Windows Security by: Mark Lachniet

Introductions

• Mark Lachniet,

• MCNE, MCSE, CCSE, LPIC-1

• Sr. Security Engineer @ Analysts International

• Formerly a technician and then the IS director at Holt Public Schools

• Formerly a MAEDS board member

• New daddy

What we have to work with:

Agenda

• Risks

• Microsoft Tools to know about

• Policies and procedures

• Secure network designs

• Physical Security

• OS Security

• IIS Security

• Intrusion Detection / Prevention

• Vulnerability Assessments

• Questions and Answers

History – Microsoft products

• WFW, Win9x/ME are meant for single-user implementations – no security to speak of (use desktop security if you need it)

• Windows NT 3.5x / 4.x / 2000 / XP are multi-user systems that presumably enforce system and user security

• Nonetheless, they still subscribe to the “kitchen sink” approach, rather than the “secure by default” approach (.NET may change this)

• The new frontier - Internet Information Server, SQL Server, programming interfaces such as ASP, VBScript, etc.

History – Microsoft products

• Many hackers consider it fun to pick on Microsoft

• Some implementation issues such as NTLM hashing issues have come up

• Many problems are due to ID-10-T errors. Easy configuration = easy mis-configuration

• NIMDA, Code Red I / II, and numerous Outlook viruses have caused big problems and created bad publicity for the company

• Closed-source products make it difficult for individuals to find and fix problems

• Numerous patches, hotfixes, and service packs have created versioning and stability problems on production servers

History – Microsoft’s response

• Microsoft has made security a priority

• Numerous service packs, hotfixes, and tools have been created and released

• Response time for security issues has improved greatly and security reporting was formalized

• Fewer reported vulnerabilities have fallen through the cracks

• Development was halted and all of their developers were sent to a security boot camp

• A “letter from the top” by Bill Gates has formally stated that security is the direction that the company must go

The current situation

• Despite what some would say, it is possible to secure most Windows machines

• It is, however, very time consuming and potentially complicated to do so

• It requires constant vigilance to keep servers up to date

• This all needs to be factored into the total cost of ownership, and not treated like a side cost

Today’s presentation

• Will focus on NT4 / 2000 / XP

• Will focus on Internet servers (IIS)

• Will focus on “hardening” of servers

• Will attempt to be specific

• Assumes a technical audience

• Based on an internal Analysts International server hardening checklist

• Will NOT cover the 100 other things you need to know about security

Risks – a quick summary

• To better qualify your risks, you need to perform a security analysis. Just securing servers is not enough

• Computer security must be “defense in depth” - supported on many levels

• Physical security is critical, without it, nothing is secure (e.g. console, backups, etc.)

• Risks from a poor network design (especially Internet servers) are significant

• Poor policies and procedures can lead to risk (e.g. not coordinating hires/fires w/ H.R.)

• Need monitoring and log analysis to find problems

More risks

• Remote access (VPN, dialup, wireless) to the network that bypasses firewalls

• Remote control of machines (PC Anywhere, VNC, Terminal Services)

• Vendors and partners! Never trust a vendor, even me. Firewall them off, and make sure their servers are secure.

• Students – bored, frequently smart, and tons of free time and motivation

• Network sniffing and “man in the middle” attacks

• Password cracking

• Etc. etc. etc.

Tools I use: hfnetchk.exe

• If you aren’t using it, you should

• Similar in functionality to Windows Update, but more verbose and doesn’t install anything

• Used to check for installed hotfixes and patches for NT4, 2000, XP*, IIS, IE5+, SQL 7 / 2000

• Examines registry keys and file checksums to verify the installation of hotfixes and patches

• Can be used across the network and can be scripted to automate security work

• Cannot always verify all patches, so there is some uncertainty whether you have correctly applied them

• Does not support all Microsoft products

• My favorite – it’s simple and it works

Tools I never use: The IIS lockdown tool

• Follows the “defense in depth” philosophy of security by addressing multiple security aspects

• Meant to provide an easy way of locking down servers. Templates are provided for some profiles of server.

• It may insulate you from the actual changes that it is making. Unless you know where to look, you have to take its word for it

• It also includes the URLScan tool which is a type of IPS (Intrusion Protection System)

Tools I never use: The Personal Security Advisor

• http://www.microsoft.com/technet/mpsa/start.asp

• Web based product to analyze the security of a workstation

• Not designed for complicated installations, and not really suitable for servers or IIS

• It is, however, pretty good at analyzing workstations for things like Internet zone settings, Outlook settings, Microsoft Office, etc.

• A good way to protect end users from Internet naughtiness

• Runs some simple security checks (weak passwords)

• Would be a good tool to run before deploying a workstation or image

Microsoft security checklists and hardening guides

• NT 4 server / workstation checklists

• Win 2k server / pro baseline checklists

• IIS 4.0 / 5.0 baseline checklists

• Domain controller checklists, etc.

• In general, these are a good starting point, but are not really paranoid enough

Good hardening guides

• NSA hardening guides

• If it’s good enough for them…

• Multiple high-quality guides are free for download from: http://www.nsa.gov

• Come in PDF format with lots of screen captures and step-by-step instructions

• Have guides for Cisco routers, NT4, and many Windows 2000 guides – Exchange, IIS5, group policy, Kerberos, etc.

• You probably aren’t going to want to do *everything* in them, so pick and choose what makes sense for your organization

Good Hardening Guides

• Guides from SANS.org (System Administration Networking and Security)

• These are not free, but are based on the work of experts in the field

• SANS offers the best security training around, if you can afford to go (~$3k/5 days)

• SANS also offers security certification tracks to prove your skills

• As part of this certification, you have to write a “practical” or paper on a topic

• These papers are free for all, and mostly good: http://rr.sans.org/win2000/win2000_list.php

The 5 minute tour…

• Because of the amount of material to cover, I am going to discuss a lot of material very quickly

• I will focus more on technical aspects than on administrative stuff

• These are important, but I want to leave enough time for tangible action items you can take home with you

• Please remember, just doing these things does not equal security

Policies and Procedures

• Subscribe to security listservs! You must know what the enemy knows

• BugTraq and NT BugTraq at: http://online.securityfocus.com/archive

• Microsoft Security Bulletins at: http://www.microsoft.com/technet/security/bulletin/notify.asp

• SANS News at http://server2.sans.org/sansnews

• And many others…

Policies and Procedures

• Document procedures for the configuration, usage, and maintenance of servers and workstations

• Update these procedures regularly

• Limit access to the server to the minimum

• Maintain a disaster recovery plan

• Limit usage of the server to its core function (i.e., a web server). Do not use it as a browser or for routine work! This opens it up to the risk of malicious code or user error

Network Security

• Use a network design that has security in mind!

• Use a firewall with a DMZ to host all Internet servers

• Use an implicit “deny all” policy, and only open up the necessary ports to the outside (80, 443, 25, 110, etc.) Never NetBIOS stuff (135-139)

• Similarly, create only the bare minimum rules for the DMZ server to talk to the inside network. Don’t allow any communication, if possible

• Consider using Cisco private VLAN technology to limit communication between DMZ servers

• Use encryption! SSL especially

Physical Security

• If you can physically access the machine, you can do almost anything

• I have boot disks that can reset the administrator password in < 5mins

• Once reset, the possibilities are endless – do a “reverse telnet shell”, log keystrokes (such as the real administrator trying to log in), etc.

• Even without rebooting, removable media is an issue

Physical Security

• Physically lock up the servers

• Make lots of backups (just in case)

• Lock up Emergency Repair Disks

• Only allow a single OS on the system

• Password protect screen savers & BIOS

• Disable booting to floppy and CD

• Remove all modems and management tools (e.g. Compaq Insight Manager)

• Beware of USB devices!

During Installation

• Do not connect to the Internet while installing (can be hacked during install)

• Install the minimal number of packages

• Make Internet servers standalone – not part of any domain or Active Directory

• Format all volumes as NTFS

• Install IIS on a separate volume or hard drive (note that this requires an unattended installation and script)

• Use strong administrator passwords

Install all service packs

• Operating system

• Internet Information Server

• Internet Explorer

• SQL server, others as needed

• hfnetchk.exe should come up clean* before the server is deployed

Filesystem Security

• The ‘everyone’ group has full access to all drives by default! This is dangerous and unnecessary

• Carefully remove ‘everyone’ and add administrators, users, etc. to disks using descriptive groups

• Create a ‘web user’ group that has READ access to IIS directories

• Create a ‘web admin’ group that has WRITE access to IIS directories

• Add IUSR_BOX and IWAM_BOX to ‘web users’ and maybe ‘web admin’

Filesystem Security

• Delete or remove access to dangerous programs to make hacking harder:

ARP.EXE, AT.EXE, ATSVC.EXE, ATTRIB.EXE, CACLS.EXE, CLIPSRV.EXE, CMD.EXE, COMMAND.COM, CSCRIPT.EXE, DEBUG.EXE, DIALER.EXE, EDIT.EXE, EDLIN.EXE,

FINGER.EXE, FTP.EXE, HTIMAGE.EXE, HYPERTRM.EXE, IMAGEMAP.EXE, IPCONFIG.EXE, ISSYNC.EXE, MSIEXEC.EXE, NBTSTAT.EXE, NET.EXE, NET1.EXE, NETSH.EXE, NETSTAT.EXE, NSLOOKUP.EXE,

PING.EXE, POLEDIT.EXE, POSIX.EXE, QBASIC.EXE, QFECHECK.EXE, RCP.EXE, RDISK.EXE, REGEDIT.EXE, REGEDT32.EXE, REXEC.EXE, ROUTE.EXE, RSH.EXE, RUNAS.EXE, RUNONCE.EXE,

SECFIXUP.EXE, SYSEDIT.EXE, SYSKEY.EXE, TELNET.EXE, TFTP.EXE, TRACERT.EXE, TSKILL.EXE, UNINST.EXE, WSCRIPT.EXE, XCOPY.EXE

Filesystem Security

• Remove all resource kits and SDKs

• Disable indexing of disks recursively

• Never allow the emergency console to boot from the hard drive

• Delete backup copies of the registry from %SystemRoot%\repair\

• Configure the recycle bin to immediately delete files

• Configure the system swap file to be deleted at shutdown

High-accountability logging• Enable auditing of filesystem accesses

• Configure auditing to log all failed file accesses by the ‘everyone’ group

• Increase the size of the event log to 512 MB if possible

• Set event viewer to delete events that are N days old, where N matches your backup schedule

• Audit the use of privileges

Monitor suspicious log events

• Filter event logs for interesting events

– 529: Unknown Username or Bad Password

– 537: Unsuccessful Logon

– 530: Account Logon Time Restriction Violation

– 531: Account Currently Disabled

– 532: Account Has Expired

– 533: User Not Allowed to Log on

– 534: Logon Type Restricted

– 535: Password Expired

– 516: Some Audit Event Records Discarded

– 517: Audit Log Cleared

More Suspicious Events

– 624: User Account Created

– 630: User Account Deleted

– 627: Change Password Attempt

– 636: Local Group Member Added

– 632: Global Group Member Added

– 642: User Account Changed

– 643: Domain Policy Changed

– 608: User Right Assigned

– 609: User Right Removed

– 612: Audit Policy Change

– 610: New Trusted Domain

– 611: Removing Trusted Domain
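As an added example (not from the slides), a filter for the event IDs these two slides list, run over a constructed Event Viewer text export; the tab-separated column layout and the three-failure threshold are assumptions:

```python
# Filter an exported NT/2000 Security event log for the event IDs the slides list.
# The sample lines below are constructed, not from a real server; the tab-separated
# layout is assumed to follow Event Viewer's text export:
# date, time, source, type, category, event ID, user, computer.
from collections import Counter

SUSPICIOUS = {  # IDs from the "Monitor suspicious log events" slides
    529: "Unknown Username or Bad Password", 537: "Unsuccessful Logon",
    530: "Account Logon Time Restriction Violation", 531: "Account Currently Disabled",
    532: "Account Has Expired", 533: "User Not Allowed to Log on",
    534: "Logon Type Restricted", 535: "Password Expired",
    516: "Some Audit Event Records Discarded", 517: "Audit Log Cleared",
    624: "User Account Created", 630: "User Account Deleted",
    627: "Change Password Attempt", 636: "Local Group Member Added",
    632: "Global Group Member Added", 642: "User Account Changed",
    643: "Domain Policy Changed", 608: "User Right Assigned",
    609: "User Right Removed", 612: "Audit Policy Change",
    610: "New Trusted Domain", 611: "Removing Trusted Domain",
}

SAMPLE_LOG = """\
3/4/2002\t09:12:01\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tjsmith\tWEB01
3/4/2002\t09:12:44\tSecurity\tFailure Audit\tLogon/Logoff\t529\tadministrator\tWEB01
3/4/2002\t09:12:45\tSecurity\tFailure Audit\tLogon/Logoff\t529\tadministrator\tWEB01
3/4/2002\t09:12:46\tSecurity\tFailure Audit\tLogon/Logoff\t529\tadministrator\tWEB01
3/4/2002\t09:13:10\tSecurity\tSuccess Audit\tAccount Management\t624\tSYSTEM\tWEB01
3/4/2002\t09:15:00\tSecurity\tSuccess Audit\tSystem Event\t517\tSYSTEM\tWEB01
"""

def parse_line(line):
    """Return (event_id, user, audit_type) for one export line, or None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 8 or not fields[5].isdigit():
        return None
    return int(fields[5]), fields[6], fields[3]

def suspicious_events(text):
    """Return [(event_id, user, description)] for each line whose ID is on the slides' list."""
    hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] in SUSPICIOUS:
            hits.append((parsed[0], parsed[1], SUSPICIOUS[parsed[0]]))
    return hits

def repeated_bad_passwords(text, threshold=3):
    """Accounts with at least `threshold` 529 events: worth a look for password guessing
    (the threshold is an assumption, tune it to your environment)."""
    counts = Counter(user for eid, user, _ in suspicious_events(text) if eid == 529)
    return {user: n for user, n in counts.items() if n >= threshold}
```

Pointing the same two functions at a real export of the Security log gives the daily filter the slide asks for, with 516/517 hits deserving attention first since they mean audit records were lost.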

Network Adapter Settings

• Disable all bindings except TCP/IP

• Use IP filters to limit incoming traffic to only required ports (80, 443, 25, etc.)

• Disable remote access to the registry

• Disable NetBIOS over TCP/IP

• Disable IP routing

• Do not make “dual-homed” hosts that connect insecure (external) networks to secure (internal) networks

• Harden the TCP/IP stack against DoS attacks

Disable Unnecessary Services

• Alerter

• Clipbook Server

• Computer Browser

• Distributed File System

• Distributed Link Tracking Server

• Distributed Link Tracking Client

• IPSEC Policy Agent (unless IPSEC is used)

• License Logging Service

• Logical Disk Manager Administrative Service (needed for software RAID)

• Messenger

• Net Logon

Disable Unnecessary Services

• Network DDE

• Network DDE DSDM

• Print Spooler

• Remote Registry Service

• Removable Storage

• Server service (needed for SMTP services)

• Task Scheduler

• TCP/IP NetBIOS Helper

• Telephony (needed for terminal server)

• Windows Installer

• Windows Time

• Workstation service (needed for some maintenance tasks)

Accounts and User IDs

• Configure password strength enforcement for users

• Rename the administrator account

• Create a bogus administrator account with no rights and log its use

• Rename and disable the guest account

• Remove ‘access this computer from the network’ rights from administrator and ‘everyone’ group

Accounts and User IDs

• Remove the ‘log on locally’ right from all users and groups that don’t need it

• Perform periodic password cracking to find bad passwords (including products that log in and run as services)

• Disable remote access to the registry

• Disable anonymous access to NetBIOS services (used for anonymously iterating user IDs and other NetBIOS information across the network)

IIS Security

• Don’t use Front Page extensions

• Disable the HTML administration site

• Store web content on a separate drive

• Bind the web server process to specific IP addresses (not all available)

• Disable the WebDAV service

• Remove all unneeded ISAPI mappings, especially IDA/IDC (indexing service) and .printer (Internet Printing)

IIS Security

• Remove support for Internet printing

– Remove the /printers virtual directory

– Delete files from %SystemRoot%\web\printers

– Disable local or group policy options for “Web-Based Printing”

• Delete default and sample IIS files

– \Inetpub\iissamples

– \Inetpub\AdminScripts

– \Program Files\Common Files\System\msadc\Samples

– %SystemRoot%\help\iishelp

– %SystemRoot%\System32\Inetsrv\iisadmpwd

– %SystemRoot%\web\printers

IIS Security

• Use restrictive IIS permissions

– On the "Home Directory" tab, disable Read, Write, and Directory browsing

– Add specific rights as necessary

– Do not assign the Script Source Access IIS permission to any folder

– Use authentication on all folders with Write / Write-Execute access

– If HTTP basic authentication is required, use SSL

– If using NTLM authentication, require NTLM v2

IIS Security

• Protect global.asa files

– NTFS permissions set for System, Administrators and Operators = Full Control

– NTFS permissions set for Authors = Modify

– NTFS permissions set to explicitly deny the IUSR_server and IWAM_server accounts

– All failed accesses to global.asa are logged

• Protect the MetaBase.bin file

– MetaBase.bin has Full Control for System and Administrators

– MetaBase.bin has Modify for Operators

– Audit all failed and successful NTFS access to MetaBase.bin

• Enable the maximum level of logging

• Set the UseHostName metabase value to hide the true IP address of the server

Intrusion Prevention / Detection

• Various products exist to detect and sometimes stop hack attacks

• One such product is Entercept

• These are usually installed on the host

• Software components intercept API calls to the operating system

• Can also filter HTTP web requests

• Provide reporting capabilities at the host and enterprise level

• Can be somewhat costly

• Like all IDS products, the value is in their configuration

Vulnerability Assessments

• Primarily a scripted process

• Takes a “hacker’s point of view” of the network and attempts to find vulnerabilities in software (usually over TCP/IP)

• Is useful as a before and after check

• Is my preferred method of telling if security changes “took” properly. You’d be surprised

• Vulnerability assessments need to be performed often with updated tools!

• If possible, get expert help with vulnerability assessments – the tools can tell you a lot, but interpretation of results is critical

Questions and Answers

Mark Lachniet

[email protected]

Rob Dobson

[email protected]