Windows network


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Hackers Persona – 5 minutes Rootkit Demo – 10 minutes Top Mistakes – 5 minutes Securing Windows Networks – 15 minutes Security through Group Policy Demo – 10 minutes Staying Secure – 5 minutes MBSA Demo – 10 minutes Secure Windows Initiative – 5 minutes Security Improvements in XP SP2 – 45 minutes XP SP2 Demo – 15 minutes Total: 125 minutes = 2:05 minutes out of 2:45 allotted – but Securing Windows Networks section still needs a lot of work!
  • Lame = hacked by automated malware (i.e. Agobot) Skilled = hacked by a group / “crew” of people who pick the exploit that will work against you, install malware / backdoors hidden in ‘plain site’ Sophisticated = hacked by a group of people or person, possibly using a 0-day, who hide their intrusion using a rootkit or other hard to detect software Demo a common rootkit (Hacker Defender) in action using port 80 (2 VPC’s)
  • Automated Attacks Describe how spreaders take a range of IP addresses as input, and spawn multiple threads that send exploit packets to each server in that IP address range with the goal of getting a remote command shell and running code of attackers choice in that command shell, usually running as SYSTEM. Worms like Agobot / Phatbot / Polybot family of worms that drop IRC servers, clients, backdoor trojans etc. as payload. Automated hacking ‘agents’ that notify the attacker each time a new machine is hacked. Custom Attack 0-day exploits – Talk about how some exploits may exist in the hands of the few for many months before vendors are alerted and patches are developed Give example of company having their email addresses stolen from a SQL database via an insecure ASP page that allowed the attacker to post a querystring to an ASP page with an incrementing CustomerID field to get the e-mail address to be returned by the ASP unsubscribe page
  • Talk about CoreISO crew – trading warez and movies, writing their own tools, hiding their data in c:\system volume information with directory names you can’t delete easily via the shell.
  • Talk about authors of rootkits like Holy Father and Aphex HLL = High Level Language ASM = Assembly Backdoors and hacking tools completely hidden by rootkits
  • Example: Extortion case involving hosting provider where a single IIS ISAPI was uploaded to the server that would automatically exploit vulnerable IE clients. Top secret government intrusions that the world never hears about
  • Password Policy . Windows by default stores a cryptographic hash of a users password in two forms, the LM hash and the NT hash. The LM hash is no longer considered cryptographically secure and the password it is created from is limited to 14 characters in length. The NT hash can be derived from a 128 character password that can use unicode characters. Password grinding or guessing attacks are one way to exploit weak passwords, another way is via a pre-computation attack whereby the attacker pre-computes all of the possible password hash values for a given password length and character set (the strength of a password is derived from these two inputs). What you should know about strong passwords: Password Best Practices:    Accounts Passwords and Lockout Policies:   Account Lockout and Management Tools:   Patch Policy Talk about the decreasing time to exploit and the importance of deploying critical security patches as quickly as possible or implementing workarounds if not possible Patch Management Info: Patch Management Web site: Download the Security Patch Management Guide: Firewall Policy In the hacking cases I work where a firewall is involved, in the majority of the cases the rules are not what the owner thinks they are (i.e. they were temporarily disabled and then never re-enabled etc.). This is easily verified by performing a remote port-scan of the IP address from the Internet using a variety of free port scanning tools like Superscan4 from Foundstone or nMap for Unix. In addition the vast majority of remote compromises can be prevented by performing proper egress filtering (outbound packet filtering which will usually block the remote shell from being able to connect back to the attacker). Secure OS Baseline It is critical to slipstream critical service packs and security patches into an installation source to avoid worm infections during or shortly after setup, especially if the machine being re-built is re-installed while connected directly into the Internet or a hostile network.
  • How to end the cycle of violence When any security incident or intrusion occurs, it is important to find the root cause and not just flattening a machine and rebuilding it at the first sign of compromise which prevents you from determining how the machine was hacked so that you can prevent it from getting re-hacked as soon as you bring the machine back online. PSS Security gets a fair number of cases where we are involved only after the machine has been hacked a 2 nd or 3 rd time in a row by the same people exploiting the same weakness. Tips for rebuilding Problems: How to get all of the patches onto a CD? How to keep the CD up to date when patches are released monthly (it USED to be weekly?) Solutions: Build a SUS server – keep it on an isolated build VLAN or network, only connect it to the Internet to synchronize it Use Windows Update Catalog to burn security patches to CD Create a slipstreamed OS installation that is installable via RIS (remote installation service)
  • Countermeasures Network – Encryption and Mutual authN are key to mitigating network sniffing attacks that intercept credit card numbers, authentication exchanges etc. – IPSec to the rescue. Talk about how it can be used via both the Internet and on the Intranet (most think it’s only useful on the Intranet) Talk about Microsoft’s own internal huge IPSec deployment Talk about RRAS users are the weak link in your ‘hard crunchy shell’ and talk about Network Quarantine and how Microsoft is using this to enforce security policy along with 2-factor authN Talk about 802.1x port-based authentication for the future – working on a solution, so is Cisco etc. Operating System – Use security templates to tighten default security settings of all Windows operating systems using Group Policy. Best bang for the buck achieved by: Implementing good strong password policies for all domains Disabling anonymous account enumeration (default on WS2003) Requiring NTLMv2 authN Disabling storage of LM password hash Enabling strong SYSKEY protection of password hashes where possible Enabling signing of SMB messages Turning off un-needed services Running services with low privileged accounts Enable auditing / configure the event logs to retain data – enable process tracking Having unique LOCAL administrator passwords for each machine to prevent crack once / run anywhere attacks Hardening the network stack with the TCP Syn attack settings ACL’ing dangerous system files (i.e. give SYSTEM a Deny ACE on cmd.exe and various other system utilities) Apply all critical OS security patches Applications IIS – Use the IIS Lockdown Tool and URLScan on ALL Web Servers – don’t give up just because it broke something. Open a case with PSS and make it work Talk about web application security concepts (SQL injection, XSS etc., secure cookie handling / best practices) SQL Good strong SA password Run SQL as a low privileged non-administrator account, do NOT run it as SYSTEM Drop un-necessary default / sample tables Lockdown un-necessary stored procedures (XP_Commandshell anyone?) Encrypt the contents of the database using a 3 rd party row-level encryption utility OR by EFS’ing the database files themselves Exchange Talk about Exchange Edge Services Talk about protecting Exchange with ISA server Talk about not publishing MAPI via the Internet (use OWA or RPC over HTTP)
  • Default man, Default man – doing the things the defaults can Installs as much as possible on one server (i.e. IIS, SQL, Exchange, Active Directory) Likely entry point – just about anywhere, pick something (i.e. weak admin password, missing OS patch, application specific hack etc.)
  • The router would be configured to block known-bad ports vs. allowing only known-good ports Knows not to install everything on one server Doesn’t monitor network traffic, doesn’t know what ‘normal’ looks like so they can’t spot ‘abnormal’ Likely entry point is via an easily guessed administrator password or via an application specific hack (SQL injection, application specific BO)
  • Nothing gets in or out without them knowing about it. Has proper system and network baselines – can definitely spot deviations from ‘normal’ If you can hack it – you can have it!
