W982: Windows 2003XP2000 System and Network Security Networld Interop Las Vegas Wed May 12, 2003 8:3

1
W982Windows 2003/XP/2000 System and Network
SecurityNetworldInterop - Las VegasWed
May 12, 2003 830am-430pm

• James Michael Stewart
• CISSP, ISSAP, TICSA, CIW SA, Security, CTT,
  MCT, CCNA,
• MCSA Windows Server 2003, MCSESecurity Windows
  2000,
• MCDST, MCSE NT W2K, MCPI, iNet
• www.impactonline.com
• michael_at_impactonline.com

2
UPDATED MATERIALS

• This course has changed since submitted for
  printing
• Updated slides, notes, and handouts available
  from
• www.impactonline.com/interop/
• All new or changed material is highlighted in
  green.

3
What This Course is NOT about

• How to break into Windows systems
• Security issues not related directly to Windows
• Installing software
• Troubleshooting non-security issues
• Details on Intrusion Detection
• Basics of Windows architecture, administration,
  or operation
• Other software from Microsoft or third-party
  vendors

4
What This Course IS about

• Why security is important
• Native security features built into
• Windows Server 2003
• Windows 2000 Server and Professional
• Windows XP Professional
• How to lock down or secure a Windows system
• Vulnerabilities of Windows OSes
• Windows countermeasures

5
Security Is Important

• OS or system security does not exist in a vacuum
• You must address physical security and
  administrative issues otherwise no amount of
  technical or logical security controls will
  suffice
• Security must be driven by an organization wide
  security policy.
• Security is not a goal, it is a process, and
  Security is not a product, it's a mentality
  McClure/Scambray
• Security is maintaining data integrity and
  providing only authorized, controlled access to
  that data

6
Windows Security isan ART not a SCIENCE

• Take my recommendations and opinions about
  Windows security at your own risk.
• Usually, increasing security adds administrative
  overhead, but decreasing security reduces
  administrative workloads. Ultimately, you must
  choose what level of security you require, and
  manage related admin tasks.
• We welcome other opinions on Windows security in
  the class - we will add useful information to
  online materials and future classes

7
Windows Security Is

• Build a perimeter thats harder to cross than
  your neighbors
• Controlled and monitored access
• End to end solution, involving clients,
  applications, servers, boundary devices, and all
  relationships between these elements
• Windows 2000/NT/XP Out of the Box Few secure
  defaults
• Windows Server 2003 is much more secure by
  default
• Maintaining security is never-ending process
  requires vigilance, ongoing monitoring, and
  maintenance.

8
SecurityA Multi-Front Endeavor

• 100 security does not exist
• Implement security in layers
• Security must provide protection from intrusions,
  internal and external attacks, accidents,
  malicious code, and physical destruction.
• Security policies guide and direct implementation
• Three Legs of Security
• Physical access control
• If physical security not maintained, no amount of
  software security can create a secure environment
  for your data
• Human education and management
• OS and software management

9
Worst Security Mistakes

• Opening unsolicited email attachments without
  verifying source and checking content first
• Failing to install security patches
• Installing unapproved software
• Neither making nor testing backups
• Connecting a modem to a phone line while computer
  is connected to a LAN
• Relying primarily on firewalls and boundary
  safeguards
• Connecting systems and devices to the LAN or
  Internet before hardening them
• Using telnet or other unencrypted protocols to
  manage systems and network devices
• Running unnecessary protocols and services
• Failing to keep yourself up to date with the
  state of security of your OSes, software, and
  hardware

10
Windows Sever 2003New and Modified Features

• Common Language Runtime
• Internet Connection Firewall
• Account behavior changes
• More Secure Defaults
• Administration Security
• Developer enhancements
• Encrypted File System enhancements
• IPSEC enhancements
• Authorization Manager
• Software Restriction Policies
• Credential Management
• PKI Features
• IIS 6.0 enhancements

11
Common Language Runtime

• Common Language Runtime (CLR) software engine
• improves reliability and helps ensure a safe
  computing environment.
• reduces the number of bugs and security holes
  caused by common programming mistakes
• verifies that applications can run without error
  and checks for appropriate security permissions
• making sure that code only performs appropriate
  operations
• checks where the code was downloaded or installed
  from
• checks whether the code has a digital signature
  from a trusted developer
• Checks whether the code has been altered since it
  was digitally signed.

12
Internet Connection Firewall

• Simple stateful IP filter
• Allows all outbound
• Allows selected inbound

13
Account Behavior Changes

• Limiting local account misuse
• Network logon prevented with blank passwords
• Network logons using local accounts authenticate
  as guest
• Administrator account can be disabled
• The built-in Everyone group includes
  Authenticated Users and Guests, but no longer
  includes members of the Anonymous Logon group
• Supported authentication techniques Kerberos V5,
  SSL, TLS, NTLM, digest (MD5 hash), passport,
  two-factor (such as smart cards)

14
More Secure Defaults

• IIS/FTP/SMTP not installed by default
• IIS must be configured before first use
• Many services/interfaces/extensions are disabled
  by default

15
Administration Security

• Command line tools (e.g. netstat o)
• Smartcard authentication for common admin tools
• Net.exe
• Runas
• Terminal Services

16
Developer Enhancements

• .Net Common Language runtime
• Managed code
• Authentication of code origin
• Authorization of operations against policy
• IPSec APIs
• Application access to EFS metadata
• Advanced Encryption Standard New Hash support

17
EFS Enhancements

• Encrypted file sharing in the UI
• Encrypted files marked with alternate color
• Sharing Your Encrypted Files with Other Users
• Encrypted client side cache
• Used for offline folders, files stored in
  encrypted CSC database
• Support kernel-mode FIPS-compliant cryptography
• 3DES algorithm, enabled with Group Policy
• FIPS Federal Information Processing Standard

18
EFS Data Recovery Changes

• Domain Model
• Removed requirement for Data Recovery Agent
• Can operate with no data recovery policy or a
  separate key recovery policy
• Domain Administrator is DRA by default when
  domain is created

