Brad Larkin
Copyright 2001, The Weston Group

Introduction
Threats
Vulnerabilities
Securing Vulnerabilities
Resources

Even non-technical people know that exposing a computer to the Internet can be dangerous and that we commonly implement a firewall or proxy server as a barrier.
As IT professionals, you should understand the specific threats posed by hackers on the Internet and how to mitigate those threats.

This class will focus on teaching you the critical first steps to take in modifying the default installation of NT / Win2K for use on a computer on the Internet.

Understand what the DMZ is.
Identify the threats on the Internet and why it is important to always take extra security precautions on computers on the Internet.
Understand the unique vulnerabilities of Windows computers on the Internet.
Understand the first steps to securing a Windows computer on the Internet.

The term DMZ is coined from the military term, demilitarized zone.
Typically a DMZ is formed under a treaty in which both sides agree to keep forces out of a stated area.
e.g. A buffer between two forces.
In Internet terms, the DMZ is that part of the Internet which is local to your organization and thus in front of your firewall.

We think of the computers on our Internet as protecting our important information behind the firewall. A hacker sees them merely as a bridge or portal to accomplish these evils:
Information Theft
Mischief
Denial of Service (DOS) attacks
Use of resources for other purposes
Spamming, DOS
Destruction of Intellectual Property and Information Systems

Location
Username
Password
Vulnerability

Target Acquisition
Information Gathering
Initial Access
Privilege Escalation
Exploitation
Covering Tracks
Planting Back Doors
Publicizing Vulnerability

Ping scans and port scans to identify targets.
Anonymous Access / Null Sessions for Information Gathering.
Guessing or compromising passwords for Initial Access and Escalation.
Upload of files, creation of accounts for Exploitation.

Remote sessions cannot execute programs on the server (unlike UNIX).
HOWEVER, the NT Resource Kit provides tools for this and other hacking functions.
Interactive console login rights are restricted in NT Server.
Windows source code is not widely available.
The NTLM password hash is fairly strong.
Vulnerabilities can be closed with knowledge and about an hour’s work.

Backward Compatibility and Ease of Use
While many aspects of network security apply across all platforms (changing passwords, auditing, etc.), these items are special vulnerabilities of Windows:
Easy NetBIOS networking / Anonymous Access
Easy enumeration of computer and user names.
LanManager password hash weakness.
Well-established password crackers for the Windows security account database (aka the SAM).
Excessive default permissions for the Everyone group.

By default, Windows NT and 2000 computers come ready to network, not ready to be secure on the Internet.
They allow null session and anonymous access connections to administrative shares and named pipes.
They grant the Everyone group permission to the server root and system root of the file system.
They make RPC network functionality available to any computer which can establish a NetBIOS session.

Demonstration of NetBIOS null session attack:

    net use \\x.x.x.x\IPC$ "" /user:""

Establishes a named pipe session to the server x.x.x.x as an anonymous user – part of the Everyone and Guests groups.

    net view \\x.x.x.x

Shows what file shares are available.

The algorithm for password hash management for LanManager technology (developed by IBM and used in Windows) has a well-known flaw.
LanManager passwords can be easily broken if a copy of the NT SAM account database file is obtained.
Think seconds, not minutes, hours or days!
For best protection, LanManager passwords should be either 7 or 14 characters long.
NTLM is stronger technology, and NTLMv2 in Windows 2000 is stronger still. But you must use the registry to prevent use of the LanMan hash.

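The following Go program is an added illustration (not from the original presentation or its example sheet) of the LanManager hash described above, so the 7-or-14 rule can be seen directly: each 7-byte half of the padded password is an independent DES key, and a half made only of padding always produces the constant AAD3B435B51404EE. It uses only Go's standard library and assumes ASCII passwords.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)
// desKeyFrom7 spreads 7 password bytes over 8 DES key bytes (7 key bits each, low bit
// parity). Go's crypto/des does not reject weak keys, so an all-NUL half (a weak DES key) works.
func desKeyFrom7(k []byte) []byte {
	key := make([]byte, 8)
	key[0] = k[0] >> 1
	key[1] = (k[0]&0x01)<<6 | k[1]>>2
	key[2] = (k[1]&0x03)<<5 | k[2]>>3
	key[3] = (k[2]&0x07)<<4 | k[3]>>4
	key[4] = (k[3]&0x0F)<<3 | k[4]>>5
	key[5] = (k[4]&0x1F)<<2 | k[5]>>6
	key[6] = (k[5]&0x3F)<<1 | k[6]>>7
	key[7] = k[6] & 0x7F
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// lmHash: upper-case the password (ASCII assumed), cut or NUL-pad to 14 bytes, split into
// two 7-byte halves, DES-encrypt the constant "KGS!@#$%" under each. The halves never mix.
func lmHash(password string) string {
	buf := make([]byte, 14) // copy truncates at 14; shorter passwords leave trailing NULs
	copy(buf, strings.ToUpper(password))
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, _ := des.NewCipher(desKeyFrom7(buf[i*7 : i*7+7])) // 8-byte key: cannot fail
		block.Encrypt(out[i*8:i*8+8], []byte("KGS!@#$%"))
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// secondHalfEmpty is true for passwords of 7 characters or fewer: their second 8 bytes are
// the well-known constant AAD3B435B51404EE, so only the first half needs cracking.
func secondHalfEmpty(password string) bool {
	return lmHash(password)[16:] == "AAD3B435B51404EE"
}

func main() {
	for _, pw := range []string{"", "secret", "Secret12", "Secret12345678"} {
		fmt.Printf("%-16q %s  second half empty: %v\n", pw, lmHash(pw), secondHalfEmpty(pw))
	}
}
```

Run it and compare the second 16 hex digits of "secret" with those of the empty password; then note that the second half of "Secret12" is the hash of the single character "2", which is why an 8-character password is barely harder to crack than a 7-character one.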
The SAM is normally locked during NT operation and cannot be accessed except through normal login functions.
However, a backup copy of the SAM is usually created when creating an Emergency Repair Disk.
Once a SAM is copied or read, then ALL passwords are likely exposed!
Administrators (you) are usually the worst about having:
weak passwords that can be guessed
non-changing passwords
your password lying around on many machine SAMs

Under the default installation of Windows NT or Windows 2000, the Everyone group has rights to:
Full Control on all files and folders
The right to ‘traverse’ NTFS permissions
e.g. Folder 1 – no rights for Everyone
Folder 2 – rights for Everyone – can be accessed by traversing
Log on from the Network

Concealment: deny as much information exposure as possible.
Narrow Defense: limit potential breaches to as few systems / services as possible.
The DMZ itself is an example wherein we try to isolate the vast majority of our computers behind it.
On an Internet computer, we also want to narrow its defense by eliminating all unnecessary systems, accounts, etc.
Defense in Depth: multiple layers of security.

Disable NetBIOS communication and Anonymous Access
Login, Password, and Audit security.
Security patches and updates.
File System and Registry Permissions.
Application Security
IIS, FTP, Telnet, Spooler, Alerter, SMTP

Networking
Registry
File System
Passwords and Security Policies
Apply latest OS and Security Patches
General Practices

Disable NetBIOS bindings (WINS TCP/IP) on the Internet NIC.
Disable vulnerable services unless they’re needed:
Alerter, Spooler, Computer Browser, Messenger, TCP/IP NetBIOS Helper.
Remove the OS/2 and POSIX subsystems. (See MS TechNet for details)
Tools: Network Settings dialog, Services dialog, net commands.
See Example sheet

Disable anonymous access to resources
Hide last username and default domain
Upgrade authentication threshold (e.g. no LanMan) whenever possible.
Secure the auto-start portion of the registry:
HKLM\Software\Microsoft\Windows\Run & RunOnce
Tools: regedt32, Windows 2000 Security Options MMC, Brad’s hisecnt4.reg
See Example sheet

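As an added example (not the author's hisecnt4.reg and not part of the original example sheet), this Go program parses a regedit export and flags the three settings above that are still at a weak value. The export text is constructed for illustration, and the thresholds are assumptions of this example: RestrictAnonymous at least 1, LMCompatibilityLevel at least 2 (so the client no longer sends a LanMan response), and DontDisplayLastUserName set to the string "1".

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)
// Constructed "regedit /e" export (illustrative, not from a real machine): typical unhardened values.
const sampleRegExport = `Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"LMCompatibilityLevel"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
`
const lsa = `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\`
const winlogon = `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\`
// parseRegExport maps "key\valuename" to the raw right-hand side of each value line.
func parseRegExport(text string) map[string]string {
	out, key := map[string]string{}, ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			key = line[1 : len(line)-1]
		} else if p := strings.SplitN(strings.TrimPrefix(line, `"`), `"=`, 2); len(p) == 2 && key != "" {
			out[key+`\`+p[0]] = p[1]
		}
	}
	return out
}
// dword decodes "dword:00000002" to 2; a missing value or a REG_SZ yields 0.
func dword(raw string) int64 {
	n, _ := strconv.ParseInt(strings.TrimPrefix(raw, "dword:"), 16, 64)
	return n
}
// auditHardening lists the settings from the slide that are still at a weak value.
func auditHardening(v map[string]string) (weak []string) {
	if dword(v[lsa+"RestrictAnonymous"]) < 1 { // 0: null sessions may enumerate users and shares
		weak = append(weak, "RestrictAnonymous")
	}
	if dword(v[lsa+"LMCompatibilityLevel"]) < 2 { // 0 or 1: the client still sends a LanMan response
		weak = append(weak, "LMCompatibilityLevel")
	}
	if v[winlogon+"DontDisplayLastUserName"] != `"1"` { // REG_SZ "1" hides the last logon name
		weak = append(weak, "DontDisplayLastUserName")
	}
	return weak
}

func main() { fmt.Println("weak settings:", auditHardening(parseRegExport(sampleRegExport))) }
```

To audit a real machine, export the two keys with regedit and feed the file's contents in place of the constructed sample.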
Use complex passwords, at least 7 characters in length.
User Rights – Remove all unnecessary groups from the “Logon from Network” right. Remove the Everyone group from “Traverse File Permissions”.
For more powerful options, you can force complex passwords with passprop.exe from the NT Resource Kit.
You can further encrypt the entire system by running SysKey.exe.
Tools: User Manager, passprop.exe (from NTRK), Win2K Security Templates
See Example sheet

Use NTFS for the C: drive.
Replace the Everyone group with the “Authenticated Users” group.
Tools: convert.exe, cacls.exe

Most of what we’ve talked about in this session has been the inherent vulnerabilities of Windows PCs on the Internet and the corrective actions to take for them.
i.e. The software working as it’s designed to.
We’ll not even touch all the highly sophisticated and sometimes automated threats such as CodeRed.
i.e. The software working as it’s NOT designed to.
You must protect against these threats with the latest patches from Microsoft.
ALWAYS PATCH YOUR INTERNET MACHINES FIRST
Subscribe to the MS Security Bulletin.

Be careful with “test” machines deployed on the Internet with administrative passwords and very little attention.
This is the most common way to penetrate otherwise well-secured networks.
Have someone else test and check your work.
Loose lips, white boards, and loose post-it notes sink IT ships.
Always point out security compromises and vulnerabilities to the client IN ADVANCE.
e.g. “We don’t want to have to change our password”

hisecNT.reg
Makes registry entries to disallow anonymous access and LanMan hash exchange.
Makes other security enhancements found in the C2 checklist.
FilePermissionsNT
Removes the Everyone group from the C:\ root and root folders as well as c:\winnt\system32. Also deletes any backup copies of the SAM.

C2 Security Checklist on the MS TechNet site.
Hacking Exposed by McClure et al., Osborne Publishing
MS Security Bulletin

Quiz over the learning objectives outlined in this presentation and the resources.