Windows 2003 Security Hints

Transcription

1 Windows 2003 Security Hints Security Event April 28, 2004 Pae 1 Aenda The Power of Group Policies Local Policies Active Directory Services (Oranizational Units) Group Policy Manaement Console Administrative Templates Demonstrations Rainbow Crack Software Restriction Domain Trust Vulnerability Hardeninlists of Compass Security Security Event April 28, 2004 Pae 2 1

2 Policies Usin Group Policy and its extensions, you can: Manae reistry-based policy throuh Administrative Templates. Group Policy creates a file that contains reistry settins that are written to the User or Local Machine portion of the reistry database (like application settins for IE and Outlook). Assin scripts (such as computer startup and shutdown, and loon and looff). Redirect folders from the Documents and Settins folder on the local computer to network locations (My documents). Manae applications (assin, publish, update, or repair). To do this, you use the Software Installation extension. Specify security options includin Software Restriction. Security Event April 28, 2004 Pae 3 Local Policies Run mmc File Add/remove Snap-In Add Group Policy Security Event April 28, 2004 Pae 4 2

3 ADS (OU-Structure) OU s are used to roup similar objects Objects can be users or computers Policy can be attached to an OU in order to apply the settins to all OU members OU=Oranizational Unit, ADS=Active Directory Services Security Event April 28, 2004 Pae 5 Group Policy Manaement Console Security Event April 28, 2004 Pae 6 3

4 Administrative Templates Lock the user down in order to ain security and lower the load of the help desk. Security Event April 28, 2004 Pae 7 Demonstration 1 Rainbow Crack Time-Memory Tradeoff Security Event April 28, 2004 Pae 8 4

5 Rainbowcrack: Overview Rainbow Crack Time/Memory Tradeoff Bases on precomputed tables Idea: Execute the exhaustive work in advance and store all password:hash pairs. This method is not practicable because of the lare amount of memory is needed! The cipher text is stored in chains whereby only the first and the last element of a chain is stored in memory. The chains are created usin a reduction function which creates a key (password) from a cipher text. Source: Security Event April 28, 2004 Pae 9 Rainbowcrack: Pre-condition Precomputed Rainbow Tables LM Table, Keyspace: alphanumeric and 7 characters take about 15 days to compute (related to the processor speed) The password hashes Local SAM Active Directory (on DC) Rescue floppy disk Repair folder Backup tapes Over the network Security Event April 28, 2004 Pae 10 5

6 Rainbowcrack: Extraction of the hashes Extract the hashes from the AD Security Event April 28, 2004 Pae 11 Rainbowcrack live Run the cryptoanalysis Security Event April 28, 2004 Pae 12 6

7 Rainbowcrack: Countermeasures Protect the key to the castle (password hashes) Minimize the Domain Admin accounts Domain Administrators should not do office work with the hih-privileed account (use Terminal Server instead) Patch your DC s Do not install server applications (IIS, SQL...) on DC s Protect your installation sources, backups as well as ERDs Do not store LM hash (Group Policies) Enforce stron passwords (Group Policies) Security Event April 28, 2004 Pae 13 Demonstration 2 Software Restriction Policies Stop Malicious Mobile Code Security Event April 28, 2004 Pae 14 7

8 Software Restriction Policy: Overview Software Restriction Policy Applicable by Group Policy Controls the invokin of code Rule set Default Policy Disallow, Unrestricted Path Rule (e.. c:\proram files) Hash Rule Certificate Rule Security Event April 28, 2004 Pae 15 Software Restriction Policy: Rules Software Restriction Policy Security Event April 28, 2004 Pae 16 8

9 Software Restriction Policy: Demonstration The prevention of executin malicious mobile code Security Event April 28, 2004 Pae 17 Software Restriction Policy: What reason? You can not prevent the delivery of Malicious Mobile Code! Software Restriction Policy can help to prevent the execution of MMC Proper plannin and maintenance is crucial Security Event April 28, 2004 Pae 18 9

10 Demonstration 3 Domain Trust Vulnerability In God we trust all other we monitor (NSA) Security Event April 28, 2004 Pae 19 Domain Trust Vulnerability: Security Model Windows Security Model All resources are protected with Access Control Lists (ACL) ACLs contain Access Control Entries (ACE) ACE = security ID (SID) of a user account Source: Security Event April 28, 2004 Pae 20 10

11 Domain Trust Vulnerability: Trustin Domain Trust The loon domain compiles the ticket (authorization data) All domains within a forest have automatic, two way trusts Security Event April 28, 2004 Pae 21 Domain Trust Vulnerability: Desin Bu Desin Bu A trustin domain (resource) never verifies the authorization data it ets from a trusted domain (user). The trustin domain believes that the account that seeks access is leitimately allowed to use all of the SIDs presented in the authorization data includin the one in the SIDHistory! Security Event April 28, 2004 Pae 22 11

12 Domain Trust Vulnerability: Attack Overview Root Domain The admin of the child domain wants to take over the root domain. Enterprise Admins Child Domain Domain Controller Admin Security Event April 28, 2004 Pae 23 Domain Trust Vulnerability: Attack I Get the SID for a user in the taret domain Security Event April 28, 2004 Pae 24 12

13 Domain Trust Vulnerability: Attack II Insertion of the athered SID into the SIDHistory Pre-Conditions: Physical access to the server, Directory Restore Password Security Event April 28, 2004 Pae 25 Domain Trust Vulnerability: Attack III Modified SIDHistory The particular user is now able to connect to the other domain and fulfill domain admin tasks! Security Event April 28, 2004 Pae 26 13

14 Domain Trust Vulnerability: Countermeasures Countermeasures Cannot be prevented within a forest A security patch implements SID filterin which prevents inter-forest attacks Secure desin of Active Directory (different forest for different leal entities) Security Event April 28, 2004 Pae 27 Thank you Do not spend your time in securin your systems, just encrypt all your data (Unknown) Security Event April 28, 2004 Pae 28 14