Windows Security by: Mark Lachniet
Introductions
• Mark Lachniet,
• MCNE, MCSE, CCSE, LPIC-1
• Sr. Security Engineer @ Analysts International
• Formerly a technician and then the IS director at Holt Public Schools
• Formerly a MAEDS board member
• New daddy
Agenda
• Risks
• Microsoft Tools to know about
• Policies and procedures
• Secure network designs
• Physical Security
• OS Security
• IIS Security
• Intrusion Detection / Prevention
• Vulnerability Assessments
• Questions and Answers
History – Microsoft products
• WFW, Win9x/ME are meant for single-user implementations – no security to speak of (use desktop security if you need it)
• Windows NT 3.5x / 4.x / 2000 / XP are multi-user systems that presumably enforce system and user security
• Nonetheless, they still subscribe to the “kitchen sink” approach, rather than the “secure by default” approach (.NET may change this)
• The new frontier - Internet Information Server, SQL Server, programming interfaces such as ASP, VBScript, etc.
History – Microsoft products
• Many hackers consider it fun to pick on Microsoft
• Some implementation issues such as NTLM hashing issues have come up
• Many problems are due to ID-10-T errors. Easy configuration = easy mis-configuration
• NIMDA, Code Red I / II, and numerous Outlook viruses have caused big problems and created bad publicity for the company
• Closed-source products make it difficult for individuals to find and fix problems
• Numerous patches, hotfixes, and service packs have created versioning and stability problems on production servers
History – Microsoft’s response
• Microsoft has made security a priority
• Numerous service packs, hot fixes, and tools have been created and released
• Response time for security issues has improved greatly and security reporting was formalized
• Fewer reported vulnerabilities have fallen through the cracks
• Have halted development and sent all of their developers to a security boot camp
• A “letter from the top” by Bill Gates has formally stated that security is the direction that the company must go
The current situation
• Despite what some would say, it is possible to secure most Windows machines
• It is, however, very time consuming and potentially complicated to do so
• It requires constant vigilance to keep servers up to date
• This all needs to be factored into the total cost of ownership, and not treated like a side cost
Today’s presentation
• Will focus on NT4 / 2000 / XP
• Will focus on Internet servers (IIS)
• Will focus on “hardening” of servers
• Will attempt to be specific
• Assumes a technical audience
• Based on an internal Analysts International server hardening checklist
• Will NOT cover the 100 other things you need to know about security
Risks – a quick summary
• To better qualify your risks, you need to perform a security analysis. Just securing servers is not enough
• Computer security must be “defense in depth” - supported on many levels
• Physical security is critical, without it, nothing is secure (e.g. console, backups, etc.)
• Risks from a poor network design (especially Internet servers) are significant
• Poor policies and procedures can lead to risk (e.g. not coordinating hires/fires w/ H.R.)
• Need monitoring and log analysis to find problems
More risks
• Remote access (VPN, dialup, wireless) to the network that bypasses firewalls
• Remote control of machines (PC Anywhere, VNC, Terminal Services)
• Vendors and partners! Never trust a vendor, even me. Firewall them off, and make sure their servers are secure.
• Students – bored, frequently smart, and tons of free time and motivation
• Network sniffing and “man in the middle” attacks
• Password cracking
• Etc. etc. etc.
Tools I use: hfnetchk.exe
• If you aren’t using it, you should
• Similar in functionality to Windows Update, but more verbose and doesn’t install anything
• Used to check for installed hotfixes and patches for NT4, 2000, XP*, IIS, IE5+, SQL 7 / 2000
• Examines registry keys and file checksums to verify the installation of hotfixes and patches
• Can be used across the network and can be scripted to automate security work
• Cannot always verify all patches, so there is some uncertainty if you have correctly applied them
• Does not support all Microsoft products
• My favorite – it’s simple and it works
Tools I never use: The IIS lockdown tool
• Follows the “defense in depth” philosophy of security by addressing multiple security aspects
• Meant to provide an easy way of locking down servers. Templates are provided for some profiles of server.
• It may insulate you from the actual changes that it is making. Unless you know where to look, you have to take its word for it
• It also includes the URLScan tool which is a type of IPS (Intrusion Protection System)
Tools I never use: The Personal Security Advisor
• http://www.microsoft.com/technet/mpsa/start.asp
• Web based product to analyze the security of a workstation
• Not designed for complicated installations, and not really suitable for servers or IIS
• It is, however, pretty good at analyzing workstations for things like Internet zone settings, Outlook settings, Microsoft Office, etc.
• A good way to protect end users from Internet naughtiness
• Runs some simple security checks (weak passwords)
• Would be a good tool to run before deploying a workstation or image
Microsoft security checklists and hardening guides
• NT 4 server / workstation checklists
• Win 2k server / pro baseline checklists
• IIS 4.0 / 5.0 baseline checklists
• Domain controller checklists, etc.
• In general, these are a good starting point, but are not really paranoid enough
Good hardening guides
• NSA hardening guides
• If it’s good enough for them…
• Multiple high-quality guides are free for download from: http://www.nsa.gov
• Come in PDF format with lots of screen captures and step-by-step instructions
• Have guides for Cisco routers, NT4, and many Windows 2000 guides – Exchange, IIS5, group policy, Kerberos, etc.
• You probably aren’t going to want to do *everything* in them, so pick and choose what makes sense for your organization
Good Hardening Guides
• Guides from SANS.org (System Administration Networking and Security)
• These are not free, but are based on the work of experts in the field
• SANS offers the best security training around, if you can afford to go (~$3k/5days)
• SANS also offers security certification tracks to prove your skills
• As part of this certification, you have to write a “practical” or paper on a topic
• These papers are free for all, and mostly good: http://rr.sans.org/win2000/win2000_list.php
The 5 minute tour…
• Because of the amount of material to cover, I am going to discuss a lot of material very quickly
• I will focus more on technical aspects than on administrative stuff
• These are important, but I want to leave enough time for tangible action items you can take home with you
• Please remember, just doing these things does not equal security
Policies and Procedures
• Subscribe to security listservs! You must know what the enemy knows
• BugTraq and NT BugTraq at: http://online.securityfocus.com/archive
• Microsoft Security Bulletins at: http://www.microsoft.com/technet/security/bulletin/notify.asp
• SANS News at http://server2.sans.org/sansnews
• And many others…
Policies and Procedures
• Document procedures for the configuration, usage, and maintenance of servers and workstations
• Update these procedures regularly
• Limit access to the server to the minimum
• Maintain a disaster recovery plan
• Limit usage of the server to its core function (i.e., a web server). Do not use it as a browser or for routine work! This opens it up to the risk of malicious code or user error
Network Security
• Use a network design that has security in mind!
• Use a firewall with a DMZ to host all Internet servers
• Use an implicit “deny all” policy, and only open up the necessary ports to the outside (80, 443, 25, 110, etc.) Never NetBIOS stuff (135-139)
• Similarly, create only the bare minimum rules for the DMZ server to talk to the inside network. Don’t allow any communication, if possible
• Consider using Cisco private VLAN technology to limit communication between DMZ servers
• Use encryption! SSL especially
Physical Security
• If you can physically access the machine, you can do almost anything
• I have boot disks that can reset the administrator password in < 5 mins
• Once reset, the possibilities are endless – do a “reverse telnet shell”, log keystrokes (such as the real administrator trying to log in), etc.
• Even without rebooting, removable media is an issue
Physical Security
• Physically lock up the servers
• Make lots of backups (just in case)
• Lock up Emergency Repair Disks
• Only allow a single OS on the system
• Password protect screen savers & BIOS
• Disable booting to floppy and CD
• Remove all modems and management tools (e.g. Compaq Insight Manager)
• Beware of USB devices!
During Installation
• Do not connect to the Internet while installing (can be hacked during install)
• Install the minimal number of packages
• Make Internet servers standalone – not part of any domain or Active Directory
• Format all volumes as NTFS
• Install IIS on a separate volume or hard drive (note that this requires an unattended installation and script)
• Use strong administrator passwords
Install all service packs
• Operating system
• Internet Information Server
• Internet Explorer
• SQL server, others as needed
• hfnetchk.exe should come up clean* before the server is deployed
Filesystem Security
• The ‘everyone’ group has full access to all drives by default! This is dangerous and unnecessary
• Carefully remove ‘everyone’ and add administrators, users, etc. to disks using descriptive groups
• Create a ‘web user’ group that has READ access to IIS directories
• Create a ‘web admin’ group that has WRITE access to IIS directories
• Add IUSR~BOX and IWAM~BOX to ‘web users’ and maybe ‘web admin’
Filesystem Security
• Delete or remove access to dangerous programs to make hacking harder:
ARP.EXE PING.EXE AT.EXE POLEDIT.EXE
ATSVC.EXE POSIX.EXE ATTRIB.EXE QBASIC.EXE
CACLS.EXE QFECHECK.EXE CLIPSRV.EXE RCP.EXE
CMD.EXE RDISK.EXE COMMAND.COM REGEDIT.EXE
CSCRIPT.EXE REGEDIT32.EXE DEBUG.EXE REXEC.EXE
DIALER.EXE ROUTE.EXE EDIT.EXE RSH.EXE
EDLIN.EXE RUNAS.EXE FINGER.EXE RUNONCE.EXE
FTP.EXE SECFIXUP.EXE HYPERTRM.EXE SYSEDIT.EXE
HTIMAGE.EXE SYSKEY.EXE IMAGEMAP.EXE TELNET.EXE
IPCONFIG.EXE TFTP.EXE ISSYNC.EXE TRACERT.EXE
MSIEXEC.EXE TSKILL.EXE NBTSTAT.EXE UNINST.EXE
NET.EXE WSCRIPT.EXE NET1.EXE XCOPY.EXE
NETSH.EXE NETSTAT.EXE NSLOOKUP.EXE
Filesystem Security
• Remove all resource kits and SDKs
• Disable indexing of disks recursively
• Never allow the emergency console to boot from the hard drive
• Delete backup copies of the registry from %SystemRoot%\repair\
• Configure the recycle bin to immediately delete files
• Configure the system swap file to be deleted at shutdown
High-accountability logging• Enable auditing of filesystem accesses
• Configure auditing to log all failed file accesses by the ‘everyone’ group
• Increase the size of the event log to 512 MB if possible
• Set event viewer to delete events that are N days old, where N matches your backup schedule
• Audit the use of privileges
Monitor suspicious log events
• Filter event logs for interesting events
– 529: Unknown Username or Bad Password
– 537: Unsuccessful Logon
– 530: Account Logon Time Restriction Violation
– 531: Account Currently Disabled
– 532: Account Has Expired
– 533: User Not Allowed to Log on
– 534: Logon Type Restricted
– 535: Password Expired
– 516: Some Audit Event Records Discarded
– 517: Audit Log Cleared
More Suspicious Events
– 624: User Account Created
– 630: User Account Deleted
– 627: Change Password Attempt
– 636: Local Group Member Added
– 632: Global Group Member Added
– 642: User Account Changed
– 643: Domain Policy Changed
– 608: User Right Assigned
– 609: User Right Removed
– 612: Audit Policy Change
– 610: New Trusted Domain
– 611: Removing Trusted Domain
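The log filtering these two slides describe, as an added example that is not part of the presentation: a small Python scanner over a constructed Event Viewer text export (the tab-separated column layout is an assumption) that tags the listed event IDs by category and flags repeated 529s from one account on one machine as likely password guessing.

```python
# Added example (not from the presentation): filter an exported NT/2000 Security
# log for the event IDs the slides list as suspicious, and flag bursts of 529s.
# Layout is an assumed tab-separated Event Viewer text export with the columns
# Date, Time, Source, Type, Category, EventID, User, Computer; lines are constructed.
from collections import Counter

LOGON_FAILURES = {529, 530, 531, 532, 533, 534, 535, 537}
AUDIT_TAMPERING = {516, 517}  # records discarded / audit log cleared
ACCOUNT_CHANGES = {624, 630, 627, 636, 632, 642, 643, 608, 609, 612, 610, 611}
KINDS = (("logon-failure", LOGON_FAILURES), ("audit-tampering", AUDIT_TAMPERING),
         ("account-change", ACCOUNT_CHANGES))

SAMPLE_LOG = """\
5/14/2002\t09:01:12\tSecurity\tSuccess Audit\tLogon/Logoff\t528\twebadmin\tWEB01
5/14/2002\t09:02:03\tSecurity\tFailure Audit\tLogon/Logoff\t529\tadministrator\tWEB01
5/14/2002\t09:02:04\tSecurity\tFailure Audit\tLogon/Logoff\t529\tadministrator\tWEB01
5/14/2002\t09:02:05\tSecurity\tFailure Audit\tLogon/Logoff\t529\tadministrator\tWEB01
5/14/2002\t09:15:40\tSecurity\tSuccess Audit\tAccount Management\t636\tSYSTEM\tWEB01
5/14/2002\t09:16:02\tSecurity\tSuccess Audit\tSystem Event\t517\tadministrator\tWEB01
this line is not a valid export record
"""

def parse(line):
    """Return (event_id, user, computer) for one export line, or None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 8 or not fields[5].isdigit():
        return None
    return int(fields[5]), fields[6], fields[7]

def classify(event_id):
    """Name the watch category an event ID belongs to, or None if uninteresting."""
    return next((name for name, ids in KINDS if event_id in ids), None)

def scan(text, burst_threshold=3):
    """Return one finding per watched event, plus a 'password-guessing' finding
    for each (user, computer) pair with at least burst_threshold 529 events."""
    findings, bad_pw = [], Counter()
    for event_id, user, computer in filter(None, map(parse, text.splitlines())):
        kind = classify(event_id)
        if kind:
            findings.append((kind, event_id, user, computer))
        if event_id == 529:
            bad_pw[(user, computer)] += 1
    for (user, computer), count in bad_pw.items():
        if count >= burst_threshold:
            findings.append(("password-guessing", count, user, computer))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

On a real server, point `scan` at a text export of the Security log (Event Viewer, Save As text) rather than at `SAMPLE_LOG`; the threshold should match how many bad passwords your lockout policy tolerates.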
Network Adapter Settings
• Disable all bindings except TCP/IP
• Use IP filters to limit incoming traffic to only required ports (80, 443, 25, etc.)
• Disable remote access to the registry
• Disable NetBIOS over TCP/IP
• Disable IP routing
• Do not make “dual-homed” hosts that connect insecure (external) networks to secure (internal) networks
• Harden the TCP/IP stack against DoS attacks
Disable Unnecessary Services
• Alerter
• Clipbook server
• Computer browser
• Distributed File System
• Distributed Link Tracking Systems Server
• Distributed Link Tracking Systems Client
• IPSEC policy agent (unless IPSEC is used)
• Licensing Logging Service
• Logical Disk Manager Administrator Service (needed for software RAID)
• Messenger
• Net Logon
Disable Unnecessary Services
• Network DDE
• Network DDE DSDM
• Print Spooler
• Remote Registry Service
• Removable Storage
• Server Services (needed for SMTP services)
• Task Scheduler
• TCP/IP NetBIOS Helper
• Telephony (needed for terminal server)
• Windows Installer
• Windows Time
• Workstation Service (needed for some maintenance tasks)
Accounts and User IDs
• Configure password strength enforcement for users
• Rename the administrator account
• Create a bogus administrator account with no rights and log its use
• Rename and disable the guest account
• Remove ‘access this computer from the network’ rights from administrator and ‘everyone’ group
Accounts and User IDs
• Remove the ‘log on locally’ right from all users and groups that don’t need it
• Perform periodic password cracking to find bad passwords (including products that log in and run as services)
• Disable remote access to the registry
• Disable anonymous access to NetBIOS services (used for anonymously iterating user IDs and other NetBIOS information across the network)
IIS Security
• Don’t use Front Page extensions
• Disable the HTML administration site
• Store web content on a separate drive
• Bind the web server process to specific IP addresses (not all available)
• Disable the WebDAV service
• Remove all unneeded ISAPI mappings, especially IDA/IDC (indexing service) and .printer (Internet Printing)
IIS Security
• Remove support for Internet printing
– Remove the /printers virtual directory
– Delete files from %SystemRoot%\web\printers
– Disable local or group policy options for “Web-Based Printing”
• Delete default and sample IIS files
– \Inetpub\iissamples
– \Inetpub\AdminScripts
– \Program Files\Common Files\System\msadc\Samples
– %SystemRoot%\help\iishelp
– %SystemRoot%\System32\Inetsrv\iisadmpwd
– %SystemRoot%\web\printers
IIS Security
• Use restrictive IIS permissions
– On the "Home Directory" tab, disable Read, Write, Directory browsing
– Add specific rights as necessary
– The Script Source Access IIS permission is not assigned to any folder
– Use authentication on all folders with Write / Write-Execute access
– If HTTP basic authentication is required, use SSL
– If using NTLM authentication, require NTLM v2
IIS Security
• Protect global.asa files
– NTFS permissions set for System, Administrators and Operators = full control
– NTFS permissions set for Authors = modify
– NTFS permissions set to explicitly deny IUSR_server and IWAM_server accts.
– All failed accesses to global.asa are logged
• Protect the metabase.bin file
– MetaBase.bin has full control for System and Administrators
– MetaBase.bin has Modify for Operators
– Audit all failed and successful NTFS access to MetaBase.bin
• Enable the maximum level of logging
• Set the UseHostName metabase value to hide the true IP address of the server
Intrusion Prevention / Detection
• Various products exist to detect and sometimes stop hack attacks
• One such product is Entercept
• These are usually installed on the host
• Software components intercept API calls to the operating system
• Can also filter HTTP web requests
• Provide for reporting capabilities at the host and enterprise level
• Can be somewhat costly
• Like all IDS products, the value is in their configuration
Vulnerability Assessments
• Primarily a scripted process
• Takes a “hacker’s point of view” of the network and attempts to find vulnerabilities in software (usually over TCP/IP)
• Is useful as a before and after check
• Is my preferred method of telling if security changes “took” properly. You’d be surprised
• Vulnerability assessments need to be performed often with updated tools!
• If possible, get expert help with vulnerability assessments – the tools can tell you a lot, but interpretation of results is critical