W982 05092004

1
W982:
Windows 2003/XP/2000
System and Network Security
Networld+Interop - Las Vegas
Wed – May 12, 2003
8:30am-4:30pm
James Michael Stewart
CISSP, ISSAP, TICSA, CIW SA, Security+, CTT+, MCT, CCNA,
MCSA Windows Server 2003, MCSE+Security Windows 2000,
MCDST, MCSE NT & W2K, MCP+I, iNet+
www.impactonline.com
michael@impactonline.com

2
UPDATED MATERIALS
• This course has changed since submitted for printing
• Updated slides, notes, and handouts available from:
www.impactonline.com/interop/
• All new or changed material is highlighted in green.

3
What This Course is NOT
about
• How to break into Windows systems
• Security issues not related directly to Windows
• Installing software
• Troubleshooting non-security issues
• Details on Intrusion Detection
• Basics of Windows architecture, administration, or
operation
• Other software from Microsoft or third-party
vendors

4
What This Course IS about
• Why security is important
• Native security features built into:
– Windows Server 2003
– Windows 2000 Server and Professional
– Windows XP Professional
• How to lock down or secure a Windows
system
• Vulnerabilities of Windows OSes
• Windows countermeasures

5
Security Is Important
• OS or system security does not exist in a vacuum
• You must address physical security and
administrative issues otherwise no amount of
technical or logical security controls will suffice
• Security must be driven by an organization wide
security policy.
• “Security is not a goal, it is a process, and Security
is not a product, it's a mentality” –
McClure/Scambray
• Security is maintaining data integrity and providing
only authorized, controlled access to that data

6
Windows Security is
an ART not a SCIENCE
• Take my recommendations and opinions about
Windows security at your own risk.
• Usually, increasing security adds administrative
overhead, but decreasing security reduces
administrative workloads. Ultimately, you must
choose what level of security you require, and
manage related admin tasks.
• We welcome other opinions on Windows security in
the class - we will add useful information to online
materials and future classes

7
Windows Security Is
• Build a perimeter that’s harder to cross than your
neighbor’s
• Controlled and monitored access
• “End to end” solution, involving: clients,
applications, servers, boundary devices, and all
relationships between these elements
• Windows 2000/NT/XP Out of the Box: Few secure
defaults
• Windows Server 2003 is much more secure by
default
• Maintaining security is never-ending process:
requires vigilance, ongoing monitoring, and
maintenance.

8
Security:
A Multi-Front Endeavor
• 100% security does not exist
• Implement security in layers
• Security must provide protection from intrusions,
internal and external attacks, accidents, malicious
code, and physical destruction.
• Security policies guide and direct implementation
• Three Legs of Security
– Physical access control
» If physical security not maintained, no amount of software
security can create a secure environment for your data
– Human education and management
– OS and software management

9
Worst Security Mistakes
• Opening unsolicited email attachments without verifying
source and checking content first
• Failing to install security patches
• Installing unapproved software
• Neither making nor testing backups
• Connecting a modem to a phone line while computer is
connected to a LAN
• Relying primarily on firewalls and boundary safeguards
• Connecting systems and devices to the LAN or Internet
before hardening them
• Using telnet or other unencrypted protocols to manage
systems and network devices
• Running unnecessary protocols and services
• Failing to keep yourself up to date with the state of security of
your OSes, software, and hardware

10
Windows Sever 2003
New and Modified Features
• Common Language Runtime
• Internet Connection Firewall
• Account behavior changes
• More Secure Defaults
• Administration Security
• Developer enhancements
• Encrypted File System enhancements
• IPSEC enhancements
• Authorization Manager
• Software Restriction Policies
• Credential Management
• PKI Features
• IIS 6.0 enhancements

11
Common Language Runtime
• Common Language Runtime (CLR) software engine
– improves reliability and helps ensure a safe computing
environment.
– reduces the number of bugs and security holes caused by
common programming mistakes
– verifies that applications can run without error and checks for
appropriate security permissions
– making sure that code only performs appropriate operations
– checks where the code was downloaded or installed from
– checks whether the code has a digital signature from a trusted
developer
– Checks whether the code has been altered since it was digitally
signed.

12
Internet Connection Firewall
• Simple stateful IP filter
• Allows all outbound
• Allows selected inbound

13
Account Behavior Changes
• Limiting local account misuse
• Network logon prevented with blank passwords
• Network logons using local accounts authenticate
as guest
• Administrator account can be disabled
• The built-in Everyone group includes
Authenticated Users and Guests, but no longer
includes members of the Anonymous Logon
group
• Supported authentication techniques: Kerberos
V5, SSL, TLS, NTLM, digest (MD5 hash), passport,
two-factor (such as smart cards)

14
More Secure Defaults
• IIS/FTP/SMTP not installed by default
• IIS must be configured before first use
• Many services/interfaces/extensions are disabled
by default

15
Administration Security
• Command line tools (e.g. netstat –o)
• Smartcard authentication for common admin
tools:
» Net.exe
» Runas
» Terminal Services

16
Developer Enhancements
• .Net Common Language runtime
» Managed code
» Authentication of code origin
» Authorization of operations against policy
• IPSec APIs
• Application access to EFS metadata
• Advanced Encryption Standard & New Hash
support

17
EFS Enhancements
• Encrypted file sharing in the UI
• Encrypted files marked with alternate color
• Sharing Your Encrypted Files with Other
Users
• Encrypted client side cache
» Used for offline folders, files stored in encrypted CSC
database
• Support kernel-mode FIPS-compliant
cryptography
» 3DES algorithm, enabled with Group Policy
» FIPS – Federal Information Processing Standard

18
EFS Data Recovery Changes
• Domain Model
» Removed requirement for Data Recovery Agent
» Can operate with no data recovery policy or a separate
key recovery policy
» Domain Administrator is DRA by default when domain
is created

19
EFS over WebDAV
• Enable encrypted storage on Internet servers
(end to end encryption)
• WebDAV is a file sharing protocol over HTTP
» Alternative to SMB; Internet Standard RFC 2518
» Supported by numerous independent software
vendors
• IIS 5.0 and IIS 6.0 support WebDAV as web
folders

20
IPSec Enhancements
• Windows 2000/XP/Server 2003 Compatibility
• Stronger security
• Diagnostics and supportability
• UI improvements and IPSec Monitor Snap-in
• Command line management NETSH
• Computer startup security
– IPSec Driver Startup Modes
• Persistent policy for enhanced security
• Removed default traffic exemptions
• NAT traversal
• Improved IPSec integration with Network Load
Balancing
• IPSec support for Resultant Set of Policy (RSoP)

21
Authorization Manager
• Flexible framework
• Role-based access control
• Role-based administration
• Support for Forest Trusts – two-way transitive
trusts between every domain in both forests

22
Software Restriction Policies
• Group Policy can restrict software installation
and execution
• Can restrict by:
» Hash Rule
» Path Rule
» Certificate Rule
» Zone Rule

23
Credential Manager
• Provides a secure storage mechanism for user
credentials, such as passwords and X.509
certificates
• Provides a consistent single-sign on
• Supported for local and roaming users
• Simplifies and secures the methods by which
server and client based applications obtain user
credentials

24
PKI Features
• Qualified subordination
– A.K.A. Cross certification
– More X.509 options implemented on server and
client
– Define the namespace for which a subordinate CA
will issue certificates
– Specify the acceptable uses of certificates issued
by a qualified subordinate CA
– Create trust between separate certification
hierarchies
• Editable certificate templates
• Key archive & recovery
– Can configure a CA to archive the keys associated
with the certificates it issues
• Auto enrolment & renewal
• Delta CRLs

25
IIS 6.0 Enhancements
• Lessons implemented
• Reduced attack surface
• Code security
• Secure defaults
• Improved ASP security
• Lower privilege accounts
• Improved patch management
• Security features for the platform
• Application isolation
• FTP user isolation
• Passport authentication
• URL authorization

26
Some Specific Windows 2003
Security Benefits
• More than 20 services that were enabled by default in W2K
are now disabled or operate at lower privileges
• IIS 6.0 and Telnet server is not installed by default, plus both
run under a new service account with lower privileges
• IE has numerous limitations on its functionality
• The Security Configuration Wizard which works on-top-of
Configure Your Server defaults to the highest security
lockdown for added services and features
• Remote users will be unable to log in using blank passwords
• Role-based authentication via applications
• The system root drive is accessible only to Administrative
group users, the Everyone group is fully restricted
• Stronger VPN policies and filters

27
Windows 2000 to Windows 2003
• All known problems with Windows 2000 up through
approximately MS03-022 are corrected or not
present in Windows 2003
• New problems since MS03-023 may be found in
Windows 2000, Windows XP, and Windows 2003
– Check Windows Update and Microsoft Security Bulletins
frequently to stay current with new developments

28
Windows 2000 Security Features
• Improved security model over Windows NT:
– stronger authentication, protocols, & services
• Directory Service Account Management
– domain trees
– Organizational Units (OUs) - directory containers
• Kerberos Authentication Protocol V5
• Public Key Infrastructure (PKI)
• X.509 Version 3 Certificate Services
• CryptoAPI Version 2
• Encrypting File System (EFS) built into NTFS
• Secure channel security protocols (SSL 3.0/PCT)
• Smart card support
• Private Communications Technology [PCT] 1.0
• Distributed Password Authentication (DPA)
• Transport Layer Security Protocol [TLS]
• Internet Security Framework: IPSec, L2TP
• Transitive Trusts