19
EFS over WebDAV

• Enable encrypted storage on Internet servers (end
  to end encryption)
• WebDAV is a file sharing protocol over HTTP
• Alternative to SMB Internet Standard RFC 2518
• Supported by numerous independent software
  vendors
• IIS 5.0 and IIS 6.0 support WebDAV as web folders

20
IPSec Enhancements

• Windows 2000/XP/Server 2003 Compatibility
• Stronger security
• Diagnostics and supportability
• UI improvements and IPSec Monitor Snap-in
• Command line management NETSH
• Computer startup security
• IPSec Driver Startup Modes
• Persistent policy for enhanced security
• Removed default traffic exemptions
• NAT traversal
• Improved IPSec integration with Network Load
  Balancing
• IPSec support for Resultant Set of Policy (RSoP)

21
Authorization Manager

• Flexible framework
• Role-based access control
• Role-based administration
• Support for Forest Trusts two-way transitive
  trusts between every domain in both forests

22
Software Restriction Policies

• Group Policy can restrict software installation
  and execution
• Can restrict by
• Hash Rule
• Path Rule
• Certificate Rule
• Zone Rule

23
Credential Manager

• Provides a secure storage mechanism for user
  credentials, such as passwords and X.509
  certificates
• Provides a consistent single-sign on
• Supported for local and roaming users
• Simplifies and secures the methods by which
  server and client based applications obtain user
  credentials

24
PKI Features

• Qualified subordination
• A.K.A. Cross certification
• More X.509 options implemented on server and
  client
• Define the namespace for which a subordinate CA
  will issue certificates
• Specify the acceptable uses of certificates
  issued by a qualified subordinate CA
• Create trust between separate certification
  hierarchies
• Editable certificate templates
• Key archive recovery
• Can configure a CA to archive the keys associated
  with the certificates it issues
• Auto enrolment renewal
• Delta CRLs

25
IIS 6.0 Enhancements

• Lessons implemented
• Reduced attack surface
• Code security
• Secure defaults
• Improved ASP security
• Lower privilege accounts
• Improved patch management
• Security features for the platform
• Application isolation
• FTP user isolation
• Passport authentication
• URL authorization

26
Some Specific Windows 2003 Security Benefits

• More than 20 services that were enabled by
  default in W2K are now disabled or operate at
  lower privileges
• IIS 6.0 and Telnet server is not installed by
  default, plus both run under a new service
  account with lower privileges
• IE has numerous limitations on its functionality
• The Security Configuration Wizard which works
  on-top-of Configure Your Server defaults to the
  highest security lockdown for added services and
  features
• Remote users will be unable to log in using blank
  passwords
• Role-based authentication via applications
• The system root drive is accessible only to
  Administrative group users, the Everyone group is
  fully restricted
• Stronger VPN policies and filters

27
Windows 2000 to Windows 2003

• All known problems with Windows 2000 up through
  approximately MS03-022 are corrected or not
  present in Windows 2003
• New problems since MS03-023 may be found in
  Windows 2000, Windows XP, and Windows 2003
• Check Windows Update and Microsoft Security
  Bulletins frequently to stay current with new
  developments

28
Windows 2000 Security Features

• Improved security model over Windows NT
• stronger authentication, protocols, services
• Directory Service Account Management
• domain trees
• Organizational Units (OUs) - directory containers
  
• Kerberos Authentication Protocol V5
• Public Key Infrastructure (PKI)
• X.509 Version 3 Certificate Services
• CryptoAPI Version 2
• Encrypting File System (EFS) built into NTFS
• Secure channel security protocols (SSL 3.0/PCT)
• Smart card support
• Private Communications Technology PCT 1.0
• Distributed Password Authentication (DPA)
• Transport Layer Security Protocol TLS
• Internet Security Framework IPSec, L2TP
• Transitive Trusts

29
Windows XPSecurity Features

• Most of the security benefits of Windows 2000 are
  found in Windows XP
• Additional security features include
• Internet Connection Firewall
• Internet Connection Sharing
• Blank password restriction (access to local
  system only)
• Encryption of Offline Files
• Credential Management storage of logon
  credentials
• Fast user switching (non-domain only)

30
Windows XPIPL Vulnerability

• All passwords rendered useless on Windows XP
• Boot a Windows XP system with a Windows 2000 CD
• Start the Windows 2000 Recovery Console
• User is then able to operate as the administrator
  of the system without a password
• User can connect as any user account on the
  system without a password
• User can copy files to floppies or other
  removable media from any local hard drive a
  capability normally restricted within the
  Recovery Console when used legitimately.
• Only countermeasure physical security
• http//www.briansbuzz.com/w/030213/

31
Coverage of Windows Clients

• Windows XP Professional can be configured as the
  most secure client available from Microsoft
• Windows 2000 Professional can be configured to be
  almost as secure as Windows XP Professional
• Both offer different defaults, usually insecure
  defaults, when employed as stand-alone systems
• This courseware assumes Windows XP Professional
  and Windows 2000 Professional are being used as
  Active Directory domain clients. Therefore they
  take on the security configurations defined by
  Windows 2000 Server or Windows Server 2003 GPOs
  assigned to their AD containers.

32
Coverage of Windows Servers

• All Windows 2000 Server and Windows Server 2003
  settings are discussed from the perspective of
  these systems being used as domain controllers.
• Domain controllers either inherit the security
  configuration of the domain controllers, the
  domain GPO, or are assigned their own unique
  configuration by network administrators.

