Title: W982: Windows 2003/XP/2000 System and Network Security, Networld+Interop Las Vegas, Wed May 12, 2004, 8:30am-4:30pm
1. W982: Windows 2003/XP/2000 System and Network Security
Networld+Interop - Las Vegas
Wed May 12, 2004, 8:30am-4:30pm
- James Michael Stewart
- CISSP, ISSAP, TICSA, CIW SA, Security+, CTT+, MCT, CCNA
- MCSA Windows Server 2003, MCSE: Security Windows 2000
- MCDST, MCSE NT/W2K, MCP+I, i-Net+
- www.impactonline.com
- michael@impactonline.com
2. Updated Materials
- This course has changed since it was submitted for printing
- Updated slides, notes, and handouts are available from www.impactonline.com/interop/
- All new or changed material is highlighted in green.
3. What This Course is NOT About
- How to break into Windows systems
- Security issues not related directly to Windows
- Installing software
- Troubleshooting non-security issues
- Details on intrusion detection
- Basics of Windows architecture, administration, or operation
- Other software from Microsoft or third-party vendors
4. What This Course IS About
- Why security is important
- Native security features built into
  - Windows Server 2003
  - Windows 2000 Server and Professional
  - Windows XP Professional
- How to lock down or secure a Windows system
- Vulnerabilities of Windows OSes
- Windows countermeasures
5. Security Is Important
- OS or system security does not exist in a vacuum
- You must address physical security and administrative issues; otherwise no amount of technical or logical security controls will suffice
- Security must be driven by an organization-wide security policy
- "Security is not a goal, it is a process, and security is not a product, it's a mentality" (McClure/Scambray)
- Security is maintaining data integrity and providing only authorized, controlled access to that data
6. Windows Security is an ART, not a SCIENCE
- Take my recommendations and opinions about Windows security at your own risk.
- Usually, increasing security adds administrative overhead, and decreasing security reduces administrative workload. Ultimately, you must choose what level of security you require and manage the related admin tasks.
- We welcome other opinions on Windows security in the class; we will add useful information to the online materials and future classes
7. Windows Security Is...
- Building a perimeter that's harder to cross than your neighbor's
- Controlled and monitored access
- An end-to-end solution, involving clients, applications, servers, boundary devices, and all relationships between these elements
- Windows 2000/NT/XP out of the box: few secure defaults
- Windows Server 2003 is much more secure by default
- Maintaining security is a never-ending process; it requires vigilance, ongoing monitoring, and maintenance.
8. Security: A Multi-Front Endeavor
- 100% security does not exist
- Implement security in layers
- Security must provide protection from intrusions, internal and external attacks, accidents, malicious code, and physical destruction.
- Security policies guide and direct implementation
- Three legs of security
  - Physical access control: if physical security is not maintained, no amount of software security can create a secure environment for your data
  - Human education and management
  - OS and software management
9. Worst Security Mistakes
- Opening unsolicited email attachments without verifying the source and checking the content first
- Failing to install security patches
- Installing unapproved software
- Neither making nor testing backups
- Connecting a modem to a phone line while the computer is connected to a LAN
- Relying primarily on firewalls and boundary safeguards
- Connecting systems and devices to the LAN or Internet before hardening them
- Using telnet or other unencrypted protocols to manage systems and network devices
- Running unnecessary protocols and services
- Failing to keep yourself up to date with the state of security of your OSes, software, and hardware
10. Windows Server 2003: New and Modified Features
- Common Language Runtime
- Internet Connection Firewall
- Account behavior changes
- More secure defaults
- Administration security
- Developer enhancements
- Encrypting File System enhancements
- IPSec enhancements
- Authorization Manager
- Software Restriction Policies
- Credential Management
- PKI features
- IIS 6.0 enhancements
11. Common Language Runtime
- The Common Language Runtime (CLR) software engine
  - improves reliability and helps ensure a safe computing environment
  - reduces the number of bugs and security holes caused by common programming mistakes
  - verifies that applications can run without error and checks for appropriate security permissions, making sure that code only performs appropriate operations
  - checks where the code was downloaded or installed from
  - checks whether the code has a digital signature from a trusted developer
  - checks whether the code has been altered since it was digitally signed
12. Internet Connection Firewall
- Simple stateful IP filter
- Allows all outbound traffic
- Allows only selected inbound traffic
13. Account Behavior Changes
- Limiting local account misuse
  - Network logon is prevented with blank passwords
  - Network logons using local accounts authenticate as Guest (when the "Guest only" sharing and security model is in effect)
  - Administrator account can be disabled
- The built-in Everyone group includes Authenticated Users and Guests, but no longer includes members of the Anonymous Logon group
- Supported authentication techniques: Kerberos V5, SSL/TLS, NTLM, digest (MD5 hash), Passport, two-factor (such as smart cards)
14. More Secure Defaults
- IIS/FTP/SMTP not installed by default
- IIS must be configured before first use
- Many services/interfaces/extensions are disabled by default
15. Administration Security
- Command line tools (e.g. netstat -o, which shows the owning process ID for each connection)
- Smart card authentication for common admin tools
  - Net.exe
  - Runas
  - Terminal Services
16. Developer Enhancements
- .NET Common Language Runtime
  - Managed code
  - Authentication of code origin
  - Authorization of operations against policy
- IPSec APIs
- Application access to EFS metadata
- Advanced Encryption Standard (AES) and new hash support
17. EFS Enhancements
- Encrypted file sharing in the UI
  - Encrypted files marked with an alternate color
  - Sharing your encrypted files with other users
- Encrypted client-side cache
  - Used for Offline Files; files are stored in the encrypted CSC database
- Support for kernel-mode FIPS-compliant cryptography
  - 3DES algorithm, enabled with Group Policy
  - FIPS: Federal Information Processing Standard
18. EFS Data Recovery Changes
- Domain model
  - Removed requirement for a Data Recovery Agent
  - Can operate with no data recovery policy or a separate key recovery policy
  - Domain Administrator is DRA by default when the domain is created
19. EFS over WebDAV
- Enables encrypted storage on Internet servers (end-to-end encryption: the file travels in its encrypted form and is never decrypted on the server)
- WebDAV is a file sharing protocol over HTTP
  - Alternative to SMB; Internet standard, RFC 2518
  - Supported by numerous independent software vendors
  - IIS 5.0 and IIS 6.0 support WebDAV as web folders
20. IPSec Enhancements
- Windows 2000/XP/Server 2003 compatibility
- Stronger security
- Diagnostics and supportability
  - UI improvements and IPSec Monitor snap-in
  - Command line management: NETSH
- Computer startup security
  - IPSec driver startup modes
  - Persistent policy for enhanced security
  - Removed default traffic exemptions
- NAT traversal
- Improved IPSec integration with Network Load Balancing
- IPSec support for Resultant Set of Policy (RSoP)
21. Authorization Manager
- Flexible framework
- Role-based access control
- Role-based administration
- Support for forest trusts: two-way transitive trusts between every domain in both forests
22. Software Restriction Policies
- Group Policy can restrict software installation and execution
- Can restrict by
  - Hash rule
  - Path rule
  - Certificate rule
  - Internet zone rule
23. Credential Manager
- Provides a secure storage mechanism for user credentials, such as passwords and X.509 certificates
- Provides consistent single sign-on
- Supported for local and roaming users
- Simplifies and secures the methods by which server- and client-based applications obtain user credentials
24. PKI Features
- Qualified subordination (a.k.a. cross-certification)
  - More X.509 options implemented on server and client
  - Define the namespace for which a subordinate CA will issue certificates
  - Specify the acceptable uses of certificates issued by a qualified subordinate CA
  - Create trust between separate certification hierarchies
- Editable certificate templates
- Key archive and recovery
  - Can configure a CA to archive the keys associated with the certificates it issues
- Auto-enrollment and renewal
- Delta CRLs
25. IIS 6.0 Enhancements
- Lessons implemented
  - Reduced attack surface
  - Code security
  - Secure defaults
  - Improved ASP security
  - Lower-privilege accounts
  - Improved patch management
- Security features for the platform
  - Application isolation
  - FTP user isolation
  - Passport authentication
  - URL authorization
26. Some Specific Windows 2003 Security Benefits
- More than 20 services that were enabled by default in W2K are now disabled or operate at lower privileges
- IIS 6.0 and the Telnet server are not installed by default, and both run under a new service account with lower privileges
- IE has numerous limitations on its functionality (Enhanced Security Configuration)
- The Security Configuration Wizard, which works on top of Configure Your Server, defaults to the highest security lockdown for added services and features
- Remote users are unable to log in using blank passwords
- Role-based authorization for applications (Authorization Manager)
- The system root drive is accessible only to members of the Administrators group; the Everyone group is fully restricted
- Stronger VPN policies and filters
27. Windows 2000 to Windows 2003
- All known problems with Windows 2000 up through approximately MS03-022 are corrected or not present in Windows 2003
- New problems since MS03-023 may be found in Windows 2000, Windows XP, and Windows 2003
- Check Windows Update and Microsoft Security Bulletins frequently to stay current with new developments
28. Windows 2000 Security Features
- Improved security model over Windows NT: stronger authentication, protocols, services
- Directory service account management
  - Domain trees
  - Organizational Units (OUs): directory containers
- Kerberos authentication protocol V5
- Public Key Infrastructure (PKI)
  - X.509 version 3 certificate services
  - CryptoAPI version 2
- Encrypting File System (EFS) built into NTFS
- Secure channel security protocols (SSL 3.0/PCT)
  - Private Communications Technology (PCT) 1.0
  - Transport Layer Security (TLS)
- Smart card support
- Distributed Password Authentication (DPA)
- Internet security framework: IPSec, L2TP
- Transitive trusts
29. Windows XP Security Features
- Most of the security benefits of Windows 2000 are found in Windows XP
- Additional security features include
  - Internet Connection Firewall
  - Internet Connection Sharing
  - Blank password restriction (access to the local system only)
  - Encryption of Offline Files
  - Credential Management: storage of logon credentials
  - Fast User Switching (non-domain only)
30. Windows XP IPL Vulnerability
- All passwords are rendered useless on Windows XP
  - Boot a Windows XP system with a Windows 2000 CD
  - Start the Windows 2000 Recovery Console
  - The user is then able to operate as the administrator of the system without a password
  - The user can connect as any user account on the system without a password
  - The user can copy files to floppies or other removable media from any local hard drive, a capability normally restricted within the Recovery Console when used legitimately
- Only countermeasure: physical security (control who can boot the machine from removable media)
- http://www.briansbuzz.com/w/030213/
31. Coverage of Windows Clients
- Windows XP Professional can be configured as the most secure client available from Microsoft
- Windows 2000 Professional can be configured to be almost as secure as Windows XP Professional
- Both offer different, usually insecure, defaults when employed as stand-alone systems
- This courseware assumes Windows XP Professional and Windows 2000 Professional are being used as Active Directory domain clients. Therefore they take on the security configurations defined by Windows 2000 Server or Windows Server 2003 GPOs assigned to their AD containers.
32. Coverage of Windows Servers
- All Windows 2000 Server and Windows Server 2003 settings are discussed from the perspective of these systems being used as domain controllers.
- Domain controllers either inherit the security configuration of the Domain Controllers OU GPO or the domain GPO, or are assigned their own unique configuration by network administrators.
33. Overview of Native Security Components of Windows 2003/XP/2000
- Logon control
- User accounts
- Groups
- Account policy: passwords and lockout
- System policies
- NTFS and share permissions
- User rights
- Auditing
34. Logon Access Security
- Winlogon process and Netlogon service
  - Run in a restricted, protected desktop and memory area
  - CTRL-ALT-DEL (the secure attention sequence) cannot be intercepted or spoofed by ordinary applications
  - Forces a physical logon
  - Netlogon communicates with the security database (local SAM or domain controller) to validate users
- Requires
  - User account name
  - Password
  - Domain name
- Remote control software bypasses this via API and an installed service (a logon is required to install the service)
35. Automated Logon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - DefaultDomainName (REG_SZ)
  - DefaultUserName (REG_SZ)
  - DefaultPassword (REG_SZ, stored in plaintext and readable by any local user)
  - AutoAdminLogon (REG_SZ) = 1
- Authentication still occurs, but without user input
- To terminate auto-logon
  - Set AutoAdminLogon = 0
  - Delete DefaultPassword
- Hold SHIFT during startup to log on with an alternate user account
- Used on kiosks and other access points where access level or physical security is no issue
- Functions on NT, 2000, XP, 2003
36. Cached Credentials (1/2)
- By default, when you attempt to log on to a domain from a Windows 2003/XP/2000-based workstation or member server and a domain controller (DC) cannot be located, no error message is displayed.
- Instead, you log on to the local computer using cached credentials.
- By default, Windows 2003/XP/2000 caches the last 10 logons
- Set through Group Policy (Security Options: "Interactive logon: Number of previous logons to cache") or the Registry (CachedLogonsCount). If set to 0, no logons are cached, and if a DC is not available the logon is denied.
37. Cached Credentials (2/2)
- When logged on with cached credentials, the user account has no access to updated group policies, roaming profiles, home folders, or logon scripts.
- Use the set command at a Command Prompt: the LOGONSERVER entry names the system that authenticated you. If it is the local system, cached credentials were used; if it is a DC, domain validation occurred.
- Appears in Event Viewer's System log as event ID 5719
- Add the ReportControllerMissing and ReportDC values to the Registry to force a user warning message.
- Unlocking a workstation or a DC uses cached credentials by default. If you don't disable credential caching, then set ForceUnlockLogon to 1 to require actual AD authentication to unlock systems.
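Slides 35 through 37 describe five things an auditor checks on a workstation: the four Winlogon values AutoAdminLogon, DefaultPassword, CachedLogonsCount and ForceUnlockLogon, and the LOGONSERVER variable. The script below is an added example written for these notes, not part of the original course materials: it reads those values, reports each finding, and optionally applies the remediation the slides recommend. The function names, the cached-logon limit of 4, and the rule that a LOGONSERVER equal to the local computer name means the session was validated locally are this example's own assumptions. Run it elevated.

```powershell
# Added example for slides 35 and 37; not part of the original course materials.
# Reads the Winlogon values behind auto-logon and credential caching, reports
# findings, and (optionally) applies the fixes the slides recommend. Run elevated.
# Assumed by this example: the function names, the cached-logon limit of 4, and
# treating LOGONSERVER == local computer name as "validated from the cache".

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonSecurityState {
    # Values that are not set come back as $null.
    $p = Get-ItemProperty -Path $Winlogon
    [pscustomobject]@{
        AutoAdminLogon     = $p.AutoAdminLogon          # REG_SZ; "1" turns auto-logon on
        DefaultUserName    = $p.DefaultUserName
        DefaultDomainName  = $p.DefaultDomainName
        HasDefaultPassword = -not [string]::IsNullOrEmpty($p.DefaultPassword)   # plaintext in the registry
        CachedLogonsCount  = $p.CachedLogonsCount       # REG_SZ; default "10" when absent
        ForceUnlockLogon   = $p.ForceUnlockLogon        # REG_DWORD; 1 = re-authenticate at a DC on unlock
        LogonServer        = $env:LOGONSERVER           # \\DC, or \\<this computer> if cached credentials were used
    }
}

function Test-WinlogonSecurityState {
    param([Parameter(Mandatory)]$State, [int]$MaxCachedLogons = 4)
    # One string per problem; an empty result means the settings are clean.
    $findings = @()
    if ($State.AutoAdminLogon -eq '1') { $findings += 'AutoAdminLogon is enabled (slide 35)' }
    if ($State.HasDefaultPassword)     { $findings += 'DefaultPassword is stored in plaintext; delete it (slide 35)' }
    $cached = if ($State.CachedLogonsCount) { [int]$State.CachedLogonsCount } else { 10 }
    if ($cached -gt $MaxCachedLogons)  { $findings += "CachedLogonsCount=$cached exceeds $MaxCachedLogons (slide 36)" }
    if ($State.ForceUnlockLogon -ne 1) { $findings += 'ForceUnlockLogon is not 1: unlock accepts cached credentials (slide 37)' }
    if ($State.LogonServer -and ($State.LogonServer -eq "\\$env:COMPUTERNAME")) {
        $findings += 'This session was validated locally (cached credentials or local account), not by a DC'
    }
    $findings
}

function Repair-WinlogonSecurityState {
    param([int]$CachedLogons = 4)
    # Disable auto-logon and remove the stored password; cap cached logons and
    # require DC validation when unlocking.
    Set-ItemProperty    -Path $Winlogon -Name AutoAdminLogon    -Value '0'             -Type String
    Remove-ItemProperty -Path $Winlogon -Name DefaultPassword   -ErrorAction SilentlyContinue
    Set-ItemProperty    -Path $Winlogon -Name CachedLogonsCount -Value "$CachedLogons" -Type String
    Set-ItemProperty    -Path $Winlogon -Name ForceUnlockLogon  -Value 1               -Type DWord
}

$state = Get-WinlogonSecurityState
$state | Format-List
$findings = Test-WinlogonSecurityState -State $state
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Winlogon settings are clean' }
# Repair-WinlogonSecurityState    # uncomment to apply the fixes
```

The repair deliberately rewrites CachedLogonsCount as a string and ForceUnlockLogon as a DWORD, because Winlogon ignores the values if their types are wrong. Setting CachedLogonsCount to 0, as slide 36 notes, means a laptop user with no DC reachable cannot log on at all; pick the limit to match that trade-off.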
38. User Accounts & Groups
- Users and groups are key to Windows security
- User accounts
  - Unique identifiers for each person
  - Security IDs (SIDs)
- Groups
  - Used to control resource access
  - Machine local, domain local, global, universal (native mode)
  - Multiple group memberships: combined permissions
- Users > Domain Groups > Local Groups > Resources
  - Users are added to groups
  - Groups are assigned permissions for resources
  - Nesting of groups is supported
- Delete vs. disable old user accounts (a deleted account's SID cannot be reused; disabling keeps the SID and its permissions for later review)
39. System-Controlled Groups
- Pre-Windows 2000 Compatible Access
- Anonymous Logon
- Authenticated Users
- Batch
- Creator Group
- Creator Owner
- Dialup
- Enterprise Domain Controllers
- Everyone
- Interactive
- Network
- Proxy
- Restricted
- Self
- Service
- System
- Terminal Server User
- 2003 specific
  - Digest Authentication
  - Local Service
  - NTLM Authentication
  - Other Organization
  - Remote Interactive Logon
  - SChannel Authentication
  - This Organization
- Membership is dynamic and managed by the OS itself
- The Everyone group is still required on the boot partition; on Windows 2000 it still includes anonymous and null sessions (on Windows XP and Windows Server 2003, Everyone no longer includes Anonymous Logon; see slide 13)
40. Group Policy
- GPOs can be assigned to domains, sites, or OUs.
- Applied in LSDOU order: Local, Site, Domain, OU (later policies override earlier ones where they conflict)
- Combines policies for
  - General security controls
  - Audit
  - User rights
  - Passwords
  - Account lockout
  - Kerberos
  - Public key policies
  - IPSec policies
- Windows 2000 out of the box: if a user is a member of 70 to 80 groups, group policy may not be applied. Caused by the Kerberos token size limitation; the correction changes MaxTokenSize from 12000 to 100000 (SP2, KB 263693)
41. Group Policy SMB Vulnerability
- An SMB signing flaw may allow group policies to be modified by unauthorized users
- Affects Windows 2000 and Windows XP
- The flaw allows attackers to downgrade the settings for SMB signing so that packets are not signed even though the systems are configured to use SMB signing. The attack occurs during the negotiation process between client and server. Once exploited, attackers could modify packets sent between the two systems and the changes would not be detected.
- Patch not included in Windows XP SP1
- MS02-070, KB329170
42. Password Policy
- Set password restrictions
- Minimum and maximum password age (0-999 days)
  - W2000: max 42 days, min 0 days
  - W2003: max 42 days, min 1 day
- Minimum password length (0-14 characters)
  - W2000: 0
  - W2003: 7
- Password history (0-24 entries remembered)
  - W2000: 1
  - W2003: 24
- Passwords must meet complexity requirements
  - W2000: disabled
  - W2003: enabled
- Store passwords using reversible encryption for all users in the domain
  - W2000 and W2003: disabled (leave it disabled unless an application such as CHAP or Digest authentication requires it; it is equivalent to storing plaintext)
43. Password Complexity
- Forces a minimum of 6 characters
- Incorporates at least 3 of the 4 character types
  - Uppercase A through Z
  - Lowercase a through z
  - Numerals 0 through 9
  - Non-alphanumeric characters (!, @, \, and so on)
- May not contain the user's account name or any part of the user's full name
- Not foolproof: April1999 is a valid password under these restrictions, but is easily guessed.
- When enabled, existing passwords are grandfathered; new or changed passwords must meet the restrictions
- Custom password filters: see the W2000 and W2003 SDK
44. Failing Requirements When Changing Passwords
- Two variants of the message a user sees:
  - "Your new password does not meet the minimum length or password history requirements of the domain. Also, your site may require passwords that must be a combination of upper case, lower case, numbers, and non-alphanumeric characters."
  - "Your password must be at least <N> characters long. Your new password cannot be the same as any of your previous <N> passwords. Also, your site may require passwords that must be a combination of upper case, lower case, numbers, and non-alphanumeric characters."
45. Designing Secure Passwords
- Implement the company/organization security policy
- Use cracking tools to test your password strength: LC4, PassFilt Pro, John the Ripper, Quakenbush's Password Appraiser
- Allow no part of the e-mail address in the password
- Change every 30-45 days
- Maintain a history of previous passwords to prevent reuse
- Always assign passwords to all accounts
- Avoid common words: dictionary words, slang, industry acronyms, etc.
- Use ALT characters (ALT-130 for é, ALT-157 for ¥, etc.)
  - Avoid use on administrator accounts
- Never write passwords down
46. Password Crackers
- Require access to the SAM, directly or via a copy
- Password auditing
  - @stake's LC4: http://www.atstake.com/
  - Quakenbush's Password Appraiser: http://www.quakenbush.com/
- Most work by hashing candidate passwords (dictionary, hybrid, brute force) and comparing the results with the extracted hashes; the hash itself is never reversed
- Protect your SAM!
- LC4 can sniff SMB authentication exchanges on the network to recover passwords; use switched networks to force end-to-end communications (a switch raises the bar but does not stop an attacker who can ARP-spoof or mirror a port)
- Several tools are available that boot from a floppy and can change the password on any account
  - Peter Nordahl's Offline NT Password & Registry Editor
  - Sysinternals Locksmith
47. Audit Password Registry Keys
- Enable auditing through Group Policy's Audit Policy (the Object Access category)
- Start the Task Scheduler service and set it to start automatically at system startup
- AT <time> /interactive "regedt32.exe"
  - The Registry editor is launched with System-level access, which can open the SAM and SECURITY hives (note: System is NT's closest equivalent to UNIX's superuser or root access)
- Set the SAM hive auditing parameters
  - HKEY_LOCAL_MACHINE\SAM
  - Security > Auditing: set per event for each user/group to audit
48. Accounts Policy: Lockout
- Set lockout parameters
  - Account lockout duration (0-99999 minutes; 0 means locked until an administrator unlocks the account)
  - Account lockout threshold: number of failed logon attempts (0 disables lockout)
  - Reset account lockout counter after: time limit before the failure count is cleared
- Not enabled by default on W2K or W2K3
- "Account is locked out" checkbox on the user account properties dialog box
49. User Account Security Controls
- Logon hours
- Log On To: restricted to listed workstations
- Account expiration: never, or by date
- Account options (next slide)
- Dial-in
  - Remote Access Permission (dial-in or VPN): allow, deny, or controlled by Remote Access Policy
  - Verify caller ID (requires supported hardware)
  - Callback: pre-defined or user-supplied
- Terminal Services sessions
  - End disconnected sessions after a timeout
  - Time limit for active sessions
  - Time limit for idle sessions
  - Enable remote control/observation
  - Require the user's permission to control/observe
50. Account Options
- User must change password at next logon
- User cannot change password
- Password never expires
- Store password using reversible encryption
- Account is disabled
- Smart card is required for interactive logon
- Account is trusted for delegation
- Account is sensitive and cannot be delegated
- Use DES encryption types for this account
- Do not require Kerberos pre-authentication
- Direct user account settings override group policy settings! ("Password never expires" on an account, for example, exempts that account from the domain maximum password age; audit for these flags.)
51. Audit Policy
- All Windows objects can be audited
- Two controls: policy and object
- Policy categories
  - Account logon events
  - Account management
  - Directory service access
  - Logon events
  - Object access
  - Policy change
  - Privilege use
  - Process tracking
  - System events
- Object-level controls are accessed through the object's Advanced Security Properties
- The audit policy category must be enabled in order for audited events to be recorded in the Security log
52. Sample Audit Detail
53. Auditing for Security
- Suspect events
  - Failed logon attempts
  - Repeated denied access to a resource
  - System reboots
- DumpEVT: export event logs to text files for use in scripts and databases (www.somarsoft.com)
- As the amount of data gathered by auditing increases, so does the need to employ an IDS or a data mining tool to deal with the data load
54. Example Audit Schemes
- Random password attacks
  - Account logon events, logon events: Failure
- Stolen passwords (must filter for abnormal activity)
  - Account logon events, logon events: Success
- Misuse of admin privileges
  - Privilege use: Success; account management: Success; policy change: Success; system events: Success
- Virus infection (track Write for all .exe, .bat, and .dll files)
  - Process tracking: Success, Failure; directory service access and object access: Success, Failure
- Access to sensitive files (track Read and Write for suspect users/groups)
  - Directory service access, object access: Success, Failure
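Slide 53 says that once failure auditing is on, the data volume forces you toward scripted analysis. The script below is an added example for these notes, not part of the course or of DumpEVT: it implements the first scheme on slide 54 (random password attacks) as a detector that flags any source producing many failed logons in a short window, run over constructed records so it works offline. The record shape (Time, User, Source, Workstation), the function names, the 10-minute window and the threshold of 5 are this example's own assumptions. The live collector uses event ID 4625, the failed-logon ID on Windows Vista and later; on 2000/XP/2003 the corresponding Security-log IDs are 529 (bad user name or password) and 539 (account locked out).

```powershell
# Added example for slides 53-54; not part of the original course materials.
# Assumed: the record shape, function names, window and threshold; live
# collection uses ID 4625 (Vista+); on 2000/XP/2003 use IDs 529 and 539.

function Get-FailedLogonRecords {
    param([int]$Hours = 24)
    # Live collection (needs rights to read the Security log). Not used by the demo below.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName
                               Source = $d.IpAddress;  Workstation = $d.WorkstationName }
        }
}

function Find-PasswordGuessing {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$WindowMinutes = 10,
        [int]$Threshold = 5              # failures from one source inside the window
    )
    # "Random password attacks": many failures from one source, usually spread
    # over several accounts, in a short time. Sliding window per source.
    $Records | Group-Object Source | ForEach-Object {
        $source = $_.Name
        $hits = @($_.Group | Sort-Object Time)
        for ($i = 0; $i -lt $hits.Count; $i++) {
            $start = $hits[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($hits | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    Source   = $source
                    Start    = $start
                    Failures = $inWindow.Count
                    Accounts = (@($inWindow | ForEach-Object { $_.User } | Sort-Object -Unique) -join ',')
                }
                break    # one finding per source is enough for triage
            }
        }
    }
}

# Constructed sample: one source trying six accounts in under four minutes,
# plus a user who mistyped twice from their own workstation (should not alert).
$t0 = Get-Date '2004-05-12 09:00:00'
$sample = @(
    foreach ($i in 0..5) {
        [pscustomobject]@{ Time = $t0.AddSeconds(40 * $i); User = "user$i"; Source = '10.0.0.77'; Workstation = 'UNKNOWN' }
    }
    [pscustomobject]@{ Time = $t0.AddMinutes(30); User = 'mstewart'; Source = '10.0.1.5'; Workstation = 'WS05' }
    [pscustomobject]@{ Time = $t0.AddMinutes(31); User = 'mstewart'; Source = '10.0.1.5'; Workstation = 'WS05' }
)
Find-PasswordGuessing -Records $sample | Format-Table -AutoSize
```

To run it against a live system replace `$sample` with `Get-FailedLogonRecords -Hours 24`. The second scheme on slide 54 (stolen passwords) needs the opposite filter, successes at odd hours or from new workstations, which is why the records carry Workstation even though this detector does not use it.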
55. Working with User Rights
- Review the defaults of User Rights (see the handout "User Rights")
- To increase security settings, make the following changes
  - Allow log on locally: assigned only to Administrators on servers
  - Shut down the system: assigned only to Administrators and Power Users
  - Access this computer from the network: assigned to Users; revoke for Administrators and Everyone (this also blocks remote administration over SMB/RPC by administrators, so test it against your management tools first)
  - Restore files and directories: revoke for Backup Operators
  - Bypass traverse checking: assigned to Authenticated Users; revoke for Everyone
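Checking those five assignments by hand across many servers does not scale, so the script below compares a secedit export against them. It is an added example for these notes, not part of the course handout: Compare-UserRights, ConvertFrom-SeceditRights and the $Baseline table are this example's own names, and the export text at the bottom is constructed to resemble a Windows Server 2003 default (a real one comes from `secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS`). The privilege constants and well-known SIDs are the documented ones: SeInteractiveLogonRight, SeShutdownPrivilege, SeNetworkLogonRight, SeRestorePrivilege, SeChangeNotifyPrivilege; Everyone S-1-1-0, Authenticated Users S-1-5-11, Administrators S-1-5-32-544, Users S-1-5-32-545, Power Users S-1-5-32-547, Backup Operators S-1-5-32-551.

```powershell
# Added example for slide 55; not part of the original course materials.
# Assumed: the function names, the $Baseline table and the constructed export.

$Sid = @{ Everyone = 'S-1-1-0'; AuthenticatedUsers = 'S-1-5-11'; Administrators = 'S-1-5-32-544'
          Users = 'S-1-5-32-545'; PowerUsers = 'S-1-5-32-547'; BackupOperators = 'S-1-5-32-551' }

# The five changes recommended on slide 55. Exactly = the whole list must match;
# MustHave / MustNotHave = partial checks.
$Baseline = @(
    @{ Right = 'SeInteractiveLogonRight'; Name = 'Allow log on locally';                  Exactly = @($Sid.Administrators) }
    @{ Right = 'SeShutdownPrivilege';     Name = 'Shut down the system';                  Exactly = @($Sid.Administrators, $Sid.PowerUsers) }
    @{ Right = 'SeNetworkLogonRight';     Name = 'Access this computer from the network'; MustHave = @($Sid.Users); MustNotHave = @($Sid.Administrators, $Sid.Everyone) }
    @{ Right = 'SeRestorePrivilege';      Name = 'Restore files and directories';         MustNotHave = @($Sid.BackupOperators) }
    @{ Right = 'SeChangeNotifyPrivilege'; Name = 'Bypass traverse checking';              MustHave = @($Sid.AuthenticatedUsers); MustNotHave = @($Sid.Everyone) }
)

function ConvertFrom-SeceditRights {
    param([Parameter(Mandatory)][string]$Text)
    # Parse only the [Privilege Rights] section: "SeRight = *SID,*SID,name".
    $rights = @{}; $inSection = $false
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Compare-UserRights {
    param([Parameter(Mandatory)][hashtable]$Rights, [Parameter(Mandatory)][object[]]$Baseline)
    foreach ($b in $Baseline) {
        $have = @($Rights[$b.Right] | Where-Object { $_ })
        $problems = @()
        if ($b.Exactly) {
            $extra   = @($have | Where-Object { $b.Exactly -notcontains $_ })
            $missing = @($b.Exactly | Where-Object { $have -notcontains $_ })
            if ($extra)   { $problems += "revoke $($extra -join ',')" }
            if ($missing) { $problems += "grant $($missing -join ',')" }
        }
        foreach ($s in $b.MustHave)    { if ($have -notcontains $s) { $problems += "grant $s" } }
        foreach ($s in $b.MustNotHave) { if ($have -contains $s)    { $problems += "revoke $s" } }
        [pscustomobject]@{ Right = $b.Name; Compliant = ($problems.Count -eq 0); Action = ($problems -join '; ') }
    }
}

# Constructed export resembling Windows Server 2003 defaults for these rights.
$export = @"
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-548
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-11
"@
Compare-UserRights -Rights (ConvertFrom-SeceditRights -Text $export) -Baseline $Baseline | Format-Table -AutoSize
```

For a real export use `ConvertFrom-SeceditRights -Text (Get-Content C:\temp\rights.inf -Raw)`; secedit writes the file as Unicode and Get-Content reads it correctly. The Action column is phrased as grant/revoke so the output can be turned straight into a security template.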
56. Ownership
- Ownership grants a user Full Control over an object (the owner can always read and rewrite the object's permissions, even without an explicit ACE)
- Ownership can be taken by users with
  - The "Take Ownership of Files or Other Objects" user right
  - The NTFS object-level Take Ownership permission
- Administrators and Domain Admins have this user right by default.
- Ownership can be assigned using subinacl (Resource Kit tool)
  - subinacl /subdirectories c:\winnt\profiles\*.* /setowner=administrator
- Ownership can be used to bypass any Deny setting, because the owner can simply rewrite the ACL; audit ownership changes on sensitive objects.
57. NTFS Security
- Defined per object: files, directories, printers
- Set by group or user, as Allow or Deny
- Standard file settings
  - Full Control (RXWDPO)
  - Modify (RXWD)
  - Read & Execute (RX)
  - List Folder Contents (directories only) (R)
  - Read (R)
  - Write (W)
- Always check the defaults on new objects in regard to the Everyone group
- Container rule: move vs. copy (a copy always inherits the destination folder's permissions; a move within the same NTFS volume keeps the original permissions, while a move across volumes is really a copy and inherits)
- Inheritance is configurable; inheritance of permissions and inheritance of auditing entries are distinct
58. Share Permissions
- Permissions
  - Full Control
  - Change
  - Read
- All permissions are based on Allow or Deny
- W2K new share: Full Control to Everyone
- W2K3 new share: Read only to Everyone
- On the object's Sharing tab
  - Able to set the maximum number of simultaneous users
  - Caching
    - Allow/prevent caching
    - Manual (Offline Files)
    - Automatic
59. Managing Permissions
- NTFS: all user-specific and group-membership permissions on the same resource are cumulative.
- Share: all user-specific and group-membership permissions on the same share are cumulative.
- Combining NTFS and share permissions
  - The cumulative NTFS permissions are compared to the cumulative share permissions; the most restrictive applies
  - Think of it as an ANDing function
  - Share permissions only apply to access over the network; a local logon is governed by NTFS alone
- Deny always results in deny. Watch for conflicts caused by multi-group memberships.
- Grant permissions on an as-needed basis: need to know, or least privilege
- SystemTools DumpSec (www.systemtools.com) dumps permissions (ACLs) for the file system, registry, shares and printers into a readable list-box format
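The combining rules above are the ones people most often get wrong when a user "has Modify but cannot save". The script below is an added example for these notes, not part of the course or of DumpSec: it computes the effective access a user gets through a share from a set of NTFS and share entries, applying the three rules exactly as stated (accumulate within each set, Deny wins, then AND the two sets). The rights vocabulary (Read, Write, Execute, Delete, ChangePermissions, TakeOwnership), the hashtable shape of the ACL entries, the sample ACLs and the function names are this example's own assumptions.

```powershell
# Added example for slides 57-59; not part of the original course materials.
# Assumed: the rights vocabulary, the ACL entry shape, sample ACLs and names.

$All = 'Read','Write','Execute','Delete','ChangePermissions','TakeOwnership'
$Level = @{
    # NTFS standard settings (slide 57)
    FullControl    = $All
    Modify         = @('Read','Write','Execute','Delete')
    ReadAndExecute = @('Read','Execute')
    Read           = @('Read')
    Write          = @('Write')
    # Share "Change" (slide 58); share Full Control and Read reuse the entries above
    Change         = @('Read','Write','Execute','Delete')
}

function Get-CumulativeRights {
    param([object[]]$Entries, [string[]]$Principals)
    # Accumulate Allow rights for every matching principal; collect Deny rights separately.
    $allow = @(); $deny = @()
    foreach ($e in ($Entries | Where-Object { $Principals -contains $_.Principal })) {
        $rights = if ($Level.ContainsKey($e.Permission)) { $Level[$e.Permission] } else { @($e.Permission) }
        if ($e.Type -eq 'Deny') { $deny += $rights } else { $allow += $rights }
    }
    # Deny always results in deny.
    @($allow | Sort-Object -Unique | Where-Object { $deny -notcontains $_ })
}

function Get-EffectiveShareAccess {
    param(
        [Parameter(Mandatory)][string]$User,
        [string[]]$Groups = @(),
        [Parameter(Mandatory)][object[]]$NtfsAcl,
        [Parameter(Mandatory)][object[]]$ShareAcl
    )
    # Every network user matches Everyone and Authenticated Users as well as their groups.
    $principals = @($User) + $Groups + 'Everyone' + 'Authenticated Users'
    $ntfs  = Get-CumulativeRights -Entries $NtfsAcl  -Principals $principals
    $share = Get-CumulativeRights -Entries $ShareAcl -Principals $principals
    [pscustomobject]@{
        User      = $User
        NTFS      = ($ntfs  -join ',')
        Share     = ($share -join ',')
        Effective = (@($ntfs | Where-Object { $share -contains $_ }) -join ',')   # most restrictive: AND
    }
}

# Constructed ACLs for a share \\server\Projects mapped to D:\Projects.
$ntfsAcl = @(
    @{ Principal = 'Engineering'; Type = 'Allow'; Permission = 'Modify' }
    @{ Principal = 'Contractors'; Type = 'Deny';  Permission = 'Write' }
    @{ Principal = 'Everyone';    Type = 'Allow'; Permission = 'Read' }
)
$shareAcl = @(
    @{ Principal = 'Everyone';    Type = 'Allow'; Permission = 'Read' }     # Windows Server 2003 default
    @{ Principal = 'Engineering'; Type = 'Allow'; Permission = 'Change' }
)
Get-EffectiveShareAccess -User 'alice' -Groups 'Engineering'               -NtfsAcl $ntfsAcl -ShareAcl $shareAcl
Get-EffectiveShareAccess -User 'bob'   -Groups 'Engineering','Contractors' -NtfsAcl $ntfsAcl -ShareAcl $shareAcl
Get-EffectiveShareAccess -User 'carol' -Groups @()                         -NtfsAcl $ntfsAcl -ShareAcl $shareAcl
```

Bob is the case slide 59 warns about: his Engineering membership grants Modify, but the Contractors Deny on Write strips Write from the NTFS side before the AND, so he can read, execute and delete but not save. Changing the share to Everyone: Full Control would not help him, which is the point of the "most restrictive applies" rule.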
60. Disk Quotas
- Configurable per volume
- Configurable per user
- Prevent file writing when the limit is exceeded
- Space limitation and warning level in KB, MB, GB, TB, or PB
- Can log events when the quota limit or the warning level is reached
- Quota limits are based on uncompressed file size
- More control and granularity through third-party quota solutions, such as Quota Advisor and Storage Central from www.sunbelt-software.com
61. Process Security
- A process inherits its parent's access token
- Use Task Scheduler to launch tasks with any user account's credentials
- Services can be launched with System or any user account's credentials
- Once launched, the access level of a process cannot change
- Use RunAs to execute under another user's security context; it requires the username and password. Use it from the command line, or hold SHIFT and right-click an .exe for the pop-up menu
62. Windows Kerberos Policy
- Trusted third-party authentication protocol developed at MIT as part of Project Athena
- Kerberos V5
  - Faster connections
  - Mutual authentication
  - Delegated authentication
  - Simplified trust management
  - Interoperability
- Defined at the domain level; controls Kerberos settings
- Implemented by the domain's Key Distribution Center (KDC)
- Stored as part of the domain security policy (may only be set by Domain Admins)
- Windows attempts to use Kerberos first to authenticate user logons. If Kerberos fails, NTLM is attempted (if enabled)
- NTLM remains primarily for backward compatibility with Windows clients that do not support Kerberos
63. Kerberos
[Diagram: Kerberos logon and service request between a Windows 2000-based computer, the KDC, and a target server]
- Initial logon: (1) the client authenticates to the KDC; (2) the KDC returns a Ticket-Granting Ticket (TGT), which is cached locally
- Service request: (1) the client presents the TGT to the KDC; (2) the KDC returns a Service Ticket (ST); (3) the client presents the ST to the target server; (4) session established
64. Group Policy Settings: Kerberos
- Enforce user logon restrictions
- Maximum lifetime that a user ticket can be renewed
- Maximum service ticket lifetime
- Maximum tolerance for synchronization of computer clocks
- Maximum user ticket lifetime
65. Disable LM Authentication
- W2K supports
  - Kerberos
  - Windows NT challenge/response v.2 (NTLM 2); this family includes LM, NTLM 1, and NTLM 2
  - LM enabled by default: the Security Option "LAN Manager authentication level" is set to "Send LM & NTLM responses"
- W2K3 supports
  - Kerberos
  - Windows NT challenge/response v.2 (NTLM 2); this family includes LM, NTLM 1, and NTLM 2
  - LM disabled by default: the Security Option "LAN Manager authentication level" is set to "Send NTLM response only"
- Windows 95, WfW, Macs, and OS/2 clients only support LM, not NTLM
- Windows 98, SE, Me can be upgraded to support NTLM v2 with the Directory Services Client add-on
- Add NTLM 2 to W95/98: Q239869
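The "LAN Manager authentication level" option above is stored as the LmCompatibilityLevel DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and the related "do not store LAN Manager hash value" setting as NoLMHash in the same key. The script below is an added example for these notes, not part of the course: it reports the current level with its meaning and whether LM hashes are still being stored, and provides a function to raise the level once the legacy clients on the previous bullets have been upgraded. The function names are this example's own; the level-to-meaning table is the documented set of values (level 0 is the Windows 2000 default, level 2 the Windows Server 2003 default). Run elevated.

```powershell
# Added example for slide 65; not part of the original course materials.
# Assumed: the function names. Level meanings are the documented ones.

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LmLevel = @{
    0 = 'Send LM & NTLM responses'                                   # Windows 2000 default
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'                                    # Windows Server 2003 default
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmAuthenticationState {
    $p = Get-ItemProperty -Path $Lsa
    $level = $p.LmCompatibilityLevel
    $meaning = if ($null -ne $level) { $LmLevel[[int]$level] }
               else { 'not set: OS default (0 on Windows 2000, 2 on Windows Server 2003)' }
    # Windows 2000 SP2+ signals "no LM hash" with a NoLMHash *subkey*;
    # XP and 2003 use a NoLMHash DWORD *value* of 1. Check both forms.
    $noLmHash = ([int]$p.NoLMHash -eq 1) -or (Test-Path -Path "$Lsa\NoLMHash")
    [pscustomobject]@{
        LmCompatibilityLevel = $level
        Meaning              = $meaning
        SendsLmResponse      = (($null -eq $level) -or ([int]$level -le 1))   # unknown is treated as exposed
        LmHashStorageOff     = $noLmHash
    }
}

function Set-LmAuthenticationLevel {
    param([ValidateRange(0, 5)][int]$Level = 3, [switch]$DisableLmHash)
    # Level 3: this machine sends only NTLMv2, while a DC at this level still
    # accepts LM and NTLM from legacy clients. Go to 4 or 5 only after every
    # Win9x/NT4 client has the Directory Services Client (slide 66).
    Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Value $Level -Type DWord
    if ($DisableLmHash) {
        # XP/2003 value form. Existing LM hashes disappear only when each
        # password is next changed, so force a change after enabling this.
        Set-ItemProperty -Path $Lsa -Name NoLMHash -Value 1 -Type DWord
    }
}

Get-LmAuthenticationState | Format-List
# Set-LmAuthenticationLevel -Level 3 -DisableLmHash    # uncomment to harden
```

The same two values can be pushed through Group Policy ("Network security: LAN Manager authentication level" and "Network security: Do not store LAN Manager hash value on next password change"); the script is useful for auditing machines that are not receiving policy, which is exactly where an LM downgrade is most likely to survive.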
66. Directory Services Client
- Active Directory Client Extensions for Windows 95, Windows 98, and Windows NT Workstation 4.0
- Adds to the client: AD site awareness, W2K domain logon, Active Directory Service Interfaces (ADSI), DFS client, WAB, and NTLM v2
- Does not add Kerberos, Group Policy or IntelliMirror support, IPSec, L2TP, SPNs, or mutual authentication
- The Windows 9x Active Directory client extension is distributed on the Windows 2000 CD
- The Active Directory client extension for Microsoft Windows NT 4.0 (with SP6a and Microsoft Internet Explorer 4.01 or higher) is on the MS Web site
- No version of the Directory Services Client exists for Windows Me (Millennium)
67. Public Key Infrastructure (1/2)
- PKI adds authentication and encryption services to Windows
- How PKI works
  - PKI is based on certificates managed by a CA that verifies identity
  - Public keys are issued for widespread distribution; the private key stays with the user
  - Anyone can use the public key to encrypt; only the holder of the private key can decrypt
  - When the public key is used first (encrypt) and the private key second (decrypt), this supports confidentiality and key exchange
  - When the private key is used first (sign) and the public key second (verify), this is a digital signature
  - PKI thus provides both identification and authentication
- Numerous applications use digital certificates to provide security: e-mail, Web, digital file signing, smart cards, IPSec, EFS recovery agent
68. Public Key Infrastructure (2/2)
- PKI components
  - Certificate Services
  - CryptoAPI: CSPs provide crypto operations and private key management
  - Certificate stores to store and manage certificates
- Certificate Services
  - Processes certificate requests
  - Verifies access qualifications for requesters
  - Creates and issues certificates for qualified requesters
  - Generates private keys and delivers them to the requester's protected store
  - Manages private key cryptography services
  - Distributes and publishes certificates for public access
  - Manages certificate revocations
  - Stores certificate transactions for auditing
  - Works through the Certification Authority console
69. EFS Issues (1/3)
- EFS (Encrypting File System) is built into Windows 2000, Windows XP, and Windows 2003 NTFS
- Encrypting boot and system files will cause problems, if the system can even boot
- Issues when autoexec.bat is encrypted
  - Users are unable to log on locally
  - Remote resource access fails
- Resolution
  - Decrypt
  - Use the Recovery Console to log on as Admin, delete the file, then recreate it
  - Alter the Registry to bypass the autoexec.bat file, delete it, then recreate it
- EFS protects files at rest on NTFS partitions, not when in transport over the network (SMB carries the plaintext; see slide 19 for WebDAV) or when resident in system memory (i.e. in use by an application)
70. EFS Issues (2/3)
- EFS works using a public key to encrypt files and a private key to decrypt files (more precisely, each file is encrypted with a random symmetric key, and that key is encrypted with the user's public key). If the private key is lost, the files cannot be decrypted
- A user can be designated as an EFS recovery agent who can recover data after the private key of another user is lost
- Through the Certificates snap-in (certmgr.msc), or secpol.msc for the recovery agent's certificate, a private key can be exported to removable media and deleted from the local system
- EFS cannot be used to encrypt system files; use alternatives such as PC Guardian's Encryption Plus for Hard Disks (EPHD)
71. EFS Issues (3/3)
- EFS on Windows 2000 uses DESX for encryption. It can only decrypt using DESX.
- EFS on Windows XP pre-SP1 uses DESX by default, with 3DES available through the FIPS Group Policy setting (slide 17). It can decrypt using DESX or 3DES.
- EFS on Windows XP SP1 and Windows 2003 uses AES for encryption by default. It can decrypt using DESX, 3DES, or AES.
- "EFS Files Appear Corrupted When You Open Them", KB329741: instructions on setting XP SP1 and 2003 to use 3DES or DESX
  - Do not change this setting if there are existing encrypted files
- Attempting to open AES-encrypted files on Windows 2000 or Windows XP pre-SP1 systems will corrupt the files, resulting in data loss!
72. IPSec
- IP Security (a.k.a. IPSec)
- IETF standard security protocol (RFC 2411 provides a roadmap to all related RFCs)
- Provides authentication and encryption
  - AH (Authentication Header): integrity and authentication
  - ESP (Encapsulating Security Payload): integrity, authentication, confidentiality (encryption)
- Operates at layer 3, as a plug-in between the transport (UDP or TCP) and network (IP and others) protocols
- Works with both IPv4 and IPv6
- Wide industry support; expected to become the predominant VPN Internet standard
- Used with Layer 2 Tunneling Protocol (L2TP) for dial-up VPNs; used by itself for network-to-network VPNs
73. IP Security (IPSec) Policies
- Construct IPSec policies using the Windows Security Manager (the IP Security Policy Management snap-in)
- IPSec policies are associated with the default domain policy, the default local policy, or a customized policy
- Includes the ability to negotiate security services (called negotiation policies)
- IP filters let different policies apply to different computers, based on destination and protocol
- To create an IPSec policy
  - Create a named security policy for some container
  - Create negotiation policies
  - Create IP filters and associate them with negotiation policies
74Locking Down Windows Systems
- The first steps to locking down Windows include:
  - Applying service packs
  - Applying needed hotfixes and patches
  - Applying security templates
  - Testing that the resulting configuration is actually secure (scan it; do not assume it)
75Service Packs
- Hotfix: fixes a single issue; apply only if the issue affects you (hotfixes receive less testing than service packs)
- Service Pack: cumulative collection of patches and fixes, tested as a set
- Re-installation of a Service Pack is not necessarily required after installing new drivers or software on Windows 2000/XP/2003, as it was with Windows NT
- Windows 2000 SP4: see later slide
- Windows Server 2003: no service packs available as of 11/14/03; SP1 beta rumored to be in testing for release in late 2004
76Windows 2003 SP1
- Due late 2004
- Will include numerous features and improvements from the Springboard project
- Springboard includes elements and components originally designed for Longhorn, whose release Microsoft has accelerated for Windows 2003 and Windows XP
- Will include:
  - Role-based Security Configuration Wizard (SCW) to quickly configure new servers based on function or role
  - Isolation of insecure network clients
  - VPN quarantine
  - Enterprise-level protection features (not yet revealed)
77Windows 2003 Pre-SP1 Security Issues 1/2
- 23 pre-SP1 hotfixes as of 5/11/2004, including:
- MS04-015 Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)
- MS04-014 Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)
- MS04-012 Cumulative Update for Microsoft RPC/DCOM (828741)
- MS04-011 Security Update for Microsoft Windows (835732); includes the LSASS flaw exploited by the Sasser worm
- MS04-007 ASN.1 Vulnerability Could Allow Code Execution (828028)
- MS04-006 Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (830352)
- MS04-003 Buffer Overrun in MDAC Function Could Allow Code Execution (832483)
- MS03-048 Cumulative Security Update for Internet Explorer (824145)
78Windows 2003 Pre-SP1 Security Issues 2/2
- MS03-045 Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
- MS03-044 Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)
- MS03-043 Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
- MS03-041 Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182)
- MS03-039 Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
- MS03-034 Flaw in NetBIOS Could Lead to Information Disclosure (824105)
- MS03-030 Unchecked Buffer in DirectX Could Enable System Compromise (819696)
- MS03-026 Buffer Overrun In RPC Interface Could Allow Code Execution (823980); exploited by the Blaster worm
- MS03-023 Buffer Overrun In HTML Converter Could Allow Code Execution (823559)
- The remotely exploitable, unauthenticated ones (RPC/DCOM, RPCSS, LSASS, WINS, ASN.1) are the ones worms use; patch those first on anything network-reachable
79Windows 2000 SP5
- Due late 2004, after Windows 2003 SP1 ships
- No reliable details on its contents other than the existing post-SP4 hotfixes (17 as of 5/11/2004):
- MS03-022, MS03-023, MS03-026, MS03-034, MS03-039, MS03-041, MS03-042, MS03-043, MS03-044, MS03-045, MS03-049, MS04-006, MS04-007, MS04-008, MS04-011, MS04-012, MS04-014
80Windows 2000 Service Pack 4
- Released June 2003; generally stable
- Recommended for Windows 2000 Server and Professional
- Available on CD, through Windows Update, and on the Windows 2000 Web site
- SP4 includes 674 fixes (102 for security issues), see KB Q327194. These are in addition to those in SP3 and earlier.
- Release notes for W2K SP4: KB813432
- SP4, like SP3, upgrades the system to 128-bit encryption. If you uninstall SP4 (or SP3), the system remains at 128-bit encryption.
- SP4 includes Internet Explorer 5.01 SP4 and Outlook Express 5.5 SP2
- SP4 adds native 802.1x wireless networking support and native USB 2.0 support to Windows 2000
- There are 14 post-SP4 security issues as of March 2004
81Known Issues with W2K SP4
- Local Security Policy values revert to the values stored in SecEdit.sdb (KB827664): re-apply your security template after installing SP4 and re-verify the settings
- If the Windows Update service is disabled when you install SP4, the installation program re-enables Windows Update without notifying you
- .NET Framework 1.0 programs won't run: a hotfix is available, or upgrade to .NET Framework 1.1 (KB823845)
- Norton Internet Security 2001 is incompatible: upgrade NIS (KB823087)
- Exchange Server can't start its Key Management Service: workaround is database defragmentation (KB818952)
- Other known issues: KB813432
82Windows XP Service Pack 2
- Release date uncertain; current rumor is July 2004
- Will require significant changes to an organization's deployment processes and configuration procedures
- New enforced security and networking defaults (the firewall on by default, tighter RPC/DCOM permissions) will cause numerous applications and services to fail; reconfiguration will be necessary
- RC1 of SP2 is not stable enough for widespread deployment
- RC2 of SP2 is due soon and may be suitable for limited testing; I don't recommend production deployment of these test releases
- Sweeping changes to Windows XP:
  - Improved default security
  - Improved ICF (renamed Windows Firewall), RPC, DCOM, COM
  - Better memory management and protection (Data Execution Prevention against buffer overflow exploitation)
  - Improved IE, Outlook Express, Windows Messenger
83Windows XP Service Pack 1a
- SP1a for Windows XP released on 2/3/2003
- There are 77 post-SP1a security issues as of March 2004
- SP1a and SP1 are identical, except that the Microsoft VM (Java support) is removed from SP1a
- Generally considered stable
- We recommend installation on all XP systems
- Updates XP systems with hotfixes released through late Aug 2002 (MS02-048)
- Includes IE 6 SP1 and USB 2.0
- Does not include Bluetooth
- Known issues: KB324722
- 57 post-SP1a hotfixes as of 5/11/2004
84Windows XP Security Rollup Package 1
- Released 10/14/2003
- An interim release before SP2
- Contains 22 security-related patches in a single installation package
- Includes security patches from SP1 through MS03-039
- KB826939
85Working with Service Packs
- Review the documentation and KB articles associated with the Service Pack and/or hotfix before initiating installation
- Need sufficient free space on the boot partition: about three times the size of the SP, more if uninstall information is saved
- Move the previous SP's uninstall directory from %SystemRoot%\NTServicePackUninstall\ to another safe location
- Back up data, the Registry, and ideally the entire system
- Reboot the system
- Terminate all applications, stop unneeded services, stop debugging, and stop remote control sessions
- Disable the Server service to prevent network access before starting the SP/HF installation (not if you are installing over the network)
- Stop all third-party services requiring disk access, e.g. virus protection and defragmenters/optimizers
- After installation, reboot, confirm the new SP level (winver), and re-enable only the services you stopped
86Managing SPs and HFs
- Service Pack presence is visible through most Help > About screens of native utilities and the WINVER tool
- Hotfix identification varies by hotfix: typically run HOTFIX.EXE or view the Hotfix Registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix) for a list
- Qfecheck: hotfix verification tool from Microsoft
- UpdateEXPERT: SP and HF inventory and installation tool from Sunbelt Software
- HFNetChkPro from Shavlik Technologies: http://www.shavlik.com/pHFNetChkPro.aspx
- All DCs should be maintained at the same SP level; mixing can introduce problems
- Software Update Services (SUS) brings Windows Update in-house and manages it for private networks
- Service packs for Windows 2000, XP, and 2003 can be slipstreamed into an installation share (run the SP package with -s:<share path>) so new installations start at the patched level, or a pre-integrated installation CD may be available
87Lockdown Tools 1/2
- Microsoft Baseline Security Analyzer (MBSA) 1.2
- GUI and command line tool
- Runs on Windows 2003/XP/2000 only, but will scan Windows NT 4.0, Windows 2003, Windows 2000, Windows XP, IIS 4.0, IIS 5.0, SQL 7.0, SQL 2000, IE 5.01, Office 2000/2002/2003, and more
- Lists all necessary or applicable patches, fixes, or security settings for each detected OS and software
- Each issue is scored:
  - Red X: missing
  - Yellow X: possible vulnerability or reminder warning
  - Green check: verified secure setting or control
  - Blue asterisk: reminder or warning of a possible vulnerability
  - Blue information icon: information about the system
- Possible risk: MBSA can create a plaintext report listing exactly which patches each host is missing. With some scripting, a malicious user can turn the results into an automated attack tool, so protect the reports like any other vulnerability data
88Lockdown Tools 2/2
- MBSA was developed with Shavlik Technologies
- Commercial versions are available:
  - HFNetChkPro
  - EnterpriseInspector
  - Both are free for use on up to 10 workstations and 1 server
  - www.shavlik.com
- HFNetChk
  - Command line tool which scans for installed hotfixes
  - Excellent for scanning local and networked systems
  - Does not download or install necessary patches
- CIS benchmark security tool
  - Evaluates a Windows system for compliance against pre-defined security benchmarks
89Security Configuration and Analysis
- MMC snap-ins:
  - Security Configuration and Analysis
  - Security Templates
- Security templates (.inf files) hold account, audit, user-rights, Registry, file-system, and service settings. They can be applied to the local machine or imported into a Group Policy object, so they are the building blocks of security Group Policies rather than a synonym for them
- Several pre-defined security templates for client, server, and DC systems at the basic, compatible, secure, and high-security levels (basic*, compat*, secure*, hisec*)
- Analyze the current security state against a template
- Impose a pre-defined or customized security template
- Create custom templates
- secedit.exe does the same analysis and configuration from the command line, which is what you want for scripted checks across many systems
90Well-known Vulnerabilities
- Windows is exposed to a large number of well-known and often-exploited vulnerabilities
- The following slides discuss many of these along with workarounds and countermeasures
91Services and Security
- Only install necessary services
- Unbind unneeded protocols
- Candidate services to disable/remove:
  - Alerter
  - ClipBook Server
  - Computer Browser
  - DHCP Client
  - Directory Replicator
  - Messenger
  - Net Logon
  - Network DDE
  - Plug and Play
  - RPC Locator
  - Server
  - SNMP Trap Service
  - Spooler
  - TCP/IP NetBIOS Helper
  - Telephony service
  - Workstation
- Unnecessary services offer information-gathering holes or access points
- Some candidates are only safe to remove on stand-alone boxes: Net Logon and Workstation are needed for domain membership, Server for file/print sharing and the admin shares, Plug and Play for device enumeration. Test service removal on non-production systems
- Sysinternals Process Explorer displays DLL dependencies
- See the BlackViper Web site on removing/disabling services
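The audit that goes with this list, as an added example that is not part of the original course: it parses the output of `sc query type= service state= all` (redirect it to a file on the target, or pipe it in) and reports which of the slide's candidate services are actually running, keeping the ones whose removal breaks domain membership or sharing in a separate "review first" bucket. The short-name-to-display-name mapping and the sample output are the example's own, constructed to match these OS versions, not captured from a real host.

```python
"""Audit the running services of a Windows 2000/XP/2003 host against the
disable/remove candidates listed on this slide.  Added example, not from
the course.  Input is the text produced by

    sc query type= service state= all > services.txt

so the check itself runs anywhere.  Short service names below are the
standard ones for these OS versions (mapping is the example author's).
"""
import re
import sys

# Short service name -> display name for the slide's candidates.  Directory
# Replicator exists only on Windows NT 4.0 and so has no entry.
CANDIDATE_SERVICES = {
    "Alerter": "Alerter",
    "ClipSrv": "ClipBook",
    "Browser": "Computer Browser",
    "Dhcp": "DHCP Client",
    "Messenger": "Messenger",
    "Netlogon": "Net Logon",
    "NetDDE": "Network DDE",
    "PlugPlay": "Plug and Play",
    "RpcLocator": "Remote Procedure Call (RPC) Locator",
    "lanmanserver": "Server",
    "SNMPTRAP": "SNMP Trap Service",
    "Spooler": "Print Spooler",
    "LmHosts": "TCP/IP NetBIOS Helper",
    "TapiSrv": "Telephony",
    "lanmanworkstation": "Workstation",
}

# Candidates that break basic operation on most systems; reported separately
# so nobody disables them by reflex.
REVIEW_FIRST = {
    "Netlogon": "needed for domain membership and authentication",
    "PlugPlay": "needed for device enumeration",
    "lanmanserver": "disabling removes file/print sharing and the admin shares",
    "lanmanworkstation": "disabling removes outbound SMB (mapped drives, GPO)",
}

_NAME = re.compile(r"^SERVICE_NAME:\s*(\S+)", re.M)
_STATE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.M)

def parse_sc_query(text):
    """Return {service_name: state} from `sc query` output."""
    services = {}
    # Every record starts with a SERVICE_NAME: line; read STATE inside each.
    for chunk in re.split(r"(?m)^(?=SERVICE_NAME:)", text):
        name = _NAME.search(chunk)
        if name:
            state = _STATE.search(chunk)
            services[name.group(1)] = state.group(1) if state else "UNKNOWN"
    return services

def audit(services):
    """Split running candidate services into (disable_now, review_first)."""
    by_lower = {k.lower(): k for k in CANDIDATE_SERVICES}   # sc names are case-insensitive
    disable_now, review_first = [], []
    for name, state in services.items():
        key = by_lower.get(name.lower())
        if key is None or state != "RUNNING":
            continue
        if key in REVIEW_FIRST:
            review_first.append((key, CANDIDATE_SERVICES[key], REVIEW_FIRST[key]))
        else:
            disable_now.append((key, CANDIDATE_SERVICES[key]))
    return sorted(disable_now), sorted(review_first)

# Constructed sample of `sc query` output (not captured from a real host).
SAMPLE = """\
SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING

SERVICE_NAME: W32Time
DISPLAY_NAME: Windows Time
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    now, review = audit(parse_sc_query(text))
    for name, display in now:
        print("DISABLE  %s (%s)" % (display, name))
    for name, display, why in review:
        print("REVIEW   %s (%s): %s" % (display, name, why))
```

Run it as `sc query type= service state= all | python audit_services.py` on the host, or against a saved file from any workstation. The split into two buckets is deliberate: Alerter, Messenger, or Spooler on a server that does not print can be stopped and set to Disabled immediately, while Server or Workstation deserve a conscious decision per box.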
92SNMP Problems
- If using SNMP, remove or alter the default "public" community (and "private", if present), and restrict the accepted hosts in the SNMP service properties
- Anyone with an SNMP browser can poll the public community: user names, shares, running services, and interface addresses are all exposed by the default Windows MIBs
- snmputil from the Resource Kit:
  - snmputil walk <IP address> public <OID>
- An OID identifies a specific branch in the MIB (for example, 1.3.6.1.2.1.1 is the MIB-II system group)
- IP Network Browser from SolarWinds offers GUI exploration of the public community; Cerberus Internet Scanner (www.cerberus-infosec.co.uk) also enumerates SNMP
- Don't deploy SNMP unless you use it, and block UDP/161 at the perimeter either way
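What `snmputil walk <IP address> public <OID>` does on the wire, as an added example that is not part of the original course: an SNMPv1 GetNext loop with the BER encoding written out by hand (standard library only), so the exchange is visible rather than hidden in a tool. Any host that can reach UDP/161 and guesses the community string gets the same answers. `SAMPLE_RESPONSE` is built with the module's own encoder to look like a Windows 2000 sysDescr reply; it is constructed, not captured from a device.

```python
"""SNMPv1 GetNext walk done by hand, the same operation as
`snmputil walk <IP address> public <OID>`: whoever can reach UDP/161 with
the community string reads the MIB.  Added example, not part of the
course; standard library only.  SAMPLE_RESPONSE is built with this
module's own encoder, not captured from a real device."""
import socket

SNMP_V1 = 0
GETNEXT, GETRESPONSE = 0xA1, 0xA2
SYSTEM_BASE = "1.3.6.1.2.1.1"            # MIB-II system group

def _len(n):                              # BER length: short form below 128
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _int(v):                              # two's complement, minimal length
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _oid(dotted):                         # first two arcs share one byte, rest base-128
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        groups = [p & 0x7F]
        p >>= 7
        while p:                          # continuation bit on all but the last group
            groups.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(groups))
    return _tlv(0x06, bytes(body))

def build_pdu(pdu_type, community, oid, request_id, value=b"\x05\x00"):
    """SNMPv1 message carrying one varbind (value defaults to ASN.1 NULL)."""
    varbind = _tlv(0x30, _oid(oid) + value)
    pdu = _tlv(pdu_type, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(SNMP_V1) + _tlv(0x04, community.encode()) + pdu)

def _read(buf, pos):                      # one TLV: (tag, body, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                         # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def parse_response(pkt):
    """Return (request_id, error_status, oid, value) from a GetResponse."""
    _, msg, _ = _read(pkt, 0)
    _, _, p = _read(msg, 0)               # version
    _, _, p = _read(msg, p)               # community
    tag, pdu, _ = _read(msg, p)
    if tag != GETRESPONSE:
        raise ValueError("unexpected PDU type 0x%02x" % tag)
    _, rid, p = _read(pdu, 0)
    _, err, p = _read(pdu, p)
    _, _, p = _read(pdu, p)               # error-index
    _, vbl, _ = _read(pdu, p)
    _, vb, _ = _read(vbl, 0)
    _, oid, p = _read(vb, 0)
    vtag, vbody, _ = _read(vb, p)
    if vtag == 0x04:                      # OCTET STRING
        value = vbody.decode("latin-1")
    elif vtag in (0x02, 0x41, 0x42, 0x43):  # INTEGER, Counter32, Gauge32, TimeTicks
        value = int.from_bytes(vbody, "big", signed=(vtag == 0x02))
    elif vtag == 0x06:
        value = _decode_oid(vbody)
    else:                                 # NULL, IpAddress, noSuchObject, ...
        value = vbody
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), _decode_oid(oid), value)

def snmp_walk(host, community="public", base=SYSTEM_BASE, timeout=2.0):
    """Yield (oid, value) for every object under `base`, like snmputil walk."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    oid, rid = base, 1
    while True:
        sock.sendto(build_pdu(GETNEXT, community, oid, rid), (host, 161))
        _, err, oid, value = parse_response(sock.recv(65535))
        if err or not oid.startswith(base + "."):
            return                        # noSuchName, or walked out of the subtree
        yield oid, value
        rid += 1

# Constructed GetResponse for sysDescr.0, shaped like a Windows host's reply.
SAMPLE_RESPONSE = build_pdu(
    GETRESPONSE, "public", "1.3.6.1.2.1.1.1.0", 1,
    _tlv(0x04, b"Hardware: x86 Family 6 - Software: Windows 2000 Version 5.0"))
```

Against a live agent, `for oid, value in snmp_walk("10.0.0.5"): print(oid, value)` prints the system group; pass `base="1.3.6.1.4.1.77.1.2.25"` to list user accounts from the LanMan MIB on a Windows agent. If the walk returns nothing at all, the community is wrong or the agent's accepted-hosts list is doing its job, which is the state you want.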
93Raw Sockets
- Windows 2003, Windows XP, Windows 2000, UNIX, and Linux restrict full raw sockets to administrative or root access
- However, on stand-alone Windows XP Professional and Home systems, all local users are administrators by default, so every user has raw socket access
- Full raw sockets bypass the TCP/IP stack's normal processing and give direct access to the underlying network transport
- Full raw sockets were originally designed as research tools, not for real-world OSes
- Full raw sockets allow spoofed IP addresses and SYN floods
- Internet Explorer's defaults can download and install software without the user's knowledge, so untrusted code ends up running with that administrator's raw socket access
- Use GRC.com's SocketToMe and SocketLock to detect raw socket access and restrict it to SYSTEM only
- Windows XP SP2 later restricted raw sockets at the OS level (no raw TCP sends, no spoofed source addresses)
94Enumeration Using Telnet Client (1/2)
- Use any telnet client
- telnet <domain name or IP> port
- Followed by pressing Enter several times
- Test common ports: 80 (Web), 21 (FTP), 25 (SMTP), etc.
- Many services respond with an error message (a.k.a. banner) listing information about the service on that port
- For example:
  - HTTP/1.1 400 Bad Request
  - Server: Microsoft-IIS/6.0
  - Date: Wed, 23 Aug 2000 16:19:04 GMT
- The Server header alone tells an attacker which product and version to target, and therefore which patches and exploits apply
- Web server enumeration tool ID Serve from GRC: http://grc.com/id/idserve.htm
95Enumeration Using Telnet Client (2/2)
- Protection:
  - Remove default banners where possible
  - Check open ports with a scanner (nmap) and close what is not needed
  - Prevent remote Registry access
- Don't rely on obscurity as your only means of security; a masked banner slows fingerprinting, it does not remove the vulnerability behind it
- IIS's URLScan utility can suppress the Server header on any version of IIS (RemoveServerHeader=1 in urlscan.ini) and rejects malformed requests before IIS processes them. See Knowledge Base 317741, "HOW TO: Mask IIS Version Information from Network Trace and Telnet"
- Avoid the telnet service whenever possible; use secure alternatives such as remote control software (e.g. PCAnywhere), SSH (secure shell), or stunnel
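The telnet-and-press-Enter procedure from the previous two slides, scripted, as an added example that is not part of the original course (standard library only). `grab_banner` does what the telnet client does; `fingerprint` reads the reply and reports whether the Server header leaks product and version, product only, or nothing, which is the check to run after deploying URLScan. The two sample replies are constructed to look like IIS before and after RemoveServerHeader=1; they were not captured from real hosts.

```python
"""Banner grab and fingerprint of a Web server: the scripted version of
"telnet <host> 80 and press Enter a few times".  Added example, not part
of the course; standard library only.  The sample responses are
constructed to look like IIS with and without URLScan's
RemoveServerHeader, not captured from real hosts.
"""
import socket

def grab_banner(host, port=80, timeout=3.0, probe=b"\r\n\r\n"):
    """Connect, send `probe` (two CRLFs, like pressing Enter twice in a
    telnet client), and return whatever the service replies."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(probe)
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass                          # many services just stop talking
    return b"".join(chunks)

def parse_http_banner(raw):
    """Return {'status': ..., 'headers': {lowercase-name: value}} from the
    status line and headers of an HTTP reply, or None if it is not HTTP."""
    text = raw.decode("latin-1")
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}

def fingerprint(raw):
    """Classify how much the HTTP banner discloses about the server."""
    info = parse_http_banner(raw)
    if info is None:
        return {"http": False, "server": None, "disclosure": "not-http"}
    server = info["headers"].get("server")
    if server is None:
        level = "masked"                  # e.g. URLScan RemoveServerHeader=1
    elif "/" in server:
        level = "product-and-version"     # e.g. Microsoft-IIS/6.0
    else:
        level = "product-only"
    return {"http": True, "server": server, "disclosure": level,
            "status": info["status"]}

# Constructed samples (not captured from real servers).
SAMPLE_DEFAULT = (b"HTTP/1.1 400 Bad Request\r\n"
                  b"Server: Microsoft-IIS/6.0\r\n"
                  b"Date: Wed, 23 Aug 2000 16:19:04 GMT\r\n"
                  b"Content-Type: text/html\r\n"
                  b"Content-Length: 35\r\n\r\n"
                  b"<h1>Bad Request (Invalid URL)</h1>")
SAMPLE_MASKED = (b"HTTP/1.1 404 Not Found\r\n"
                 b"Date: Tue, 11 May 2004 14:02:11 GMT\r\n"
                 b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    print(fingerprint(grab_banner(host) if host else SAMPLE_DEFAULT))
```

`python banner.py www.example.com` prints the classification for a live host; with no argument it runs on the constructed IIS sample. A "masked" result only means the header is gone: the 400/404 body text, header order, and error page formatting still identify IIS to a careful attacker, which is the obscurity caveat above in practice.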
96File Streaming
- NTFS alternate data streams (ADS): a method for hiding executables (or any data) inside another file
- Streams can be created with the Resource Kit's POSIX cp tool, or with nothing more than the built-in shell:
  - cp <file> <hostfile>:<file>
  - type <file> > <hostfile>:<file>
- Streamed files can be executed without extraction using:
  - start <hostfile>:<file>
- Streams can be attached to files and directories
- Streams are invisible to dir, Explorer, and the reported file size: a great way for intruders to hide toolkits
- Locate streamed files with:
  - LADS (Locate Alternate Data Streams): www.heysoft.de/nt/ntfs-ads.htm
  - Streams: www.sysinternals.com/misc.htm
- SANS warning: http://www.sans.org/newlook/alerts/NTFS.htm
- Removing or disabling the POSIX subsystem does not remove the capability: streams are an NTFS feature, existing streams keep working, and new ones can still be created with the built-in commands above. Copying a file to FAT, or through a tool that is not stream-aware, silently drops its streams.
97Boot Partition Conversion Problem
- If Windows 2000 is installed onto a FAT/FAT32 formatted boot partition and later converted to NTFS with convert.exe, the correct default security permissions are not applied to the files on the boot partition (the converted volume is left at Everyone: Full Control)
- Use the SECEDIT tool to apply the correct permissions: Q237399
- Verify afterwards with cacls %SystemRoot%; Everyone:F is the symptom
- If NT 4.0 was installed with SYSPREP, a bug prevents the Win2K upgrade from converting a FAT boot partition to NTFS
- You must manually convert the drive; there is no other MS fix: Q256917
9851 IP Addresses
- A Windows 2000 Server acting as a domain controller cannot support more than 51 IP addresses out of the box
- A bug in Active Directory causes the error
- Attempting to add the 52nd address renders the system unable to:
  - Authenticate users
  - Launch and use administrative tools
- The limitation is per server, not per NIC
- Corrected in SP2
- Only workarounds before SP2:
  - Add a second system
  - Use the W2K server as a non-domain controller
99Administrative shares
- C$, D$, ... (one per fixed drive), plus ADMIN$ (%SystemRoot%) and IPC$
- Hidden/system shares (the trailing $ keeps them out of browse lists, nothing more)
- Accessed from any client on the network
- Can be accessed over VPN, RAS, PPTP
- Only require an admin name and password, so a guessed administrator password means full remote file access
- The drive and ADMIN$ shares can be disabled by setting the AutoShareServer (server) or AutoShareWks (workstation) DWORD value to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters; IPC$ remains, and some management tools depend on ADMIN$
100Hidden Systems
- NET CONFIG SERVER /HIDDEN:YES|NO
- Removes the system from browse lists (it is still fully reachable by name or address)
- Prevents the Server service from being tuned via the Network applet
- Disables auto-tuning
- To restore auto-tuning, edit the Registry and correct the entries in the LanmanServer Parameters section
- See KB 128167, 321710, 314498
101Predefined accounts
- Administrator
  - Can be renamed
  - Requires a non-blank password on Domain Controllers
  - Cannot be locked out (the Resource Kit's passprop /adminlockout only locks it out for network logons); cannot be disabled on Windows 2000, and on XP/2003 a disabled Administrator can still log on in Safe Mode
  - Cannot be deleted
  - Password never expires
  - Password cannot be stored with reversible encryption
  - Smart card cannot be required
  - Cannot be delegated
  - DES cannot be used and Kerberos is required
  - Always has RID 500, so renaming it does not hide it from SID/RID enumeration
- Guest
  - Can be renamed
  - Blank password by default
  - Can be locked out and disabled
  - Cannot be deleted
  - Disabled by default
- Remember: everyone knows these accounts exist
102The IIS Accounts
- IUSR_computername
  - Created by IIS for anonymous Web and FTP access (IWAM_computername is created alongside it for out-of-process Web applications)
  - Holds the Log on Locally right
  - Member of Guests, and of Domain Users on DCs
  - Non-blank random password
  - Anonymous access enabled by default
  - Can be renamed; requires the change in Active Directory Users and Computers (or Local Users and Groups) as well as in both IIS's Web and FTP server Properties
- Remove it from the Domain Users and Guests groups, and grant it NTFS permissions only on the Web content it serves, to limit anonymous access to the Web site alone
103SAM Deletion
- Deleting the \winnt\system32\config\sam file (from outside the running OS, since Windows keeps it locked) destroys all local user accounts and assigns a blank password to Administrator
- Use only as a last resort
- All local security settings related to users and groups are destroyed; on a domain controller the domain accounts live in Active Directory, not the SAM, so this touches only the Directory Services Restore Mode administrator
104Replace Passwords
- Winternals Locksmith
  - Used to replace a user account password
  - Works on any account, including Administrator
  - Requires physical access
  - Requires NTRecover or Remote Recover
- NTRecover allows data from one system to be moved across a serial cable to another system. The source system is booted with a floppy to bypass security or to recover a failed system.
- Winternals: www.winternals.com
- Similar tool: ntpasswd, http://home.eunet.no/pnordahl/ntpasswd/
- Caveat: on Windows XP and later, resetting a local account's password from outside the account (rather than the user changing it) destroys access to that user's EFS-encrypted files and other DPAPI-protected secrets. On a stand-alone Windows 2000 system the local Administrator is the default EFS recovery agent, so resetting its password this way recovers every user's EFS files unless the recovery key was exported and removed as recommended on the EFS slides.
- Lesson for defenders: anyone with physical access and a boot floppy owns every local account, which is why boot-order locks, chassis locks, and physical security are part of Windows security
105Who is the Admin?
- List admins with:
  - NET GROUP "Domain Admins" /DOMAIN
- Get more details on each listed user with:
  - NET USER username /DOMAIN | more
- Decoys (next slide) only fool external users
- Any valid user can use NetBIOS/SMB queries to extract information about users and systems, and with RestrictAnonymous left at 0 so can an unauthenticated null session
106Administrator Decoy
- Rename the real Administrator account with a subtle, non-obvious name; avoid admin, sysop, root, master
- Create a new decoy account named Administrator with a simple password
- Remove all access privileges and group memberships from the decoy; it must be able to do nothing, since a decoy with a weak password and any rights at all is a liability
- Audit every action and logon attempt against it
- Consider creating fake confidential content to snag intruders long enough to be detected and located (i.e. a honeypot)
- This method only hides the Admin account from external intruders: Domain Admins can always discover accounts, and the real account still has RID 500, so anyone who can resolve SIDs (sid2user, or any null-session enumeration tool) finds it regardless of its name
107Double Admin Accounts
- Each administrator needs two accounts:
  - An administrative account for management work
  - A normal user account for daily work (mail, browsing, documents)
- No two admins should ever share an account
- Restrict/delegate each admin to his or her segment/resource responsibilities
- Only grant Admin access to trusted users
- Keep local Admins out of the Domain Admins global group to control access levels
- Audit admin account activities
- Be pessimistic about offering admin access
- Revoke the "Access this computer from the network" User Right for all admin accounts (this also blocks remote administration tools, so scope it deliberately); requires physical presence at syst