29
Windows XP
Security Features
• Most of the security benefits of Windows 2000 are
found in Windows XP
• Additional security features include:
– Internet Connection Firewall
– Internet Connection Sharing
– Blank password restriction (access to local system only)
– Encryption of Offline Files
– Credential Management – storage of logon credentials
– Fast user switching (non-domain only)

30
• All passwords rendered useless on Windows XP:
– Boot a Windows XP system with a Windows 2000 CD
– Start the Windows 2000 Recovery Console
– User is then able to operate as the administrator of the system
without a password
– User can connect as any user account on the system without a
password
– User can copy files to floppies or other removable media from
any local hard drive – a capability normally restricted within the
Recovery Console when used legitimately.
– Only countermeasure – physical security
– http://www.briansbuzz.com/w/030213/
Windows XP
IPL Vulnerability

31
Coverage of Windows Clients
• Windows XP Professional can be configured as the
most secure client available from Microsoft
• Windows 2000 Professional can be configured to
be almost as secure as Windows XP Professional
• Both offer different defaults, usually insecure
defaults, when employed as stand-alone systems
• This courseware assumes Windows XP
Professional and Windows 2000 Professional are
being used as Active Directory domain clients.
Therefore they take on the security configurations
defined by Windows 2000 Server or Windows
Server 2003 GPOs assigned to their AD containers.

32
Coverage of Windows Servers
• All Windows 2000 Server and Windows Server 2003
settings are discussed from the perspective of
these systems being used as domain controllers.
• Domain controllers either inherit the security
configuration of the domain controllers, the domain
GPO, or are assigned their own unique
configuration by network administrators.

33
Overview of Native Security
Components
of Windows 2003/XP/2000
• Logon control
• User accounts
• Groups
• Accounts policy - passwords and lockout
• System policies
• NTFS and Share permissions
• User Rights
• Auditing

34
Login & Access Security
• NetLogon service
– restricted memory area
– CTRL-ALT-DEL
– cannot be spoofed
– forces physical logon
– communicates with security database to validate users
– Requires:
» user account name
» password
» domain name
• Remote Control software bypasses via API and
installed service (logon required to install service)

35
Automated Logon
• HKEY_LOCAL_MACHINESOFTWAREMicrosoft
Windows NTCurrentVersionWinlogon
– DefaultDomainName (Value: REG_SZ)
– DefaultUserName (Value: REG_SZ)
– DefaultPassword (Value: REG_SZ)
– AutoAdminLogon (Value: REG_SZ) = 1
• Authentication still occurs, but without user input
• To terminate auto-logon:
– set AutoAdminLogon=0
– delete DefaultPassword
• Hold SHIFT to logon with alternate user account
• Used on kiosks & other access points where
access level or physical security is no issue
• Functions on NT, 2000, XP, 2003

36
Cached Credentials (1/2)
• By default, when you attempt to log on to a domain from
a Windows 2003/XP/2000-based workstation or member
server and a domain controller (DC) cannot be located,
no error message is displayed.
• Instead, you log on to the local computer using cached
credentials.
• By default, Windows 2003/XP/2000 caches the last 10
logons
• Set through Group Policy (Security Options) or Registry
(CachedLogonsCount). If set to 0, no logons are cached
and if DC is not available logon is denied.

37
Cached Credentials (2/2)
• When logged on with cached credentials, user account
has no access to updated group policies, roaming
profiles, home folders, or logon scripts.
• Use “set” command at Command Prompt
– LOGONSERVER entry names what system authenticated you.
– If local system – cached credentials, if DC – domain validation.
• Appears in Event Viewer’s System log – event ID 5719
• Add ReportControllerMissing and ReportDC values to
Registry to force user warning message.
• Unlocking a workstation or a DC uses cached
credentials by default. If you don’t disable credential
caching, then set ForceUnlockLogon to 1 to require
actual AD authentication to unlock systems.

38
User Accounts & Groups
• Users and groups key to Windows security
• User Accounts:
– Unique identifiers for each person
– Security IDs
• Groups:
– Used to control resource access
– Machine local, Domain local, Global, Universal (native mode)
– Multiple group memberships
– Combined permissions
• Users > Domain Groups > Local Groups > Resources
– Users are added to groups
– Groups are assigned permissions for resources
– Nesting of groups supported
• Delete vs. Disable old user accounts

39
System Controlled Groups
• Pre-Windows 2000 Compatible Access
• Anonymous Logon
• Authenticated Users
• Batch
• Creator Group
• Creator Owner
• Dialup
• Enterprise Domain Controllers
• Everyone
• Interactive
• Network
• Proxy
• Restricted
• Self
• Membership is dynamic and managed by the OS itself
• Everyone group is still required on boot partition and still
includes anonymous and null sessions
• Service
• System
• Terminal Server User
2003 specific:
• Digest Authentication
• Local Service
• NTLM Authentication
• Other Organization
• Remote Interactive Logon
• SChannel Authentication
• This Organization

40
Group Policy
• GPOs can be assigned to domains, sites, or OUs.
– Applied: LSDOU
• Combines policies for:
– general security controls
– audit
– user rights
– passwords
– accounts lockout
– Kerberos
– Public key policies
– IPSec policies
• 2000 OOB – if a user is a member of 70 to 80
groups, group policy may not be applied. Caused
by Kerberos’s token size limitation, correction
changes MaxTokenSize from 12000 to 100000 -
(SP2) - 263693

41
Group Policy SMB vulnerability
• SMB signing flaw may allow group policies to be
modified by unauthorized users
• Affects: Windows 2000 and Windows XP
• Flaw allows attackers to downgrade the settings for
SMB signing so packets not signed even though
systems are configured to use SMB signing. This
attack occurs during negotiation process between
client and server. Once exploited, attackers could
modify packets sent between two systems and
changes would not be detected.
• Patch not included in Windows XP SP1
• MS02-070: KB:329710

42
Password Policy
• Set password restrictions
– Min & max password age (0-999)
» W2000 – Max 42 days; Min 0 days
» W2003 - Max 42 days; Min 1 days
– Min password length (0-14)
» W2000 - 0
» W2003 - 7
– History (1 - 24 entries)
» W2000 – 1
» W2003 - 24
– Passwords must meet complexity requirements
» W2000 – disabled
» W2003 – enabled
– Store passwords using reversible encryption for all users in the
domain
» W2000 & W2003 - disabled

43
Password Complexity
• Forces minimum of 6 characters
• Incorporates at least 3 character types:
– Uppercase: A through Z
– Lowercase: a through z
– Numerals: 0 through 9
– Non-alphanumeric: !, @, #, $, [, , …
• No part user account name or real name
• Not foolproof: “April1999” is valid password under
these restrictions, but easily guessed.
• When enabled, existing passwords are grandfathered;
new or changed passwords must meet restrictions
• Custom password filters – see W2000 and W2003 SDK

44
Failing Requirements When
Changing Passwords
Your new password does not meet the minimum
length or password history requirements of the
domain. Also, your site may require passwords that
must be a combination of upper case, lower case,
numbers, and non-alphanumeric characters.
Your password must be at least <#> characters long.
Your new password cannot be the same as any of
your previous <#> passwords. Also, your site may
require passwords that must be a combination of
upper case, lower case, numbers, and non-
alphanumeric characters.

45
Designing Secure Passwords
• Implement company/organization security policy
• Use cracking tools to test your password strength
– LC4, PassFilt Pro, John the Ripper, Quakenbush’s Password
Appraiser
• Allow no part of e-mail address in password
• Change every 30 - 45 days
• Maintain history of previous passwords to prevent
reuse
• Always assign passwords to all accounts
• Avoid common words – dictionary, slang, industry
acronyms, etc.
• Use ALT characters - ALT-130 for é, ALT-157 for ¥, etc.
– Avoid use on administrator accounts
• Never write passwords down

46
Password Crackers
• Require access to SAM - direct or copy
• Password auditing:
– @stake’s LC4 – http://www.atstake.com/
– Quakenbush’s Password Appraiser – http://www.quakenbush.com/
• Most perform reverse hash extraction
• Protect your SAM!
• LC4 can sniff SMB exchanges on networks to pull
passwords – use switched networks to force end to
end communications
• Several tools are available that boot from a floppy
and can change the password on any account:
– Peter Nordahl's Offline NT Password & Registry Editor tool
– Sysinternals’ Locksmith

47
Audit Password Registry Keys
• Enable auditing through Group Policy’s Audit
Policy
• Start scheduler service, set system startup
• AT <time> /interactive “regedt32.exe”
• Registry editor is launched with System level
access - SAM and SECURITY hives (Note: System
is NT’s closest equivalent to UNIX’s superuser or
root access)
• Set SAM hive auditing parameters
– at <time> /interactive "regedt32.exe"
– HKEY_LOCAL_MACHINESAM
– Set Security|Auditing per event & user/group

48
Accounts Policy
• Set Lockout parameters
– Lockout duration (0 – 99999 minutes)
– Failed logon attempts
– Counter reset after time limit
• Not enabled by default on W2K or W2K3
• “Account is locked out” checkbox on user account properties
dialog box

49
User Account Security Controls
• Logon hours
• Log On To – restricted to workstations
• Account info: expiration – never or by date
• Account Options (next slide)
• Dial-in:
– Remote Access Permission (dial-in or VPN) – allow, deny,
or controlled by Remote Access Policy
– Verify caller ID (requires supported hardware)
– Call back: pre-defined or user-supplied
• Terminal Services Sessions :
– End disconnected sessions timeout
– Time limit for active sessions
– Time limit for idle sessions
– Enable remote control/observation
– Require use’s permission to control/observe

50
Account Options
• User must change password at next logon
• User cannot change password
• Password never expires
• Store password using reversible encryption
• Account is disabled
• Smart card is required for interactive logon
• Account is trusted for delegation
• Account is sensitive and cannot be delegated
• Use DES encryption types for this account
• Do not require Kerberos pre-authentication
Direct user account settings override
group policy settings!!