  • These are what I consider to be among the biggest, highest profile threats to a Windows environment today. We will discuss each of these in more detail in the following slides
  • More information Network Management API’s: Server Functions NetServerDiskEnum NetServerEnum NetServerGetInfo NetServerSetInfo Server and Workstation Transport Functions NetServerComputerNameAdd NetServerComputerNameDel NetServerTransportAdd NetServerTransportAddEx NetServerTransportDel NetServerTransportEnum NetWkstaTransportAdd NetWkstaTransportDel NetWkstaTransportEnum Session Functions NetSessionDel NetSessionEnum NetSessionGetInfo Share Functions NetConnectionEnum NetShareAdd NetShareCheck NetShareDel NetShareEnum NetShareGetInfo NetShareSetInfo Statistics Function NetStatisticsGet Use Functions NetUseAdd NetUseDel NetUseEnum NetUseGetInfo User Functions NetUserAdd NetUserChangePassword NetUserDel NetUserEnum NetUserGetGroups NetUserGetInfo NetUserGetLocalGroups NetUserSetGroups NetUserSetInfo
  • What users and administrators should know about passwords
  • PWDumpX.exe (multiple variants) and L0phtcrack all work by injecting a DLL into LSASS.EXE which has access to the un-encrypted password hashes. This requires administrator access and by definition administrators can do anything they want on a system. Doing things like ACL’ing files and creating Software Restriction Policies are no good here since they can easily be undone by code running with Administrative / SYSTEM privileges Requiring 2-factor authentication using smart-cards would be a good mitigating factor here since deriving a users password from the hash would not allow for interactive logon without the smart-card (although network logons may still be possible)
  • Man in the middle attacks have been demonstrated against NTLM, NTLMv2 (SecurityFriday) and Kerberos (Arne Vidstrom) Attacks on Kerberos:
  • What you should know about strong passwords:   Password Best Practices:       Accounts Passwords and Lockout Policies:     Account Lockout and Management Tools:    
  • Source: Tom Sullivan – Microsoft Principal Consultant
  • One of the core concepts of writing secure code involves checking all input before using it or placing it in a buffer. Don’t block known-bad, rather only allow known-good input. Windows Server 2003 introduces the new ‘local service’ and ‘network service’ accounts which are low privileged accounts that can be used to run services that don’t require SYSTEM or administrative rights. Behavioral blocking software works by either monitoring code paths that are normally taken by a process and blocking un-usual or un-expected code paths that deviate from the known-good configuration. Intrusion Prevention Systems monitor network traffic and block known-bad packets based on signatures developed by the vendor.
  • Talk about awareness for 15 minutes Demonstrate the IT Pro Security site ( Talk about Security Alert Notification Service Talk about 3 rd part Vulnerability Assessment Tools and how they are different from MBSA Demonstrate MBSA 1.2 Direct everyone to my Patch Warfare and Incident Response Tutorials on Thursday
  • Microsoft’s New Security Culture Talk about the TWC memo ( and and how it later led to the SD3+C initiative. Talk briefly about the Secure Windows Initiative and how it’s affected the product design of WS2003 Talk about how WS2003 has mitigated many of the recent ‘critical’ security vulnerabilities by default – that’s progress (specifically talk about the WebDAV exploit from MS03-007 and the PCT and LSASS exploits from MS04-011). We’ll devote 45 minutes to the SWI stuff being thrown into XP SP2
  • In January 2002, Bill Gates, our Chief Software Architect, issued a call to action challenging Microsoft ’ s employees to build a Trustworthy Computing environment for customers that is as reliable as the electricity that powers our homes and businesses today. Security is one of the four key pillars of Trustworthy Computing – security, privacy, reliability, and business integrity. To track and measure its progress, Microsoft has created a framework, known as SD3+C, for the security objectives of Trustworthy Computing: Secure by Design – products have secure architectures and features, and developers take extensive steps to avoid introducing security vulnerabilities into their code Secure by Default – products limit their exposure to attack, and disable features that are not very widely needed; and features run with minimum privilege to minimize the impact of even a successful attack. Secure in Deployment – products are complemented by tools, guides, and training that help customers operate their systems securely. Communications – Microsoft provides customers with the information they need to help them operate securely – including responses to vulnerabilities from the Microsoft Security Response Center. A detailed white paper on SD3+C was published in December 2002 and is available at: As efforts in Trustworthy Computing have progressed, customer feedback has helped Microsoft to prioritize the effort of improving patch management as a key cross-Microsoft strategy for improving customer security.
  • XP SP2 download: Changes in XP SP2:
  • In previous versions of Windows, the Messenger service is set to start automatically and the Alerter service is set to manual start. In Service Pack 2 for Windows XP, both of these services are set to Disabled. No other changes are made to these services. Bluetooth® is a wireless networking technology available in a wide variety of devices. Support for Bluetooth wireless technology is included in Service Pack 2 for Windows XP. This support was not previously available directly from Microsoft. It is included now because customers requested that this technology be added to the core Windows operating system. Some of the features that are included in this release are support for PAN (personal area networking using Internet Protocol over Bluetooth), Hard Copy Replacement Profile (HCRP) for printing, dial-up networking, Host Interface Device (HID), object push, and virtual COM ports. Support for selective suspend and boot-mode keyboards (based on specifically configured hardware) is also included. If no Bluetooth transceiver is present on the system, there is no change to the system's behavior. When a Bluetooth device that is approved by the Windows Hardware Quality Labs (WHQL) is present, Bluetooth support is enabled. When Bluetooth support is enabled, you can find changes in the Network Connections section in Control Panel. A new Control Panel item called Bluetooth Devices has also been added. In addition, you can find the new Bluetooth File Transfer Wizard by clicking Start , pointing to Accessories , and pointing to Communications . If an existing non-Microsoft Bluetooth network driver is installed, upgrading to Service Pack 2 for Windows XP does not cause the existing driver to be replaced. It can be replaced later, either manually or programmatically. For complete documentation on Bluetooth in Service Pack 2 for Windows XP, see online Help.
  • A change has been made in COM to provide computerwide access controls that govern access to all call, activation, or launch requests on the computer. The simplest way to think about these access controls is as an additional AccessCheck call that is done against a computerwide access control list (ACL) on each call, activation, or launch of any COM server on the computer. If the AccessCheck fails, the call, activation, or launch request will be denied. This is in addition to any AccessCheck that is run against the server-specific ACLs. In effect, it provides a minimum authorization bar that must be passed to access COM servers on the computer. There will be a computerwide ACL for launch permissions to cover activation and launch, and a computer-wide ACL for access permissions to cover calls. These can be configured through the Component Services Microsoft Management Console (MMC). These computerwide ACLs provide a way to override weak security settings specified by a specific application through CoInitializeSecurity or application-specific security settings. This provides a minimum security standard that must be passed, regardless of the settings of the specific server. These ACLs are checked when the interfaces exposed by RPCSS are accessed. This provides a method to control who has access to this system service. These ACLs provide a centralized location where an administrator can set general authorization policy that applies to all COM servers on the computer. By default, Windows XP computer restriction settings are: PermissionAdministratorEveryoneAnonymousLaunchLocal (Launch)Local ActivateRemote (Launch)Remote ActivateLocal (Launch)Local ActivateAccessLocal (Call)Remote (Call)Local (Call)
  • These computerwide ACLs provide a way to override weak security settings specified by a specific application through CoInitializeSecurity or application-specific security settings Access is also considered in terms of distance (i.e. local activation or remote activation) and ACL’s can be set for both local and remote activation
  • A number of changes have been made in the Remote Procedure Call (RPC) service for Service Pack 2 for Windows XP that help make RPC interfaces secure by default and reduce the attack surface of Windows XP. The most significant change is the addition of the RestrictRemoteClients registry key. This key modifies the behavior of all RPC interfaces on the system and will, by default, eliminate remote anonymous access to RPC interfaces on the system, with some exceptions. Additional changes include the EnableAuthEpResolution registry key and three new interface registration flags. When an interface is registered using RpcServerRegisterIf , RPC allows the server application to restrict access to the interface, typically through a security callback. The RestrictRemoteClients registry key forces RPC to perform additional security checks for all interfaces, even if the interface has no registered security callback. RPC clients that use the named pipe protocol sequence ( ncacn_np ) are exempt from all restrictions discussed in this section. The named pipe protocol sequence cannot be restricted by default, due to several significant backwards compatibility issues. The RestrictRemoteClients registry key can have the three values described below. If the key is not present, it is equivalent to having the RPC_RESTRICT_REMOTE_CLIENT_DEFAULT value. The RPC_RESTRICT_REMOTE_CLIENT_NONE (0) value causes the system to bypass the new RPC interface restriction. It is entirely the responsibility of the server application to impose appropriate RPC restrictions. This setting is equivalent to the behavior in previous versions of Windows. The RPC_RESTRICT_REMOTE_CLIENT_DEFAULT (1) value is the default value in Service Pack 2 for Windows XP. This value restricts access to all RPC interfaces. All remote anonymous calls are rejected by the RPC runtime. If an interface registers a security callback and provides the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag, then this restriction does not apply to that interface. The RPC_RESTRICT_REMOTE_CLIENT_HIGH (2) value is the same as the RPC_RESTRICT_REMOTE_CLIENT_DEFAULT value, except that the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag will no longer exempt an interface. With this value, a system cannot receive remote anonymous calls using RPC. Solution – Workarounds: Three new interface registration flags have been created which make it easier for an application developer to secure an RPC interface. RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH When this flag is registered, the RPC runtime invokes the registered security callback for all calls, regardless of the call security settings. Without this flag, RPC rejects all unauthenticated calls before they reach the security callback. This flag works only when a security callback is registered. RPC_IF_SEC_NO_CACHE A security callback is registered for an interface in order to restrict access to that interface. The typical security callback impersonates the client to determine if the client has sufficient rights to make a call to the interface. If a particular client identity passes a security callback once, it usually passes the same security callback every time. The RPC runtime takes advantage of this pattern by remembering when an individual client identity passes a security callback and skips the security callback for subsequent calls by that client to the same interface. This feature is called security callback caching and has existed since Windows 2000. For Service Pack 2 for Windows XP, you can use the RPC_IF_SEC_NO_CACHE flag to disable security callback caching for a given interface. This is useful if the security check might change, possibly rejecting a client identity which was previously permitted. RPC_IF_LOCAL_ONLY When an interface is registered with this flag, RPC rejects calls made by remote RPC clients. In addition, local calls over all ncadg_* protocol sequences and all ncacn_* protocol sequences (except for named pipes, using ncacn_np ) are also rejected. If a call is made on ncacn_np , RPC only allows the call if it does not come from SVR, which filters out all remote calls. Ncalrpc calls are always allowed through.