33
Overview of Native Security Componentsof Windows
2003/XP/2000

• Logon control
• User accounts
• Groups
• Accounts policy - passwords and lockout
• System policies
• NTFS and Share permissions
• User Rights
• Auditing

34
Login Access Security

• NetLogon service
• restricted memory area
• CTRL-ALT-DEL
• cannot be spoofed
• forces physical logon
• communicates with security database to validate
  users
• Requires
• user account name
• password
• domain name
• Remote Control software bypasses via API and
  installed service (logon required to install
  service)

35
Automated Logon

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
  NT\CurrentVersion\Winlogon
• DefaultDomainName (Value REG_SZ)
• DefaultUserName (Value REG_SZ)
• DefaultPassword (Value REG_SZ)
• AutoAdminLogon (Value REG_SZ) 1
• Authentication still occurs, but without user
  input
• To terminate auto-logon
• set AutoAdminLogon0
• delete DefaultPassword
• Hold SHIFT to logon with alternate user account
• Used on kiosks other access points where access
  level or physical security is no issue
• Functions on NT, 2000, XP, 2003

36
Cached Credentials (1/2)

• By default, when you attempt to log on to a
  domain from a Windows 2003/XP/2000-based
  workstation or member server and a domain
  controller (DC) cannot be located, no error
  message is displayed.
• Instead, you log on to the local computer using
  cached credentials.
• By default, Windows 2003/XP/2000 caches the last
  10 logons
• Set through Group Policy (Security Options) or
  Registry (CachedLogonsCount). If set to 0, no
  logons are cached and if DC is not available
  logon is denied.

37
Cached Credentials (2/2)

• When logged on with cached credentials, user
  account has no access to updated group policies,
  roaming profiles, home folders, or logon scripts.
• Use set command at Command Prompt
• LOGONSERVER entry names what system authenticated
  you.
• If local system cached credentials, if DC
  domain validation.
• Appears in Event Viewers System log event ID
  5719
• Add ReportControllerMissing and ReportDC values
  to Registry to force user warning message.
• Unlocking a workstation or a DC uses cached
  credentials by default. If you dont disable
  credential caching, then set ForceUnlockLogon to
  1 to require actual AD authentication to unlock
  systems.

38
User Accounts Groups

• Users and groups key to Windows security
• User Accounts
• Unique identifiers for each person
• Security IDs
• Groups
• Used to control resource access
• Machine local, Domain local, Global, Universal
  (native mode)
• Multiple group memberships
• Combined permissions
• Users gt Domain Groups gt Local Groups gt Resources
• Users are added to groups
• Groups are assigned permissions for resources
• Nesting of groups supported
• Delete vs. Disable old user accounts

39
System Controlled Groups

• Pre-Windows 2000 Compatible Access
• Anonymous Logon
• Authenticated Users
• Batch
• Creator Group
• Creator Owner
• Dialup
• Enterprise Domain Controllers
• Everyone
• Interactive
• Network
• Proxy
• Restricted
• Self
• Membership is dynamic and managed by the OS
  itself
• Everyone group is still required on boot
  partition and still includes anonymous and null
  sessions

• Service
• System
• Terminal Server User
• 2003 specific
• Digest Authentication
• Local Service
• NTLM Authentication
• Other Organization
• Remote Interactive Logon
• SChannel Authentication
• This Organization

40
Group Policy

• GPOs can be assigned to domains, sites, or OUs.
• Applied LSDOU
• Combines policies for
• general security controls
• audit
• user rights
• passwords
• accounts lockout
• Kerberos
• Public key policies
• IPSec policies
• 2000 OOB if a user is a member of 70 to 80
  groups, group policy may not be applied. Caused
  by Kerbeross token size limitation, correction
  changes MaxTokenSize from 12000 to 100000 - (SP2)
  - 263693

41
Group Policy SMB vulnerability

• SMB signing flaw may allow group policies to be
  modified by unauthorized users
• Affects Windows 2000 and Windows XP
• Flaw allows attackers to downgrade the settings
  for SMB signing so packets not signed even though
  systems are configured to use SMB signing. This
  attack occurs during negotiation process between
  client and server. Once exploited, attackers
  could modify packets sent between two systems and
  changes would not be detected.
• Patch not included in Windows XP SP1
• MS02-070 KB329710

42
Password Policy

• Set password restrictions
• Min max password age (0-999)
• W2000 Max 42 days Min 0 days
• W2003 - Max 42 days Min 1 days
• Min password length (0-14)
• W2000 - 0
• W2003 - 7
• History (1 - 24 entries)
• W2000 1
• W2003 - 24
• Passwords must meet complexity requirements
• W2000 disabled
• W2003 enabled
• Store passwords using reversible encryption for
  all users in the domain
• W2000 W2003 - disabled

43
Password Complexity

• Forces minimum of 6 characters
• Incorporates at least 3 character types
• Uppercase A through Z
• Lowercase a through z
• Numerals 0 through 9
• Non-alphanumeric !, _at_, , , , \,
• No part user account name or real name
• Not foolproof April1999 is valid password
  under these restrictions, but easily guessed.
• When enabled, existing passwords are
  grandfathered new or changed passwords must
  meet restrictions
• Custom password filters see W2000 and W2003 SDK

44
Failing Requirements When Changing Passwords

• Your new password does not meet the minimum
  length or password history requirements of the
  domain. Also, your site may require passwords
  that must be a combination of upper case, lower
  case, numbers, and non-alphanumeric
  characters.Your password must be at least ltgt
  characters long. Your new password cannot be the
  same as any of your previous ltgt passwords. Also,
  your site may require passwords that must be a
  combination of upper case, lower case, numbers,
  and non-alphanumeric characters.