51
Audit Policy
• All Windows Objects can be audited
• Two controls: policy and object
• Policies:
– Account logon events
– Account management
– Directory service access
– Logon events
– Object access
– Policy change
– Privilege use
– Process tracking
– System events
• Object level controls accessed through Advanced Security
Properties
• Audit policy must be enabled in order for audited events to be
recorded in the Security log

53
Auditing for Security
• Suspect events:
– failed log on attempts
– repeated denied access to resource
– system reboots
• DumpEVT – Export event logs to text files for use in
scripts and databases - www.somarsoft.com
• As the amount of data gathered by auditing
increases, so does need to employ IDS or a data
mining tool to deal with the data load

54
Example Audit Schemes
• Random password attacks
– account logon events, logon events: Failure
• Stolen passwords: (must filter for abnormal activity)
– account logon events, logon events: Success
• Misuse of admin privileges:
– privilege use: Success
account management: Success
policy change: Success
system events: Success
• Virus infection: (track W for all .exe, .bat, and .dll)
– process tracking: Success, Failure
directory service access, object access: Success, Failure
• Access to sensitive files (track R,W for suspect
users/groups)
– directory service access, object access: Success, Failure

55
Working with User Rights
• Review defaults of User Rights
(see handout "User Rights")
• To increase security settings, make the following
changes:
– Allow Log on locally: assigned only to Administrators on Servers
– Shutdown the System: assigned only to Administrators, Power
Users
– Access computer from network: assigned to Users, revoke for
Administrators and Everyone
– Restore files/directories: revoke for Backup Operators
– Bypass traverse checking: assigned to Authenticated Users,
revoke for Everyone

56
Ownership
• Ownership grants a user Full Control over an object
• Ownership can be taken by users with:
– Take Ownership of Files or Other Objects User Right
– NTFS object level Ownership permissions.
• Administrators and Domain Admins have this user
right by default.
• Ownership can be assigned using subinacl (RK
tool):
– subinacl /subdirectories c:winntprofiles*.*
/setowner=administrator
• Ownership can be used to bypass any Deny setting.

57
NTFS Security
• Defined by object: files, directories, printers
• Set by group or user for Allow or Deny
• Standard file settings:
– Full Control (RXWDPO);
Modify (RXWD);
Read & Execute (RX);
List Folder Contents (dir only) (R);
Read (R); Write (W)
• Always check defaults on
new objects in regards to
the Everyone group
• Container rule - move vs. copy
• Inheritance is configurable,
inheritance of permissions
and auditing is distinct

58
Share Permissions
• Permissions:
– Full Control
– Change
– Read
• All permissions based
on Allow or Deny
• W2K – new share Full Control
to Everyone
• W2K3 – new share Read only
to Everyone
• On object’s Sharing tab:
– Able to set maximum
simultaneous users
– Caching
» Allow/prevent caching
» Manual - Offline Files
» Automatic

59
Managing Permissions
• NTFS - All user specific and group membership
permissions on the same resource are cumulative.
• Share - All user specific and group membership
permissions on the same share are cumulative.
• Combining NTFS and Share Permissions
– Cumulative NTFS is compared to the cumulative Share - most
restrictive applies
– Think of it as an ANDing function
• Deny always results in deny. Watch for conflicts
caused by multi-group memberships.
• Grant permissions on “as needed” basis – need to
know or least privilege
• SystemTool’s DumpSec (www.systemtools.com)
– dumps permissions (ACLs) for file system, registry, shares and
printers into a readable listbox format

60
Disk Quotas
• Disk quotas
• Configurable per volume
• Configurable per user
• Prevent file writing when limitation exceeded
• Space limitation and warning level in KB, MB, GB,
TB, or PB
• Enable log events for quota limit reach or warning
level reach
• Quota limits based on uncompressed file size
• More control and granularity through third-party
quota solutions, such as Quota Advisor and
Storage Central from www.sunbelt-software.com

61
Process Security
• Inherits parent’s Access Token
• Use Task Scheduler to launch tasks with any user
account credentials
• Services can be launched with System or any user
account credentials
• Once launched, access level of process cannot
change
• Use RunAs to execute under another user security
contents – requires username and password. Use
as command line or hold-shift then right-click
over .exe for pop-up menu

62
Windows Kerberos Policy
• Trusted third-party Authentication protocol developed at MIT
as part of Project Athena
• Kerberos V5
– Faster connections
– Mutual Authentication
– Delegated Authentication
– Simplified Trust Management
– Interoperability
• Defined at domain level controls Kerberos settings
• Implemented by domain’s Key Distribution Center (KDC)
• Stored as part of domain security policy
(may only be set by Domain Admins)
• Windows attempts to use Kerberos first to authenticate user
logons. If Kerberos fails, NTLM is attempted (if enabled)
• NTLM appears primarily for backward compatibility with non-
Kerberos supporting Windows clients

63
Kerberos
Ticket-Granting
Ticket
1111 Service
Ticket
Windows 2000–based
Computer
Computer
2222
4444
3333
TGT
Initial Logon
KDCKDC KDCKDC
1111
2222TGT
Service Request
ST
ST
Session
Established
3333
TGT
Cached
Locally
Computer
Computer Target ServerTarget Server

64
Group Policy Settings:
Kerberos
• Enforce User Logon Restrictions
• Maximum Lifetime That a User Ticket Can Be
Renewed
• Maximum Service Ticket Lifetime
• Maximum Tolerance for Synchronization of
Computer Clocks
• Maximum User Ticket Lifetime

65
Disable LM Authentication
• W2K supports:
– Kerberos
– Windows NT challenge/response v.2 (NTLM 2)
» Includes LM, NTLM 1, NTLM 2
» LM enabled by default – Security Option: LAN Manager authentication
• W2K3 supports:
– Kerberos
– Windows NT challenge/response v.2 (NTLM 2)
» Includes LM, NTLM 1, NTLM 2
» LM disabled by default – Security Option: LAN Manager authentication,
set to Send NTLM Response Only
• Windows 95, WfW, Macs, and OS/2 clients only support LM not
NTLM
• Windows 98, SE, Me can be upgraded to support NTLM v2 with
the Directory Services Client add-on
– Add NTLM 2 to W95/98: Q239869

66
Directory Services Client
• Active Directory Client Extensions for Windows 95,
Windows 98, and Windows NT Workstation 4.0
• Adds to client: AD site awareness, W2K domain
logon, Active Directory Service Interfaces, DFS
client, WAB, and NTLM v2.
• Does not add: Kerberos, Group policy or
Intellimirror support, IPSec, L2TP, SPN, nor mutual
authentication
• Windows 9x Active Directory client extension is
distributed on the Windows 2000 CD
• Active Directory client extension for Microsoft
Windows NT 4.0 (with SP6a; Microsoft Internet
Explorer 4.01 or higher) on MS Web site
• No version of Directory Services Client for
Windows Me (Millennium)

67
Public Key Infrastructure – 1/2
• PKI adds authentication & encryption services to
Windows
• How PKI Works
– PKI based on certificates managed by CA that verifies identity
– Public keys issued for widespread distribution;
private key stays with user
– Anyone can use the public key to encrypt; only the holder of the
private key can decrypt
– When a public key appears first, followed by a private key, this
supports key exchange
– When a private key appears first, followed by a public key, this is
a digital signature
– PKI thus provides both identification and authentication
• Numerous applications use Digital Certificates to
provide security:
– E-mail, Web, digital file signing, Smart Cards, IPSec, EFS
recovery agent

68
Public Key Infrastructure – 2/2
• PKI Components
– Certificate Services
– CryptoAPI & CSPs provide crypto operations & private key
management
– Certificate stores to store & manage certificates
• Certificate Services
– Process certificate requests
– Verify access qualifications for requesters
– Create & issue certificates for qualified requesters
– Generate private keys and deliver to requester’s protected store
– Manage private key cryptography services
– Distribute & publish certificates for public access
– Manage certificate revocations
– Store certificate transactions for auditing
• Works through Certification Authority Console

69
EFS Issues 1/3
• EFS (Encryption File System) is built into Windows
2000, Windows XP, and Windows 2003 NTFS
• Encrypting boot and system files will cause
problems if the system can even boot
• Issues when autoexec.bat is encrypted:
– Users are unable to log on locally
– Remote resource access fails
– Resolution:
» Decrypt
» Use Recovery Console to log on as Admin, delete file, then
recreate
» Alter Registry to bypass autoexec.bat fie, delete, then
recreate.
• EFS protects files on NTFS partitions, not when in
transport over the network or when resident in
system memory (i.e. in use by an application)

70
EFS Issues 2/3
• EFS works using a public key to encrypt files and a
private key to decrypt files. If the private key is lost,
the files cannot be decrypted
• A user can be designated as EFS recovery agents
who can recover data after the private key of another
user is lost
• Through secpol.msc a private key can be exported to
removable media and deleted from the local system
• EFS cannot be used to encrypt system files, use
alternatives: PC Guardian's Encryption Plus for Hard
Disks (EPHD)

71
EFS Issues 3/3
• EFS on Windows 2000 uses DESX for encryption. It
can only decrypt using DESX.
• EFS Windows XP pre-SP1 use 3DES for encryption.
It can decrypt using DESX or 3DES.
• EFS on Windows XP SP1 and Windows 2003 uses
AES for encryption, by default. It can decrypt using
DESX, 3DES, or AES.
• EFS Files Appear Corrupted When You Open Them
– KB:329741
– Instructions on setting XP SP1 and 2003 to use 3DES or DESX
– Do not change this setting if there are existing encrypted files
• Attempting to open AES encrypted files on
Windows 2000 or Windows XP pre-SP1 systems will
corrupt the files resulting in data loss!

