Agenda
Revealing Hacker Personas
Top Security Mistakes Everyone Seems To Make
Securing Windows Networks
Staying Secure
Secure Windows Initiative
Security Improvements in XP Service Pack 2
Hacker Personas
Automated Attacks
Spreaders or scan / sploit tools, or autorooters
Worms that drop bots or Trojans
0-day exploits
Custom attacks that exploit weaknesses of your Internet presence
Targeted Attacks
Hacker Personas
Motive: Wants your storage and bandwidth
Method: Use of spreaders, bots, well-known exploits
Abilities: Limited high-level language ability
Payload: Usually FTP servers, backdoors disguised under a clever service name, e.g. "TCP/IP service", "System Security service" or "Microsoft ISA Server Common Files service"
Hacker Personas
Motive: Wants to explore your network and use your storage and bandwidth; wants to avoid discovery as much as possible
Method: Customized intrusion based on identified vulnerabilities for multiple operating systems or applications
Abilities: Advanced HLL, some ASM
Payload: FTP servers, keyloggers, backdoors, sniffers, password dumpers
Hacker Personas
Motive: Wants your money or your secret / confidential data
Method: Can customize intrusion based on any number of identified vulnerabilities for a variety of operating systems and applications, possibly using 0-day exploits
Abilities: Advanced HLL, advanced ASM
Payload: Rootkits, a single backdoor DLL, extortion letter!
Hacker Personas
Odds are great you were 0wn3d by a lamer:
You were easily identified as a Windows host through a simple port-scan (no firewall)
You are on a big fat pipe (possibly hosted)
You have weak passwords or missing security patches due to a missing or ineffective security policy
Demonstration
Windows Rootkit Hacker Defender
Weak or non-existent password policy
No audit policy
Sporadic security patch policy
Patching the OS, but not the apps
Weak or non-existent firewall policy
No egress filtering
Patch or enable a host-based firewall (or both), and only then connect to the network
Don't reuse the previous admin password
System Administrator Personas
An example of what not to do
Threats & Countermeasures
Pruning The Low Hanging Fruit
Default
Puts servers right on the Internet with no firewall
Runs a couple of service packs behind (N-2) and doesn't know how to keep up to date with security patches
No password policy
No audit policy
All default configurations and settings (all defaults, all the time)
Skilled
Uses Internet IPs, but has router ACLs
Latest OS SP and all OS critical updates, but hasn't patched the applications in a while, if at all
6-character passwords with account lockouts
Only audits logon events and monitors for account lockouts by checking event logs periodically
Suspicious of default settings
Sophisticated
Uses a firewall with NAT and ingress / egress filtering
Uses an IDS / IPS in the DMZ network
Ensures critical security patches are tested and deployed within 24 hours, with a rollback plan
12-character passwords, not shared anywhere, no account lockout, may use 2-factor authN
Audits everything, archives audit logs daily
Hardened OS using security templates / group policy, hardened applications
What Not To Do . . .
Configure your system with an Internet-routable IP address
Run multiple applications / services on one box
What are the odds that someone would guess 666 is my admin password?
NULL Session Enumeration
Password / Account Lockout Attacks
Password Hash Attacks
Remote Code Execution Vulnerabilities
Physical Attacks
Unauthorized Network Access
The VPN firewall bypass Server
A network connection, usually over NetBIOS (TCP 139), in which no credentials have been passed. A network token is created on the server for the client, and the Everyone SID is added to that token.
That token can now enumerate, via the Net* APIs, any sensitive information the Everyone SID has permissions to!
Countermeasures
Any service that exposes authN protocols is at risk of password-guessing attacks:
NetBIOS, SMB, RDP, IIS, FTP etc.
Use strong passwords instead of an account lockout policy (which only protects weak passwords)
Countermeasures
Block access to ports that allow authentication from unauthorized networks (i.e. the Internet) with a firewall or an IPSec port filtering policy
Shut down un-needed services (Server service, FTP service etc.)
Online attacks
Dumping password hashes from LSASS while the operating system is running
Pwdump*.exe, L0phtCrack 5
Countermeasure
Require 2-factor authentication
Prevent malicious code from running in the context of Administrator or SYSTEM
Since this attack requires elevated privileges, any steps taken to counter it can be undone by code running with those same elevated privileges
Arriving at this point means your security posture has failed elsewhere and you have other security issues to deal with
Sniffing shared-secret authentication exchanges based on a users password between client / server (LM, NTLMv2, Kerberos)
Didn't Kerberos solve this? It did not, per the Kerberos v5 RFC: "Password guessing" attacks are not solved by Kerberos. If a user chooses a poor password, it is possible for an attacker to successfully mount an offline dictionary attack by repeatedly attempting to decrypt, with successive entries from a dictionary, messages obtained which are encrypted under a key derived from the user's password.
Countermeasures
Allow the use of the PKINIT Kerberos extension, which replaces passwords with public/private keys for the initial TGT at logon
Use strong passwords of 10 characters or more
Use IPSec ESP to encrypt all network traffic
Use 802.1x authentication to keep rogue users off your network
Hybrid attacks (use a dictionary word, then brute-force a few chars)
L0phtCrack 5 utilizes all these methods for cracking hashes
Countermeasures
Don't worry about your hashes being stolen; make them immune to reversing in any reasonable amount of time!
Use 10-character or stronger complex passwords
Or better yet, pass-phrases! NT-based operating systems support 128-character pass-phrases
Change them every 60 days or less
Minimum time before a password can be changed: 1 day
Number of previous passwords remembered: at least 24
[Chart: time to recover a password from its hash vs. password length. Values shown on the chart: Subsecond, Subsecond, Subsecond, 1.4 Hours, 137 Days; the length axis is labelled up to 10 and 11; a reference line marks 60 Day Passwords.]
Data from Microsoft calculations based on Philippe Oechslin's algorithms with a 1 Terabyte RainbowCrack database (research that is the basis for the new attack).
RCE vulnerabilities in exposed network services allow malicious attackers to run code of their choice on a remote system
Countermeasures
Disable unnecessary services
Block unnecessary ports
Install all critical security updates within 24 hours
Write secure code
Run critical services using the new built-in low-privileged accounts
Compile C++ code with the VC7 compiler /GS switch
Use behavioral blocking software
SYSKEY in mode 2 or 3
Protects password hashes with 128-bit symmetric encryption
Either mode prevents the Nordahl boot-disk attack
Also prevents the DS Restore mode style attacks
EFS
Applies to both wired and wireless networks
Unauthorized user connects to or associates with the network and receives an IP address
Starts scanning, enumerating and hacking
Countermeasure
Use 802.1x to authenticate network clients before allowing them to use the network
Port-based authentication (requires supporting hardware infrastructure)
VPN servers usually allow users un-filtered access to the corporate intranet
Users contaminate the intranet with malware they've collected while surfing the Internet (worms, etc.)
Countermeasure
Quarantine VPN users in a DMZ network while the machine is checked for security policy compliance
After the machine passes the checks, packets are routed
If the machine fails a check, the connection is dropped
Countermeasures - Summary
The vast majority of security threats can be fully mitigated by doing two things well:
Passwords
Security updates
Design security into the solution from the beginning
http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/default.mspx
Windows 2000 Solution for Securing Windows 2000 Server
Windows Server 2003 Security Guide
http://go.microsoft.com/fwlink/?LinkId=14846
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx
Covers environments running Win9x and later! This is our best solution for securing Windows networks!
Theme
Group Policy can be used to automate the application of security hardening and threat countermeasures through predefined security templates applied to GPOs
Automated policy is applied as machines join the domain / are moved into organizational units
The Windows 2000 and Windows Server 2003 Solutions for Security come with preconfigured ready to deploy templates
Obviously you should test them before deploying them in a production environment They WILL break something
Legacy Client (compatible with Win9x through XP)
Enterprise Client (compatible with 2000 & XP only)
High Security Client (compatible with 2000 & XP only)
Demonstration
Securing Windows Servers using Group Policy
Staying Secure
Awareness
Security Alert Notification Services
Vulnerability Assessment
Patch Warfare (Thursday, Tutorial 6)
Incident Response (Thursday, Tutorial 6)
Staying Secure
Get e-mail alerts of Microsoft security bulletins for all Microsoft products
Plain-text e-mail, PGP signed with the MSRC PGP key
http://www.microsoft.com/security/security_bulletin
Staying Secure
Vulnerability Assessment
Microsoft Baseline Security Analyzer 1.2
Local or remote vulnerability & patch scanner
Scans for Windows, IE, IIS, SQL, MSDE, Exchange, Office, Commerce, Biztalk, SNA, and HIS vulnerabilities / patches
Staying Secure
Pros
Free
Great product coverage
Agent-less
Cons
Requires authentication with the remote machine and the Remote Registry and Server services
Slow when scanning large networks
No easy way to aggregate XML output
Staying Secure
Secure By Design, Secure By Default, Secure in Deployment + Communications
Windows Server 2003 is the first product to result from SWI and makes use of many Attack Surface Reductions (ASRs)
Secure by Default
Configuration automation
IIS re-architecture
Threat models
Identity management
$200M investment
Monitoring infrastructure
Prescriptive guidance
60% less attack surface area by default compared to Windows NT 4.0 SP3
Services off by default
Services run at lower privilege
Community investment
Architecture webcasts
Writing Secure Code 2.0
Communications
Does SWI work? Let's have a look . . .
MS03-007, a vulnerability exploited through IIS 5.0 + WebDAV
WS2003 / IIS 6 not affected because:
Even if WebDAV were enabled, IIS 6 rejects long URLs by default
Even if it didn't reject long URLs, the buffer overflow (BO) would occur in a low-privilege process, not a process running as SYSTEM
Are there other examples? MS04-011 fixes 14 Windows vulnerabilities
Of these 14, the LSASS and PCT vulnerabilities are critical on Windows 2000, and exploits were in the wild days after the patch was released!
On WS2003: PCT is not enabled by default! The LSASS vulnerability is not remotely exploitable by default!
Task-based security wizard to further automate hardening of WS2003 server roles
The most secure consumer operating system to date!
Overview
Network Protection Technologies
Memory Protection Technologies
Safer E-Mail
Safer Browsing
Windows Installer 3.0
Universal Plug & Play also disabled by default
Bluetooth disabled unless a WHQL Bluetooth device is present
Previously, no way for administrators to enforce machine-wide access policy for all DCOM applications
XP has over 150 DCOM servers OOB!
Many DCOM applications have weak Launch and Access permissions that allow anonymous remote activation / access!
Administrators had no way to centrally manage / override these settings!
DCOM Solution: Machine-wide access check performed before any server-specific access checks are performed.
Starting with XP SP2, only administrators can remotely launch / activate DCOM servers!
Everyone is granted local launch, activation and call permissions
Previously, RPC interfaces were wide open to anonymous access
SP2 adds the RestrictRemoteClients setting and enables it by default
Requires all remote RPC clients to authenticate
Must set EnableAuthEpResolution to 1 on clients to get the Endpoint Mapper (EPM) working again
Boot-time security
On by default for all interfaces, global configuration (all interfaces can share the same configuration)
Local subnet restriction
Command-line support (via netsh) for scriptomatic configuration (think logon scripts)
On with no exceptions
Exception list
Multiple profiles
RPC support
Restore defaults
Unattended setup for OEMs
Multicast / broadcast support
New and improved Group Policy configuration (via System.adm)
Buffer overflows usually place shellcode on the stack or in the heap and cause execution to jump to that location
NX marks areas of the stack / heap as non-executable, preventing this mal-code from running
Usermode apps that attempt to run code from such pages will AV
Kernelmode drivers that attempt to run code from such pages will bluescreen
Supported on AMD64, IA64 and forthcoming x64 Intel CPUs, for both 32-bit and 64-bit Windows XP
/GS
Stack-based buffer overflow protection
Places a canary value on the stack before / after stack allocations
The value is checked before saved values are read back from the stack, to make sure the stack hasn't been overwritten
If the canary value has changed, the process crashes instead of allowing the injected code to execute
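To make the /GS idea concrete, here is an added example (not from the deck and not the VC7 compiler's actual implementation): a constructed struct models a stack frame with a fixed-size local buffer, a cookie directly above it and a stand-in for the saved return address above that. An unchecked copy of an over-long input runs through the cookie on its way to the return slot, so checking the cookie catches the overwrite before the corrupted return address would be used; the bounded copy beside it shows the fix that keeps the cookie from ever being reached. The frame layout, the constant cookie value (the real /GS cookie is randomized per process) and the sample inputs are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a /GS-protected stack frame (constructed for this example, not the
 * real VC7 layout): the local buffer sits lowest, the cookie directly above it,
 * the saved return address above that. An overrun of buf must pass through the
 * cookie before it can reach saved_return. */
#define BUF_SIZE 16u
#define CANARY_VALUE 0xA5C3E1F7u  /* constant here; /GS uses a per-process random cookie */

struct frame {
    char     buf[BUF_SIZE];
    uint32_t canary;
    uint32_t saved_return;        /* stand-in for the real return address */
};

#define RETURN_PLACEHOLDER 0x00401000u  /* constructed, not a real address */

/* Unprotected copy: the caller's length is trusted, as with a raw strcpy/memcpy
 * of untrusted input. The write goes through a pointer to the whole frame (buf
 * is at offset 0) and is clamped to sizeof(frame) so the model stays within
 * defined behaviour while still overrunning buf. */
static void copy_unchecked(struct frame *f, const char *in, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((char *)f, in, len);
}

/* The /GS epilogue check: 1 if the cookie is untouched, 0 if an overflow reached
 * it (where the real check would terminate the process rather than return
 * through the overwritten address). */
static int gs_check(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

static void fill_frame(struct frame *f, const char *in, size_t len)
{
    memset(f, 0, sizeof *f);
    f->canary = CANARY_VALUE;
    f->saved_return = RETURN_PLACEHOLDER;
    copy_unchecked(f, in, len);
}

/* Run one input through the unchecked copy; 1 = cookie survived, 0 = clobbered. */
int canary_intact_after(const char *in, size_t len)
{
    struct frame f;
    fill_frame(&f, in, len);
    return gs_check(&f);
}

/* Did the same input also reach the return slot? 1 = yes. Shows what an
 * unprotected function would have returned through. */
int return_slot_clobbered_after(const char *in, size_t len)
{
    struct frame f;
    fill_frame(&f, in, len);
    return f.saved_return != RETURN_PLACEHOLDER;
}

/* The hardened form: bound the copy to the buffer so the cookie is never reached
 * and the /GS check is a backstop, not the only defence. Returns 1 if the input
 * was accepted, 0 if it was rejected as too long. */
int copy_bounded(char dst[BUF_SIZE], const char *in, size_t len)
{
    if (len >= BUF_SIZE)          /* leave room for the terminator */
        return 0;
    memcpy(dst, in, len);
    dst[len] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that overruns buf by 8 bytes. */
    const char ok[] = "hello";
    char bad[24], dst[BUF_SIZE];
    memset(bad, 'A', sizeof bad);

    printf("5-byte input : canary intact = %d\n", canary_intact_after(ok, 5));
    printf("24-byte input: canary intact = %d, return slot hit = %d\n",
           canary_intact_after(bad, sizeof bad),
           return_slot_clobbered_after(bad, sizeof bad));
    printf("bounded copy accepts 24 bytes = %d\n", copy_bounded(dst, bad, sizeof bad));
    return 0;
}
```

A 17-byte input already trips the check (it touches the first cookie byte) without reaching the return slot, which is the whole point of placing the cookie between the locals and the return address.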
Safer E-Mail
Blocks HTML e-mail exploits
If you choose to render HTML e-mail, external HTML is not rendered / downloaded
Blocks web bugs etc.
Apps no longer have to roll their own attachment handling code (can be shared by IM, e-mail etc.)
Safer Browsing
Internet Explorer
BindToObject mitigation
ActiveX security model now applied to URL binding
An option appears in each zone for configuring it
Microsoft Java VM can be disabled per zone
Local Machine Zone lockdown:
No ActiveX objects allowed
Scripts set to Prompt
Binary Behaviors disallowed
No Java!
Safer Browsing
Internet Explorer
4 different checks performed (file extension, Content-Type and Content-Disposition from the header, and MIME sniff)
Objects lose scope when browsing to a different domain / FQDN
Sites can no longer access cached objects from other sites
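The consistency check behind those four indications, as an added example (not code from the deck or from Internet Explorer): the name (from the URL or the Content-Disposition filename), the declared Content-Type and a sniff of the leading bytes are each mapped to a type, and the content is accepted as that type only when every indication that says something agrees. The recognised types, signatures and sample inputs are constructed for the example; a real attachment manager carries a much larger table.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp / strncasecmp (POSIX) */

/* The handful of types this example recognises (constructed list). */
enum ftype { T_UNKNOWN = 0, T_HTML, T_GIF, T_PNG, T_JPEG, T_EXE };

/* Indication 1: the file extension, taken from the URL or from the
 * Content-Disposition filename. */
static enum ftype type_from_name(const char *name)
{
    const char *dot = name ? strrchr(name, '.') : NULL;
    if (!dot) return T_UNKNOWN;
    if (!strcasecmp(dot, ".htm") || !strcasecmp(dot, ".html")) return T_HTML;
    if (!strcasecmp(dot, ".gif"))  return T_GIF;
    if (!strcasecmp(dot, ".png"))  return T_PNG;
    if (!strcasecmp(dot, ".jpg") || !strcasecmp(dot, ".jpeg")) return T_JPEG;
    if (!strcasecmp(dot, ".exe"))  return T_EXE;
    return T_UNKNOWN;
}

/* Indication 2: the declared Content-Type. Parameters such as "; charset=..."
 * are ignored; application/octet-stream declares nothing useful (T_UNKNOWN). */
static enum ftype type_from_content_type(const char *ct)
{
    static const struct { const char *mime; enum ftype t; } table[] = {
        { "text/html", T_HTML }, { "image/gif", T_GIF }, { "image/png", T_PNG },
        { "image/jpeg", T_JPEG }, { "application/x-msdownload", T_EXE },
    };
    if (!ct) return T_UNKNOWN;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        size_t n = strlen(table[i].mime);
        if (!strncasecmp(ct, table[i].mime, n) &&
            (ct[n] == '\0' || ct[n] == ';' || ct[n] == ' '))
            return table[i].t;
    }
    return T_UNKNOWN;
}

/* Indication 3: a MIME sniff of the leading bytes using well-known signatures. */
static enum ftype type_from_sniff(const unsigned char *b, size_t n)
{
    if (n >= 8 && memcmp(b, "\x89PNG\r\n\x1a\n", 8) == 0) return T_PNG;
    if (n >= 6 && (memcmp(b, "GIF87a", 6) == 0 || memcmp(b, "GIF89a", 6) == 0)) return T_GIF;
    if (n >= 3 && b[0] == 0xFF && b[1] == 0xD8 && b[2] == 0xFF) return T_JPEG;
    if (n >= 2 && b[0] == 'M' && b[1] == 'Z') return T_EXE;   /* MZ / PE executable header */
    /* HTML: skip leading whitespace, then look for a tag start we recognise. */
    size_t i = 0;
    while (i < n && (b[i] == ' ' || b[i] == '\t' || b[i] == '\r' || b[i] == '\n')) i++;
    if (n - i >= 9 && !strncasecmp((const char *)b + i, "<!DOCTYPE", 9)) return T_HTML;
    if (n - i >= 5 && !strncasecmp((const char *)b + i, "<html", 5)) return T_HTML;
    return T_UNKNOWN;
}

/* The decision: every indication that says something must agree with every
 * other one. Returns 1 when consistent (or when too little is known to
 * disagree), 0 when two known indications conflict, e.g. MZ bytes behind a
 * .gif name and an image/gif header, the disguised-download case the check
 * exists to catch. */
int content_is_consistent(const char *name, const char *content_type,
                          const unsigned char *body, size_t body_len)
{
    enum ftype t[3] = { type_from_name(name), type_from_content_type(content_type),
                        type_from_sniff(body, body_len) };
    for (int i = 0; i < 3; i++)
        for (int j = i + 1; j < 3; j++)
            if (t[i] != T_UNKNOWN && t[j] != T_UNKNOWN && t[i] != t[j])
                return 0;
    return 1;
}

int main(void)
{
    /* Constructed samples: a genuine GIF, and an executable dressed up as one. */
    const unsigned char gif[] = "GIF89a\x01\x00";
    const unsigned char exe[] = "MZ\x90\x00\x03";
    printf("gif as gif: %d\n", content_is_consistent("logo.gif", "image/gif", gif, 8));
    printf("exe as gif: %d\n", content_is_consistent("logo.gif", "image/gif", exe, 5));
    return 0;
}
```

Note the deliberate asymmetry: the check only refuses when two indications contradict each other, so an unknown extension plus application/octet-stream plus MZ bytes is consistent and is handled as an executable, which is the honest outcome; the attack the check defeats is content that claims to be benign while its bytes say otherwise.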
POP UP BLOCKER!!!!!
Never trust content from Publishername
One Prompt Per Control Per Page
Safer Browsing
Internet Explorer
Annoying ActiveX controls with overly long descriptions can now be viewed
Prevents UI spoofing attacks
Prevents scripts from moving windows to hide URL bars / status bars etc.
Scripts can no longer disable it
Window Restrictions
Safer Browsing
Internet Explorer
Do not extend above the top or below the bottom of the parent Internet Explorer Web Object Control (WebOC) window.
Are smaller in height than the parent WebOC window.
Overlap the parent window horizontally.
Stay with the parent window if the parent window moves.
Appear above their parent so other windows (such as a dialog box) cannot be hidden.
Safer Browsing
Internet Explorer
Internet Explorer prevents the overall security context for any link on a page from being higher than the security context of the root URL
Scripts cannot navigate from the Internet Zone to the Local Machine Zone, AND the Local Machine Zone is now locked down by default even if that could happen!
Zone Elevation Attacks are one of the most exploited IE attack vectors
SUS 2.0 will utilize MSI 3.0
Improved inventory functions across user and installation contexts
Support for binary delta compression
Makes patches smaller / quicker to download
Authors can provide an explicit installation order
Patch Sequencing
Manager
2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.