W982: Windows 2003XP2000 System and Network Security Networld Interop Las Vegas Wed May 12, 2003 8:3 - PowerPoint PPT Presentation


PPT – W982: Windows 2003XP2000 System and Network Security Networld Interop Las Vegas Wed May 12, 2003 8:3 PowerPoint presentation | free to view - id: 57d34-ZDc1Z


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

W982: Windows 2003XP2000 System and Network Security Networld Interop Las Vegas Wed May 12, 2003 8:3


User can connect as any user account on the system without a password ... 46. Password Crackers. Require access to SAM - direct or copy. Password auditing: ... – PowerPoint PPT presentation

Number of Views:1593
Avg rating:3.0/5.0
Slides: 159
Provided by: astr98


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: W982: Windows 2003XP2000 System and Network Security Networld Interop Las Vegas Wed May 12, 2003 8:3

W982Windows 2003/XP/2000 System and Network
SecurityNetworldInterop - Las VegasWed
May 12, 2003 830am-430pm
  • James Michael Stewart
    MCT, CCNA,
  • MCSA Windows Server 2003, MCSESecurity Windows
  • www.impactonline.com
  • michael_at_impactonline.com

  • This course has changed since submitted for
  • Updated slides, notes, and handouts available
  • www.impactonline.com/interop/
  • All new or changed material is highlighted in

What This Course is NOT about
  • How to break into Windows systems
  • Security issues not related directly to Windows
  • Installing software
  • Troubleshooting non-security issues
  • Details on Intrusion Detection
  • Basics of Windows architecture, administration,
    or operation
  • Other software from Microsoft or third-party

What This Course IS about
  • Why security is important
  • Native security features built into
  • Windows Server 2003
  • Windows 2000 Server and Professional
  • Windows XP Professional
  • How to lock down or secure a Windows system
  • Vulnerabilities of Windows OSes
  • Windows countermeasures

Security Is Important
  • OS or system security does not exist in a vacuum
  • You must address physical security and
    administrative issues otherwise no amount of
    technical or logical security controls will
  • Security must be driven by an organization wide
    security policy.
  • Security is not a goal, it is a process, and
    Security is not a product, it's a mentality
  • Security is maintaining data integrity and
    providing only authorized, controlled access to
    that data

Windows Security isan ART not a SCIENCE
  • Take my recommendations and opinions about
    Windows security at your own risk.
  • Usually, increasing security adds administrative
    overhead, but decreasing security reduces
    administrative workloads. Ultimately, you must
    choose what level of security you require, and
    manage related admin tasks.
  • We welcome other opinions on Windows security in
    the class - we will add useful information to
    online materials and future classes

Windows Security Is
  • Build a perimeter thats harder to cross than
    your neighbors
  • Controlled and monitored access
  • End to end solution, involving clients,
    applications, servers, boundary devices, and all
    relationships between these elements
  • Windows 2000/NT/XP Out of the Box Few secure
  • Windows Server 2003 is much more secure by
  • Maintaining security is never-ending process
    requires vigilance, ongoing monitoring, and

SecurityA Multi-Front Endeavor
  • 100 security does not exist
  • Implement security in layers
  • Security must provide protection from intrusions,
    internal and external attacks, accidents,
    malicious code, and physical destruction.
  • Security policies guide and direct implementation
  • Three Legs of Security
  • Physical access control
  • If physical security not maintained, no amount of
    software security can create a secure environment
    for your data
  • Human education and management
  • OS and software management

Worst Security Mistakes
  • Opening unsolicited email attachments without
    verifying source and checking content first
  • Failing to install security patches
  • Installing unapproved software
  • Neither making nor testing backups
  • Connecting a modem to a phone line while computer
    is connected to a LAN
  • Relying primarily on firewalls and boundary
  • Connecting systems and devices to the LAN or
    Internet before hardening them
  • Using telnet or other unencrypted protocols to
    manage systems and network devices
  • Running unnecessary protocols and services
  • Failing to keep yourself up to date with the
    state of security of your OSes, software, and

Windows Sever 2003New and Modified Features
  • Common Language Runtime
  • Internet Connection Firewall
  • Account behavior changes
  • More Secure Defaults
  • Administration Security
  • Developer enhancements
  • Encrypted File System enhancements
  • IPSEC enhancements
  • Authorization Manager
  • Software Restriction Policies
  • Credential Management
  • PKI Features
  • IIS 6.0 enhancements

Common Language Runtime
  • Common Language Runtime (CLR) software engine
  • improves reliability and helps ensure a safe
    computing environment.
  • reduces the number of bugs and security holes
    caused by common programming mistakes
  • verifies that applications can run without error
    and checks for appropriate security permissions
  • making sure that code only performs appropriate
  • checks where the code was downloaded or installed
  • checks whether the code has a digital signature
    from a trusted developer
  • Checks whether the code has been altered since it
    was digitally signed.

Internet Connection Firewall
  • Simple stateful IP filter
  • Allows all outbound
  • Allows selected inbound

Account Behavior Changes
  • Limiting local account misuse
  • Network logon prevented with blank passwords
  • Network logons using local accounts authenticate
    as guest
  • Administrator account can be disabled
  • The built-in Everyone group includes
    Authenticated Users and Guests, but no longer
    includes members of the Anonymous Logon group
  • Supported authentication techniques Kerberos V5,
    SSL, TLS, NTLM, digest (MD5 hash), passport,
    two-factor (such as smart cards)

More Secure Defaults
  • IIS/FTP/SMTP not installed by default
  • IIS must be configured before first use
  • Many services/interfaces/extensions are disabled
    by default

Administration Security
  • Command line tools (e.g. netstat o)
  • Smartcard authentication for common admin tools
  • Net.exe
  • Runas
  • Terminal Services

Developer Enhancements
  • .Net Common Language runtime
  • Managed code
  • Authentication of code origin
  • Authorization of operations against policy
  • IPSec APIs
  • Application access to EFS metadata
  • Advanced Encryption Standard New Hash support

EFS Enhancements
  • Encrypted file sharing in the UI
  • Encrypted files marked with alternate color
  • Sharing Your Encrypted Files with Other Users
  • Encrypted client side cache
  • Used for offline folders, files stored in
    encrypted CSC database
  • Support kernel-mode FIPS-compliant cryptography
  • 3DES algorithm, enabled with Group Policy
  • FIPS Federal Information Processing Standard

EFS Data Recovery Changes
  • Domain Model
  • Removed requirement for Data Recovery Agent
  • Can operate with no data recovery policy or a
    separate key recovery policy
  • Domain Administrator is DRA by default when
    domain is created

EFS over WebDAV
  • Enable encrypted storage on Internet servers (end
    to end encryption)
  • WebDAV is a file sharing protocol over HTTP
  • Alternative to SMB Internet Standard RFC 2518
  • Supported by numerous independent software
  • IIS 5.0 and IIS 6.0 support WebDAV as web folders

IPSec Enhancements
  • Windows 2000/XP/Server 2003 Compatibility
  • Stronger security
  • Diagnostics and supportability
  • UI improvements and IPSec Monitor Snap-in
  • Command line management NETSH
  • Computer startup security
  • IPSec Driver Startup Modes
  • Persistent policy for enhanced security
  • Removed default traffic exemptions
  • NAT traversal
  • Improved IPSec integration with Network Load
  • IPSec support for Resultant Set of Policy (RSoP)

Authorization Manager
  • Flexible framework
  • Role-based access control
  • Role-based administration
  • Support for Forest Trusts two-way transitive
    trusts between every domain in both forests

Software Restriction Policies
  • Group Policy can restrict software installation
    and execution
  • Can restrict by
  • Hash Rule
  • Path Rule
  • Certificate Rule
  • Zone Rule

Credential Manager
  • Provides a secure storage mechanism for user
    credentials, such as passwords and X.509
  • Provides a consistent single-sign on
  • Supported for local and roaming users
  • Simplifies and secures the methods by which
    server and client based applications obtain user

PKI Features
  • Qualified subordination
  • A.K.A. Cross certification
  • More X.509 options implemented on server and
  • Define the namespace for which a subordinate CA
    will issue certificates
  • Specify the acceptable uses of certificates
    issued by a qualified subordinate CA
  • Create trust between separate certification
  • Editable certificate templates
  • Key archive recovery
  • Can configure a CA to archive the keys associated
    with the certificates it issues
  • Auto enrolment renewal
  • Delta CRLs

IIS 6.0 Enhancements
  • Lessons implemented
  • Reduced attack surface
  • Code security
  • Secure defaults
  • Improved ASP security
  • Lower privilege accounts
  • Improved patch management
  • Security features for the platform
  • Application isolation
  • FTP user isolation
  • Passport authentication
  • URL authorization

Some Specific Windows 2003 Security Benefits
  • More than 20 services that were enabled by
    default in W2K are now disabled or operate at
    lower privileges
  • IIS 6.0 and Telnet server is not installed by
    default, plus both run under a new service
    account with lower privileges
  • IE has numerous limitations on its functionality
  • The Security Configuration Wizard which works
    on-top-of Configure Your Server defaults to the
    highest security lockdown for added services and
  • Remote users will be unable to log in using blank
  • Role-based authentication via applications
  • The system root drive is accessible only to
    Administrative group users, the Everyone group is
    fully restricted
  • Stronger VPN policies and filters

Windows 2000 to Windows 2003
  • All known problems with Windows 2000 up through
    approximately MS03-022 are corrected or not
    present in Windows 2003
  • New problems since MS03-023 may be found in
    Windows 2000, Windows XP, and Windows 2003
  • Check Windows Update and Microsoft Security
    Bulletins frequently to stay current with new

Windows 2000 Security Features
  • Improved security model over Windows NT
  • stronger authentication, protocols, services
  • Directory Service Account Management
  • domain trees
  • Organizational Units (OUs) - directory containers
  • Kerberos Authentication Protocol V5
  • Public Key Infrastructure (PKI)
  • X.509 Version 3 Certificate Services
  • CryptoAPI Version 2
  • Encrypting File System (EFS) built into NTFS
  • Secure channel security protocols (SSL 3.0/PCT)
  • Smart card support
  • Private Communications Technology PCT 1.0
  • Distributed Password Authentication (DPA)
  • Transport Layer Security Protocol TLS
  • Internet Security Framework IPSec, L2TP
  • Transitive Trusts

Windows XPSecurity Features
  • Most of the security benefits of Windows 2000 are
    found in Windows XP
  • Additional security features include
  • Internet Connection Firewall
  • Internet Connection Sharing
  • Blank password restriction (access to local
    system only)
  • Encryption of Offline Files
  • Credential Management storage of logon
  • Fast user switching (non-domain only)

Windows XPIPL Vulnerability
  • All passwords rendered useless on Windows XP
  • Boot a Windows XP system with a Windows 2000 CD
  • Start the Windows 2000 Recovery Console
  • User is then able to operate as the administrator
    of the system without a password
  • User can connect as any user account on the
    system without a password
  • User can copy files to floppies or other
    removable media from any local hard drive a
    capability normally restricted within the
    Recovery Console when used legitimately.
  • Only countermeasure physical security
  • http//www.briansbuzz.com/w/030213/

Coverage of Windows Clients
  • Windows XP Professional can be configured as the
    most secure client available from Microsoft
  • Windows 2000 Professional can be configured to be
    almost as secure as Windows XP Professional
  • Both offer different defaults, usually insecure
    defaults, when employed as stand-alone systems
  • This courseware assumes Windows XP Professional
    and Windows 2000 Professional are being used as
    Active Directory domain clients. Therefore they
    take on the security configurations defined by
    Windows 2000 Server or Windows Server 2003 GPOs
    assigned to their AD containers.

Coverage of Windows Servers
  • All Windows 2000 Server and Windows Server 2003
    settings are discussed from the perspective of
    these systems being used as domain controllers.
  • Domain controllers either inherit the security
    configuration of the domain controllers, the
    domain GPO, or are assigned their own unique
    configuration by network administrators.

Overview of Native Security Componentsof Windows
  • Logon control
  • User accounts
  • Groups
  • Accounts policy - passwords and lockout
  • System policies
  • NTFS and Share permissions
  • User Rights
  • Auditing

Login Access Security
  • NetLogon service
  • restricted memory area
  • cannot be spoofed
  • forces physical logon
  • communicates with security database to validate
  • Requires
  • user account name
  • password
  • domain name
  • Remote Control software bypasses via API and
    installed service (logon required to install

Automated Logon
  • DefaultDomainName (Value REG_SZ)
  • DefaultUserName (Value REG_SZ)
  • DefaultPassword (Value REG_SZ)
  • AutoAdminLogon (Value REG_SZ) 1
  • Authentication still occurs, but without user
  • To terminate auto-logon
  • set AutoAdminLogon0
  • delete DefaultPassword
  • Hold SHIFT to logon with alternate user account
  • Used on kiosks other access points where access
    level or physical security is no issue
  • Functions on NT, 2000, XP, 2003

Cached Credentials (1/2)
  • By default, when you attempt to log on to a
    domain from a Windows 2003/XP/2000-based
    workstation or member server and a domain
    controller (DC) cannot be located, no error
    message is displayed.
  • Instead, you log on to the local computer using
    cached credentials.
  • By default, Windows 2003/XP/2000 caches the last
    10 logons
  • Set through Group Policy (Security Options) or
    Registry (CachedLogonsCount). If set to 0, no
    logons are cached and if DC is not available
    logon is denied.

Cached Credentials (2/2)
  • When logged on with cached credentials, user
    account has no access to updated group policies,
    roaming profiles, home folders, or logon scripts.
  • Use set command at Command Prompt
  • LOGONSERVER entry names what system authenticated
  • If local system cached credentials, if DC
    domain validation.
  • Appears in Event Viewers System log event ID
  • Add ReportControllerMissing and ReportDC values
    to Registry to force user warning message.
  • Unlocking a workstation or a DC uses cached
    credentials by default. If you dont disable
    credential caching, then set ForceUnlockLogon to
    1 to require actual AD authentication to unlock

User Accounts Groups
  • Users and groups key to Windows security
  • User Accounts
  • Unique identifiers for each person
  • Security IDs
  • Groups
  • Used to control resource access
  • Machine local, Domain local, Global, Universal
    (native mode)
  • Multiple group memberships
  • Combined permissions
  • Users gt Domain Groups gt Local Groups gt Resources
  • Users are added to groups
  • Groups are assigned permissions for resources
  • Nesting of groups supported
  • Delete vs. Disable old user accounts

System Controlled Groups
  • Pre-Windows 2000 Compatible Access
  • Anonymous Logon
  • Authenticated Users
  • Batch
  • Creator Group
  • Creator Owner
  • Dialup
  • Enterprise Domain Controllers
  • Everyone
  • Interactive
  • Network
  • Proxy
  • Restricted
  • Self
  • Membership is dynamic and managed by the OS
  • Everyone group is still required on boot
    partition and still includes anonymous and null
  • Service
  • System
  • Terminal Server User
  • 2003 specific
  • Digest Authentication
  • Local Service
  • NTLM Authentication
  • Other Organization
  • Remote Interactive Logon
  • SChannel Authentication
  • This Organization

Group Policy
  • GPOs can be assigned to domains, sites, or OUs.
  • Applied LSDOU
  • Combines policies for
  • general security controls
  • audit
  • user rights
  • passwords
  • accounts lockout
  • Kerberos
  • Public key policies
  • IPSec policies
  • 2000 OOB if a user is a member of 70 to 80
    groups, group policy may not be applied. Caused
    by Kerbeross token size limitation, correction
    changes MaxTokenSize from 12000 to 100000 - (SP2)
    - 263693

Group Policy SMB vulnerability
  • SMB signing flaw may allow group policies to be
    modified by unauthorized users
  • Affects Windows 2000 and Windows XP
  • Flaw allows attackers to downgrade the settings
    for SMB signing so packets not signed even though
    systems are configured to use SMB signing. This
    attack occurs during negotiation process between
    client and server. Once exploited, attackers
    could modify packets sent between two systems and
    changes would not be detected.
  • Patch not included in Windows XP SP1
  • MS02-070 KB329710

Password Policy
  • Set password restrictions
  • Min max password age (0-999)
  • W2000 Max 42 days Min 0 days
  • W2003 - Max 42 days Min 1 days
  • Min password length (0-14)
  • W2000 - 0
  • W2003 - 7
  • History (1 - 24 entries)
  • W2000 1
  • W2003 - 24
  • Passwords must meet complexity requirements
  • W2000 disabled
  • W2003 enabled
  • Store passwords using reversible encryption for
    all users in the domain
  • W2000 W2003 - disabled

Password Complexity
  • Forces minimum of 6 characters
  • Incorporates at least 3 character types
  • Uppercase A through Z
  • Lowercase a through z
  • Numerals 0 through 9
  • Non-alphanumeric !, _at_, , , , \,
  • No part user account name or real name
  • Not foolproof April1999 is valid password
    under these restrictions, but easily guessed.
  • When enabled, existing passwords are
    grandfathered new or changed passwords must
    meet restrictions
  • Custom password filters see W2000 and W2003 SDK

Failing Requirements When Changing Passwords
  • Your new password does not meet the minimum
    length or password history requirements of the
    domain. Also, your site may require passwords
    that must be a combination of upper case, lower
    case, numbers, and non-alphanumeric
    characters.Your password must be at least ltgt
    characters long. Your new password cannot be the
    same as any of your previous ltgt passwords. Also,
    your site may require passwords that must be a
    combination of upper case, lower case, numbers,
    and non-alphanumeric characters.

Designing Secure Passwords
  • Implement company/organization security policy
  • Use cracking tools to test your password strength
  • LC4, PassFilt Pro, John the Ripper, Quakenbushs
    Password Appraiser
  • Allow no part of e-mail address in password
  • Change every 30 - 45 days
  • Maintain history of previous passwords to prevent
  • Always assign passwords to all accounts
  • Avoid common words dictionary, slang, industry
    acronyms, etc.
  • Use ALT characters - ALT-130 for é, ALT-157 for
    , etc.
  • Avoid use on administrator accounts
  • Never write passwords down

Password Crackers
  • Require access to SAM - direct or copy
  • Password auditing
  • _at_stakes LC4 http//www.atstake.com/
  • Quakenbushs Password Appraiser
  • Most perform reverse hash extraction
  • Protect your SAM!
  • LC4 can sniff SMB exchanges on networks to pull
    passwords use switched networks to force end to
    end communications
  • Several tools are available that boot from a
    floppy and can change the password on any
  • Peter Nordahl's Offline NT Password Registry
    Editor tool
  • Sysinternals Locksmith

Audit Password Registry Keys
  • Enable auditing through Group Policys Audit
  • Start scheduler service, set system startup
  • AT lttimegt /interactive regedt32.exe
  • Registry editor is launched with System level
    access - SAM and SECURITY hives (Note System is
    NTs closest equivalent to UNIXs superuser or
    root access)
  • Set SAM hive auditing parameters
  • at lttimegt /interactive "regedt32.exe"
  • Set SecurityAuditing per event user/group

Accounts Policy
  • Set Lockout parameters
  • Lockout duration (0 99999 minutes)
  • Failed logon attempts
  • Counter reset after time limit
  • Not enabled by default on W2K or W2K3
  • Account is locked out checkbox on user account
    properties dialog box

User Account Security Controls
  • Logon hours
  • Log On To restricted to workstations
  • Account info expiration never or by date
  • Account Options (next slide)
  • Dial-in
  • Remote Access Permission (dial-in or VPN)
    allow, deny, or controlled by Remote Access
  • Verify caller ID (requires supported hardware)
  • Call back pre-defined or user-supplied
  • Terminal Services Sessions
  • End disconnected sessions timeout
  • Time limit for active sessions
  • Time limit for idle sessions
  • Enable remote control/observation
  • Require uses permission to control/observe

Account Options
  • User must change password at next logon
  • User cannot change password
  • Password never expires
  • Store password using reversible encryption
  • Account is disabled
  • Smart card is required for interactive logon
  • Account is trusted for delegation
  • Account is sensitive and cannot be delegated
  • Use DES encryption types for this account
  • Do not require Kerberos pre-authentication
  • Direct user account settings override group
    policy settings!!

Audit Policy
  • All Windows Objects can be audited
  • Two controls policy and object
  • Policies
  • Account logon events
  • Account management
  • Directory service access
  • Logon events
  • Object access
  • Policy change
  • Privilege use
  • Process tracking
  • System events
  • Object level controls accessed through Advanced
    Security Properties
  • Audit policy must be enabled in order for audited
    events to be recorded in the Security log

Sample Audit Detail
Auditing for Security
  • Suspect events
  • failed log on attempts
  • repeated denied access to resource
  • system reboots
  • DumpEVT Export event logs to text files for use
    in scripts and databases - www.somarsoft.com
  • As the amount of data gathered by auditing
    increases, so does need to employ IDS or a data
    mining tool to deal with the data load

Example Audit Schemes
  • Random password attacks
  • account logon events, logon events Failure
  • Stolen passwords (must filter for abnormal
  • account logon events, logon events Success
  • Misuse of admin privileges
  • privilege use Success account management
    Success policy change Success system events
  • Virus infection (track W for all .exe, .bat, and
  • process tracking Success, Failure directory
    service access, object access Success, Failure
  • Access to sensitive files (track R,W for suspect
  • directory service access, object access Success,

Working with User Rights
  • Review defaults of User Rights (see handout
    "User Rights")
  • To increase security settings, make the following
  • Allow Log on locally assigned only to
    Administrators on Servers
  • Shutdown the System assigned only to
    Administrators, Power Users
  • Access computer from network assigned to Users,
    revoke for Administrators and Everyone
  • Restore files/directories revoke for Backup
  • Bypass traverse checking assigned to
    Authenticated Users, revoke for Everyone

  • Ownership grants a user Full Control over an
  • Ownership can be taken by users with
  • Take Ownership of Files or Other Objects User
  • NTFS object level Ownership permissions.
  • Administrators and Domain Admins have this user
    right by default.
  • Ownership can be assigned using subinacl (RK
  • subinacl /subdirectories c\winnt\profiles\.
  • Ownership can be used to bypass any Deny setting.

NTFS Security
  • Defined by object files, directories, printers
  • Set by group or user for Allow or Deny
  • Standard file settings
  • Full Control (RXWDPO)Modify (RXWD)Read
    Execute (RX)List Folder Contents (dir only)
    (R)Read (R) Write (W)
  • Always check defaults on new objects in regards
    tothe Everyone group
  • Container rule - move vs. copy
  • Inheritance is configurable,inheritance of
    permissionsand auditing is distinct

Share Permissions
  • Permissions
  • Full Control
  • Change
  • Read
  • All permissions basedon Allow or Deny
  • W2K new share Full Controlto Everyone
  • W2K3 new share Read onlyto Everyone
  • On objects Sharing tab
  • Able to set maximumsimultaneous users
  • Caching
  • Allow/prevent caching
  • Manual - Offline Files
  • Automatic

Managing Permissions
  • NTFS - All user specific and group membership
    permissions on the same resource are cumulative.
  • Share - All user specific and group membership
    permissions on the same share are cumulative.
  • Combining NTFS and Share Permissions
  • Cumulative NTFS is compared to the cumulative
    Share - most restrictive applies
  • Think of it as an ANDing function
  • Deny always results in deny. Watch for conflicts
    caused by multi-group memberships.
  • Grant permissions on as needed basis need to
    know or least privilege
  • SystemTools DumpSec (www.systemtools.com)
  • dumps permissions (ACLs) for file system,
    registry, shares and printers into a readable
    listbox format

Disk Quotas
  • Disk quotas
  • Configurable per volume
  • Configurable per user
  • Prevent file writing when limitation exceeded
  • Space limitation and warning level in KB, MB, GB,
    TB, or PB
  • Enable log events for quota limit reach or
    warning level reach
  • Quota limits based on uncompressed file size
  • More control and granularity through third-party
    quota solutions, such as Quota Advisor and
    Storage Central from www.sunbelt-software.com

Process Security
  • Inherits parents Access Token
  • Use Task Scheduler to launch tasks with any user
    account credentials
  • Services can be launched with System or any user
    account credentials
  • Once launched, access level of process cannot
  • Use RunAs to execute under another user security
    contents requires username and password. Use as
    command line or hold-shift then right-click over
    .exe for pop-up menu

Windows Kerberos Policy
  • Trusted third-party Authentication protocol
    developed at MIT as part of Project Athena
  • Kerberos V5
  • Faster connections
  • Mutual Authentication
  • Delegated Authentication
  • Simplified Trust Management
  • Interoperability
  • Defined at domain level controls Kerberos
  • Implemented by domains Key Distribution Center
  • Stored as part of domain security policy(may
    only be set by Domain Admins)
  • Windows attempts to use Kerberos first to
    authenticate user logons. If Kerberos fails, NTLM
    is attempted (if enabled)
  • NTLM appears primarily for backward compatibility
    with non-Kerberos supporting Windows clients

Initial Logon
Service Request
Service Ticket
TGT Cached Locally
Session Established
Windows 2000based Computer
Windows 2000based Computer
Target Server
Group Policy SettingsKerberos
  • Enforce User Logon Restrictions
  • Maximum Lifetime That a User Ticket Can Be
  • Maximum Service Ticket Lifetime
  • Maximum Tolerance for Synchronization of Computer
  • Maximum User Ticket Lifetime

Disable LM Authentication
  • W2K supports
  • Kerberos
  • Windows NT challenge/response v.2 (NTLM 2)
  • Includes LM, NTLM 1, NTLM 2
  • LM enabled by default Security Option LAN
    Manager authentication
  • W2K3 supports
  • Kerberos
  • Windows NT challenge/response v.2 (NTLM 2)
  • Includes LM, NTLM 1, NTLM 2
  • LM disabled by default Security Option LAN
    Manager authentication, set to Send NTLM Response
  • Windows 95, WfW, Macs, and OS/2 clients only
    support LM not NTLM
  • Windows 98, SE, Me can be upgraded to support
    NTLM v2 with the Directory Services Client add-on
  • Add NTLM 2 to W95/98 Q239869

Directory Services Client
  • Active Directory Client Extensions for Windows
    95, Windows 98, and Windows NT Workstation 4.0
  • Adds to client AD site awareness, W2K domain
    logon, Active Directory Service Interfaces, DFS
    client, WAB, and NTLM v2.
  • Does not add Kerberos, Group policy or
    Intellimirror support, IPSec, L2TP, SPN, nor
    mutual authentication
  • Windows 9x Active Directory client extension is
    distributed on the Windows 2000 CD
  • Active Directory client extension for Microsoft
    Windows NT 4.0 (with SP6a Microsoft Internet
    Explorer 4.01 or higher) on MS Web site
  • No version of Directory Services Client for
    Windows Me (Millennium)

Public Key Infrastructure 1/2
  • PKI adds authentication encryption services to
  • How PKI Works
  • PKI based on certificates managed by CA that
    verifies identity
  • Public keys issued for widespread distribution
    private key stays with user
  • Anyone can use the public key to encrypt only
    the holder of the private key can decrypt
  • When a public key appears first, followed by a
    private key, this supports key exchange
  • When a private key appears first, followed by a
    public key, this is a digital signature
  • PKI thus provides both identification and
  • Numerous applications use Digital Certificates to
    provide security
  • E-mail, Web, digital file signing, Smart Cards,
    IPSec, EFS recovery agent

Public Key Infrastructure 2/2
  • PKI Components
  • Certificate Services
  • CryptoAPI CSPs provide crypto operations
    private key management
  • Certificate stores to store manage certificates
  • Certificate Services
  • Process certificate requests
  • Verify access qualifications for requesters
  • Create issue certificates for qualified
  • Generate private keys and deliver to requesters
    protected store
  • Manage private key cryptography services
  • Distribute publish certificates for public
  • Manage certificate revocations
  • Store certificate transactions for auditing
  • Works through Certification Authority Console

EFS Issues 1/3
  • EFS (Encryption File System) is built into
    Windows 2000, Windows XP, and Windows 2003 NTFS
  • Encrypting boot and system files will cause
    problems if the system can even boot
  • Issues when autoexec.bat is encrypted
  • Users are unable to log on locally
  • Remote resource access fails
  • Resolution
  • Decrypt
  • Use Recovery Console to log on as Admin, delete
    file, then recreate
  • Alter Registry to bypass autoexec.bat fie,
    delete, then recreate.
  • EFS protects files on NTFS partitions, not when
    in transport over the network or when resident in
    system memory (i.e. in use by an application)

EFS Issues 2/3
  • EFS works using a public key to encrypt files and
    a private key to decrypt files. If the private
    key is lost, the files cannot be decrypted
  • A user can be designated as EFS recovery agents
    who can recover data after the private key of
    another user is lost
  • Through secpol.msc a private key can be exported
    to removable media and deleted from the local
  • EFS cannot be used to encrypt system files, use
    alternatives PC Guardian's Encryption Plus for
    Hard Disks (EPHD)

EFS Issues 3/3
  • EFS on Windows 2000 uses DESX for encryption. It
    can only decrypt using DESX.
  • EFS Windows XP pre-SP1 use 3DES for encryption.
    It can decrypt using DESX or 3DES.
  • EFS on Windows XP SP1 and Windows 2003 uses AES
    for encryption, by default. It can decrypt using
    DESX, 3DES, or AES.
  • EFS Files Appear Corrupted When You Open Them
  • Instructions on setting XP SP1 and 2003 to use
    3DES or DESX
  • Do not change this setting if there are existing
    encrypted files
  • Attempting to open AES encrypted files on Windows
    2000 or Windows XP pre-SP1 systems will corrupt
    the files resulting in data loss!

  • IP Security (aka IPSec)
  • IETF standard security protocol (RFC 2411
    provides a roadmap to all related RFCs)
  • Provides authentication and encryption
  • AH (Authentication Header) integrity and
  • ESP (Encapsulating Security Payload) integrity,
    authentication, confidentiality - encryption
  • Operates at layer 3 as a plug-in between
    transport (UDP or TCP) and network (IP and
    others) protocols
  • Works with both IPv4 and IPv6
  • Wide industry support, expected to become
    predominant VPN Internet standard
  • Used with Layer 2 Tunneling Protocol (L2TP) for
    dial-up VPNs, uses by itself for
    network-to-network VPNs

IP Security (IPSec) Policies
  • Construct IPSec policies using Windows Security
  • IPSec policies associate with default domain
    policy, default local policy, or customized
  • Includes abilities to negotiate security services
    (called negotiation policies)
  • IP filters let different policies apply to
    different computers, based on destination
  • To create IPSec policy
  • Create a named Security Policy for some container
  • Create negotiation policies
  • Create IP filters, associate with negotiation

Locking Down Windows Systems
  • The first steps to locking down Windows include
  • Applying service packs
  • Applying needed hot fixes and patches
  • Apply security templates
  • Testing for a secure configuration

Service Packs
  • Hotfix - single issue, apply only if necessary
  • Service Pack - cumulative patches fixes
  • Re-installation of Service Pack not necessarily
    required after installing new drivers or software
    on Windows 2000/XP/2003 as was with Windows NT
  • Windows 2000 SP4 see later slide
  • Windows Server 2003 no service packs available
    as of 11/14/03, SP1 beta rumored to be in testing
    for release in late 2004

Windows 2003 SP1
  • Due late 2004
  • Will include numerous features and improvements
    from the Springboard project
  • Springboard includes elements and components
    originally designed for Longhorn, for which
    Microsoft has accelerated release for Windows
    2003 and Windows XP
  • Will include
  • Roles based Security Configuration Wizard (SCW)
    to quickly configure new servers based on
    function or role
  • Insecure network client isolation
  • VPN quarantine
  • Enterprise level protection features (yet

Windows 2003 Pre-SP1Security Issues 1/2
  • 23 pre-SP1 hot fixes as of 5/11/2004
  • MS04-015 Vulnerability in Help and Support
    Center Could Allow Remote Code Execution (840374)
  • MS04-014 Vulnerability in the Microsoft Jet
    Database Engine Could Allow Code Execution
  • MS04-012 Cumulative Update for Microsoft
    RPC/DCOM (828741)
  • MS04-011 Security Update for Microsoft Windows
  • MS04-007 ASN .1 Vulnerability Could Allow Code
    Execution (828028)
  • MS04-006 Vulnerability in the Windows Internet
    Naming Service (WINS) Could Allow Code Execution
  • MS04-003 Buffer Overrun in MDAC Function Could
    Allow Code Execution (832483)
  • MS03-048 Cumulative Security Update for
    Internet Explorer (824145)

Windows 2003 Pre-SP1Security Issues 2/2
  • MS03-045 Buffer Overrun in the ListBox and in
    the ComboBox Control Could Allow Code Execution
  • MS03-044 Buffer Overrun in Windows Help and
    Support Center Could Lead to System Compromise
  • MS03-043 Buffer Overrun in Messenger Service
    Could Allow Code Execution (828035)
  • MS03-041 Vulnerability in Authenticode
    Verification Could Allow Remote Code Execution
  • MS03-039 Buffer Overrun In RPCSS Service Could
    Allow Code Execution (824146)
  • MS03-034 Flaw in NetBIOS Could Lead to
    Information Disclosure (824105)
  • MS03-030 Unchecked Buffer in DirectX Could
    Enable System Compromise (819696)
  • MS03-026 Buffer Overrun In RPC Interface Could
    Allow Code Execution (823980)
  • MS03-023 Buffer Overrun In HTML Converter Could
    Allow Code Execution (823559)

Windows 2000 SP5
  • Due late 2004, after Windows 2003 SP1 ships
  • No reliable details on elements other than
    existing post-SP4 hot-fixes (17 as of 5/11/2004)
  • MS03-022, MS03-023, MS03-026, MS03-034, MS03-039,
    MS03-041, MS03-042, MS03-043, MS03-044, MS03-045,
    MS03-049, MS04-006, MS04-007, MS04-008, MS04-011,
    MS04-012, MS04-014

Windows 2000 Service Pack 4
  • Released Aug 2003 - generally stable
  • Recommended for Windows 2000 Server and Pro
  • Available on CD, through Windows Update, on
    Windows 2000 Web area
  • SP4 includes 674 fixes (102 for security
    issues), see KB Q327194
  • Note these are issues in addition to those in
    SP3 and earlier.
  • Release notes for W2K SP4 813432
  • SP4, like SP3, upgrades the system to use 128-bit
    encryption. If you uninstall SP4 (or SP3), the
    system will remain at 128-bit encryption.
  • SP4 includes Internet Explorer 5.01 SP4 and
    Outlook Express 5.5 with SP2
  • SP4 adds to Windows 2000 native 802.1x wireless
    networking support and native USB 2.0 support
  • There are 14 post SP4 security issues as of March

Known Issues with W2K SP4
  • Local Security Policy Values Revert to the Values
    That Are Stored in SecEdit.sdb (KB827664)
  • If you have Windows Update service disabled when
    you install SP4, the installation program
    re-enables Windows Update without notifying you.
  • .Net Framework 1.0 programs won't run.
  • Available hotfix or upgrade to .Net Framework 1.1
  • Norton Internet Security 2001 is incompatible.
  • Upgrade NIS (KB823087)
  • Exchange Server can't start its Key Management
  • Workaround database defragmentation (KB818952)
  • Other known issues KB 813432

Windows XP Service Pack 2
  • To be released?? current rumor is July 2004
  • Will require significant changes to an
    organizations deployment processes and
    configuration procedures
  • New security and networking enforced defaults
    will cause numerous applications and services to
    fail, reconfiguration will be necessary
  • RC1 of SP2 not stable enough for widespread
  • RC2 of SP2 due soon may be suitable for limited
    testing, I dont recommend production environment
    deployment of these test releases
  • Sweeping changes to Windows XP
  • Improved default security
  • Improved ICF, RPC, DCOM, COM
  • Better memory management and protection (i.e.
    buffer overflow)
  • Improved IE, Outlook Express, Windows Messenger

Windows XP Service Pack 1a
  • SP1a for Windows XP released on 2/3/2003
  • There are 77 post SP1a security issues as of
    March 2004
  • SP1a and SP1 are identical, except that the
    Microsoft VM (Java support) is removed from SP1a.
  • Generally considered stable
  • We recommend installation on all XP systems
  • Updates XP systems with hotfixes released through
    mid-Aug 2003 (MS02-048)
  • Includes IE 6 SP1 USB 2.0
  • Does not include BlueTooth
  • Known issues KB324722
  • 57 post SP1a hot fixes as of 5/11/2004

Windows XPSecurity Rollup Package 1
  • Released 10/14/2003
  • As an interim release before SP2
  • Contains 22 security related patches in a single
    installation package
  • Includes security patches from SP1 through
  • KB826939

Working with Service Packs
  • Review documentation and KB documents associated
    with Service Pack and/or hotfix before initiating
  • Need sufficient free space on boot partition, 3
    times size of SP, more if uninstall info is saved
  • Move previous SP's uninstall directory from
    SystemRoot\NTServicePackUninstall\ to another
    safe location.
  • Backup data, Registry, maybe entire system
  • Reboot the system
  • Terminate all applications, stop unneeded
    services, stop debugging, stop remote control
  • Disable Server service to prevent network access
    before starting SP/HF application
  • Stop all third-party services requiring disk
    access, i.e. virus protection and

Managing SPs and HFs
  • Service Pack presence visible through most
    HelpAbout screens from native utilities, WINVER
  • Hotfix identification varies by hot-fix -
    typically run HOTFIX.EXE or view Hotfix Registry
    key for list
  • Qfecheck management tool from Microsoft
  • UpdateEXPERT SP and HF inventory and
    installation tool from Sunbelt Software
  • HFNetChkPro from Shavlik Technologies
  • http//www.shavlik.com/pHFNetChkPro.aspx
  • All DCs should be maintained at same SP level,
    mixing can introduce problems
  • Software Update Svcs (SUS) internalizes
    manages Windows Update for private networks
  • Service packs for Windows 2000, XP, and 2003 can
    be slipstreamed for new installations or a
    pre-integrated installation CD may be available

Lockdown Tools 1/2
  • Microsoft Baseline Security Analyzer (MBSA) 1.2
  • GUI and command line tool
  • Runs on Windows 2003/XP/2000 only, but will scan
    Windows NT 4.0, Windows 2003, Windows 2000,
    Windows XP, IIS 4.0, IIS 5.0, SQL 7.0, SQL 2000,
    IE 5.01, and Office 2000/2002/2003, more.
  • Lists all necessary or applicable patches, fixes,
    or security settings for each detected OS and
  • Each issue is scored
  • Red X missing
  • Yellow X possible vulnerability or reminder
  • Green check verified secured setting or control
  • Blue asterisks reminder or warning of possible
  • Blue information icon information about system
  • Possible risk MBSA can create a plaintext
    report, with clever scripting a malicious user
    can create an automated attack tool based on the

Lockdown Tools 2/2
  • MBSA was developed with Shavlik Technologies
  • Commercial versions are available
  • HFNetChkPro
  • EnterpriseInspector
  • Both are free for use on up to 10 workstations
    and 1 server
  • www.shavlik.com
  • HFNetChk
  • command line tool which scans for installed
  • Excellent for scanning local and networked
  • Does not download or install necessary patches
  • CIS benchmark security tool
  • Evaluates a Windows systems for compliance
    against pre-defined security benchmarks

Security Configuration and Analysis
  • MMC snap-ins
  • Security Configuration and Analysis
  • Security Templates
  • Used to customize Group Policies a.k.a. security
  • Several pre-defined security templates for
    client, server, and DC systems of basic,
    compatible, secure, and high security.
  • Analyze current security state
  • Impose a pre-defined or customized security
  • Create custom templates

Well-known Vulnerabilities
  • Windows is at risk to a wide number of well-known
    and oft-exploited vulnerabilities.
  • The following slides discuss many of these along
    with workarounds and countermeasures

Services and Security
  • Only install necessary services
  • Unbind unneeded protocols
  • Candidate services to disable/remove
  • Alerter Clipbook Server
  • Computer Browser DHCP client
  • Directory Replicator Messenger
  • NetLogon Network DDE
  • Plug and Play RPC locator
  • Server SNMP Trap service
  • Spooler TCP/IP NetBIOS Helper
  • Telephony service Workstation
  • Unnecessary services offer information gathering
    holes or access points
  • Test service removal on non-production systems
  • Sysinternals Process Explorer - displays DLL
  • See the BlkViper Web site on removing/disabling

SNMP Problems
  • If using SNMP, remove or alter public default
  • Anyone with an SNMP browser can poll this
  • Snmputil from Resource Kit
  • Snmputil walk ltIP addressgt public ltOIDgt
  • OIDs identifies a specific branch in the MIB
  • IP Browser from Solar Winds (www.cerberus-infosec.
    co.uk) offers GUI exploration of public community
  • Dont deploy SNMP unless you use it

Raw Sockets
  • Windows 2003, Windows XP, Windows 2000, UNIX, and
    Linux, support administrative or root only access
    to full raw sockets
  • However, on stand-alone Windows XP Professional
    and Home systems, all local users are
    administrators by default
  • Full raw sockets is a means by which the TCP/IP
    stack is bypassed to allow direct access to
    underlying network data transport
  • Full raw sockets were originally designed as
    research tools, not for real-world OSes
  • Full raw sockets allow spoofed IP addresses and
    SYN floods
  • IEs defaults download and install software
    without users knowledge
  • Use GRC.coms SocketToMe and SocketLock to detect
    and close down raw sockets to users and restrict
    it to SYSTEM access only

Enumeration UsingTelnet Client (1/2)
  • Use any telnet client
  • telnet ltdomain name or IPgt port
  • Followed by pressing Enter several times
  • Test common ports 80 (Web), 21 (FTP), 25 (SMTP),
  • Many services respond with error msg (a.k.a.
    banner) listing information about service on that
  • For example
  • HTTP/1.1 400 Bad Request
  • Server Microsoft-IIS/6.0
  • Date Wed, 23 Aug 2000 161904 GMT
  • Web server enumeration tool ID Serve from GRC
  • http//grc.com/id/idserve.htm

Enumeration UsingTelnet Client (2/2)
  • Protection
  • remove default banners where possible
  • check open ports with scanner (nmap)
  • prevent remote Registry access
  • Dont rely on obscurity as your only means of
  • IISs URLScan utility disables banners on any
    version of IIS by refusing invalid service
    requests. Knowledge Base 317741 - HOW TO Mask
    IIS Version Information from Network Trace and
  • Avoid telnet service whenever possible, use
    secure alternatives such as remote control
    software (such as PCAnywhere), SSH (secure
    shell), or stunnel.

File Streaming
  • A method for hiding executables
  • Requires NTFSs POSIX capabilities and RK cp
  • cp ltfilegt lthostfilegtltfilegtS
  • Streamed files can be executed without extraction
  • Start lthostfilegtltfilegt
  • Can be used on files and directories
  • Great way for hackers to hide toolkits
  • Locate streamed files with
  • LADS Locate Alternate Data Streams
  • Streams - www.sysinternals.com/misc.htm
  • SANS warning http//www.sans.org/newlook/alerts/N
  • If POSIX is removed/disabled, existing streams
    still function but no new streams possible.

Boot Partition Conversion Problem
  • If Windows 2000 is installed onto FAT/FAT32
    formatted boot partition, then converted to NTFS
  • Correct default security permissions not applied
    to files on boot partition
  • Use SECEDIT tool to apply correct permissions
  • Q237399
  • If NT 4.0 was installed with SYSPREP, a bug
    prevents the Win2K upgrade from converting a FAT
    boot partition to NTFS
  • Must manually convert drive, no other MS fix
  • Q256917

51 IP Addresses
  • A Windows 2000 Server as a domain server cannot
    support more than 51 IP addresses OOB
  • Bug in Active Directory causes error
  • Attempting to add 52nd address renders system
    unable to
  • Authenticate users
  • Launch and use administrative tools
  • Limitation is per server, not per NIC
  • Corrected in SP2
  • Only workarounds
  • add a second system
  • use W2K as a non-domain controller

Administrative shares
  • C, D,
  • Hidden/system shares
  • Accessed from any client on network
  • Can be accessedover VPN, RAS,PPTP
  • Only requireadmin nameand password

Hidden Systems
  • Removes system from browse lists
  • Prevents Server service from being tuned via the
    Network applet
  • Disables auto-tuning
  • To restore auto-tuning, edit the Registry and
    correct the entries in the LanmanServer
    Parameters section
  • See KB 128167 321710 314498

Predefined accounts
  • Administrator
  • Can be renamed
  • Requires non-blank password on Domain Controllers
  • Cannot be locked out or disabled
  • Cannot be deleted
  • Password never expires
  • Password cannot be stored with reversible
  • Smart card cannot be required
  • Cannot be delegated
  • DES cannot be used and Kerberos is required
  • Guest
  • Can be renamed
  • Blank password by default
  • Can be locked out and disabled
  • Cannot be deleted
  • Disabled by default
  • Remember everyone knows these accounts exist

The IIS Accounts
  • IUSR_computername
  • Created by IIS for anonymous Web FTP access
  • Log on Locally right
  • Member of Guests and Domain Users (DCs only)
  • Non-blank random password
  • Access enabled by default
  • Can be renamed, requires change in Active
    Directory Users and Computers as well as in both
    IISs Web and FTP server Properties
  • Remove from Domain Users and Guests groups to
    force local and Web access only

SAM Deletion
  • Deleting the \winnt\system32\config\sam file
    destroys all user accounts and assigns blank
    password to administrator
  • Use only as last resort
  • All domain and security settings related to uses
    and groups are destroyed

Replace Passwords
  • Winternals Locksmith
  • Used to replace user account password
  • Works on any account, including Administrator
  • Requires physical access
  • Requires NTRecover or Remote Recover
  • NTRecover allows data from one system to be moved
    across a serial cable to another system. The
    source system is booted with a floppy to bypass
    security or to recover a failed system.
  • Winternals www.winternals.com
  • Similar tool ntpasswd http//home.eunet.no/pnor

Who is the Admin?
  • List admins with
  • NET GROUP "Domain Admins" /DOMAIN
  • Get more details on each listed user with
  • NET USER username /DOMAIN more
  • Decoys are for external users
  • Any valid user can exploit NetBIOS to extract
    information about users and systems

Administrator Decoy
  • Rename real Administrator account with
    subtlenon-obvious name - avoid admin, sysop,
    root, master
  • Create new decoy account named Administrator
    with simple password
  • Remove all or most access privileges and group
  • Audit every action and logon attempt
  • Consider creating fake confidential content to
    snag intruders long enough to be detected and
    located (I.e. a honeypot)
  • Method only isolates Admin account from external
    intruders, Domain Admins can always discover

Double Admin Accounts
  • Each administrator needs two accounts
  • Administrative account for management work
  • Normal user account for daily work
  • No two admins should ever share an account
  • Restrict/Delegate each admin to his or her
    segment/resource responsibilities
  • Only grant Admin access to trusted users
  • Keep local Admins out of Domain Admins global
    group to control access levels
  • Audit admin account activities
  • Be pessimistic about offering admin access
  • Revoke log on from network User Right for all
    admin accounts - requires physical presence at
About PowerShow.com