Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing New Technology Dominique Brezinski. Introduction We all have a few questions about Windows NT security: Is it really secure Should we be deploying.

Published byLee Powers Modified over 8 years ago

Similar presentations

Presentation on theme: "Securing New Technology Dominique Brezinski. Introduction We all have a few questions about Windows NT security: Is it really secure Should we be deploying."— Presentation transcript:

1 Securing New Technology Dominique Brezinski

2 Introduction We all have a few questions about Windows NT security: Is it really secure Should we be deploying Internet connected Windows NT systems What are the current vulnerabilities in NT

3 Summary of Course Security vulnerabilities in the NT architecture and implementation Methods for addressing the existing and future security vulnerabilities Techniques and tools for assessing security posture

4 Who is in Attendance? Security Auditors? System Administrators? Developers? Others?

5 Agenda Some specifics of the NT security architecture Failings from a security perspective Securing your NT systems Assessing your security practices

6 NT security Architecture Console Logon Process Network Logon Process Object Access Impersonation

7 Console Logon Process Interact with the GINA to give credentials GINA is the extensible part of WinLogon WinLogon talks to Authentication Packages through LSA (Local Security Authority) using LogonUser() Current Authentication Package is MSV1_0 (NT LM Security Provider) Authentication Package returns security token if credentials are correct

8 Network Logon Process Make connection to Server Service (SMB) Server Service generates a MSV1_0 compatible challenge and sends it to the client (in a SMB_COM_NEGPROT message) Client responds by encrypting the challenge, using the password as the encryption key, and sending it back to the server

9 Network Logon Process Cont. Server Service passes the client’s response and the original challenge to MSV1_0 by calling LsaCallAuthenticationPackage() with the message type MsV1_0Lm20Logon The LsaCallAuthenticationPackage() returns a security token to the Server service if everything is successful

10 Object Access Each object has a DACL (Discretionary Access Control List) Each Process has a security token (from logon process) attached which contains the identity and privileges of the user context it is executing under When a process attempts to access an object, the Security Reference Monitor in the kernel checks to see if the identity or privileges in the token match an ACL entry

11 Impersonation Process obtains a security token for the user to be impersonated through the LogonUser() function or a direct call to a authentication package with LsaCallAuthenticationPackage() The process can use this token to temporarily change the user context of a thread to execute as the user (impersonate)

12 Vulnerabilities and Exploits

13 Exploits Anonymous connections Network Authentication attacks Buffer overflows in privileged services Trojan horses and other file permission abuses Privilege escalation through architectural deficiencies

14 Anonymous Connections Created by using null credentials - net use \\target\IPC$ ““ /user:”” Prior to SP3 could remotely access the Registry on workstations and some servers Can enumerate users, groups, and get SIDs Possibly other unknown ramifications

15 Network Authentication Attacks Man in the middle attack on authentication sequence to gain remote access as arbitrary user (fixed in SP3 if message signing is used) Password hash grabbing attacks using a known challenge (not fixed in SP3) or brute-force Protocol downgrade attacks to obtain plaintext password (fixed in SP3 by default)

16 Buffer Overflows They can happen in NT WebSite 1.0 had a couple nifty CGI programs that could be overflowed The egg (shell code) has been written and published, so the hard work has been done. Services running as SYSTEM or Administrator are the primary targets

17 Trojan Horses and File Permissions Targets: files (.exe,.dll,.reg) that will get executed by a privileged user - Administrator or System Extensible portions of the security system are key easy targets - Notification Packages, Password Filters, and GINAs all run under the System context FPNWCLNT.DLL is a great example: default Registry entry, but the DLL does not exist on NT 4.0 Workstations.

18 File Permissions Cont. Group Everyone has write permission to %SystemRoot%\system32 by default, so therefore any local user can add a notification package Trojan called FPNWCLNT.DLL that will get called in the System context. Group Everyone has FULL CONTROL of %SystemRoot% by default, so even files like poledit.exe and explorer.exe which are (RX) can be changed by anyone.

19 Privilege Escalation On July 4, GetAdmin was released on Usenet. GetAdmin gains privilege to attach to another process (SeDebugPrivilege) through a broken kernel API and then creates a thread in the Winlogon process that executes code in GASYS.DLL which adds an arbitrary user to the Administrator’s group. Very naughty ;)

20 Securing it

21 Reduce Services Only services that are needed should be running - everything else should be disabled. NT needs the following services to be started to function correctly: EventLog, Plug and Play, and Remote Procedure Call Service (TCP port 135 will be listening). Experiment - start with the above services and only add as needed.