45
Designing Secure Passwords

• Implement company/organization security policy
• Use cracking tools to test your password strength
• LC4, PassFilt Pro, John the Ripper, Quakenbushs
  Password Appraiser
• Allow no part of e-mail address in password
• Change every 30 - 45 days
• Maintain history of previous passwords to prevent
  reuse
• Always assign passwords to all accounts
• Avoid common words dictionary, slang, industry
  acronyms, etc.
• Use ALT characters - ALT-130 for é, ALT-157 for
  , etc.
• Avoid use on administrator accounts
• Never write passwords down

46
Password Crackers

• Require access to SAM - direct or copy
• Password auditing
• _at_stakes LC4 http//www.atstake.com/
• Quakenbushs Password Appraiser
  http//www.quakenbush.com/
• Most perform reverse hash extraction
• Protect your SAM!
• LC4 can sniff SMB exchanges on networks to pull
  passwords use switched networks to force end to
  end communications
• Several tools are available that boot from a
  floppy and can change the password on any
  account
• Peter Nordahl's Offline NT Password Registry
  Editor tool
• Sysinternals Locksmith

47
Audit Password Registry Keys

• Enable auditing through Group Policys Audit
  Policy
• Start scheduler service, set system startup
• AT lttimegt /interactive regedt32.exe
• Registry editor is launched with System level
  access - SAM and SECURITY hives (Note System is
  NTs closest equivalent to UNIXs superuser or
  root access)
• Set SAM hive auditing parameters
• at lttimegt /interactive "regedt32.exe"
• HKEY_LOCAL_MACHINE\SAM
• Set SecurityAuditing per event user/group

48
Accounts Policy

• Set Lockout parameters
• Lockout duration (0 99999 minutes)
• Failed logon attempts
• Counter reset after time limit
• Not enabled by default on W2K or W2K3
• Account is locked out checkbox on user account
  properties dialog box

49
User Account Security Controls

• Logon hours
• Log On To restricted to workstations
• Account info expiration never or by date
• Account Options (next slide)
• Dial-in
• Remote Access Permission (dial-in or VPN)
  allow, deny, or controlled by Remote Access
  Policy
• Verify caller ID (requires supported hardware)
• Call back pre-defined or user-supplied
• Terminal Services Sessions
• End disconnected sessions timeout
• Time limit for active sessions
• Time limit for idle sessions
• Enable remote control/observation
• Require uses permission to control/observe

50
Account Options

• User must change password at next logon
• User cannot change password
• Password never expires
• Store password using reversible encryption
• Account is disabled
• Smart card is required for interactive logon
• Account is trusted for delegation
• Account is sensitive and cannot be delegated
• Use DES encryption types for this account
• Do not require Kerberos pre-authentication
• Direct user account settings override group
  policy settings!!

51
Audit Policy

• All Windows Objects can be audited
• Two controls policy and object
• Policies
• Account logon events
• Account management
• Directory service access
• Logon events
• Object access
• Policy change
• Privilege use
• Process tracking
• System events
• Object level controls accessed through Advanced
  Security Properties
• Audit policy must be enabled in order for audited
  events to be recorded in the Security log

52
Sample Audit Detail
53
Auditing for Security

• Suspect events
• failed log on attempts
• repeated denied access to resource
• system reboots
• DumpEVT Export event logs to text files for use
  in scripts and databases - www.somarsoft.com
• As the amount of data gathered by auditing
  increases, so does need to employ IDS or a data
  mining tool to deal with the data load

54
Example Audit Schemes

• Random password attacks
• account logon events, logon events Failure
• Stolen passwords (must filter for abnormal
  activity)
• account logon events, logon events Success
• Misuse of admin privileges
• privilege use Success account management
  Success policy change Success system events
  Success
• Virus infection (track W for all .exe, .bat, and
  .dll)
• process tracking Success, Failure directory
  service access, object access Success, Failure
• Access to sensitive files (track R,W for suspect
  users/groups)
• directory service access, object access Success,
  Failure

55
Working with User Rights

• Review defaults of User Rights (see handout
  "User Rights")
• To increase security settings, make the following
  changes
• Allow Log on locally assigned only to
  Administrators on Servers
• Shutdown the System assigned only to
  Administrators, Power Users
• Access computer from network assigned to Users,
  revoke for Administrators and Everyone
• Restore files/directories revoke for Backup
  Operators
• Bypass traverse checking assigned to
  Authenticated Users, revoke for Everyone

56
Ownership

• Ownership grants a user Full Control over an
  object
• Ownership can be taken by users with
• Take Ownership of Files or Other Objects User
  Right
• NTFS object level Ownership permissions.
• Administrators and Domain Admins have this user
  right by default.
• Ownership can be assigned using subinacl (RK
  tool)
• subinacl /subdirectories c\winnt\profiles\.
  /setowneradministrator
• Ownership can be used to bypass any Deny setting.

57
NTFS Security

• Defined by object files, directories, printers
• Set by group or user for Allow or Deny
• Standard file settings
• Full Control (RXWDPO)Modify (RXWD)Read
  Execute (RX)List Folder Contents (dir only)
  (R)Read (R) Write (W)
• Always check defaults on new objects in regards
  tothe Everyone group
• Container rule - move vs. copy
• Inheritance is configurable,inheritance of
  permissionsand auditing is distinct

58
Share Permissions

• Permissions
• Full Control
• Change
• Read
• All permissions basedon Allow or Deny
• W2K new share Full Controlto Everyone
• W2K3 new share Read onlyto Everyone
• On objects Sharing tab
• Able to set maximumsimultaneous users
• Caching
• Allow/prevent caching
• Manual - Offline Files
• Automatic

59
Managing Permissions

• NTFS - All user specific and group membership
  permissions on the same resource are cumulative.
• Share - All user specific and group membership
  permissions on the same share are cumulative.
• Combining NTFS and Share Permissions
• Cumulative NTFS is compared to the cumulative
  Share - most restrictive applies
• Think of it as an ANDing function
• Deny always results in deny. Watch for conflicts
  caused by multi-group memberships.
• Grant permissions on as needed basis need to
  know or least privilege
• SystemTools DumpSec (www.systemtools.com)
• dumps permissions (ACLs) for file system,
  registry, shares and printers into a readable
  listbox format

60
Disk Quotas

• Disk quotas
• Configurable per volume
• Configurable per user
• Prevent file writing when limitation exceeded
• Space limitation and warning level in KB, MB, GB,
  TB, or PB
• Enable log events for quota limit reach or
  warning level reach
• Quota limits based on uncompressed file size
• More control and granularity through third-party
  quota solutions, such as Quota Advisor and
  Storage Central from www.sunbelt-software.com

61
Process Security

• Inherits parents Access Token
• Use Task Scheduler to launch tasks with any user
  account credentials
• Services can be launched with System or any user
  account credentials
• Once launched, access level of process cannot
  change
• Use RunAs to execute under another user security
  contents requires username and password. Use as
  command line or hold-shift then right-click over
  .exe for pop-up menu

