Securing Windows Networks – Security Advice From The Front Line. Presented by Jithesh Nair – Networking Specialist, People Institute of Management Studies, Munnad, Kasaragod


Page 1: Windows network

Securing Windows Networks – Security Advice From The Front Line

Presented by Jithesh Nair – Networking Specialist, People Institute of Management Studies, Munnad, Kasaragod

Page 2: Windows network

Agenda

Revealing Hacker Personas
Top Security Mistakes Everyone Seems To Make
Securing Windows Networks
Staying Secure
Secure Windows Initiative
Security Improvements in XP Service Pack 2

Page 3: Windows network

Revealing Hacker Personas

Page 4: Windows network

Overview – Revealing Hacker Personas

Automated vs. Targeted Attacks
Revealing Hacker Personas: Lame, Skilled, Sophisticated
Why YOU Were Selected and How You Got 0wn3d

Page 5: Windows network

Hacker Personas

Automated Attacks: “spreaders”, “scan’n sploit tools” or “auto-rooters”; worms that drop bots or Trojans
Targeted Attacks: 0-day exploits; custom attacks that exploit the weaknesses of your Internet presence

Page 6: Windows network

Hacker Personas

Lame – ~75% of all intrusions
Motive: wants your storage and bandwidth
Method: use of spreaders, bots and well-known exploits
Abilities: limited high-level language ability
Payload: usually FTP servers and backdoors, disguised with a ‘clever’ service name such as a “TCP/IP” service, a “System Security” service or a “Microsoft ISA Server Common Files” service

Page 7: Windows network

Hacker Personas

Skilled – ~24% of all intrusions?
Motive: wants to explore your network and use your storage and bandwidth; wants to avoid discovery as much as possible
Method: customized intrusion based on identified vulnerabilities in multiple operating systems or applications
Abilities: advanced HLL, some ASM
Payload: FTP servers, keyloggers, backdoors, sniffers, password dumpers

Page 8: Windows network

Hacker Personas

Sophisticated – < 1% of all intrusions?
Motive: wants your money or your secret / confidential data
Method: can customize the intrusion based on any number of identified vulnerabilities in a variety of operating systems and applications, possibly using 0-day exploits
Abilities: advanced HLL, advanced ASM
Payload: rootkits, a single backdoor DLL, an extortion letter!

Page 9: Windows network

Hacker Personas

Why you were selected and how you got 0wn3d . . .
Odds are great you were 0wn3d by a lamer
You were easily identified as a Windows host through a simple port-scan (no firewall)
You are on a big fat pipe (possibly hosted)
You have weak passwords or missing security patches due to a missing or ineffective security policy

Page 10: Windows network

Demonstration

Windows Rootkit – Hacker Defender

Page 11: Windows network

Top Security Mistakes Everyone Seems To Make

Page 12: Windows network

Top Security Mistakes
Weak or non-existent password policy
No audit policy
Sporadic security patch policy
Patching the OS, but not the apps
Weak or non-existent firewall policy
No egress filtering
No knowledge of how to securely build a new box, which leads to: Hacked? Rebuild! Hacked again!?

Page 13: Windows network

How To End The Cycle of Violence
Install from a slipstreamed source (don’t have one? Make one!)
Patch or enable a host-based firewall (or both) and only then connect to the network
Don’t reuse the previous admin password, including the SQL SA password
Don’t share local admin passwords across OS installations: that leads to “exploit once, run everywhere”
Patch the applications (SQL, IIS, Exchange etc.)

Page 14: Windows network

Securing Windows Networks

Page 15: Windows network

Overview – Securing Windows Networks
System Administrator Personas
An example of what not to do
Threats & Countermeasures – Pruning The Low Hanging Fruit

Page 16: Windows network

System Admin Personas

Default Skilled Sophisticated

Page 17: Windows network

System Admin Personas

Default
Puts servers right on the Internet with no firewall
Runs a couple of service packs behind (N-2) and doesn’t know how to keep up to date with security patches
No password policy
No audit policy
All default configurations and settings (all defaults, all the time)

Page 18: Windows network

System Admin Personas

Skilled
Uses Internet IPs, but has router ACLs
Latest OS SP and all OS critical updates, but hasn’t patched the applications in a while, if at all
6 character passwords with account lockouts
Only audits logon events and monitors for account lockouts by checking event logs periodically
Suspicious of default settings
Performed some OS hardening by hand, but didn’t harden the applications

Page 19: Windows network

System Admin Personas

Sophisticated
Uses a firewall with NAT and ingress / egress filtering
Uses an IDS / IPS in the DMZ network
Ensures critical security patches are tested and deployed within 24 hours, with a rollback plan
12 character passwords, not shared anywhere, no account lockout, may use 2-factor authN
Audits everything, archives audit logs daily
Hardened OS using security templates / group policy; hardened applications

Page 20: Windows network

What Not To Do . . .
Configure your system with an Internet-routable IP address
Run multiple applications / services on one box: Active Directory, IIS, SQL, Exchange, PCAnywhere, 3rd party software
Avoid installing patches
Don’t have a password policy: what are the odds that someone would guess ‘666’ is my admin password?

Page 21: Windows network

If you do this, here’s what the hackers see . . .

Page 22: Windows network

Threats – Low Hanging Fruit: Overview
NULL Session Enumeration
Password / Account Lockout Attacks
Password Hash Attacks
Remote Code Execution Vulnerabilities
Physical Attacks
Unauthorized Network Access
The VPN “firewall bypass” Server

Page 23: Windows network

Threat – NULL Session Enumeration
Understanding the ‘NULL’ user
A network connection, usually over NetBIOS (TCP 139) or direct-hosted SMB (TCP 445), in which no credentials have been passed
A network token is created on the server for the client, and the ‘Everyone’ SID is added to that token
The token can now enumerate sensitive information (users, groups, shares, policy) using the Net* APIs that the ‘Everyone’ SID has permissions to!

Countermeasures
RestrictAnonymous=2 on Windows 2000; on Windows XP / Server 2003 the equivalent is RestrictAnonymous=1 plus RestrictAnonymousSAM=1 and EveryoneIncludesAnonymous=0 (the ‘Everyone’ SID is no longer added to anonymous tokens by default)
Block access to TCP 139/445 from untrusted networks
Stop the Server service where the machine does not need to share files
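As an added example (not part of the original slides), the following PowerShell audits the registry values that control NULL session enumeration on Windows 2000 and later, optionally remediates them, and tests whether a host still accepts an anonymous IPC$ connection. It assumes local administrator rights for the -Remediate switch; the host name passed to Test-NullSession is a hypothetical placeholder.

```powershell
# Added example, not from the original presentation. Audits the LSA and Server
# service settings behind NULL session enumeration and tests for a null session.

function Get-NullSessionPosture {
    [CmdletBinding()]
    param([switch]$Remediate)

    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # RestrictAnonymous=2 is the Windows 2000 form; XP / Server 2003 split it into
    # RestrictAnonymousSAM=1 and EveryoneIncludesAnonymous=0, so both are checked.
    $checks = @(
        @{ Path = $lsa; Name = 'RestrictAnonymous';         Want = @(1, 2) }
        @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Want = @(1) }
        @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Want = @(0) }
    )

    $results = @()
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.($c.Name) } else { $null }
        $ok    = ($null -ne $value) -and ($c.Want -contains $value)

        if (-not $ok -and $Remediate) {
            # Apply the most restrictive accepted value (last entry in Want).
            $new = $c.Want | Select-Object -Last 1
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $new -Type DWord
            $value = $new
            $ok    = $true
        }
        $results += [pscustomobject]@{ Setting = $c.Name; Value = $value; Compliant = $ok }
    }

    # Pipes and shares listed here are reachable by anonymous clients even when
    # RestrictAnonymous is set, so an empty list is the compliant state.
    $p = Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue
    foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
        $list = @($p.$name) -join ','
        $results += [pscustomobject]@{ Setting = $name; Value = $list; Compliant = ($list -eq '') }
    }
    return $results
}

function Test-NullSession {
    # The classic check: net use \\host\IPC$ "" /user:""  with an empty user and
    # password. Returns $true if the server accepted the anonymous connection.
    param([Parameter(Mandatory)][string]$Target)

    $unc = "\\$Target\IPC$"
    $null = & net.exe use $unc '""' /user:'""' 2>&1
    $accepted = ($LASTEXITCODE -eq 0)
    if ($accepted) { $null = & net.exe use $unc /delete /y 2>&1 }
    return $accepted
}

Get-NullSessionPosture | Format-Table -AutoSize
# Test-NullSession -Target 'fileserver01'   # hypothetical host name; run from another machine
```

Run the audit first without -Remediate and compare the result with Test-NullSession from a second host: a server that reports compliant settings but still accepts the anonymous IPC$ connection usually has TCP 139/445 exposed with a NullSessionPipes or NullSessionShares entry that re-opens what the LSA settings closed.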

Page 24: Windows network

Threat – Password Attacks / Account Lockout Attacks
Any service that exposes an authN protocol is at risk of password guessing attacks: NetBIOS, SMB, RDP, IIS, FTP etc.
The same exposure turns an account lockout policy into a denial-of-service tool: an attacker who can reach the service can lock out every account they can enumerate

Countermeasures
Use strong passwords instead of an account lockout policy (lockout only protects weak passwords, and gives the attacker a DoS)
Educate administrators and users on how to create strong passwords
Block access to ports that allow authentication from unauthorized networks (i.e. the Internet) with a firewall or an IPSec port filtering policy
Shut down un-needed services (Server service, FTP service etc.)

Page 25: Windows network

Threat – Password Hash Attacks
Online attacks
Dumping password hashes from LSASS while the operating system is running: Pwdump*.exe, L0phtCrack 5

Countermeasures
Require 2-factor authentication
Prevent malicious code from running in the context of Administrator or SYSTEM
Since this attack requires elevated privileges, any steps taken to counter it can be undone by code running with those same elevated privileges
Arriving at this point means your security posture has already failed elsewhere and you have other security issues to deal with

Page 26: Windows network

Threat – Password Hash Attacks
Man In the Middle Attacks
Sniffing authentication exchanges that are derived from the user’s password (LM, NTLM/NTLMv2 challenge-response, Kerberos pre-authentication) between client and server, then cracking the password offline
Everyone seems to think Kerberos solved the MITM password-cracking attack! It did not, per the Kerberos v5 RFC (RFC 1510): "Password guessing" attacks are not solved by Kerberos. If a user chooses a poor password, it is possible for an attacker to successfully mount an offline dictionary attack by repeatedly attempting to decrypt, with successive entries from a dictionary, messages obtained which are encrypted under a key derived from the user's password.

Page 27: Windows network

Threat – Password Hash Attacks Man In the Middle Attacks

Tools available for LM/NTLM and Kerberos v5: ScoopLM / BeatLM / Kerbcrack / LC5
Security Friday demonstrated cracking NTLMv2 at Black Hat on a 16-node Beowulf cluster in 2002!
All researchers agree the solution is strong passwords!

Countermeasures
Use 2-factor authentication on Windows 2000 and later networks: this allows the use of the PKINIT Kerberos extension, which replaces the password-derived key with public/private keys for the initial TGT request at logon
Use strong passwords of 10 characters or more
Use IPSec ESP to encrypt all network traffic
Use 802.1x authentication to keep rogue users off your network

Page 28: Windows network

Threat – Password Hash Attacks
Assume password hashes will eventually be obtained, allowing:
Brute-force attacks
Dictionary attacks
Hybrid attacks (use a dictionary word, then brute-force a few extra characters)
Pre-computation attacks (rainbow tables) – the latest craze . . .
L0phtCrack 5 utilizes all these methods for cracking hashes

Countermeasures
Don’t worry about your hashes being stolen – make them immune to reversing in any reasonable amount of time!
Use complex passwords of 10 characters or more
Or better yet pass-phrases! NT-based operating systems accept pass-phrases of up to 127 characters, and anything longer than 14 characters cannot be stored as an LM hash at all
Change them every 60 days or less
Minimum time before a password can be changed again: 1 day
Number of previous passwords remembered: at least 24
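The thresholds above can be checked against a machine’s effective policy. The following PowerShell is an added example (not from the original slides): it exports the local security policy with secedit.exe and compares the [System Access] password settings with the values recommended on this slide. It assumes Windows XP / Server 2003 or later with administrative rights; on a domain member the exported values reflect the Default Domain Policy that actually applies.

```powershell
# Added example, not from the original presentation. Audits the effective
# password policy against the thresholds given on the slide.

function Get-PasswordPolicyFindings {
    [CmdletBinding()]
    param(
        [int]$MinLength   = 10,   # slide: 10 characters or more
        [int]$MaxAgeDays  = 60,   # slide: change every 60 days or less
        [int]$MinAgeDays  = 1,    # slide: 1 day before it can be changed again
        [int]$HistorySize = 24    # slide: remember at least 24 previous passwords
    )

    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    $section = @{}
    try {
        $null = & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet
        if (-not (Test-Path $cfg)) { throw 'secedit export failed (run as administrator)' }

        # The export is an INI-style file; only the [System Access] section matters here.
        $inSystemAccess = $false
        foreach ($line in Get-Content $cfg) {
            if ($line -match '^\[(.+)\]$') { $inSystemAccess = ($Matches[1] -eq 'System Access'); continue }
            if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
                $section[$Matches[1]] = $Matches[2]
            }
        }
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }

    $minLen  = [int]$section['MinimumPasswordLength']
    $maxAge  = [int]$section['MaximumPasswordAge']    # -1 means "never expires"
    $minAge  = [int]$section['MinimumPasswordAge']
    $history = [int]$section['PasswordHistorySize']
    $complex = [int]$section['PasswordComplexity']
    $lockout = [int]$section['LockoutBadCount']       # 0 = no lockout, as the slide recommends

    @(
        [pscustomobject]@{ Setting = 'MinimumPasswordLength'; Actual = $minLen;  Required = "$MinLength+";           Pass = ($minLen -ge $MinLength) }
        [pscustomobject]@{ Setting = 'MaximumPasswordAge';    Actual = $maxAge;  Required = "1..$MaxAgeDays days";   Pass = (($maxAge -gt 0) -and ($maxAge -le $MaxAgeDays)) }
        [pscustomobject]@{ Setting = 'MinimumPasswordAge';    Actual = $minAge;  Required = "$MinAgeDays+ days";      Pass = ($minAge -ge $MinAgeDays) }
        [pscustomobject]@{ Setting = 'PasswordHistorySize';   Actual = $history; Required = "$HistorySize+";          Pass = ($history -ge $HistorySize) }
        [pscustomobject]@{ Setting = 'PasswordComplexity';    Actual = $complex; Required = '1 (enabled)';            Pass = ($complex -eq 1) }
        [pscustomobject]@{ Setting = 'LockoutBadCount';       Actual = $lockout; Required = '0 (strong passwords instead)'; Pass = ($lockout -eq 0) }
    )
}

Get-PasswordPolicyFindings | Format-Table -AutoSize
```

Each row reports the value secedit exported next to the slide’s recommendation, so a failing MaximumPasswordAge of -1 (never expires) or a LockoutBadCount above zero stands out immediately; the parameters let an organisation with a stricter standard raise the thresholds without editing the parser.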

Page 29: Windows network

Threat – Password Hash Attacks

[Chart: RainbowCrack Password Cracking Effort vs Password Length. Y axis: Time to Crack (Days); X axis: Password Length 6 to 11, for 60-day passwords. Values: 6, 7 and 8 characters – subsecond; 9 characters – 1.4 hours; 10 characters – 137 days; 11 characters – 1,878 years.]

Data from Microsoft calculations based on Philippe Oechslin’s algorithms with a 1 Terabyte RainbowCrack database (the research that is the basis for the new attack).

Page 30: Windows network

Threat – Password Hash Attacks

Page 31: Windows network

Threat – Remote Code Execution
RCE vulnerabilities in exposed network services allow malicious attackers to run code of their choice on a remote system
Stack & heap overflows
Integer under/overflows
Format string vulnerabilities

Countermeasures
Disable unnecessary services
Block unnecessary ports
Install all critical security updates within 24 hours
Write secure code
Run critical services using the new built-in low-privileged accounts (LocalService and NetworkService on Windows XP / Server 2003) instead of LocalSystem
Compile C++ code with the VC7 compiler /GS switch
Use behavioral blocking software (Sana Security products)
Use Intrusion Prevention Systems

Page 32: Windows network

Threat – Physical Attacks
Assume the worst – physical theft of the machine

Countermeasures
SYSKEY in mode 2 or 3: key stored in your head (mode 2, boot password) or key stored on a floppy (mode 3). Mode 1, the default, keeps the key on the local disk, so it does not protect against offline attacks
Protects the password hashes in the SAM with 128-bit symmetric encryption
Either mode prevents the ‘Nordahl’ boot-disk attack (offline editing of the SAM) and also prevents DS Restore mode style attacks
EFS can be used to encrypt sensitive information

Page 33: Windows network

Threat – Unauthorized Network Access
Applies to both wired and wireless networks
An unauthorized user connects or associates with the network and receives an IP address, then starts scanning, enumerating and hacking

Countermeasure
Use 802.1x to authenticate network clients before allowing them to use the network
Port-based authentication (requires supporting hardware infrastructure)

Page 34: Windows network

Threat – VPN Servers
VPN servers usually allow users unfiltered access to the corporate intranet
Users contaminate the intranet with malware they’ve collected while surfing the Internet (worms, etc.)

Countermeasure
Employ a network quarantine solution
Quarantines VPN users in a DMZ network while the machine is checked for security policy compliance
After the machine passes the check, its packets are routed; if the machine fails the check, the connection is dropped

Page 35: Windows network

Countermeasures – Summary
The vast majority of security threats can be fully mitigated by doing two things well: passwords and security updates
Security should not be ‘bolted on’: design security into the solution from the beginning

Page 36: Windows network

Microsoft Solutions for Security
Review the new Security Guidance Center: http://www.microsoft.com/security/guidance/default.mspx
Windows 2000 Security Hardening Guide: http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/default.mspx
Windows 2000 Solution for Securing Windows 2000 Server: http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx
Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14846 – covers environments running Win9x and later! This is our best solution for securing Windows networks!

Page 37: Windows network

Windows Server 2003 Security Guide Theme
Group Policy can be used to automate the application of security hardening and threat countermeasures through pre-defined security templates applied to GPOs
Automated – policy is applied as machines join the domain or are moved into organizational units
The Windows 2000 and Windows Server 2003 Solutions for Security come with pre-configured, ready-to-deploy templates
Obviously you should test them before deploying them in a production environment: they WILL break something

Page 38: Windows network

Windows Server 2003 Security Guide

Provides 3 different security levels for the enterprise
Legacy Client (compatible with Win9x – XP)
Enterprise Client (compatible with 2000 & XP only)
High Security Client (compatible with 2000 & XP only)

Page 39: Windows network
Page 40: Windows network

Demonstration

Securing Windows Servers using Group Policy

Page 41: Windows network

Staying Secure

Page 42: Windows network

Overview – Staying Secure

Awareness: Security Alert Notification Services, Vulnerability Assessment
Responding to Security Events: Patch Warfare – Thursday, Tutorial 6; Incident Response – Thursday, Tutorial 6

Page 43: Windows network

Staying Secure

Security Alert Notification Service
Get e-mail alerts of Microsoft security bulletins for all Microsoft products
Plain-text e-mail, PGP signed with the MSRC PGP key
http://www.microsoft.com/security/security_bulletins/alerts2.asp

Page 44: Windows network

Staying Secure

Vulnerability Assessment
Microsoft Baseline Security Analyzer 1.2: local or remote vulnerability & patch scanner
Scans for Windows, IE, IIS, SQL, MSDE, Exchange, Office, Commerce, BizTalk, SNA and HIS vulnerabilities / patches
English, German, French or Japanese builds!

Page 45: Windows network

Staying Secure

MBSA Pros and Cons
Pros: free; great product coverage; agent-less
Cons: requires authentication with the remote machine and the Remote Registry and Server services; slow when scanning large networks; no easy way to aggregate the XML output

Page 46: Windows network

Staying Secure

3rd party vulnerability assessment software: ISS Internet Scanner / System Scanner, Foundstone FoundScan
Much more in-depth than MBSA 1.2

Page 47: Windows network

Secure Windows Initiative

Page 48: Windows network

Secure Windows Initiative

Microsoft’s New Security Culture
Started with Bill Gates’ Trustworthy Computing memo
Led to SD3+C: Secure by Design, Secure by Default, Secure in Deployment + Communications
Secure Windows Initiative: Windows Server 2003 is the first product to result from SWI, and makes use of many Attack Surface Reductions (ASRs)

Page 49: Windows network

Secure Windows Initiative – SD3+C

Secure by Design
► Code reviews
► IIS re-architecture
► Threat models
► $200M investment

Secure by Default
► 60% less attack surface area by default compared to Windows NT 4.0 SP3
► Services off by default
► Services run at lower privilege

Secure in Deployment
► Configuration automation
► Identity management
► Monitoring infrastructure
► Prescriptive guidance

Communications
► Community investment
► Architecture webcasts
► Writing Secure Code 2.0

Page 50: Windows network

Secure Windows Initiative
Does SWI work? Let’s have a look . . .
MS03-007, a vulnerability exploited through IIS 5.0 + WebDAV. Windows Server 2003 / IIS 6 was not affected because:
IIS 6 is not installed by default
If it was installed, WebDAV is disabled by default
If WebDAV was enabled, IIS 6 rejects long URLs by default
If it didn’t reject long URLs, the buffer overflow would occur in a low-privilege worker process, not a process running as SYSTEM

Page 51: Windows network

Secure Windows Initiative

Are there other examples?
MS04-011 fixes 14 Windows vulnerabilities. Of these 14, the LSASS and PCT vulnerabilities are critical on Windows 2000, and exploits were in the wild days after the patch was released!

Page 52: Windows network

Secure Windows Initiative

These vulnerabilities were rated as ‘Low’ on Windows Server 2003 – why? Attack Surface Reductions (ASRs) as a result of SWI:
PCT is not enabled by default!
The LSASS vulnerability is not remotely exploitable by default!

Page 53: Windows network

Secure Windows Initiative

Want more? Coming soon:
Secure Server Roles for Windows Server 2003 – a task-based security wizard to further automate hardening of WS2003 server roles
Windows XP Service Pack 2 – the most secure consumer operating system to date!

Page 54: Windows network

Security Improvements in XP Service Pack 2

Page 55: Windows network

Security Improvements in XP SP2

Overview Network Protection Technologies Memory Protection Technologies Safer E-Mail Safer Browsing Windows Installer 3.0

Page 56: Windows network

Network Protection Technologies

Alerter & Messenger – GONE! (Okay, disabled)
Universal Plug & Play also disabled by default
Bluetooth network stack included by default, but disabled unless a WHQL Bluetooth device is present

Page 57: Windows network

Network Protection Technologies

DCOM – locked down by default!
Previously there was no way for administrators to enforce a machine-wide access policy for all DCOM applications
XP has over 150 DCOM servers out of the box!
Many DCOM applications have weak “Launch” and “Access” permissions that allow anonymous remote activation / access!
Administrators had no way to centrally manage / override these settings!

Page 58: Windows network

Network Protection Technologies
DCOM Solution: a machine-wide access check is performed before any server-specific access checks
Starting with XP SP2, only administrators can remotely launch / activate DCOM servers!
Everyone is granted local launch, activation and call permissions

Page 59: Windows network

Network Protection Technologies

RPC – locked down by default (RPC Interface Restriction)
Previously RPC interfaces were wide open for anonymous access
SP2 adds the RestrictRemoteClients setting and enables it by default: all remote RPC clients must authenticate
The Endpoint Mapper (EPM) now requires authN too; you must set EnableAuthEpResolution to 1 on clients to get EPM resolution working again against a restricted server
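Both the RPC restriction on this slide and the DCOM machine-wide limits two slides earlier live in the registry. As an added example (not from the original slides), the PowerShell below reads those values and reports whether each is at the hardened SP2 default; it assumes Windows XP SP2 / Server 2003 SP1 or later and administrative rights to read HKLM. The machine-wide DCOM limits are stored as binary security descriptors, so they are decoded to SDDL for inspection rather than judged.

```powershell
# Added example, not from the original presentation. Reads the XP SP2 RPC and
# DCOM restriction settings. RestrictRemoteClients: 0 = none, 1 = SP2 default
# (remote RPC clients must authenticate), 2 = high (no anonymous RPC at all).
# If the policy value is absent, the SP2 built-in default of 1 applies.

function Get-RpcDcomPosture {
    $rpcPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
    $ole       = 'HKLM:\SOFTWARE\Microsoft\Ole'

    function Read-RegValue($path, $name) {
        $p = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $p) { return $null }
        return $p.$name
    }

    function ConvertTo-Sddl($bytes) {
        # Machine-wide launch/access limits are self-relative security descriptors.
        if ($null -eq $bytes) { return '(not set: built-in SP2 defaults apply)' }
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor(([byte[]]$bytes), 0)
        return $sd.GetSddlForm('All')
    }

    $restrict = Read-RegValue $rpcPolicy 'RestrictRemoteClients'
    $epAuth   = Read-RegValue $rpcPolicy 'EnableAuthEpResolution'

    [pscustomobject]@{
        RestrictRemoteClients    = $restrict
        RpcRestrictionOk         = ($null -eq $restrict) -or ([int]$restrict -ge 1)
        EnableAuthEpResolution   = $epAuth
        # Only matters on machines that are RPC *clients* of a restricted server.
        EndpointMapperAuthOk     = ([int]$epAuth -eq 1)
        EnableDCOM               = Read-RegValue $ole 'EnableDCOM'
        MachineLaunchRestriction = ConvertTo-Sddl (Read-RegValue $ole 'MachineLaunchRestriction')
        MachineAccessRestriction = ConvertTo-Sddl (Read-RegValue $ole 'MachineAccessRestriction')
    }
}

Get-RpcDcomPosture | Format-List
```

In the SDDL output, an ACE granting remote launch or activation to S-1-1-0 (Everyone) or S-1-5-7 (Anonymous) in MachineLaunchRestriction means someone has re-opened what SP2 closed; the SP2 default only lists Administrators (BA) for the remote rights.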

Page 60: Windows network

Network Protection Technologies
Windows Firewall (the software formerly known as ICF)
Boot-time security
On by default for all interfaces, with a global configuration (all interfaces can share the same configuration)
Local subnet restriction
Command-line support (via netsh) for scriptomatic configuration (think logon scripts)
“On with no exceptions”
Exception list
Multiple profiles
RPC support
Restore defaults
Unattended setup for OEMs
Multicast / broadcast support
New and improved Group Policy configuration (via System.adm)
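The netsh scripting the slide alludes to, as an added example that is not part of the original presentation: a logon-script style baseline that turns the firewall on, closes file and print sharing, and allows Remote Desktop only from the local subnet. The first function uses the XP SP2 “netsh firewall” context; the second produces the same posture on Vista and later, where that context was replaced by “netsh advfirewall”. It assumes administrative rights and that TCP 3389 is the one administrative exception wanted; run with -Apply to change settings, otherwise it only reports.

```powershell
# Added example, not from the original presentation. Logon-script style
# Windows Firewall baseline via netsh, with a check function for reporting.
param([switch]$Apply)

function Set-LegacyFirewallBaseline {
    # XP SP2 / Server 2003 SP1 "netsh firewall" context.
    & netsh.exe firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
    & netsh.exe firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL          # closes 139/445
    & netsh.exe firewall set portopening protocol=TCP port=3389 name="Remote Desktop" mode=ENABLE scope=SUBNET profile=ALL
    & netsh.exe firewall set logging filelocation="$env:SystemRoot\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE
}

function Set-AdvFirewallBaseline {
    # Vista and later "netsh advfirewall" context: block inbound by default,
    # allow outbound, one inbound rule for RDP restricted to the local subnet.
    & netsh.exe advfirewall set allprofiles state on
    & netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
    & netsh.exe advfirewall set allprofiles logging droppedconnections enable
    & netsh.exe advfirewall firewall delete rule name="RDP from local subnet" | Out-Null
    & netsh.exe advfirewall firewall add rule name="RDP from local subnet" dir=in action=allow protocol=TCP localport=3389 remoteip=localsubnet
}

function Test-FirewallEnabled {
    # $true when every profile reports the firewall as on. Tries the modern
    # context first and falls back to the legacy one on XP.
    $out = & netsh.exe advfirewall show allprofiles 2>$null
    if ($LASTEXITCODE -eq 0 -and $out) {
        $states = @()
        foreach ($line in $out) {
            if ($line -match '^State\s+(\w+)') { $states += $Matches[1] }
        }
        return ($states.Count -gt 0) -and (@($states | Where-Object { $_ -ne 'ON' }).Count -eq 0)
    }
    $out = & netsh.exe firewall show opmode
    return [bool]($out -match 'Operational mode\s*=\s*Enable')
}

if ($Apply) {
    if ([Environment]::OSVersion.Version.Major -ge 6) { Set-AdvFirewallBaseline } else { Set-LegacyFirewallBaseline }
}
"Firewall enabled on all profiles: $(Test-FirewallEnabled)"
```

Keeping the exception scoped to the subnet is the part that matters: an “allow 3389 from anywhere” rule pushed by a logon script turns the firewall into the password-guessing exposure described under Password Attacks earlier in the deck.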

Page 61: Windows network

Memory Protection Technologies
Introducing Data Execution Prevention (DEP / NX)
Buffer overflows usually place ‘shellcode’ on the stack or in the heap and redirect execution to that location
NX marks stack / heap pages as non-executable, preventing this mal-code from running
User-mode apps that attempt to execute code from such pages take an access violation (AV); kernel-mode drivers that do so bluescreen
Hardware-enforced DEP is supported on AMD64, IA64 and the forthcoming x64 Intel CPUs, for both 32-bit and 64-bit Windows XP

Page 62: Windows network

Memory Protection Technologies

/GS – stack-based buffer overflow protection
Places a ‘canary’ (security cookie) value on the stack between the function’s local buffers and the saved frame pointer / return address
The cookie is checked when the function returns, before the saved return address is used, to make sure the stack frame hasn’t been overwritten
If the canary value has changed, the process is terminated instead of allowing the attacker’s code to execute
Caveat: /GS only catches overwrites that pass over the cookie on the way to the return address; it does not stop overflows that corrupt other local variables, heap data or exception handler records

Page 63: Windows network

Safer E-Mail
Outlook Express will read all e-mail as plain text by default, which blocks HTML e-mail exploits
“Don’t download external HTML content”: if you choose to render HTML e-mail, external HTML content is not rendered / downloaded, which blocks “web bugs” etc.
AES API (Attachment Execution Service): apps no longer have to roll their own attachment handling code (can be shared by IM, e-mail etc.)

Page 64: Windows network

Safer Browsing
Internet Explorer
Add-On Management / Crash Protection
Binary Behaviors locked down now: an option appears in each zone for configuring them
BindToObject mitigation: the ActiveX security model is now applied to URL binding
Microsoft Java VM can be disabled per zone
Local Machine Zone lockdown: all local files / content processed by IE run in the LMZ, where no ActiveX objects are allowed, scripts are set to Prompt, Binary Behaviors are disallowed and there is no Java!

Page 65: Windows network

Safer Browsing

Internet Explorer
Improved MIME handling: 4 different checks are performed (file extension, Content-Type and Content-Disposition from the header, and MIME sniffing)
Object caching / scope: objects lose scope when browsing to a different domain / FQDN, so sites can no longer access cached objects from other sites
POP UP BLOCKER!!!!!
“Never trust content from Publishername”
One prompt per control per page, which defeats the endless-loop attack of re-prompting the user until they click Yes

Page 66: Windows network

Safer Browsing

Internet Explorer
Authenticode dialog box supports ellipses: annoying ActiveX controls with overly long descriptions can now be viewed
Window restrictions prevent UI spoofing attacks
Script sizing / repositioning restrictions prevent scripts from moving windows to hide URL bars / status bars etc.
Status bar always visible: scripts can no longer disable it

Page 67: Windows network

Safer Browsing

Internet Explorer
Script pop-up window placement: pop-ups are now constrained so that they
Do not extend above the top or below the bottom of the parent Internet Explorer Web Object Control (WebOC) window
Are smaller in height than the parent WebOC window
Overlap the parent window horizontally
Stay with the parent window if the parent window moves
Appear above their parent so other windows (such as a dialog box) cannot be hidden
Mitigates chromeless window attacks

Page 68: Windows network

Safer Browsing

Internet Explorer
Zone Elevation blocks: Internet Explorer prevents the overall security context for any link on a page from being higher than the security context of the root URL
Scripts cannot navigate from the Internet Zone to the Local Machine Zone, AND the Local Machine Zone is now locked down by default even if it could happen!
Zone Elevation attacks are one of the most exploited IE attack vectors

Page 69: Windows network

Windows Installer 3.0
SUS 2.0 will utilize MSI 3.0
Improved inventory functions across user and installation contexts
Support for binary delta compression, which makes patches smaller / quicker to download
Patch sequencing: authors can provide an explicit installation order
Supports WinHTTP (vs. WinInet) for web downloads
No longer interactive: it runs as SYSTEM, and interactive SYSTEM services can be “shattered”

Page 70: Windows network

Demonstration (time permitting)
Out of Box Experience
Automatic Updates
Security Center
Windows Firewall
RPC Hardening
Internet Explorer Add-ons Manager

Page 71: Windows network

For More Details Contact Me: 9961731733
www.pims.ac.in

So are we there yet?

We’re getting there, stay tuned . . .