Unprotected Windows Shares
Prepared By: Mohammad Abu-Mahfouze
Supervised By: Dr. Lo'ai Tawalbeh
Arab Academy for Business and Finance (AABFS) (Spring 2007)
Introduction Microsoft Windows Operating System provides a host machine with the ability to share files or folders across a network with other hosts through Windows network shares. The underlying mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS). These protocols permit a host to manipulate remote files just as if they were local.
Introduction Although this is a powerful and useful feature of Windows, improper configuration of network shares may expose critical system files or may provide a mechanism for a nefarious user or program to take full control of the host. One of the ways in which the Klez worm (I-Worm.Klez.a-h, Klez family), the Sircam virus and the Nimda worm spread so rapidly in 2001 was by discovering unprotected network shares and placing copies of themselves in them.
Introduction Many computer owners open their systems to hackers or attackers when they try to improve convenience for workers and outside researchers by making their drives readable and writeable by network users. But when they take care to ensure the proper configuration of the network shares, the risks of compromise can be adequately mitigated.
Introduction Peer-to-peer file-sharing services are often restricted by organizational policy due to their widespread use for disseminating copyrighted content illegally, their significant bandwidth consumption for (typically) non-work-related uses, and/or the risk that they may introduce new security vulnerabilities to the organization.
Securing Windows File Sharing Although Windows XP Professional is built on the Windows 2000 kernel, there are significant differences between the operating systems, especially when it comes to security. This checklist is partially based on our popular Windows 2000 security checklist and covers both Windows XP Professional and XP Home Edition. Unfortunately, Windows XP Home Edition doesn't have all of the security features of XP Professional, so not all of the options are available for both versions. If you're concerned about your data, we strongly recommend upgrading to XP Professional as soon as possible.
Securing Windows File Sharing When implementing these recommendations, keep in mind that there is a trade-off between increased security levels and usability for any operating system. To help you decide how much security you need, we've divided the checklist into Basic, Intermediate, and Advanced security options. You should assess your potential security risks, determine the value of your data, and balance your needs accordingly. In this presentation we will talk about the Basic security option.
How To Share Your Files Securely?
Securing Windows File Sharing To tunnel Windows file shares over an SSH (Secure Shell) connection, you need to forward connections on port 139 on the sharing-consumer machine via SSH to the sharing-provider machine. The exact setup differs depending on the version of Windows on the sharing-consumer machine:
In Windows 2000 Configure the SSH client to listen on interface and connect to '\\ \sharename'. This is all that is necessary.
In Windows XP Same as for Windows 2000, but before using the forwarded share, the local (client's) Windows file sharing server needs to be stopped via 'net stop server'. To disable it permanently, run 'sc config lanmanserver start= disabled'. To re-enable it at a later time, run 'sc config lanmanserver start= auto'. Note the space between 'start= ' and the following parameter - sc will fail without it.
Microsoft Loopback Adapter If you want to avoid disabling the file sharing server on the client machine because you want to retain remote access to the client machine's shared resources, there is another alternative. You can install the Microsoft Loopback Adapter according to the instructions relevant to your version of Windows: The Loopback Adapter and file share tunneling: Windows XP and 2003; The Loopback Adapter and file share tunneling: Windows 2000; The Loopback Adapter and file share tunneling: Windows NT4.
Remember If you use the Microsoft Loopback Adapter, you should set up your SSH client accordingly: use the Loopback Adapter's IP instead of or . If you assigned the Loopback Adapter the IP address , configure a client-to-server port forwarding rule to listen on , port 139; then you can connect to '\\ \sharename'.
Windows file sharing over SSH To share files securely in Windows, follow these steps to get up and running quickly with Windows file sharing over SSH.
On the server machine (the file-sharing provider) 1) Install WinSSHD on the server (the machine that has the resources you wish to access with Windows file sharing). 2) No changes to the default WinSSHD configuration are required to use Windows file sharing over SSH. You may wish to make changes to the default WinSSHD configuration later on, to restrict which WinSSHD features are accessible to remote users. However, for the time being, keep your WinSSHD settings at default until your file sharing over SSH is up and running.
On the server machine (the file-sharing provider) 3) Apart from installing WinSSHD, the only thing you need to do on the server is ensure that there is a Windows account which you can use to log on locally, and which you are comfortable using through Tunnelier and WinSSHD. If such an account does not yet exist, create one and use it to log on for the first time through the local Windows console to make sure all settings for the new account are initialized. 4) Start the WinSSHD service from the WinSSHD Control Panel.
On the client machine: 1) If the client is running Windows XP or 2003 and you wish to retain the ability to share the client's resources, install and configure the Microsoft Loopback Adapter. 2) Install Tunnelier on the client (the machine from which you wish to be accessing the server machine's shared resources).
On the client machine: 3) Configure the following settings on the Login tab in Tunnelier. Click also the 'Help' link on the Login tab for help with any of these settings. A. Host: The IP address or DNS name of the server that you are accessing. B. Port: You will normally use the default value, 22. This must match the port that WinSSHD is listening on. If you have made no changes to the default WinSSHD configuration to change the port it is listening on, use 22.
On the client machine: C. Username: The Windows account name with which to log into the server. This must be a valid Windows account name with local logon permissions on the server side. D. Password: The password with which to log into the server, belonging to the account name specified by Username. E. Store encrypted password in profile: You may optionally wish to enable this setting so that you will not be asked to re-enter the password each time you log in after Tunnelier has been restarted.
On the client machine: 4) In the C2S Forwarding tab in Tunnelier, add a new entry and configure the following settings for this entry. Click also the 'Help' link on the C2S Forwarding tab for help with any of these settings. A. Status: This will be 'enabled' by default; leave it that way. B. Listen interface: The default value is . If the client machine is running Windows XP, leave this as it is; you will need to uninstall file and printer sharing on the client machine anyway. If the client machine is running Windows 2000, change this to so that you will not need to uninstall file and printer sharing.
C. List. Port: 139. D. Destination Host: set this to the interface on which the file sharing server is listening for SMB connections. Setting this to 'localhost' or will not work, because the file sharing server is usually listening on a specific interface rather than all interfaces, so it will not be possible to go through the loopback connection. To determine the interface where the file sharing server is listening, execute 'netstat -an' on the server and examine the output for a line like 'xxxxxx: LISTENING'. The xxxxxx is the IP address that you need to enter in this field. Normally this will be the IP address associated with the server's main ethernet adapter. E. Dest. Port: 139.
5) Click the Login button in Tunnelier and observe the log area for any errors. If the session is established without errors, the SSH setup is running. 6) If you are running Windows XP, you will now need to uninstall (not just disable, but completely uninstall) file and printer sharing on the client machine. This can be done through Network Connections : (each connection) : Properties; select 'File and Printer Sharing' in the list box and press the Uninstall button. This needs to be done for each active network connection on the client machine. 7) If you are using earlier versions of Windows (this is confirmed for Windows 2000 but is likely to apply to the 9x/Me series as well), you will not need to uninstall file and printer sharing if you specified as the Tunnelier C2S rule listening interface (above).
8) Once the above steps have been completed, you will be able to connect securely to the shared resources on the server machine using syntax such as \\ \sharename or \\ \sharename, respectively. This will work as long as the Tunnelier SSH connection remains established. 9) You can make sure that your file sharing connections are going through Tunnelier by checking the Tunnelier log area for a message saying 'Accepted client-to-server connection from... to...:139' corresponding to each connection attempt you make. Likewise, when your file sharing connection closes, Tunnelier should output a log message stating 'Closing client-to-server forwarding channel from... to...:139'.
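The client-side procedure above (make sure port 139 is free, create the client-to-server forward, confirm the SSH client owns the listener, map the share) can be reproduced with the OpenSSH client that ships with Windows 10 and later. The script below is an added example; it is not from the presentation and is not Tunnelier's or WinSSHD's own tooling. $ServerSsh, $ServerLanIp (a TEST-NET-1 placeholder standing in for the address that 'netstat -an' shows SMB listening on at the server) and $ShareName are placeholders, and it assumes key-based or agent authentication so that ssh.exe does not prompt for a password.

```powershell
# Added example: SMB-over-SSH client setup with OpenSSH instead of Tunnelier.
param(
    [string]$ServerSsh   = 'user@server.example',   # placeholder SSH login
    [string]$ServerLanIp = '192.0.2.10',            # placeholder: server's SMB interface
    [string]$ListenIp    = '127.0.0.1',             # or a Loopback Adapter address
    [string]$ShareName   = 'sharename'              # placeholder share name
)

# 1) The forward cannot bind if the local Server service (LanmanServer) already
#    holds port 139 on this address. Check first instead of blindly stopping it.
$held = Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -in @('0.0.0.0', $ListenIp) }
if ($held) {
    throw "Port 139 on $ListenIp is in use (LanmanServer?). Run 'net stop server' or use a Loopback Adapter address."
}

# 2) Client-to-server forward: local $ListenIp:139 -> $ServerLanIp:139 through SSH.
#    -N opens no remote shell, so the process exists only to carry the tunnel.
$ssh = Start-Process -FilePath 'ssh.exe' -PassThru -WindowStyle Hidden -ArgumentList @(
    '-N', '-L', "${ListenIp}:139:${ServerLanIp}:139", $ServerSsh
)
Start-Sleep -Seconds 3
if ($ssh.HasExited) { throw "ssh.exe exited early (exit code $($ssh.ExitCode)); check authentication" }

# 3) Verify that ssh.exe, not the file sharing server, now owns the listener.
$listener = Get-NetTCPConnection -LocalAddress $ListenIp -LocalPort 139 -State Listen -ErrorAction Stop
$owner = (Get-Process -Id $listener.OwningProcess).ProcessName
if ($owner -ne 'ssh') { throw "Port 139 on $ListenIp is owned by '$owner', not ssh" }

# 4) Map the share through the tunnel; the UNC host is the local listen address.
net use Z: "\\$ListenIp\$ShareName"
Write-Output "Share mapped via SSH tunnel (ssh.exe PID $($ssh.Id)); 'net use Z: /delete' and stop the PID to tear down."
```

Step 3 is the equivalent of checking the Tunnelier log for 'Accepted client-to-server connection': if the listener on port 139 belongs to any process other than ssh.exe, the SMB traffic is not going through the tunnel.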
There are three levels of security measures: Basic Security Measures, Intermediate Security Measures, and Advanced Security Settings. In this presentation we will talk about the Basic Security Measures only.
Basic Security Measures Provide Physical Security for the machine It may seem basic, but we didn't want you to overlook the obvious. The simple fact is that most security breaches in corporate environments occur from the inside. Keep your workstation in an office that locks, install a lock on the CPU case, keep it locked, and store the key safely away from the computer at a secure location (e.g. a locked cabinet in the server room).
Basic Security Measures Use NTFS on all your partitions The FAT16/FAT32 file systems that were shipped with Windows 95/98/ME offered no security for your data and left your system wide open to attacks. The NTFS file system is faster than FAT32 and allows you to set permissions down to the file level. If you're unsure of how your system is configured,
Basic Security Measures Using NTFS on Windows XP Professional also allows you to encrypt files and folders using the Encrypting File System (EFS). If you are dual booting Windows XP and Windows 9x/Me, keep in mind that these operating systems cannot read NTFS partitions, and you won't be able to access the files when you are in Windows 9x/Me.
Basic Security Measures Disable Simple File Sharing Both Windows XP Home Edition and XP Professional workstations that are not part of a domain use a network access model called "Simple File Sharing", where all attempts to log on to the computer from across the network are forced to use the Guest account (to prevent them from using a local Administrator account that wasn't configured with a password). This means that if you're connected to the internet and don't use a secure firewall, the files contained within those shares are available to just about anybody.
Basic Security Measures To disable Simple File Sharing on XP Professional: click Start > My Computer > Tools > Folder Options; select the View tab; go to Advanced Settings and clear the Use Simple File Sharing box; click Apply.
Basic Security Measures Unfortunately, XP Home Edition doesn't allow you to disable Simple File Sharing and is unable to join a domain, so the best you can hope for is to make sure you set your shared folders to be read only, hide the file shares by using a $ sign after the folder name, or, if you're using the NTFS file system, use the 'Make Private' option in the folder properties. Windows XP Professional workstations that are part of a domain or that have Simple File Sharing disabled use the "Classic" NT security model, which requires all users to authenticate before granting access to shared folders.
Basic Security Measures Use passwords on all user accounts Both Windows XP Professional and Home Edition allow user accounts to use blank passwords to log into their local workstations, although in XP Professional, accounts with blank passwords can no longer be used to log on to the computer remotely over the network. Obviously, blank passwords are a bad idea if you care about security. Make sure you assign passwords to all accounts, especially the Administrator account and any accounts with Administrator privileges. By the way, in XP Home Edition all user accounts have administrative privileges and no password by default. Make sure you close this hole as soon as possible.
Basic Security Measures Use the Administrators group with care It's very common for home users and small business administrators to simply give all local accounts full Administrator privileges in order to eliminate the inconvenience of logging into another account. However, this practice gives a hacker the opportunity to try to crack a greater number of administrator-level accounts and increases his/her chance of success. It also increases the odds that malicious code executed via an attachment or other vector can do more damage to your files. In a workgroup, consider placing local users with a greater need for control in the local Power Users group instead of the Administrators group. And avoid the temptation of using the local Administrator account as your default login account.
Basic Security Measures Disable the Guest Account The Guest account has always been a huge hacker hole, and should be disabled as soon as you install your workstation. Unfortunately, this recommendation only applies to Windows XP Professional computers that belong to a domain, or to computers that do not use the Simple File Sharing model. Windows XP Home Edition will not allow you to disable the Guest account. When you disable the Guest account in Windows XP Home Edition via the Control Panel, it only removes the listing of the Guest account from the Fast User Switching Welcome screen and the Log On Locally right. The network credentials remain intact, and guest users will still be able to connect to shared resources of the affected machine across a network.
Basic Security Measures Use a firewall if you have a full-time internet connection Having instant, high-speed access to the internet is a real convenience, but it also puts your data at risk. Although XP comes with a built-in firewall (called ICF), it is not enabled by default, and it only filters incoming traffic without attempting to manage or restrict outbound connections at all. While this may be fine for most users, we highly recommend using a third-party personal firewall such as BlackIce if you're concerned about your data. For corporate users already behind a firewall, consider using Group Policy to enable ICF and disable specific ports when users are not connected to the corporate network.
Basic Security Measures Use a router instead of ICS The Internet Connection Sharing feature within XP allows a user to connect one PC to the internet and then share that connection with the rest of the computers within his home or small office network. While it was generally a good idea when it was conceived, if you have a high-speed connection a real router is faster, easier to configure, and more secure.
Basic Security Measures Install AntiVirus Software on all workstations Viruses and other forms of malicious software have been around for years, but today's malware uses the internet and systems to spread globally in a matter of hours. Installing AntiVirus software is a basic step in protecting your data, but it's nearly useless if the definitions aren't updated.
Basic Security Measures Keep up to date with hotfixes and service packs Windows XP is a complex operating system and is not immune to its own bugs and security holes. It's a common tactic for hackers to use the latest known security hole to break into a system and work backward from there until they find an open door that gives them full access. In fact, 99% of system breaches are executed using known security vulnerabilities that were never patched. Use the Windows Update feature or automatic updates to keep your system up to date. You can also use the Microsoft Baseline Security Analyzer to check your system for known vulnerabilities.
Basic Security Measures Password protect the screensaver Once again, this is a basic security step that is often circumvented by users. Make sure all of your workstations have this feature enabled to prevent an internal threat from taking advantage of an unlocked console. For best results, choose the blank screensaver or the logon screensaver. Avoid OpenGL and other graphics-intensive screensavers that eat CPU cycles and memory. Make sure the wait setting is appropriate for your business. If you can get your users in the habit of manually locking their workstations when they walk away from their desks, you can probably get away with an idle time of 15 minutes or more. You can keep users from changing this setting via Group Policy or the local security policy.
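The Basic Security Measures above (NTFS on all partitions, Simple File Sharing, passwords on all accounts, a small Administrators group, a disabled Guest account, an enabled firewall, and a password-protected screensaver) can be checked in one pass. The PowerShell audit below is an added example, not part of the presentation or of the checklist it quotes. It targets a current Windows host (PowerShell 5.1 or later with the Storage, LocalAccounts, SmbShare and NetSecurity modules, so it will not run on XP itself) and assumes local administrator rights; the registry value names are the real LSA and Desktop settings behind these options, while the 15-minute idle threshold and the "more than one administrator" threshold are assumptions taken from the slides' own guidance.

```powershell
# Added example: audit the "Basic Security Measures" on a modern Windows host.
# Returns a list of findings; an empty list means every check passed.
function Test-BasicShareSecurity {
    $findings = @()

    # Use NTFS on all partitions: flag fixed volumes formatted with anything else.
    Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' -and $_.FileSystemType -ne 'NTFS' } |
        ForEach-Object { $findings += "Volume $($_.DriveLetter): uses $($_.FileSystemType), not NTFS" }

    # Disable Simple File Sharing: ForceGuest=1 maps every network logon to Guest.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.ForceGuest -eq 1) { $findings += 'Simple File Sharing (ForceGuest=1) is enabled' }
    # Blank passwords: LimitBlankPasswordUse=1 blocks network logon with an empty password.
    if ($lsa.LimitBlankPasswordUse -ne 1) { $findings += 'Blank passwords are usable for network logon' }

    # Use passwords on all user accounts.
    Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        ForEach-Object { $findings += "Account '$($_.Name)' does not require a password" }

    # Disable the Guest account.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) { $findings += 'Guest account is enabled' }

    # Use the Administrators group with care (threshold of one member is an assumption).
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    if ($admins.Count -gt 1) { $findings += "Administrators group has $($admins.Count) members: $($admins -join ', ')" }

    # Use a firewall: every profile should be enabled.
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
        ForEach-Object { $findings += "Firewall profile '$($_.Name)' is disabled" }

    # Shares should be read-only for Everyone (non-special shares only, i.e. not C$ / ADMIN$).
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -like '*Everyone' -and $_.AccessRight -ne 'Read' } |
            ForEach-Object { $findings += "Share '$($share.Name)' grants Everyone $($_.AccessRight)" }
    }

    # Password protect the screensaver; 900 s (15 min) idle limit is the slides' guidance.
    $desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
    if ($desk.ScreenSaverIsSecure -ne '1') { $findings += 'Screensaver is not password protected' }
    if (-not $desk.ScreenSaveTimeOut -or [int]$desk.ScreenSaveTimeOut -gt 900) {
        $findings += "Screensaver idle timeout is '$($desk.ScreenSaveTimeOut)' seconds (expected 900 or less)"
    }

    return $findings
}

$results = Test-BasicShareSecurity
if ($results.Count -eq 0) { Write-Output 'All basic checks passed' }
else { $results | ForEach-Object { Write-Output "FINDING: $_" } }
```

The share check is the one that most directly addresses the title of the presentation: a share that grants Everyone Change or Full access, on a host where ForceGuest is set or the Guest account is enabled, is exactly the "unprotected share" the worms mentioned in the introduction spread through.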
Basic Security Measures Secure your wireless network The new wireless standard allows you to roam freely without cables and make anywhere your virtual office. This also gives hackers another open door to your data if you fail to lock it. A recent survey in the U.K. found that of 5,000 wireless networks discovered by simply driving around the city with a wireless-enabled laptop, 92% were wide open. As "drive-by" hacking and warchalking become common practice, any hacker with a laptop and a Pringles can could potentially compromise your network.
Basic Security Measures Secure your backup tapes It's amazing how many organizations implement excellent platform security, and then don't encrypt and/or lock up their backup tapes containing the same data. It's also a good idea to keep your Emergency Repair Disks locked up and stored away from your workstations as well.