Securing New Technology

Dominique Brezinski

Introduction

We all have a few questions about Windows NT security:

• Is it really secure• Should we be deploying Internet

connected Windows NT systems• What are the current vulnerabilities in NT

Summary of Course

• Security vulnerabilities in the NT architecture and implementation

• Methods for addressing the existing and future security vulnerabilities

• Techniques and tools for assessing security posture

Who is in Attendance?

• Security Auditors?

• System Administrators?

• Developers?

• Others?

Agenda

• Some specifics of the NT security architecture

• Failings from a security perspective

• Securing your NT systems

• Assessing your security practices

NT security Architecture

• Console Logon Process

• Network Logon Process

• Object Access

• Impersonation

Console Logon Process

• Interact with the GINA to give credentials• GINA is the extensible part of WinLogon• WinLogon talks to Authentication

Packages through LSA (Local Security Authority) using LogonUser()

• Current Authentication Package is MSV1_0 (NT LM Security Provider)

• Authentication Package returns security token if credentials are correct

Network Logon Process

• Make connection to Server Service (SMB)• Server Service generates a MSV1_0

compatible challenge and sends it to the client (in a SMB_COM_NEGPROT message)

• Client responds by encrypting the challenge, using the password as the encryption key, and sending it back to the server

Network Logon Process Cont.

• Server Service passes the client’s response and the original challenge to MSV1_0 by calling LsaCallAuthenticationPackage() with the message type MsV1_0Lm20Logon

• The LsaCallAuthenticationPackage() returns a security token to the Server service if everything is successful

Object Access

• Each object has a DACL (Discretionary Access Control List)

• Each Process has a security token (from logon process) attached which contains the identity and privileges of the user context it is executing under

• When a process attempts to access an object, the Security Reference Monitor in the kernel checks to see if the identity or privileges in the token match an ACL entry

Impersonation

• Process obtains a security token for the user to be impersonated through the LogonUser() function or a direct call to a authentication package with LsaCallAuthenticationPackage()

• The process can use this token to temporarily change the user context of a thread to execute as the user (impersonate)

Vulnerabilities and Exploits

Exploits

• Anonymous connections • Network Authentication attacks• Buffer overflows in privileged services• Trojan horses and other file permission

abuses• Privilege escalation through architectural

deficiencies

Anonymous Connections

• Created by using null credentials - net use \\target\IPC$ ““ /user:””

• Prior to SP3 could remotely access the Registry on workstations and some servers

• Can enumerate users, groups, and get SIDs

• Possibly other unknown ramifications

Network Authentication Attacks

• Man in the middle attack on authentication sequence to gain remote access as arbitrary user (fixed in SP3 if message signing is used)

• Password hash grabbing attacks using a known challenge (not fixed in SP3) or brute-force

• Protocol downgrade attacks to obtain plaintext password (fixed in SP3 by default)

Buffer Overflows

• They can happen in NT• WebSite 1.0 had a couple nifty CGI

programs that could be overflowed• The egg (shell code) has been written and

published, so the hard work has been done.

• Services running as SYSTEM or Administrator are the primary targets

Trojan Horses and File Permissions• Targets: files (.exe, .dll, .reg) that will get

executed by a privileged user - Administrator or System

• Extensible portions of the security system are key easy targets - Notification Packages, Password Filters, and GINAs all run under the System context

• FPNWCLNT.DLL is a great example: default Registry entry, but the DLL does not exist on NT 4.0 Workstations.

File Permissions Cont.

• Group Everyone has write permission to %SystemRoot%\system32 by default, so therefore any local user can add a notification package Trojan called FPNWCLNT.DLL that will get called in the System context.

• Group Everyone has FULL CONTROL of %SystemRoot% by default, so even files like poledit.exe and explorer.exe which are (RX) can be changed by anyone.

Privilege Escalation

• On July 4, GetAdmin was released on Usenet.

• GetAdmin gains privilege to attach to another process (SeDebugPrivilege) through a broken kernel API and then creates a thread in the Winlogon process that executes code in GASYS.DLL which adds an arbitrary user to the Administrator’s group. Very naughty ;)

Securing it

Reduce Services

• Only services that are needed should be running - everything else should be disabled.