72
IPSec
• IP Security (aka IPSec)
• IETF standard security protocol (RFC 2411 provides
a roadmap to all related RFCs)
• Provides authentication and encryption
• AH (Authentication Header) – integrity and
authentication
• ESP (Encapsulating Security Payload) – integrity,
authentication, confidentiality - encryption
• Operates at layer 3 as a plug-in between transport
(UDP or TCP) and network (IP and others) protocols
• Works with both IPv4 and IPv6
• Wide industry support, expected to become
predominant VPN Internet standard
• Used with Layer 2 Tunneling Protocol (L2TP) for
dial-up VPNs, uses by itself for network-to-network
VPNs

73
IP Security (IPSec) Policies
• Construct IPSec policies using Windows Security
Manager
• IPSec policies associate with default domain policy,
default local policy, or customized policy
• Includes abilities to negotiate security services
(called negotiation policies)
• IP filters let different policies apply to different
computers, based on destination & protocol
• To create IPSec policy
– Create a named Security Policy for some container
– Create negotiation policies
– Create IP filters, associate with negotiation policies

74
Locking Down Windows Systems
The first steps to locking down Windows include:
• Applying service packs
• Applying needed hot fixes and patches
• Apply security templates
• Testing for a secure configuration

75
Service Packs
• Hotfix - single issue, apply only if necessary
• Service Pack - cumulative patches & fixes
• Re-installation of Service Pack not necessarily
required after installing new drivers or software on
Windows 2000/XP/2003 as was with Windows NT
• Windows 2000: SP4 – see later slide
• Windows Server 2003: no service packs available as
of 11/14/03, SP1 beta rumored to be in testing for
release in late 2004

76
Windows 2003 SP1
• Due late 2004
• Will include numerous features and improvements
from the Springboard project
• Springboard includes elements and components
originally designed for Longhorn, for which
Microsoft has accelerated release for Windows
2003 and Windows XP
• Will include:
– Roles based Security Configuration Wizard (SCW) to quickly
configure new servers based on function or role
– Insecure network client isolation
– VPN quarantine
– Enterprise level protection features (yet unrevealed)

77
Windows 2003 Pre-SP1
Security Issues 1/2
• 23 pre-SP1 hot fixes as of 5/11/2004
• MS04-015: Vulnerability in Help and Support Center Could
Allow Remote Code Execution (840374)
• MS04-014: Vulnerability in the Microsoft Jet Database Engine
Could Allow Code Execution (837001)
• MS04-012: Cumulative Update for Microsoft RPC/DCOM
(828741)
• MS04-011: Security Update for Microsoft Windows (835732)
• MS04-007 : ASN .1 Vulnerability Could Allow Code Execution
(828028)
• MS04-006 : Vulnerability in the Windows Internet Naming
Service (WINS) Could Allow Code Execution (830352)
• MS04-003 : Buffer Overrun in MDAC Function Could Allow
Code Execution (832483)
• MS03-048 : Cumulative Security Update for Internet Explorer
(824145)

78
Windows 2003 Pre-SP1
Security Issues 2/2
• MS03-045 : Buffer Overrun in the ListBox and in the
ComboBox Control Could Allow Code Execution (824141)
• MS03-044 : Buffer Overrun in Windows Help and Support
Center Could Lead to System Compromise (825119)
• MS03-043 : Buffer Overrun in Messenger Service Could Allow
• MS03-041 : Vulnerability in Authenticode Verification Could
Allow Remote Code Execution (823182)
• MS03-039 : Buffer Overrun In RPCSS Service Could Allow
• MS03-034 : Flaw in NetBIOS Could Lead to Information
Disclosure (824105)
• MS03-030 : Unchecked Buffer in DirectX Could Enable System
Compromise (819696)
• MS03-026 : Buffer Overrun In RPC Interface Could Allow Code
Execution (823980)
• MS03-023 : Buffer Overrun In HTML Converter Could Allow

79
Windows 2000 SP5
• Due late 2004, after Windows 2003 SP1 ships
• No reliable details on elements other than existing
post-SP4 hot-fixes (17 as of 5/11/2004)
– MS03-022, MS03-023, MS03-026, MS03-034, MS03-039, MS03-041,
MS03-042, MS03-043, MS03-044, MS03-045, MS03-049, MS04-006,
MS04-007, MS04-008, MS04-011, MS04-012, MS04-014

80
Windows 2000 Service Pack 4
• Released Aug 2003 - generally stable
• Recommended for Windows 2000 Server and Pro
• Available on CD, through Windows Update, on Windows 2000 Web
area
• SP4 includes ~674 fixes (102 for security issues), see KB: Q327194
– Note: these are issues in addition to those in SP3 and earlier.
• Release notes for W2K SP4: 813432
• SP4, like SP3, upgrades the system to use 128-bit encryption. If you
uninstall SP4 (or SP3), the system will remain at 128-bit encryption.
• SP4 includes Internet Explorer 5.01 SP4 and Outlook Express 5.5
with SP2
• SP4 adds to Windows 2000: native 802.1x wireless networking
support and native USB 2.0 support
• There are 14 post SP4 security issues as of March 2004.

81
Known Issues with W2K SP4
• Local Security Policy Values Revert to the Values
That Are Stored in SecEdit.sdb (KB:827664)
• If you have Windows Update service disabled when
you install SP4, the installation program re-enables
Windows Update without notifying you.
• .Net Framework 1.0 programs won't run.
– Available hotfix or upgrade to .Net Framework 1.1 (KB:823845)
• Norton Internet Security 2001 is incompatible.
– Upgrade NIS (KB:823087)
• Exchange Server can't start its Key Management
Service.
– Workaround: database defragmentation (KB:818952)
• Other known issues: KB: 813432

82
Windows XP Service Pack 2
• To be released?? – current rumor is July 2004
• Will require significant changes to an
organization’s deployment processes and
configuration procedures
– New security and networking enforced defaults will cause
numerous applications and services to fail, reconfiguration will
be necessary
• RC1 of SP2 – not stable enough for widespread
deployment
• RC2 of SP2 due soon – may be suitable for limited
testing, I don’t recommend production environment
deployment of these test releases
• Sweeping changes to Windows XP
– Improved default security
– Improved ICF, RPC, DCOM, COM
– Better memory management and protection (i.e. buffer overflow)
– Improved IE, Outlook Express, Windows Messenger

83
Windows XP Service Pack 1a
• SP1a for Windows XP released on 2/3/2003
• There are 77+ post SP1a security issues as of
March 2004
• SP1a and SP1 are identical, except that the
Microsoft VM (Java support) is removed from SP1a.
• Generally considered stable
• We recommend installation on all XP systems
• Updates XP systems with hotfixes released through
mid-Aug 2003 (MS02-048)
• Includes IE 6 SP1 & USB 2.0
• Does not include BlueTooth
• Known issues: KB:324722
• 57 post SP1a hot fixes as of 5/11/2004

84
Windows XP
Security Rollup Package 1
• Released 10/14/2003
• As an interim release before SP2
• Contains 22 security related patches in a single
installation package
– Includes security patches from SP1 through MS03-039
• KB826939

85
Working with Service Packs
• Review documentation and KB documents
associated with Service Pack and/or hotfix before
initiating installation.
• Need sufficient free space on boot partition, ~3 times
size of SP, more if uninstall info is saved
• Move previous SP's uninstall directory from
%SystemRoot%$NTServicePackUninstall$ to
another safe location.
• Backup data, Registry, maybe entire system
• Reboot the system
• Terminate all applications, stop unneeded services,
stop debugging, stop remote control sessions
• Disable Server service to prevent network access
before starting SP/HF application
• Stop all third-party services requiring disk access,
i.e. virus protection and defragmenters/optimizers

86
Managing SPs and HFs
• Service Pack presence visible through most Help|
About screens from native utilities, WINVER tool
• Hotfix identification varies by hot-fix - typically run
HOTFIX.EXE or view Hotfix Registry key for list
• Qfecheck –management tool from Microsoft
• UpdateEXPERT – SP and HF inventory and
installation tool from Sunbelt Software
• HFNetChkPro – from Shavlik Technologies
– http://www.shavlik.com/pHFNetChkPro.aspx
• All DCs should be maintained at same SP level,
mixing can introduce problems
• Software Update Svcs (SUS) –internalizes & manages
Windows Update for private networks
• Service packs for Windows 2000, XP, and 2003 can be
slipstreamed for new installations or a pre-integrated
installation CD may be available

87
Lockdown Tools 1/2
• Microsoft Baseline Security Analyzer (MBSA) 1.2
– GUI and command line tool
– Runs on Windows 2003/XP/2000 only, but will scan Windows NT
4.0, Windows 2003, Windows 2000, Windows XP, IIS 4.0, IIS 5.0,
SQL 7.0, SQL 2000, IE 5.01+, and Office 2000/2002/2003, + more.
– Lists all necessary or applicable patches, fixes, or security
settings for each detected OS and software.
– Each issue is scored:
» Red X – missing
» Yellow X – possible vulnerability or reminder warning
» Green check – verified secured setting or control
» Blue asterisks – reminder or warning of possible
vulnerability
» Blue information icon – information about system
– Possible risk: MBSA can create a plaintext report, with clever
scripting a malicious user can create an automated attack tool
based on the results.

