Security & MS Windows

by Matthew Cook
Loughborough University
http://www.escarpment.net/

- Physical Security
- Password Security
- Security Holes
- Windows Desktop Security
- Windows NT Security
- Demonstration
- Questions and Answers

Physical Security

"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it."

Gene Spafford

- Secure Location
- BIOS restrictions
- Password Protection
- Boot Devices
- Case Locks
- Case Panels

Password Security

The object when choosing a password is to make it as difficult as possible for a cracker to make educated guesses about your chosen password. This leaves them no alternative but a brute-force search, trying every possible combination of letters, numbers, and punctuation.

- Do not use your login name in any form
- Do not use your first or last name
- Do not use your spouse’s or child’s name
- Do not use your Car Registration etc.
- Do not use a dictionary based password
- Do not use a password shorter than 7 chars
- Do not write it on ‘post-it’ notes

- Use a password with mixed-case characters
- Use a password with a mix of alphanumerics and punctuation
- Use a password that is easy to type to avoid ‘Shoulder Surfers’
- Use the first letters from song titles, song lyrics or film quotations
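
Several of the password rules above can be checked mechanically, and the size of the brute-force search mentioned earlier can be counted. The Python sketch below is an added example, not part of the original presentation. The function names, the small word list, the account details and the sample phrase are all constructed for illustration.

```python
import string

# Constructed sample word list; a real check would load a full dictionary file.
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def check_password(password, login, first_name, last_name,
                   dictionary=SAMPLE_DICTIONARY):
    """Return the list of slide rules that the candidate password breaks."""
    problems = []
    lowered = password.lower()
    # "In any form": look for the name or its reverse anywhere, ignoring case.
    for label, value in (("login name", login), ("first name", first_name),
                         ("last name", last_name)):
        v = value.lower()
        if v and (v in lowered or v[::-1] in lowered):
            problems.append("contains " + label)
    # Strip digits and punctuation so that "dragon99!" is still caught.
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in dictionary or letters_only in dictionary:
        problems.append("dictionary based")
    if len(password) < 7:
        problems.append("shorter than 7 characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    if not (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password)):
        problems.append("no mix of letters, digits and punctuation")
    return problems

def search_space(password):
    """Candidates a brute-force search over the character classes used must try."""
    pool = sum(len(cls) for cls in CLASSES
               if any(c in cls for c in password))
    return pool ** len(password)

def mnemonic(phrase):
    """First letter of each word, keeping the phrase's own capitalisation."""
    return "".join(word[0] for word in phrase.split())

if __name__ == "__main__":
    # Constructed account details and candidate passwords.
    base = mnemonic("We all live in a Yellow Submarine")  # "WaliaYS"
    for candidate in ("dragon99!", "htimsJ1", base + "+66"):
        print(candidate, check_password(candidate, "jsmith", "Jane", "Smith"),
              search_space(candidate))
```

A candidate built from the first letters of a phrase plus digits and punctuation passes every check, while a decorated dictionary word or a reversed surname does not.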

Security Holes

Threats:

- Denial of Service
- Theft of information
- Modification
- Fabrication (Spoofing or Masquerading)

- Physical Security Holes
- Software Security Holes
- Incompatible Usage Security Holes
- Social Engineering
- Complacency

Windows Desktop Security

Advice for 9x system users:

- Upgrade to Windows NT or another OS
- Do not run ‘File and Print sharing’
- Do not run ‘Personal Web Services’
- Remove *.pwl files

Ensure that security updates are installed:

http://www.microsoft.com/windows95/downloads/

Microsoft Security Notification Service

http://www.microsoft.com/technet/security/notify.asp

Windows NT Security

NT Server version 4.0 SP3 appears to provide the range of features and capabilities necessary to support a wide range of business and government tasks in a secure, reliable fashion.

Microsoft 1999

Now for the truth . . . .

Out of the box Windows NT is a security time bomb waiting to explode.

Making Windows NT secure is only achievable by filling all the holes left by the installation.

Ten steps to NT Security

1. Secure System (Physical)

2. Install Service Packs and Hot fixes

3. NTFS

4. Admin Account

5. Permissions

6. Lockouts and Logging

7. Securing the Registry

8. Services and Networking

9. Audits

10. Stay Aware

1. Secure System (Physical)

- Install in location
- Disconnect network
- Set BIOS boot device ordering
- Set BIOS administrator password
- Secure case

2. Install Service Packs and Hotfixes

- Assess the security issues in all new service packs
- Assess the security issues in the post service pack hotfixes
- Currently Microsoft have released Service Pack 6a and five hot fixes

3. NTFS

- Convert your discs to NTFS
- Provides file based security

From a DOS prompt:

CONVERT drive: /FS:NTFS [/V]

4. Admin Account

- Rename the account (passprop.exe)
- Give administrator NO permissions
- Set User Rights Policy
- Use inconspicuous names for all super users and groups

5. Permissions

- Remove the ‘Everyone Group’
- Introduce strong permissions
- Careful use of the System ‘special user’

6. Lockouts and Logging

- Set lockout limits (3 attempts)
- Set activation by administrators only

Policy menu in User Manager allows the setting of security policies

Account Policy

7. Securing the Registry

- Secure registry keys to prevent interactive users changing the registry
- Prevent viewing of sensitive registry keys
- Altering settings to prevent security holes such as null password authentication

Registry Security

8. Services and Networking

- Remove unnecessary Services
- Remove all unnecessary networking bindings
- Set IP based packet filtering

9. Audits

- Use 3rd party software to analyse your machine for security holes
- Set Audit options in User Manager
- Ask another IT administrator to audit your machine

Audit Policy

10. Stay Aware

- Microsoft Security Notification Service: http://www.microsoft.com/technet/security/notify.asp
- Computing Journals
- Colleagues

C2 Configuration

C2 security is the highest government rating for business computing products; it requires the system to have discretionary resource protection and auditing capability.

- C2 to B2 of US TCSEC or Orange Book
- Completed in Dec 1996 by Trusted Systems Services Inc
- The study is available online: http://www.trustedsystems.com/

TCSEC – Trusted Computer System Evaluation Criteria

Security Configuration Manager

- Automatically Secures your system
- Uses Microsoft Management Console
- Available for download from Microsoft: http://www.microsoft.com/NTServer/nts/downloads/recommended/scm/

Windows 2000

- Still in evaluation stages
- Many security holes (Telnet Server)
- Principles for NT can be applied
- Has at least 58 vulnerabilities already

Security & MS Windows

Operating System          # Vulnerabilities
Windows NT 4.0            71
Windows 2000              58
RedHat Linux 6.2 i386     34
Windows ’98               31
Windows ’95               28
Debian Linux 2.1          16
S.U.S.E Linux 6.3         15

Demonstration

Questions and Answers

Bibliography

- Jim Alves-Foss, University of Idaho
- Gene Spafford, National Security Institute
- David A. Curry, National Security Institute
- http://www.securityfocus.com/
- http://www.microsoft.com/
- http://www.trustedsystems.com/