10 mistakes to avoid when securing your Microsoft Network Infrastructure

Transcription

1 10 mistakes to avoid when securing your Microsoft Network Infrastructure Donald R. Glass CISSP, CISA, MCSE, MCSE+I, CNE 1

2 Agenda Preliminaries Introduction, Sun Tzu SANS/ FBI Top 10 List (Microsoft Related) The vulnerabilities The countermeasures Live Demo Conclusions 2

3 Something you should know 3

4 Preliminaries Name: Donald R. Glass, you will never guess what the R. stands for. I won t tell you either. Height: 6 10 = 206 cms. I never played basketball, I never will. Horrendous voice, if you don t understand something, please let me know. All kind of questions and observations will be welcomed. 81 slides, 90 minutes -> > 1.1 min/slide Enjoy the ride... 4

5 The Art of War, Sun Tzu 5

6 The Art of War Hence to fight and conquer in all your battles is not supreme excellence; supreme excellence consists in breaking the enemy's resistance without fighting. Sun Tzu, The Art of War 6

7 The Art of War If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. Sun Tzu, The Art of War. 7

8 The ten most commonly exploited vulnerable services in Windows. 8

9 The List Released by the SANS Institute and the National Infrastructure Protection Center (NIPC). It s a two Top Ten lists: one for *NIX and one for Windows. Live document. The Top Twenty is a prioritized list of vulnerabilities that require immediate remediation. 9

10 10

11 Top Vulnerabilities to Windows Systems W1 Internet Information Services (IIS) W2 Microsoft Data Access Components (MDAC) -- Remote Data Services W3 Microsoft SQL Server W4 NETBIOS -- Unprotected Windows Networking Shares W5 Anonymous Logon -- Null Sessions 11

12 Top Vulnerabilities to Windows Systems W6 LAN Manager Authentication -- Weak LM Hashing W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords W8 Internet Explorer W9 Remote Registry Access W10 Windows Scripting Host 12

13 W1 Internet Information Services (IIS) Failure to handle unanticipated requests. Many IIS vulnerabilities involve a failure to handle improperly (or just deviously) formed HTTP requests. A remote attacker may: View the source code of scripted applications. View files outside of the Web document root. View files the Web server has been instructed not to serve. Execute arbitrary commands on the server (resulting in, for example, deletion of critical files or installation of a backdoor). Example: Unicode directory transversal vulnerability (Code Blue worm). 13

14 W1 Internet Information Services (IIS) Buffer Overflows.. Many ISAPI extensions (including the ASP, HTR, IDQ, PRINTER, and SSI extensions) are vulnerable to buffer overflows. A carefully crafted request from a remote attacker may result in: Denial of service. Execution of arbitrary code and/or commands in the Web server's user context (e.g., as the IUSR_servername or IWAM_servername user). Example:.idq ISAPI extension vulnerability (Code Red and Code Red II) 14

15 W1 Internet Information Services (IIS) Sample Applications. A sample application, newdsn.exe, allowed the remote attacker to create or overwrite arbitrary files on the server. A number of such applications allow remote viewing of arbitrary files, which may be used to gather information such as database userids and passwords. An iisadmin application, ism.dll dll,, allows remote access to sensitive server information including the Administrator's password. 15

16 W1 Internet Information Services (IIS) Operating Systems Affected Windows NT 4 (any flavor) running IIS 4 Windows 2000 Server running IIS 5 Windows XP Professional running IIS

17 W2 Microsoft Data Access Components (MDAC) -- Remote Data Services The Remote Data Services (RDS) component in older versions of Microsoft Data Access Components (MDAC) has a program flaw which allows remote users to run commands locally with administrative privilege. Combined with a flaw in Microsoft Jet database engine 3.5 (part of MS Access), this exploit may also provide anonymous external access to internal databases. These flaws are well- documented and solutions have been available for more than two years, but outdated or misconfigured systems remain exposed and subject to attack. 17

18 W2 Microsoft Data Access Components (MDAC) -- Remote Data Services Operating Systems Affected Most Microsoft Windows NT 4.0 systems running IIS 3.0 or 4.0, Remote Data Services 1.5, or Visual Studio

19 W3 Microsoft SQL Server The Microsoft SQL Server (MSSQL) contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and,, in some configurations, compromise server hosts. MSSQL vulnerabilities are well-publicized and actively under attack. Port 1433 (MSSQL default port) has also been regularly registered d as one of the top scan ports in the Internet Storm Center. 19

20 W3 Microsoft SQL Server Operating Systems Affected Any Microsoft Windows system with Microsoft SQL Server 7.0, Microsoft SQL Server 2000 or Microsoft SQL Server Desktop Engine 2000 installed. 20

21 W4 NETBIOS -- Unprotected Windows Networking Shares Microsoft Windows provides a host machine with the ability to share files or folders across a network with other hosts through Windows network shares. The underlying mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS). Example Sircam virus (see CERT Advisory ) 22) and Nimda worm (see CERT Advisory ). 26). 21

22 W4 NETBIOS -- Unprotected Windows Networking Shares Operating Systems Affected Windows 95 Windows 98 Windows NT Windows Me Windows 2000 Windows XP. 22

23 W5 Anonymous Logon -- Null Sessions A Null Session connection, also known as Anonymous Logon, is a mechanism that allows an anonymous user to retrieve information (such as user names and shares) over the network, or to connect without authentication. On Windows NT, 2000 and XP systems, many local services run under the SYSTEM account, known as LocalSystem on Windows 2000 and XP. The SYSTEM account is used for various critical system operations. When one machine needs to retrieve system data from another, the SYSTEM account will open a null session to the other machine. For example: Network neighborhood. 23

