10 mistakes to avoid when securing your Microsoft Network Infrastructure
Donald R. Glass CISSP, CISA, MCSE, MCSE+I, CNE
Agenda
■ Preliminaries
■ Introduction, Sun Tzu
■ SANS/FBI Top 10 List (Microsoft related)
■ The vulnerabilities
■ The countermeasures
Something you should know
Preliminaries
■ Name: Donald R. Glass, you will never guess what the "R." stands for. I won't tell you either.
■ Height: 6' 10" = 206 cm.
■ I never played basketball, I never will.
■ Horrendous voice, if you don't understand something, please let me know.
■ All kinds of questions and observations are welcome.
The Art of War, Sun Tzu
The Art of War
■ "Hence to fight and conquer in all your battles is not supreme excellence; supreme excellence consists in breaking the enemy's resistance without fighting." Sun Tzu, The Art of War
The Art of War
■ "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." Sun Tzu, The Art of War.
The ten most commonly exploited vulnerable services in Windows.
The List
■ Released by the SANS Institute and the FBI's National Infrastructure Protection Center (NIPC).
■ It is really two Top Ten lists: one for *NIX and one for Windows.
■ Live document: it is revised as the threat picture changes.
■ The Top Twenty is a prioritized list of vulnerabilities that require immediate remediation.
Top Vulnerabilities to Windows Systems
■ W1 Internet Information Services (IIS)
■ W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
■ W3 Microsoft SQL Server
■ W4 NETBIOS -- Unprotected Windows Networking Shares
■ W5 Anonymous Logon -- Null Sessions
Top Vulnerabilities to Windows Systems
■ W6 LAN Manager Authentication -- Weak LM Hashing
■ W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords
■ W8 Internet Explorer
■ W9 Remote Registry Access
■ W10 Windows Scripting Host
W1 Internet Information Services (IIS)
■ Failure to handle unanticipated requests. Many IIS vulnerabilities involve a failure to handle improperly (or just deviously) formed HTTP requests. A remote attacker may:
– View the source code of scripted applications.
– View files outside of the Web document root.
– View files the Web server has been instructed not to serve.
– Execute arbitrary commands on the server (resulting in, for example, deletion of critical files or installation of a backdoor).
Example:
W1 Internet Information Services (IIS)
■ Buffer Overflows. Many ISAPI extensions (including the ASP, HTR, IDQ, PRINTER, and SSI extensions) are vulnerable to buffer overflows. A carefully crafted request from a remote attacker may result in:
– Denial of service.
– Execution of arbitrary code and/or commands in the Web server's user context (e.g., as the IUSR_servername or IWAM_servername user). Extensions that IIS loads in-process (idq.dll, for instance) run inside inetinfo.exe as LocalSystem, so an overflow there compromises the whole host, not just the anonymous web account.
W1 Internet Information Services (IIS)
■ Sample Applications.
– A sample application, newdsn.exe, allowed the remote attacker to create or overwrite arbitrary files on the server.
– A number of such applications allow remote viewing of arbitrary files, which may be used to gather information such as database userids and passwords.
– An iisadmin application, ism.dll, allows remote access to sensitive server information including the Administrator's password.
W1 Internet Information Services (IIS)
■ Operating Systems Affected
– Windows NT 4 (any flavor) running IIS 4
– Windows 2000 Server running IIS 5
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
■ The Remote Data Services (RDS) component in older versions of Microsoft Data Access Components (MDAC) has a program flaw which allows remote users to run commands locally with administrative privilege. Combined with a flaw in Microsoft Jet database engine 3.5 (part of MS Access), this exploit may also provide anonymous external access to internal databases. These flaws are well-documented and solutions have been available for more than two years, but outdated or misconfigured systems remain exposed and subject to attack.
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
■ Operating Systems Affected
– Most Microsoft Windows NT 4.0 systems running IIS 3.0 or 4.0, Remote Data Services 1.5, or Visual Studio 6.0.
W3 Microsoft SQL Server
■ Microsoft SQL Server (MSSQL) contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and, in some configurations, compromise server hosts.
■ MSSQL vulnerabilities are well-publicized and actively under attack.
■ Port 1433 (MSSQL default port) has also been regularly registered as one of the top scan ports in the Internet Storm Center.
W3 Microsoft SQL Server
■ Operating Systems Affected
– Any Microsoft Windows system with Microsoft SQL Server 7.0, Microsoft SQL Server 2000 or Microsoft SQL Server Desktop Engine 2000 installed.
W4 NETBIOS -- Unprotected Windows Networking Shares
■ Microsoft Windows provides a host machine with the ability to share files or folders across a network with other hosts through Windows network shares. The underlying mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS).
Example
– Sircam virus (see CERT Advisory 2001-22) and
–
W4 NETBIOS -- Unprotected Windows Networking Shares
■ Operating Systems Affected
– Windows 95
– Windows 98
– Windows NT
– Windows Me
– Windows 2000
– Windows XP.
W5 Anonymous Logon -- Null Sessions
■ A Null Session connection, also known as Anonymous Logon, is a mechanism that allows an anonymous user to retrieve information (such as user names and shares) over the network, or to connect without authentication.
■ On Windows NT, 2000 and XP systems, many local services run under the SYSTEM account, known as LocalSystem on Windows 2000 and XP. The SYSTEM account is used for various critical system operations. When one machine needs to retrieve system data from another, the SYSTEM account will open a null session to the other machine. For example: Network Neighborhood.
W5 Anonymous Logon -- Null Sessions
■ Operating Systems Affected
– Windows NT
– Windows 2000
– Windows XP.
W6 LAN Manager Authentication
■ Microsoft locally stores legacy LM password hashes (also known as LANMAN hashes) by default on Windows NT, 2000 and XP systems.
■ The weakness of LM hashes derives from the following:
– Passwords are truncated to 14 characters.
– Passwords are padded with spaces to become 14 characters.
– Passwords are converted to all upper case characters.
– The 14 characters are split into two 7-character halves that are DES-encrypted independently, with a fixed constant and no salt, so an attacker cracks two tiny keyspaces instead of one and identical passwords always produce identical hashes.
W6 LAN Manager Authentication
■ Operating Systems Affected
– Windows NT, Windows 2000 and Windows XP (all store the LM hash by default).
W7 General Windows Authentication
■ The most common password vulnerabilities are that:
– user accounts have weak or nonexistent passwords,
– regardless of the strength of their password, users fail to protect it,
– the operating system or additional software creates administrative accounts with weak or nonexistent passwords, and
– password hashing algorithms are known and often hashes are stored such that they are visible to anyone.
W7 General Windows Authentication
■ Operating Systems Affected
– Any operating system or application where users authenticate via a user ID and password.
W8 Internet Explorer
■ The vulnerabilities can be categorized into multiple classes including:
– Web page spoofing,
– ActiveX control vulnerabilities,
– Active scripting vulnerabilities,
– MIME-type and content-type misinterpretation and
– Buffer overflows.
■ The consequences may include:
– disclosure of cookies, local files or data,
– execution of local programs,
– download and execution of arbitrary code or
W8 Internet Explorer
■ Operating Systems Affected
– These vulnerabilities exist on Microsoft Windows systems with Internet Explorer installed.
W9 Remote Registry Access
■ Microsoft Windows 9x, Windows CE, Windows NT, Windows 2000, Windows ME and Windows XP employ a central hierarchical database, known as the Registry, to manage software, device configurations and user settings.
■ Improper permissions or security settings can permit remote registry access. Attackers can exploit this feature to compromise the system or form the basis for adjusting file associations and permissions to enable malicious code.
W9 Remote Registry Access
■ Operating Systems Affected
– Windows 9x
– Windows CE
– Windows NT
– Windows 2000
– Windows ME
– Windows XP
W10 Windows Scripting Host
■ Windows Scripting Host (WSH) permits any text file with a ".vbs" extension to be executed as a Visual Basic script.
■ With WSH enabled, a typical worm propagates by including a VBScript as the contents of another file and executes when that file is viewed or in some cases previewed.
Example:
–
W10 Windows Scripting Host
■ Operating Systems Affected
– Windows Scripting Host can be installed manually or with Internet Explorer 5 (or higher) on Windows 95 or NT.
– It is installed by default on Windows 98, ME, 2000 and XP.
How to detect, prevent and correct these vulnerabilities
W1 Internet Information Services (IIS)
How to determine if you are vulnerable.
■ It is simplest to presume that you are vulnerable if the cumulative roll-up has not been applied. To determine whether the cumulative roll-up has been applied on your server, check the registry for the entry listed as follows:
Windows NT 4:
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT
W1 Internet Information Services (IIS)
Windows NT 4 Terminal Server Edition:
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q317636
Windows 2000:
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q319733
Windows XP:
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP
W1 Internet Information Services (IIS)
■ Use the HFNetChk tool to verify the presence of the corresponding patch. Prefer it over the registry key alone: the key only proves the installer ran, while HFNetChk compares the installed file versions.
• NT 4: Q319733
• NT 4 Terminal Server Edition: Q317636
W1 Internet Information Services (IIS)
■ You are probably vulnerable to sample application exploits if any of the following files reside in your %wwwroot%/scripts directory:
– code.asp
– codebrws.asp
– ism.dll
– newdsn.exe
– viewcode.asp
W1 Internet Information Services (IIS)
How to Protect Against It.
■ Apply the current patches.
■ Stay current.
■ Eliminate sample applications.
■ Unmap unnecessary ISAPI extensions (HTR, IDQ, PRINTER, SSI and any other extension the site does not actually use).
W1 Internet Information Services (IIS)
How to Protect Against It – Tools.
■ Network Security Hotfix Checker – HFNetChk
– http://www.microsoft.com/technet/security/tools/hfnetchk.asp
■ IIS Lockdown Wizard
– http://www.microsoft.com/technet/security/tools/locktool.asp
■ URLScan filter (currently integrated in the IIS Lockdown Wizard).
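The W1 detection and protection steps above (sample files, roll-up hotfix keys, ISAPI mappings) can be checked from one script. This is an added example, not code from the deck or from Microsoft's tools; it assumes Windows PowerShell 2.0 or later on the web server, IIS 5.x/6 with the default web site at W3SVC/1 in the metabase, the default web root path given below, and that .ida (served by the same idq.dll as .idq) is not needed by the site. Only the two hotfix keys quoted in full on the slides are checked, and each applies to one OS only.

```powershell
# Added example, not from the original deck: audit an IIS host for the W1 items
# listed above. Assumptions: Windows PowerShell 2.0 or later on the web server,
# IIS 5.x/6 with the default web site at W3SVC/1 in the metabase, and the default
# web root path below. The script only reports; it changes nothing.

param(
    [string]$WwwRoot = 'C:\Inetpub\wwwroot'   # assumption: default IIS web root
)

# Sample applications named on the slide; any hit means the samples were never removed.
$SampleFiles = @('code.asp', 'codebrws.asp', 'ism.dll', 'newdsn.exe', 'viewcode.asp')

# Overflow-prone ISAPI mappings from the slide (HTR, IDQ, PRINTER, SSI).
# .ida is handled by the same idq.dll as .idq (assumption: the site does not use Index Server).
$RiskyExtensions = @('.htr', '.idq', '.ida', '.printer', '.shtml', '.shtm', '.stm')

# Roll-up hotfix keys quoted in full on the slides; each applies to one OS only,
# so a missing key is a finding only on that OS.
$HotfixKeys = @{
    'Windows NT 4 Terminal Server Edition' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q317636'
    'Windows 2000'                         = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q319733'
}

function Find-SampleApps {
    param([string]$Root)
    $found = @()
    foreach ($name in $SampleFiles) {
        # Search the whole web root, not only \scripts: setup copies samples into several folders.
        $hits = Get-ChildItem -Path $Root -Recurse -Filter $name -ErrorAction SilentlyContinue
        foreach ($h in @($hits)) { $found += $h.FullName }
    }
    return $found
}

function Get-RiskyScriptMaps {
    # ScriptMaps is read through ADSI from the metabase; each entry is
    # ".ext,C:\path\to\extension.dll,flags[,verbs]".
    $site = [ADSI]'IIS://localhost/W3SVC/1/Root'
    $risky = @()
    foreach ($map in @($site.ScriptMaps)) {
        $ext = ([string]$map -split ',')[0].ToLower()
        if ($RiskyExtensions -contains $ext) { $risky += [string]$map }
    }
    return $risky
}

function Get-MissingHotfixKeys {
    $missing = @()
    foreach ($os in $HotfixKeys.Keys) {
        if (-not (Test-Path $HotfixKeys[$os])) { $missing += "$os : $($HotfixKeys[$os])" }
    }
    return $missing
}

$samples = Find-SampleApps -Root $WwwRoot
if ($samples) { 'Sample applications still present (delete them):'; $samples | ForEach-Object { "  $_" } }

try {
    $maps = Get-RiskyScriptMaps
    if ($maps) { 'Risky ISAPI script maps still active (unmap unless the site needs them):'; $maps | ForEach-Object { "  $_" } }
} catch { "Could not read the IIS metabase: $_" }

$missing = Get-MissingHotfixKeys
if ($missing) { 'Roll-up hotfix keys not found (relevant only for the matching OS; confirm with HFNetChk):'; $missing | ForEach-Object { "  $_" } }
```

Run it as an administrator on the web server itself. A hit in the sample-file list is the strongest signal: it means the IIS Lockdown Wizard was never run, so the script-map findings are almost certainly real as well.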
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
How to determine if you are vulnerable.
■ If you are running Microsoft Windows NT 4.0 and IIS 3.0 or 4.0, then check for the existence of "
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
How to Protect Against It.
■ If possible, upgrade to MDAC version 2.1 or greater (this may introduce compatibility issues).
– http://www.microsoft.com/data/download.htm
■ Install JetCopkg.exe (MS99-030). JetCopkg.exe is a modified Jet 3.5 engine that has safety features enabled in it to prevent exploitation, referred to as 'sandbox' mode.
■ If the server does not need RDS at all, the simplest fix is to remove the /msadc virtual directory, which is what the re-released bulletin referenced below recommends for servers that do not use RDS.
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
How to Protect Against It – Additional references.
■ You, your servers, RDS, and thousands of script kiddies ..how to keep your website intact.. (Defending against RDS attacks).
– http://www.wiretrip.net/rfp/p/doc.asp/i2/f3/d29.htm
■ PRB: Security Implications of RDS 1.5, IIS 3.0 or 4.0, and ODBC.
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
■ Unauthorized ODBC Data Access with RDS and IIS.
– http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms98-004.asp
■ Re-Release: Unauthorized Access to IIS Servers through ODBC Data Access with RDS.
– http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms99
W3 Microsoft SQL Server
How to determine if you are vulnerable.
■ Check the registry for the following key:
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer
If present, it means that SQL Server or SQL Server Desktop Engine is installed as the default instance. Named instances of SQL Server 2000 and MSDE 2000 register under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<instance name> instead, so check there too: MSDE is bundled with many third-party products and is easy to overlook.
■ Use the Microsoft Baseline Security Analyzer (MBSA) to check for missing patches and
W3 Microsoft SQL Server
How to Protect Against It.
■ Apply the latest service pack for Microsoft SQL Server.
■ Apply the latest cumulative patch that is released after the latest service pack.
■ Apply any individual patches that are released after the latest cumulative patch.
■ Secure the server at system and network level.
■ Perform periodic vulnerability assessments of your SQL servers.
W3 Microsoft SQL Server
How to Protect Against It - Secure the server.
■ Ensure that the built-in "sa" account has a strong password, even if your SQL server does not run using this account.
■ Run the MSSQLServer service and SQL Server Agent under a valid domain account with minimal privileges, not as a domain administrator or the SYSTEM (on NT) or LocalSystem (on 2000) account.
W3 Microsoft SQL Server
■ Enable Windows NT Authentication. Enable auditing for successful and failed logins. Stop and restart the MSSQLServer service. Configure your clients to use NT authentication.
■ Packet filtering should be performed at network borders to prohibit non-authorized externally-initiated inbound connections to services. Ingress filtering of TCP port 1433 and UDP port 1434 (the SQL Server 2000 resolution service, which answers instance-discovery requests) could prevent attackers outside of your network from scanning or infecting vulnerable Microsoft SQL servers in the local network that are not explicitly authorized to provide public SQL services.
W3 Microsoft SQL Server
■ If TCP port 1433 or UDP port 1434 needs to be available on your Internet gateways, enable and customize egress/ingress filtering to prevent misuse of these ports.
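The W3 detection test (the MSSQLServer registry key) and the "secure the server" items above (Windows authentication, login auditing, service accounts, port exposure) can be audited with one script. This is an added example, not code from the deck or from Microsoft; it assumes Windows PowerShell 2.0 or later on the database host, WMI available, and the SQL Server 7.0/2000 registry layout for the default instance, where LoginMode 1 means Windows authentication only and AuditLevel 3 means both successful and failed logins are logged. The "admin" name match on the service account is a heuristic, not a group-membership check.

```powershell
# Added example, not from the original deck: audit a SQL Server 7.0/2000 (or
# MSDE 2000) default instance against the W3 detection and hardening steps above.
# Assumptions: Windows PowerShell 2.0 or later on the database host, WMI
# available, and the SQL Server 2000 registry layout for the default instance
# (named instances register under HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\<name>).
# The script only reports; it changes nothing.

$InstanceKey = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer'

function Get-SqlAuditFinding {
    $findings = @()

    # Detection: the slide's registry test for an installed default instance.
    if (-not (Test-Path $InstanceKey)) {
        return @('No default instance registered under HKLM\SOFTWARE\Microsoft\MSSQLServer; check for named instances and MSDE separately.')
    }
    $props = Get-ItemProperty -Path $InstanceKey

    # LoginMode: 1 = Windows authentication only, 2 = mixed (SQL logins such as "sa" usable over the network).
    if ($props.LoginMode -ne 1) {
        $findings += "LoginMode=$($props.LoginMode): mixed mode; set to 1 (Windows authentication) and restart MSSQLServer."
    }

    # AuditLevel: 0 = none, 1 = successful logins, 2 = failed logins, 3 = both.
    if ($props.AuditLevel -ne 3) {
        $findings += "AuditLevel=$($props.AuditLevel): set to 3 so successful and failed logins are both logged."
    }

    # Service accounts: neither service should run as LocalSystem or as an administrator.
    # (The 'admin' name match is a heuristic; confirm group membership by hand.)
    foreach ($svcName in 'MSSQLSERVER', 'SQLSERVERAGENT') {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
        if ($null -eq $svc) { continue }
        $account = $svc.StartName
        if ($account -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
            $findings += "$svcName runs as $account; move it to a low-privilege domain account."
        } elseif ($account -match '(?i)admin') {
            $findings += "$svcName runs as $account; verify this is not an administrative account."
        }
    }

    # Network exposure: TCP 1433 bound to every interface means only the border filter protects it.
    $listening = netstat -an | Select-String '0\.0\.0\.0:1433\s+0\.0\.0\.0:0\s+LISTENING'
    if ($listening) {
        $findings += 'TCP 1433 is listening on all interfaces; confirm ingress filtering of TCP 1433 and UDP 1434 at the perimeter.'
    }
    return $findings
}

$result = @(Get-SqlAuditFinding)
if ($result.Count -eq 0) { 'No findings: instance matches the W3 checklist.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Changing LoginMode or AuditLevel in the registry takes effect only after the MSSQLServer service is restarted, which is why the slide pairs those settings with a stop/start; the "sa" password itself cannot be checked from the registry and still has to be verified by hand.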
W4 NETBIOS -- Unprotected Windows Networking Shares
How to determine if you are vulnerable.
■ Use the Microsoft Baseline Security Analyzer (MBSA) to check if the server is vulnerable to SMB exploits.
– http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp
■ Use any other available network scanner. Please be advised that proper testing should be performed prior to using unfamiliar tools in a production environment.
W4 NETBIOS -- Unprotected Windows Networking Shares
How to Protect Against It.
■ Disable sharing wherever it is not required.
■ Do not permit sharing with hosts on the Internet. Ensure all Internet-facing hosts have Windows network shares disabled.
■ Do not permit unauthenticated shares. If file sharing is required, then don't permit unauthenticated access to a share.
W4 NETBIOS -- Unprotected Windows Networking Shares
■ Restrict shares to only the minimum folders required. Generally, only one folder and possibly sub-folders of that folder.
■ Restrict permissions on shared folders to the minimum required. Be especially careful to only permit write access when it is absolutely required. Share permissions and NTFS permissions are evaluated together and the more restrictive one wins, so lock down both rather than relying on either alone.
■ For added security, allow sharing only to specific IP addresses because DNS names can be spoofed. Treat this as defense in depth, not as authentication: source addresses can be forged too.
W4 NETBIOS -- Unprotected Windows Networking Shares
■ Block ports used for Windows shares at your network perimeter. Block the NetBIOS ports commonly used by Windows shares at your network perimeter using either your external router or perimeter firewall. The ports that should be blocked are 137-139 TCP and 137-139 UDP, and 445 TCP and 445 UDP.
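The W4 checklist above translates into two checks: which shares a host actually exposes and to whom, and whether an Internet-facing host still answers on the SMB ports. This is an added example, not code from the deck; it assumes Windows 8 / Server 2012 or later (the SmbShare and NetTCPIP modules), is run as a local administrator, and uses the placeholder host name www.example.com for the external probe. Older hosts need `net share` and a port scanner instead.

```powershell
# Added example, not from the original deck: inventory the shares a host exposes
# and flag the ones the W4 checklist above objects to, then probe whether an
# Internet-facing host still answers on the SMB ports. Assumptions: Windows 8 /
# Server 2012 or later (SmbShare and NetTCPIP modules), run as a local
# administrator. Read-only.

function Get-RiskyShare {
    $findings = @()
    # Administrative shares (C$, ADMIN$, IPC$) are marked Special; the rest were created by someone.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($share in @($shares)) {
        foreach ($ace in @(Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who   = $ace.AccountName
            $right = $ace.AccessRight          # Full, Change, Read or Custom
            # Unauthenticated access: Everyone, the anonymous logon or a Guest account.
            if ($who -match '^(Everyone|NT AUTHORITY\\ANONYMOUS LOGON|.*\\Guest)$') {
                $findings += "$($share.Name) ($($share.Path)): $who has $right (unauthenticated access)"
            }
            # Write access handed to a broad group: the slide allows it only when absolutely required.
            elseif ($right -ne 'Read' -and $who -match '^(NT AUTHORITY\\Authenticated Users|BUILTIN\\Users|.*\\Domain Users)$') {
                $findings += "$($share.Name) ($($share.Path)): $who has $right (broad write access)"
            }
        }
    }
    return $findings
}

function Test-SmbExposure {
    # Run this from OUTSIDE the perimeter against an Internet-facing host; any open port is a finding.
    param([string]$ComputerName)
    $open = @()
    foreach ($port in 139, 445) {
        $ok = Test-NetConnection -ComputerName $ComputerName -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($ok) { $open += $port }
    }
    return $open
}

$local = @(Get-RiskyShare)
if ($local.Count -eq 0) { 'Local shares: no findings.' } else { $local | ForEach-Object { "FINDING: $_" } }

# Example probe; 'www.example.com' is a placeholder host name, not one from the deck.
$exposed = Test-SmbExposure -ComputerName 'www.example.com'
if ($exposed) { "www.example.com answers on SMB port(s) $($exposed -join ', '); block 137-139 and 445 at the border." }
```

Get-SmbShareAccess reports only the share-level ACL; a share that passes this check can still leak data through lax NTFS permissions on the underlying folder, so review both as the slide advises.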
W5 Anonymous Logon -- Null Sessions
How to determine if you are vulnerable.
■ Try to establish a Null session using the following command:
net use \\a.b.c.d\ipc$ "" /user:""
where a.b.c.d is the IP address of the host under test. If the command reports that it completed successfully, the host accepts null sessions and an anonymous user can go on to enumerate its users and shares.
W5 Anonymous Logon -- Null Sessions
How to Protect Against It.
■ Modify the RestrictAnonymous Registry value
HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous
– Restricts anonymous users from displaying lists of users and from viewing security permissions.
– Note: This setting may have a negative impact on domain controller operations. Test the setting BEFORE you apply it to a production network.
W5 Anonymous Logon -- Null Sessions
■ Modify the RestrictAnonymous Registry value
– Available Settings:
• 0 (Disabled): Anonymous users are not restricted.
• 1 (Enabled): Users who log on anonymously (also known as null session connections) cannot display lists of domain user names or share names. The connection itself is still accepted, and on NT and 2000 an anonymous user can still resolve account names through SID lookups, so 1 is a partial mitigation.
• 2 (Enabled): Anonymous users have no access without explicit anonymous permissions (only in W2K/XP versions).
■ Block TCP and UDP ports 135, 137, 138, 139 and 445 at the external router or firewall.
W6 LAN Manager Authentication
How to determine if you are vulnerable.
■ If you are running a default installation of NT, 2000 or XP, you are vulnerable since LAN Manager hashes are stored locally by default.
■ If you have legacy operating systems in your environment that require LM authentication in order to communicate with servers, then you are vulnerable because those machines send LM challenge responses derived from the LM hash, which can be sniffed off the network and cracked offline.
W6 LAN Manager Authentication
How to Protect Against It.
■ Disable LM Authentication across the network. Set the LMCompatibilityLevel Registry key (in HKLM\System\CurrentControlSet\Control\LSA) to:
– If all of your systems are Windows NT SP4 or later, you can set this to 3 on all clients and 5 on all domain controllers to prevent any transmission of LM hashes on the network.
– Legacy systems (such as Windows 95/98) will not use NTLMv2 with the default Microsoft Network Client. To get NTLMv2 capability, install the Directory Services Client. Once installed, the registry value name is "
W6 LAN Manager Authentication
■ Prevent the LM Hash from Being Stored.
– One major problem with simply removing the LM hashes being passed over the network is that the hashes are still created and stored in the SAM or Active Directory. Microsoft has a mechanism available for turning off the creation of the LM hashes altogether, but only in Windows 2000 and XP.
• Windows 2000: HKLM\System\CurrentControlSet\Control\LSA\NoLMHash
W6 LAN Manager Authentication
How to Protect Against It – additional references.
■ How to Disable LM Authentication on Windows NT [Q147706]
– http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B147706
■ LMCompatibilityLevel and Its Effects [Q175641]
– http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B175641
W6 LAN Manager Authentication
■ How to Enable NTLMv2 Authentication for Windows 95/98/2000/NT [Q239869]
– http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B239869
■ New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager
– http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B299656
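As an added example (not from the slides), a small Python audit that reads captured reg query output for the LSA key and checks the three settings from W5 and W6 (RestrictAnonymous, LMCompatibilityLevel, NoLMHash) against the values the slides recommend; the sample output is constructed and the reg query line layout is an assumption.

```python
import re

# Hardened targets taken from the W5/W6 slides: RestrictAnonymous 2 (W2K/XP),
# LMCompatibilityLevel 3 on clients and 5 on domain controllers, NoLMHash set.
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA"
# Assumed 'reg query' value line layout: <name> <REG_type> <data>, DWORD data in hex
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S.*)$")

def parse_reg_query(output, key=LSA_KEY):
    """Return {name: int} for REG_DWORD values and {subkey: None} for direct
    subkeys of 'key'. NoLMHash is a subkey on Windows 2000 (as the slide lists
    it) and a REG_DWORD value on XP, so both forms are captured."""
    found = {}
    for line in output.splitlines():
        m = VALUE_RE.match(line)
        if m:
            if m.group(2) == "REG_DWORD":
                found[m.group(1)] = int(m.group(3), 16)
        elif line.lower().startswith(key.lower() + "\\"):
            found[line.rsplit("\\", 1)[1]] = None
    return found

def audit_lsa(found, domain_controller=False):
    """Return findings for the three LSA settings; an empty list means hardened."""
    findings = []
    ra = found.get("RestrictAnonymous") or 0  # an absent value behaves as 0
    if ra < 2:
        findings.append(f"RestrictAnonymous={ra}: null sessions can still enumerate (want 2)")
    want = 5 if domain_controller else 3
    lm = found.get("LMCompatibilityLevel") or 0
    if lm < want:
        findings.append(f"LMCompatibilityLevel={lm}: LM hashes may cross the wire (want {want})")
    if "NoLMHash" not in found:
        findings.append("NoLMHash absent: LM hashes are still stored in the SAM/AD")
    return findings

# Constructed sample: what 'reg query' prints for a mostly default Windows 2000 box
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
    Bounds               REG_BINARY    0030000000200000
    RestrictAnonymous    REG_DWORD     0x1
    LMCompatibilityLevel REG_DWORD     0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Data
"""

if __name__ == "__main__":
    for finding in audit_lsa(parse_reg_query(SAMPLE), domain_controller=True):
        print("FINDING:", finding)
```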
W7 General Windows Authentication
How to determine if you are vulnerable.
■ Test the passwords using a known password cracker.
■ Note: Never run a password scanner, even on systems for which you have administrative access, without explicit and preferably written permission from your employer. Administrators with the most benevolent of intentions have been fired for running password cracking tools without authority to do so.
W7 General Windows Authentication
How to Protect Against It.
■ Ensure that passwords are strong.
■ Protect strong passwords.
■ Tightly control accounts.
W7 General Windows Authentication
How to Protect Against It – Tools.
■ LC4 (l0phtcrack version 4)
– http://www.atstake.com/research/lc/
■ John the Ripper
– http://www.openwall.com/john/
■ Symantec NetRecon
– http://enterprisesecurity.symantec.com/products/products.cfm?ProductID
W8 Internet Explorer
How to determine if you are vulnerable.
■ Make sure the latest service packs, hotfixes and patches are installed. This could be done by:
– Windows Update service
– Network Security Hotfix Checker (HFNetChk)
W8 Internet Explorer
How to Protect Against It.
■ Apply the latest service pack for Internet Explorer.
■ Apply the latest cumulative patch that is released after the latest service pack.
■ Apply any individual patches that are released after the latest cumulative patch.
W9 Remote Registry Access
How to determine if you are vulnerable.
■ NT Resource Kit (NTRK) available from Microsoft contains an executable file entitled "regdump.exe" that will passively test remote registry access permissions from a Windows NT host against other Windows NT/Windows 2000 or Windows XP hosts on the Internet or internal network.
– http://msdn.microsoft.com/library/default.asp?url=/library/en-us/apcguide/htm/utilities_10.asp
■ A collection of command line shell scripts that will test for registry access permissions and a range of other related security concern
W9 Remote Registry Access
How to Protect Against It.
■ Restrict Network Access.
– To restrict network access to the registry create the following Registry key:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
• Description: REG_SZ
• Value: Registry Server
– Security permissions set on this key define the Users or Groups that are permitted remote Registry access. Default Windows installations define this key and set the Access Control List to provide full privileges to the system Administrator and Administrators Group (and Backup Operators in
W9 Remote Registry Access
■ Limit the authorized remote access.
– Enforcing strict restrictions upon the registry can have adverse side effects upon dependent services, such as the Directory Replicator and the network printer Spooler service.
– It is therefore possible to add a degree of granularity to the permissions, by adding either the account name that the service is running under to the access list of the "winreg" key, or by configuring Windows to bypass the access restriction to certain keys by listing them in the Machine or Users value under the AllowedPaths
W9 Remote Registry Access
■ For Windows NT: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
– Value: Machine
• Value Type: REG_MULTI_SZ - Multi string
• Default Data:
  System\CurrentControlSet\Control\ProductOptions
  System\CurrentControlSet\Control\Print\Printers
  System\CurrentControlSet\Services\Eventlog
  Software\Microsoft\WindowsNT\CurrentVersion
  System\CurrentControlSet\Services\Replicator
• Valid Range: (A valid path to a location in the registry)
• Description: Allow machines access to listed locations in the re
W9 Remote Registry Access
– Value: Users
• Value Type: REG_MULTI_SZ - Multi string
• Default Data: (none)
• Valid Range: (A valid path to a location in the registry)
• Description: Allow users access to listed locations in the registry provided that no explicit access restrictions exist for that loc
W9 Remote Registry Access
■ In the Microsoft Windows 2000 and Windows XP Registry:
– Value: Machine
• Value Type: REG_MULTI_SZ - Multi string
• Default Data:
  System\CurrentControlSet\Control\ProductOptions
  System\CurrentControlSet\Control\Print\Printers
  System\CurrentControlSet\control\Server Application
  System\CurrentControlSet\Services\Eventlog
  Software\Microsoft\Windows NT\CurrentVersion
W9 Remote Registry Access
How to Protect Against It – additional references.
■ How to Restrict Access to NT Registry from a Remote Computer.
– http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B153183
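Added example, not from the slides: a Python model of the winreg AllowedPaths exception described above, using the Windows 2000/XP Machine default list from the slide. It assumes (this example's assumption, not a statement from the slides) that a listed path also covers the keys beneath it and that registry paths compare case-insensitively, and it flags configured entries that widen remote exposure beyond the defaults.

```python
# Default Machine AllowedPaths data for Windows 2000/XP, as listed on the slide
DEFAULT_MACHINE_PATHS = [
    r"System\CurrentControlSet\Control\ProductOptions",
    r"System\CurrentControlSet\Control\Print\Printers",
    r"System\CurrentControlSet\control\Server Application",
    r"System\CurrentControlSet\Services\Eventlog",
    r"Software\Microsoft\Windows NT\CurrentVersion",
]

def _parts(path):
    # Registry paths are case-insensitive; compare them component by component
    return [p.lower() for p in path.strip("\\").split("\\")]

def path_is_allowed(requested, allowed_paths):
    """True if 'requested' is a listed path or lies beneath one (assumed rule)."""
    req = _parts(requested)
    return any(req[: len(_parts(a))] == _parts(a) for a in allowed_paths)

def remote_read_permitted(requested, caller_in_winreg_acl, machine_paths):
    """A remote caller reaches a key either through the winreg ACL (after which
    only the key's own ACL applies) or through an AllowedPaths exception."""
    return caller_in_winreg_acl or path_is_allowed(requested, machine_paths)

def exposure_beyond_default(configured, defaults=DEFAULT_MACHINE_PATHS):
    """Configured entries the defaults do not already cover: the extra remote
    exposure an administrator (or an unwanted change) has added."""
    return [p for p in configured if not path_is_allowed(p, defaults)]

if __name__ == "__main__":
    probe = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    print(probe, "->", remote_read_permitted(probe, False, DEFAULT_MACHINE_PATHS))
    print(exposure_beyond_default(DEFAULT_MACHINE_PATHS + [r"Software\Acme"]))
```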
W10 Windows Scripting Host (WSH)
How to determine if you are vulnerable.
■ If you are running Windows 95 or NT with IE 5 or higher, or are running Windows 98, ME, 2000 or XP, and have not disabled WSH, then you are vulnerable.
W10 Windows Scripting Host (WSH)
How to Protect Against It.
■ Disable or remove Windows Scripting Host.
■ Always keep the Anti-virus software and definitions up-to-date.
How to assess your level of exposure
Conclusions
■ Most of these vulnerabilities have been known for a number of years.
■ Most of the countermeasures are not hard to deploy.
http://www.
Silka M. Gonzalez CISA, CPA
President
[email protected]
305 789-6662 or 305 335-7610
Donald R. Glass CISSP, CISA, MCSE, MCSE+I, CNE
Manager
dglass