88
Lockdown Tools 2/2
• MBSA was developed with Shavlik Technologies
– Commercial versions are available:
» HFNetChkPro
» EnterpriseInspector
» Both are free for use on up to 10 workstations and 1 server
– www.shavlik.com
• HFNetChk
– command line tool which scans for installed hotfixes
– Excellent for scanning local and networked systems
– Does not download or install necessary patches
• CIS benchmark security tool
– Evaluates a Windows systems for compliance against pre-
defined security benchmarks

89
Security Configuration and
Analysis
• MMC snap-ins:
– Security Configuration and Analysis
– Security Templates
• Used to customize Group Policies a.k.a. security
templates.
• Several pre-defined security templates for client,
server, and DC systems of basic, compatible,
secure, and high security.
• Analyze current security state
• Impose a pre-defined or customized security
template
• Create custom templates

90
Well-known Vulnerabilities
• Windows is at risk to a wide number of well-known
and oft-exploited vulnerabilities.
• The following slides discuss many of these along
with workarounds and countermeasures

91
Services and Security
• Only install necessary services
• Unbind unneeded protocols
• Candidate services to disable/remove:
Alerter Clipbook Server
Computer Browser DHCP client
Directory Replicator Messenger
NetLogon Network DDE
Plug and Play RPC locator
Server SNMP Trap service
Spooler TCP/IP NetBIOS Helper
Telephony service Workstation
• Unnecessary services offer information gathering “holes” or
access points
• Test service removal on non-production systems
• Sysinternals’ Process Explorer - displays DLL dependencies
• See the BlkViper Web site on removing/disabling services

92
SNMP Problems
• If using SNMP, remove or alter public default
community
• Anyone with an SNMP browser can poll this
community
• Snmputil from Resource Kit:
– Snmputil walk <IP address> public <OID>
– OIDs identifies a specific branch in the MIB
• IP Browser from Solar Winds (www.cerberus-
infosec.co.uk) offers GUI exploration of public
community
• Don’t deploy SNMP unless you use it

93
Raw Sockets
• Windows 2003, Windows XP, Windows 2000, UNIX, and Linux,
support administrative or root only access to full raw sockets
• However, on stand-alone Windows XP Professional and Home
systems, all local users are administrators by default
• Full raw sockets is a means by which the TCP/IP stack is
bypassed to allow direct access to underlying network data
transport
• Full raw sockets were originally designed as research tools,
not for real-world OSes
• Full raw sockets allow spoofed IP addresses and SYN floods
• IE’s defaults download and install software without user’s
knowledge
• Use GRC.com’s SocketToMe and SocketLock to detect and
close down raw sockets to users and restrict it to SYSTEM
access only

94
Enumeration Using
Telnet Client (1/2)
• Use any telnet client:
– telnet <domain name or IP> port
– Followed by pressing Enter several times
• Test common ports: 80 (Web), 21 (FTP), 25 (SMTP), etc.
• Many services respond with error msg (a.k.a. banner)
listing information about service on that port
• For example:
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/6.0
Date: Wed, 23 Aug 2000 16:19:04 GMT
[…]
• Web server enumeration tool: ID Serve from GRC
– http://grc.com/id/idserve.htm

95
Enumeration Using
Telnet Client (2/2)
• Protection:
– remove default banners where possible
– check open ports with scanner (nmap)
– prevent remote Registry access
– Don’t rely on obscurity as your only means of security
• IIS’s URLScan utility disables banners on any version of
IIS by refusing invalid service requests. Knowledge
Base: 317741 - HOW TO: Mask IIS Version Information
from Network Trace and Telnet
• Avoid telnet service whenever possible, use secure
alternatives such as remote control software (such as
PCAnywhere), SSH (secure shell), or stunnel.

96
File Streaming
• A method for hiding executables
• Requires NTFS’s POSIX capabilities and RK “cp” tool
– cp <file> <hostfile>:<file>S
• Streamed files can be executed without extraction using:
– Start <hostfile>:<file>
• Can be used on files and directories
• Great way for hackers to hide toolkits
• Locate streamed files with:
– LADS – Locate Alternate Data Streams – www.heysoft.de/nt/ntfs-ads.htm
– Streams - www.sysinternals.com/misc.htm
• SANS warning: http://www.sans.org/newlook/alerts/NTFS.htm
• If POSIX is removed/disabled, existing streams still function
but no new streams possible.

97
Boot Partition Conversion
Problem
• If Windows 2000 is installed onto FAT/FAT32
formatted boot partition, then converted to NTFS
• Correct default security permissions not applied to
files on boot partition
• Use SECEDIT tool to apply correct permissions
• Q237399
• If NT 4.0 was installed with SYSPREP, a bug
prevents the Win2K upgrade from converting a FAT
boot partition to NTFS
• Must manually convert drive, no other MS fix
• Q256917

98
51 IP Addresses
• A Windows 2000 Server as a domain server cannot
support more than 51 IP addresses OOB
• Bug in Active Directory causes error
• Attempting to add 52nd address renders system
unable to:
– Authenticate users
– Launch and use administrative tools
• Limitation is per server, not per NIC
• Corrected in SP2
• Only workarounds:
– add a second system
– use W2K as a non-domain controller

99
Administrative shares
• C$, D$, …
• Hidden/system shares
• Accessed from any client on network
• Can be accessed
over VPN, RAS,
PPTP
• Only require
admin name
and password

100
Hidden Systems
• NET CONFIG SERVER /HIDDEN:yes|no
• Removes system from browse lists
• Prevents Server service from being tuned via the
Network applet
• Disables auto-tuning
• To restore auto-tuning, edit the Registry and
correct the entries in the LanmanServer Parameters
section
• See KB: 128167; 321710; 314498

101
Predefined accounts
• Administrator
– Can be renamed
– Requires non-blank password on Domain Controllers
– Cannot be locked out or disabled
– Cannot be deleted
– Password never expires
– Password cannot be stored with reversible encryption
– Smart card cannot be required
– Cannot be delegated
– DES cannot be used and Kerberos is required
• Guest
– Can be renamed
– Blank password by default
– Can be locked out and disabled
– Cannot be deleted
– Disabled by default
• Remember: everyone knows these accounts exist

102
The IIS Accounts
• IUSR_computername
– Created by IIS for anonymous Web & FTP access
– “Log on Locally” right
– Member of Guests and Domain Users (DCs only)
– Non-blank random password
– Access enabled by default
• Can be renamed, requires change in Active
Directory Users and Computers as well as in both
IIS’s Web and FTP server Properties
• Remove from Domain Users and Guests groups to
force local and Web access only

103
SAM Deletion
• Deleting the winntsystem32configsam file
destroys all user accounts and assigns blank
password to administrator
• Use only as last resort
• All domain and security settings related to uses
and groups are destroyed

104
Replace Passwords
• Winternals Locksmith
• Used to replace user account password
• Works on any account, including Administrator
• Requires physical access
• Requires NTRecover or Remote Recover
• NTRecover allows data from one system to be
moved across a serial cable to another system. The
source system is booted with a floppy to bypass
security or to recover a failed system.
• Winternals: www.winternals.com
• Similar tool: ntpasswd:
http://home.eunet.no/~pnordahl/ntpasswd/

105
Who is the Admin?
• List admins with:
– NET GROUP "Domain Admins" /DOMAIN
• Get more details on each listed user with:
– NET USER username /DOMAIN | more
• Decoys are for external users
• Any valid user can exploit NetBIOS to extract
information about users and systems

106
Administrator Decoy
• Rename real Administrator account with subtle
non-obvious name - avoid admin, sysop, root, master
• Create new decoy account named “Administrator”
with simple password
• Remove all or most access privileges and group
memberships
• Audit every action and logon attempt
• Consider creating fake confidential content to snag
intruders long enough to be detected and located (I.e.
a honeypot)
• Method only isolates Admin account from external
intruders, Domain Admins can always discover
accounts

107
Double Admin Accounts
• Each administrator needs two accounts:
– Administrative account for management work
– Normal user account for daily work
• No two admins should ever share an account
• Restrict/Delegate each admin to his or her
segment/resource responsibilities
• Only grant Admin access to trusted users
• Keep local Admins out of Domain Admins global group
to control access levels
• Audit admin account activities
• Be pessimistic about offering admin access
• Revoke “log on from network” User Right for all admin
accounts - requires physical presence at system to log
on and manage

108
Anonymous & Null Connections
• By default, all anonymous connections and null sessions can
enumerate domain user names and share names.
• A null session can connect to any share or printer which the
Everyone group has access to.
• Set RestrictAnonymous to 1 to prevent un-authorized users
from gaining access to user and share names.
• RestrictNullSessAccess can be set to 1 to prevent null
sessions from connecting to a system.
• Some network services use null sessions to enumerate
systems, perform tasks, or contact other systems on the
network. Disabling null sessions may cause these services to
fail.
• The NullSessionPipes contains a list of the named pipes that
can be accessed by null sessions. Named pipes can be
removed from this list, but they may adversely affect some
networking services.

