W982 05092004
1. W982: Windows 2003/XP/2000 System and Network Security
   Networld+Interop, Las Vegas, Wed May 12, 2003, 8:30am-4:30pm
   James Michael Stewart: CISSP, ISSAP, TICSA, CIW SA, Security+, CTT+, MCT, CCNA, MCSA Windows Server 2003, MCSE+Security Windows 2000, MCDST, MCSE NT & W2K, MCP+I, iNet+
2. UPDATED MATERIALS
   • This course has changed since it was submitted for printing
   • Updated slides, notes, and handouts available from:
   • All new or changed material is highlighted in green.
3. What This Course is NOT about
   • How to break into Windows systems
   • Security issues not related directly to Windows
   • Installing software
   • Troubleshooting non-security issues
   • Details on Intrusion Detection
   • Basics of Windows architecture, administration, or operation
   • Other software from Microsoft or third-party vendors
4. What This Course IS about
   • Why security is important
   • Native security features built into:
     – Windows Server 2003
     – Windows 2000 Server and Professional
     – Windows XP Professional
   • How to lock down or secure a Windows system
   • Vulnerabilities of Windows OSes
   • Windows countermeasures
5. Security Is Important
   • OS or system security does not exist in a vacuum
   • You must address physical security and administrative issues; otherwise no amount of technical or logical security controls will suffice
   • Security must be driven by an organization-wide security policy.
   • "Security is not a goal, it is a process, and Security is not a product, it's a mentality" – McClure/Scambray
   • Security is maintaining data integrity and providing only authorized, controlled access to that data
6. Windows Security is an ART not a SCIENCE
   • Take my recommendations and opinions about Windows security at your own risk.
   • Usually, increasing security adds administrative overhead, while decreasing security reduces administrative workloads. Ultimately, you must choose what level of security you require and manage the related admin tasks.
   • We welcome other opinions on Windows security in the class; we will add useful information to online materials and future classes
7. Windows Security Is
   • Building a perimeter that's harder to cross than your neighbor's
   • Controlled and monitored access
   • An "end to end" solution, involving: clients, applications, servers, boundary devices, and all relationships between these elements
   • Windows 2000/NT/XP out of the box: few secure defaults
   • Windows Server 2003 is much more secure by default
   • Maintaining security is a never-ending process: it requires vigilance, ongoing monitoring, and maintenance.
8. Security: A Multi-Front Endeavor
   • 100% security does not exist
   • Implement security in layers
   • Security must provide protection from intrusions, internal and external attacks, accidents, malicious code, and physical destruction.
   • Security policies guide and direct implementation
   • Three Legs of Security
     – Physical access control
       » If physical security is not maintained, no amount of software security can create a secure environment for your data
     – Human education and management
     – OS and software management
9. Worst Security Mistakes
   • Opening unsolicited email attachments without verifying the source and checking the content first
   • Failing to install security patches
   • Installing unapproved software
   • Neither making nor testing backups
   • Connecting a modem to a phone line while the computer is connected to a LAN
   • Relying primarily on firewalls and boundary safeguards
   • Connecting systems and devices to the LAN or Internet before hardening them
   • Using telnet or other unencrypted protocols to manage systems and network devices
   • Running unnecessary protocols and services
   • Failing to keep yourself up to date with the state of security of your OSes, software, and hardware
10. Windows Server 2003 New and Modified Features
   • Common Language Runtime
   • Internet Connection Firewall
   • Account behavior changes
   • More secure defaults
   • Administration security
   • Developer enhancements
   • Encrypting File System (EFS) enhancements
   • IPSec enhancements
   • Authorization Manager
   • Software Restriction Policies
   • Credential Management
   • PKI features
   • IIS 6.0 enhancements
11. Common Language Runtime
   • The Common Language Runtime (CLR) software engine:
     – improves reliability and helps ensure a safe computing environment
     – reduces the number of bugs and security holes caused by common programming mistakes
     – verifies that applications can run without error and checks for appropriate security permissions, making sure that code only performs appropriate operations
     – checks where the code was downloaded or installed from
     – checks whether the code has a digital signature from a trusted developer
     – checks whether the code has been altered since it was digitally signed
12. Internet Connection Firewall
   • Simple stateful IP filter
   • Allows all outbound
   • Allows selected inbound
13. Account Behavior Changes
   • Limiting local account misuse
   • Network logon prevented with blank passwords
   • Network logons using local accounts authenticate as guest
   • Administrator account can be disabled
   • The built-in Everyone group includes Authenticated Users and Guests, but no longer includes members of the Anonymous Logon group
   • Supported authentication techniques: Kerberos V5, SSL, TLS, NTLM, digest (MD5 hash), Passport, two-factor (such as smart cards)
14. More Secure Defaults
   • IIS/FTP/SMTP not installed by default
   • IIS must be configured before first use
   • Many services/interfaces/extensions are disabled by default
15. Administration Security
   • Command line tools (e.g. netstat -o)
   • Smartcard authentication for common admin tools:
     » Net.exe
     » Runas
     » Terminal Services
16. Developer Enhancements
   • .NET Common Language Runtime
     » Managed code
     » Authentication of code origin
     » Authorization of operations against policy
   • IPSec APIs
   • Application access to EFS metadata
   • Advanced Encryption Standard & new hash support
17. EFS Enhancements
   • Encrypted file sharing in the UI
   • Encrypted files marked with an alternate color
   • Sharing your encrypted files with other users
   • Encrypted client-side cache
     » Used for offline folders; files stored in the encrypted CSC database
   • Support for kernel-mode FIPS-compliant cryptography
     » 3DES algorithm, enabled with Group Policy
     » FIPS – Federal Information Processing Standard
18. EFS Data Recovery Changes
   • Domain model
     » Removed requirement for a Data Recovery Agent
     » Can operate with no data recovery policy or a separate key recovery policy
     » Domain Administrator is DRA by default when the domain is created
19. EFS over WebDAV
   • Enables encrypted storage on Internet servers (end-to-end encryption)
   • WebDAV is a file sharing protocol over HTTP
     » Alternative to SMB; Internet standard RFC 2518
     » Supported by numerous independent software vendors
   • IIS 5.0 and IIS 6.0 support WebDAV as web folders
20. IPSec Enhancements
   • Windows 2000/XP/Server 2003 compatibility
   • Stronger security
   • Diagnostics and supportability
   • UI improvements and IPSec Monitor snap-in
   • Command line management: NETSH
   • Computer startup security – IPSec driver startup modes
   • Persistent policy for enhanced security
   • Removed default traffic exemptions
   • NAT traversal
   • Improved IPSec integration with Network Load Balancing
   • IPSec support for Resultant Set of Policy (RSoP)
21. Authorization Manager
   • Flexible framework
   • Role-based access control
   • Role-based administration
   • Support for forest trusts – two-way transitive trusts between every domain in both forests
22. Software Restriction Policies
   • Group Policy can restrict software installation and execution
   • Can restrict by:
     » Hash rule
     » Path rule
     » Certificate rule
     » Zone rule
23. Credential Manager
   • Provides a secure storage mechanism for user credentials, such as passwords and X.509 certificates
   • Provides consistent single sign-on
   • Supported for local and roaming users
   • Simplifies and secures the methods by which server- and client-based applications obtain user credentials
24. PKI Features
   • Qualified subordination
     – A.K.A. cross certification
     – More X.509 options implemented on server and client
     – Define the namespace for which a subordinate CA will issue certificates
     – Specify the acceptable uses of certificates issued by a qualified subordinate CA
     – Create trust between separate certification hierarchies
   • Editable certificate templates
   • Key archive & recovery
     – Can configure a CA to archive the keys associated with the certificates it issues
   • Auto-enrollment & renewal
   • Delta CRLs
25. IIS 6.0 Enhancements
   • Lessons implemented
   • Reduced attack surface
   • Code security
   • Secure defaults
   • Improved ASP security
   • Lower privilege accounts
   • Improved patch management
   • Security features for the platform
   • Application isolation
   • FTP user isolation
   • Passport authentication
   • URL authorization
26. Some Specific Windows 2003 Security Benefits
   • More than 20 services that were enabled by default in W2K are now disabled or operate at lower privileges
   • IIS 6.0 and Telnet server are not installed by default, and both run under a new service account with lower privileges
   • IE has numerous limitations on its functionality
   • The Security Configuration Wizard, which works on top of Configure Your Server, defaults to the highest security lockdown for added services and features
   • Remote users will be unable to log in using blank passwords
   • Role-based authentication via applications
   • The system root drive is accessible only to Administrative group users; the Everyone group is fully restricted
   • Stronger VPN policies and filters
27. Windows 2000 to Windows 2003
   • All known problems with Windows 2000 up through approximately MS03-022 are corrected or not present in Windows 2003
   • New problems since MS03-023 may be found in Windows 2000, Windows XP, and Windows 2003
     – Check Windows Update and Microsoft Security Bulletins frequently to stay current with new developments
28. Windows 2000 Security Features
   • Improved security model over Windows NT:
     – stronger authentication, protocols, & services
   • Directory Service account management
     – domain trees
     – Organizational Units (OUs) – directory containers
   • Kerberos Authentication Protocol V5
   • Public Key Infrastructure (PKI)
   • X.509 Version 3 Certificate Services
   • CryptoAPI Version 2
   • Encrypting File System (EFS) built into NTFS
   • Secure channel security protocols (SSL 3.0/PCT)
   • Smart card support
   • Private Communications Technology (PCT) 1.0
   • Distributed Password Authentication (DPA)
   • Transport Layer Security Protocol (TLS)
   • Internet Security Framework: IPSec, L2TP
   • Transitive trusts
29. Windows XP Security Features
   • Most of the security benefits of Windows 2000 are found in Windows XP
   • Additional security features include:
     – Internet Connection Firewall
     – Internet Connection Sharing
     – Blank password restriction (access to local system only)
     – Encryption of Offline Files
     – Credential Management – storage of logon credentials
     – Fast user switching (non-domain only)
30. Windows XP IPL Vulnerability
   • All passwords rendered useless on Windows XP:
     – Boot a Windows XP system with a Windows 2000 CD
     – Start the Windows 2000 Recovery Console
     – User is then able to operate as the administrator of the system without a password
     – User can connect as any user account on the system without a password
     – User can copy files to floppies or other removable media from any local hard drive – a capability normally restricted within the Recovery Console when used legitimately
     – Only countermeasure: physical security
31. Coverage of Windows Clients
   • Windows XP Professional can be configured as the most secure client available from Microsoft
   • Windows 2000 Professional can be configured to be almost as secure as Windows XP Professional
   • Both have different, usually insecure, defaults when employed as stand-alone systems
   • This courseware assumes Windows XP Professional and Windows 2000 Professional are being used as Active Directory domain clients. They therefore take on the security configurations defined by Windows 2000 Server or Windows Server 2003 GPOs assigned to their AD containers.
32. Coverage of Windows Servers
   • All Windows 2000 Server and Windows Server 2003 settings are discussed from the perspective of these systems being used as domain controllers.
   • Domain controllers either inherit the security configuration of the Domain Controllers or domain GPO, or are assigned their own unique configuration by network administrators.
33. Overview of Native Security Components of Windows 2003/XP/2000
   • Logon control
   • User accounts
   • Groups
   • Accounts policy – passwords and lockout
   • System policies
   • NTFS and share permissions
   • User rights
   • Auditing
34. Login & Access Security
   • NetLogon service
     – restricted memory area
     – CTRL-ALT-DEL – cannot be spoofed – forces physical logon
     – communicates with the security database to validate users
     – Requires:
       » user account name
       » password
       » domain name
   • Remote control software bypasses this via an API and an installed service (logon required to install the service)
35. Automated Logon
   • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
     – DefaultDomainName (Value: REG_SZ)
     – DefaultUserName (Value: REG_SZ)
     – DefaultPassword (Value: REG_SZ)
     – AutoAdminLogon (Value: REG_SZ) = 1
   • Authentication still occurs, but without user input
   • To terminate auto-logon:
     – set AutoAdminLogon=0
     – delete DefaultPassword
   • Hold SHIFT to log on with an alternate user account
   • Used on kiosks & other access points where access level or physical security is no issue
   • Functions on NT, 2000, XP, 2003
36. Cached Credentials (1/2)
   • By default, when you attempt to log on to a domain from a Windows 2003/XP/2000-based workstation or member server and a domain controller (DC) cannot be located, no error message is displayed.
   • Instead, you log on to the local computer using cached credentials.
   • By default, Windows 2003/XP/2000 caches the last 10 logons
   • Set through Group Policy (Security Options) or the Registry (CachedLogonsCount). If set to 0, no logons are cached, and if a DC is not available logon is denied.
37. Cached Credentials (2/2)
   • When logged on with cached credentials, the user account has no access to updated group policies, roaming profiles, home folders, or logon scripts.
   • Use the "set" command at a Command Prompt
     – The LOGONSERVER entry names the system that authenticated you.
     – If it is the local system: cached credentials; if a DC: domain validation.
   • Appears in Event Viewer's System log – event ID 5719
   • Add ReportControllerMissing and ReportDC values to the Registry to force a user warning message.
   • Unlocking a workstation or a DC uses cached credentials by default. If you don't disable credential caching, set ForceUnlockLogon to 1 to require actual AD authentication to unlock systems.
38. User Accounts & Groups
   • Users and groups are key to Windows security
   • User accounts:
     – Unique identifiers for each person
     – Security IDs
   • Groups:
     – Used to control resource access
     – Machine local, Domain local, Global, Universal (native mode)
     – Multiple group memberships
     – Combined permissions
   • Users > Domain Groups > Local Groups > Resources
     – Users are added to groups
     – Groups are assigned permissions for resources
     – Nesting of groups supported
   • Delete vs. disable old user accounts
39. System Controlled Groups
   • Pre-Windows 2000 Compatible Access
   • Anonymous Logon
   • Authenticated Users
   • Batch
   • Creator Group
   • Creator Owner
   • Dialup
   • Enterprise Domain Controllers
   • Everyone
   • Interactive
   • Network
   • Proxy
   • Restricted
   • Self
   • Service
   • System
   • Terminal Server User
   • Membership is dynamic and managed by the OS itself
   • The Everyone group is still required on the boot partition and still includes anonymous and null sessions
   Windows Server 2003 specific:
   • Digest Authentication
   • Local Service
   • NTLM Authentication
   • Other Organization
   • Remote Interactive Logon
   • SChannel Authentication
   • This Organization
40. Group Policy
   • GPOs can be assigned to domains, sites, or OUs.
     – Applied in order: LSDOU (local, site, domain, OU)
   • Combines policies for:
     – general security controls
     – audit
     – user rights
     – passwords
     – account lockout
     – Kerberos
     – public key policies
     – IPSec policies
   • Windows 2000 out of the box: if a user is a member of 70 to 80 groups, group policy may not be applied. Caused by Kerberos's token size limitation; the correction (SP2, KB 263693) changes MaxTokenSize from 12000 to 100000
41. Group Policy SMB Vulnerability
   • SMB signing flaw may allow group policies to be modified by unauthorized users
   • Affects: Windows 2000 and Windows XP
   • The flaw allows attackers to downgrade the settings for SMB signing so packets are not signed even though systems are configured to use SMB signing. This attack occurs during the negotiation process between client and server. Once exploited, attackers could modify packets sent between two systems and the changes would not be detected.
   • Patch not included in Windows XP SP1
   • MS02-070: KB 329710
42. Password Policy
   • Set password restrictions
     – Min & max password age (0-999)
       » W2000 – Max 42 days; Min 0 days
       » W2003 – Max 42 days; Min 1 day
     – Min password length (0-14)
       » W2000 – 0
       » W2003 – 7
     – History (1-24 entries)
       » W2000 – 1
       » W2003 – 24
     – Passwords must meet complexity requirements
       » W2000 – disabled
       » W2003 – enabled
     – Store passwords using reversible encryption for all users in the domain
       » W2000 & W2003 – disabled
43. Password Complexity
   • Forces a minimum of 6 characters
   • Incorporates at least 3 character types:
     – Uppercase: A through Z
     – Lowercase: a through z
     – Numerals: 0 through 9
     – Non-alphanumeric: !, @, #, $, [, \, …
   • No part of the user account name or real name
   • Not foolproof: "April1999" is a valid password under these restrictions, but easily guessed.
   • When enabled, existing passwords are grandfathered; new or changed passwords must meet the restrictions
   • Custom password filters – see the W2000 and W2003 SDK
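As an added example (not part of the course materials and not Microsoft's password filter), the following Python implements the complexity rule from slide 43 so it can be exercised against candidate passwords: minimum length, three of four character classes, and no part of the account name or real name. How "part of the real name" is tokenized is this example's assumption, and the account names and passwords are constructed. Running it shows the slide's caveat directly: "April1999" passes every rule.

```python
"""Password complexity check modelled on the Windows "Passwords must meet
complexity requirements" rule described on slide 43.
Added example: not the course's material and not Microsoft's passfilt code."""
import re

# Delimiters used to split the real name into tokens (this example's assumption
# about how "no part of the real name" is evaluated); tokens shorter than
# MIN_NAME_TOKEN characters are ignored so initials do not reject every password.
NAME_DELIMITERS = re.compile(r"[ ,.\-_#\t]+")
MIN_NAME_TOKEN = 3


def character_classes(password: str) -> set:
    """Return which of the four classes (upper, lower, digit, symbol) occur."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_complexity(password: str, account_name: str, full_name: str = "", min_length: int = 6) -> list:
    """Return the list of reasons the password fails; an empty list means it passes.

    min_length lets a stricter "Minimum password length" policy (for example the
    Windows Server 2003 default of 7) override the complexity filter's own 6.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"too short: {len(password)} < {min_length}")
    if len(character_classes(password)) < 3:
        reasons.append("too few character classes: need 3 of upper/lower/digit/symbol")
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        reasons.append("contains account name")
    for token in NAME_DELIMITERS.split(full_name):
        if len(token) >= MIN_NAME_TOKEN and token.lower() in lowered:
            reasons.append(f"contains part of real name: {token}")
    return reasons


def meets_complexity(password: str, account_name: str, full_name: str = "", min_length: int = 6) -> bool:
    return not check_complexity(password, account_name, full_name, min_length)


if __name__ == "__main__":
    # Constructed account: "April1999" satisfies every rule yet is trivially
    # guessable, which is the slide's point: the filter is a floor, not strength.
    for pw in ("April1999", "password", "Stewart2003!", "Ab1"):
        print(pw, check_complexity(pw, "jstewart", "James Michael Stewart") or "OK")
```

Pair the filter with the slide 42 policy values (length 7, history 24) rather than relying on it alone; a dictionary-based check, such as the cracking tools listed on slide 45, is what catches "April1999".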
44. Failing Requirements When Changing Passwords
   • "Your new password does not meet the minimum length or password history requirements of the domain. Also, your site may require passwords that must be a combination of upper case, lower case, numbers, and non-alphanumeric characters."
   • "Your password must be at least <#> characters long. Your new password cannot be the same as any of your previous <#> passwords. Also, your site may require passwords that must be a combination of upper case, lower case, numbers, and non-alphanumeric characters."
45. Designing Secure Passwords
   • Implement company/organization security policy
   • Use cracking tools to test your password strength
     – LC4, PassFilt Pro, John the Ripper, Quakenbush's Password Appraiser
   • Allow no part of the e-mail address in the password
   • Change every 30-45 days
   • Maintain a history of previous passwords to prevent reuse
   • Always assign passwords to all accounts
   • Avoid common words – dictionary, slang, industry acronyms, etc.
   • Use ALT characters – ALT-130 for é, ALT-157 for ¥, etc.
     – Avoid use on administrator accounts
   • Never write passwords down
46. Password Crackers
   • Require access to the SAM – direct or copy
   • Password auditing:
     – @stake's LC4
     – Quakenbush's Password Appraiser
   • Most perform reverse hash extraction
   • Protect your SAM!
   • LC4 can sniff SMB exchanges on networks to pull passwords – use switched networks to force end-to-end communications
   • Several tools are available that boot from a floppy and can change the password on any account:
     – Peter Nordahl's Offline NT Password & Registry Editor tool
     – Sysinternals' Locksmith
47. Audit Password Registry Keys
   • Enable auditing through Group Policy's Audit Policy
   • Start the Scheduler service; set it to start at system startup
   • AT <time> /interactive "regedt32.exe"
   • The Registry editor is launched with System-level access – SAM and SECURITY hives (Note: System is NT's closest equivalent to UNIX's superuser or root access)
   • Set SAM hive auditing parameters
     – at <time> /interactive "regedt32.exe"
     – HKEY_LOCAL_MACHINE\SAM
     – Set Security | Auditing per event & user/group
48. Accounts Policy
   • Set lockout parameters
     – Lockout duration (0-99999 minutes)
     – Failed logon attempts
     – Counter reset after time limit
   • Not enabled by default on W2K or W2K3
   • "Account is locked out" checkbox on the user account properties dialog box
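The three lockout parameters on slide 48 interact in ways that are easy to misread (the counter reset window is measured from the last failure, and a duration of 0 means locked until an administrator clears the checkbox). The following Python is an added example, not part of the course material and not Windows code, that models that state machine so a policy can be walked through with constructed timestamps; a threshold of 0 (never lock) is honoured as well.

```python
"""Model of the Windows account lockout policy from slide 48: threshold,
counter reset window, and lockout duration. Added example; not Windows code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int          # "Account lockout threshold": failures before lockout; 0 = never lock
    reset_after: timedelta  # "Reset account lockout counter after"
    duration: timedelta     # "Account lockout duration"; zero = locked until an admin unlocks


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked_at: Optional[datetime] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def is_locked(self, account: str, now: datetime) -> bool:
        st = self._state(account)
        if st.locked_at is None:
            return False
        if self.policy.duration == timedelta(0):
            return True                           # stays locked until unlock()
        if now - st.locked_at >= self.policy.duration:
            st.locked_at, st.failures = None, 0   # lockout expired on its own
            return False
        return True

    def record_failure(self, account: str, now: datetime) -> bool:
        """Register a bad-password attempt; return True if the account is (now) locked."""
        st = self._state(account)
        if self.is_locked(account, now):
            return True
        if st.last_failure is not None and now - st.last_failure >= self.policy.reset_after:
            st.failures = 0                       # idle longer than the reset window
        st.failures += 1
        st.last_failure = now
        if self.policy.threshold and st.failures >= self.policy.threshold:
            st.locked_at = now
            return True
        return False

    def record_success(self, account: str, now: datetime) -> bool:
        """Correct password presented; return True if the logon is allowed."""
        if self.is_locked(account, now):
            return False                          # right password, still locked out
        st = self._state(account)
        st.failures, st.last_failure = 0, None
        return True

    def unlock(self, account: str) -> None:
        """Administrator clears the "Account is locked out" checkbox."""
        self._accounts[account] = AccountState()


if __name__ == "__main__":
    # Constructed walk-through: 5 failures / 30 min reset / 30 min duration.
    tracker = LockoutTracker(LockoutPolicy(5, timedelta(minutes=30), timedelta(minutes=30)))
    t0 = datetime(2003, 5, 12, 8, 30)
    for minute in range(5):
        print(minute, "locked" if tracker.record_failure("bob", t0 + timedelta(minutes=minute)) else "open")
    print("correct password at +10 min allowed:", tracker.record_success("bob", t0 + timedelta(minutes=10)))
    print("still locked at +34 min:", tracker.is_locked("bob", t0 + timedelta(minutes=34)))
```

The modelled behaviour shows why slide 54's audit scheme matters: a slow guessing attempt that stays under the threshold and waits out the reset window never trips the lockout, so it is only visible in the failed-logon audit trail.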
49. User Account Security Controls
   • Logon hours
   • Log On To – restricted to workstations
   • Account info: expiration – never or by date
   • Account Options (next slide)
   • Dial-in:
     – Remote Access Permission (dial-in or VPN) – allow, deny, or controlled by Remote Access Policy
     – Verify caller ID (requires supported hardware)
     – Call back: pre-defined or user-supplied
   • Terminal Services sessions:
     – End disconnected sessions timeout
     – Time limit for active sessions
     – Time limit for idle sessions
     – Enable remote control/observation
     – Require user's permission to control/observe
50. Account Options
   • User must change password at next logon
   • User cannot change password
   • Password never expires
   • Store password using reversible encryption
   • Account is disabled
   • Smart card is required for interactive logon
   • Account is trusted for delegation
   • Account is sensitive and cannot be delegated
   • Use DES encryption types for this account
   • Do not require Kerberos pre-authentication
   Direct user account settings override group policy settings!!
51. Audit Policy
   • All Windows objects can be audited
   • Two controls: policy and object
   • Policies:
     – Account logon events
     – Account management
     – Directory service access
     – Logon events
     – Object access
     – Policy change
     – Privilege use
     – Process tracking
     – System events
   • Object-level controls are accessed through Advanced Security Properties
   • Audit policy must be enabled in order for audited events to be recorded in the Security log
52. Sample Audit Detail
53. Auditing for Security
   • Suspect events:
     – failed logon attempts
     – repeated denied access to a resource
     – system reboots
   • DumpEVT – exports event logs to text files for use in scripts and databases
   • As the amount of data gathered by auditing increases, so does the need to employ an IDS or a data mining tool to deal with the data load
54. Example Audit Schemes
   • Random password attacks
     – account logon events, logon events: Failure
   • Stolen passwords (must filter for abnormal activity)
     – account logon events, logon events: Success
   • Misuse of admin privileges
     – privilege use: Success; account management: Success; policy change: Success; system events: Success
   • Virus infection (track W for all .exe, .bat, and .dll)
     – process tracking: Success, Failure; directory service access, object access: Success, Failure
   • Access to sensitive files (track R,W for suspect users/groups)
     – directory service access, object access: Success, Failure
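Slide 53 notes that audit data quickly outgrows manual review, and slide 54 says what to collect for a random password attack (logon failures) and a stolen password (successes, filtered for abnormal activity). The following Python is an added example, not from the course and not a Windows tool, that runs two such detections over constructed log records: a burst of failures for one account inside a time window, and a success that immediately follows such a burst. The event IDs are the Windows 2000/2003 Security log numbers (529 logon failure, 528 successful logon); the comma-separated line layout is this example's own, not an Event Viewer or DumpEVT export format.

```python
"""Detection logic for two of the audit schemes on slide 54, run over
constructed sample records. Added example; not course material."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed records: timestamp, event ID, account, workstation.
SAMPLE_LOG = """\
2003-05-12 08:30:05,528,alice,WS02
2003-05-12 08:31:10,529,bob,WS07
2003-05-12 08:31:40,529,bob,WS07
2003-05-12 08:32:01,528,bob,WS07
2003-05-12 08:33:00,529,jdoe,WS17
2003-05-12 08:33:20,529,jdoe,WS17
2003-05-12 08:33:41,529,jdoe,WS17
2003-05-12 08:34:02,529,jdoe,WS17
2003-05-12 08:34:25,529,jdoe,WS17
2003-05-12 08:34:50,529,jdoe,WS17
2003-05-12 08:35:30,528,jdoe,WS17
"""

LOGON_FAILURE = 529   # Windows 2000/2003: unknown user name or bad password
LOGON_SUCCESS = 528   # Windows 2000/2003: successful logon


@dataclass
class Event:
    when: datetime
    event_id: int
    account: str
    workstation: str


def parse_log(text: str) -> List[Event]:
    """Parse the example's comma-separated records into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, eid, account, ws = line.split(",")
        events.append(Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), int(eid), account, ws))
    return sorted(events, key=lambda e: e.when)


def find_password_attacks(events: List[Event], threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Accounts with >= threshold failures inside any sliding window; value = peak count."""
    failures = defaultdict(list)
    for e in events:
        if e.event_id == LOGON_FAILURE:
            failures[e.account].append(e.when)
    flagged = {}
    for account, times in failures.items():
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[account] = peak
    return flagged


def find_success_after_failures(events: List[Event], threshold: int = 5,
                                window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Accounts whose successful logon was preceded by >= threshold failures in the window."""
    flagged = []
    recent = defaultdict(list)
    for e in events:
        if e.event_id == LOGON_FAILURE:
            recent[e.account].append(e.when)
        elif e.event_id == LOGON_SUCCESS:
            prior = [t for t in recent[e.account] if e.when - t <= window]
            if len(prior) >= threshold and e.account not in flagged:
                flagged.append(e.account)
            recent[e.account] = []   # a success closes the failure run
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password guessing:", find_password_attacks(evs))
    print("success after failure burst:", find_success_after_failures(evs))
```

Both functions need "Audit logon events" and "Audit account logon events" enabled for Failure and Success, as slide 54 lists; with only Failure auditing, the second detection has nothing to match.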
55. Working with User Rights
   • Review defaults of User Rights (see handout "User Rights")
   • To increase security settings, make the following changes:
     – Allow log on locally: assigned only to Administrators on servers
     – Shut down the system: assigned only to Administrators, Power Users
     – Access this computer from the network: assigned to Users; revoke for Administrators and Everyone
     – Restore files and directories: revoke for Backup Operators
     – Bypass traverse checking: assigned to Authenticated Users; revoke for Everyone
56. Ownership
   • Ownership grants a user Full Control over an object
   • Ownership can be taken by users with:
     – the Take Ownership of Files or Other Objects user right
     – NTFS object-level Ownership permissions
   • Administrators and Domain Admins have this user right by default.
   • Ownership can be assigned using subinacl (Resource Kit tool):
     – subinacl /subdirectories c:\winnt\profiles\*.* /setowner=administrator
   • Ownership can be used to bypass any Deny setting.
57. NTFS Security
   • Defined by object: files, directories, printers
   • Set by group or user for Allow or Deny
   • Standard file settings:
     – Full Control (RXWDPO); Modify (RXWD); Read & Execute (RX); List Folder Contents (dir only) (R); Read (R); Write (W)
   • Always check defaults on new objects with regard to the Everyone group
   • Container rule – move vs. copy
   • Inheritance is configurable; inheritance of permissions and of auditing is distinct
58. Share Permissions
   • Permissions:
     – Full Control
     – Change
     – Read
   • All permissions based on Allow or Deny
   • W2K – new share: Full Control to Everyone
   • W2K3 – new share: Read only to Everyone
   • On the object's Sharing tab:
     – Able to set maximum simultaneous users
     – Caching
       » Allow/prevent caching
       » Manual – Offline Files
       » Automatic
59. Managing Permissions
   • NTFS – all user-specific and group-membership permissions on the same resource are cumulative.
   • Share – all user-specific and group-membership permissions on the same share are cumulative.
   • Combining NTFS and share permissions
     – Cumulative NTFS is compared to cumulative Share – the most restrictive applies
     – Think of it as an ANDing function
   • Deny always results in deny. Watch for conflicts caused by multi-group memberships.
   • Grant permissions on an "as needed" basis – need to know or least privilege
   • SystemTools' DumpSec – dumps permissions (ACLs) for file system, registry, shares and printers into a readable listbox format
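The combination rules on slides 57 to 59 (cumulative NTFS, cumulative share, AND the two, Deny wins) are where multi-group conflicts bite. The following Python is an added example, not part of the course and not Windows code, that computes a user's effective rights from constructed NTFS and share ACLs using the slide's letters (R, X, W, D, P, O). Mapping share Read to R and X, and treating every user as a member of Everyone, are this example's assumptions; ACE ordering and inheritance are deliberately left out.

```python
"""Effective-permission calculation following slides 57-59: NTFS entries are
cumulative, share entries are cumulative, the two are ANDed, and a Deny
anywhere removes the right. Added example; not the course's or Microsoft's code."""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Individual rights using the slide's letters: R read, X execute, W write,
# D delete, P change permissions, O take ownership.
NTFS_STANDARD: Dict[str, FrozenSet[str]] = {
    "Full Control": frozenset("RXWDPO"),
    "Modify": frozenset("RXWD"),
    "Read & Execute": frozenset("RX"),
    "List Folder Contents": frozenset("R"),
    "Read": frozenset("R"),
    "Write": frozenset("W"),
}
# Share permissions on the same letters (assumption: share Read also lets programs run).
SHARE_STANDARD: Dict[str, FrozenSet[str]] = {
    "Full Control": frozenset("RXWDPO"),
    "Change": frozenset("RXWD"),
    "Read": frozenset("RX"),
}

# An ACE is (principal, "Allow" or "Deny", standard permission name).
Ace = Tuple[str, str, str]


def cumulative(acl: List[Ace], table: Dict[str, FrozenSet[str]], principals: Set[str]) -> Set[str]:
    """Union every Allow that applies to the principals, then strip every Deny."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, kind, perm in acl:
        if principal not in principals:
            continue
        target = allowed if kind == "Allow" else denied
        target |= table[perm]
    return allowed - denied          # Deny always results in deny


def effective_rights(user: str, groups: Set[str], ntfs_acl: List[Ace],
                     share_acl: Optional[List[Ace]] = None) -> Set[str]:
    """Rights the user ends up with; share_acl=None models local (console) access."""
    principals = {user, "Everyone", *groups}   # assumption: everyone is in Everyone
    ntfs = cumulative(ntfs_acl, NTFS_STANDARD, principals)
    if share_acl is None:
        return ntfs
    return ntfs & cumulative(share_acl, SHARE_STANDARD, principals)


# Constructed ACLs for a folder D:\Reports shared as "Reports".
NTFS_ACL: List[Ace] = [
    ("Users", "Allow", "Modify"),
    ("Administrators", "Allow", "Full Control"),
    ("Temps", "Deny", "Write"),
]
SHARE_ACL: List[Ace] = [
    ("Everyone", "Allow", "Read"),
    ("Managers", "Allow", "Change"),
]

if __name__ == "__main__":
    for user, groups in (("alice", {"Users", "Managers"}), ("bob", {"Users"}),
                         ("carol", {"Users", "Temps", "Managers"}), ("dave", {"Administrators"})):
        over_share = "".join(sorted(effective_rights(user, groups, NTFS_ACL, SHARE_ACL)))
        local = "".join(sorted(effective_rights(user, groups, NTFS_ACL)))
        print(f"{user:6} share={over_share:6} local={local}")
```

The "dave" case is the one to notice: an administrator with NTFS Full Control still gets only Read over the share because the W2K3 default share permission (slide 58) is Read for Everyone, and the AND rule keeps the more restrictive set.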
  60. 60. 60 Disk Quotas • Disk quotas • Configurable per volume • Configurable per user • Prevent file writing when limitation exceeded • Space limitation and warning level in KB, MB, GB, TB, or PB • Enable log events for quota limit reach or warning level reach • Quota limits based on uncompressed file size • More control and granularity through third-party quota solutions, such as Quota Advisor and Storage Central from
  61. 61. 61 Process Security • Inherits parent’s Access Token • Use Task Scheduler to launch tasks with any user account credentials • Services can be launched with System or any user account credentials • Once launched, access level of process cannot change • Use RunAs to execute under another user security contents – requires username and password. Use as command line or hold-shift then right-click over .exe for pop-up menu
  62. 62. 62 Windows Kerberos Policy • Trusted third-party Authentication protocol developed at MIT as part of Project Athena • Kerberos V5 – Faster connections – Mutual Authentication – Delegated Authentication – Simplified Trust Management – Interoperability • Defined at domain level controls Kerberos settings • Implemented by domain’s Key Distribution Center (KDC) • Stored as part of domain security policy (may only be set by Domain Admins) • Windows attempts to use Kerberos first to authenticate user logons. If Kerberos fails, NTLM is attempted (if enabled) • NTLM appears primarily for backward compatibility with non- Kerberos supporting Windows clients
  63. 63. 63 Kerberos Ticket-Granting Ticket 1111 Service Ticket Windows 2000–based Computer Windows 2000–based Computer 2222 4444 3333 TGT Initial Logon KDCKDC KDCKDC 1111 2222TGT Service Request ST ST Session Established 3333 TGT Cached Locally Windows 2000–based Computer Windows 2000–based Computer Target ServerTarget Server
  64. 64. 64 Group Policy Settings: Kerberos • Enforce User Logon Restrictions • Maximum Lifetime That a User Ticket Can Be Renewed • Maximum Service Ticket Lifetime • Maximum Tolerance for Synchronization of Computer Clocks • Maximum User Ticket Lifetime
  65. 65. 65 Disable LM Authentication • W2K supports: – Kerberos – Windows NT challenge/response v.2 (NTLM 2) » Includes LM, NTLM 1, NTLM 2 » LM enabled by default – Security Option: LAN Manager authentication • W2K3 supports: – Kerberos – Windows NT challenge/response v.2 (NTLM 2) » Includes LM, NTLM 1, NTLM 2 » LM disabled by default – Security Option: LAN Manager authentication, set to Send NTLM Response Only • Windows 95, WfW, Macs, and OS/2 clients only support LM not NTLM • Windows 98, SE, Me can be upgraded to support NTLM v2 with the Directory Services Client add-on – Add NTLM 2 to W95/98: Q239869
  66. 66. 66 Directory Services Client • Active Directory Client Extensions for Windows 95, Windows 98, and Windows NT Workstation 4.0 • Adds to client: AD site awareness, W2K domain logon, Active Directory Service Interfaces, DFS client, WAB, and NTLM v2. • Does not add: Kerberos, Group policy or Intellimirror support, IPSec, L2TP, SPN, nor mutual authentication • Windows 9x Active Directory client extension is distributed on the Windows 2000 CD • Active Directory client extension for Microsoft Windows NT 4.0 (with SP6a; Microsoft Internet Explorer 4.01 or higher) on MS Web site • No version of Directory Services Client for Windows Me (Millennium)
  67. 67. 67 Public Key Infrastructure – 1/2 • PKI adds authentication & encryption services to Windows • How PKI Works – PKI based on certificates managed by CA that verifies identity – Public keys issued for widespread distribution; private key stays with user – Anyone can use the public key to encrypt; only the holder of the private key can decrypt – When a public key appears first, followed by a private key, this supports key exchange – When a private key appears first, followed by a public key, this is a digital signature – PKI thus provides both identification and authentication • Numerous applications use Digital Certificates to provide security: – E-mail, Web, digital file signing, Smart Cards, IPSec, EFS recovery agent
  68. 68. 68 Public Key Infrastructure – 2/2 • PKI Components – Certificate Services – CryptoAPI & CSPs provide crypto operations & private key management – Certificate stores to store & manage certificates • Certificate Services – Process certificate requests – Verify access qualifications for requesters – Create & issue certificates for qualified requesters – Generate private keys and deliver to requester’s protected store – Manage private key cryptography services – Distribute & publish certificates for public access – Manage certificate revocations – Store certificate transactions for auditing • Works through Certification Authority Console
  69. 69. 69 EFS Issues 1/3 • EFS (Encryption File System) is built into Windows 2000, Windows XP, and Windows 2003 NTFS • Encrypting boot and system files will cause problems if the system can even boot • Issues when autoexec.bat is encrypted: – Users are unable to log on locally – Remote resource access fails – Resolution: » Decrypt » Use Recovery Console to log on as Admin, delete file, then recreate » Alter Registry to bypass autoexec.bat fie, delete, then recreate. • EFS protects files on NTFS partitions, not when in transport over the network or when resident in system memory (i.e. in use by an application)
  70. 70. 70 EFS Issues 2/3 • EFS works using a public key to encrypt files and a private key to decrypt files. If the private key is lost, the files cannot be decrypted • A user can be designated as EFS recovery agents who can recover data after the private key of another user is lost • Through secpol.msc a private key can be exported to removable media and deleted from the local system • EFS cannot be used to encrypt system files, use alternatives: PC Guardian's Encryption Plus for Hard Disks (EPHD)
  71. 71. 71 EFS Issues 3/3 • EFS on Windows 2000 uses DESX for encryption. It can only decrypt using DESX. • EFS Windows XP pre-SP1 use 3DES for encryption. It can decrypt using DESX or 3DES. • EFS on Windows XP SP1 and Windows 2003 uses AES for encryption, by default. It can decrypt using DESX, 3DES, or AES. • EFS Files Appear Corrupted When You Open Them – KB:329741 – Instructions on setting XP SP1 and 2003 to use 3DES or DESX – Do not change this setting if there are existing encrypted files • Attempting to open AES encrypted files on Windows 2000 or Windows XP pre-SP1 systems will corrupt the files resulting in data loss!
72. IPSec
• IP Security (aka IPSec)
• IETF standard security protocol (RFC 2411 provides a roadmap to all related RFCs)
• Provides authentication and encryption
• AH (Authentication Header) – integrity and authentication
• ESP (Encapsulating Security Payload) – integrity, authentication, confidentiality (encryption)
• Operates at layer 3 as a plug-in between transport (UDP or TCP) and network (IP and others) protocols
• Works with both IPv4 and IPv6
• Wide industry support; expected to become the predominant VPN Internet standard
• Used with Layer 2 Tunneling Protocol (L2TP) for dial-up VPNs, used by itself for network-to-network VPNs
73. IP Security (IPSec) Policies
• Construct IPSec policies using Windows Security Manager
• IPSec policies are associated with the default domain policy, the default local policy, or a customized policy
• Includes the ability to negotiate security services (called negotiation policies)
• IP filters let different policies apply to different computers, based on destination & protocol
• To create an IPSec policy:
  – Create a named Security Policy for some container
  – Create negotiation policies
  – Create IP filters and associate them with negotiation policies
74. Locking Down Windows Systems
The first steps to locking down Windows include:
• Applying service packs
• Applying needed hot fixes and patches
• Applying security templates
• Testing for a secure configuration
75. Service Packs
• Hotfix – single issue, apply only if necessary
• Service Pack – cumulative patches & fixes
• Re-installation of a Service Pack is not necessarily required after installing new drivers or software on Windows 2000/XP/2003, as it was with Windows NT
• Windows 2000: SP4 – see later slide
• Windows Server 2003: no service packs available as of 11/14/03; SP1 beta rumored to be in testing for release in late 2004
76. Windows 2003 SP1
• Due late 2004
• Will include numerous features and improvements from the Springboard project
• Springboard includes elements and components originally designed for Longhorn, whose release Microsoft has accelerated for Windows 2003 and Windows XP
• Will include:
  – Role-based Security Configuration Wizard (SCW) to quickly configure new servers based on function or role
  – Insecure network client isolation
  – VPN quarantine
  – Enterprise-level protection features (yet unrevealed)
77. Windows 2003 Pre-SP1 Security Issues 1/2
• 23 pre-SP1 hot fixes as of 5/11/2004
• MS04-015: Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)
• MS04-014: Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)
• MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741)
• MS04-011: Security Update for Microsoft Windows (835732)
• MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028)
• MS04-006: Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (830352)
• MS04-003: Buffer Overrun in MDAC Function Could Allow Code Execution (832483)
• MS03-048: Cumulative Security Update for Internet Explorer (824145)
78. Windows 2003 Pre-SP1 Security Issues 2/2
• MS03-045: Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
• MS03-044: Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)
• MS03-043: Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
• MS03-041: Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)
• MS03-039: Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
• MS03-034: Flaw in NetBIOS Could Lead to Information Disclosure (824105)
• MS03-030: Unchecked Buffer in DirectX Could Enable System Compromise (819696)
• MS03-026: Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
• MS03-023: Buffer Overrun In HTML Converter Could Allow Code Execution (823559)
79. Windows 2000 SP5
• Due late 2004, after Windows 2003 SP1 ships
• No reliable details on elements other than existing post-SP4 hot-fixes (17 as of 5/11/2004)
  – MS03-022, MS03-023, MS03-026, MS03-034, MS03-039, MS03-041, MS03-042, MS03-043, MS03-044, MS03-045, MS03-049, MS04-006, MS04-007, MS04-008, MS04-011, MS04-012, MS04-014
80. Windows 2000 Service Pack 4
• Released Aug 2003 – generally stable
• Recommended for Windows 2000 Server and Pro
• Available on CD, through Windows Update, and on the Windows 2000 Web area
• SP4 includes ~674 fixes (102 for security issues), see KB: Q327194
  – Note: these are issues in addition to those in SP3 and earlier
• Release notes for W2K SP4: 813432
• SP4, like SP3, upgrades the system to use 128-bit encryption. If you uninstall SP4 (or SP3), the system will remain at 128-bit encryption.
• SP4 includes Internet Explorer 5.01 SP4 and Outlook Express 5.5 with SP2
• SP4 adds to Windows 2000: native 802.1x wireless networking support and native USB 2.0 support
• There are 14 post-SP4 security issues as of March 2004
81. Known Issues with W2K SP4
• Local Security Policy values revert to the values that are stored in SecEdit.sdb (KB:827664)
• If you have the Windows Update service disabled when you install SP4, the installation program re-enables Windows Update without notifying you
• .Net Framework 1.0 programs won't run
  – Hotfix available, or upgrade to .Net Framework 1.1 (KB:823845)
• Norton Internet Security 2001 is incompatible
  – Upgrade NIS (KB:823087)
• Exchange Server can't start its Key Management Service
  – Workaround: database defragmentation (KB:818952)
• Other known issues: KB: 813432
82. Windows XP Service Pack 2
• To be released?? – current rumor is July 2004
• Will require significant changes to an organization’s deployment processes and configuration procedures
  – New enforced security and networking defaults will cause numerous applications and services to fail; reconfiguration will be necessary
• RC1 of SP2 – not stable enough for widespread deployment
• RC2 of SP2 due soon – may be suitable for limited testing; I don’t recommend production environment deployment of these test releases
• Sweeping changes to Windows XP:
  – Improved default security
  – Improved ICF, RPC, DCOM, COM
  – Better memory management and protection (i.e. against buffer overflows)
  – Improved IE, Outlook Express, Windows Messenger
83. Windows XP Service Pack 1a
• SP1a for Windows XP released on 2/3/2003
• There are 77+ post-SP1a security issues as of March 2004
• SP1a and SP1 are identical, except that the Microsoft VM (Java support) is removed from SP1a
• Generally considered stable
• We recommend installation on all XP systems
• Updates XP systems with hotfixes released through mid-Aug 2003 (MS02-048)
• Includes IE 6 SP1 & USB 2.0
• Does not include Bluetooth
• Known issues: KB:324722
• 57 post-SP1a hot fixes as of 5/11/2004
84. Windows XP Security Rollup Package 1
• Released 10/14/2003
• An interim release before SP2
• Contains 22 security-related patches in a single installation package
  – Includes security patches from SP1 through MS03-039
• KB826939
85. Working with Service Packs
• Review the documentation and KB documents associated with the Service Pack and/or hotfix before initiating installation
• Need sufficient free space on the boot partition: ~3 times the size of the SP, more if uninstall info is saved
• Move the previous SP's uninstall directory from %SystemRoot%\$NTServicePackUninstall$ to another safe location
• Back up data, the Registry, maybe the entire system
• Reboot the system
• Terminate all applications, stop unneeded services, stop debugging, stop remote control sessions
• Disable the Server service to prevent network access before starting the SP/HF application
• Stop all third-party services requiring disk access, e.g. virus protection and defragmenters/optimizers
86. Managing SPs and HFs
• Service Pack presence is visible through most Help | About screens of native utilities and the WINVER tool
• Hotfix identification varies by hotfix – typically run HOTFIX.EXE or view the Hotfix Registry key for a list
• Qfecheck – management tool from Microsoft
• UpdateEXPERT – SP and HF inventory and installation tool from Sunbelt Software
• HFNetChkPro – from Shavlik Technologies –
• All DCs should be maintained at the same SP level; mixing can introduce problems
• Software Update Services (SUS) – internalizes & manages Windows Update for private networks
• Service packs for Windows 2000, XP, and 2003 can be slipstreamed for new installations, or a pre-integrated installation CD may be available
87. Lockdown Tools 1/2
• Microsoft Baseline Security Analyzer (MBSA) 1.2
  – GUI and command line tool
  – Runs on Windows 2003/XP/2000 only, but will scan Windows NT 4.0, Windows 2003, Windows 2000, Windows XP, IIS 4.0, IIS 5.0, SQL 7.0, SQL 2000, IE 5.01+, Office 2000/2002/2003, and more
  – Lists all necessary or applicable patches, fixes, or security settings for each detected OS and software package
  – Each issue is scored:
    » Red X – missing
    » Yellow X – possible vulnerability or reminder warning
    » Green check – verified secured setting or control
    » Blue asterisk – reminder or warning of possible vulnerability
    » Blue information icon – information about the system
  – Possible risk: MBSA can create a plaintext report; with clever scripting a malicious user can create an automated attack tool based on the results
88. Lockdown Tools 2/2
• MBSA was developed with Shavlik Technologies
  – Commercial versions are available:
    » HFNetChkPro
    » EnterpriseInspector
    » Both are free for use on up to 10 workstations and 1 server –
• HFNetChk – command line tool which scans for installed hotfixes
  – Excellent for scanning local and networked systems
  – Does not download or install necessary patches
• CIS benchmark security tool
  – Evaluates a Windows system for compliance against pre-defined security benchmarks
89. Security Configuration and Analysis
• MMC snap-ins:
  – Security Configuration and Analysis
  – Security Templates
• Used to customize Group Policies, a.k.a. security templates
• Several pre-defined security templates for client, server, and DC systems at basic, compatible, secure, and high security levels
• Analyze the current security state
• Impose a pre-defined or customized security template
• Create custom templates
90. Well-known Vulnerabilities
• Windows is at risk from a wide number of well-known and oft-exploited vulnerabilities
• The following slides discuss many of these along with workarounds and countermeasures
91. Services and Security
• Only install necessary services
• Unbind unneeded protocols
• Candidate services to disable/remove: Alerter, Clipbook Server, Computer Browser, DHCP Client, Directory Replicator, Messenger, NetLogon, Network DDE, Plug and Play, RPC Locator, Server, SNMP Trap Service, Spooler, TCP/IP NetBIOS Helper, Telephony Service, Workstation
• Unnecessary services offer information gathering “holes” or access points
• Test service removal on non-production systems
• Sysinternals’ Process Explorer – displays DLL dependencies
• See the BlkViper Web site on removing/disabling services
92. SNMP Problems
• If using SNMP, remove or alter the default "public" community
• Anyone with an SNMP browser can poll this community
• Snmputil from the Resource Kit:
  – Snmputil walk <IP address> public <OID>
  – OIDs identify a specific branch in the MIB
• IP Browser from SolarWinds (www.cerberus- offers GUI exploration of the public community
• Don’t deploy SNMP unless you use it
93. Raw Sockets
• Windows 2003, Windows XP, Windows 2000, UNIX, and Linux support administrative- or root-only access to full raw sockets
• However, on stand-alone Windows XP Professional and Home systems, all local users are administrators by default
• Full raw sockets are a means by which the TCP/IP stack is bypassed to allow direct access to the underlying network data transport
• Full raw sockets were originally designed as research tools, not for real-world OSes
• Full raw sockets allow spoofed IP addresses and SYN floods
• IE’s defaults download and install software without the user’s knowledge
• Use’s SocketToMe and SocketLock to detect and close down raw sockets to users and restrict them to SYSTEM access only
94. Enumeration Using Telnet Client (1/2)
• Use any telnet client:
  – telnet <domain name or IP> port
  – Followed by pressing Enter several times
• Test common ports: 80 (Web), 21 (FTP), 25 (SMTP), etc.
• Many services respond with an error message (a.k.a. banner) listing information about the service on that port
• For example:
    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/6.0
    Date: Wed, 23 Aug 2000 16:19:04 GMT
    […]
• Web server enumeration tool: ID Serve from GRC –
95. Enumeration Using Telnet Client (2/2)
• Protection:
  – Remove default banners where possible
  – Check open ports with a scanner (nmap)
  – Prevent remote Registry access
  – Don’t rely on obscurity as your only means of security
• IIS’s URLScan utility disables banners on any version of IIS by refusing invalid service requests. Knowledge Base: 317741 – HOW TO: Mask IIS Version Information from Network Trace and Telnet
• Avoid the telnet service whenever possible; use secure alternatives such as remote control software (e.g. PCAnywhere), SSH (secure shell), or stunnel
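As an added example (not part of the course materials), the following Python checks whether a Web server you administer still returns a product/version banner of the kind quoted on the previous slide, so you can confirm that a URLScan RemoveServerHeader change or a custom banner has taken effect. The sample response is constructed from the slide's text; the host and port for the live check are whatever you supply.

```python
"""Check an HTTP Server header for product/version disclosure.

Added example; the sample response is constructed to mirror the banner
quoted on the slide and is not a real capture.
"""
import re
import socket

# Constructed sample, mirroring the slide's banner (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Date: Wed, 23 Aug 2000 16:19:04 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Matches a "product/version" token such as "Microsoft-IIS/6.0" or "Apache/2.0.49".
_PRODUCT_RE = re.compile(r"^([A-Za-z][\w.\-]*)/([\w.\-]+)")


def parse_headers(raw: bytes) -> dict:
    """Split an HTTP response head into a dict keyed by lower-cased header
    name, plus '_status' for the status line. Only the head (everything
    before the first blank line) is examined; any body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    headers = {"_status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def banner_disclosure(raw: bytes) -> dict:
    """Classify what the Server header gives away.

    Returns the raw 'server' value (None when the header is absent), the
    parsed 'product' and 'version' (None when the value is not of the form
    product/version), and 'disclosed', True only when both a product name
    and a version are exposed. A masked server (URLScan RemoveServerHeader=1,
    or a non-descriptive AlternateServerName) therefore reports disclosed=False.
    """
    headers = parse_headers(raw)
    server = headers.get("server")
    result = {"server": server, "product": None, "version": None, "disclosed": False}
    if server:
        m = _PRODUCT_RE.match(server)
        if m:
            result["product"], result["version"] = m.group(1), m.group(2)
            result["disclosed"] = True
    return result


def grab_banner(host: str, port: int = 80, timeout: float = 5.0, limit: int = 4096) -> bytes:
    """Send a bare HTTP/1.0 request (the programmatic equivalent of the
    telnet-and-press-Enter technique on the slide) and return up to
    `limit` bytes of whatever the server answers."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
        while total < limit:
            data = sock.recv(1024)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks)


def check_server(host: str, port: int = 80) -> dict:
    """Grab the live banner of one of your Web servers and classify it; run it
    after applying URLScan or a custom banner to confirm the change took."""
    return banner_disclosure(grab_banner(host, port))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    finding = banner_disclosure(SAMPLE_RESPONSE)
    print("Server header:", finding["server"])
    if finding["disclosed"]:
        print(f"Discloses product {finding['product']} version {finding['version']}")
    else:
        print("No product/version disclosure")
```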
96. File Streaming
• A method for hiding executables
• Requires NTFS’s POSIX capabilities and the RK “cp” tool
  – cp <file> <hostfile>:<file>S
• Streamed files can be executed without extraction using:
  – Start <hostfile>:<file>
• Can be used on files and directories
• Great way for hackers to hide toolkits
• Locate streamed files with:
  – LADS – Locate Alternate Data Streams –
  – Streams –
• SANS warning:
• If POSIX is removed/disabled, existing streams still function, but no new streams are possible
97. Boot Partition Conversion Problem
• If Windows 2000 is installed onto a FAT/FAT32 formatted boot partition and then converted to NTFS, the correct default security permissions are not applied to files on the boot partition
• Use the SECEDIT tool to apply the correct permissions
• Q237399
• If NT 4.0 was installed with SYSPREP, a bug prevents the Win2K upgrade from converting a FAT boot partition to NTFS
• Must manually convert the drive; no other MS fix
• Q256917
98. 51 IP Addresses
• A Windows 2000 Server acting as a domain controller cannot support more than 51 IP addresses out of the box
• A bug in Active Directory causes the error
• Attempting to add the 52nd address renders the system unable to:
  – Authenticate users
  – Launch and use administrative tools
• Limitation is per server, not per NIC
• Corrected in SP2
• Only workarounds:
  – Add a second system
  – Use W2K as a non-domain controller
99. Administrative shares
• C$, D$, …
• Hidden/system shares
• Accessed from any client on the network
• Can be accessed over VPN, RAS, PPTP
• Only require the admin name and password
100. Hidden Systems
• NET CONFIG SERVER /HIDDEN:yes|no
• Removes the system from browse lists
• Prevents the Server service from being tuned via the Network applet
• Disables auto-tuning
• To restore auto-tuning, edit the Registry and correct the entries in the LanmanServer Parameters section
• See KB: 128167; 321710; 314498
101. Predefined accounts
• Administrator
  – Can be renamed
  – Requires a non-blank password on Domain Controllers
  – Cannot be locked out or disabled
  – Cannot be deleted
  – Password never expires
  – Password cannot be stored with reversible encryption
  – Smart card cannot be required
  – Cannot be delegated
  – DES cannot be used and Kerberos is required
• Guest
  – Can be renamed
  – Blank password by default
  – Can be locked out and disabled
  – Cannot be deleted
  – Disabled by default
• Remember: everyone knows these accounts exist
102. The IIS Accounts
• IUSR_computername
  – Created by IIS for anonymous Web & FTP access
  – “Log on Locally” right
  – Member of Guests and Domain Users (DCs only)
  – Non-blank random password
  – Access enabled by default
• Can be renamed; requires the change in Active Directory Users and Computers as well as in both IIS’s Web and FTP server Properties
• Remove from the Domain Users and Guests groups to force local and Web access only
103. SAM Deletion
• Deleting the \winnt\system32\config\sam file destroys all user accounts and assigns a blank password to Administrator
• Use only as a last resort
• All domain and security settings related to users and groups are destroyed
104. Replace Passwords
• Winternals Locksmith
• Used to replace a user account password
• Works on any account, including Administrator
• Requires physical access
• Requires NTRecover or Remote Recover
• NTRecover allows data from one system to be moved across a serial cable to another system. The source system is booted with a floppy to bypass security or to recover a failed system.
• Winternals:
• Similar tool: ntpasswd:
105. Who is the Admin?
• List admins with:
  – NET GROUP "Domain Admins" /DOMAIN
• Get more details on each listed user with:
  – NET USER username /DOMAIN | more
• Decoys are for external users
• Any valid user can exploit NetBIOS to extract information about users and systems
106. Administrator Decoy
• Rename the real Administrator account with a subtle, non-obvious name – avoid admin, sysop, root, master
• Create a new decoy account named “Administrator” with a simple password
• Remove all or most access privileges and group memberships
• Audit every action and logon attempt
• Consider creating fake confidential content to snag intruders long enough to be detected and located (i.e. a honeypot)
• Method only isolates the Admin account from external intruders; Domain Admins can always discover accounts
107. Double Admin Accounts
• Each administrator needs two accounts:
  – Administrative account for management work
  – Normal user account for daily work
• No two admins should ever share an account
• Restrict/delegate each admin to his or her segment/resource responsibilities
• Only grant Admin access to trusted users
• Keep local Admins out of the Domain Admins global group to control access levels
• Audit admin account activities
• Be pessimistic about offering admin access
• Revoke the “log on from network” User Right for all admin accounts – requires physical presence at the system to log on and manage
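The NET GROUP command from the "Who is the Admin?" slide also serves the audit point above: run it on a schedule and compare the result with the roster of accounts that are supposed to hold Domain Admins. The Python below does that; it is an added example, not course material. The captured output is constructed in the layout NET GROUP prints (three 25-character columns), and the roster and account names are placeholders.

```python
"""Audit Domain Admins membership from NET GROUP output against a roster.

Added example. SAMPLE_NET_GROUP_OUTPUT is constructed to mimic the layout
of NET GROUP "Domain Admins" /DOMAIN; account names are placeholders.
"""
import subprocess
import sys

COLUMN_WIDTH = 25  # NET GROUP lists members in three 25-character columns

# Constructed sample output; the member line is built with ljust() so the
# column boundaries match what the command prints.
_MEMBER_LINE = "".join(
    name.ljust(COLUMN_WIDTH)
    for name in ("Administrator", "jmstewart-adm", "Backup Operator Svc")
).rstrip()
SAMPLE_NET_GROUP_OUTPUT = (
    "Group name     Domain Admins\n"
    "Comment        Designated administrators of the domain\n"
    "\n"
    "Members\n"
    "\n"
    + "-" * 79 + "\n"
    + _MEMBER_LINE + "\n"
    "The command completed successfully.\n"
)

# Placeholder roster: the only accounts that should be in Domain Admins.
APPROVED_ADMINS = {"Administrator", "jmstewart-adm"}


def parse_net_group(output: str) -> list:
    """Return the member names listed after the dashed separator line.

    Fixed-width slicing is used instead of split() so that account names
    containing spaces (such as a service account) are not broken apart."""
    members = []
    in_members = False
    for line in output.splitlines():
        if not in_members:
            if line.startswith("----"):
                in_members = True
            continue
        if line.startswith("The command completed") or not line.strip():
            break
        for start in range(0, len(line), COLUMN_WIDTH):
            name = line[start:start + COLUMN_WIDTH].strip()
            if name:
                members.append(name)
    return members


def audit(members: list, approved: set) -> tuple:
    """Return (unexpected, missing): accounts in the group that are not on
    the roster, and roster accounts that have disappeared from the group."""
    current = set(members)
    return sorted(current - approved), sorted(approved - current)


def run_net_group(group: str = "Domain Admins") -> str:
    """Run the slide's command on a Windows host and return its output."""
    proc = subprocess.run(["net", "group", group, "/domain"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Live on Windows; the constructed sample elsewhere.
    output = run_net_group() if sys.platform == "win32" else SAMPLE_NET_GROUP_OUTPUT
    unexpected, missing = audit(parse_net_group(output), APPROVED_ADMINS)
    for name in unexpected:
        print(f"UNEXPECTED member of Domain Admins: {name}")
    for name in missing:
        print(f"Roster account no longer in Domain Admins: {name}")
    if not unexpected and not missing:
        print("Domain Admins membership matches the roster")
```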
108. Anonymous & Null Connections
• By default, all anonymous connections and null sessions can enumerate domain user names and share names
• A null session can connect to any share or printer to which the Everyone group has access
• Set RestrictAnonymous to 1 to prevent unauthorized users from gaining access to user and share names
• RestrictNullSessAccess can be set to 1 to prevent null sessions from connecting to a system
• Some network services use null sessions to enumerate systems, perform tasks, or contact other systems on the network. Disabling null sessions may cause these services to fail.
• The NullSessionPipes value contains a list of the named pipes that can be accessed by null sessions. Named pipes can be removed from this list, but doing so may adversely affect some networking services.
109. Leaky Ports
• Windows communicates confidential information over many ports, including:
  – NetBIOS – 135–139
  – Kerberos – 88
  – LDAP – 389
  – Microsoft Directory Services – 445
  – Kerberos kpasswd (v5) – 464
  – Secure LDAP – 636
  – Global Catalog – 3268
  – Global Catalog SSL – 3269
• Always block on border systems!
• Disable the NetBIOS interface via bindings
• Use a firewall/proxy with port filtering
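To verify that the border block above is actually working, the Python below reads a Windows Firewall log and reports connections from outside the internal address space to the ports listed on this slide, separating those the firewall accepted (a leak) from those it dropped. It is an added example, not course material; the log excerpt is constructed in the W3C-style layout Windows Firewall writes to pfirewall.log, and treating the RFC 1918 ranges as "internal" is an assumption for the sample.

```python
"""Find external connections to Windows' leaky ports in a Windows Firewall log.

Added example. SAMPLE_LOG is constructed in the pfirewall.log layout; the
#Fields header line drives the parser, so files with a different column
set still parse. Addresses are taken from the documentation ranges.
"""
import ipaddress

# Ports from the slide, with the label used in the report.
LEAKY_PORTS = {
    88: "Kerberos", 389: "LDAP", 445: "Microsoft Directory Services",
    464: "Kerberos kpasswd (v5)", 636: "Secure LDAP",
    3268: "Global Catalog", 3269: "Global Catalog SSL",
}
for _port in range(135, 140):
    LEAKY_PORTS[_port] = "NetBIOS (135-139)"

# Assumption for the sample: the internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log excerpt (not a real capture).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-05-11 08:30:01 OPEN-INBOUND TCP 192.168.1.55 192.168.1.10 1088 445 - - - - - - - - RECEIVE
2004-05-11 08:30:07 DROP TCP 203.0.113.9 192.168.1.10 3301 139 48 S 1234567 0 65535 - - - RECEIVE
2004-05-11 08:30:09 OPEN-INBOUND TCP 203.0.113.9 192.168.1.10 3302 389 - - - - - - - - RECEIVE
2004-05-11 08:30:12 OPEN-INBOUND UDP 198.51.100.23 192.168.1.10 40000 137 - - - - - - - - RECEIVE
2004-05-11 08:30:15 DROP ICMP 203.0.113.9 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2004-05-11 08:30:18 OPEN-INBOUND TCP 203.0.113.9 192.168.1.10 3303 80 - - - - - - - - RECEIVE
"""


def parse_firewall_log(text: str) -> list:
    """Turn log text into a list of dicts keyed by the names in #Fields.
    Comment lines are skipped; lines whose column count does not match the
    header are ignored rather than misattributed."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data before any #Fields header")
        parts = line.split()
        if len(parts) == len(fields):
            records.append(dict(zip(fields, parts)))
    return records


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_leaks(records: list) -> tuple:
    """Return (accepted, blocked) for external sources hitting leaky ports.

    accepted: connections the firewall let in (OPEN/OPEN-INBOUND), i.e. a
    port that should be blocked at the border was reachable from outside.
    blocked: DROP records for the same ports, showing the filter working.
    Each entry is (src-ip, dst-port, label, protocol)."""
    accepted, blocked = [], []
    for rec in records:
        try:
            port = int(rec["dst-port"])
        except (KeyError, ValueError):
            continue  # ICMP records carry "-" in the port columns
        if port not in LEAKY_PORTS or is_internal(rec["src-ip"]):
            continue
        entry = (rec["src-ip"], port, LEAKY_PORTS[port], rec["protocol"])
        if rec["action"].startswith("OPEN"):
            accepted.append(entry)
        elif rec["action"] == "DROP":
            blocked.append(entry)
    return accepted, blocked


if __name__ == "__main__":
    accepted, blocked = find_leaks(parse_firewall_log(SAMPLE_LOG))
    for src, port, label, proto in accepted:
        print(f"LEAK: {src} reached {proto}/{port} ({label})")
    for src, port, label, proto in blocked:
        print(f"blocked: {src} -> {proto}/{port} ({label})")
```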
110. NetBIOS Cache Pollution (1/2)
• Vulnerable to NetBIOS cache corruption via unicast or broadcast UDP datagrams
• Allows a man-in-the-middle attack (among other activities) by corrupting the cache with altered NetBIOS name-to-IP address mappings
• Microsoft is aware of this problem; however, according to the discoverers, Microsoft will not issue a patch because it feels the problem resides in the unauthenticated nature of NetBIOS
111. NetBIOS Cache Pollution (2/2)
• Possible protection measures:
  – Block NetBIOS TCP and UDP ports (135–139, and 445) at all network borders
  – Do not rely on NetBIOS to perform hostname-to-IP address lookups
  – Disable all services that register a NetBIOS name, as seen with the "nbtstat -n" command. Be sure to unbind the "WINS Client" and other related services that employ NetBIOS
  – Upgrade to Windows 2000 and disable "NetBIOS over TCP/IP" functionality
112. NTFSDOS
• Enables NTFS volume access from any version of DOS or Windows
• Bypasses all NTFS security settings (ACLs)
• Loadable from a boot floppy
• Read-only access
• Protection:
  – Restrict physical access to the machine
  – Remove or lock floppy drives
• Commercial version: write, rename
• Companion utility: NTRecover – copy files from NTFS drives across a serial cable
• Protection: remove floppy drive, no DOS boot partition, restrict physical access
113. System Tools
• Consider moving these common administrator tools into a separate directory, set for admin access only:
  xcopy, net, arp, wscript, telnet, ping, route, finger, at, rcp, cscript, posix, atsvc, qbasic, runonce, syskey, cacls, ipconfig, secfixup, nbtstat, rdisk, debug, cmd, netstat, tracert, nslookup, rexec, regedt32, regedit, edlin, ftp, rsh, tftp
114. Windows 2000 OS/2 and POSIX
• Windows 2000 natively supports OS/2 v1 and POSIX.1. In most cases these are useless, and they pose a security threat for Internet-accessible systems.
• These subsystems can be removed from most configurations without problems:
  1. Delete the following folder and all of its contents: %systemroot%\system32\os2
  2. Delete all Registry subkeys underneath HKLM\Software\Microsoft\OS/2 Subsystem for NT
  3. Delete the Registry value Os2LibPath in HKLM\System\CurrentControlSet\Control\Session Manager\Environment
  4. Clear the contents of Optional in the Registry key HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems (but leave the value named Optional itself in place)
  5. Delete the Os2 and Posix Registry subkeys in HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems
  6. Reboot.
115. Remote Control and Terminal Services
• Use the system in a host/terminal configuration
• Local display, keyboard, and mouse control the remote system
• Installs as a service, similar to RAS
• Still requires logon authentication
• Operates over POTS, network, or Internet
• Products: PCAnywhere, Carbon Copy, Timbuktu, Remote DT, WinFrame, Terminal Server, Back Orifice 2000, Windows XP’s Remote Desktop Connection, Tridia VNC
• Most require user accounts to have the Log On Locally User Right
116. Terminal Server
• Terminal Server clients can perform brute-force password attacks against any account without triggering lockout – such connections are considered interactive logons. Fortunately, TSC automatically disconnects after 5 failed attempts
• Configure Terminal Server to log out the user on disconnect. Otherwise, a hacker could usurp a valid user by connecting and taking over the session
117. Detecting Remote Control Software
• Remote control software may be present because:
  – A user is attempting to simplify work tasks
  – It is used by administrators
  – Trial or demo
  – Trojaned (e.g. Back Orifice)
  – An unsuspecting user executes or installs it
  – Deposited by a hacker after a break-in
• Use a port scanner (such as nmap, fport)
• Keep your anti-virus scanner updated
• Use a malicious code or spyware scanner, such as Ad-aware, SpySubtract, PestPatrol
• While remote control products have default ports, most can use any port
118. Security & Viruses
• Virus protection is a mandatory element of network and Internet security
• Protect your systems from any type of malicious code: virus, worm, trojan, logic bomb, etc.
• Any information pathway is susceptible
• Active prevention and monitoring are required
• Virus protection is only as reliable as your tools:
  – Integration
  – Central management
  – Automated
  – Multi-layered
• Microsoft via STPP now offers free virus-related tech support at 1-866-PC SAFETY (1-866-727-2338)
119. Develop Anti-Virus Policy
• The solution is software, not user behavior modification
• Establish an emergency response team
• Automate prevention and detection
• Backup, Backup, Backup
• 100% virus-free servers
• Isolate risk takers, revoke privileges
• Eliminate unapproved software
• Don’t allow users to perform manual virus cleaning
• Don’t accept as valid any unverified e-mails about viruses
• Train users about safe e-mail practices
• Understand the risk in active and downloadable content
120. Virus Updates
• Automatic patch and update installation is available on most products
• Engine updates can cause system crashes
• Have updates pushed/pulled to a single system first
• After testing, deploy engine upgrades
121. Recovering Infected Documents
• CanOpener from Abbott Systems
• Able to open and extract data from infected files without launching/activating the attached virus
• Not a virus checker, but a complementary tool
• Developed in response to Melissa
• Abbott Systems Inc – (CanOpener)
• Recover damaged or corrupted Office documents:
  –
122. E-mail as a Virus Carrier
• E-mail is the most common carrier of viruses
• Virus scanners: only as good as their definition lists
• Don’t rely upon scanners as your only protection
• Up-to-date virus scanners still miss 3% of known viruses!
• New viruses often get past virus-protected borders
• The rate of virus-borne e-mail is increasing:
  – 1999 – one per hour
  – 2000 – one per 3 minutes
  – 2001 – one per 30 seconds
  – 2002 – more than one per second
• MessageLabs ( offers guaranteed delivery of 100% virus-free e-mail
123. Internet Security Issues
• Requirements to gain access:
  – valid user account
  – password
  – name of domain
  – name of the domain controller or IP address of the WINS server
• Avoid Telnet and other UNIX daemon ports: susceptible to DoS attacks
• FTP – more susceptible to password attacks than system logons
• Guest account and anonymous access
• New generations of tools: nmap, nlog, legion
124. Denial of Service
• Any Internet-connected server is vulnerable
• Any system is vulnerable, even Microsoft’s own Web sites
• DoS information:
  – FBI Web site
  – CERT Web site
  – NetWare Connections, April 2000: Cyber Crime
• Many well-known Distributed Denial of Service (DDoS) tools exist on the Internet:
  – Tribal Flood Network (TFN), trinoo, shaft, stacheldraht, mstream, naptha, zombie
• Five Registry modifications to harden the TCP/IP stack against DoS attacks – Q315669
125. Internet Connection Vulnerabilities
• Your network, proxy, router, gateway, notebook, or workstation system may be open to Internet attacks
• All Windows OSes offer information and access to external anonymous connections
• Must unbind NetBIOS from all external interfaces
• Test NetBIOS vulnerabilities at:
  – Use the Shields UP online tests to look for services and ProbeMyPorts to look for open ports
• Security Audits from – monthly subscription service that scans for vulnerabilities
126. Web Bugs
• 1 x 1 graphic: tracks Web usage without your knowledge
• Often used to profile current or prospective customers
• Some detection tools have become available:
  –’s OptOut, Spyware Analyzer, and NetFilter
  –’s SpyCop
• Often rely on cookies – disabling cookies will stop some of them
• Ad-aware can detect and remove some Web bugs:
• Bugnosis – Web bug detector –
127. IIS Security Issues
• Basic IIS protection
• IIS protocol protection
• Securing IIS Web
• Securing IIS FTP
• Use with a proxy or firewall
128. Locking Down IIS Web 1/4
• First, lock down the host OS!
• Install IIS into its own partition
• Use a packet filtering firewall/router to block all unused ports
• Avoid using FrontPage Server Extensions or WebDAV on production IIS systems
• IUSR: User Rights, authentication, member of the Everyone & Authenticated Users groups
• Specify No Access for the IUSR_ account on everything, then grant the IUSR_ account access only as needed
• Change the name of the IUSR account – duplicate the change in ADUaC and IIS
129. Locking Down IIS Web 2/4
• Use an alternate TCP port for private information service use
• Do not include sensitive or confidential information in ASP files
• Set the minimum possible or application-appropriate IIS permissions on virtual directories, folders, and files. Avoid script/executable permissions as much as possible.
• Set the minimum possible or application-appropriate NTFS ACLs on folders and files
• Isolate IIS from DCs, file servers, and other sensitive data – don’t host IIS on sensitive systems
• Enable and configure logging/auditing
130. Locking Down IIS Web 3/4
• Update root CA certificates – add new CAs you trust, remove CAs you no longer trust
• Remove the IISADMPWD virtual directory
• Disable or remove all IIS sample applications: IISSamples, IISHelp, and MSADC
• Disable or remove unneeded COM components
• Inspect all ISAPI scripts for RevertToSelf(), which changes the execution context to system level – use dumpbin (a Win32 API developer tool)
131. Locking Down IIS Web 4/4
• Remove unused script mappings, especially for ISAPI
• Check <FORM> and Querystring input in your ASP code for validity before processing
• Disable parent paths (i.e. “..”) (294807 – pre-6.0)
• Disable IP Address in Content-Location (218180)
• Disable WebDAV (post SPR1) – Unchecked Buffer In Windows Component Could Cause Web Server Compromise (KB:815021; 241520) – MS03-007
132. Unsuspecting Web Servers
• IIS and PWS automatically install and run on many OSes
• If IIS/PWS is running, you are vulnerable to all unpatched exploits
• Open IE, in the Address field type "http://localhost" and press Enter. If you get a Web page or a dialog box asking you to enter your name, password, and domain, then you are running IIS/PWS.
• To uninstall IIS/PWS, use Add/Remove Windows Components
• To disable, use the IIS MMC snap-in or the Services applet
133. IIS Host Protection
• Isolation domain
• Reverse proxy – “port forwarding”
  – Can slow access due to proxy activities
• Web-in-a-box solutions
• Co-locate at an ISP
  – Requires use of remote control software
• Outsource Web/FTP hosting to a third party
• Maintain an internal backup of hosted Web/FTP resources to ensure all IIS/FTP solutions
134. IIS Isolation Domain
• Configure IIS in its own distinct domain
• Define trust to administer the IIS domain
• Enables control of IIS while protecting the LAN
• Consider an IPX LAN where only the IIS host uses TCP/IP – deploy MS Proxy Server & use an IPX-to-IP gateway for client Internet access
• Deploy a firewall between the IIS and main domains to filter traffic
135. Securing IIS FTP
• Don’t rely on ISM’s access rights; use NTFS (think of IIS FTP as shares)
• Offer minimal access to users
• Avoid mapping drives or directories:
  – across the network
  – of root
  – whose children should not be FTP accessible
• Log FTP activity and check the Event log frequently for access denials – audit access failures
• Block IPs where break-ins originate
• Remember that passwords are passed in the clear by the FTP protocol
• Disable anonymous user uploads
136. Hackers Do It With Subtlety
• Footprinting
  – Profiling an organization’s security structure
  – Discovering network addresses and domain names
• Scanning
  – Determining active services and applications
  – Locating active or open ports
  – Determining OS
• Enumeration
  – Extracting account information
  – Connecting to shares
  – Connecting to services or applications
• Exploitation
  – Taking advantage of security holes
137. Hacking Tools – 1/4
• VisualRoute – GUI tracert –
• SolarWinds 2000 – ping, subnet, traceroute, DNS, and more –
• Genius – traceroute and more –
• Nmap – port scanner –
• PortPro – port scanner –
• Legion – connects to open shares –
• Epdump – port and service scanner –
• LC4 (formerly L0phtCrack) – password grabber/cracker –
138. Hacking Tools – 2/4
• getmac – identifies MAC and device name of NICs on remote systems – RK tool
• netdom – domain management tool, lists domain membership and BDCs – W2K Support tool
• Netviewx – lists nodes and services in a domain –
• Netcat (nc) – port connector, DNS checking, port scanning, and more –
• Sam Spade – multi-function tool: DNS query, website search, IP block identifier, SMTP verify, etc. –
• NetBus – a remote control package –
139. Hacking Tools - 3/4
• Revelation - reveals passwords behind asterisks
• Password Recovery - recovers passwords from various file types
• Password crackers
• Cerberus Internet Scanner - scans for ports, services, and common vulnerabilities
• Invisible KeyLogger - records keystrokes
• remote - used to regain access to breached systems - RK
140. Hacking Tools - 4/4
• Pippa or datapipe - Perl scripts used to redirect ports
• Grinder - searches out Web servers on IP addresses
• Foundstone tools - a wide assortment of utilities
• Nessus port scanner
• Fscan
• NetScanTools
141. Security Certifications
• SANS GIAC
• MCSE + Security
• ISC2 CISSP
• Security+
• TruSecure ICSA (TICSA)
• CIW Security Analyst
• NAX - Network Analysis Expert (WildPackets)
• “The vendor-neutral security certification landscape, May 2003 update”
• “Update: Survey of vendor-specific security certs, May 2003”
142. Online Resources Intro
• URL Safety - We’ve endeavored not to include any high-risk Web sites in our list of recommended URLs (except as noted). However, access sites at your own risk.
• KB - Knowledge Base documents, which can be found on TechNet (CD or Web site). Knowledge Base documents may or may not be preceded by a Q, as in Q260694.
• Free email alerts every time Microsoft publishes new Support or Knowledge Base articles, by product/technology
• RK - Resource Kit - available as a standalone product or as part of TechNet
143. TechNet
• Monthly publication
• Documentation for every major MS product
• White papers, FAQs, troubleshooting documents, book excerpts, articles, utilities, patches, fixes, upgrades, drivers, and demonstration software
144. Database of Registry Entries
• W2K3: part of the Microsoft Windows Server 2003 Deployment Kit as the Registry Reference for Windows Server 2003. Also available online: nfo/reskit/deploykit.mspx
• W2K RK utility: REGENTRY.CHM
• NT RK utility: REGENTRY.HLP
• Lists all standard or default entries of the Registry
• Locate by topic, alphabetically, or search
• Excellent resource for security or any type of maintenance requiring Registry manipulation
• Windows Registry Guide
• The viewable Registry is a collection of exceptions, not an exhaustive collection of configuration settings.
145. Online Resources 1/5
• Microsoft Security Advisor & Notification Service
• Various Windows Security Guides:
– url=/technet/security/prodtech/windows/default.asp
• Department of Homeland Security - Information Analysis and Infrastructure Protection Directorate CyberNotes:
» Bi-weekly list of all bugs, holes, and patches for software (including OSes), exploit scripts and techniques, Internet trends, viruses, and Trojans
• Microsoft Security - Trustworthy Computing for IT:
– url=/technet/security/default.asp
• Windows & .NET Magazine
• ENT News: Maximizing the Enterprise Windows Experience
• Windows & .NET Magazine: Security Administrator
• Windows NT/2000/XP/Server 2003 Tips and Tricks
• SANS Institute
146. Online Resources 2/5
• Hacking Exposed book companion Web site
• TISC Security Web site
• CERT
• Somarsoft
• Securityfocus
• NSA’s Security Recommendation Guides
• Microsoft’s Security Operations Guide for Windows 2000 Server
• ’s Security Toolbox
• Foundstone’s Free Tools
147. Online Resources 3/5
• Security Mailing lists
• @Stake/l0pht (where crackers congregate!)
• Beverly Hills Software
• SERVERxtras, Inc.
• Sunbelt Software (nt-admin list)
• Windows NT/2000 FAQ
• Search Windows 2000
• Security Administrator - Windows & .NET Mag
• Hammer of God - tools
148. Online Resources 4/5
• NTBugTraq
• Computer Incident Advisory Capability (CIAC)
• Federal Computer Incident Response Capability (FedCIRC)
• AntiOnline
• Security News Network
• NSA’s W2K Security Recommendation Guides
• Encryption and Security-related Resources
• Event
• NIST - CSRC
149. Online Resources 5/5
• Microsoft Patch and Hotfix Download Center
• Microsoft KnowledgeBase, TechNet
• MSNEWS.MICROSOFT.COM - NNTP server:
– HINT: use newsgroup search on “security” for the complete list!
• Microsoft Security reporting email
• NTSecurity mailing list - subscribe ntsecurity
• MCP Mag: April 2000: Security Advisor
• Netware Connection: April 2000: Cyber Crime
150. Vulnerability Scanners 1/2
• Security Space: Security Audits
• Qualys: free online scanner for the SANS Top 20 vulnerabilities
• Foundstone: FoundScan Enterprise Vulnerability Management System (EVMS)
• Harris Corporation: STAT Scanner
• Internet Security Systems: Internet Scanner
• SAINT Corporation
• Advanced Research Corporation: SARA-4.1.1
• Nessus: Nessus Security Scanner
151. Vulnerability Scanners 2/2
• eEye Digital Security’s Retina
• Cerberus Information Scanner
• Winfingerprint
• ExtremeTech’s Syscheck: collection of scanners:
– ,3428,a=25758,00.asp
• Hacker Whacker
• Evaluation of vulnerability scanners
152. Security Audit Tools
• ISS RealSecure
• RSA’s Security Analyst
• Network Associates’ CyberCop
• Blue Lance’s LT Auditor+
• CyberSafe’s Centrax
• Sunbelt’s STAT, QualysGuard, Enterprise Security Reporter
• Marcus Ranum’s Network Flight Recorder
• Somarsoft’s DumpSec, DumpEvt, DumpReg
• Raytheon’s SilentRunner
153. Virus Protection Tools
• Symantec’s Norton Anti-Virus
• Computer Associates’ InocuLAN and InoculateIT
• Network Associates’ Anti-Virus
• Trend Micro’s InterScan Anti-virus
• Data Fellows’ F-Prot
• McAfee’s VirusScan
• Moosoft’s The Cleaner - trojan scanner
• PestPatrol - trojan, hacker tool, and spyware scanner
• Locate other options:
– Server Xtras, Inc.
– Sunbelt Software
– Beverly Hills Software
154. Virus Information Resources
• The WildList Organization International
• Denial of Service Attack Resources
• Digicrime, Inc.
• Peter Gutmann’s Web site on Security Weaknesses
• Simovits Consulting: Ports used by Trojans
155. Firewall/Proxy Online Resources
• Security Panel’s Firewall List
• Phil Cox’s “Hardening Windows 2000 Guide”
• Hammering out a secure framework
• NIST Guidelines on Firewalls and Firewall Policy
• Yahoo - search on Firewall
156. Print Resources 1/2
• Windows 2000 Security. Roberta Bragg. New Riders, 2001. ISBN 0735709912.
• Windows 2000 Security Handbook. Philip Cox and Tom Sheldon. Osborne McGraw-Hill, 2000. ISBN 0072124334.
• Windows 2000 Security: Little Black Book. Ian McLean. The Coriolis Group, 2000. ISBN 1576103870.
• Microsoft Windows 2000 Security Handbook. Jeff Schmidt. Que, 2000. ISBN 0789719991.
• Windows 2000 Security Technical Reference. John Hayday (ISS named as “Editor”). Microsoft Press, 2000. ISBN 073560858X.
• Hacking Exposed, 4th Edition: Network Security Secrets and Solutions. Stuart McClure, Joel Scambray, George Kurtz. Computing McGraw-Hill, 2003. ISBN 0072227427. See also Hacking Exposed Windows 2000 (ISBN 0072182623).
• Intrusion Signatures and Analysis. Stephen Northcutt, et al. New Riders, 2001. ISBN 0735710635.
157. Print Resources 2/2
• Firewalls and Internet Security: Repelling the Wily Hacker. William R. Cheswick and Steven M. Bellovin. Addison-Wesley, 1994. ISBN 0201633574. 2nd Edition due whenever it’s finished!
• Building Internet Firewalls, 2nd Edition. Elizabeth Zwicky, et al. O’Reilly & Associates, 2000. ISBN 1565928717.
• Configuring Windows 2000 Server Security. Thomas Shinder, et al. Syngress Media, 1999. ISBN 1928994024. (See also ISA Server and Beyond, ISBN 1981836663.)
• Network Intrusion Detection: An Analyst’s Handbook, 2nd Ed. Stephen Northcutt and Judy Novak. New Riders, 2000. ISBN 0735710082.
• Computer Security. Dieter Gollmann. J. Wiley & Sons, 1999. ISBN 0471978442.
158. Security Bookshelf
• Identifies the top 50-plus books relevant to information security
• Updated March 2003 online!
• Initially designed for comprehensive CISSP preparation; now includes best-of-breed infosec titles
• To locate:
– Go to the site
– Search on “Tittel bookshelf”
– Produces pointers to 2 related articles: The Computer Security Bookshelf, Part 1 and The Computer Security Bookshelf, Part 2