
Securing Windows Networks

Security Advice From The Front Line


Presented by Robert Hensing PSS Security Incident Response Specialist

Agenda

- Revealing Hacker Personas
- Top Security Mistakes Everyone Seems To Make
- Securing Windows Networks
- Staying Secure
- Secure Windows Initiative
- Security Improvements in XP Service Pack 2

Revealing Hacker Personas

Overview: Revealing Hacker Personas

- Automated vs. Targeted Attacks
- Revealing Hacker Personas
  - Lame
  - Skilled
  - Sophisticated
- Why YOU Were Selected and How You Got 0wn3d

Hacker Personas

Automated Attacks
- Spreaders or scanners
- Sploit tools or autorooters
- Worms that drop bots or trojans

Targeted Attacks
- 0-day exploits
- Custom attacks that exploit weaknesses of your Internet presence

Hacker Personas

Lame: ~75% of all intrusions

- Motive: wants your storage and bandwidth
- Method: use of spreaders, bots, well-known exploits
- Abilities: limited high-level language ability
- Payload: usually FTP servers, backdoors disguised with a clever service name
  - "TCP/IP service" or "System Security service"
  - "Microsoft ISA Server Common Files service"

Hacker Personas

Skilled: ~24% of all intrusions?

- Motive: wants to explore your network and use your storage and bandwidth; wants to avoid discovery as much as possible
- Method: customized intrusion based on identified vulnerabilities for multiple operating systems or applications
- Abilities: advanced HLL, some ASM
- Payload: FTP servers, keyloggers, backdoors, sniffers, password dumpers

Hacker Personas

Sophisticated: < 1% of all intrusions?

- Motive: wants your money or your secret / confidential data
- Method: can customize the intrusion based on any number of identified vulnerabilities for a variety of operating systems and applications, possibly using 0-day exploits
- Abilities: advanced HLL, advanced ASM
- Payload: rootkits, a single backdoor DLL, extortion letter!

Hacker Personas

Why you were selected and how you got 0wn3d . . .

- Odds are great you were 0wn3d by a lamer
- You were easily identified as a Windows host through a simple port scan (no firewall)
- You are on a big fat pipe (possibly hosted)
- You have weak passwords or missing security patches due to a missing or ineffective security policy

Demonstration: Windows rootkit "Hacker Defender"

Top Security Mistakes Everyone Seems To Make

Top Security Mistakes

- Weak or non-existent password policy
- No audit policy
- Sporadic security patch policy
- Patching the OS, but not the apps
- Weak or non-existent firewall policy
  - No egress filtering
- No knowledge of securely building a new box, which leads to:
  - Hacked? Rebuild! Hacked again!?

How To End The Cycle of Violence

- Install from a slipstreamed source
  - Don't have one? Make one!
- Patch or enable a host-based firewall (or both), and only then connect to the network
- Don't reuse the previous admin password
  - Including the SQL SA password
- Don't share local admin passwords across OS installations
  - Leads to "exploit once, run everywhere"
- Patch the applications (SQL, IIS, Exchange, etc.)

Securing Windows Networks

Overview: Securing Windows Networks

- System Administrator Personas
- An example of what not to do
- Threats & Countermeasures: Pruning the Low-Hanging Fruit

System Admin Personas

- Default
- Skilled
- Sophisticated

System Admin Personas

Default

- Puts servers right on the Internet with no firewall
- Runs a couple of service packs behind (N-2) and doesn't know how to keep up to date with security patches
- No password policy
- No audit policy
- All default configurations and settings (all defaults, all the time)

System Admin Personas

Skilled

- Uses Internet IPs, but has router ACLs
- Latest OS SP, all OS critical updates; hasn't patched the applications in a while, if at all
- 6-character passwords with account lockouts
- Only audits logon events and monitors for account lockouts by checking event logs periodically
- Suspicious of default settings
- Performed some OS hardening by hand; didn't harden the applications, though

System Admin Personas

Sophisticated

- Uses a firewall with NAT and ingress / egress filtering
- Uses an IDS / IPS in the DMZ network
- Ensures critical security patches are tested and deployed within 24 hours, with a rollback plan
- 12-character passwords, not shared anywhere, no account lockout; may use 2-factor authN
- Audits everything, archives audit logs daily
- Hardened OS using security templates / Group Policy; hardened applications

What Not To Do . . .

- Configure your system with an Internet-routable IP address
- Run multiple applications / services on one box
  - Active Directory, IIS, SQL, Exchange, PCAnywhere, 3rd-party software
- Avoid installing patches
- Don't have a password policy
  - "What are the odds that someone would guess 666 is my admin password?"

If you do this, here's what the hackers see . . .

Threats: Low-Hanging Fruit

Overview

- NULL Session Enumeration
- Password / Account Lockout Attacks
- Password Hash Attacks
- Remote Code Execution Vulnerabilities
- Physical Attacks
- Unauthorized Network Access
- The VPN "firewall bypass" Server

Threat - NULL Session Enumeration

Understanding the NULL user

- A network connection, usually over NetBIOS TCP 139, in which no credentials have been passed
- A network token gets created on the server for the client, and the Everyone SID gets added to the token
- The token can now enumerate sensitive information using the Net* APIs that the Everyone SID has permissions to!

Countermeasures

- RestrictAnonymous=2
- Block access to TCP 139/445
- Stop the Server service
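The registry and service changes behind the first and third countermeasures, as an added example that is not part of the presentation. It assumes an elevated PowerShell prompt and the documented LSA value name `RestrictAnonymous`; the function names are ours. One caveat a practitioner should know: the value 2 is honored by Windows 2000 only; on Windows XP and Server 2003 the equivalent lockdown is `RestrictAnonymous=1` together with `RestrictAnonymousSAM=1` and `EveryoneIncludesAnonymous=0`, which the script sets when it detects a newer OS.

```powershell
# Added example (not from the presentation): check and apply the NULL-session
# countermeasures from the slide. Run from an elevated PowerShell prompt.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NullSessionPosture {
    # Report the LSA anonymous-access values and the Server (LanmanServer) state
    $p   = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictAnonymous        = if ($null -eq $p.RestrictAnonymous) { 0 } else { $p.RestrictAnonymous }
        RestrictAnonymousSAM     = $p.RestrictAnonymousSAM
        EveryoneIncludesAnonymous = $p.EveryoneIncludesAnonymous
        ServerService            = if ($svc) { $svc.Status } else { 'NotPresent' }
    }
}

function Set-NullSessionHardening {
    param([switch]$StopServerService)   # only if the box is not a file server
    $isWin2000 = [Environment]::OSVersion.Version.Major -eq 5 -and
                 [Environment]::OSVersion.Version.Minor -eq 0
    if ($isWin2000) {
        # Windows 2000: 2 removes the Everyone SID from anonymous tokens
        Set-ItemProperty -Path $lsa -Name RestrictAnonymous -Value 2 -Type DWord
    } else {
        # XP / 2003 and later: 2 is not supported; use the three-value form
        Set-ItemProperty -Path $lsa -Name RestrictAnonymous         -Value 1 -Type DWord
        Set-ItemProperty -Path $lsa -Name RestrictAnonymousSAM      -Value 1 -Type DWord
        Set-ItemProperty -Path $lsa -Name EveryoneIncludesAnonymous -Value 0 -Type DWord
    }
    if ($StopServerService) {
        # Third countermeasure: no Server service, no SMB named-pipe enumeration
        Stop-Service -Name LanmanServer -Force
        Set-Service  -Name LanmanServer -StartupType Disabled
    }
}

Get-NullSessionPosture        # before
Set-NullSessionHardening      # add -StopServerService on hosts that share nothing
Get-NullSessionPosture        # after (a reboot is needed for LSA to pick it up)
```

Blocking TCP 139/445 from untrusted networks (the second countermeasure) belongs on the perimeter or in the host firewall rather than in this script; the Windows Firewall example later in the deck shows the host side.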

Threat - Password Attacks / Account Lockout Attacks

- Any service that exposes authN protocols is at risk of password-guessing attacks
  - NetBIOS, SMB, RDP, IIS, FTP, etc.
- Use strong passwords instead of an account lockout policy (which only protects weak passwords)

Countermeasures

- Educate administrators and users on how to create strong passwords
- Block access to ports that allow authentication from unauthorized networks (i.e. the Internet) with a firewall or an IPSec port-filtering policy
- Shut down un-needed services (Server service, FTP service, etc.)

Threat - Password Hash Attacks

Online attacks

- Dumping password hashes from LSASS while the operating system is running
  - Pwdump*.exe, L0phtCrack 5

Countermeasures

- Require 2-factor authentication
- Prevent malicious code from running in the context of Administrator or SYSTEM
  - Since this attack requires elevated privileges, any steps taken to counter it can be undone by code running with those elevated privileges
  - Arriving at this point means your security posture has failed elsewhere and you have other security issues to deal with

Threat - Password Hash Attacks

Man-in-the-Middle attacks

- Sniffing shared-secret authentication exchanges based on a user's password between client and server (LM, NTLMv2, Kerberos)
- Everyone seems to think Kerberos solved the MITM password-cracking attack!
- It did not. Per the Kerberos v5 RFC: "Password guessing" attacks are not solved by Kerberos. If a user chooses a poor password, it is possible for an attacker to successfully mount an offline dictionary attack by repeatedly attempting to decrypt, with successive entries from a dictionary, messages obtained which are encrypted under a key derived from the user's password.

Threat - Password Hash Attacks

Man-in-the-Middle attacks

- Tools are available for LM/NTLM and Kerberos v5
  - ScoopLM / BeatLM / Kerbcrack / LC5
- Security Friday demonstrated NTLMv2 cracking at Black Hat on a 16-node Beowulf cluster in 2002!
- All researchers agree the solution is strong passwords!

Countermeasures

- Use 2-factor authentication on Windows 2000 and later networks
  - Allows the use of the PKINIT Kerberos extension, which replaces passwords with public/private keys for the initial TGT at logon
- Use strong passwords of 10 characters or more
- Use IPSec ESP to encrypt all network traffic
- Use 802.1x authentication to keep rogue users off your network

Threat - Password Hash Attacks

Assume password hashes will eventually be obtained, allowing:

- Brute-force attacks
- Dictionary attacks
- Hybrid attacks (use a dictionary word, then brute-force a few characters)
  - L0phtCrack 5 utilizes all these methods for cracking hashes
- Pre-computation attacks (rainbow tables): the latest craze . . .

Countermeasures

- Don't worry about your hashes being stolen; make them immune to reversing in any reasonable amount of time!
- Use 10-character or stronger complex passwords
  - Or better yet, pass-phrases! NT-based operating systems support 128-character pass-phrases
- Change them every 60 days or less
- Minimum time before a password can be changed: 1 day
- Number of previous passwords remembered: at least 24
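The policy numbers above translate directly into the built-in `net accounts` command. The following is an added example, not part of the presentation: it applies the slide's values to the local account database and adds a small pass-phrase check that a help desk can run; the function names are ours, and the three sample candidates are constructed.

```powershell
# Added example (not from the presentation): apply the slide's password policy
# with "net accounts" and read it back. Add /domain on a DC to set the domain
# policy instead of the local one. Password complexity itself is a Group
# Policy setting, so it is not set here.

function Set-SlidePasswordPolicy {
    # 10+ characters, 60-day maximum age, 1-day minimum age, 24 remembered,
    # and no lockout threshold: the slide argues for strong passwords instead
    # of lockout, which only protects weak ones and hands attackers a DoS.
    net accounts /minpwlen:10 /maxpwage:60 /minpwage:1 /uniquepw:24 /lockoutthreshold:never
}

function Test-Passphrase {
    param([string]$Candidate)
    # NT-based systems accept up to 128 characters; require 10 or more and at
    # least three of the four character classes.
    if ($Candidate.Length -gt 128 -or $Candidate.Length -lt 10) { return $false }
    $classes = 0
    foreach ($re in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Candidate -match $re) { $classes++ }
    }
    return ($classes -ge 3)
}

Set-SlidePasswordPolicy
net accounts                      # prints the effective policy for review

# Constructed candidates: the slide's "666", a pass-phrase, and a short one
'666', 'Correct horse battery staple!', 'Passw0rd' | ForEach-Object {
    '{0,-32} {1}' -f $_, (Test-Passphrase $_)
}
```

Only the pass-phrase passes: "666" and "Passw0rd" fail on length before the character-class check is reached, which is the point the slide makes about length mattering more than cleverness.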

Threat - Password Hash Attacks

[Chart: RainbowCrack password cracking effort vs. password length. Y axis: time to crack (days); X axis: password length, with 10 and 11 among the tick labels. Data points shown: subsecond for the shortest lengths, then 1.4 hours, 137 days, and 1,878 years; a horizontal "60 Day Passwords" line marks the change interval.]

Data from Microsoft calculations based on Philippe Oechslin's algorithms with a 1 Terabyte RainbowCrack database (research that is the basis for the new attack).

Threat - Remote Code Execution

- RCE vulnerabilities in exposed network services allow attackers to run code of their choice on a remote system
  - Stack & heap overflows
  - Integer under/overflows
  - Format string vulnerabilities

Countermeasures

- Disable unnecessary services
- Block unnecessary ports
- Install all critical security updates within 24 hours
- Write secure code
- Run critical services using the new built-in low-privileged accounts
- Compile C++ code with the VC7 compiler /GS switch
- Use behavioral blocking software
  - Sana Security products
- Use Intrusion Prevention Systems

Threat - Physical Attacks

- Assume the worst: physical theft of the machine

Countermeasures

- SYSKEY in mode 2 or 3
  - Key stored in your head (mode 2)
  - Key stored on a floppy (mode 3)
  - Protects password hashes with 128-bit symmetric encryption
  - Either mode prevents the Nordahl boot-disk attack
  - Also prevents the DS Restore Mode style attacks
- EFS
  - Can be used to encrypt sensitive information

Threat - Unauthorized Network Access

- Applies to both wired and wireless networks
- Unauthorized user connects to or associates with the network and receives an IP address
  - Starts scanning, enumerating and hacking

Countermeasure

- Use 802.1x to authenticate network clients before allowing them to use the network
  - Port-based authentication (requires supporting hardware infrastructure)

Threat - VPN Servers

- VPN servers usually allow users unfiltered access to the corporate intranet
- Users contaminate the intranet with malware they've collected while surfing the Internet (worms, etc.)

Countermeasure

- Employ a network quarantine solution
  - Quarantines VPN users in a DMZ network while the machine is checked for security policy compliance
  - After the machine passes the checks, packets are routed
  - If the machine fails the check, the connection is dropped

Countermeasures - Summary

- The vast majority of security threats can be fully mitigated by doing two things well:
  - Passwords
  - Security updates
- Design security into the solution from the beginning
  - Security should not be bolted on

Microsoft Solutions for Security

- Review the new Security Guidance Center
  - http://www.microsoft.com/security/guidance/default.mspx
- Windows 2000 Security Hardening Guide
  - http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/default.mspx
- Windows 2000 Solution for Securing Windows 2000 Server
  - http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx
- Windows Server 2003 Security Guide
  - http://go.microsoft.com/fwlink/?LinkId=14846
  - Covers environments running Win9x and later! This is our best solution for securing Windows networks!

Windows Server 2003 Security Guide

Theme

- Group Policy can be used to automate the application of security hardening and threat countermeasures through predefined security templates applied to GPOs
- Automated policy is applied as machines join the domain / are moved into organizational units
- The Windows 2000 and Windows Server 2003 Solutions for Security come with preconfigured, ready-to-deploy templates
  - Obviously you should test them before deploying them in a production environment
  - They WILL break something
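Because the templates will break something, test them against a representative machine before the GPO goes live. The following is an added example, not part of the presentation or of the security guides: it uses `secedit` to analyze a machine against a template and report every mismatch first, and applies the template only as a separate, deliberate step. The template and log paths are placeholders, and the function names are ours.

```powershell
# Added example (not from the presentation): dry-run a security template with
# "secedit /analyze" before "secedit /configure". Run elevated on a test box.
# Paths below are placeholders; point $template at a template from the guide.
$template = 'C:\Templates\MemberServerBaseline.inf'   # placeholder template
$db       = 'C:\Templates\baseline.sdb'               # working database
$analyze  = 'C:\Templates\analyze.log'
$apply    = 'C:\Templates\apply.log'

function Test-SecurityTemplate {
    # Analysis only: nothing on the machine changes. The log lists every
    # setting that differs between the template and the current state.
    secedit /analyze /db $db /cfg $template /log $analyze /quiet
    # Lines flagged "Mismatch" are exactly the settings the template would
    # alter; review these for anything an application on this box needs.
    Select-String -Path $analyze -Pattern 'Mismatch' |
        ForEach-Object { $_.Line.Trim() }
}

function Install-SecurityTemplate {
    # Apply for real. /overwrite discards earlier database contents so the
    # result reflects this template alone.
    secedit /configure /db $db /cfg $template /overwrite /log $apply /quiet
    Get-Content -Path $apply -Tail 20   # show the summary of what was applied
}

Test-SecurityTemplate        # read the mismatches, fix or accept each one
# Install-SecurityTemplate   # uncomment once the analysis looks right
```

Keep the analyze log with the change ticket: when the template does break something, the mismatch list tells you which setting to look at first, and the GPO-based rollout the deck recommends can be staged by OU using the same template file.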

Windows Server 2003 Security Guide

Provides 3 different security levels for the enterprise:

- Legacy Client (compatible with Win9x through XP)
- Enterprise Client (compatible with 2000 & XP only)
- High Security Client (compatible with 2000 & XP only)

Demonstration: Securing Windows servers using Group Policy

Staying Secure

Overview: Staying Secure

- Awareness
  - Security Alert Notification Services
- Vulnerability Assessment
- Patch Warfare (Thursday, Tutorial 6)
- Incident Response (Thursday, Tutorial 6)
  - Responding to Security Events


Staying Secure

Security Alert Notification Service

- Get e-mail alerts of Microsoft security bulletins for all Microsoft products
- Plain-text e-mail, PGP-signed with the MSRC PGP key
- http://www.microsoft.com/security/security_bulletin

Staying Secure

Vulnerability Assessment

- Microsoft Baseline Security Analyzer 1.2
  - Local or remote vulnerability & patch scanner
  - Scans for Windows, IE, IIS, SQL, MSDE, Exchange, Office, Commerce, BizTalk, SNA, and HIS vulnerabilities / patches
  - English, German, French or Japanese builds!

Staying Secure

MBSA Pros and Cons

Pros
- Free
- Great product coverage
- Agent-less

Cons
- Requires authentication with the remote machine and the Remote Registry and Server services
- Slow when scanning large networks
- No easy way to aggregate XML output

Staying Secure

3rd-party vulnerability assessment software

- ISS Internet Scanner / System Scanner
- Foundstone FoundScan
- Much more in-depth than MBSA 1.2

Secure Windows Initiative

Secure Windows Initiative

Microsoft's New Security Culture

- Started with Bill Gates' Trustworthy Computing memo
- Led to SD3+C
  - Secure by Design, Secure by Default, Secure in Deployment + Communications
- Windows Server 2003 is the first product to result from SWI; makes use of many Attack Surface Reductions (ASRs)

Secure Windows Initiative

Secure Windows Initiative: SD3+C

Secure by Design
- Code reviews
- Threat models
- IIS re-architecture
- $200M investment

Secure by Default
- 60% less attack surface area by default compared to Windows NT 4.0 SP3
- Services off by default
- Services run at lower privilege

Secure in Deployment
- Configuration automation
- Identity management
- Monitoring infrastructure
- Prescriptive guidance

Communications
- Community investment
- Architecture webcasts
- Writing Secure Code 2.0

Secure Windows Initiative

Does SWI work? Let's have a look . . .

- MS03-007: vulnerability exploited through IIS 5.0 + WebDAV
- WS2003 / IIS 6 not affected because:
  - IIS 6 is not installed by default
  - If it was installed, WebDAV is disabled by default
  - If WebDAV was enabled, IIS 6 rejects long URLs by default
  - If it didn't reject long URLs, the BO would occur in a low-privilege process, not a process running as SYSTEM

Secure Windows Initiative

Are there other examples?

- MS04-011 fixes 14 Windows vulnerabilities
- Of these 14, the LSASS and PCT vulnerabilities are critical on Windows 2000, and exploits were in the wild days after the patch was released!
- These vulnerabilities were rated as Low on Windows Server 2003. Why?
  - Attack Surface Reductions (ASRs) as a result of SWI
  - PCT is not enabled by default!
  - LSASS vulnerability not remotely exploitable by default!

Secure Windows Initiative

Want more? Coming soon:

- Secure Server Roles for Windows Server 2003
  - Task-based security wizard to further automate hardening of WS2003 server roles
- Windows XP Service Pack 2
  - The most secure consumer operating system to date!

Security Improvements in XP Service Pack 2

Security Improvements in XP SP2

Overview

- Network Protection Technologies
- Memory Protection Technologies
- Safer E-Mail
- Safer Browsing
- Windows Installer 3.0

Network Protection Technologies

- Alerter & Messenger GONE! (Okay, disabled)
- Universal Plug & Play also disabled by default
- Bluetooth network stack included by default
  - Disabled unless a WHQL Bluetooth device is present

Network Protection Technologies

DCOM locked down by default!

- Previously, there was no way for administrators to enforce a machine-wide access policy for all DCOM applications
  - XP has over 150 DCOM servers out of the box!
  - Many DCOM applications have weak Launch and Access permissions that allow anonymous remote activation / access!
  - Administrators had no way to centrally manage / override these settings!

Network Protection Technologies

DCOM solution: a machine-wide access check is performed before any server-specific access checks

- Starting with XP SP2, only administrators can remotely launch / activate DCOM servers!
- Everyone is granted local launch, activation and call permissions

Network Protection Technologies

RPC locked down by default (RPC Interface Restriction)

- Previously, RPC interfaces were wide open for anonymous access
- SP2 adds the RestrictRemoteClients setting and enables it by default
  - Requires all remote RPC clients to authenticate
  - The EPM (endpoint mapper) now requires authN
  - Must set EnableAuthEpResolution to 1 on clients to get the EPM working again
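The two settings named above live under the RPC policy key, and the pairing matters: a server tightened with `RestrictRemoteClients` breaks endpoint-mapper lookups from clients that have not set `EnableAuthEpResolution`. The following is an added example, not part of the presentation: it sets each side explicitly and reads the result back. It assumes the documented policy key `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc` and the three documented `RestrictRemoteClients` levels (0 none, 1 default, 2 high); the function names are ours.

```powershell
# Added example (not from the presentation): XP SP2 RPC interface restriction,
# server side and client side. Run elevated; a reboot is required afterwards.
$rpcPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'

function Set-RpcRestriction {
    param(
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Role,
        [ValidateSet(1, 2)][int]$Level = 1   # 1 = default (exemptions allowed), 2 = high
    )
    if (-not (Test-Path $rpcPolicy)) {
        New-Item -Path $rpcPolicy -Force | Out-Null
    }
    switch ($Role) {
        'Server' {
            # Anonymous remote RPC is rejected; level 2 also removes the
            # per-interface exemptions that level 1 still honours
            Set-ItemProperty -Path $rpcPolicy -Name RestrictRemoteClients -Value $Level -Type DWord
        }
        'Client' {
            # Without this, the client asks the EPM anonymously and the
            # restricted server answers with "endpoint not registered"
            Set-ItemProperty -Path $rpcPolicy -Name EnableAuthEpResolution -Value 1 -Type DWord
        }
    }
}

function Get-RpcRestriction {
    # Missing values show as empty, which means "SP2 default" (1) on a
    # fresh SP2 box and "wide open" on anything older
    Get-ItemProperty -Path $rpcPolicy -ErrorAction SilentlyContinue |
        Select-Object RestrictRemoteClients, EnableAuthEpResolution
}

Set-RpcRestriction -Role Server -Level 1
Set-RpcRestriction -Role Client           # every machine that must reach this server's EPM
Get-RpcRestriction
```

Roll the client setting out (for example through the same GPO) before raising the server level, otherwise the symptom is RPC applications that suddenly cannot find their endpoints rather than an obvious access-denied error.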

Network Protection Technologies

Windows Firewall (the software formerly known as ICF)

- Boot-time security
- On by default for all interfaces; global configuration (all interfaces can share the same configuration)
- Local subnet restriction
- Command-line support (via netsh) for scriptomatic configuration (think logon scripts)
- On with no exceptions
- Exception list
- Multiple profiles
- RPC support
- Restore defaults
- Unattended setup for OEMs
- Multicast / broadcast support
- New and improved Group Policy configuration (via System.adm)
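The "scriptomatic" configuration the slide mentions uses the `netsh firewall` context that ships with XP SP2. The following is an added example, not part of the presentation: a logon-script-style sequence that first turns the firewall on with no exceptions (the posture to hold until a fresh box is patched), enables dropped-packet logging, and then opens a single port to the local subnet only, exercising the "local subnet restriction" feature. The port choice (RDP, TCP 3389) and the log path are constructed for the example; the function names are ours.

```powershell
# Added example (not from the presentation): scripting the XP SP2 Windows
# Firewall with the "netsh firewall" context. Run elevated; applies to all
# profiles so the settings hold whether the box is on the domain or not.

function Set-BaselineFirewall {
    # "On with no exceptions": every inbound connection is dropped, which is
    # also the right state while an unpatched box is first put on the wire.
    netsh firewall set opmode mode=enable exceptions=disable profile=all
    # Log dropped packets so the "lamer" scanning you becomes visible.
    netsh firewall set logging filelocation=C:\pfirewall.log maxfilesize=4096 droppedpackets=enable
}

function Enable-SubnetOnlyRdp {
    # Re-enable the exception list, then add one entry that is reachable from
    # the local subnet only: the Internet never sees TCP 3389 on this host.
    netsh firewall set opmode mode=enable exceptions=enable profile=all
    netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop (subnet only)" mode=enable scope=subnet profile=all
}

function Get-FirewallSummary {
    # Full configuration dump, useful as the "after" record in a change ticket
    netsh firewall show config
}

Set-BaselineFirewall
Enable-SubnetOnlyRdp
Get-FirewallSummary
```

`scope=subnet` is the per-exception form of the slide's local subnet restriction; `scope=custom addresses=...` narrows it to a management network instead, which is the better choice for anything other than a workstation.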

Memory Protection Technologies

Introducing Data Execution Protection (NX)

- Buffer overflows usually place shellcode on the stack or in the heap and cause execution to jump to this location
- NX marks areas of the stack / heap as non-executable, preventing this mal-code from running
  - User-mode apps that attempt to run code there will AV
  - Kernel-mode drivers that attempt to run code there will bluescreen
- Supported on AMD64, IA64 and forthcoming x64 Intel CPUs, for both 32-bit and 64-bit Windows XP

Memory Protection Technologies

/GS

- Stack-based buffer overflow protection
- Places a canary value on the stack before / after stack allocations
- The value is checked when values are read from the stack, to make sure the stack hasn't been overwritten
- If the canary value has changed, the process crashes instead of allowing the code to execute

Safer E-Mail

- Outlook Express will read all e-mail as plain text by default
  - Blocks HTML e-mail exploits
- Don't download external HTML content
  - If you choose to render HTML e-mail, external HTML is not rendered / downloaded
  - Blocks web bugs, etc.
- AES API (Attachment Execution Service)
  - Apps no longer have to roll their own attachment-handling code (can be shared by IM, e-mail, etc.)

Safer Browsing

Internet Explorer

- Add-On Management / Crash Protection
- Binary Behaviors locked down now
  - Option appears in each zone for configuring
- ActiveX security model now applied to URL binding
  - BindToObject mitigation
- Microsoft Java VM can be disabled per zone
- Local Machine Zone lockdown
  - All local files / content processed by IE run in the LMZ
  - No ActiveX objects allowed
  - Scripts set to Prompt
  - Binary Behaviors disallowed
  - No Java!

Safer Browsing

Internet Explorer

- Improved MIME handling
  - 4 different checks performed (file extension, Content-Type / Content-Disposition from the header, and MIME sniff)
- Object caching / scope
  - Objects lose scope when browsing to a different domain / FQDN
  - Sites can no longer access cached objects from other sites
- POP-UP BLOCKER!!!!!
- "Never trust content from Publishername"
- One prompt per control per page
  - Endless loop attack

Safer Browsing

Internet Explorer

- Authenticode dialog box supports ellipses
  - Annoying ActiveX controls with overly long descriptions can now be viewed
  - Prevents UI spoofing attacks
- Window restrictions
  - Script sizing / repositioning restrictions
  - Prevents scripts from moving windows to hide URL bars / status bars, etc.
- Status bar always visible
  - Scripts can no longer disable it

Safer Browsing

Internet Explorer

Script pop-up window placement: pop-ups are now constrained so that they:

- Do not extend above the top or below the bottom of the parent Internet Explorer Web Object Control (WebOC) window
- Are smaller in height than the parent WebOC window
- Overlap the parent window horizontally
- Stay with the parent window if the parent window moves
- Appear above their parent so other windows (such as a dialog box) cannot be hidden

Mitigates chromeless window attacks

Safer Browsing

Internet Explorer

Zone Elevation blocks

- Internet Explorer prevents the overall security context for any link on a page from being higher than the security context of the root URL
- Scripts cannot navigate from the Internet Zone to the Local Machine Zone, AND the Local Machine Zone is locked down by default now, even if it could happen!
- Zone Elevation attacks are one of the most exploited IE attack vectors

Windows Installer 3.0

- SUS 2.0 will utilize MSI 3.0
- Improved inventory functions across user and installation contexts
- Support for binary delta compression
  - Makes patches smaller / quicker to download
- Patch sequencing
  - Authors can provide an explicit installation order
- Supports WinHTTP (vs. WinInet) for web downloads
- No longer interactive
  - Runs as SYSTEM; interactive SYSTEM services can be shattered

Demonstration (time permitting)

- Out of Box Experience
- Automatic Updates
- Security Center
- Windows Firewall
- RPC Hardening
- Internet Explorer Add-ons Manager

So are we there yet?

We're getting there, stay tuned . . .

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