109
Leaky Ports
• Windows communicates confidential information
over many ports, including:
• NetBIOS – 135 – 139
• Kerberos – 88
• LDAP – 389
• Microsoft Directory Services – 445
• Kerberos kpasswd (v5) - 464
• Secure LDAP– 636
• Global Catalog – 3268
• Global Catalog SSL – 3269
• Always block on border systems!
• Disable NetBIOS interface via bindings
• Use Firewall/Proxy with port filtering

110
NetBIOS Cache Pollution (1/2)
• Vulnerable to NetBIOS cache corruption via unicast or
broadcast UDP datagrams
• Allows a man-in-the-middle attack (among other
activities) by corrupting the cache with altered
NetBIOS Name-to-IP address mappings
• Microsoft is aware of this problem, however according
to the discoverers, Microsoft will not issue a patch
because it feels the problem resides in the
unauthenticated nature of NetBIOS

111
NetBIOS Cache Pollution (2/2)
• Possible protection measures:
– Block NetBIOS TCP and UDP ports (135-139, and 445) at all network
borders.
– Do not rely on NetBIOS to perform hostname-to-IP address lookups.
– Disable all services that register a NetBIOS name as seen with the
"nbtstat -n" command. Be sure to unbind the "WINS Client" and
other related services that employ NetBIOS.
– Upgrade to Windows 2000 and disable "NetBIOS Over TCP/IP"
functionality

112
NTFSDOS
• Enables NTFS volume access from any version of
DOS or Windows
• Bypasses all NTFS security settings (ACLs)
• Loadable from a boot floppy
• Read-only access
• Protection:
– Restrict physical access to machine
– Remove or lock floppy drives
• Commercial version: write, rename
• Companion utility: NTRecover - copy files from
NTFS drives across a serial cable
• Protection: remove floppy drive, no DOS boot
partition, restrict physical access
• www.sysinternals.com, www.winternals.com

113
System Tools
• Consider moving these common administrator
tools into separate directory, set for admin access
only:
• xcopy net arp wscript
• telnet arp ping route
• finger at rcp cscript
• posix atsvc qbasic runonce
• syskey cacls ipconfig secfixup
• nbtstat rdisk debug cmd
• edit.com netstat tracert nslookup
• rexec regedt32 regedit edlin
• ftp rsh tftp

114
Windows 2000
OS/2 and POSIX
• Windows 2000 natively supports OS/2 v.1 and POSIX.1. In most
cases, these are useless, and pose security threat for Internet
accessible systems.
• These subsystems can be removed from most configurations
without problems:
1. Delete following folder and all of its contents: %systemroot
%system32os2
2. Delete all Registry subkeys underneath
HKLMSoftwareMicrosoftOS/2 Subsystem for NT
3. Delete Registry value Os2LibPath in
HKLMSystemCurrentControlSetControlSession
ManagerEnvironment
4. Clear contents of Optional in Registry:
ManagerSubsystems (but leave the value named Optional itself in
place)
5. Delete Os2 and Posix Registry subkeys in
ManagerSubSystems
6. Reboot.

115
Remote Control and
Terminal Services
• Use system in a host/terminal configuration
• Local display, keyboard, and mouse control
remote system
• Installs as service, similar to RAS
• Still requires logon authentication
• Operates over POTS, network, or Internet
• Products: PCAnywhere, Carbon Copy,
Timbuktu, Remote DT, WinFrame, Terminal
Server, Back Orifice 2000, Windows XP’s
Remote Desktop Connection, Tridia VNC
• Most require user accounts to have Log On
Locally User Right

116
Terminal Server
• Terminal Server clients can perform a brute force
password attacks against any account without
triggering lockout – such connections are
considered interactive logons. Fortunately, TSC
automatically disconnects after 5 failed attempts
• Configure Terminal Server to log out user on
disconnect. Otherwise, a hacker could usurp a valid
user by connecting and taking over a session

117
Detecting Remote Control
Software
• Remote Control software may be present because:
– User attempting to simplify work tasks
– Used by administrators
– Trial or demo
– Trojaned (e.g Back Orifice)
– Unsuspected user executes or installs
– Deposited by hacker after break-in
• Use a port scanner (such as nmap, fport)
• Keep your anti-virus scanner updated
• Use a malicious code or spy ware scanner, such as
AdAware, SpySubtract, PestPatrol, trojanscan.com
• While Remote Control products have default ports,
most can use any port

118
Security & Viruses
• Virus protection is a mandatory element of network
and Internet security
• Protect your systems from any type of malicious code:
virus, worm, trojan, logic bomb, etc.
• Any information pathway is susceptible
• Active prevention and monitoring is required
• Virus protection is only as reliable as your tools:
– Integration
– Central Management
– Automated
– Multi-layered
• Microsoft via STPP now offers free virus-related tech support at
1-866-PC SAFETY (1-866-727-2338)

119
Develop Anti-Virus Policy
• Solution is software, not user behavior modification
• Establish emergency response team
• Automate prevention and detection
• Backup, Backup, Backup
• 100% virus free servers
• Isolate risk takers, revoke privileges
• Eliminate unapproved software
• Don’t allow users to perform manual virus cleaning
• Don’t accept as valid any unverified e-mails about
viruses
• Train users about safe e-mail practices
• Understand the risk in active and downloadable content

120
Virus Updates
• Automatic patch and update installation
available on most products
• Engine updates can cause system crashes
• Have updates pushed/pulled to single system
• After testing, deploy engine upgrades

121
Recovering Infected Documents
• CanOpener from Abbot Systems
• Able to open and extract data from infected files
without launching/activating attached virus
• Not virus checker, but complementary tool
• Developed in response to Melissa
• Abbott Systems Inc
– http://www.abbottsys.com/products.html (CanOpener)
• Recover damaged or corrupted Office
documents:
– http://www.officerecovery.com/

122
E-mail as a Virus Carrier
• E-mail is the most common carrier of viruses
• Virus scanners: only as good as definition lists
• Don’t rely upon scanners as your only protection
• Up to date virus scanners still miss 3% of known
viruses!
• New viruses often get past virus protected borders
• The rate of virus borne e-mail is increasing:
– 1999 – one per hour
– 2000 – one per 3 minutes
– 2001 – one per 30 seconds
– 2002 – more than one per second
• MessageLabs (www.messagelabs.com) offers
guaranteed delivery of 100% virus free e-mail.

123
Internet Security Issues
• Requirements to gain access:
– valid user account
– password
– name of domain
– name of the domain controller or IP address of WINS server
• Avoid Telnet and other UNIX daemon ports:
susceptible to DoS attacks
• FTP - more susceptible to password attacks
than system logons
• Guest account and anonymous access
• New generations of tools: nmap, nlog, legion

124
Denial of Service
• Any Internet connected server is vulnerable
• Any system is vulnerable, even Microsoft’s own Web sites
• DoS information:
– FBI Web site
» http://www.fbi.gov/nipc/trinoo.htm
– CERT Web site
» http://www.cert.org/advisories/CA-2000-01.html
– NetWare Connections: April 2000: Cyber Crime:
» http://www.nwconnection.com/2000_04/cyber40/index.html
• Many well-known Distributed Denial of Service (DDOS) tools
exist on the Internet:
– Tribal Flood Network (TFN), trinoo, shaft, stacheldracht, mstream, naptha,
zombie
• Five Registry modifications to harden the TCP/IP stack
against DoS attacks - Q315669

125
Internet Connection
Vulnerabilities
• Your network, proxy, router, gateway, notebook, or
workstation system may be open to Internet attacks
• All Windows OSes offer information and access to
external anonymous connections
• Must unbind NetBIOS from all external interfaces
• Test NetBIOS vulnerabilities at: http://grc.com/
– Use the Shields UP online tests to look for services and
ProbeMyPorts to look for open ports
• Security Audits from SecuritySpace.com –monthly
subscription service scans for vulnerabilities

126
Web Bugs
• 1 x 1 graphic: tracks Web usage without your
knowledge
• Often used to profile current or perspective
customers
• Some detection tools have become available:
– Grc.com’s OptOut, Spyware Analyzer, and NetFilter
– Regnow.com’s SpyCop
• Often rely on cookies – disabling cookies will stop
some of them
• Ad-aware can detect and remove some Web bugs:
http://www.lavasoftusa.com/
• Bugnosis – Web bug detector – www.bugnosis.com