  • Windows Firewall (previously called Internet Connection Firewall or ICF) is a stateful filtering firewall for Microsoft Windows XP and Microsoft Windows Server™ 2003. Windows Firewall provides protection for PCs that are connected to a network by preventing unsolicited inbound connections through TCP/IP version 4 (IPv4) and TCP/IP version 6 (IPv6). Configuration options include: Enabling on a per-interface basis Static port openings Configure basic ICMP options Log dropped packets and successful connections For more information about Windows Firewall for IPv4, see “Internet Connection Firewall Feature Overview” on the Microsoft website at . Support for filtering of IPv6 traffic was added with the release of IPv6 Windows Firewall in the Advanced Networking Pack for Windows XP. The Advanced Networking Pack is available through Windows Update on the Microsoft website at . Boot Time Security In earlier versions of Windows, there is a window of time between when the network stack was running and when Windows Firewall provides protection. This results in the ability for a packet to be received and delivered to a service without Windows Firewall filtering and potentially exposes the computer to vulnerabilities. This was due to the firewall driver not starting to filter until the firewall service was loaded and had applied appropriate policy. The firewall service has a number of dependencies which causes the service to wait until those dependencies are cleared before it pushes the policy down to the driver. This time period is based upon the speed of the computer. In Service Pack 2 for Windows XP, the firewall driver has a static rule to perform stateful filtering. This static rule is called a boot-time policy . This allows the computer to perform basic networking tasks such as DNS and DHCP and communicate with a domain controller to obtain policy. Once the firewall service is running, it loads and applies the run-time policy and removes the boot-time filters. The boot-time policy cannot be configured. There is no boot-time security if Windows Firewall is disabled. Global Configuration In earlier versions of Windows, Windows Firewall was configured on a per-interface basis. This meant that each network connection had its own firewall policy (for example, policy1 for wireless, policy2 for Ethernet). This made it difficult to synchronize policy between connections. Additionally, new connections would not have any of the configuration changes that had been applied to the existing connections. With global configuration, whenever a configuration change occurs, it applies to all network connections. This includes new connections, when they are created. Configuration can still be performed on a per-interface basis as well. Non-standard network connections will only have global configuration. Configuration changes also apply to both IPv4 and IPv6. This new feature applies to Windows Firewall for IPv4, as Windows Firewall for IPv6 already supports global configuration. Local Subnet Restriction By default, when a port opening is created, it is open globally—incoming traffic can come from any network location, such as a local network or the Internet. In Service Pack 2 for Windows XP, you can configure the port to only receive network traffic with a source address from the local subnet. When the file sharing ports are opened with the NetShare application programming interface (API), the Network Setup Wizard, or through the Windows Firewall user interface, the local subnet restriction will be applied by default. Additionally, when UPnP™ ports are opened, they are restricted to the local subnet. It is recommended that you apply local subnet restriction to any static port that is used for communicating on the local network. It can be done programmatically, through the Windows Firewall Netsh Helper, or the Windows Firewall user interface. This applies to IPv4 port configuration. IPv6 port configuration does not support this restriction. However, IPv6 itself supports this through the use of link local and site local addresses. Command line support: The Windows Firewall Netsh Helper was added to Windows XP in the Advanced Networking Pack. This helper only applied to IPv6 Windows Firewall. With Service Pack 2 for Windows XP, the structure of the helper changes and expands to include support for configuring IPv4 as well. With the Netsh Helper, you can: Configure the default state of Windows Firewall (Off, On, On with no exceptions) Configure which ports should be open, including whether ports allow global access or access restricted to the local subnet and whether ports are open on all interfaces or per-interface Configure the logging options Configure the Internet Control Message Protocol (ICMP) handling options Add or remove applications from the exceptions list This applies to both Windows Firewall and IPv6 Windows Firewall, except where functionality is specific to Windows Firewall. The final command-line syntax is under development and is not provided here. “ On with no exceptions” Windows Firewall might be configured to allow unsolicited incoming traffic during normal use. This is typically due to needing to enable key scenarios like file and printer sharing. If a security issue is discovered in one or more of the listening services or applications running on the computer, it might be necessary for the computer to switch into a client-only mode, which is called “On with no exceptions.” Switching into this client-only mode configures Windows Firewall to prevent unsolicited inbound traffic without having to reconfigure the firewall. When in this mode, all static holes are closed and any existing connections are dropped. Any API call to open up a static hole will be allowed and the configuration stored, but it will not be applied until the operational mode switches back to normal operation. All listen requests by applications will also be ignored. This applies to both Windows Firewall v4 and IPv6 Windows Firewall. Exception List Some applications act as both network clients and servers. When they act as servers, they need to allow unsolicited inbound traffic to come in, because they do not know who the peer will be ahead of time. In earlier versions of Windows, an application needed to call the firewall APIs to enable the necessary listening ports to be open. This proved difficult in peer-to-peer situations when the port was not known in advance. It was up to the application to close the port again once communication was completed. Without this, there would be unnecessary openings in the firewall if the application terminated unexpectedly. Additionally, these ports could only be opened if applications were running in the security context of a local administrator. This violated the principle of least privilege by requiring applications to run in an administrative context, rather than only with the minimum necessary privileges. In Service Pack 2 for Windows XP, an application that needs to listen to the network can be added to the Windows Firewall exceptions list. If an application is on the Windows Firewall exceptions list, Windows opens the necessary port automatically, regardless of the application’s security context. An application can be placed on the Windows Firewall exceptions list in three ways. First, it can be added programmatically by the application. It is recommended that ISVs place their application on the Windows Firewall exceptions list during installation. Second, you can use a notification. When an application performs a TCP listen or UDP bind to a specific port, the network stack passes the application name and port to Windows Firewall. Windows Firewall will look up the application name on the exceptions list. If the application is on the exceptions list and enabled, then the corresponding port will be opened in the firewall. If the application is on the exceptions list and disabled, then the corresponding ports will not be opened. If the application is not on the exceptions list, then users are asked to make a choice. If the user is an Administrator, they can allow the application to listen on the network (added to the exceptions list as Enabled and ports opened), not allow the application to listen on the network (added to the exceptions list as Disabled and ports not opened) or be asked again later (not added to the exceptions list and ports not opened). If the user is not an Administrator, they will be notified that the application is not allowed to listen on the network and to have an Administrator enable the application. At this point the application is listed in the exceptions list as Disabled. Third, the user can configure it manually. The user can decide to enable an application manually by selecting it from a list which is populated from the list of applications in the Start Menu, or by browsing for the application on their computer’s hard disk. Applications that work with stateful filtering do not need to be placed on the Windows Firewall exceptions list. Only administrators can add an application to the Windows Firewall exceptions list. Multiple Profiles policy: one for when the computer is connected to the corporate network and one for when the computer is not. You can specify policy that is less strict when the computer is connected to the corporate network to enable line of business applications to work. You can also have a more aggressive security policy that will be enforced when the computer leaves the corporation