W3 Microsoft SQL Server
How to determine if you are vulnerable.
■ Check the registry for the following value:
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer
If set, it means that SQL Server or SQL Server Desktop Engine is installed.
■ Use the Microsoft Baseline Security Analyzer (MBSA) to check for missing patches and hotfixes.
W3 Microsoft SQL Server
How to Protect Against It.
■ Apply the latest service pack for Microsoft SQL Server.
■ Apply the latest cumulative patch that is released after the latest service pack.
■ Apply any individual patches that are released after the latest cumulative patch.
■ Secure the server at system and network level.
■ Perform periodic vulnerability assessments of your SQL servers.
W3 Microsoft SQL Server
How to Protect Against It - Secure the server.
■ Ensure that the built-in "sa" account has a strong password, even if your SQL server does not run using this account.
■ Run the MSSQLServer service and SQL Server Agent under a valid domain account with minimal privileges, not as a domain administrator or the SYSTEM (on NT) or LocalSystem (on 2000 or XP) account.
W3 Microsoft SQL Server
■ Enable Windows NT Authentication. Enable auditing for successful and failed logins. Stop and restart the MSSQLServer service. Configure your clients to use NT authentication.
■ Packet filtering should be performed at network borders to prohibit non-authorized, externally-initiated inbound connections to services. Ingress filtering of TCP ports 1433 and 1434 could prevent attackers outside of your network from scanning or infecting vulnerable Microsoft SQL servers in the local network that are not explicitly authorized to provide public SQL services.
W3 Microsoft SQL Server
■ If TCP ports 1433 and 1434 need to be available on your Internet gateways, enable and customize egress/ingress filtering to prevent misuse of these ports.
W4 NETBIOS - Unprotected Windows Networking Shares
How to determine if you are vulnerable.
■ Use the Microsoft Baseline Security Analyzer (MBSA) to check if the server is vulnerable to SMB exploits.
– http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp
■ Use any other available network scanner. Please be advised that proper testing should be performed before starting to use unfamiliar tools in a production environment.
W4 NETBIOS - Unprotected Windows Networking Shares
How to Protect Against It.
■ Disable sharing wherever it is not required.
■ Do not permit sharing with hosts on the Internet. Ensure all Internet-facing hosts have Windows network shares disabled.
■ Do not permit unauthenticated shares. If file sharing is required, then don't permit unauthenticated access to a share.
W4 NETBIOS - Unprotected Windows Networking Shares
■ Restrict shares to only the minimum folders required. Generally, only one folder and possibly sub-folders of that folder.
■ Restrict permissions on shared folders to the minimum required. Be especially careful to only permit write access when it is absolutely required.
■ For added security, allow sharing only to specific IP addresses because DNS names can be spoofed.
W4 NETBIOS - Unprotected Windows Networking Shares
■ Block ports used for Windows shares at your network perimeter. Block the NetBIOS ports commonly used by Windows shares at your network perimeter using either your external router or perimeter firewall. The ports that should be blocked are 137-139 TCP and 137-139 UDP, and 445 TCP and 445 UDP.
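The W4 share recommendations above (minimum shares, minimum permissions, no unauthenticated access, write access only where required) can be audited on a host with the following PowerShell script. It is an added example, not part of the original slides; it assumes the SmbShare module (Get-SmbShare / Get-SmbShareAccess, Windows 8 and Server 2012 or later) and an elevated session, and it reports share-level permissions only, so NTFS permissions on the shared folder still need separate review.

```powershell
function Get-ShareExposureReport {
    # Lists every non-administrative SMB share on this host together with the
    # share-level grants the W4 slides ask you to minimise. Each row carries a
    # Findings list; an empty list means none of the slide's rules is violated.
    # Principals that amount to "anyone" or unauthenticated access.
    $broadPrincipals = @('Everyone',
                         'ANONYMOUS LOGON', 'NT AUTHORITY\ANONYMOUS LOGON',
                         'BUILTIN\Guests', 'Guests')

    # -Special $false skips the administrative shares (C$, ADMIN$, IPC$).
    foreach ($share in Get-SmbShare -Special $false) {
        # Only Allow entries grant access; Deny entries are ignored here.
        $allow = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' }

        $broad = $allow | Where-Object { $broadPrincipals -contains $_.AccountName }
        # AccessRight is an enum (Full, Change, Read, Custom); Change and Full
        # both permit writing to the share.
        $write = $allow | Where-Object { "$($_.AccessRight)" -in @('Full', 'Change') }
        $broadWrite = $broad | Where-Object { "$($_.AccessRight)" -in @('Full', 'Change') }

        $findings = @()
        if ($broad)      { $findings += 'broad or unauthenticated principal granted access' }
        if ($write)      { $findings += 'write (Change/Full) access granted' }
        if ($broadWrite) { $findings += 'broad principal can write: review first' }

        [pscustomobject]@{
            Share    = $share.Name
            Path     = $share.Path
            Grants   = @($allow | ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" })
            Findings = $findings
        }
    }
}

# Show only the shares that violate at least one of the slide's rules.
Get-ShareExposureReport | Where-Object { $_.Findings.Count -gt 0 } | Format-List
```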
W5 Anonymous Logon - Null Sessions
How to determine if you are vulnerable.
■ Try to establish a Null session using the following command:
net use \\a.b.c.d\ipc$ "" /user:""
where a.b.c.d is the IP address of the remote system.
W5 Anonymous Logon - Null Sessions
How to Protect Against It.
■ Modify the RestrictAnonymous Registry key
HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous
– Restricts anonymous users from displaying lists of users and from viewing security permissions.
– Note: This setting may have a negative impact on domain controller operations. Test the setting BEFORE you apply it to a production network.
W5 Anonymous Logon - Null Sessions
■ Modify the RestrictAnonymous Registry key
– Available Settings:
• 0 (Disabled): Anonymous users are not restricted.
• 1 (Enabled): Users who log on anonymously (also known as null session connections) cannot display lists of domain user names or share names.
• 2 (Enabled): Anonymous users have no access without explicit anonymous permissions (only in W2K/XP versions).
■ Block TCP and UDP ports 135, 137, 138, 139 and 445 at the external router or firewall.
W6 LAN Manager Authentication
How to determine if you are vulnerable.
■ If you are running a default installation of NT, 2000 or XP, you are vulnerable since LAN Manager hashes are stored locally by default.
■ If you have legacy operating systems in your environment that require LM authentication in order to communicate with servers, then you are vulnerable because those machines send LM hashes which can be sniffed off the network.
W6 LAN Manager Authentication
How to Protect Against It.
■ Disable LM Authentication across the network.
Set the LMCompatibilityLevel Registry key (in HKLM\System\CurrentControlSet\Control\LSA) to:
– If all of your systems are Windows NT SP4 or later, you can set this to 3 on all clients and 5 on all domain controllers to prevent any transmission of LM hashes on the network.
– Legacy systems (such as Windows 95/98) will not use NTLMv2 with the default Microsoft Network Client. To get NTLMv2 capability, install the Directory Services Client. Once installed, the registry value name is "LMCompatibility," and the allowed values are 0 or 3.
W6 LAN Manager Authentication
■ Prevent the LM Hash from Being Stored.
– One major problem with simply removing the LM hashes being passed over the network is that the hashes are still created and stored in the SAM or Active Directory.
Microsoft has a mechanism available for turning off the creation of the LM hashes altogether, but only in Windows 2000 and XP.
• Windows 2000: HKLM\System\CurrentControlSet\Control\LSA\NoLMHash
• Windows XP: HKLM\System\CurrentControlSet\Control\LSA (Value:
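The RestrictAnonymous (W5), LMCompatibilityLevel and NoLMHash (W6) settings all live under the same LSA key, so one PowerShell audit can check a host against the recommendations on these slides. This is an added example, not part of the original slides; it assumes an elevated session on the host being checked and uses Win32_ComputerSystem.DomainRole to decide whether the host is a domain controller (for the 3-versus-5 LMCompatibilityLevel rule).

```powershell
function Test-LsaHardening {
    # Returns one finding per LSA setting discussed on the W5 and W6 slides:
    # the current data, the recommended data, and whether the host complies.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Without -Name, Get-ItemProperty exposes every value on the key as a
    # property, and values that do not exist simply read back as $null.
    $props = Get-ItemProperty -Path $lsa -ErrorAction Stop

    # DomainRole 4 = backup domain controller, 5 = primary domain controller.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    # Slide recommendation: 3 on clients and member servers, 5 on domain controllers.
    $lmTarget = if ($isDc) { 5 } else { 3 }

    $restrictAnon = $props.RestrictAnonymous
    $lmLevel      = $props.LMCompatibilityLevel
    # Windows 2000 used a NoLMHash subkey, Windows XP a NoLMHash value set to 1;
    # either form stops new LM hashes from being stored in the SAM or AD.
    $noLmHashSet = ($props.NoLMHash -eq 1) -or (Test-Path -Path (Join-Path $lsa 'NoLMHash'))

    # A missing value compares as $null, and $null -ge 1 is $false, so an
    # unset value is reported as non-compliant without special casing.
    [pscustomobject]@{
        Setting     = 'RestrictAnonymous'
        Current     = if ($null -eq $restrictAnon) { 'not set (behaves as 0)' } else { $restrictAnon }
        Recommended = '1 at minimum; 2 on Windows 2000/XP'
        Compliant   = [bool]($restrictAnon -ge 1)
    }
    [pscustomobject]@{
        Setting     = 'LMCompatibilityLevel'
        Current     = if ($null -eq $lmLevel) { 'not set (behaves as 0, LM responses sent)' } else { $lmLevel }
        Recommended = "$lmTarget or higher (domain controller: $isDc)"
        Compliant   = [bool]($lmLevel -ge $lmTarget)
    }
    [pscustomobject]@{
        Setting     = 'NoLMHash'
        Current     = if ($noLmHashSet) { 'set' } else { 'not set (LM hashes still stored)' }
        Recommended = 'set (Windows 2000 subkey or Windows XP value)'
        Compliant   = $noLmHashSet
    }
}

# Rows with Compliant = False are the settings still at the vulnerable default.
Test-LsaHardening | Format-Table -AutoSize
```

Remember the slide's own caveat: RestrictAnonymous and a raised LMCompatibilityLevel can break domain controller operations and legacy clients, so test on a non-production system before changing anything the report flags.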
W6 LAN Manager Authentication
How to Protect Against It - additional references.
■ How to Disable LM Authentication on Windows NT [Q147706]
– http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B147706
■ LMCompatibilityLevel and Its Effects [Q175641]
– http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B175641
W6 LAN Manager Authentication
■ How to Enable NTLMv2 Authentication for Windows 95/98/2000/NT [Q239869]
– http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B239869
■ New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager
– http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B299656
W7 General Windows Authentication
How to determine if you are vulnerable.
■ Test the passwords using a known password cracker.
■ Note: Never run a password scanner, even on systems for which you have administrative access, without explicit and preferably written permission from your employer. Administrators with the most benevolent of intentions have been fired for running password cracking tools without authority to do so.
W7 General Windows Authentication
How to Protect Against It.
■ Ensure that passwords are strong.
■ Protect strong passwords.
■ Tightly control accounts.
■ Maintain a strong password policy for the enterprise.
W7 General Windows Authentication
How to Protect Against It - Tools.
■ LC4 (l0phtcrack version 4)
– http://www.atstake.com/research/lc/
■ John the Ripper
– http://www.openwall.com/john/
■ Symantec NetRecon
– http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=46
W8 Internet Explorer
How to determine if you are vulnerable.
■ Make sure the latest service packs, hotfixes and patches are installed. This could be done by:
– Windows Update service
– Network Security Hotfix Checker (HFNetChk)
– Microsoft Baseline Security Analyzer (MBSA)
W8 Internet Explorer
How to Protect Against It.
■ Apply the latest service pack for Internet Explorer.
■ Apply the latest cumulative patch that is released after the latest service pack.
■ Apply any individual patches that are released after the latest cumulative patch.
W9 Remote Registry Access
How to determine if you are vulnerable.
■ The NT Resource Kit (NTRK) available from Microsoft contains an executable file entitled "regdump.exe" that will passively test remote registry access permissions from a Windows NT host against other Windows NT/Windows 2000 or Windows XP hosts on the Internet or internal network.
– http://msdn.microsoft.com/library/default.asp?url=/library/en-us/apcguide/htm/utilities_10.asp
■ A collection of command line shell scripts that will test for registry access permissions and a range of other related security concerns.
W9 Remote Registry Access
How to Protect Against It.
■ Restrict Network Access.
– To restrict network access to the registry create the following Registry key:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
• Description: REG_SZ
• Value: Registry Server
– Security permissions set on this key define the Users or Groups that are permitted remote Registry access. Default Windows installations define this key and set the Access Control List to provide full privileges to the system Administrator and Administrators Group (and Backup Operators in
W9 Remote Registry Access
■ Limit the authorized remote access.
– Enforcing strict restrictions upon the registry can have adverse side effects upon dependent services, such as the Directory Replicator and the network printer Spooler service.
– It is therefore possible to add a degree of granularity to the permissions, by adding either the account name that the service is running under to the access list of the "winreg" key, or by configuring Windows to bypass the access restriction to certain keys by listing them in the Machine or Users value under the AllowedPaths key.
W9 Remote Registry Access
■ For Windows NT:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
– Value: Machine
• Value Type: REG_MULTI_SZ - Multi string
• Default Data:
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\Windows NT\CurrentVersion
System\CurrentControlSet\Services\Replicator
• Valid Range: (A valid path to a location in the registry)
• Description: Allow machines access to listed locations in the registry provided
W9 Remote Registry Access
– Value: Users
• Value Type: REG_MULTI_SZ - Multi string
• Default Data: (none)
• Valid Range: (A valid path to a location in the registry)
• Description: Allow users access to listed locations in the registry provided that no explicit access restrictions exist for that location.
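The two W9 controls above, the ACL on the winreg key and the AllowedPaths bypass list, are worth checking together, since an entry added to AllowedPaths\Machine or \Users opens that registry path to remote callers no matter how tight the winreg ACL is. The PowerShell audit below is an added example, not part of the original slides; it assumes an elevated session on the host and compares the Machine list against the Windows NT default data listed on the slide.

```powershell
function Get-RemoteRegistryAccessReport {
    # Reports who may open the remote registry pipe (winreg ACL) and which
    # registry paths the AllowedPaths values expose regardless of that ACL.
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

    # Windows NT default data for AllowedPaths\Machine, as listed on the slide.
    # Any path beyond this list widens remote access and needs a justification.
    $ntDefaultMachinePaths = @(
        'System\CurrentControlSet\Control\ProductOptions',
        'System\CurrentControlSet\Control\Print\Printers',
        'System\CurrentControlSet\Services\Eventlog',
        'Software\Microsoft\Windows NT\CurrentVersion',
        'System\CurrentControlSet\Services\Replicator'
    )

    if (-not (Test-Path -Path $winreg)) {
        # The slide says this key must be created to restrict network access;
        # without it there is no ACL gate on remote registry connections.
        return [pscustomobject]@{
            KeyPresent = $false; Allowed = @(); MachinePaths = @()
            ExtraMachinePaths = @(); UserPaths = @()
        }
    }

    # Every identity with an Allow ACE on winreg can connect to the remote
    # registry service. The slide's default is the Administrators group.
    $allowed = (Get-Acl -Path $winreg).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { "$($_.IdentityReference) ($($_.RegistryRights))" } |
        Sort-Object -Unique

    # AllowedPaths\Machine and \Users are REG_MULTI_SZ; a missing key or value
    # reads back as $null, which is normalised to an empty list here.
    $ap = Get-ItemProperty -Path (Join-Path $winreg 'AllowedPaths') -ErrorAction SilentlyContinue
    $machinePaths = @(); if ($ap -and $ap.Machine) { $machinePaths = @($ap.Machine) }
    $userPaths    = @(); if ($ap -and $ap.Users)   { $userPaths    = @($ap.Users) }

    # -notcontains is case-insensitive, matching how the registry treats paths.
    $extra = $machinePaths | Where-Object { $ntDefaultMachinePaths -notcontains $_ }

    [pscustomobject]@{
        KeyPresent        = $true
        Allowed           = $allowed
        MachinePaths      = $machinePaths
        ExtraMachinePaths = @($extra)
        # The slide's default for Users is (none), so any entry is a widening.
        UserPaths         = $userPaths
    }
}

Get-RemoteRegistryAccessReport | Format-List
```

Non-empty ExtraMachinePaths or UserPaths, or an Allowed list containing more than Administrators (and Backup Operators where the platform adds them), are the items to reconcile against the service accounts the slide says may legitimately need access.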
W9 Remote Registry Access
■ In the Microsoft Windows 2000 and Windows XP Registry: