Five Steps to Improve Internal Network Security
Who Am I?
Security Analyst: Sword & Shield
Blogger: averagesecurityguy.info
Developer: github.com/averagesecurityguy
I have been in IT since 2000 and in Information Security since 2006. I have worked as a programmer, technical trainer, system administrator, and information security auditor. I currently work as a Security Analyst at Sword & Shield, I maintain a blog at
Since 1997 Sword & Shield Enterprise
Security has been the trusted information
security partner for more than 3,000 clients
in all 50 states and 27 countries around the
globe. We serve clients in the financial,
Five Steps
1. Disable LM Hashes
2. Change Shared Local Admin Passwords
3. Disable Open File Shares
4. Change Default/Blank Passwords
5. Disable RDP Access
Disclaimer
I see most things in black and white with a
few shades of grey coming into focus once
in a while. Disable is very black and white
Disable LM Hashes
LM is a weak hashing algorithm that breaks a
password of 14 characters or less into two
7-character halves, each of which is hashed
and cracked independently.
Many tools exist to crack LM hashes.
Disable LM Hashes
Group Policy
1. Open Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
2. Enable "Network security: Do not store LAN Manager hash value on next password change."
Local Machine
1. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
2. Add a DWORD value named NoLMHash
3. Set the value to 1
Disable LM Hashes
Are You Sure?
LM hashes are no longer saved to disk, but they are
still created in memory, which means they
can still be extracted and cracked.* The only
complete solution is to use 15-character passwords.
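An added audit example, not from the slides, that checks whether LM hashes are still present after the NoLMHash setting is applied. It assumes a pwdump-style dump format (`user:rid:lmhash:nthash:::`) and uses the well-known LM value of an empty 7-character half to tell apart accounts with no LM hash, accounts whose password was 7 characters or less (only one half used), and accounts whose 8-14 character password produced two crackable halves.

```python
# Added audit example (not from the slides). Classifies the LM hash
# field of pwdump-style lines "user:rid:lmhash:nthash:::" so you can
# verify that NoLMHash took effect and spot passwords short enough that
# LM used only one 7-character half.

# LM hashes each 7-character half independently; this well-known constant
# is the LM value of an empty half, so it marks an unused half or, doubled,
# a missing LM hash.
EMPTY_HALF = "aad3b435b51404ee"
NO_LM_HASH = EMPTY_HALF * 2

def analyze_lm(lm_hash):
    """Classify one 32-hex-character LM hash field."""
    h = lm_hash.strip().lower()
    if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
        return "invalid"
    if h == NO_LM_HASH:
        return "none"     # no LM hash stored: NoLMHash set or 15+ char password
    if h[16:] == EMPTY_HALF:
        return "short"    # second half unused: password is 7 characters or less
    return "full"         # both halves used: 8-14 characters, two 7-char halves

def audit_dump(lines):
    """Return {username: classification} for each dump record."""
    results = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue          # not a pwdump-style record
        results[fields[0]] = analyze_lm(fields[2])
    return results

def accounts_needing_attention(lines):
    """Usernames that still have an LM hash stored."""
    return sorted(u for u, c in audit_dump(lines).items() if c in ("short", "full"))

# Constructed sample dump; hash values are fake placeholders, not real hashes.
SAMPLE_DUMP = """
# user:rid:lmhash:nthash:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
svc_backup:1001:0123456789abcdefaad3b435b51404ee:00000000000000000000000000000002:::
jdoe:1002:0123456789abcdeffedcba9876543210:00000000000000000000000000000003:::
""".splitlines()

if __name__ == "__main__":
    for user, status in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:15} {status}")
```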
Change Shared Local
Admin Passwords
It is very common for the same local
administrator password to be used
throughout an organization.
Once an attacker has the shared password
he has control of a large portion of the
organization.
A recent client had multiple AD domains in use. I compromised a machine in one domain and cracked the local administrator password. Since this password was reused throughout the
2003 AD Domain
You can create a VB script and place it in the logon scripts of the GPO or
run it as a standalone script with a list of computers to modify.
2008 AD Domain
1. Open Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups
2. Right-click and select New -> Local User
3. In the dialog box set the Action to Update, set the Username to Administrator, and put in the password twice.
* http://tsmith.co/2011/changing-local-admin-passwords-on-the-network/
When placing a script in the GPO you risk exposing the password of the domain admin account used in the script. One option would be to set up the script, force a reboot of the
client machines so the script gets applied, and then remove the script. Another option would be to run the script as a domain admin outside of the GPO. A list of computers would need to be supplied to the script to automate the process.
These methods will apply the new password to all computers affected by the GPO, which defeats the purpose if all computers are under the same GPO. I would recommend having
workstations, servers, and Domain Controllers placed in separate OUs with appropriate GPOs applied and a different admin password for each group. I would also recommend all local
Disable Open File
Shares
Client 1
All shares on the primary file server were open and I found Protected
Health Information and the source code to the client’s web site,
including database credentials.
Client 2
A user was sharing files with Windows Simple File Sharing in Windows
XP. The user shared a document containing passwords used by the
marketing department, including passwords to the Facebook account
and mailing list system.
Disable Open File
Shares
World-writable, root-owned files on an NFS share. We could add a script here or modify an existing script to run malicious code. I believe this was because root squash was not
Disable Open File
Shares
Windows Shares
1. Open Folder Options
2. Go to the View tab
3. Uncheck "Use Simple File Sharing"
4. View the Properties for a folder
5. Go to the Sharing tab and set the share permissions to Everyone Full Control
6. Go to the Security tab and set appropriate NTFS permissions.
Disable Open File
Shares
NFS Shares
1. Edit /etc/exports to ensure only appropriate directories are listed.
2. For each directory, ensure only the appropriate IP addresses are
granted access.
3. Check the options for each IP address to ensure read/write
permissions are set correctly.
4. Ensure root is properly squashed.
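An added example, not from the slides, that turns the four NFS checks above into an audit of an /etc/exports file: it parses each export's client list and options and flags directories outside an approved list, exports open to every host or a wildcard, read/write access, and explicit `no_root_squash`. The sample exports file and the approved directory list are constructed for the demonstration.

```python
# Added audit example (not from the slides): parse /etc/exports and flag
# the conditions the four NFS checks above describe.
import re

CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")

def parse_exports(text):
    """Return (directory, host, options) for every client of every export."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        directory, clients = parts[0], parts[1:] or ["*"]   # bare path: everyone
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                continue
            # "host (rw)" with a space means host gets defaults AND everyone gets rw
            host = m.group(1) or "*"
            opts = set(filter(None, (m.group(2) or "").split(",")))
            entries.append((directory, host, opts))
    return entries

def audit_exports(text, approved_dirs):
    """Return (directory, host, finding) tuples for each problem found."""
    findings = []
    for directory, host, opts in parse_exports(text):
        if directory not in approved_dirs:
            findings.append((directory, host, "directory not approved for export"))
        if host == "*":
            findings.append((directory, host, "exported to every host"))
        elif "*" in host or "?" in host:
            findings.append((directory, host, "wildcard host match"))
        if "rw" in opts:
            findings.append((directory, host, "read/write access"))
        if "no_root_squash" in opts:
            findings.append((directory, host, "root not squashed"))
    return findings

# Constructed sample exports file for the demonstration.
SAMPLE_EXPORTS = """
/srv/backup  192.168.1.0/24(rw,sync,no_root_squash)
/srv/public  *(ro)
/srv/data    10.0.0.5(ro) (rw)   # the space before (rw) is a classic mistake
/home        10.0.0.0/24(rw,sync)
"""
APPROVED = {"/srv/backup", "/srv/public", "/home"}

if __name__ == "__main__":
    for directory, host, finding in audit_exports(SAMPLE_EXPORTS, APPROVED):
        print(f"{directory:12} {host:18} {finding}")
```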
Change Default/Blank
Passwords
Blank sa passwords in MSSQL can lead to
full machine compromise.
Blank local administrator passwords allow
full machine compromise.
My favorites are default/blank passwords
on devices like printers, scanners, UPSs,
and blade management servers.
Default and blank passwords are everywhere. I have compromised servers using blank sa
Change Default/Blank
Passwords
There is no automated method for fixing
this issue. You can use tools like Nessus to
help you identify vulnerable services, but
Nessus cannot find everything.
During a typical pentest, I manually
browse to almost every web server found.
Nessus will find most of the dangerous stuff like blank admin/root passwords, blank sa passwords, and Apache Tomcat default passwords. Nessus cannot determine weak
Change Default/Blank
Passwords
Identify devices such as routers, switches,
printers, and faxes.
Disable any services not needed such as
web servers and FTP.
Put a strong password on any services that
are not disabled.
Change Default/Blank
Passwords
Default Password Lists:*
http://www.phenoelit.org/dpl/dpl.html
http://cirt.net/passwords
http://www.virus.org/default-password
*Visit these at your own risk.
Disable RDP Access
Once logged in, an attacker has full control of
the machine.
The local Administrator account cannot be
locked out. (Morto Worm)
MS12-020: Currently DoS only, but RCE
may become available soon. (Will be
Disable RDP Access
Morto Worm:
The Morto worm scans a network for machines running RDP and
attempts to log in using the administrator account and a list of weak
passwords. After it logs in, it copies itself to the new machine, searches
for other vulnerable machines, and calls back to a C&C server to await
commands.*
Disable RDP Access
MS12-020:
The update in MS12-020 fixes a vulnerability in RDP, which is present in
all versions of Windows.* Newer versions of RDP use network level
authentication (NLA), which requires an attacker to authenticate to the
server before connecting to the RDP service, but this does not fix the
underlying vulnerability. The only fix is to apply the update.
Disable RDP Access
Group Policy (Server 2003)
1. Open Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services
2. Set "Allow users to connect remotely using Terminal Services" to Disabled.*
* http://support.microsoft.com/kb/306300
RDP is disabled by default in Windows XP / Server 2003 and above. Use Group Policy to ensure it stays disabled.