network, which helps to protect against Internet-based attacks. Multiple profiles for Windows Firewall only applies to computers that are joined to a domain. Computers that are in a workgroup only have one profile. RPC Support In earlier versions of Windows, Windows Firewall blocked remote procedure call (RPC) communication. While Windows Firewall could be configured to allow network traffic to the RPC Endpoint Mapper, the port that RPC used was unknown and the application would still fail. Many enterprise applications and components fail if RPC is not allowed to communicate over the network. Some examples include, but are not limited to, the following: File and print sharing Remote administration, such as the Computer Management feature and the Select User, Computers, and Groups dialog box which is used by many applications Remote Windows Management Instrumentation (WMI) configuration Scripts that manage remote clients and servers RPC opens several ports and then exposes many different servers on those ports. Since so many RPC servers are included with Windows XP, Windows Firewall takes a different approach for RPC. When opening a port, a caller can claim that the port is to be used for RPC. Windows Firewall will only accept this claim if the caller is running in the Local System, Network Service, or Local Service security contexts. Windows Firewall supports a profile level flag that enables RPC ports to be opened even if the caller is not on the Windows Firewall exceptions list. Note, however, that the authorized application settings always override the generic RPC setting. For example, if the RPC setting is “allow local,” but the RPC server executable is also on the Windows Firewall Permissions List with the local subnet only set to False , the port of the RPC server will be opened for all subnets. Restore Defaults Previously there was no way for a user to reset the configuration of Windows Firewall. Over time, Windows Firewall might be configured to allow unsolicited incoming traffic, either through adding applications or ports to the Windows Firewall exception list. This may make it difficult for the user to easily and quickly go back to a default configuration. This option enables the user to restore Windows Firewall settings to their original defaults. In addition, the Windows Firewall defaults can be modified by OEMs and businesses to provide custom configuration options. Unattended Setup In earlier versions of Windows, it was not possible to configure Windows Firewall during installation. This made it difficult for OEMs and businesses to preconfigure Windows Firewall before distributing the computer to their end users. In Service Pack 2 for Windows XP, you can configure the following options of Windows Firewall through unattended setup: Operational mode Applications on the Windows Firewall exception list Static ports on the exception list ICMP options Logging options Multicast / Broadcast support Multicast and broadcast network traffic differ from unicast traffic because the response comes from an unknown host. As such, stateful filtering prevents the response from being accepted. This stops a number of scenarios from working, ranging from streaming media to discovery. To enable these scenarios, Windows Firewall will allow a unicast response for 3 seconds from any source address on the same port from which the multicast or broadcast traffic originated. New and improved Group Policy configuration In earlier versions of Windows, Windows Firewall had a single Group Policy object (GPO): Prohibit Use of Internet Connection Firewall on your DNS domain. With Service Pack 2 for Windows XP, every configuration option can be set through Group Policy. Examples of the new configuration options available include: Operational mode (On, On with no exceptions, Off) Allowed Programs on the exceptions list Opened static ports ICMP settings Enable RPC and DCOM Enable File and Printer Sharing Each of these objects can be set for both the corporate and standard profile. For a complete list of Group Policy options, see “Deploying Internet Connection Firewall Settings for Microsoft Windows XP with Service Pack 2” in the Microsoft Download Center at
  • Data execution prevention (DEP) marks all memory locations in a process as non-executable unless the location explicitly contains executable code. There is a class of attacks that attempt to insert and execute code from non-executable memory locations. Data execution prevention helps prevent these attacks by intercepting them and raising an exception. Data execution prevention relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. Data execution prevention functions on a per-virtual memory page basis, most often changing a bit in the page table entry (PTE) to mark the memory page. The actual hardware implementation of DEP and marking of the virtual memory page varies by processor architecture. However, processors that support data execution prevention are capable of raising an exception when code is executed from a page marked with the appropriate attribute set. Both Intel and Advanced Micro Devices (AMD) have defined and shipped Windows-compatible architectures for data execution prevention. Windows supports DEP on the AMD64 platform and Intel Itanium Processor Family (IPF) processors. The 32-bit version of Windows (beginning with Windows XP Service Pack 2) utilizes the no-execute page-protection (NX) processor feature as defined by AMD. In order to use the NX processor feature, the processor must be running in Physical Address Extension (PAE) mode. The 64-bit versions of Windows uses the NX processor feature on 64-bit extensions and certain values of the access rights page table entry (PTE) field on IPF processors. It is hoped that future 32-bit and 64-bit processors will provide data execution prevention. Microsoft is addressing possible compatibility issues with existing applications and drivers while working with processor vendors to encourage the adoption and development of DEP technologies.
  • Read all e-mail as plain-text The plain text mode feature of Outlook Express provides users with the option to render incoming mail messages in plain text instead of HTML. When Outlook Express is running in plain text mode, the rich edit control is used instead of the MSHTML control. You avoid some security issues that result from the use of MSHTML by using the rich edit control. Why is this change important? The use of rich edit control provides an additional barrier to malicious code that is transmitted using e-mail. Computers running earlier versions of Windows XP had a vulnerability to malicious code because Outlook Express processes HTML header scripts in the HTML content. The MSHTML control automatically executes these scripts. The rich edit control does not execute HTML scripts, so this is mitigated. Because plain text e-mail does not require HTML header processing to be displayed properly, there is usually no visible difference from this processing change. “ Don’t download external HTML content” This Outlook Express feature helps users to avoid getting repeated spam mailings by preventing the user from unknowingly validating their e-mail address to spam originators. Businesses that use spam as a marketing technique typically include references to images that reside on their Web servers inside the e-mail message. Some of these spam e-mail messages contain single pixel images that are not visible to the recipient of the e-mail so that the recipient will not be aware that there is any content that is malicious. When the user opened an e-mail that contains the image, previous versions of Outlook Express automatically contacted the Web server to download and display the images. When the request for the image was made to the Web server, it could ascertain that a spam e-mail message was received by an active e-mail account, which validated the e-mail address in the spam originator’s mailing list. Now, when the Don’t Download External HTML Content feature is enabled, the default behavior of Outlook Express changes so that it does not contact the Web server to download external content, which prevents the verification of the e-mail address with the spam originator. This download behavior is configurable and is enabled by default when you install Service Pack 2 for Windows XP. This feature also minimizes a common problem that is experienced by people whose computers use dial-up network connections. Prior to implementing this feature, if a user downloaded their mail messages and then disconnected their network connection, when they attempted to view an HTML messages that included pictures or other external Internet content, their modem would automatically start to dial out to download the external content. AES API Description Outlook Express now integrates a new set of application programming interfaces (APIs), called the Attachment Execution Service (AES), to check e-mail attachments. This allows applications to eliminate custom code that performs similar safety checks and instead rely on this centrally-managed API set. The use of AES provides a consistent user experience across all applications that check the security of an attachment. Why is this change important? It is important to have a more unified approach for attachment security across all Windows applications. This helps to ensure that users get a consistent experience with regard to the security check performed on attachments.
  • What does Internet Explorer Add-on Management and Crash Detection do? These are two new, closely-related features that are included in Internet Explorer. Internet Explorer Add-on Management allows users to view and control the list of add-ons that can be loaded by Internet Explorer with more detailed control than before. It also shows the presence of some add-ons that were previously not shown and could be very difficult to detect. Internet Explorer Add-on Crash Detection attempts to detect crashes in Internet Explorer that are related to an add-on. When the add-on is successfully identified, this information is presented to the user. The user has the option of disabling add-ons to diagnose frequent crashes and improve the overall stability of Internet Explorer. Who does this feature apply to? Users will be able to view, enable, and disable the add-ons used by Internet Explorer, and identify add-ons that might be related to Internet Explorer crashes. Administrators can enforce a list of add-ons that are allowed or disallowed and restrict the ability of users to manage add-ons. What does Binary Behaviors Security Setting do? Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. These binary behaviors not are controlled by any Internet Explorer security setting which allows them to work on Web pages in the Restricted Sites zone. In Service Pack 2 for Windows XP, there is a new Internet Explorer security setting for binary behaviors. This new setting disables binary behaviors in the Restricted Sites zone by default. This new binary behaviors security setting provides a general mitigation to vulnerabilities in Internet Explorer binary behaviors. For more information on binary behaviors, such as how they work, and how to implement them, see “Cutting Edge: Binary Behaviors in Internet Explorer 5.5” on the Microsoft website at . Note that binary behaviors, which are defined in C++ and compiled, are different from Attached Behaviors and Element Behaviors, which are defined in script. What does BindToObject Mitigation do? In Service Pack 2 for Windows XP, the ActiveX security model is applied in all cases where URL binding is used to instantiate and initialize an object. The ActiveX security model allows controls to be marked as “safe for scripting” and “safe for initialization” and provides users with the ability to block or allow ActiveX controls by security zone, based on those settings. This allows greater flexibility and control of active content in Internet Explorer. The most effective way to remove ActiveX safety vulnerabilities is to apply security policies consistently at the source of the URL binding: URLMON. Declaring an ActiveX control in an HTML page using the <object> tag and CODEBASE attribute is one commonly known example of using BindToObject . The same functionality is used by any component that wants to resolve an URL and get back a stream or object. The ActiveX security model is now applied to all object initializations with a URL as a source. What does Local Machine Zone Lockdown do? When Internet Explorer opens a Web page, it places restrictions on what the page can do, based on the location of the Web page. For example, Web pages that are located on the Internet might not be able to perform some operations, such as accessing information from the local hard drive. On the other hand, Web pages on the local computer are in the Local Machine security zone, where they have the fewest security restrictions. The Local Machine zone is an Internet Explorer security zone, but is not displayed in the settings for Internet Explorer. The Local Machine zone allows Web content to run with fewer restrictions. Unfortunately, attackers also try to take advantage of the Local Machine zone to elevate their privileges and compromise a computer. In Service Pack 2 for Windows XP, all local files and content that is processed by Internet Explorer has the security of the Local Machine zone applied to it. This differs from previous versions, where local content was considered to be secure and no zone-based security was placed on it. This feature dramatically restricts HTML in the Local Machine zone and HTML that is hosted in Internet Explorer. This helps to mitigate attacks where the Local Machine zone is used as an attack vector to load malicious HTML code. Who does this feature apply to? All application developers should review this feature. Applications that host local HTML files in Internet Explorer are likely to be impacted. Developers of stand-alone applications should plan to adopt changes in their applications that host Internet Explorer. Local Machine Lockdown is not enabled for non-Internet Explorer processes by default and developers will need to register their applications to take advantage of the changes. Applications that do not use this mitigation should independently review their applications for Local Machine zone attack vectors. Software developers with applications that host Internet Explorer should use this feature and add their process name into the registry as described in this document. In the future, Microsoft might implement this feature using an opt-out policy rather than an opt-in policy. Applications that host Internet Explorer should be tested to ensure that they function properly with Local Machine Zone Lockdown enabled for their process. Network Administrators might use local scripts that will be impacted by these restrictions. Administrators should review the available solutions to enable their local scripts without compromising the security of their user’s desktops. Web developers of sites hosted on the Internet or Local Intranet zones should not be impacted by these changes. Users could be impacted by applications that are not compatible with these stricter rules and settings. When Internet Explorer runs in the Local Machine zone, the default security settings for the security zones, known as URLActions , are overridden by settings that are even more restrictive than those of the Internet zone. Specifically, these settings are: URLACTION_ACTIVEX_RUN resolves to Disallow. URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY resolves to Disallow. URLACTION_SCRIPT_RUN resolves to Prompt. URLACTION_CROSS_DOMAIN_DATA resolves to Prompt. URLACTION_BINARY_BEHAVIORS_BLOCK resolves to Disallow. URLACTION_JAVA_PERMISSIONS resolves to Disallow.
  • MIME-handling file type agreement enforcement Detailed description When files are served to the client, Internet Explorer uses the following pieces of information to decide how to handle the file: File name extension Content-Type from the HTTP header (MIME type) Content-Disposition from the HTTP header Results of the MIME sniff In Service Pack 2 for Windows XP, Internet Explorer requires that all file-type information that is provided by Web servers is consistent. For example, if the MIME type of a file is “text/plain” but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving the file in the Internet Explorer cache and changes its extension. (In a MIME sniff, Internet Explorer examines, or sniffs, a file to recognize the bit signatures of certain types of files.) Object Caching In previous versions of Windows with Internet Explorer, some Web pages could access objects cached from another website. In Service Pack 2 for Windows XP, a reference to an object is no longer accessible when the user navigates to a new domain. Blocked Publisher Detailed description Through Authenticode, the user can block content for a given publisher from installing or running. To do this, the user selects the Never trust content from PublisherName check box in the Authenticode dialog box. If selected, the user is never prompted when code that is identified with the publisher’s digital signature is trying to install itself on their system. It will be automatically blocked without showing the Authenticode dialog box. Why is this change important? What threats does it mitigate? This feature was designed to help users block ActiveX controls and other signed file formats from repeatedly prompting them on the Web. Users had no way of saying, “I don’t want content from this publisher. Do not ask me again.” Because they didn’t have this feature, many users installed applications or content just to keep from encountering repeated prompts. One prompt per control per page Detailed description Internet Explorer only prompts once per ActiveX control per page. Why is this change important? What threats does it mitigate? It mitigates the social engineering trick of prompting the user a number of times for the same control. Even though users repeatedly refuse, they cannot get out of the loop, and they might eventually accept the installation out of frustration.
  • Ellipsis placed on text for application description and publisher name Detailed description When the text that is given for the application description, file name, or publisher name is wider than the dialog box in width, Internet Explorer places an ellipsis on the text. This helps indicate to the user that there is more text that they are not seeing. Why is this change important? What threats does it mitigate? This reduces the ability of control authors from placing marketing text and EULAs in the dialog box or using other social engineering tricks to overwhelm the users and get them to install the control. What breaks or works differently? Application description, file names, and publisher names will contain an ellipsis if the text is longer than the width of the dialog box. No applications or Web pages should need to be modified. Internet Explorer Window Restrictions What does Window Restrictions do? Internet Explorer provides the capability for scripts to programmatically open additional windows of various types, and to resize and reposition existing windows. The Window Restrictions security feature, formerly called UI Spoofing Mitigation, restricts two types of script-initiated windows that have been used by malicious persons to deceive users: popup windows (which do not have components such as the address bar, title bar, status bar, and toolbars) and windows that include the title bar and status bar. Who does this feature apply to? Web developers should be aware of these new restrictions to plan changes or workarounds for any possible impact to their website. Application developers should review this feature to plan to adopt changes in their applications. This feature is only enabled by default for Internet Explorer processes. Developers must register non-Internet Explorer applications to take advantage of the changes Script repositioning of Internet Explorer windows Detailed description Script-initiated windows with the title bar and status bar are constrained in scripted movement to ensure that these important and informative bars remain visible after the operation completes. Scripts cannot position windows so that the title bar or address bar are above the visible top of the display. Scripts cannot position windows such that the status bar is below the visible bottom of the display. Why is this change important? What threats does it mitigate? Without this change, windows that are created by the method can be called by scripts and spoof a user interface or desktop or hide malicious information or activity by one of the three following methods: Positioning the window such that the title bar, status bar, or address bar are offscreen. Positioning the window to hide important elements of the user interface from the user. Positioning the window so that it is entirely offscreen. The visible security features of Internet Explorer windows provide information to the user to help them ascertain the source of the Web page and the security of the communication that uses that page. When these elements are hidden from view, the user might think they are on a more trusted page or interacting with a system process when they are actually interfacing with a malicious host. Malicious use of window relocation can present false information to the user, obscure important information, or otherwise “spoof” important elements of the user interface in an attempt to motivate the user to take unsafe actions or to divulge sensitive information. What breaks or works differently? Are there any dependencies? This change places constraints on positioning of script-initiated windows with a title bar and status bar, to ensure that the title bar and status bar in these windows are always visible to the user. Scripts cannot move a window offscreen, although the user can still move a window offscreen. If you maintain a script that creates offscreen windows in Internet Explorer, you need to change your code. How do I fix the breaks? If your script creates or moves a window offscreen, you should examine this requirement and choose another way to accomplish your goal. You cannot bypass or disable this security feature. Script sizing of Internet Explorer windows Detailed description Script-initiated windows that include a title bar and status bar are constrained in scripted sizing to ensure that the title bar and status bar remain visible after the operation completes. Scripts cannot resize windows such that the title bar, address bar, or status bar cannot be seen. When creating a window, the definition of the fullscreen=yes specification is changed to mean “show the window as maximized,” which will keep the title bar, address bar, and status bar visible. Why is this change important? What threats does it mitigate? Without this change, windows that are created using the method can be called by scripts and spoof a user interface or desktop or hide malicious information or activity by sizing the window so that the status bar is not visible. Internet Explorer windows provide visible security information to the user to help them ascertain the source of the Web page and the security of the communication with that page. When these elements are not in view, the user might think they are on a more trusted page or interacting with a system process when they are actually interacting with a malicious host. Malicious uses of window sizing can obscure important security-related information, and otherwise “spoof” important elements of the user interface in an attempt to motivate the user to take unsafe actions or to divulge sensitive information Script management of Internet Explorer status bar Detailed description Internet Explorer has been modified to not turn off the status bar for any windows. The status bar is always visible for all Internet Explorer windows.