62
Windows Kerberos Policy

• Trusted third-party Authentication protocol
  developed at MIT as part of Project Athena
• Kerberos V5
• Faster connections
• Mutual Authentication
• Delegated Authentication
• Simplified Trust Management
• Interoperability
• Defined at domain level controls Kerberos
  settings
• Implemented by domains Key Distribution Center
  (KDC)
• Stored as part of domain security policy(may
  only be set by Domain Admins)
• Windows attempts to use Kerberos first to
  authenticate user logons. If Kerberos fails, NTLM
  is attempted (if enabled)
• NTLM appears primarily for backward compatibility
  with non-Kerberos supporting Windows clients

63
Kerberos
Initial Logon
Service Request
KDC
KDC
Ticket-GrantingTicket
2
1
2
TGT
TGT
ST
Service Ticket
1
3
3
ST
TGT Cached Locally
Session Established
4
Windows 2000based Computer
Windows 2000based Computer
Target Server
64
Group Policy SettingsKerberos

• Enforce User Logon Restrictions
• Maximum Lifetime That a User Ticket Can Be
  Renewed
• Maximum Service Ticket Lifetime
• Maximum Tolerance for Synchronization of Computer
  Clocks
• Maximum User Ticket Lifetime

65
Disable LM Authentication

• W2K supports
• Kerberos
• Windows NT challenge/response v.2 (NTLM 2)
• Includes LM, NTLM 1, NTLM 2
• LM enabled by default Security Option LAN
  Manager authentication
• W2K3 supports
• Kerberos
• Windows NT challenge/response v.2 (NTLM 2)
• Includes LM, NTLM 1, NTLM 2
• LM disabled by default Security Option LAN
  Manager authentication, set to Send NTLM Response
  Only
• Windows 95, WfW, Macs, and OS/2 clients only
  support LM not NTLM
• Windows 98, SE, Me can be upgraded to support
  NTLM v2 with the Directory Services Client add-on
• Add NTLM 2 to W95/98 Q239869

66
Directory Services Client

• Active Directory Client Extensions for Windows
  95, Windows 98, and Windows NT Workstation 4.0
• Adds to client AD site awareness, W2K domain
  logon, Active Directory Service Interfaces, DFS
  client, WAB, and NTLM v2.
• Does not add Kerberos, Group policy or
  Intellimirror support, IPSec, L2TP, SPN, nor
  mutual authentication
• Windows 9x Active Directory client extension is
  distributed on the Windows 2000 CD
• Active Directory client extension for Microsoft
  Windows NT 4.0 (with SP6a Microsoft Internet
  Explorer 4.01 or higher) on MS Web site
• No version of Directory Services Client for
  Windows Me (Millennium)

67
Public Key Infrastructure 1/2

• PKI adds authentication encryption services to
  Windows
• How PKI Works
• PKI based on certificates managed by CA that
  verifies identity
• Public keys issued for widespread distribution
  private key stays with user
• Anyone can use the public key to encrypt only
  the holder of the private key can decrypt
• When a public key appears first, followed by a
  private key, this supports key exchange
• When a private key appears first, followed by a
  public key, this is a digital signature
• PKI thus provides both identification and
  authentication
• Numerous applications use Digital Certificates to
  provide security
• E-mail, Web, digital file signing, Smart Cards,
  IPSec, EFS recovery agent

68
Public Key Infrastructure 2/2

• PKI Components
• Certificate Services
• CryptoAPI CSPs provide crypto operations
  private key management
• Certificate stores to store manage certificates
• Certificate Services
• Process certificate requests
• Verify access qualifications for requesters
• Create issue certificates for qualified
  requesters
• Generate private keys and deliver to requesters
  protected store
• Manage private key cryptography services
• Distribute publish certificates for public
  access
• Manage certificate revocations
• Store certificate transactions for auditing
• Works through Certification Authority Console

69
EFS Issues 1/3

• EFS (Encryption File System) is built into
  Windows 2000, Windows XP, and Windows 2003 NTFS
• Encrypting boot and system files will cause
  problems if the system can even boot
• Issues when autoexec.bat is encrypted
• Users are unable to log on locally
• Remote resource access fails
• Resolution
• Decrypt
• Use Recovery Console to log on as Admin, delete
  file, then recreate
• Alter Registry to bypass autoexec.bat fie,
  delete, then recreate.
• EFS protects files on NTFS partitions, not when
  in transport over the network or when resident in
  system memory (i.e. in use by an application)

70
EFS Issues 2/3

• EFS works using a public key to encrypt files and
  a private key to decrypt files. If the private
  key is lost, the files cannot be decrypted
• A user can be designated as EFS recovery agents
  who can recover data after the private key of
  another user is lost
• Through secpol.msc a private key can be exported
  to removable media and deleted from the local
  system
• EFS cannot be used to encrypt system files, use
  alternatives PC Guardian's Encryption Plus for
  Hard Disks (EPHD)

71
EFS Issues 3/3

• EFS on Windows 2000 uses DESX for encryption. It
  can only decrypt using DESX.
• EFS Windows XP pre-SP1 use 3DES for encryption.
  It can decrypt using DESX or 3DES.
• EFS on Windows XP SP1 and Windows 2003 uses AES
  for encryption, by default. It can decrypt using
  DESX, 3DES, or AES.
• EFS Files Appear Corrupted When You Open Them
  KB329741
• Instructions on setting XP SP1 and 2003 to use
  3DES or DESX
• Do not change this setting if there are existing
  encrypted files
• Attempting to open AES encrypted files on Windows
  2000 or Windows XP pre-SP1 systems will corrupt
  the files resulting in data loss!