127
IIS Security Issues
• Basic IIS Protection
• IIS Protocol Protection
• Securing IIS Web
• Securing IIS FTP
• Use with proxy or firewall

128
Locking Down IIS Web 1/4
• First, locked down the host OS!
• Install IIS into its own partition
• Use a packet filtering firewall/router to block all
unused ports
• Avoid using FrontPage Server Extensions or
WebDev on production IIS systems
• IUSR: User Rights, authentication, member of
Everyone & Authenticated Users groups
• Specify No Access for IUSR_ account on
everything, then grant IUSR_ account access only
as needed
• Change name of IUSR account - duplicate changes
in ADUaC and IIS

129
• Use alternate TCP port for private information
service use
• Do not include sensitive or confidential information
in ASP files.
• Set minimum possible or application appropriate
IIS permissions on virtual directories, folders, and
files. Avoid script/executable permissions as much
as possible.
• Set minimum possible or application appropriate
NTFS ACLs on folders and files.
• Isolate IIS from DCs, file servers, other sensitive
data - don’t host IIS on sensitive systems
• Enable and configure logging/auditing

130
• Update root CA certificates – add new CAs you
trust, remove CAs you no longer trust
• Remove the IISADMPWD Virtual Directory
• Disable or remove all IIS sample applications:
• IISSamples, IISHelp, and MSADC
• Disable or remove unneeded COM components
• Inspect all ISAPI scripts for RevertToSelf(); - which
changes execution context to system level – use
dumpbin (a Win32 API developer tool)

131
• Remove Unused Script Mappings, especially for
ISAPI
• Check <FORM> and Querystring Input in Your ASP
Code for validity before processing
• Disable parent paths (i.e. “..”) (294807 – pre-6.0)
• Disable IP Address in Content-Location (218180)
• Disable WebDAV (post SPR1) - Unchecked Buffer In
Windows Component Could Cause Web Server
Compromise (KB:815021; 241520) – MS03-007

132
Unsuspecting Web Servers
• IIS and PWS automatically installs and runs on
many OSes
• If IIS/PWS is running, you are vulnerable to all un-
patched exploits
• Open IE, in the Address field, type "http://localhost"
and press Enter. If you get a Web page or a dialog
box asking you to enter your name, password, and
domain, then you are running IIS/PWS.
• To uninstall IIS/PWS, use Add/Remove Windows
Components.
• To disable, use IIS MMC snap-in or Services applet

133
IIS Host Protection
• Isolation domain
• Reverse Proxy – “port forwarding”
– Can slow access due to proxy activities
• Web in a box solutions
• Co-locate at an ISP
– Requires use of remote control software
• Outsource Web/FTP hosting to third-party
• Maintain an internal backup of hosted Web/FTP
resources to insure all IIS/FTP solutions

134
IIS Isolation Domain
• Configure IIS in own distinct domain
• Define trust to administer IIS domain
• Enables control of IIS while protecting LAN
• Consider an IPX LAN where only IIS host uses TCP/IP -
deploy MS Proxy
Server & use
IPX-to-IP
gateway for
client Internet
access
• Deploy a
firewall between
IIS and main
domains to
filter traffic

135
Securing IIS FTP
• Don’t rely on ISM’s access rights, use NTFS (Think
of IIS FTP as shares)
• Offer minimal access to users
• Avoid mapping drives or directories:
– across the network
– of root
– whose children should not be FTP accessible
• Log FTP activity and check Event log frequently
for access denials - audit access failures
• Block IPs where break-ins originate
• Remember that passwords are passed in clear by
FTP protocol
• Disable anonymous user uploads

136
Hackers Do It With Subtlety
• Footprinting
– Profiling an organization’s security structure
– Discovering network addresses and domain names
• Scanning
– Determining active services and applications
– Locating active or open ports
– Determining OS
• Enumeration
– Extract account information
– Connecting to shares
– Connecting to services or applications
• Exploitation
– Taking advantage of security holes

137
Hacking Tools - 1/4
• VisualRoute - GUI tracert - www.visualroute.com
• SolarWinds 2000 - ping, subnet, traceroute, DNS,
and more - www.solarwinds.net
• Genius - traceroute and more - www.indiesoft.com
• Nmap - port scanner - www.insecure.org/nmap/
• PortPro - port scanner - www.securityfocus.com
• Legion - connects to open shares -
packetstorm.securify.com/groups/rhino9/
• Epdump - port and service scanner -
packetstorm.securify.com/NT/audit/
• LC4 – (formerly L0phtCrack) password
grabber/cracker - http://stake.com/research/lc/

138
Hacking Tools - 2/4
• getmac - identifies MAC and device name of NICs
on remote systems - RK tool
• netdom - domain management tool, list domain
membership and BDCs - W2K Support tool
• Netviewx - lists nodes and services in a domain -
www.ibt.ku.dk/jesper/NetViewX/default.htm
• Netcat (nc) - port connector, DNS checking, port
scanning, and more - www.l0pht.com/~weld/netcat/
• Sam Spade - multi-function tool: DNS query,
website search, IP block identifier, SMTP verify, etc.
- samspade.org/ssw/
• NetBus - a remote control package -
www.netbus.org/

139
Hacking Tools - 3/4
• Revelation - reveals passwords behind asterisks -
www.snadboy.com
• Password Recovery - recover passwords from
various file types - www.accessdata.com
• Password crackers -
users.aol.com/jpeschel/crack.htm
• Cerberus Internet Scanner – scan for ports,
services, and common vulnerabilities -
www.cerberus-infosec.co.uk
• Invisible KeyLogger – records keystrokes -
www.amecisco.com
• remote – used to regain access to breached
systems - RK

140
Hacking Tools - 4/4
• Pippa or datapipe – perl scripts used to redirect
ports - www.s0ftpj.org/tools/pippa_v1.txt and
www.geog.psu.edu/~qian/libgfc/src-gdatapipe-
h.html
• Grinder – searches out Web servers on IP
addresses -
packetstorm.securify.com/groups/rhino9/
• Foundstone tools – a wide assortment of utitlies -
www.foundstone.com/rdlabs/tools.php
• Nessus port scanner - http://www.nessus.org/
• Fscan -
http://www.foundstone.com/resources/tools.html
• NetScanTools - http://www.nwpsw.com/

141
Security Certifications
• SANS GIAC
• MCSE + Security:
• ISC2 CISSP
• Security+
• TruSecure ICSA (TICSA)
• CIW Security Analyst
• NAX – Network Analysis Expert (WildPackets)
• “The vendor-neutral security certification landscape, May
2003 update” SearchSecurity.com
• “Update: Survey of vendor-specific security certs, May 2003”
SearchSecurity.com

142
Online Resources Intro
• URL Safety - We’ve endeavored not to include any
high-risk Web sites in our list of recommended
URLs (except as noted). However, access sites at
your own risk.
• KB – Knowledge Base documents which can be
found on TechNet (CD or Web site:
www.microsoft.com/technet/) and at
support.microsoft.com. Knowledge Base
documents may or may not be preceded by a Q, as
in Q260694.
• Free Email Alerts every time Microsoft Publishes
NEW Support or Knowledge Base Articles by
product/technology: http://www.kbalertz.com/
• RK – Resource Kit – available as a standalone
product or as part of TechNet

143
TechNet
• Monthly publication
• Documentation for every major MS product
• White papers, FAQs, troubleshooting
documents, book excerpts, articles, utilities,
patches, fixes, upgrades, drivers, and
demonstration software
• http://www.microsoft.com/technet/

144
Database of Registry Entries
• W2K3: part of Microsoft Windows Server 2003
Deployment Kit as the Registry Reference for
Windows Server 2003. Also available online
http://www.microsoft.com/windowsserver2003/techi
nfo/reskit/deploykit.mspx
• W2K RK utility: REGENTRY.CHM
• NT RK utility: REGENTRY.HLP
• Lists all standard or default entries of Registry
• Locate by topic, alphabetically, or search
• Excellent resource for security or any type of
maintenance requiring Registry manipulation
• Windows Registry Guide:
http://www.winguides.com/registry/
• The viewable Registry is collection of exceptions,
not exhaustive collection of configuration settings.