  • Internet Explorer pop-up window placement Detailed description Script-initiated popup windows are now constrained so that they: Do not extend above the top or below the bottom of the parent Internet Explorer Web Object Control (WebOC) window. Are smaller in height than the parent WebOC window. Overlap the parent window horizontally. Stay with the parent window if the parent window moves. Appear above its parent so other windows (such as a dialog box) cannot be hidden. Why is this change important? What threats does it mitigate? Popup windows are created by the window.createPopup() method and also called chromeless windows because they do not have the border “chrome” components, such as the address bar, title bar, status bar, and toolbars. These windows: Can be opened on top of a dialog box and obscure or replace important elements. Can be used to overlay the address bar with a different address. Can simulate a full-screen Windows desktop with a password dialog box. Unrestricted chromeless windows can deceive the user in several ways: A chromeless popup window that is opened on top of a dialog box can obscure or replace important elements of the dialog box, such as warning text and selection or action controls. (These include check boxes, option buttons, and so on.) This might lead the user to a response that might be inappropriate or harmful. A chromeless popup window can overlay the address bar with an address that is different from the actual address of the page, which gives the user a false sense of security. In the same way, it can overlay the status notification area, so it might indicate that Internet Explorer is displaying a secure Web page (which displays a URL beginning with https:// ) Because of this, the user might think that security is in effect for the page when no such security exists. A chromeless popup can use the entire display. With this method, a malicious user can simulate a full-screen Windows desktop with a password dialog box, with a malicious script that captures the user’s private authentication information.
  • Zone Elevation Blocks Detailed description Internet Explorer prevents the overall security context for any link on a page from being higher than the security context of the root URL. This means, for example, that a page in the Internet zone cannot navigate to a page in the Local Intranet zone, except as the result of a user-initiated action. A script, for example, could not cause this navigation. For the purpose of this mitigation, the security context ranking of the zones, from highest security context to lowest, is: Restricted Sites zone, Internet zone, Local Intranet zone, Trusted Sites zone, and Local Machine zone. Zone Elevation Blocks also disables JavaScript navigation if there is no security context. Why is this change important? What threats does it mitigate? Elevation of privilege is one of the most exploited vulnerabilities in Internet Explorer, with the ultimate goal of running malicious code in the Local Machine zone. Zone Elevation Blocks helps mitigate many privilege escalation attacks
  • What does Windows Installer 3.0 do? The Windows Installer service defines and manages a standard format for application setup, installation, and upgrades. It tracks components such as groups of files, registry entries, and shortcuts. Windows Installer is a system-resident installation service that provides consistent deployment, enabling administrators and users to manage shared resources, customize installation processes, make decisions on application usage, and resolve configuration problems. Windows Installer 3.0 is a new version of the service that is included in Service Pack 2 for Windows XP. Detailed description Setup authors can use Windows Installer 3.0 to create patch packages (which have the .msp file name extension) that use Microsoft’s delta compression technology. Delta compression uses binary file differences instead of using the full file, which significantly reduces the patch payload. In previous releases of Windows Installer, the use of delta compression sometimes caused the installer to prompt the user for the application’s original installation media (for example, the application’s original CD), which was often unavailable. Windows Installer 3.0 caches the baseline version of files that are modified by a patch and retrieves the baseline as a target for subsequent delta compression patches. Setup authors should create patches that use baseline product versions. By doing this, users should no longer be required to supply the original installation media to successfully apply patches. Why is this change important? Users are more likely to keep their application patches current if patch packages are small, easy to download, and don’t require the user to perform difficult procedures to install.
  • Windows network

    1. 1. Securing Windows Networks Security Advice From The Front Line Presented by Jithesh Nair – Networking Specialist People Institute of Management Studies Munnad,Kasaragod
    2. 2. Agenda  Revealing Hacker Personas  Top Security Mistakes Everyone Seems To Make  Securing Windows Networks  Staying Secure  Secure Windows Initiative  Security Improvements in XP Service Pack 2
    3. 3. Revealing Hacker Personas
    4. 4. Overview – Revealing Hackers Personas  Automated vs. Targeted Attacks  Revealing Hacker Personas  Lame  Skilled  Sophisticated  Why YOU Were Selected and How You Got 0wn3d
    5. 5. Hacker Personas  Automated Attacks  “Spreaders” or “Scan’n Sploit Tools” or “auto- rooters”  Worms That Drop Bots or Trojans  Targeted Attacks  0-day Exploits  Custom Attacks that Exploit Weakness of Your Internet Presence
    6. 6. Hacker Personas  Lame - ~75% of all intrusions  Motive: Wants your storage and bandwidth  Method: Use of spreaders, bots, well known exploits  Abilities: Limited high level language ability  Payload: Usually FTP servers, backdoors disguised as a ‘clever’ service name  “TCP/IP” service or “System Security” service  “Microsoft ISA Server Common Files” service
    7. 7. Hacker Personas  Skilled - ~24% of all intrusions?  Motive: Wants to explore your network and use your storage and bandwidth, wants to avoid discovery as much as possible.  Method: Customized intrusion based on identified vulnerabilities for multiple operating systems or applications  Abilities: Advanced HLL, some ASM  Payload: FTP servers, keyloggers, backdoors, sniffers, password dumpers
    8. 8. Hacker Personas  Sophisticated - < 1% of all intrusions?  Motive: Wants your money or your secret / confidential data  Method: Can customize intrusion based on any number of identified vulnerabilities for a variety of operating systems and applications, possibly using 0-day exploits  Abilities: Advanced HLL, Advanced ASM  Payload: Rootkits, a single backdoor DLL, extortion letter!
    9. 9. Hacker Personas  Why you were selected and how you got 0wn3d . . .  Odds are great you were 0wn3d by a lamer  You were easily identified as a Windows host through a simple port-scan (no firewall)  You are on a big fat pipe (possibly hosted)  You have weak passwords or missing security patches due to missing or ineffective security policy
    10. 10. Demonstration Windows Rootkit – Hacker Defender
    11. 11. Top Security Mistakes Everyone Seems To Make
    12. 12. Top Security Mistakes  Weak or non-existent password policy  No audit policy  Sporadic security patch policy  Patching the OS, but not the apps  Weak or non-existent firewall policy  No egress filtering  No knowledge of securely building a new box which leads to  Hacked? Rebuild! Hacked Again!?
    13. 13. How To End The Cycle of Violence  Install from slipstreamed source  Don’t have one? Make one!  Patch or enable a host based firewall (or both) and then connect to the network  Don’t use the previous admin password  Including the SQL SA password  Don’t share local admin passwords across OS installations  Leads to exploit once, run everywhere  Patch the applications (SQL, IIS, Exchange etc.)
    14. 14. Securing Windows Networks
    15. 15. Overview – Securing Windows Networks  System Administrator Personas  An example of what not to do  Threats & Countermeasures – Pruning The Low Hanging Fruit
    16. 16. System Admin Personas  Default  Skilled  Sophisticated
    17. 17. System Admin Personas  Default  Puts servers right on the Internet with no firewall  Runs a couple service packs behind (N-2) and doesn’t know how to keep up to date with security patches  No password policy  No audit policy  All default configurations and settings (all defaults, all the time)
    18. 18. System Admin Personas  Skilled  Uses Internet IP’s, but has router ACL’s  Latest OS SP, all OS critical updates, hasn’t patched the applications in a while if at all  6 character passwords with account lockouts  Only audits logon events and monitors for account lockouts by checking event logs periodically  Suspicious of default settings  Performed some OS hardening by hand – didn’t harden the applications though
    19. 19. System Admin Personas  Sophisticated  Uses a firewall with NAT and ingress / egress filtering  Uses an IDS / IPS in the DMZ network  Ensures critical security patches tested and deployed in 24 hours with rollback plan  12 character passwords, not shared anywhere, no account lockout, may use 2-factor authN  Audits everything, archives audit logs daily  Hardened OS using security templates / group policy, hardened applications
    20. 20. What Not To Do . . .  Configure your system with an Internet routable IP address  Run multiple applications / services on one box  Active Directory, IIS, SQL, Exchange, PCAnywhere, 3rd party software  Avoid installing patches  Don’t have a password policy  What are the odds that someone would guess ‘666’ is my admin password?
