Dirty-Dozen: Top 12 Issues in Windows 2000 Security

Roberta Bragg, Security Evangelist, Have Computer Will Travel, Inc.

Agenda

1. Was the FBI Right?

2. Too Trusting?

3. EFS/ XP/W2K Issues

4. Anonymous Access Exposes Data

5. Preventing Unauthorized Access

6. NTFS Inheritance

7. Don’t Give Permissions to User Accounts

8. So many security settings to configure!

9. So many boxes to secure

10. Too Many Administrators

11. Patching Mania

12. Weak Passwords

1. Was the FBI Right?

Universal Plug-and-Play standard

Feature of XP – unfortunately flawed

Security Bulletin MS01-59

Q article - Q315056

What’s the Fuss?

Buffer overrun – attacker controls system

Endless download cycle (DoS) possible with a maliciously configured device host

Flooding of a third-party server (DoS) with bogus requests

Patch Available

Windows XP and Windows 98

Or Disable SSDP Discovery Service

Configuration to Limit Exposure – Q315056

Regulate device download based on scope

Regulate device description download based on router hops

Port restrictions

Delay Mechanisms

2. Too Trusting

Security Bulletin MS02-001 – Using SID Filtering to Prevent Elevation of Privilege Attacks

An Administrator of one domain could obtain administrative rights in another

Domain Trust Relationships (diagram: W2K and NT domains on the trusted and trusting sides of the trust)

To exploit you’d have to:

Be Domain Administrator in the trusted domain

NT: develop and install custom operating system components

W2K: binary edit of the data structures that hold the SIDHistory mechanism

Protecting Security Boundaries

No trust

NT style trust between domains in separate forests – SID Filtering

Kerberos style trust between domains in a forest NO!!!!!! Do not apply SID Filtering

Vet, Hire and Audit Trustworthy admins

3. EFS/XP/W2K

EFS algorithms

Is Data Loss Possible?

Storage Issues

XP specific issues

Best Practice

Excellent Encryption Product

Symmetric and Asymmetric Encryption

W2K – File recovery

.NET – File or key recovery

Is Data Loss Possible?

Very possible to lose data

Disable EFS

Implement PKI

Deploy EFS

Storage Issues

Network Storage

• W2K – not encrypted during transport – use IPSec

• XP – use Web Folders – files remain encrypted

Copy to FAT – decrypted

W2K/XP backup preserves encryption

XP Specific Issues

Sharing encrypted files may be dangerous

Administrative password reset uncouples certificate from user account

4. Anonymous Access Exposes Data

Anonymous access is accomplished via a null domain name, account name and password

Necessary for some applications/services

5. Preventing Unauthorized Access

Windows 2000/XP in domain – Kerberos

Compatibility dilemma

• NT – NTLM

• Win9x – LM

NTLMv2 advantage

• Prevents sending of LM password hash

• Available NT, Win9x with AD client installed

Registry entry to prevent storage of the LM password hash

6. NTFS Permissions Inheritance

Windows NT – can be cascaded to any level!

Windows 2000 – can be blocked at subfolder level.

Windows XP unlike W2K – can apply defaults to upgrade.

7. Don’t Give Permissions to User Accounts

Add user accounts to Global Groups

Add Global Groups to local Groups

Assign permissions to local groups

W2K native mode use Universal Groups

Promotes ease of administration, assurance of access removal, clear audit path

Best Practice

8. So Many Security Settings to Configure

Tool

9. So Many Boxes to Secure

Develop baselines for classes of boxes

Create baseline security templates

Apply

• Security Configuration and Analysis

• Group Policy

Use to audit system compliance with policy

Key Feature

10. Too Many Administrators

Use Default Groups

• Server/account/print operator

• Power User

Create groups and assign rights and permissions

Question and evaluate any request for administrative status

Windows 2000 – Use delegation of authority

11. Patching Mania

Everyone says to patch your system ?????

Windows Update – single systems

Windows Corporate Update Site

• http://corporate.windowsupdate.microsoft.com

Qchain

12. Weak Passwords

Many attacks require authenticated access

Default password policy is weak

Users need training in creating strong passwords

Consider alternatives – biometrics; smart cards
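As an added example (not part of the deck), a small Python checker that parses a secedit-style security template and flags settings weaker than the baseline the slides argue for: NTLMv2-only authentication and no stored LM hash (slide 5), a reusable baseline template checked for compliance (slide 9), and a stronger password policy (slide 12). The sample template and the threshold values are this example's own assumptions, not the speaker's.

```python
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
# Constructed sample in secedit .inf layout (not from the slides). Registry lines are
# 'path=type,data' with type 4 = REG_DWORD; values are chosen to produce findings.
SAMPLE_TEMPLATE = f"""[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 3
[Registry Values]
{LSA}\\LmCompatibilityLevel=4,1
{LSA}\\RestrictAnonymous=4,0
{LSA}\\NoLMHash=4,1
"""
# Minimum acceptable values: this example's assumptions, drawn from the slides' advice.
BASELINE = {
    ("System Access", "MinimumPasswordLength"): 8,
    ("System Access", "PasswordComplexity"): 1,
    ("System Access", "PasswordHistorySize"): 12,
    ("Registry Values", LSA + r"\LmCompatibilityLevel"): 3,  # send NTLMv2 only
    ("Registry Values", LSA + r"\RestrictAnonymous"): 1,     # curb null-session listing
    ("Registry Values", LSA + r"\NoLMHash"): 1,              # stop storing LM hashes
}

def parse_template(text):
    """Parse the INI-like template into {section: {key: raw_value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def audit(text):
    """Return [(setting, actual, required)] for each setting below baseline or missing."""
    sections = parse_template(text)
    findings = []
    for (section, key), required in BASELINE.items():
        raw = sections.get(section, {}).get(key)
        if raw is not None and section == "Registry Values":
            reg_type, _, raw = raw.partition(",")   # keep only REG_DWORD data
            raw = raw if reg_type == "4" else None
        actual = int(raw) if raw is not None else None
        if actual is None or actual < required:
            findings.append((key.rsplit("\\", 1)[-1], actual, required))
    return findings
```

Running `audit(SAMPLE_TEMPLATE)` reports the three weak password settings, the LM-compatible authentication level and the unrestricted anonymous access; a setting absent from the template is reported with `None` so a gap cannot pass silently.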

What is Microsoft Doing? Trustworthy Computing?

Bill Gates speech on trustworthy computing.

Month long no-new-code sabbatical.

Can perfect code be produced?

What will it cost?

What’s the track record, really?

Stats (www.securityfocus.com)

Most vulnerabilities: Mandrake Soft Linux with 34

2nd, 3rd, 4th place – three other versions of Linux

5th Windows 2000, 2 versions of Solaris tied with 24 each

www.securityfocus.com stats (chart: vulnerability counts for 2000 and 2001, NT & W2K versus Red Hat Linux; y-axis 0 to 100)

Call to Action!

Patch and/or Disable UPnP

Understand the Meaning of Trust

Disable EFS until PKI

Restrict Anonymous Access

Force NTLMv2 where Kerberos won’t prevail

Protect Key NTFS Permissions

AGLP

Create Security Baselines

Use Group Policy

Delegate Authority

Patch

Use strong authentication

Checklist

(hold Bill’s feet to the fire)

Questions?

Roberta Bragg, Security Evangelist, Have Computer Will Travel, Inc.