72
IPSec

• IP Security (aka IPSec)
• IETF standard security protocol (RFC 2411
  provides a roadmap to all related RFCs)
• Provides authentication and encryption
• AH (Authentication Header) integrity and
  authentication
• ESP (Encapsulating Security Payload) integrity,
  authentication, confidentiality - encryption
• Operates at layer 3 as a plug-in between
  transport (UDP or TCP) and network (IP and
  others) protocols
• Works with both IPv4 and IPv6
• Wide industry support, expected to become
  predominant VPN Internet standard
• Used with Layer 2 Tunneling Protocol (L2TP) for
  dial-up VPNs, uses by itself for
  network-to-network VPNs

73
IP Security (IPSec) Policies

• Construct IPSec policies using Windows Security
  Manager
• IPSec policies associate with default domain
  policy, default local policy, or customized
  policy
• Includes abilities to negotiate security services
  (called negotiation policies)
• IP filters let different policies apply to
  different computers, based on destination
  protocol
• To create IPSec policy
• Create a named Security Policy for some container
• Create negotiation policies
• Create IP filters, associate with negotiation
  policies

74
Locking Down Windows Systems

• The first steps to locking down Windows include
• Applying service packs
• Applying needed hot fixes and patches
• Apply security templates
• Testing for a secure configuration

75
Service Packs

• Hotfix - single issue, apply only if necessary
• Service Pack - cumulative patches fixes
• Re-installation of Service Pack not necessarily
  required after installing new drivers or software
  on Windows 2000/XP/2003 as was with Windows NT
• Windows 2000 SP4 see later slide
• Windows Server 2003 no service packs available
  as of 11/14/03, SP1 beta rumored to be in testing
  for release in late 2004

76
Windows 2003 SP1

• Due late 2004
• Will include numerous features and improvements
  from the Springboard project
• Springboard includes elements and components
  originally designed for Longhorn, for which
  Microsoft has accelerated release for Windows
  2003 and Windows XP
• Will include
• Roles based Security Configuration Wizard (SCW)
  to quickly configure new servers based on
  function or role
• Insecure network client isolation
• VPN quarantine
• Enterprise level protection features (yet
  unrevealed)

77
Windows 2003 Pre-SP1Security Issues 1/2

• 23 pre-SP1 hot fixes as of 5/11/2004
• MS04-015 Vulnerability in Help and Support
  Center Could Allow Remote Code Execution (840374)
• MS04-014 Vulnerability in the Microsoft Jet
  Database Engine Could Allow Code Execution
  (837001)
• MS04-012 Cumulative Update for Microsoft
  RPC/DCOM (828741)
• MS04-011 Security Update for Microsoft Windows
  (835732)
• MS04-007 ASN .1 Vulnerability Could Allow Code
  Execution (828028)
• MS04-006 Vulnerability in the Windows Internet
  Naming Service (WINS) Could Allow Code Execution
  (830352)
• MS04-003 Buffer Overrun in MDAC Function Could
  Allow Code Execution (832483)
• MS03-048 Cumulative Security Update for
  Internet Explorer (824145)

78
Windows 2003 Pre-SP1Security Issues 2/2

• MS03-045 Buffer Overrun in the ListBox and in
  the ComboBox Control Could Allow Code Execution
  (824141)
• MS03-044 Buffer Overrun in Windows Help and
  Support Center Could Lead to System Compromise
  (825119)
• MS03-043 Buffer Overrun in Messenger Service
  Could Allow Code Execution (828035)
• MS03-041 Vulnerability in Authenticode
  Verification Could Allow Remote Code Execution
  (823182)
• MS03-039 Buffer Overrun In RPCSS Service Could
  Allow Code Execution (824146)
• MS03-034 Flaw in NetBIOS Could Lead to
  Information Disclosure (824105)
• MS03-030 Unchecked Buffer in DirectX Could
  Enable System Compromise (819696)
• MS03-026 Buffer Overrun In RPC Interface Could
  Allow Code Execution (823980)
• MS03-023 Buffer Overrun In HTML Converter Could
  Allow Code Execution (823559)

79
Windows 2000 SP5

• Due late 2004, after Windows 2003 SP1 ships
• No reliable details on elements other than
  existing post-SP4 hot-fixes (17 as of 5/11/2004)
• MS03-022, MS03-023, MS03-026, MS03-034, MS03-039,
  MS03-041, MS03-042, MS03-043, MS03-044, MS03-045,
  MS03-049, MS04-006, MS04-007, MS04-008, MS04-011,
  MS04-012, MS04-014

80
Windows 2000 Service Pack 4

• Released Aug 2003 - generally stable
• Recommended for Windows 2000 Server and Pro
• Available on CD, through Windows Update, on
  Windows 2000 Web area
• SP4 includes 674 fixes (102 for security
  issues), see KB Q327194
• Note these are issues in addition to those in
  SP3 and earlier.
• Release notes for W2K SP4 813432
• SP4, like SP3, upgrades the system to use 128-bit
  encryption. If you uninstall SP4 (or SP3), the
  system will remain at 128-bit encryption.
• SP4 includes Internet Explorer 5.01 SP4 and
  Outlook Express 5.5 with SP2
• SP4 adds to Windows 2000 native 802.1x wireless
  networking support and native USB 2.0 support
• There are 14 post SP4 security issues as of March
  2004.

81
Known Issues with W2K SP4

• Local Security Policy Values Revert to the Values
  That Are Stored in SecEdit.sdb (KB827664)
• If you have Windows Update service disabled when
  you install SP4, the installation program
  re-enables Windows Update without notifying you.
• .Net Framework 1.0 programs won't run.
• Available hotfix or upgrade to .Net Framework 1.1
  (KB823845)
• Norton Internet Security 2001 is incompatible.
• Upgrade NIS (KB823087)
• Exchange Server can't start its Key Management
  Service.
• Workaround database defragmentation (KB818952)
• Other known issues KB 813432

82
Windows XP Service Pack 2

• To be released?? current rumor is July 2004
• Will require significant changes to an
  organizations deployment processes and
  configuration procedures
• New security and networking enforced defaults
  will cause numerous applications and services to
  fail, reconfiguration will be necessary
• RC1 of SP2 not stable enough for widespread
  deployment
• RC2 of SP2 due soon may be suitable for limited
  testing, I dont recommend production environment
  deployment of these test releases
• Sweeping changes to Windows XP
• Improved default security
• Improved ICF, RPC, DCOM, COM
• Better memory management and protection (i.e.
  buffer overflow)
• Improved IE, Outlook Express, Windows Messenger

83
Windows XP Service Pack 1a

• SP1a for Windows XP released on 2/3/2003
• There are 77 post SP1a security issues as of
  March 2004
• SP1a and SP1 are identical, except that the
  Microsoft VM (Java support) is removed from SP1a.
  