• NT needs the following services to be started to function correctly: EventLog, Plug and Play, and Remote Procedure Call Service (TCP port 135 will be listening).

• Experiment - start with the above services and only add as needed.

File Permissions

• Don’t give the Everyone group FULL CONTROL of anything

• Check “Guidelines for securing Windows NT-based networks and systems” on www.microsoft.com

• %SystemRoot% and %SystemRoot%\system32 can be (RX) for non admin users

• Removal of execute permission on all executables not needed is a good thing

Registry Permissions

• Make sure HKLM\SYSTEM\CurrentControlSet\Control\SecurePipesServers\Winreg exists and only Administrators have permission to it

• Again, check “Guidelines for securing Windows NT-based networks and systems” on www.microsoft.com

• Use David LeBlanc’s suggestions in the NT Security FAQ

General

• Use a password filter to enforce strong passwords (PASSFILT.DLL from SP2 or write your own)

• Use passprop.exe from the Resource Kit to enable account lockout on Administrator

• Disable Network Logons for administrator equivalent accounts

• Turn on auditing for security events

Specific Fixes for Exploits

• Install SP3 and set the RestrictAnonymous registry value

• Change the DACL of NTOSKRNL.EXE to System and Administrator FULL CONTROL and Everyone EXECUTE (temp hack to fix GetAdmin - not long term)

• Remove FPNWCLNT from HKLM\SYSTEM\CurrentControlSet\Control\Lsa\”Notification Packages”

• Use message signing NT to NT

More Fixes

• Use the TCP/IP Advanced Security options to block all TCP and UDP ports not being used - specifically TCP 135 if not using remote RPC

• Disable the WINS TCP/IP binding under the protocol tab and the Server service if the machine is a single purpose server - WWW, FTP

Assessing Your Security

Tools

• Your security policy• ISS 4.31 for NT• Ballista• Kane Security Analyst• NAT without #define SCANNER (see *hobbit’s

presentation)• A good TCP and UDP port scanner• The Resource Kit(s)• Homebrew (C, TCL, Perl, etc.)

More Tools

• DumpAcl• Cacls• Regedt32• Poledit• Caffiene

Port Scanning

• Do a full TCP and UDP port scan

• Take note of all listening ports and reference them against what you would expect for the services the machine is suppose to be running

• Common listening ports are TCP 135, 137, 138, 139, and several ephemeral ports and UDP 135,137,138, and 139

Service Checks

• Tools like ISS, Ballista, and NAT are very helpful

• Remember port 139 is used by many services: file sharing and services using RPC over named pipes

• Check for all known bugs• Look for unknown or excessive services• See what information can be obtained through

SNMP, netstat, RPC end-point mapper, and remote Registry access

File Permission Checks

• Print out list of all users and groups• Use a tool like DumpAcl or Cacls to print out

a list of all file and directory permissions• Use your security policy as the basis for

ACL checks• Look for situation like directories with FULL

CONTROL granted to a group that should not have access to some files within the directory

Registry Permission Checks

• Use Regedt32 or DumpAcl to list ACLs for HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT

• Again, use your security policy as a basis for your checks

• Look for situations where users can read or write sensitive keys and values

• The SNMP community name and AutoLogon password are viewable by everyone by default

Known Vulnerability Checks

• Check for all know vulnerabilities• Look for potentially exploitable conditions

like the ability to overwrite executables and dynamic link libraries

• Check for Registry keys and values writeable by non-administrators - there are several places by default that everyone can change which can lead to Trojan horses (.reg associations)

Policy Enforcement

• Is auditing enabled?

• Are password length and lifetime checks enabled?

• Do users belong to the correct groups?

• Kane Security Analyst is a good tool for this stuff

Summary

• We have covered the basics of how NT security operates, what some major problems are, strategies to tighten up security, and some methods for checking your risks

• Experiment with this knowledge - use it as a starting point and take tangents

Where to get more information

• http://www.microsoft.com/workshop/prog/security/guidesecnt.htm

• http://www.ntsecurity.net• mailing list at ntsecurity@iss.net• mailing list at ntbugtraq@rc.on.ca• mailing list at bugtraq@netspace.org• dominique.brezinski@cybersafe.com