Safeguarding your Business Assets through Understanding of the Win32 API
Introduction
• David J. Goldman
  – CSA, Velosecure LLC
  – Managing the Windows Security Practice of PricewaterhouseCoopers’ Global Risk Management Solutions
  – [email protected]
  – 212-596-5682
Introduction
• Todd M Feinman
  – Candidate for MBA at Harvard Business School, 2002
  – CEO, Velosecure LLC
  – Manager within PricewaterhouseCoopers’ Global Risk Management Solutions
  – [email protected]
  – 212-596-7299
Objective
• Explain some of the vulnerabilities inherent to the Win32 API
• Talk through some examples of how these could affect real companies
• Discuss how to protect against such security breaches
Windows Management
• User – Users, groups, account policy…
• Resource – File, directory, service permissions…
• System – Services, registry, hotfixes…
• Network – Shares, trusts, remote access…
• Auditing – Audit policy, event logs, directory auditing…
Security Assertions
• Confidentiality – Sensitive information will not be read by unauthorized individuals
• Integrity – Reliable information will not be modified by unauthorized individuals
• Availability – Information will be accessible by authorized individuals in a timely manner
A Malicious Plan of Attack
• Can I connect with NULL? – Yes? Procure any and all information
  – Connect to shares, get a username, guess a password, run brute force attacks…
• Can I connect with Guest or User access? – Yes? Get service information, registry access, exploit daemons
  – Connect to service control manager, HKLM, ftp or web…
Case 1: Enterprise-Wide Employee Directory
• Background:
  – Pharmaceuticals company
  – 60,000 employees’ information defined within a directory
  – Two dozen domains
• Concerns:
  – Primary: Availability
  – Secondary: Confidentiality and Integrity
• Why:
  – Numerous directors and managers require access
  – Complex hierarchical corporate authority
Primary Assessment
• To ensure that:
  – All domain controllers are available for authentication (not using a random sample)
  – Users can search the directory for information about each other, including office number and email address
  – No one is trying to compromise availability of the servers
  – Printers are accessible by doctors and researchers
User Security Methodology
• List all Users and their properties – NetUserEnum, NetUserGetInfo
• List all Groups, their properties, and members – NetGroupEnum, NetGroupGetInfo, NetGroupGetUsers, NetLocalGroupEnum, NetLocalGroupGetMembers
Resource Security Methodology
• List all Printers and their properties
• Retrieve the permissions for each printer – EnumPrinters, GetNamedSecurityInfo
System Security Methodology
• Retrieve the network information – NetWkstaGetInfo, NetWkstaTransportEnum
• Determine its domain membership – LsaQueryInformationPolicy
• Retrieve OS level and other Windows information – NetServerGetInfo
Network Security Methodology
• Enumerate the trusts between domains
  – Trusting: NetUserEnum(FILTER_INTERDOMAIN_TRUST_ACCOUNT), NetUserGetInfo
  – Trusted: LsaEnumerateTrustedDomains
Auditing Security Methodology
• Event Log Settings – Registry Data
  – HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
• Event Log Data – ReadEventLog (event IDs 529, 539, 531, 517, 612)
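The slide names the Security log event IDs worth pulling with ReadEventLog but not what to do with them. The following is an added example, not part of the original presentation: it runs a detection pass over constructed sample records (a simplified (timestamp, event id, account, workstation) layout is assumed, since the slide does not show ReadEventLog output), flagging a run of 529 failures against one account as a possible brute-force attempt (the Case 3 concern later in the deck) and treating 517/612 as high severity because they undermine every other audit record.

```python
# Added example: detection pass over the Security log event IDs on the slide.
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs named on the slide (NT4/2000 Security log numbering).
EVENT_NAMES = {
    529: "logon failure: bad user name or password",
    539: "logon failure: account locked out",
    531: "logon failure: account disabled",
    517: "audit log cleared",
    612: "audit policy changed",
}
BRUTE_FORCE_THRESHOLD = 5                    # 529 events per account ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)   # ... within this observation window

# Constructed sample records (timestamp, event id, account, workstation); assumed layout.
SAMPLE_RECORDS = [
    ("2001-03-12 09:00:01", 529, "jsmith", "WKS01"),
    ("2001-03-12 09:00:04", 529, "jsmith", "WKS01"),
    ("2001-03-12 09:00:07", 529, "jsmith", "WKS01"),
    ("2001-03-12 09:00:10", 529, "jsmith", "WKS01"),
    ("2001-03-12 09:00:13", 529, "jsmith", "WKS01"),
    ("2001-03-12 09:00:16", 539, "jsmith", "WKS01"),
    ("2001-03-12 09:30:00", 529, "bsmith", "WKS02"),   # one typo: no finding
    ("2001-03-12 10:15:00", 531, "temp01", "WKS03"),
    ("2001-03-12 23:58:00", 612, "Administrator", "DC1"),
    ("2001-03-12 23:59:00", 517, "Administrator", "DC1"),
]

def analyze(records):
    """Return (severity, message) findings in timestamp order."""
    parsed = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, host)
                    for ts, eid, acct, host in records)
    findings = []
    failures = defaultdict(list)   # account -> 529 timestamps inside the window
    for ts, eid, acct, host in parsed:
        if eid == 529:
            recent = failures[acct]
            recent.append(ts)
            # drop failures that have aged out of the observation window
            while ts - recent[0] > BRUTE_FORCE_WINDOW:
                recent.pop(0)
            if len(recent) == BRUTE_FORCE_THRESHOLD:
                findings.append(("high", f"possible brute force against {acct} from {host}"))
        elif eid in EVENT_NAMES:
            # a cleared log or changed audit policy blinds the other checks: high severity
            severity = "high" if eid in (517, 612) else "medium"
            findings.append((severity, f"{EVENT_NAMES[eid]} ({acct} on {host})"))
    return findings
```

Running `analyze(SAMPLE_RECORDS)` yields five findings: the brute-force run and lockout for jsmith, the disabled-account attempt, and the two high-severity audit events on DC1.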
Null Credentials
• NetUserEnum
• NetUserGetInfo
• NetGroupEnum
• NetGroupGetInfo
• NetGroupGetUsers
• NetLocalGroupEnum
• NetLocalGroupGetMembers
• NetWkstaGetInfo (not in NT4)
• NetWkstaTransportEnum
• NetServerGetInfo
Case 2: Data Warehouse Security
• Background:
  – Yellow Page publishing company
  – 100,000 customers’ account information and data
  – Over 100 file servers nationally
• Concerns:
  – Primary: Confidentiality
  – Secondary: Integrity and Availability
• Why:
  – Customers’ advertisements are a competitive advantage
  – Need for authorized direct modification of data 24x7
Primary Assessment
• To ensure that:
  – File server directory access controls are appropriate (using a random sample)
  – Agents can update only their authorized companies’ data and only authorized projects within such companies
  – Unauthorized reading of other companies’ information is prohibited
  – Raw data files are not accessible by anyone but programs
User Security Methodology
• Enumerate each individual’s user rights and access privileges – LsaEnumerateAccountsWithUserRight
Resource Security Methodology
• Retrieve the permissions for directories
• Retrieve the permissions for file executables that run as a service (LocalSystem)
• Retrieve the permissions for services – GetNamedSecurityInfo, GetAce, LookupAccountSid
System Security Methodology
• Enumerate scheduled jobs (backups) – NetScheduleJobEnum
Network Security Methodology
• Retrieve the list of shares – NetShareEnum
• Check permissions on shares
• Check permissions on directories that are shared – GetNamedSecurityInfo, GetAce, LookupAccountSid
Auditing Security Methodology
• Retrieve directory auditing lists (SACLs) – GetNamedSecurityInfo, GetAce, LookupAccountSid
Null Credentials
• NetShareEnum
Case 3: Securities Trading
• Background:
  – Company trading securities on the Internet
  – Multiple vendor network segments + Internet customers
  – Entry points on dozens of servers
• Concerns:
  – Primary: Integrity
  – Secondary: Confidentiality and Availability
• Why:
  – Transactions must be accurate, timely, and complete
  – Non-repudiation
Primary Assessment
• To ensure that:
  – No one can modify the data on machines used for trading securities
  – Services cannot be exploited to compromise the domain or local machine
  – A brute force attack will not succeed or go undetected
User Security Methodology
• Identify the parameters used for the password restrictions and account lockout – NetUserModalsGet
• Grab the password hashes and perform a strength assessment – samdump
Resource Security Methodology
• Retrieve the information for each drive and ensure NTFS is in use – GetVolInfo
System Security Methodology
• Enumerate registry values and permissions
  – RegConnectRegistry, RegOpenKeyEx, RegQueryInfoKey, RegEnumKey, RegEnumValue
  – RegGetKeySecurity, GetSecurityDescriptorDacl
• Enumerate services and device drivers – EnumServicesStatus, QueryServiceStatus, QueryServiceConfig
Network Security Methodology
• Check if the built-in administrator can be locked out remotely – LsaOpenPolicy, LsaQueryInformationPolicy, SamConnect, SamOpenDomain, SamQueryInformationDomain
• Assess dial-in settings – RasAdminPortEnum, RasAdminPortGetInfo
Auditing Security Methodology
• Retrieve audit policy information – OpenPolicy, LsaQueryInformationPolicy
Null Credentials
• NetUserModalsGet