenticated you.
  – If local system – cached credentials; if DC – domain validation.
• Appears in Event Viewer's System log – event ID 5719
• Add ReportControllerMissing and ReportDC values to Registry to force a user warning message.
• Unlocking a workstation or a DC uses cached credentials by default. If you don't disable credential caching, then set ForceUnlockLogon to 1 to require actual AD authentication to unlock systems.

38. User Accounts & Groups
• Users and groups are key to Windows security
• User Accounts:
  – Unique identifiers for each person
  – Security IDs
• Groups:
  – Used to control resource access
  – Machine local, Domain local, Global, Universal (native mode)
  – Multiple group memberships
  – Combined permissions
• Users > Domain Groups > Local Groups > Resources
  – Users are added to groups
  – Groups are assigned permissions for resources
  – Nesting of groups supported
• Delete vs. Disable old user accounts

39. System Controlled Groups
• Pre-Windows 2000 Compatible Access
• Anonymous Logon
• Authenticated Users
• Batch
• Creator Group
• Creator Owner
• Dialup
• Enterprise Domain Controllers
• Everyone
• Interactive
• Network
• Proxy
• Restricted
• Self
• Service
• System
• Terminal Server User
2003 specific:
• Digest Authentication
• Local Service
• NTLM Authentication
• Other Organization
• Remote Interactive Logon
• SChannel Authentication
• This Organization
• Membership is dynamic and managed by the OS itself
• Everyone group is still required on boot partition and still includes anonymous and null sessions

40. Group Policy
• GPOs can be assigned to domains, sites, or OUs.
  – Applied: LSDOU
• Combines policies for:
  – general security controls
  – audit
  – user rights
  – passwords
  – account lockout
  – Kerberos
  – public key policies
  – IPSec policies
• 2000 OOB – if a user is a member of 70 to 80 groups, group policy may not be applied. Caused by Kerberos's token size limitation; the correction changes MaxTokenSize from 12000 to 100000 (SP2) – 263693

41. Group Policy SMB Vulnerability
• SMB signing flaw may allow group policies to be modified by unauthorized users
• Affects: Windows 2000 and Windows XP
• Flaw allows attackers to downgrade the settings for SMB signing so packets are not signed even though systems are configured to use SMB signing. This attack occurs during the negotiation process between client and server. Once exploited, attackers could modify packets sent between two systems and the changes would not be detected.
• Patch not included in Windows XP SP1
• MS02-070: KB:329710

42. Password Policy
• Set password restrictions
  – Min & max password age (0-999)
    » W2000 – Max 42 days; Min 0 days
    » W2003 – Max 42 days; Min 1 day
  – Min password length (0-14)
    » W2000 – 0
    » W2003 – 7
  – History (1-24 entries)
    » W2000 – 1
    » W2003 – 24
  – Passwords must meet complexity requirements
    » W2000 – disabled
    » W2003 – enabled
  – Store passwords using reversible encryption for all users in the domain
    » W2000 & W2003 – disabled
43. Password Complexity
• Forces minimum of 6 characters
• Incorporates at least 3 character types:
  – Uppercase: A through Z
  – Lowercase: a through z
  – Numerals: 0 through 9
  – Non-alphanumeric: !, @, #, $, [, \, …
• No part of user account name or real name
• Not foolproof: "April1999" is a valid password under these restrictions, but easily guessed.
• When enabled, existing passwords are grandfathered; new or changed passwords must meet restrictions
• Custom password filters – see W2000 and W2003 SDK
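The complexity rule above, worked through in code, plus the extra check a custom password filter could add to catch the "April1999" case. This is an added example, not code from the course or from Microsoft's filter; the name-token cut-off, the wordlist and the guessability pattern are assumptions made here.

```python
import re

# Character classes of the "passwords must meet complexity requirements" rule:
# at least three of these four must be present.
CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "numeral": re.compile(r"[0-9]"),
    "non-alphanumeric": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed wordlist for the "easily guessed" check: month names plus a few
# bases that crackers try first. Not a real cracker dictionary.
GUESSABLE_BASES = (
    "january", "february", "march", "april", "may", "june", "july", "august",
    "september", "october", "november", "december", "password", "welcome",
    "letmein", "summer", "winter", "spring", "autumn",
)


def real_name_tokens(real_name: str, min_len: int = 3):
    """Split a real name into tokens that must not appear in the password.
    Assumption: fragments shorter than min_len are ignored, so a two-letter
    name part does not reject every password containing those letters."""
    return [t for t in re.split(r"[ ,.\-_#\t]+", real_name) if len(t) >= min_len]


def meets_complexity(password: str, account_name: str = "", real_name: str = "",
                     min_length: int = 6):
    """Apply the slide's rules. Returns (ok, reasons); reasons is empty when ok."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < 3:
        reasons.append(f"only {len(present)} of 4 character classes present")
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        reasons.append("contains the user account name")
    for token in real_name_tokens(real_name):
        if token.lower() in lowered:
            reasons.append(f"contains part of the real name ({token})")
    return (not reasons, reasons)


def easily_guessed(password: str) -> bool:
    """Heuristic a custom password filter could add on top of complexity:
    a dictionary base word, optionally capitalised, followed by up to four
    digits and at most one trailing symbol (the "April1999" shape)."""
    match = re.fullmatch(r"([A-Za-z]+)\d{0,4}[^A-Za-z0-9]?", password)
    return bool(match) and match.group(1).lower() in GUESSABLE_BASES


def evaluate(password: str, account_name: str = "", real_name: str = ""):
    """Combined verdict: 'rejected' if complexity fails, 'weak' if it passes
    the built-in rule but is guessable, otherwise 'accepted'."""
    ok, reasons = meets_complexity(password, account_name, real_name)
    if not ok:
        return "rejected", reasons
    if easily_guessed(password):
        return "weak", ["dictionary word plus digits pattern"]
    return "accepted", []


if __name__ == "__main__":
    for candidate in ("April1999", "april1999", "Jsmith#2004", "Tq7#kLm2p"):
        print(candidate, evaluate(candidate, account_name="jsmith", real_name="John Smith"))
```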
44. Failing Requirements When Changing Passwords
"Your new password does not meet the minimum length or password history requirements of the domain. Also, your site may require passwords that must be a combination of upper case, lower case, numbers, and non-alphanumeric characters."
"Your password must be at least <#> characters long. Your new password cannot be the same as any of your previous <#> passwords. Also, your site may require passwords that must be a combination of upper case, lower case, numbers, and non-alphanumeric characters."

45. Designing Secure Passwords
• Implement company/organization security policy
• Use cracking tools to test your password strength
  – LC4, PassFilt Pro, John the Ripper, Quakenbush's Password Appraiser
• Allow no part of e-mail address in password
• Change every 30-45 days
• Maintain history of previous passwords to prevent reuse
• Always assign passwords to all accounts
• Avoid common words – dictionary, slang, industry acronyms, etc.
• Use ALT characters – ALT-130 for é, ALT-157 for ¥, etc.
  – Avoid use on administrator accounts
• Never write passwords down

46. Password Crackers
• Require access to SAM – direct or copy
• Password auditing:
  – @stake's LC4 – http://www.atstake.com/
  – Quakenbush's Password Appraiser – http://www.quakenbush.com/
• Most perform reverse hash extraction
• Protect your SAM!
• LC4 can sniff SMB exchanges on networks to pull passwords – use switched networks to force end to end communications
• Several tools are available that boot from a floppy and can change the password on any account:
  – Peter Nordahl's Offline NT Password & Registry Editor tool
  – Sysinternals' Locksmith

47. Audit Password Registry Keys
• Enable auditing through Group Policy's Audit Policy
• Start the Scheduler service, set to system startup
• AT <time> /interactive "regedt32.exe"
• Registry editor is launched with System level access – SAM and SECURITY hives (Note: System is NT's closest equivalent to UNIX's superuser or root access)
• Set SAM hive auditing parameters
  – at <time> /interactive "regedt32.exe"
  – HKEY_LOCAL_MACHINE\SAM
  – Set Security | Auditing per event & user/group

48. Accounts Policy
• Set lockout parameters
  – Lockout duration (0-99999 minutes)
  – Failed logon attempts
  – Counter reset after time limit
• Not enabled by default on W2K or W2K3
• "Account is locked out" checkbox on user account properties dialog box

49. User Account Security Controls
• Logon hours
• Log On To – restricted to workstations
• Account info: expiration – never or by date
• Account Options (next slide)
• Dial-in:
  – Remote Access Permission (dial-in or VPN) – allow, deny, or controlled by Remote Access Policy
  – Verify caller ID (requires supported hardware)
  – Call back: pre-defined or user-supplied
• Terminal Services sessions:
  – End disconnected sessions timeout
  – Time limit for active sessions
  – Time limit for idle sessions
  – Enable remote control/observation
  – Require user's permission to control/observe

50. Account Options
• User must change password at next logon
• User cannot change password
• Password never expires
• Store password using reversible encryption
• Account is disabled
• Smart card is required for interactive logon
• Account is trusted for delegation
• Account is sensitive and cannot be delegated
• Use DES encryption types for this account
• Do not require Kerberos pre-authentication
Direct user account settings override group policy settings!!
51. Audit Policy
• All Windows objects can be audited
• Two controls: policy and object
• Policies:
  – Account logon events
  – Account management
  – Directory service access
  – Logon events
  – Object access
  – Policy change
  – Privilege use
  – Process tracking
  – System events
• Object level controls accessed through Advanced Security Properties
• Audit policy must be enabled in order for audited events to be recorded in the Security log

52. Sample Audit Detail

53. Auditing for Security
• Suspect events:
  – failed log on attempts
  – repeated denied access to resource
  – system reboots
• DumpEVT – export event logs to text files for use in scripts and databases – www.somarsoft.com
• As the amount of data gathered by auditing increases, so does the need to employ an IDS or a data mining tool to deal with the data load

54. Example Audit Schemes
• Random password attacks
  – account logon events, logon events: Failure
• Stolen passwords (must filter for abnormal activity)
  – account logon events, logon events: Success
• Misuse of admin privileges:
  – privilege use: Success; account management: Success; policy change: Success; system events: Success
• Virus infection (track W for all .exe, .bat, and .dll)
  – process tracking: Success, Failure; directory service access, object access: Success, Failure
• Access to sensitive files (track R,W for suspect users/groups)
  – directory service access, object access: Success, Failure
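The first two audit schemes above (random password attacks, and stolen passwords with a filter for abnormal activity), run as detection logic over an exported log, in the spirit of the DumpEVT-to-script workflow on the previous slide. This is an added example, not part of the course: the log lines, the CSV layout, the workstation baseline and the business-hours filter are all constructed here, not real Windows event text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log extract (not real Windows event text): one record
# per line as  timestamp,category,result,account,workstation.
SAMPLE_LOG = """\
2004-05-10 02:01:05,Account Logon,Failure,jsmith,WS-PUB1
2004-05-10 02:01:31,Account Logon,Failure,jsmith,WS-PUB1
2004-05-10 02:02:02,Account Logon,Failure,jsmith,WS-PUB1
2004-05-10 02:02:40,Account Logon,Failure,jsmith,WS-PUB1
2004-05-10 02:03:11,Account Logon,Failure,jsmith,WS-PUB1
2004-05-10 02:03:40,Account Logon,Failure,jsmith,WS-PUB1
2004-05-10 02:04:10,Account Logon,Success,jsmith,WS-PUB1
2004-05-10 08:55:12,Logon,Failure,adoe,WS-0220
2004-05-10 08:55:30,Logon,Success,adoe,WS-0220
2004-05-10 10:00:00,Account Logon,Success,mlee,WS-0305
2004-05-10 14:30:00,Privilege Use,Success,mlee,WS-0305
"""

# Constructed baseline: workstations each account normally logs on from.
BASELINE = {"jsmith": {"WS-0117"}, "adoe": {"WS-0220"}, "mlee": {"WS-0305"}}

# The two audit categories both schemes rely on.
LOGON_CATEGORIES = {"Account Logon", "Logon"}


def parse_log(text):
    """Turn the exported text into records with a real timestamp."""
    records = []
    for line in text.strip().splitlines():
        stamp, category, result, account, workstation = line.split(",")
        records.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "category": category, "result": result,
            "account": account, "workstation": workstation,
        })
    return records


def password_guessing(records, threshold=5, window=timedelta(minutes=10)):
    """Random password attack scheme: Failure audits in the logon categories,
    grouped per account; an account is flagged when `threshold` or more
    failures fall inside any `window`. Returns {account: peak count}."""
    times = defaultdict(list)
    for r in records:
        if r["category"] in LOGON_CATEGORIES and r["result"] == "Failure":
            times[r["account"]].append(r["time"])
    flagged = {}
    for account, stamps in times.items():
        stamps.sort()
        left, peak = 0, 0
        for right, stamp in enumerate(stamps):
            while stamp - stamps[left] > window:   # slide the window forward
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[account] = peak
    return flagged


def stolen_password_suspects(records, baseline, business_hours=(7, 19)):
    """Stolen password scheme: Success audits are collected, then filtered
    for abnormal activity. Two filters modelled here: logon outside business
    hours, and logon from a workstation not in the account's baseline."""
    start, end = business_hours
    suspects = []
    for r in records:
        if r["category"] not in LOGON_CATEGORIES or r["result"] != "Success":
            continue
        reasons = []
        if not start <= r["time"].hour < end:
            reasons.append("off-hours")
        if r["workstation"] not in baseline.get(r["account"], set()):
            reasons.append("unknown workstation")
        if reasons:
            suspects.append((r["account"], r["workstation"], tuple(reasons)))
    return suspects


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("password guessing:", password_guessing(recs))
    print("stolen password suspects:", stolen_password_suspects(recs, BASELINE))
```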
55. Working with User Rights
• Review defaults of User Rights (see handout "User Rights")
• To increase security settings, make the following changes:
  – Allow log on locally: assigned only to Administrators on servers
  – Shut down the system: assigned only to Administrators, Power Users
  – Access computer from network: assigned to Users; revoke for Administrators and Everyone
  – Restore files/directories: revoke for Backup Operators
  – Bypass traverse checking: assigned to Authenticated Users; revoke for Everyone

56. Ownership
• Ownership grants a user Full Control over an object
• Ownership can be taken by users with:
  – Take Ownership of Files or Other Objects user right
  – NTFS object level Ownership permissions
• Administrators and Domain Admins have this user right by default.
• Ownership can be assigned using subinacl (Resource Kit tool):
  – subinacl /subdirectories c:\winnt\profiles\*.* /setowner=administrator
• Ownership can be used to bypass any Deny setting.

57. NTFS Security
• Defined by object: files, directories, printers
• Set by group or user for Allow or Deny
• Standard file settings:
  – Full Control (RXWDPO); Modify (RXWD); Read & Execute (RX); List Folder Contents (dir only) (R); Read (R); Write (W)
• Always check defaults on new objects with regard to the Everyone group
• Container rule – move vs. copy
• Inheritance is configurable; inheritance of permissions and of auditing is distinct

58. Share Permissions
• Permissions:
  – Full Control
  – Change
  – Read
• All permissions based on Allow or Deny
• W2K – new share: Full Control to Everyone
• W2K3 – new share: Read only to Everyone
• On object's Sharing tab:
  – Able to set maximum simultaneous users
  – Caching
    » Allow/prevent caching
    » Manual – Offline Files
    » Automatic

59. Managing Permissions
• NTFS – all user specific and group membership permissions on the same resource are cumulative.
• Share – all user specific and group membership permissions on the same share are cumulative.
• Combining NTFS and share permissions
  – Cumulative NTFS is compared to the cumulative share – most restrictive applies
  – Think of it as an ANDing function
• Deny always results in deny. Watch for conflicts caused by multi-group memberships.
• Grant permissions on an "as needed" basis – need to know or least privilege
• SystemTools' DumpSec (www.systemtools.com) – dumps permissions (ACLs) for file system, registry, shares and printers into a readable listbox format
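The cumulative-then-AND rule from slides 57 to 59, worked as code so the effect of multi-group membership and of a Deny can be checked before a share goes live. This is an added example, not the course's material or a Microsoft tool: the right letters follow slide 57, the mapping of share Change and Read onto those letters is a modelling assumption, and the users, groups and ACEs are constructed.

```python
from typing import Dict, FrozenSet, Iterable, Tuple

Rights = FrozenSet[str]
# One access control entry: (principal, "Allow" or "Deny", rights).
Ace = Tuple[str, str, Rights]

# NTFS standard settings from slide 57 as sets of right letters:
# R read, X execute, W write, D delete, P change permissions, O take ownership.
NTFS_STANDARD: Dict[str, Rights] = {
    "Full Control": frozenset("RXWDPO"),
    "Modify": frozenset("RXWD"),
    "Read & Execute": frozenset("RX"),
    "Read": frozenset("R"),
    "Write": frozenset("W"),
}
# Share permissions on the same letters. Modelling assumption (the slide names
# them but does not break them down): Change = RXWD, Read = RX.
SHARE_STANDARD: Dict[str, Rights] = {
    "Full Control": frozenset("RXWDPO"),
    "Change": frozenset("RXWD"),
    "Read": frozenset("RX"),
}


def principals_for(user: str, groups: Iterable[str]) -> FrozenSet[str]:
    """Everything an ACE can match for this user: the account plus all of its
    groups (Everyone and Authenticated Users modelled as ordinary groups)."""
    return frozenset({user, *groups})


def cumulative(aces: Iterable[Ace], principals: FrozenSet[str], ace_type: str) -> Rights:
    """Union of the rights of every matching ACE of one type (Allow or Deny)."""
    rights = set()
    for principal, kind, r in aces:
        if kind == ace_type and principal in principals:
            rights |= r
    return frozenset(rights)


def effective_rights(aces, principals) -> Rights:
    """Cumulative Allow across the user and its groups, minus anything denied
    to any of them: Deny always results in deny."""
    return cumulative(aces, principals, "Allow") - cumulative(aces, principals, "Deny")


def conflicts(aces, principals) -> Rights:
    """Rights one membership allows and another denies; the deny wins. This is
    the multi-group conflict the slide says to watch for."""
    return cumulative(aces, principals, "Allow") & cumulative(aces, principals, "Deny")


def effective_via_share(ntfs_aces, share_aces, principals) -> Rights:
    """Access through a share: cumulative NTFS ANDed with cumulative share,
    so the most restrictive of the two applies."""
    return effective_rights(ntfs_aces, principals) & effective_rights(share_aces, principals)


# Constructed example: a Reports folder shared from a W2K3 server.
NTFS_ACES = [
    ("Finance", "Allow", NTFS_STANDARD["Modify"]),
    ("Users", "Allow", NTFS_STANDARD["Read"]),
    ("Temps", "Deny", NTFS_STANDARD["Write"]),
    ("Contractors", "Deny", frozenset("D")),
]
SHARE_ACES = [
    ("Everyone", "Allow", SHARE_STANDARD["Read"]),    # W2K3 new-share default
    ("Finance", "Allow", SHARE_STANDARD["Change"]),
]
COMMON = ("Users", "Everyone", "Authenticated Users")
ALICE = principals_for("alice", ("Finance", *COMMON))
BOB = principals_for("bob", ("Temps", *COMMON))
CAROL = principals_for("carol", ("Finance", "Contractors", *COMMON))


if __name__ == "__main__":
    for name, who in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(name,
              "local:", "".join(sorted(effective_rights(NTFS_ACES, who))),
              "via share:", "".join(sorted(effective_via_share(NTFS_ACES, SHARE_ACES, who))),
              "conflicts:", "".join(sorted(conflicts(NTFS_ACES, who))) or "-")
```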
60. Disk Quotas
• Configurable per volume
• Configurable per user
• Prevent file writing when limitation exceeded
• Space limitation and warning level in KB, MB, GB, TB, or PB
• Enable log events for quota limit reached or warning level reached
• Quota limits based on uncompressed file size
• More control and granularity through third-party quota solutions, such as Quota Advisor and Storage Central from www.sunbelt-software.com

61. Process Security
• Inherits parent's access token
• Use Task Scheduler to launch tasks with any user account credentials
• Services can be launched with System or any user account credentials
• Once launched, access level of process cannot change
• Use RunAs to execute under another user's security context – requires username and password. Use from the command line, or hold SHIFT and right-click an .exe for the pop-up menu

62. Windows Kerberos Policy
• Trusted third-party authentication protocol developed at MIT as part of Project Athena
• Kerberos V5
  – Faster connections
  – Mutual authentication
  – Delegated authentication
  – Simplified trust management
  – Interoperability
• Defined at domain level; controls Kerberos settings
• Implemented by domain's Key Distribution Center (KDC)
• Stored as part of domain security policy (may only be set by Domain Admins)
• Windows attempts to use Kerberos first to authenticate user logons. If Kerberos fails, NTLM is attempted (if enabled)
• NTLM appears primarily for backward compatibility with non-Kerberos supporting Windows clients

63. Kerberos
[Diagram: Windows 2000–based computer, KDC and target server. Step 1 – initial logon: the client obtains a Ticket-Granting Ticket (TGT) from the KDC. Step 2 – the TGT is cached locally. Step 3 – service request: the client presents the TGT to the KDC and receives a Service Ticket (ST). Step 4 – the client presents the ST to the target server and the session is established.]
64. Group Policy Settings: Kerberos
• Enforce user logon restrictions
• Maximum lifetime that a user ticket can be renewed
• Maximum service ticket lifetime
• Maximum tolerance for synchronization of computer clocks
• Maximum user ticket lifetime

65. Disable LM Authentication
• W2K supports:
  – Kerberos
  – Windows NT challenge/response v.2 (NTLM 2)
    » Includes LM, NTLM 1, NTLM 2
    » LM enabled by default
  – Security Option: LAN Manager authentication
• W2K3 supports:
  – Kerberos
  – Windows NT challenge/response v.2 (NTLM 2)
    » Includes LM, NTLM 1, NTLM 2
    » LM disabled by default
  – Security Option: LAN Manager authentication, set to Send NTLM Response Only
• Windows 95, WfW, Macs, and OS/2 clients only support LM, not NTLM
• Windows 98, SE, Me can be upgraded to support NTLM v2 with the Directory Services Client add-on
  – Add NTLM 2 to W95/98: Q239869

66. Directory Services Client
• Active Directory Client Extensions for Windows 95, Windows 98, and Windows NT Workstation 4.0
• Adds to client: AD site awareness, W2K domain logon, Active Directory Service Interfaces, DFS client, WAB, and NTLM v2.
• Does not add: Kerberos, Group Policy or IntelliMirror support, IPSec, L2TP, SPN, nor mutual authentication
• Windows 9x Active Directory client extension is distributed on the Windows 2000 CD
• Active Directory client extension for Microsoft Windows NT 4.0 (with SP6a; Microsoft Internet Explorer 4.01 or higher) on MS Web site
• No version of Directory Services Client for Windows Me (Millennium)

67. Public Key Infrastructure – 1/2
• PKI adds authentication & encryption services to Windows
• How PKI works
  – PKI based on certificates managed by a CA that verifies identity
  – Public keys issued for widespread distribution; private key stays with user
  – Anyone can use the public key to encrypt; only the holder of the private key can decrypt
  – When the public key is applied first, followed by the private key, this supports key exchange
  – When the private key is applied first, followed by the public key, this is a digital signature
  – PKI thus provides both identification and authentication
• Numerous applications use digital certificates to provide security:
  – E-mail, Web, digital file signing, smart cards, IPSec, EFS recovery agent

68. Public Key Infrastructure – 2/2
• PKI components
  – Certificate Services
  – CryptoAPI & CSPs provide crypto operations & private key management
  – Certificate stores to store & manage certificates
• Certificate Services
  – Process certificate requests
  – Verify access qualifications for requesters
  – Create & issue certificates for qualified requesters
  – Generate private keys and deliver to requester's protected store
  – Manage private key cryptography services
  – Distribute & publish certificates for public access
  – Manage certificate revocations
  – Store certificate transactions for auditing
• Works through Certification Authority console

69. EFS Issues 1/3
• EFS (Encrypting File System) is built into Windows 2000, Windows XP, and Windows 2003 NTFS
• Encrypting boot and system files will cause problems, if the system can even boot
• Issues when autoexec.bat is encrypted:
  – Users are unable to log on locally
  – Remote resource access fails
  – Resolution:
    » Decrypt
    » Use Recovery Console to log on as Admin, delete file, then recreate
    » Alter Registry to bypass autoexec.bat file, delete, then recreate
• EFS protects files on NTFS partitions, not when in transport over the network or when resident in system memory (i.e. in use by an application)

70. EFS Issues 2/3
• EFS works using a public key to encrypt files and a private key to decrypt files. If the private key is lost, the files cannot be decrypted
• Users can be designated as EFS recovery agents who can recover data after the private key of another user is lost
• Through secpol.msc a private key can be exported to removable media and deleted from the local system
• EFS cannot be used to encrypt system files; use alternatives: PC Guardian's Encryption Plus for Hard Disks (EPHD)

71. EFS Issues 3/3
• EFS on Windows 2000 uses DESX for encryption. It can only decrypt using DESX.
• EFS on Windows XP pre-SP1 uses 3DES for encryption. It can decrypt using DESX or 3DES.
• EFS on Windows XP SP1 and Windows 2003 uses AES for encryption by default. It can decrypt using DESX, 3DES, or AES.
• EFS Files Appear Corrupted When You Open Them – KB:329741
  – Instructions on setting XP SP1 and 2003 to use 3DES or DESX
  – Do not change this setting if there are existing encrypted files
• Attempting to open AES encrypted files on Windows 2000 or Windows XP pre-SP1 systems will corrupt the files, resulting in data loss!
72. IPSec
• IP Security (aka IPSec)
• IETF standard security protocol (RFC 2411 provides a roadmap to all related RFCs)
• Provides authentication and encryption
• AH (Authentication Header) – integrity and authentication
• ESP (Encapsulating Security Payload) – integrity, authentication, confidentiality (encryption)
• Operates at layer 3 as a plug-in between transport (UDP or TCP) and network (IP and others) protocols
• Works with both IPv4 and IPv6
• Wide industry support, expected to become the predominant VPN Internet standard
• Used with Layer 2 Tunneling Protocol (L2TP) for dial-up VPNs; used by itself for network-to-network VPNs

73. IP Security (IPSec) Policies
• Construct IPSec policies using Windows Security Manager
• IPSec policies associate with default domain policy, default local policy, or customized policy
• Includes abilities to negotiate security services (called negotiation policies)
• IP filters let different policies apply to different computers, based on destination & protocol
• To create an IPSec policy:
  – Create a named security policy for some container
  – Create negotiation policies
  – Create IP filters, associate with negotiation policies

74. Locking Down Windows Systems
The first steps to locking down Windows include:
• Applying service packs
• Applying needed hot fixes and patches
• Applying security templates
• Testing for a secure configuration

75. Service Packs
• Hotfix – single issue, apply only if necessary
• Service Pack – cumulative patches & fixes
• Re-installation of a Service Pack is not necessarily required after installing new drivers or software on Windows 2000/XP/2003, as it was with Windows NT
• Windows 2000: SP4 – see later slide
• Windows Server 2003: no service packs available as of 11/14/03; SP1 beta rumored to be in testing for release in late 2004

76. Windows 2003 SP1
• Due late 2004
• Will include numerous features and improvements from the Springboard project
• Springboard includes elements and components originally designed for Longhorn, for which Microsoft has accelerated release for Windows 2003 and Windows XP
• Will include:
  – Role-based Security Configuration Wizard (SCW) to quickly configure new servers based on function or role
  – Insecure network client isolation
  – VPN quarantine
  – Enterprise level protection features (yet unrevealed)

77. Windows 2003 Pre-SP1 Security Issues 1/2
• 23 pre-SP1 hot fixes as of 5/11/2004
• MS04-015: Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)
• MS04-014: Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)
• MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741)
• MS04-011: Security Update for Microsoft Windows (835732)
• MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028)
• MS04-006: Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (830352)
• MS04-003: Buffer Overrun in MDAC Function Could Allow Code Execution (832483)
• MS03-048: Cumulative Security Update for Internet Explorer (824145)

78. Windows 2003 Pre-SP1 Security Issues 2/2
• MS03-045: Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
• MS03-044: Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)
• MS03-043: Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
• MS03-041: Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)
• MS03-039: Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
• MS03-034: Flaw in NetBIOS Could Lead to Information Disclosure (824105)
• MS03-030: Unchecked Buffer in DirectX Could Enable System Compromise (819696)
• MS03-026: Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
• MS03-023: Buffer Overrun In HTML Converter Could Allow Code Execution (823559)

79. Windows 2000 SP5
• Due late 2004, after Windows 2003 SP1 ships
• No reliable details on elements other than existing post-SP4 hot-fixes (17 as of 5/11/2004)
  – MS03-022, MS03-023, MS03-026, MS03-034, MS03-039, MS03-041, MS03-042, MS03-043, MS03-044, MS03-045, MS03-049, MS04-006, MS04-007, MS04-008, MS04-011, MS04-012, MS04-014
    80. 80. 80 Windows 2000 Service Pack 4 • Released Aug 2003 - generally stable • Recommended for Windows 2000 Server and Pro • Available on CD, through Windows Update, on Windows 2000 Web area • SP4 includes ~674 fixes (102 for security issues), see KB: Q327194 – Note: these are issues in addition to those in SP3 and earlier. • Release notes for W2K SP4: 813432 • SP4, like SP3, upgrades the system to use 128-bit encryption. If you uninstall SP4 (or SP3), the system will remain at 128-bit encryption. • SP4 includes Internet Explorer 5.01 SP4 and Outlook Express 5.5 with SP2 • SP4 adds to Windows 2000: native 802.1x wireless networking support and native USB 2.0 support • There are 14 post SP4 security issues as of March 2004.
    81. 81. 81 Known Issues with W2K SP4 • Local Security Policy Values Revert to the Values That Are Stored in SecEdit.sdb (KB:827664) • If you have Windows Update service disabled when you install SP4, the installation program re-enables Windows Update without notifying you. • .Net Framework 1.0 programs won't run. – Available hotfix or upgrade to .Net Framework 1.1 (KB:823845) • Norton Internet Security 2001 is incompatible. – Upgrade NIS (KB:823087) • Exchange Server can't start its Key Management Service. – Workaround: database defragmentation (KB:818952) • Other known issues: KB: 813432
    82. 82. 82 Windows XP Service Pack 2 • To be released?? – current rumor is July 2004 • Will require significant changes to an organization’s deployment processes and configuration procedures – New security and networking enforced defaults will cause numerous applications and services to fail, reconfiguration will be necessary • RC1 of SP2 – not stable enough for widespread deployment • RC2 of SP2 due soon – may be suitable for limited testing, I don’t recommend production environment deployment of these test releases • Sweeping changes to Windows XP – Improved default security – Improved ICF, RPC, DCOM, COM – Better memory management and protection (i.e. buffer overflow) – Improved IE, Outlook Express, Windows Messenger
    83. 83. 83 Windows XP Service Pack 1a • SP1a for Windows XP released on 2/3/2003 • There are 77+ post SP1a security issues as of March 2004 • SP1a and SP1 are identical, except that the Microsoft VM (Java support) is removed from SP1a. • Generally considered stable • We recommend installation on all XP systems • Updates XP systems with hotfixes released through mid-Aug 2003 (MS02-048) • Includes IE 6 SP1 & USB 2.0 • Does not include BlueTooth • Known issues: KB:324722 • 57 post SP1a hot fixes as of 5/11/2004
84. Windows XP Security Rollup Package 1
• Released 10/14/2003
• As an interim release before SP2
• Contains 22 security related patches in a single installation package
  – Includes security patches from SP1 through MS03-039
• KB826939
85. Working with Service Packs
• Review documentation and KB documents associated with the Service Pack and/or hotfix before initiating installation.
• Need sufficient free space on the boot partition, ~3 times the size of the SP, more if uninstall info is saved
• Move the previous SP's uninstall directory from %SystemRoot%\$NTServicePackUninstall$ to another safe location.
• Back up data, Registry, maybe the entire system
• Reboot the system
• Terminate all applications, stop unneeded services, stop debugging, stop remote control sessions
• Disable the Server service to prevent network access before starting SP/HF application
• Stop all third-party services requiring disk access, e.g. virus protection and defragmenters/optimizers
86. Managing SPs and HFs
• Service Pack presence is visible through most Help | About screens of native utilities and through the WINVER tool
• Hotfix identification varies by hotfix - typically run HOTFIX.EXE or view the Hotfix Registry key for a list
• Qfecheck - management tool from Microsoft
• UpdateEXPERT - SP and HF inventory and installation tool from Sunbelt Software
• HFNetChkPro - from Shavlik Technologies - http://www.shavlik.com/pHFNetChkPro.aspx
• All DCs should be maintained at the same SP level; mixing can introduce problems
• Software Update Services (SUS) - internalizes & manages Windows Update for private networks
• Service packs for Windows 2000, XP, and 2003 can be slipstreamed for new installations, or a pre-integrated installation CD may be available
87. Lockdown Tools 1/2
• Microsoft Baseline Security Analyzer (MBSA) 1.2
  – GUI and command line tool
  – Runs on Windows 2003/XP/2000 only, but will scan Windows NT 4.0, Windows 2003, Windows 2000, Windows XP, IIS 4.0, IIS 5.0, SQL 7.0, SQL 2000, IE 5.01+, and Office 2000/2002/2003, + more.
  – Lists all necessary or applicable patches, fixes, or security settings for each detected OS and software.
  – Each issue is scored:
    » Red X - missing
    » Yellow X - possible vulnerability or reminder warning
    » Green check - verified secured setting or control
    » Blue asterisks - reminder or warning of possible vulnerability
    » Blue information icon - information about the system
  – Possible risk: MBSA can create a plaintext report; with clever scripting a malicious user can create an automated attack tool based on the results.
88. Lockdown Tools 2/2
• MBSA was developed with Shavlik Technologies
  – Commercial versions are available:
    » HFNetChkPro
    » EnterpriseInspector
    » Both are free for use on up to 10 workstations and 1 server
  – www.shavlik.com
• HFNetChk - command line tool which scans for installed hotfixes
  – Excellent for scanning local and networked systems
  – Does not download or install necessary patches
• CIS benchmark security tool
  – Evaluates a Windows system for compliance against pre-defined security benchmarks
89. Security Configuration and Analysis
• MMC snap-ins:
  – Security Configuration and Analysis
  – Security Templates
• Used to customize Group Policies, a.k.a. security templates.
• Several pre-defined security templates for client, server, and DC systems at basic, compatible, secure, and high security levels.
• Analyze current security state
• Impose a pre-defined or customized security template
• Create custom templates
90. Well-known Vulnerabilities
• Windows is at risk from a wide number of well-known and oft-exploited vulnerabilities.
• The following slides discuss many of these along with workarounds and countermeasures
91. Services and Security
• Only install necessary services
• Unbind unneeded protocols
• Candidate services to disable/remove:
  – Alerter
  – Clipbook Server
  – Computer Browser
  – DHCP client
  – Directory Replicator
  – Messenger
  – NetLogon
  – Network DDE
  – Plug and Play
  – RPC locator
  – Server
  – SNMP Trap service
  – Spooler
  – TCP/IP NetBIOS Helper
  – Telephony service
  – Workstation
• Unnecessary services offer information gathering “holes” or access points
• Test service removal on non-production systems
• Sysinternals’ Process Explorer - displays DLL dependencies
• See the BlackViper Web site on removing/disabling services
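As an added example (not from the original deck), a PowerShell script that audits the candidate services listed above and disables them only when asked; the service short names are assumed mappings and should be confirmed with Get-Service on the target, since names and availability differ between Windows versions:

```powershell
# Added example, not part of the original deck. Audits the "candidate services to
# disable/remove" from the slide and, only with -Disable, sets them to Disabled and
# stops them. Test on a non-production system first; -WhatIf previews every change.
# The short service names are assumptions for Windows 2000/XP-era builds: confirm them
# with Get-Service on the target, as names and availability differ between versions.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Disable)

# Slide display name -> service short name (assumed). Consequences worth knowing before
# disabling: LanmanServer also removes file/print sharing and the admin shares, Netlogon
# breaks domain logons, LanmanWorkstation breaks outbound SMB, and PlugPlay must stay
# enabled on modern builds.
$Candidates = [ordered]@{
    'Alerter'               = 'Alerter'
    'Clipbook Server'       = 'ClipSrv'
    'Computer Browser'      = 'Browser'
    'DHCP client'           = 'Dhcp'
    'Directory Replicator'  = 'Replicator'
    'Messenger'             = 'Messenger'
    'NetLogon'              = 'Netlogon'
    'Network DDE'           = 'NetDDE'
    'Plug and Play'         = 'PlugPlay'
    'RPC locator'           = 'RpcLocator'
    'Server'                = 'LanmanServer'
    'SNMP Trap service'     = 'SNMPTRAP'
    'Spooler'               = 'Spooler'
    'TCP/IP NetBIOS Helper' = 'LmHosts'
    'Telephony service'     = 'TapiSrv'
    'Workstation'           = 'LanmanWorkstation'
}

$report = foreach ($entry in $Candidates.GetEnumerator()) {
    $name = $entry.Value
    # WMI/CIM gives State and StartMode on every supported PowerShell version.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        [pscustomobject]@{ Slide = $entry.Key; Service = $name; State = 'not installed'; StartMode = '-'; Action = 'none' }
        continue
    }
    $action = 'none'
    if ($Disable -and $PSCmdlet.ShouldProcess($name, 'Set startup type to Disabled and stop')) {
        try {
            Set-Service -Name $name -StartupType Disabled -ErrorAction Stop
            if ($svc.State -eq 'Running') { Stop-Service -Name $name -Force -ErrorAction Stop }
            $action = 'disabled'
        } catch {
            # Dependent services or a protected service make Stop-Service fail; record it.
            $action = "failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Slide     = $entry.Key
        Service   = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Action    = $action
    }
}

# Running services with Auto start are the ones most worth reviewing first.
$report | Sort-Object State, StartMode | Format-Table -AutoSize
```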
92. SNMP Problems
• If using SNMP, remove or alter the public default community
• Anyone with an SNMP browser can poll this community
• Snmputil from the Resource Kit:
  – Snmputil walk <IP address> public <OID>
  – OIDs identify a specific branch in the MIB
• IP Browser from Solar Winds (www.cerberus-infosec.co.uk) offers GUI exploration of the public community
• Don’t deploy SNMP unless you use it
93. Raw Sockets
• Windows 2003, Windows XP, Windows 2000, UNIX, and Linux support administrative or root only access to full raw sockets
• However, on stand-alone Windows XP Professional and Home systems, all local users are administrators by default
• Full raw sockets are a means by which the TCP/IP stack is bypassed to allow direct access to the underlying network data transport
• Full raw sockets were originally designed as research tools, not for real-world OSes
• Full raw sockets allow spoofed IP addresses and SYN floods
• IE’s defaults download and install software without the user’s knowledge
• Use GRC.com’s SocketToMe and SocketLock to detect and close down raw sockets to users and restrict them to SYSTEM access only
94. Enumeration Using Telnet Client (1/2)
• Use any telnet client:
  – telnet <domain name or IP> port
  – Followed by pressing Enter several times
• Test common ports: 80 (Web), 21 (FTP), 25 (SMTP), etc.
• Many services respond with an error msg (a.k.a. banner) listing information about the service on that port
• For example:
    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/6.0
    Date: Wed, 23 Aug 2000 16:19:04 GMT
    […]
• Web server enumeration tool: ID Serve from GRC - http://grc.com/id/idserve.htm
95. Enumeration Using Telnet Client (2/2)
• Protection:
  – remove default banners where possible
  – check open ports with a scanner (nmap)
  – prevent remote Registry access
  – Don’t rely on obscurity as your only means of security
• IIS’s URLScan utility disables banners on any version of IIS by refusing invalid service requests. Knowledge Base: 317741 - HOW TO: Mask IIS Version Information from Network Trace and Telnet
• Avoid the telnet service whenever possible; use secure alternatives such as remote control software (such as PCAnywhere), SSH (secure shell), or stunnel.
96. File Streaming
• A method for hiding executables
• Requires NTFS’s POSIX capabilities and the RK “cp” tool
  – cp <file> <hostfile>:<file>S
• Streamed files can be executed without extraction using:
  – Start <hostfile>:<file>
• Can be used on files and directories
• Great way for hackers to hide toolkits
• Locate streamed files with:
  – LADS - Locate Alternate Data Streams - www.heysoft.de/nt/ntfs-ads.htm
  – Streams - www.sysinternals.com/misc.htm
• SANS warning: http://www.sans.org/newlook/alerts/NTFS.htm
• If POSIX is removed/disabled, existing streams still function but no new streams are possible.
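An added PowerShell alternative to the LADS and Streams tools named above (not part of the original deck) that lists alternate data streams under a path; it needs PowerShell 3 or later on an NTFS volume, and -Root and -MinBytes are parameter names chosen for this script:

```powershell
# Added example, not part of the original deck: list alternate data streams (ADS)
# under a path, the same check the slide's LADS and Streams tools perform.
# Requires PowerShell 3+ (Get-Item -Stream) on an NTFS volume.
# -Root and -MinBytes are parameter names chosen for this script.
param(
    [string]$Root = $env:SystemRoot,
    [int]$MinBytes = 0
)

# Every NTFS file has the unnamed ':$DATA' stream; anything else is an alternate stream.
# Zone.Identifier is the stream browsers and mail clients add to downloads and is usually
# benign, so it is reported but not flagged. A stream whose name ends in an executable
# extension is the hiding technique the slide describes and is flagged as Suspect.
# Directories can carry streams too; this scan covers files only.
Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinBytes } |
            ForEach-Object {
                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $_.Stream
                    Bytes   = $_.Length
                    Suspect = ($_.Stream -ne 'Zone.Identifier') -and
                              ($_.Stream -match '\.(exe|dll|com|bat|cmd|vbs)$')
                }
            }
    } |
    Sort-Object Suspect, Bytes -Descending |
    Format-Table -AutoSize
```

Run it against a directory you expect to be clean first (for example a freshly installed %SystemRoot%) to learn which streams are normal on that build before scanning user-writable locations.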
97. Boot Partition Conversion Problem
• If Windows 2000 is installed onto a FAT/FAT32 formatted boot partition, then converted to NTFS
• Correct default security permissions are not applied to files on the boot partition
• Use the SECEDIT tool to apply correct permissions
• Q237399
• If NT 4.0 was installed with SYSPREP, a bug prevents the Win2K upgrade from converting a FAT boot partition to NTFS
• Must manually convert the drive, no other MS fix
• Q256917
98. 51 IP Addresses
• A Windows 2000 Server as a domain server cannot support more than 51 IP addresses OOB
• Bug in Active Directory causes the error
• Attempting to add the 52nd address renders the system unable to:
  – Authenticate users
  – Launch and use administrative tools
• Limitation is per server, not per NIC
• Corrected in SP2
• Only workarounds:
  – add a second system
  – use W2K as a non-domain controller
99. Administrative shares
• C$, D$, …
• Hidden/system shares
• Accessed from any client on the network
• Can be accessed over VPN, RAS, PPTP
• Only require admin name and password
100. Hidden Systems
• NET CONFIG SERVER /HIDDEN:yes|no
• Removes the system from browse lists
• Prevents the Server service from being tuned via the Network applet
• Disables auto-tuning
• To restore auto-tuning, edit the Registry and correct the entries in the LanmanServer Parameters section
• See KB: 128167; 321710; 314498
101. Predefined accounts
• Administrator
  – Can be renamed
  – Requires a non-blank password on Domain Controllers
  – Cannot be locked out or disabled
  – Cannot be deleted
  – Password never expires
  – Password cannot be stored with reversible encryption
  – Smart card cannot be required
  – Cannot be delegated
  – DES cannot be used and Kerberos is required
• Guest
  – Can be renamed
  – Blank password by default
  – Can be locked out and disabled
  – Cannot be deleted
  – Disabled by default
• Remember: everyone knows these accounts exist
102. The IIS Accounts
• IUSR_computername
  – Created by IIS for anonymous Web & FTP access
  – “Log on Locally” right
  – Member of Guests and Domain Users (DCs only)
  – Non-blank random password
  – Access enabled by default
• Can be renamed; requires a change in Active Directory Users and Computers as well as in both IIS’s Web and FTP server Properties
• Remove from the Domain Users and Guests groups to force local and Web access only
103. SAM Deletion
• Deleting the \winnt\system32\config\sam file destroys all user accounts and assigns a blank password to Administrator
• Use only as a last resort
• All domain and security settings related to users and groups are destroyed
104. Replace Passwords
• Winternals Locksmith
• Used to replace a user account password
• Works on any account, including Administrator
• Requires physical access
• Requires NTRecover or Remote Recover
• NTRecover allows data from one system to be moved across a serial cable to another system. The source system is booted with a floppy to bypass security or to recover a failed system.
• Winternals: www.winternals.com
• Similar tool: ntpasswd: http://home.eunet.no/~pnordahl/ntpasswd/
105. Who is the Admin?
• List admins with:
  – NET GROUP "Domain Admins" /DOMAIN
• Get more details on each listed user with:
  – NET USER username /DOMAIN | more
• Decoys are for external users
• Any valid user can exploit NetBIOS to extract information about users and systems
106. Administrator Decoy
• Rename the real Administrator account with a subtle, non-obvious name - avoid admin, sysop, root, master
• Create a new decoy account named “Administrator” with a simple password
• Remove all or most access privileges and group memberships
• Audit every action and logon attempt
• Consider creating fake confidential content to snag intruders long enough to be detected and located (i.e. a honeypot)
• Method only isolates the Admin account from external intruders; Domain Admins can always discover accounts
107. Double Admin Accounts
• Each administrator needs two accounts:
  – Administrative account for management work
  – Normal user account for daily work
• No two admins should ever share an account
• Restrict/Delegate each admin to his or her segment/resource responsibilities
• Only grant Admin access to trusted users
• Keep local Admins out of the Domain Admins global group to control access levels
• Audit admin account activities
• Be pessimistic about offering admin access
• Revoke the “log on from network” User Right for all admin accounts - requires physical presence at the system to log on and manage
108. Anonymous & Null Connections
• By default, all anonymous connections and null sessions can enumerate domain user names and share names.
• A null session can connect to any share or printer which the Everyone group has access to.
• Set RestrictAnonymous to 1 to prevent unauthorized users from gaining access to user and share names.
• RestrictNullSessAccess can be set to 1 to prevent null sessions from connecting to a system.
• Some network services use null sessions to enumerate systems, perform tasks, or contact other systems on the network. Disabling null sessions may cause these services to fail.
• The NullSessionPipes value contains a list of the named pipes that can be accessed by null sessions. Named pipes can be removed from this list, but removing them may adversely affect some networking services.
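An added PowerShell audit of the three settings named on this slide (not from the original deck); it reads the standard Lsa and LanmanServer registry locations, applies the hardened values only with -Apply, and deliberately leaves NullSessionPipes untouched because of the breakage the slide warns about:

```powershell
# Added example, not part of the original deck: read the three settings the slide
# names, compare them with the hardened values, and with -Apply set them. The registry
# paths are the standard Windows locations; run elevated, and reboot after changes.
# Removing pipes from NullSessionPipes can break services that depend on null sessions,
# so the pipe list is only reported here and never rewritten.
param([switch]$Apply)

$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$Checks = @(
    @{ Path = $Lsa;    Name = 'RestrictAnonymous';      Expected = 1 },
    @{ Path = $Server; Name = 'RestrictNullSessAccess'; Expected = 1 }
)

$results = foreach ($c in $Checks) {
    # A missing value means the system is still at the permissive default.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $status  = if ($null -eq $current) { 'missing' }
               elseif ($current -eq $c.Expected) { 'ok' }
               else { 'weak' }
    if ($Apply -and $status -ne 'ok') {
        # Creates the REG_DWORD if it does not exist, otherwise overwrites it.
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
        $status = 'fixed'
    }
    [pscustomobject]@{ Setting = $c.Name; Current = $current; Expected = $c.Expected; Status = $status }
}
$results | Format-Table -AutoSize

# Report only: each pipe listed here is reachable over a null session (REG_MULTI_SZ).
$pipes = (Get-ItemProperty -Path $Server -Name NullSessionPipes -ErrorAction SilentlyContinue).NullSessionPipes
if ($pipes) { Write-Host "NullSessionPipes: $($pipes -join ', ')" } else { Write-Host 'NullSessionPipes: none' }
```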
109. Leaky Ports
• Windows communicates confidential information over many ports, including:
  – NetBIOS - 135 - 139
  – Kerberos - 88
  – LDAP - 389
  – Microsoft Directory Services - 445
  – Kerberos kpasswd (v5) - 464
  – Secure LDAP - 636
  – Global Catalog - 3268
  – Global Catalog SSL - 3269
• Always block on border systems!
• Disable the NetBIOS interface via bindings
• Use a Firewall/Proxy with port filtering
110. NetBIOS Cache Pollution (1/2)
• Vulnerable to NetBIOS cache corruption via unicast or broadcast UDP datagrams
• Allows a man-in-the-middle attack (among other activities) by corrupting the cache with altered NetBIOS name-to-IP address mappings
• Microsoft is aware of this problem; however, according to the discoverers, Microsoft will not issue a patch because it feels the problem resides in the unauthenticated nature of NetBIOS
111. NetBIOS Cache Pollution (2/2)
• Possible protection measures:
  – Block NetBIOS TCP and UDP ports (135-139, and 445) at all network borders.
  – Do not rely on NetBIOS to perform hostname-to-IP address lookups.
  – Disable all services that register a NetBIOS name as seen with the "nbtstat -n" command. Be sure to unbind the "WINS Client" and other related services that employ NetBIOS.
  – Upgrade to Windows 2000 and disable "NetBIOS Over TCP/IP" functionality
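An added PowerShell example covering the port list on the Leaky Ports slide and the border-blocking advice above (not from the original deck); it assumes the Windows Firewall cmdlets of Windows 8 / Server 2012 and later, the rule names are chosen here, and blocking on the host's Public profile complements, rather than replaces, filtering at the network border:

```powershell
# Added example, not part of the original deck. On a host with the NetSecurity
# cmdlets (Windows 8 / Server 2012 and later): report which of the ports from the
# "Leaky Ports" slide are actually open on this host, then block them inbound on the
# Public (untrusted) profile. The rule names are chosen for this example.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Ports from the slide: NetBIOS/RPC 135-139, Kerberos 88 and 464, LDAP 389 / 636,
# Directory Services 445, Global Catalog 3268 / 3269.
$LeakyPorts = 88, 135, 136, 137, 138, 139, 389, 445, 464, 636, 3268, 3269

# 1. What is this host exposing right now on those ports?
$tcpListen = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique
$udpBound  = Get-NetUDPEndpoint | Select-Object -ExpandProperty LocalPort -Unique
$openTcp   = $LeakyPorts | Where-Object { $tcpListen -contains $_ }
$openUdp   = $LeakyPorts | Where-Object { $udpBound  -contains $_ }
Write-Host ("Listening TCP: {0}" -f ($(if ($openTcp) { $openTcp -join ', ' } else { 'none' })))
Write-Host ("Bound UDP:     {0}" -f ($(if ($openUdp) { $openUdp -join ', ' } else { 'none' })))

# 2. One inbound block rule per protocol, scoped to the Public profile so that domain
#    operation on the corporate network is unaffected. Re-running replaces the rules.
foreach ($proto in 'TCP', 'UDP') {
    $name = "Block leaky Windows ports ($proto, Public)"
    if ($PSCmdlet.ShouldProcess($name, 'Create inbound block rule')) {
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $proto -LocalPort $LeakyPorts -Profile Public | Out-Null
    }
}
```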
112. NTFSDOS
• Enables NTFS volume access from any version of DOS or Windows
• Bypasses all NTFS security settings (ACLs)
• Loadable from a boot floppy
• Read-only access
• Protection:
  – Restrict physical access to the machine
  – Remove or lock floppy drives
• Commercial version: write, rename
• Companion utility: NTRecover - copy files from NTFS drives across a serial cable
• Protection: remove the floppy drive, no DOS boot partition, restrict physical access
• www.sysinternals.com, www.winternals.com
113. System Tools
• Consider moving these common administrator tools into a separate directory, set for admin access only:
  – xcopy, net, arp, wscript
  – telnet, arp, ping, route
  – finger, at, rcp, cscript
  – posix, atsvc, qbasic, runonce
  – syskey, cacls, ipconfig, secfixup
  – nbtstat, rdisk, debug, cmd
  – edit.com, netstat, tracert, nslookup
  – rexec, regedt32, regedit, edlin
  – ftp, rsh, tftp
114. Windows 2000 OS/2 and POSIX
• Windows 2000 natively supports OS/2 v.1 and POSIX.1. In most cases, these are useless, and pose a security threat for Internet accessible systems.
• These subsystems can be removed from most configurations without problems:
  1. Delete the following folder and all of its contents: %systemroot%\system32\os2
  2. Delete all Registry subkeys underneath HKLM\Software\Microsoft\OS/2 Subsystem for NT
  3. Delete the Registry value Os2LibPath in HKLM\System\CurrentControlSet\Control\Session Manager\Environment
  4. Clear the contents of Optional in the Registry: HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems (but leave the value named Optional itself in place)
  5. Delete the Os2 and Posix Registry subkeys in HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems
  6. Reboot.
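The six steps above as an added PowerShell script (not the deck's own code); it uses the .NET registry classes because the PowerShell registry provider treats the "/" in "OS/2 Subsystem for NT" as a path separator, handles Os2 and Posix under SubSystems both as values (which is how Windows 2000 stores them) and as subkeys, and -Reboot is a switch chosen for this script:

```powershell
# Added example, not part of the original deck: carries out the six steps on the slide.
# .NET RegistryKey is used instead of the HKLM: drive because the key name
# "OS/2 Subsystem for NT" contains "/", which the PowerShell provider splits on.
# On Windows 2000, Os2 and Posix under SubSystems are registry values rather than
# subkeys, so both forms are handled. Assumes PowerShell 3+ / .NET 4 (two-argument
# DeleteSubKeyTree). Run elevated; -WhatIf previews, and it reboots only with -Reboot.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Reboot)

$HKLM = [Microsoft.Win32.Registry]::LocalMachine
$SessionManager = 'SYSTEM\CurrentControlSet\Control\Session Manager'

# Step 1: the OS/2 support directory.
$os2Dir = Join-Path $env:SystemRoot 'system32\os2'
if ((Test-Path -LiteralPath $os2Dir) -and $PSCmdlet.ShouldProcess($os2Dir, 'Remove directory')) {
    Remove-Item -LiteralPath $os2Dir -Recurse -Force
}

# Step 2: everything underneath the OS/2 subsystem key; the key itself stays, as the slide says.
$os2KeyPath = 'SOFTWARE\Microsoft\OS/2 Subsystem for NT'
$os2Key = $HKLM.OpenSubKey($os2KeyPath, $true)
if ($os2Key) {
    foreach ($sub in $os2Key.GetSubKeyNames()) {
        if ($PSCmdlet.ShouldProcess("HKLM\$os2KeyPath\$sub", 'Delete subkey tree')) {
            $os2Key.DeleteSubKeyTree($sub, $false)
        }
    }
    $os2Key.Close()
}

# Step 3: Os2LibPath in the Session Manager environment block.
$envKey = $HKLM.OpenSubKey("$SessionManager\Environment", $true)
if ($envKey) {
    if ($null -ne $envKey.GetValue('Os2LibPath') -and $PSCmdlet.ShouldProcess('Environment\Os2LibPath', 'Delete value')) {
        $envKey.DeleteValue('Os2LibPath', $false)
    }
    $envKey.Close()
}

# Steps 4 and 5: empty Optional (keeping the value) and drop Os2/Posix from SubSystems.
$subKey = $HKLM.OpenSubKey("$SessionManager\SubSystems", $true)
if ($subKey) {
    if ($PSCmdlet.ShouldProcess('SubSystems\Optional', 'Clear contents')) {
        $subKey.SetValue('Optional', [string[]]@(), [Microsoft.Win32.RegistryValueKind]::MultiString)
    }
    foreach ($name in 'Os2', 'Posix') {
        if ($null -ne $subKey.GetValue($name) -and $PSCmdlet.ShouldProcess("SubSystems\$name", 'Delete value')) {
            $subKey.DeleteValue($name, $false)
        }
        if (($subKey.GetSubKeyNames() -contains $name) -and $PSCmdlet.ShouldProcess("SubSystems\$name", 'Delete subkey')) {
            $subKey.DeleteSubKeyTree($name, $false)
        }
    }
    $subKey.Close()
}

# Step 6: the change takes effect at the next boot.
if ($Reboot -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart')) { Restart-Computer -Force }
```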
115. Remote Control and Terminal Services
• Use the system in a host/terminal configuration
• Local display, keyboard, and mouse control the remote system
• Installs as a service, similar to RAS
• Still requires logon authentication
• Operates over POTS, network, or Internet
• Products: PCAnywhere, Carbon Copy, Timbuktu, Remote DT, WinFrame, Terminal Server, Back Orifice 2000, Windows XP’s Remote Desktop Connection, Tridia VNC
• Most require user accounts to have the Log On Locally User Right
116. Terminal Server
• Terminal Server clients can perform brute force password attacks against any account without triggering lockout - such connections are considered interactive logons. Fortunately, TSC automatically disconnects after 5 failed attempts
• Configure Terminal Server to log out the user on disconnect. Otherwise, a hacker could usurp a valid user by connecting and taking over a session
117. Detecting Remote Control Software
• Remote Control software may be present because:
  – User attempting to simplify work tasks
  – Used by administrators
  – Trial or demo
  – Trojaned (e.g. Back Orifice)
  – Unsuspecting user executes or installs
  – Deposited by hacker after break-in
• Use a port scanner (such as nmap, fport)
• Keep your anti-virus scanner updated
• Use a malicious code or spyware scanner, such as AdAware, SpySubtract, PestPatrol, trojanscan.com
• While Remote Control products have default ports, most can use any port
118. Security & Viruses
• Virus protection is a mandatory element of network and Internet security
• Protect your systems from any type of malicious code: virus, worm, trojan, logic bomb, etc.
• Any information pathway is susceptible
• Active prevention and monitoring are required
• Virus protection is only as reliable as your tools:
  – Integration
  – Central Management
  – Automated
  – Multi-layered
• Microsoft via STPP now offers free virus-related tech support at 1-866-PC SAFETY (1-866-727-2338)
119. Develop Anti-Virus Policy
• Solution is software, not user behavior modification
• Establish an emergency response team
• Automate prevention and detection
• Backup, Backup, Backup
• 100% virus free servers
• Isolate risk takers, revoke privileges
• Eliminate unapproved software
• Don’t allow users to perform manual virus cleaning
• Don’t accept as valid any unverified e-mails about viruses
• Train users about safe e-mail practices
• Understand the risk in active and downloadable content
120. Virus Updates
• Automatic patch and update installation available on most products
• Engine updates can cause system crashes
• Have updates pushed/pulled to a single system first
• After testing, deploy engine upgrades
121. Recovering Infected Documents
• CanOpener from Abbott Systems
• Able to open and extract data from infected files without launching/activating the attached virus
• Not a virus checker, but a complementary tool
• Developed in response to Melissa
• Abbott Systems Inc - http://www.abbottsys.com/products.html (CanOpener)
• Recover damaged or corrupted Office documents:
  – http://www.officerecovery.com/
122. E-mail as a Virus Carrier
• E-mail is the most common carrier of viruses
• Virus scanners: only as good as their definition lists
• Don’t rely upon scanners as your only protection
• Up to date virus scanners still miss 3% of known viruses!
• New viruses often get past virus protected borders
• The rate of virus-borne e-mail is increasing:
  – 1999 - one per hour
  – 2000 - one per 3 minutes
  – 2001 - one per 30 seconds
  – 2002 - more than one per second
• MessageLabs (www.messagelabs.com) offers guaranteed delivery of 100% virus free e-mail.
123. Internet Security Issues
• Requirements to gain access:
  – valid user account
  – password
  – name of domain
  – name of the domain controller or IP address of WINS server
• Avoid Telnet and other UNIX daemon ports: susceptible to DoS attacks
• FTP - more susceptible to password attacks than system logons
• Guest account and anonymous access
• New generations of tools: nmap, nlog, legion
124. Denial of Service
• Any Internet connected server is vulnerable
• Any system is vulnerable, even Microsoft’s own Web sites
• DoS information:
  – FBI Web site
    » http://www.fbi.gov/nipc/trinoo.htm
  – CERT Web site
    » http://www.cert.org/advisories/CA-2000-01.html
  – NetWare Connections: April 2000: Cyber Crime:
    » http://www.nwconnection.com/2000_04/cyber40/index.html
• Many well-known Distributed Denial of Service (DDoS) tools exist on the Internet:
  – Tribal Flood Network (TFN), trinoo, shaft, stacheldraht, mstream, naptha, zombie
• Five Registry modifications to harden the TCP/IP stack against DoS attacks - Q315669
125. Internet Connection Vulnerabilities
• Your network, proxy, router, gateway, notebook, or workstation system may be open to Internet attacks
• All Windows OSes offer information and access to external anonymous connections
• Must unbind NetBIOS from all external interfaces
• Test NetBIOS vulnerabilities at: http://grc.com/
  – Use the Shields UP online tests to look for services and ProbeMyPorts to look for open ports
• Security Audits from SecuritySpace.com - monthly subscription service scans for vulnerabilities
126. Web Bugs
• 1 x 1 graphic: tracks Web usage without your knowledge
• Often used to profile current or prospective customers
• Some detection tools have become available:
  – Grc.com’s OptOut, Spyware Analyzer, and NetFilter
  – Regnow.com’s SpyCop
• Often rely on cookies - disabling cookies will stop some of them
• Ad-aware can detect and remove some Web bugs: http://www.lavasoftusa.com/
• Bugnosis - Web bug detector - www.bugnosis.com
127. IIS Security Issues
• Basic IIS Protection
• IIS Protocol Protection
• Securing IIS Web
• Securing IIS FTP
• Use with proxy or firewall
128. Locking Down IIS Web 1/4
• First, lock down the host OS!
• Install IIS into its own partition
• Use a packet filtering firewall/router to block all unused ports
• Avoid using FrontPage Server Extensions or WebDAV on production IIS systems
• IUSR: User Rights, authentication, member of the Everyone & Authenticated Users groups
• Specify No Access for the IUSR_ account on everything, then grant the IUSR_ account access only as needed
• Change the name of the IUSR account - duplicate the change in Active Directory Users and Computers and in IIS
129. Locking Down IIS Web 2/4
• Use an alternate TCP port for private information service use
• Do not include sensitive or confidential information in ASP files.
• Set minimum possible or application appropriate IIS permissions on virtual directories, folders, and files. Avoid script/executable permissions as much as possible.
• Set minimum possible or application appropriate NTFS ACLs on folders and files.
• Isolate IIS from DCs, file servers, other sensitive data - don’t host IIS on sensitive systems
• Enable and configure logging/auditing
130. Locking Down IIS Web 3/4
• Update root CA certificates - add new CAs you trust, remove CAs you no longer trust
• Remove the IISADMPWD Virtual Directory
• Disable or remove all IIS sample applications:
  – IISSamples, IISHelp, and MSADC
• Disable or remove unneeded COM components
• Inspect all ISAPI scripts for RevertToSelf(); - which changes execution context to system level - use dumpbin (a Win32 API developer tool)
131. Locking Down IIS Web 4/4
• Remove unused Script Mappings, especially for ISAPI
• Check <FORM> and Querystring input in your ASP code for validity before processing
• Disable parent paths (i.e. “..”) (294807 - pre-6.0)
• Disable IP Address in Content-Location (218180)
• Disable WebDAV (post SPR1) - Unchecked Buffer In Windows Component Could Cause Web Server Compromise (KB:815021; 241520) - MS03-007
132. Unsuspecting Web Servers
• IIS and PWS automatically install and run on many OSes
• If IIS/PWS is running, you are vulnerable to all unpatched exploits
• Open IE, in the Address field type "http://localhost" and press Enter. If you get a Web page or a dialog box asking you to enter your name, password, and domain, then you are running IIS/PWS.
• To uninstall IIS/PWS, use Add/Remove Windows Components.
• To disable, use the IIS MMC snap-in or the Services applet
133. IIS Host Protection
• Isolation domain
• Reverse Proxy - “port forwarding”
  – Can slow access due to proxy activities
• Web in a box solutions
• Co-locate at an ISP
  – Requires use of remote control software
• Outsource Web/FTP hosting to a third party
• Maintain an internal backup of hosted Web/FTP resources to safeguard all IIS/FTP solutions
134. IIS Isolation Domain
• Configure IIS in its own distinct domain
• Define trust to administer the IIS domain
• Enables control of IIS while protecting the LAN
• Consider an IPX LAN where only the IIS host uses TCP/IP - deploy MS Proxy Server & use an IPX-to-IP gateway for client Internet access
• Deploy a firewall between IIS and main domains to filter traffic
135. Securing IIS FTP
• Don’t rely on ISM’s access rights, use NTFS (think of IIS FTP as shares)
• Offer minimal access to users
• Avoid mapping drives or directories:
  – across the network
  – of root
  – whose children should not be FTP accessible
• Log FTP activity and check the Event log frequently for access denials - audit access failures
• Block IPs where break-ins originate
• Remember that passwords are passed in the clear by the FTP protocol
• Disable anonymous user uploads
136. Hackers Do It With Subtlety
• Footprinting
  – Profiling an organization’s security structure
  – Discovering network addresses and domain names
• Scanning
  – Determining active services and applications
  – Locating active or open ports
  – Determining OS
• Enumeration
  – Extracting account information
  – Connecting to shares
  – Connecting to services or applications
• Exploitation
  – Taking advantage of security holes
137. Hacking Tools - 1/4
• VisualRoute - GUI tracert - www.visualroute.com
• SolarWinds 2000 - ping, subnet, traceroute, DNS, and more - www.solarwinds.net
• Genius - traceroute and more - www.indiesoft.com
• Nmap - port scanner - www.insecure.org/nmap/
• PortPro - port scanner - www.securityfocus.com
• Legion - connects to open shares - packetstorm.securify.com/groups/rhino9/
• Epdump - port and service scanner - packetstorm.securify.com/NT/audit/
• LC4 - (formerly L0phtCrack) password grabber/cracker - http://stake.com/research/lc/
138. Hacking Tools - 2/4
• getmac - identifies MAC and device name of NICs on remote systems - RK tool
• netdom - domain management tool, lists domain membership and BDCs - W2K Support tool
• Netviewx - lists nodes and services in a domain - www.ibt.ku.dk/jesper/NetViewX/default.htm
• Netcat (nc) - port connector, DNS checking, port scanning, and more - www.l0pht.com/~weld/netcat/
• Sam Spade - multi-function tool: DNS query, website search, IP block identifier, SMTP verify, etc. - samspade.org/ssw/
• NetBus - a remote control package - www.netbus.org/
139. Hacking Tools - 3/4
• Revelation - reveals passwords behind asterisks - www.snadboy.com
• Password Recovery - recovers passwords from various file types - www.accessdata.com
• Password crackers - users.aol.com/jpeschel/crack.htm
• Cerberus Internet Scanner - scans for ports, services, and common vulnerabilities - www.cerberus-infosec.co.uk
• Invisible KeyLogger - records keystrokes - www.amecisco.com
• remote - used to regain access to breached systems - RK
140. Hacking Tools - 4/4
• Pippa or datapipe - perl scripts used to redirect ports - www.s0ftpj.org/tools/pippa_v1.txt and www.geog.psu.edu/~qian/libgfc/src-gdatapipe-h.html
• Grinder - searches out Web servers on IP addresses - packetstorm.securify.com/groups/rhino9/
• Foundstone tools - a wide assortment of utilities - www.foundstone.com/rdlabs/tools.php
• Nessus port scanner - http://www.nessus.org/
• Fscan - http://www.foundstone.com/resources/tools.html
• NetScanTools - http://www.nwpsw.com/
141. Security Certifications
• SANS GIAC
• MCSE + Security
• ISC2 CISSP
• Security+
• TruSecure ICSA (TICSA)
• CIW Security Analyst
• NAX - Network Analysis Expert (WildPackets)
• “The vendor-neutral security certification landscape, May 2003 update” - SearchSecurity.com
• “Update: Survey of vendor-specific security certs, May 2003” - SearchSecurity.com
142. Online Resources Intro
• URL Safety - We’ve endeavored not to include any high-risk Web sites in our list of recommended URLs (except as noted). However, access sites at your own risk.
• KB - Knowledge Base documents, which can be found on TechNet (CD or Web site: www.microsoft.com/technet/) and at support.microsoft.com. Knowledge Base documents may or may not be preceded by a Q, as in Q260694.
• Free Email Alerts every time Microsoft publishes NEW Support or Knowledge Base Articles, by product/technology: http://www.kbalertz.com/
• RK - Resource Kit - available as a standalone product or as part of TechNet
143. TechNet
• Monthly publication
• Documentation for every major MS product
• White papers, FAQs, troubleshooting documents, book excerpts, articles, utilities, patches, fixes, upgrades, drivers, and demonstration software
• http://www.microsoft.com/technet/
144. Database of Registry Entries
• W2K3: part of the Microsoft Windows Server 2003 Deployment Kit as the Registry Reference for Windows Server 2003. Also available online: http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx
• W2K RK utility: REGENTRY.CHM
• NT RK utility: REGENTRY.HLP
• Lists all standard or default entries of the Registry
• Locate by topic, alphabetically, or search
• Excellent resource for security or any type of maintenance requiring Registry manipulation
• Windows Registry Guide: http://www.winguides.com/registry/
• The viewable Registry is a collection of exceptions, not an exhaustive collection of configuration settings.
145. Online Resources 1/5
• Microsoft Security Advisor & Notification Service
  – http://www.microsoft.com/security/
• Various Windows Security Guides:
  – http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/default.asp
• Department of Homeland Security - Information Analysis and Infrastructure Protection Directorate CyberNotes: http://www.nipc.gov/
  » Bi-weekly list of all bugs, holes, and patches for software (including OSes), exploit scripts and techniques, Internet trends, viruses, and Trojans
• Microsoft Security - Trustworthy Computing for IT
  – http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp
• Windows & .NET Magazine
  – http://www.win2000mag.net/
• ENT News: Maximizing the Enterprise Windows Experience
  – http://www.entmag.com/
• Windows & .NET Magazine: Security Administrator
  – http://www.ntsecurity.net/
• Windows NT/2000/XP/Server 2003 Tips and Tricks
  – http://www.jsiinc.com/reghack.htm
• SANS Institute
  – http://www.sans.org/
146. Online Resources 2/5
• Hacking Exposed book companion Web site
  – http://www.hackingexposed.com/
• TISC Security Web site
  – http://tisc.corecom.com/
• CERT
  – http://www.cert.org/
• Somarsoft
  – http://www.somarsoft.com/
• Securityfocus
  – http://www.securityfocus.com/
• NSA’s Security Recommendation Guides
  – http://www.nsa.gov/
• Microsoft’s Security Operations Guide for Windows 2000 Server
  – http://www.microsoft.com/downloads/release.asp?releaseid=37123
• NTSecurity.nu’s Security Toolbox
  – http://www.ntsecurity.nu/toolbox/
• Foundstone’s Free Tools
  – http://www.foundstone.com/resources/free_tools.html
147. Online Resources 3/5
• Security Mailing lists
  – http://www.cert.org/other_sources/usenet.html
• @Stake/l0pht (where crackers congregate!)
  – http://www.atstake.com/
• Beverly Hills Software
  – http://www.bhs.com/
• SERVERxtras, Inc.
  – http://www.serverxtras.com/
• Sunbelt Software (nt-admin list)
  – http://www.sunbelt-software.com/
• Windows NT/2000 FAQ
  – http://www.ntfaq.com/
• Search Windows 2000
  – http://www.searchwin2000.com/
• Security Administrator - Windows & .NET Mag
  – http://www.secadministrator.com/
• Hammer of God - tools
  – http://www.hammerofgod.com/download.htm
148. Online Resources 4/5
• NTBugTraq
  – http://www.ntbugtraq.com/
• Computer Incident Advisory Capability (CIAC):
  – http://www.ciac.org/
• Federal Computer Incident Response Capability (FedCIRC):
  – http://www.fedcirc.gov/
• AntiOnline:
  – http://www.antionline.com/
• Security News Network:
  – http://www.atstake.com/security_news/
• NSA’s W2K Security Recommendation Guides
  – http://nsa1.www.conxion.com/win2k/download.htm
• Encryption and Security-related Resources
  – http://www.cs.auckland.ac.nz/~pgut001/links.html
• Event ID.net
  – http://eventid.net/
• NIST - CSRC
  – http://csrc.nist.gov/publications/nistpubs/
149. Online Resources 5/5
• Microsoft Patch and Hotfix Download Center:
  – http://www.microsoft.com/downloads/
• Microsoft KnowledgeBase, TechNet
  – http://support.microsoft.com/
  – http://www.microsoft.com/technet/
• MSNEWS.MICROSOFT.COM – NNTP server:
  – microsoft.public.inetexplorer.ie4.security
  – microsoft.public.java.security
  – microsoft.public.win2000.security
  – HINT: use newsgroup search on "security" for the complete list!
• Microsoft Security reporting email
  – secure@microsoft.com
• NTSecurity mailing list
  – Majordomo@iss.net – subscribe ntsecurity
• MCP Mag: April 2000: Security Advisor
  – http://www.mcpmag.com/members/00apr/col3main.asp
• Netware Connection: April 2000: Cyber Crime
  – http://www.nwconnection.com/2000_04/cyber40/index.html
150. Vulnerability Scanners 1/2
• Security Space: Security Audits: http://www.securityspace.com/
• Qualys: Free online scanner for the SANS Top 20 vulnerabilities: https://sans20.qualys.com/
• Foundstone: FoundScan Enterprise Vulnerability Management System (EVMS): http://www.foundstone.com/
• Harris Corporation: STAT Scanner: http://www.statonline.com/
• Internet Security Systems: Internet Scanner: http://www.iss.net/
• SAINT Corporation: http://www.saintcorporation.com/
• Advanced Research Corporation: SARA-4.1.1: http://www-arc.com/sara/
• Nessus: Nessus Security Scanner: http://www.nessus.org/
151. Vulnerability Scanners 2/2
• eEye Digital Security's Retina: http://www.eeye.com/
• Cerberus Information Scanner: http://www.cerberus-infosec.co.uk/cis.shtml
• Winfingerprint: http://winfingerprint.sourceforge.net/
• ExtremeTech's Syscheck: collection of scanners:
  – http://www.extremetech.com/print_article/0,3428,a=25758,00.asp
• Hacker Whacker:
  – http://hackerwhacker.com/
• Evaluation of vulnerability scanners:
  – http://img.cmpnet.com/nc/1201/graphics/f1-detect-results.pdf
152. Security Audit Tools
• ISS RealSecure
  – http://www.iss.net/
• RSA's Security Analyst
  – http://www.rsa.com/
• Network Associates' CyberCop
  – http://www.nai.com/
• Blue Lance's LT Auditor+
  – http://www.bluelance.com/
• CyberSafe's Centrax
  – http://www.cybersafe.com/
• Sunbelt's STAT, QualysGuard, Enterprise Security Reporter
  – http://www.sunbelt-software.com/
• Marcus Ranum's Network Flight Recorder
  – http://www.nfr.com/
• Somarsoft's DumpSec, DumpEvt, DumpReg
  – http://www.somarsoft.com/
• Raytheon's SilentRunner
  – http://www.silentrunner.com/
153. Virus Protection Tools
• Symantec's Norton Anti-Virus
  – http://www.symantec.com/avcenter/
• Computer Associates' InocuLAN and InoculateIT
  – http://www.cai.com/virusinfo/
• Network Associates' Anti-Virus
  – http://www.nai.com/products/antivirus/
• Trend Micro's InterScan Anti-virus
  – http://www.antivirus.com/
• Data Fellows' F-Prot
  – http://www.datafellows.com/download-purchase/tools.html
• McAfee's VirusScan
  – http://www.mcafee.com/centers/anti-virus/
• Moosoft's The Cleaner – trojan scanner
  – http://www.moosoft.com/thecleaner/
• PestPatrol – trojan, hacker tool, and spyware scanner
  – http://www.pestpatrol.com
• Locate other options:
  – Server Xtras, Inc.: http://www.serverxtras.com/
  – Sunbelt Software: http://www.sunbelt-software.com/
  – Beverly Hills Software: http://www.bhs.com/
154. Virus Information Resources
• The WildList Organization International
  – http://www.wildlist.org/
• Denial of Service Attack Resources
  – http://www.denialinfo.com/
• Digicrime, Inc.
  – http://www.digicrime.com
• Peter Gutmann's Web site on Security Weaknesses
  – http://www.cs.auckland.ac.nz/~pgut001/
• Simovits Consulting: Ports used by Trojans
  – http://www.simovits.com/nyheter9902.html
155. Firewall/Proxy Online Resources
• Security Panel's Firewall List
  – http://www.securitypanel.org/firewalls.html
• Phil Cox's "Hardening Windows 2000 Guide"
  – http://www.systemexperts.com/win2k.html
• Hammering out a secure framework:
  – http://www.networkcomputing.com/1101/1101f3.html
• NIST Guidelines on Firewalls and Firewall Policy (SP 800-41)
  – http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
• Yahoo – search on Firewall
156. Print Resources 1/2
• Windows 2000 Security, by Roberta Bragg. New Riders, 2001. ISBN 0735709912.
• Windows 2000 Security Handbook, by Philip Cox and Tom Sheldon. Osborne McGraw-Hill, 2000. ISBN 0072124334.
• Windows 2000 Security: Little Black Book, by Ian McLean. The Coriolis Group, 2000. ISBN 1576103870.
• Microsoft Windows 2000 Security Handbook, by Jeff Schmidt. Que, 2000. ISBN 0789719991.
• Windows 2000 Security Technical Reference. John Hayday (ISS named as "Editor"). Microsoft Press, 2000. ISBN 073560858X.
• Hacking Exposed, 4th Edition: Network Security Secrets and Solutions. Stuart McClure, Joel Scambray, George Kurtz. McGraw-Hill, 2003. ISBN 0072227427. See also Hacking Exposed Windows 2000 (ISBN 0072182623).
• Intrusion Signatures and Analysis. Stephen Northcutt, et al. New Riders, 2001. ISBN 0735710635.
157. Print Resources 2/2
• Firewalls and Internet Security: Repelling the Wily Hacker. William R. Cheswick & Steven M. Bellovin. Addison-Wesley, 1994. ISBN 0201633574. 2nd Edition due whenever it's finished!
• Building Internet Firewalls, 2nd Edition. Elizabeth Zwicky, et al. O'Reilly & Associates, 2000. ISBN 1565928717.
• Configuring Windows 2000 Server Security. Thomas Shinder, et al. Syngress Media, 1999. ISBN 1928994024. (See also ISA Server and Beyond, ISBN 1931836663.)
• Network Intrusion Detection: An Analyst's Handbook, 2nd Ed. Stephen Northcutt and Judy Novak. New Riders, 2000. ISBN 0735710082.
• Computer Security. Dieter Gollmann. John Wiley & Sons, 1999. ISBN 0471978442.
158. Security Bookshelf
• Identifies the top 50-plus information security books for InformIT.com
• Updated March 2003 online!
• Initially designed for comprehensive CISSP preparation, now includes best-of-breed infosec titles
• To locate:
  – Go to www.informit.com
  – Search on "Tittel bookshelf"
  – Produces pointers to 2 related articles:
    The Computer Security Bookshelf, Part 1
    The Computer Security Bookshelf, Part 2