    21. 21. If you do this, here’s what the hackers see . . .
    22. 22. Threats – Low Hanging Fruit Overview  NULL Session Enumeration  Password / Account Lockout Attacks  Password Hash Attacks  Remote Code Execution Vulnerabilities  Physical Attacks  Unauthorized Network Access  The VPN “firewall bypass” Server
    23. 23. Threat - NULL Session Enumeration  Understanding the ‘NULL’ user  Network connection, usually using NetBIOS TCP139 in which no credentials have been passed.  Network token gets created on the server for the client, ‘Everyone’ SID gets added to the token  Token can now enumerate sensitive information using the Net* API’s the ‘Everyone’ SID has permissions to!  Countermeasures  RestrictAnonymous=2  Block access to TCP 139/445  Stop server service
    24. 24. Threat – Password Attacks / Account Lockout Attacks  Any services that exposes authN protocols are at risk for password guessing attacks  NetBIOS, SMB, RDP, IIS, FTP etc.  Countermeasures  Use strong passwords instead of an account lockout policy (which only protects weak passwords)  Educate administrators and users on how to create strong passwords.  Block access to ports that allow authentication from unauthorized networks (i.e. the Internet) with a firewall or IPSec port filtering policy  Shutdown un-needed services (Server service, FTP service etc.)
    25. 25. Threat – Password Hash Attacks  Online attacks  Dumping password hashes from LSASS while the operating system is running  Pwdump*.exe, L0phtCrack 5  Countermeasure  Require 2-factor authentication  Prevent malicious code from running in context of administrator or SYSTEM  Since this attack requires elevated privileges, any steps taken to counter this can be un-done by the code running with these elevated privileges  Arriving at this point means your security posture has failed elsewhere and you have other security issues to deal with
    26. 26. Threat – Password Hash Attacks  Man In the Middle Attacks  Sniffing shared-secret authentication exchanges based on a users password between client / server (LM, NTLMv2, Kerberos)  Everyone seems to think Kerberos solved the MITM password-cracking attack!  It did not, per the Kerberos v5 RFC:  "Password guessing" attacks are not solved by Kerberos. If a user chooses a poor password, it is possible for an attacker to successfully mount an offline dictionary attack by repeatedly attempting to decrypt, with successive entries from a dictionary, messages obtained which are encrypted under a key derived from the user's password.
    27. 27. Threat – Password Hash Attacks  Man In the Middle Attacks  Tools available for LM/NTLM and Kerberos v5  ScoopLM / BeatLM / Kerbcrack / LC5  Security Friday demonstrated NTLMv2 at Blackhat on a 16-node Beowolf cluster in 2002!  All researchers agree the solution is strong passwords!  Countermeasures  Use 2-factor authentication on Windows 2000 and later networks  Allows the use of the PKINIT Kerberos extension which replaces passwords with public/private keys for initial TGT at logon  Use strong 10 character or greater passwords  Use IPSec ESP to encrypt network all network traffic  Use 802.1x authentication to keep rogue users off your network
    28. 28. Threat – Password Hash Attacks  Assume password hashes will eventually be obtained allowing  Brute-force attacks  Dictionary attacks  Hybrid attacks (use a dictionary word then brute-force a few chars)  Pre-computation attacks (rainbow tables) – the latest craze . . .  L0phtCrack5 utilizes all these methods for cracking hashes  Countermeasures  Don’t worry about your hashes being stolen – make them immune to reversing in any reasonable amount of time!  Use 10 character or stronger complex passwords  Or better yet pass-phrases!  NT based operating systems support 128 character pass-phrases  Change them every 60 days or less.  Minimum time before password can be changed 1 day  Number of previous passwords remembered: at least 24
    29. 29. Subsecond Subsecond Subsecond 1.4 Hours 137 Days 1,878 Years TimetoCrack(Days) RainbowCrack Password Cracking Effort vs Password Length Threat – Password Hash Attacks 6 7 8 9 10 11 Password Length 60DayPasswords Data from Microsoft calculations based on Phillipe Ochslin’s algorithms with a 1 Terabyte RainbowCrack database (research that is the basis for the new attack).
    30. 30. Threat – Password Hash Attacks
    31. 31. Threat - Remote Code Execution  RCE vulnerabilities in exposed network services allow malicious attackers to run code of their choice on a remote system  Stack & Heap overflows  Integer under/overflows  Format string vulnerabilities  Countermeasures  Disable unnecessary services  Block unnecessary ports  Install all critical security updates within 24 hours  Write secure code.   Run critical services using the new built-in low-privileged accounts  Compile C++ code with the VC7 compiler /GS switch  Use behavioral blocking software  Sana Security Products  Use Intrusion Prevention Systems
    32. 32. Threat – Physical Attacks  Assume the worst – physical theft of machine  Countermeasures  SYSKEY in mode 2 or 3  Key stored in your head (mode 2)  Key stored on a floppy (mode 3)  Protects password hashes with 128 bit symmetric encryption  Either mode prevents ‘Nordahl’ boot-disk attack  Also prevents the DS Restore mode style attacks  EFS  Can be used to encrypt sensitive information
    33. 33. Threat – Unauthorized Network Access  Applies to both wired and wireless networks  Unauthorized user connects or associates with network and receives IP address  Starts scanning, enumerating and hacking  Countermeasure  Use 802.1x to authenticate network clients before allowing them to use the network  Port-based authentication (requires supporting hardware infrastructure)
    34. 34. Threat – VPN Servers  VPN servers usually allow users un- filtered access to the corporate intranet  Users contaminate the intranet with malware they’ve collected while surfing the Internet (worms, etc.)  Countermeasure  Employ a network quarantine solution  Quarantines VPN users in a DMZ network while machine is checked for security policy compliance  After machine checks, packets are routed  If machine fails check, connection is dropped
    35. 35. Countermeasures - Summary  The vast majority of security threats can be fully mitigated by doing two things well:  Passwords  Security updates  Security should not be ‘bolted on’  Design security into the solution from the beginning
    36. 36. Microsoft Solutions for Security  Review the new Security Guidance Center  Windows 2000 Security Hardening Guide  Windows 2000 Solution for Securing Windows 2000 Server  Windows Server 2003 Security Guide  Covers environments running Win9x and later!  This is our best solution for securing Windows networks!
    37. 37. Windows Server 2003 Security Guide  Theme  Group Policy can be used to automate the application of security hardening and threat countermeasures through the use of pre- defined security templates applied to GPO’s  Automated – policy applied as machines join the domain / moved into organizational units  The Windows 2000 and Windows Server 2003 Solutions for Security come with pre- configured ready to deploy templates  Obviously you should test them before deploying them in a production environment  They WILL break something
    38. 38. Windows Server 2003 Security Guide  Provides 3 different security levels for the enterprise  Legacy Client (Compatible with Win9x – XP)  Enterprise Client (Compatible with 2000 & XP only)  High Security Client (Compatible with 2000 & XP only)
    39. 39. Demonstration Securing Windows Servers using Group Policy
    40. 40. Staying Secure
    41. 41. Overview – Staying Secure  Awareness  Security Alert Notification Services  Vulnerability Assessment  Responding to Security Events  Patch Warfare – Thursday, Tutorial 6  Incident Response – Thursday, Tutorial 6
    42. 42. Staying Secure  Security Alert Notification Service  Get e-mail alerts of Microsoft security bulletins for all Microsoft products  Plain-text e-mail, PGP signed with the MSRC PGP key 
    43. 43. Staying Secure  Vulnerability Assessment  Microsoft Baseline Security Analyzer 1.2  Local or Remote Vulnerability & Patch scanner  Scans for Windows, IE, IIS, SQL, MSDE, Exchange, Office, Commerce, Biztalk, SNA, and HIS vulnerabilities / patches.  English, German, French or Japanese builds!