• Generally considered stable
• We recommend installation on all XP systems
• Updates XP systems with hotfixes released through
  mid-Aug 2003 (MS02-048)
• Includes IE 6 SP1 USB 2.0
• Does not include BlueTooth
• Known issues KB324722
• 57 post SP1a hot fixes as of 5/11/2004

84
Windows XPSecurity Rollup Package 1

• Released 10/14/2003
• As an interim release before SP2
• Contains 22 security related patches in a single
  installation package
• Includes security patches from SP1 through
  MS03-039
• KB826939

85
Working with Service Packs

• Review documentation and KB documents associated
  with Service Pack and/or hotfix before initiating
  installation.
• Need sufficient free space on boot partition, 3
  times size of SP, more if uninstall info is saved
• Move previous SP's uninstall directory from
  SystemRoot\NTServicePackUninstall\ to another
  safe location.
• Backup data, Registry, maybe entire system
• Reboot the system
• Terminate all applications, stop unneeded
  services, stop debugging, stop remote control
  sessions
• Disable Server service to prevent network access
  before starting SP/HF application
• Stop all third-party services requiring disk
  access, i.e. virus protection and
  defragmenters/optimizers

86
Managing SPs and HFs

• Service Pack presence visible through most
  HelpAbout screens from native utilities, WINVER
  tool
• Hotfix identification varies by hot-fix -
  typically run HOTFIX.EXE or view Hotfix Registry
  key for list
• Qfecheck management tool from Microsoft
• UpdateEXPERT SP and HF inventory and
  installation tool from Sunbelt Software
• HFNetChkPro from Shavlik Technologies
• http//www.shavlik.com/pHFNetChkPro.aspx
• All DCs should be maintained at same SP level,
  mixing can introduce problems
• Software Update Svcs (SUS) internalizes
  manages Windows Update for private networks
• Service packs for Windows 2000, XP, and 2003 can
  be slipstreamed for new installations or a
  pre-integrated installation CD may be available

87
Lockdown Tools 1/2

• Microsoft Baseline Security Analyzer (MBSA) 1.2
• GUI and command line tool
• Runs on Windows 2003/XP/2000 only, but will scan
  Windows NT 4.0, Windows 2003, Windows 2000,
  Windows XP, IIS 4.0, IIS 5.0, SQL 7.0, SQL 2000,
  IE 5.01, and Office 2000/2002/2003, more.
• Lists all necessary or applicable patches, fixes,
  or security settings for each detected OS and
  software.
• Each issue is scored
• Red X missing
• Yellow X possible vulnerability or reminder
  warning
• Green check verified secured setting or control
• Blue asterisks reminder or warning of possible
  vulnerability
• Blue information icon information about system
• Possible risk MBSA can create a plaintext
  report, with clever scripting a malicious user
  can create an automated attack tool based on the
  results.

88
Lockdown Tools 2/2

• MBSA was developed with Shavlik Technologies
• Commercial versions are available
• HFNetChkPro
• EnterpriseInspector
• Both are free for use on up to 10 workstations
  and 1 server
• www.shavlik.com
• HFNetChk
• command line tool which scans for installed
  hotfixes
• Excellent for scanning local and networked
  systems
• Does not download or install necessary patches
• CIS benchmark security tool
• Evaluates a Windows systems for compliance
  against pre-defined security benchmarks

89
Security Configuration and Analysis

• MMC snap-ins
• Security Configuration and Analysis
• Security Templates
• Used to customize Group Policies a.k.a. security
  templates.
• Several pre-defined security templates for
  client, server, and DC systems of basic,
  compatible, secure, and high security.
• Analyze current security state
• Impose a pre-defined or customized security
  template
• Create custom templates

90
Well-known Vulnerabilities

• Windows is at risk to a wide number of well-known
  and oft-exploited vulnerabilities.
• The following slides discuss many of these along
  with workarounds and countermeasures

91
Services and Security

• Only install necessary services
• Unbind unneeded protocols
• Candidate services to disable/remove
• Alerter Clipbook Server
• Computer Browser DHCP client
• Directory Replicator Messenger
• NetLogon Network DDE
• Plug and Play RPC locator
• Server SNMP Trap service
• Spooler TCP/IP NetBIOS Helper
• Telephony service Workstation
• Unnecessary services offer information gathering
  holes or access points
• Test service removal on non-production systems
• Sysinternals Process Explorer - displays DLL
  dependencies
• See the BlkViper Web site on removing/disabling
  services

92
SNMP Problems

• If using SNMP, remove or alter public default
  community
• Anyone with an SNMP browser can poll this
  community
• Snmputil from Resource Kit
• Snmputil walk ltIP addressgt public ltOIDgt
• OIDs identifies a specific branch in the MIB
• IP Browser from Solar Winds (www.cerberus-infosec.
  co.uk) offers GUI exploration of public community
• Dont deploy SNMP unless you use it

93
Raw Sockets

• Windows 2003, Windows XP, Windows 2000, UNIX, and
  Linux, support administrative or root only access
  to full raw sockets
• However, on stand-alone Windows XP Professional
  and Home systems, all local users are
  administrators by default
• Full raw sockets is a means by which the TCP/IP
  stack is bypassed to allow direct access to
  underlying network data transport
• Full raw sockets were originally designed as
  research tools, not for real-world OSes
• Full raw sockets allow spoofed IP addresses and
  SYN floods
• IEs defaults download and install software
  without users knowledge
• Use GRC.coms SocketToMe and SocketLock to detect
  and close down raw sockets to users and restrict
  it to SYSTEM access only