145
Online Resources 1/5
• Microsoft Security Advisor & Notification Service
– http://www.microsoft.com/security/
• Various Windows Security Guides:
– http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/security/prodtech/windows/default.asp
• Department of Homeland Security
– Information Analysis and Infrastructure Protection Directorate CyberNotes:
http://www.nipc.gov/
» Bi-weekly list of all bugs, holes, and patches for software (including OSes),
exploit scripts and techniques, Internet trends, viruses, and Trojans
• Microsoft Security – Trustworthy Computing for IT
– http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/security/default.asp
• Windows & .NET Magazine
– http://www.win2000mag.net/
• ENT News: Maximizing the Enterprise Windows Experience
– http://www.entmag.com/
• Windows & .NET Magazine: Security Administrator
– http://www.ntsecurity.net/
• Windows NT/2000/XP/Server 2003 Tips and Tricks
– http://www.jsiinc.com/reghack.htm
• SANS Institute
– http://www.sans.org/

146
• Hacking Exposed book companion Web site
– http://www.hackingexposed.com/
• TISC Security Web site
– http://tisc.corecom.com/
• CERT
– http://www.cert.org/
• Somarsoft
– http://www.somarsoft.com/
• Securityfocus
– http://www.securityfocus.com/
• NSA’s Security Recommendation Guides
– http://www.nsa.gov/
• Microsoft’s Security Operations Guide for Windows 2000 Server
– http://www.microsoft.com/downloads/release.asp?releaseid=37123
• NTSecurity.nu’s Security Toolbox
– http://www.ntsecurity.nu/toolbox/
• Foundstone’s Free Tools
– http://www.foundstone.com/resources/free_tools.html

147
• Security Mailing lists
– http://www.cert.org/other_sources/usenet.html
• @Stake/l0pht (where crackers congregate!)
– http://www.atstake.com/
• Beverly Hills Software
– http://www.bhs.com/
• SERVERxtras, Inc.
– http://www.serverxtras.com/
• Sunbelt Software (nt-admin list)
– http://www.sunbelt-software.com/
• Windows NT/2000 FAQ
– http://www.ntfaq.com/
• Search Windows 2000
– http://www.searchwin2000.com/
• Security Administrator – Windows & .NET Mag
– http://www.secadministrator.com/
• Hammer of God – tools
– http://www.hammerofgod.com/download.htm

148
• NTBugTraq
– http://www.ntbugtraq.com/
• Computer Incident Advisory Capability (CIAC):
– http://www.ciac.org/
• Federal Computer Incident Response Capability (FedCIRC):
– http://www.fedcirc.gov/
• AntiOnline :
– http://www.antionline.com/
• Security News Network:
– http://www.atstake.com/security_news/
• NSA’s W2K Security Recommendation Guides
– http://nsa1.www.conxion.com/win2k/download.htm
• Encryption and Security-related Resources
– http://www.cs.auckland.ac.nz/~pgut001/links.html
• Event ID.net
– http://eventid.net/
• NIST - CSRC
– http://csrc.nist.gov/publications/nistpubs/

149
• Microsoft Patch and Hotfix Download Center:
– http://www.microsoft.com/downloads/
• Microsoft KnowledgeBase, TechNet
– http://support.microsoft.com/
– http://www.microsoft.com/technet/
• MSNEWS.MICROSOFT.COM - NNTP server:
– microsoft.public.inetexplorer.ie4.security
– microsoft.public.java.security
– microsoft.public.win2000.security
– HINT: use newsgroup search on “security” for complete list!
• Microsoft Security reporting email
– secure@microsoft.com
• NTSecurity mailing list
– Majordomo@iss.net - subscribe ntsecurity
• MCP Mag: April 2000: Security Advisor
– http://www.mcpmag.com/members/00apr/col3main.asp
• Netware Connection: April 2000: Cyber Crime
– http://www.nwconnection.com/2000_04/cyber40/index.html

150
Vulnerability Scanners 1/2
• Security Space: Security Audits:
http://www.securityspace.com/
• Qualys: Free online scanner for the SANS Top 20
vulnerabilities: https://sans20.qualys.com/
• Foundstone: FoundScan Enterprise Vulnerability
Management System (EVMS):
http://www.foundstone.com/
• Harris Corporation: STAT Scanner:
http://www.statonline.com/
• Internet Security Systems: Internet Scanner:
http://www.iss.net/
• SAINT Corporation: http://www.saintcorporation.com/
• Advanced Research Corporation: SARA-4.1.1:
http://www-arc.com/sara/
• Nessus: Nessus Security Scanner:
http://www.nessus.org/

151
Vulnerability Scanners 2/2
• eEye Digital Security's Retina:
http://www.eeye.com/
• Cerberus Information Scanner:
http://www.cerberus-infosec.co.uk/cis.shtml
• Winfingerprint:
http://winfingerprint.sourceforge.net/
• ExtremeTech’s Syscheck: collection of scanners:
– http://www.extremetech.com/print_article/0,3428,a=25758,00.asp
• Hacker Whacker:
– http://hackerwhacker.com/
• Evaluation of vulnerability scanners:
– http://img.cmpnet.com/nc/1201/graphics/f1-detect-results.pdf

152
Security Audit Tools
• ISS RealSecure
– http://www.iss.net/
• RSA’s Security Analyst
– http://www.rsa.com/
• Network Associates’ CyberCop
– http://www.nai.com/
• Blue Lance’s LT Auditor+
– http://www.bluelance.com /
• CyberSafe’s Centrax
– http://www.cybersafe.com/
• Sunbelt’s STAT, QualysGuard, Enterprise Security Reporter
– http://www.sunbelt-software.com/
• Marcus Ranum’s Network Flight Recorder
– http://www.nfr.com/
• Somarsoft’s DumpSec, DumpEvt, DumpReg
– http://www.somarsoft.com/
• Raytheon’s SilentRunner
– http://www.silentrunner.com/

153
Virus Protection Tools
• Symantec’s Norton Anti-Virus
– http://www.symantec.com/avcenter/
• Computer Associates’ InocuLAN and IncoulateIT
– http://www.cai.com/virusinfo/
• Network Associates’ Anti-Virus
– http://www.nai.com/products/antivirus/
• Trend Micro’s IntraScan Anti-virus
– http://www.antivirus.com/
• Data Fellow’s F-Prot
– http://www.datafellows.com/download-purchase/tools.html
• McAfee’s VirusScan
– http://www.mcafee.com/centers/anti-virus/
• Moosoft’s The Cleaner - trojan scanner
– http//www.moosoft.com/thecleaner/
• PestPatrol - trojan, hacker tool, and spyware scanner
– http://www.pestpatrol.com
• Locate other options:
– Server Xtras, Inc.: http://www.serverxtras.com/
– Sunbelt Software: http://www.sunbelt-software.com/
– Beverly Hills Software: http://www.bhs.com/

154
Virus Information Resources
• The WildList Organization International
– http://www.wildlist.org/
• Denial of Service Attack Resources
– http://www.denialinfo.com/
• Digicrime, Inc.
– http://www.digicrime.com
• Peter Gutmann's Web site on Security Weaknesses
– http://www.cs.auckland.ac.nz/~pgut001/
• Simovits Consulting: Ports used by Trojans
– http://www.simovits.com/nyheter9902.html

155
Firewall/Proxy Online
Resources
• Security Panel’s Firewall List
– http://www.securitypanel.org/firewalls.html
• Phil Cox’s “Hardening Windows 2000 Guide”
– http://www.systemexperts.com/win2k.html
• Hammering out a secure framework:
– http://www.networkcomputing.com/1101/1101f3.html
• NIST Guideslines on Firewalls and Firewall Policy
– http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
• Yahoo - search on Firewall

156
Print Resources 1/2
• Windows 2000 Security, by Roberta Bragg. New Riders, 2001.
ISBN 0735709912.
• Windows 2000 Security Handbook, by Philip Cox and Tom
Sheldon. Osborne McGraw-Hill, 2000. ISBN 0072124334
• Windows 2000 Security: Little Black Book, by Ian McLean. The
Coriolis Group, 2000. ISBN 1576103870.
• Microsoft Windows 2000 Security Handbook. By Jeff Schmidt, Que,
2000. ISBN: 0789719991.
• Windows 2000 Security Technical Reference. John Hayday (ISS
named as “Editor”), Microsoft Press, 2000. ISBN 073560858X
• Hacking Exposed, 4th Edition: Network Security Secrets and
Solutions. Stuart McClure, Joel Scambray, George Kurtz.
Computing McGraw-Hill, 2003. ISBN: 0072227427. See also
Hacking Exposed Windows 2000 (ISBN: 0072182623).
• Intrusion Signatures and Analysis. Stephen Northcutt, et al. New
Riders, 2001. ISBN 0735710635.

157
Print Resources 2/2
• Firewalls and Internet Security: Repelling the Wily
Hacker. William R. Cheswick & Steven M. Bellovin.
Addison-Wesley, 1994. ISBN: 0201633574. 2nd
Edition
due whenever it’s finished!
• Building Internet Firewalls, 2nd
Edition. Elizabeth Zwicky,
et al. O’Reilly & Associates, 2000. ISBN: 1565928717.
• Configuring Windows 2000 Server Security. Thomas
Shinder, et al. Syngress Media, 1999. ISBN 1928994024
(See also ISA Server and Beyond, ISBN 1981836663)
• Network Intrusion Detection: An Analyst’s Handbook, 2nd
Ed. Stephen Northcutt and Judy Novak. New Riders,
2000. ISBN: 0735710082.
• Computer Security. Dieter Gollman. J Wiley & Sons,
1999. ISBN: 0471978442.

158
Security Bookshelf
• Identified Top 50-plus security books for
InformIT.com relevant to information security
• Updated March, 2003 online!
• Initially designed for comprehensive CISSP
preparation, now includes best of breed infosec
titles
• To locate:
– Go to www.informit.com
– Search on “Tittel bookshelf”
– Produces pointers to 2 related articles
The Computer Security Bookshelf, Part 1
The Computer Security Bookshelf, Part 2

W982 05092004

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (13)

Similaire à W982 05092004

Similaire à W982 05092004 (20)

Dernier

Dernier (20)

W982 05092004

Notes de l'éditeur