    44. 44. Staying Secure  MBSA Pro’s and Con’s  Pro’s  Free  Great product coverage  Agent-less  Con’s  Requires Authentication with remote machine and the Remote Registry and Server Services  Slow when scanning large networks  No easy way to aggregate XML output
    45. 45. Staying Secure  3rd Party vulnerability assessment software  ISS Internet Scanner – System Scanner  Foundstone FoundScan  Much more in-depth than MBSA 1.2
    46. 46. Secure Windows Initiative
    47. 47. Secure Windows Initiative  Microsoft’s New Security Culture  Started with Bill Gates Trustworthy Computing Memo  Lead to SD3+C  Secure By Design, Secure By Default, Secure in Deployment + Communications  Secure Windows Initiative  Windows Server 2003 first product to result from SWI, makes use of many Attack Surface Reductions (ASR’s)
    48. 48. Secure by DefaultSecure by Default ► 60% less attack surface area by default compared to Windows NT 4.0 SP3 ► Services off by default ► Services run at lower privilege ► Code reviews ► IIS re-architecture ► Threat models ► $200M investment Secure by DesignSecure by Design CommunicationsCommunicationsSecure by DesignSecure by Design ► Code reviewsCode reviews ► IIS re-architectureIIS re-architecture ► Threat modelsThreat models ► $200M investment$200M investment Secure in DeploymentSecure in Deployment ► Configuration automation ► Identity management ► Monitoring infrastructure ► Prescriptive guidance ► Community investment ► Architecture webcasts ► Writing Secure Code 2.0 Secure Windows Initiative SD3+C
    49. 49. Secure Windows Initiative  Does SWI work? Let’s have a look . . .  MS03-007, vulnerability exploited through IIS 5.0 + WebDAV  WS2003 / IIS 6 not affected because:  IIS6 not installed by default  If it was installed, WebDAV disabled by default  If it was enabled, IIS6 rejects long URL’s by default  If it didn’t reject long URL’s, BO would occur in low privilege process not a process running as SYSTEM
    50. 50. Secure Windows Initiative  Are there other examples?  MS04-011, fixes 14 Windows vulnerabilities  Of these 14 vulnerabilities the LSASS and PCT vulnerabilities are critical on Windows 2000 and exploits were in the wild days after the patch was released!
    51. 51. Secure Windows Initiative  These vulnerabilities were rated as ‘Low’ on Windows Server 2003 – why?  Attack Surface Reductions (ASR’s) as a result of SWI  PCT is not enabled by default!  LSASS vulnerability not remotely exploitable by default!
    52. 52. Secure Windows Initiative  Want more? Coming soon:  Secure Server Roles for Windows Server 2003  Task based security wizard to further automate hardening WS2003 server roles  Windows XP Service Pack 2  The most secure consumer operating system to date!
    53. 53. Security Improvements in XP Service Pack 2
    54. 54. Security Improvements in XP SP2  Overview  Network Protection Technologies  Memory Protection Technologies  Safer E-Mail  Safer Browsing  Windows Installer 3.0
    55. 55. Network Protection Technologies  Alerter & Messenger – GONE! (Okay, disabled)  Universal Plug & Play also disabled by default  Bluetooth network stack included by default  Disabled unless WHQL Bluetooth device is present
    56. 56. Network Protection Technologies  DCOM – Locked down by default!  Previously, no way for administrators to enforce machine-wide access policy for all DCOM applications  XP has over 150 DCOM servers OOB!  Many DCOM applications have weak “Launch” and “Access” permissions that allow anonymous remote activation / access!  Administrators had no way to centrally manage / override these settings!
    57. 57. Network Protection Technologies DCOM Solution: Machine-wide access check performed before any server-specific access checks are performed.  Starting with XP SP2, only administrators can remotely launch / activate DCOM servers!  Everyone is granted local launch, activation and call permissions
    58. 58. Network Protection Technologies  RPC – Locked down by default (RPC Interface Restriction)  Previously RPC interfaces were wide open for anonymous access  SP2 adds RestrictRemoteClients setting and enables it by default  Requires all remote RPC clients to authenticate  The EPM now requires AuthN  Must set EnableAuthEpResolution to 1 on clients to get the EPM working again.
    59. 59. Network Protection Technologies Windows Firewall (the software formerly known as ICF)  Boot time security  On by default for all interfaces, global configuration (all interfaces can share same configuration)  Local subnet restriction  Command line support (via netsh) for scriptomatic configuration (think logon scripts)  “On with no exceptions”  Exception List  Multiple Profiles  RPC Support  Restore Defaults  Unattended Setup for OEM’s  Multicast / Broadcast support  New and improved Group Policy configuration (via System.adm)
    60. 60. Memory Protection Technologies  Introducing Data Execution Protection (NX)  Buffer overflows usually place ‘shellcode’ on the stack or in the heap and cause execution to jump to this location  NX marks areas of the stack / heap as non- executable preventing this mal-code from running  Usermode apps that attempt to run code will AV  Kernelmode drivers that attempt to run code will bluescreen  Supported on AMD64, IA64 and forthcoming x64 Intel CPU’s for both 32bit and 64bit Windows XP
    61. 61. Memory Protection Technologies  /GS  Stack based buffer overflow protection  Places ‘canary’ value on the stack before / after stack allocations  Value is checked when values are read from the stack to make sure the stack hasn’t been overwritten  If canary value has changed, process crashes vs. allowing code to execute
    62. 62. Safer E-Mail  Outlook Express will read all e-mail as plain- text by default  Blocks HTML e-mail exploits  “Don’t download external HTML content  If you chose to render HTML e-mail, external HTML is not rendered / downloaded  Blocks “web bugs” etc.  AES API (Attachment Execution Service)  Apps no longer have to roll their own attachment handling code (can be shared by IM, e-mail etc)
    63. 63. Safer Browsing  Internet Explorer  Add-On Management / Crash Protection  Binary Behaviors locked down now  Option appears in each zone for configuring  BindToObject mitigation  ActiveX security model now applied to URL binding  Microsoft Java VM can be disabled per zone  Local Machine Zone lockdown  All local files / content processed by IE run in LMZ  No ActiveX objects allowed  Scripts set to Prompt  Binary Behaviors – disallowed  No Java!
    64. 64. Safer Browsing  Internet Explorer  Improved MIME handling  4 different checks performed (file extension, Content- Type/Disposition from header and MIME sniff)  Object caching / Scope  Objects lose scope when browsing to a different domain /FQDN  Sites can no longer access cached objects from other sites  POP UP BLOCKER!!!!!  “Never trust content from Publishername”  One Prompt Per Control Per Page  Endless loop attack
    65. 65. Safer Browsing  Internet Explorer  Authenticode Dialog box supports ellipses  Annoying Active X controls with overly long descriptions can now be viewed  Window Restrictions  Prevents UI spoofing attacks  Script Sizing / Repositioning restrictions  Prevents scripts from moving windows to hide URL bars / status bars etc  Status bar always visible  Scripts can no longer disable it
    66. 66. Safer Browsing  Internet Explorer  Script Pop-up Window Placement, pop-ups now constrained so that they  Do not extend above the top or below the bottom of the parent Internet Explorer Web Object Control (WebOC) window.  Are smaller in height than the parent WebOC window.  Overlap the parent window horizontally.  Stay with the parent window if the parent window moves.  Appear above its parent so other windows (such as a dialog box) cannot be hidden.  Mitigates chromeless window attacks
    67. 67. Safer Browsing  Internet Explorer  Zone Elevation blocks  Internet Explorer prevents the overall security context for any link on a page from being higher than the security context of the root URL  Scripts can not navigate from Internet Zone to Local Machine Zone  AND Local Machine Zone is locked down by default now even if it could happen!  Zone Elevation Attacks are one of the most exploited IE attack vectors
    68. 68. Windows Installer 3.0  SUS 2.0 will utilize MSI 3.0  Improved inventory functions across user and installation contexts  Support for binary delta compression  Makes patches smaller / quicker to download  Patch Sequencing  Authors can provide explicit installation order  Supports WinHTTP (vs. WinInet) for web downloads  No longer interactive  Runs as SYSTEM, Interactive SYSTEM services can be “shattered”
    69. 69. Demonstration (time permitting) Out of Box Experience Automatic Updates Security Center Windows Firewall RPC Hardening Internet Explorer Add-ons Manager
    70. 70. For More Details Contact Me :9961731733For More Details Contact Me :9961731733 So are we there yet?So are we there yet? We’re getting there, stay tuned . . .We’re getting there, stay tuned . . .