22 File Permissions Don’t give the Everyone group FULL CONTROL of anything Check “Guidelines for securing Windows NT-based networks and systems” on www.microsoft.com %SystemRoot% and %SystemRoot%\system32 can be (RX) for non admin users Removal of execute permission on all executables not needed is a good thing

23 Registry Permissions Make sure HKLM\SYSTEM\CurrentControlSet\Control \SecurePipesServers\Winreg exists and only Administrators have permission to it Again, check “Guidelines for securing Windows NT-based networks and systems” on www.microsoft.com Use David LeBlanc’s suggestions in the NT Security FAQ

24 General Use a password filter to enforce strong passwords (PASSFILT.DLL from SP2 or write your own) Use passprop.exe from the Resource Kit to enable account lockout on Administrator Disable Network Logons for administrator equivalent accounts Turn on auditing for security events

25 Specific Fixes for Exploits Install SP3 and set the RestrictAnonymous registry value Change the DACL of NTOSKRNL.EXE to System and Administrator FULL CONTROL and Everyone EXECUTE (temp hack to fix GetAdmin - not long term) Remove FPNWCLNT from HKLM\SYSTEM\CurrentControlSet\Control \Lsa\”Notification Packages” Use message signing NT to NT

26 More Fixes Use the TCP/IP Advanced Security options to block all TCP and UDP ports not being used - specifically TCP 135 if not using remote RPC Disable the WINS TCP/IP binding under the protocol tab and the Server service if the machine is a single purpose server - WWW, FTP

27 Assessing Your Security

28 Tools Your security policy ISS 4.31 for NT Ballista Kane Security Analyst NAT without #define SCANNER (see *hobbit’s presentation) A good TCP and UDP port scanner The Resource Kit(s) Homebrew (C, TCL, Perl, etc.)

29 More Tools DumpAcl Cacls Regedt32 Poledit Caffiene

30 Port Scanning Do a full TCP and UDP port scan Take note of all listening ports and reference them against what you would expect for the services the machine is suppose to be running Common listening ports are TCP 135, 137, 138, 139, and several ephemeral ports and UDP 135,137,138, and 139

31 Service Checks Tools like ISS, Ballista, and NAT are very helpful Remember port 139 is used by many services: file sharing and services using RPC over named pipes Check for all known bugs Look for unknown or excessive services See what information can be obtained through SNMP, netstat, RPC end-point mapper, and remote Registry access

32 File Permission Checks Print out list of all users and groups Use a tool like DumpAcl or Cacls to print out a list of all file and directory permissions Use your security policy as the basis for ACL checks Look for situation like directories with FULL CONTROL granted to a group that should not have access to some files within the directory

33 Registry Permission Checks Use Regedt32 or DumpAcl to list ACLs for HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT Again, use your security policy as a basis for your checks Look for situations where users can read or write sensitive keys and values The SNMP community name and AutoLogon password are viewable by everyone by default

34 Known Vulnerability Checks Check for all know vulnerabilities Look for potentially exploitable conditions like the ability to overwrite executables and dynamic link libraries Check for Registry keys and values writeable by non-administrators - there are several places by default that everyone can change which can lead to Trojan horses (.reg associations)

35 Policy Enforcement Is auditing enabled? Are password length and lifetime checks enabled? Do users belong to the correct groups? Kane Security Analyst is a good tool for this stuff

36 Summary We have covered the basics of how NT security operates, what some major problems are, strategies to tighten up security, and some methods for checking your risks Experiment with this knowledge - use it as a starting point and take tangents

37 Where to get more information http://www.microsoft.com/workshop/prog/ security/guidesecnt.htm http://www.ntsecurity.net mailing list at ntsecurity@iss.net mailing list at ntbugtraq@rc.on.ca mailing list at bugtraq@netspace.org dominique.brezinski@cybersafe.com

Download ppt "Securing New Technology Dominique Brezinski. Introduction We all have a few questions about Windows NT security: Is it really secure Should we be deploying."

Similar presentations

Ethical Hacking Module IV Enumeration.

Ethical Hacking Module IV Enumeration.
Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Windows 2003 SP1 Member Server in ASU Active Directory WNUG/CCC February 2, 2006 Sharon Bushart CLAS Information Technology.

Windows 2003 SP1 Member Server in ASU Active Directory WNUG/CCC February 2, 2006 Sharon Bushart CLAS Information Technology.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.

Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Enumeration. Local IP addresses Local IP addresses (review)  Some special IP addresses  localhost 127.0.0.1 (loopback address)  Internal networks 

Enumeration. Local IP addresses Local IP addresses (review)  Some special IP addresses  localhost (loopback address)  Internal networks 
The Deep Technical Audit: How to Identify and Mitigate Risks Presented in Other Sessions David J. Goldman Joseph Nocera.

The Deep Technical Audit: How to Identify and Mitigate Risks Presented in Other Sessions David J. Goldman Joseph Nocera.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.

Hacking Windows 2K, XP. Windows 2K, XP Review: NetBIOS name resolution. SMB - Shared Message Block - uses TCP port 139, and NBT - NetBIOS over TCP/IP.
Windows Security Mechanisms Al Bento - University of Baltimore.

Windows Security Mechanisms Al Bento - University of Baltimore.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.

Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
Chapter 4 Windows NT/2000 Overview. NT Concepts  Domains –A group of one or more NT machines that share an authentication database (SAM) –Single sign-on.

Chapter 4 Windows NT/2000 Overview. NT Concepts  Domains –A group of one or more NT machines that share an authentication database (SAM) –Single sign-on.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
PRACTICAL STEPS IN SECURING WINDOWS NT Copyright, 1996 © Dale Carnegie & Associates, Inc. TIP For additional advice see Dale Carnegie Training® Presentation.

PRACTICAL STEPS IN SECURING WINDOWS NT Copyright, 1996 © Dale Carnegie & Associates, Inc. TIP For additional advice see Dale Carnegie Training® Presentation.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Similar presentations

Ads by Google