94
Enumeration UsingTelnet Client (1/2)

• Use any telnet client
• telnet ltdomain name or IPgt port
• Followed by pressing Enter several times
• Test common ports 80 (Web), 21 (FTP), 25 (SMTP),
  etc.
• Many services respond with error msg (a.k.a.
  banner) listing information about service on that
  port
• For example
• HTTP/1.1 400 Bad Request
• Server Microsoft-IIS/6.0
• Date Wed, 23 Aug 2000 161904 GMT
• Web server enumeration tool ID Serve from GRC
• http//grc.com/id/idserve.htm

95
Enumeration UsingTelnet Client (2/2)

• Protection
• remove default banners where possible
• check open ports with scanner (nmap)
• prevent remote Registry access
• Dont rely on obscurity as your only means of
  security
• IISs URLScan utility disables banners on any
  version of IIS by refusing invalid service
  requests. Knowledge Base 317741 - HOW TO Mask
  IIS Version Information from Network Trace and
  Telnet
• Avoid telnet service whenever possible, use
  secure alternatives such as remote control
  software (such as PCAnywhere), SSH (secure
  shell), or stunnel.

96
File Streaming

• A method for hiding executables
• Requires NTFSs POSIX capabilities and RK cp
  tool
• cp ltfilegt lthostfilegtltfilegtS
• Streamed files can be executed without extraction
  using
• Start lthostfilegtltfilegt
• Can be used on files and directories
• Great way for hackers to hide toolkits
• Locate streamed files with
• LADS Locate Alternate Data Streams
  www.heysoft.de/nt/ntfs-ads.htm
• Streams - www.sysinternals.com/misc.htm
• SANS warning http//www.sans.org/newlook/alerts/N
  TFS.htm
• If POSIX is removed/disabled, existing streams
  still function but no new streams possible.

97
Boot Partition Conversion Problem

• If Windows 2000 is installed onto FAT/FAT32
  formatted boot partition, then converted to NTFS
• Correct default security permissions not applied
  to files on boot partition
• Use SECEDIT tool to apply correct permissions
• Q237399
• If NT 4.0 was installed with SYSPREP, a bug
  prevents the Win2K upgrade from converting a FAT
  boot partition to NTFS
• Must manually convert drive, no other MS fix
• Q256917

98
51 IP Addresses

• A Windows 2000 Server as a domain server cannot
  support more than 51 IP addresses OOB
• Bug in Active Directory causes error
• Attempting to add 52nd address renders system
  unable to
• Authenticate users
• Launch and use administrative tools
• Limitation is per server, not per NIC
• Corrected in SP2
• Only workarounds
• add a second system
• use W2K as a non-domain controller

99
Administrative shares

• C, D,
• Hidden/system shares
• Accessed from any client on network
• Can be accessedover VPN, RAS,PPTP
• Only requireadmin nameand password

100
Hidden Systems

• NET CONFIG SERVER /HIDDENyesno
• Removes system from browse lists
• Prevents Server service from being tuned via the
  Network applet
• Disables auto-tuning
• To restore auto-tuning, edit the Registry and
  correct the entries in the LanmanServer
  Parameters section
• See KB 128167 321710 314498

101
Predefined accounts

• Administrator
• Can be renamed
• Requires non-blank password on Domain Controllers
• Cannot be locked out or disabled
• Cannot be deleted
• Password never expires
• Password cannot be stored with reversible
  encryption
• Smart card cannot be required
• Cannot be delegated
• DES cannot be used and Kerberos is required
• Guest
• Can be renamed
• Blank password by default
• Can be locked out and disabled
• Cannot be deleted
• Disabled by default
• Remember everyone knows these accounts exist

102
The IIS Accounts

• IUSR_computername
• Created by IIS for anonymous Web FTP access
• Log on Locally right
• Member of Guests and Domain Users (DCs only)
• Non-blank random password
• Access enabled by default
• Can be renamed, requires change in Active
  Directory Users and Computers as well as in both
  IISs Web and FTP server Properties
• Remove from Domain Users and Guests groups to
  force local and Web access only

103
SAM Deletion

• Deleting the \winnt\system32\config\sam file
  destroys all user accounts and assigns blank
  password to administrator
• Use only as last resort
• All domain and security settings related to uses
  and groups are destroyed

104
Replace Passwords

• Winternals Locksmith
• Used to replace user account password
• Works on any account, including Administrator
• Requires physical access
• Requires NTRecover or Remote Recover
• NTRecover allows data from one system to be moved
  across a serial cable to another system. The
  source system is booted with a floppy to bypass
  security or to recover a failed system.
• Winternals www.winternals.com
• Similar tool ntpasswd http//home.eunet.no/pnor
  dahl/ntpasswd/

105
Who is the Admin?

• List admins with
• NET GROUP "Domain Admins" /DOMAIN
• Get more details on each listed user with
• NET USER username /DOMAIN more
• Decoys are for external users
• Any valid user can exploit NetBIOS to extract
  information about users and systems

106
Administrator Decoy

• Rename real Administrator account with
  subtlenon-obvious name - avoid admin, sysop,
  root, master
• Create new decoy account named Administrator
  with simple password
• Remove all or most access privileges and group
  memberships
• Audit every action and logon attempt
• Consider creating fake confidential content to
  snag intruders long enough to be detected and
  located (I.e. a honeypot)
• Method only isolates Admin account from external
  intruders, Domain Admins can always discover
  accounts

107
Double Admin Accounts

• Each administrator needs two accounts
• Administrative account for management work
• Normal user account for daily work
• No two admins should ever share an account
• Restrict/Delegate each admin to his or her
  segment/resource responsibilities
• Only grant Admin access to trusted users
• Keep local Admins out of Domain Admins global
  group to control access levels
• Audit admin account activities
• Be pessimistic about offering admin access
• Revoke log on from network User Right for all
  admin accounts - requires physical presence at
  syst