24 W5 Anonymous Logon -- Null Sessions Operating Systems Affected Windows NT Windows 2000 Windows XP. 24

25 W6 LAN Manager Authentication Microsoft locally stores legacy LM password hashes (also known as LANMAN hashes) by default on Windows NT, 2000 and XP systems. The weakness of LM hashes derives from the following: Passwords are truncated to 14 characters. Passwords are padded with spaces to become 14 characters. Passwords are converted to all upper case characters. Passwords are split into two seven character pieces. 25

26 W6 LAN Manager Authentication Operating Systems Affected All Microsoft Windows operating systems. 26

27 W7 General Windows Authentication The most common password vulnerabilities are that: user accounts have weak or nonexistent passwords, regardless of the strength of their password, users fail to protect it, the operating system or additional software creates administrative accounts with weak or nonexistent passwords, and password hashing algorithms are known and often hashes are stored such that they are visible by anyone. 27

28 W7 General Windows Authentication Operating Systems Affected Any operating system or application where users authenticate via a user ID and password. 28

29 W8 Internet Explorer The vulnerabilities can be categorized into multiple classes including: Web page spoofing, ActiveX control vulnerabilities, Active scripting vulnerabilities, MIME-type and content-type type misinterpretation and Buffer overflows. The consequences may include: disclosure of cookies, local files or data, execution of local programs, download and execution of arbitrary code or complete takeover of the vulnerable system. 29

30 W8 Internet Explorer Operating Systems Affected These vulnerabilities exist on Microsoft Windows systems running any version of Microsoft Internet Explorer. 30

31 W9 Remote Registry Access Microsoft Windows 9x, Windows CE, Windows NT, Windows 2000, Windows ME and Windows XP employ a central hierarchical database, known as the Registry, to manage software, device configurations and user settings. Improper permissions or security settings can permit remote registry access. Attackers can exploit this feature to compromise the system or form the basis for adjusting file association and permissions to enable malicious code. 31

32 W9 Remote Registry Access Operating Systems Affected Windows 9x Windows CE Windows NT Windows 2000 Windows ME Windows XP 32

33 W10 Windows Scripting Host Windows Scripting Host (WSH), permits any text file with a ".vbs vbs" " extension to be executed as a Visual Basic script. With WSH enabled, a typical worm propagates by including a VBScript as the contents of another file and executes when that file is viewed or in some cases previewed. Example: The Love Bug (ILOVEYOU) worm. 33

34 W10 Windows Scripting Host Operating Systems Affected Windows Scripting Host can be installed manually or with Internet Explorer 5 (or higher) on Windows 95 or NT. It is installed by default on Windows 98, ME, 2000 and XP machines. 34

35 How to detect, prevent and correct these vulnerabilities 35

36 W1 Internet Information Services (IIS) How to determine if you are vulnerable. It is simplest to presume that you are vulnerable if the cumulative roll-up has not been applied. To determine whether the cumulative roll-up has been applied on your server, check the registry for the entry listed as follows: Windows NT 4: HKEY_LOCAL_MACHINE\SOFTWARE SOFTWARE\Microsoft\Windows NT\CurrentVersion CurrentVersion\Hotfix\Q

37 W1 Internet Information Services (IIS) or Windows NT 4 Terminal Server Edition: HKEY_LOCAL_MACHINE\SOFTWARE SOFTWARE\Microsoft\Windows NT\CurrentVersion CurrentVersion\Hotfix\Q Windows 2000: HKEY_LOCAL_MACHINE\SOFTWARE SOFTWARE\Microsoft\Updates\Window s 2000\SP3 SP3\Q Windows XP: HKEY_LOCAL_MACHINE\SOFTWARE SOFTWARE\Microsoft\Updates\Window s XP\SP1 SP1\Q

38 W1 Internet Information Services (IIS) Use the HFNetChk tool to verify the presence of the corresponding patch: NT 4: Q NT 4 Terminal Server Edition: Q or XP: Q

39 W1 Internet Information Services (IIS) You are probably vulnerable to sample application exploits if any of the following files reside in your %wwwroot%/scripts directory: code.asp codebrws.asp ism.dll newdsn.exe viewcode.asp winmsdp.exe 39

40 W1 Internet Information Services (IIS) How to Protect Against It. Apply the current patches. Stay current. Eliminate sample applications. Unmap necessary ISAPI extensions. Filter HTTP requests. Perform periodic vulnerability assessments of your Web servers. 40

41 W1 Internet Information Services (IIS) How to Protect Against It Tools. Network Security Hotfix Checker HFNetChk microsoft.com/.com/technet/security/tools/hfnetchk.asp IIS Lockdown Wizard microsoft.com/.com/technet/security/tools/locktool.asp URLScan filter (currently integrated in the IIS Lockdown Wizard). microsoft.com/.com/technet/security/tools/urlscan.asp 41

42 W2 Microsoft Data Access Components (MDAC) -- Remote Data Services How to determine if you are vulnerable. If you are running Microsoft Windows NT 4.0 and IIS 3.0 or 4.0, then check for the existence of "msadcs" msadcs.dll" 42

43 W2 Microsoft Data Access Components (MDAC) -- Remote Data Services How to Protect Against It. If possible, upgrade to MDAC version 2.1 or greater (this may introduce compatibility issues. microsoft.com/data/download..com/data/download.htm Install JetCopkg.exe (MS99-030) JetCopkg.exe is a modified Jet 3.5 engine that has safety features enabled in it to prevent exploitation, referred to as 'sandbox' mode. microsoft.com/default..com/default.aspx?scid=kb;en-us;q If MDAC is not needed, delete the msadcs.dll dll library. 43

44 W2 Microsoft Data Access Components (MDAC) -- Remote Data Services How to Protect Against It Additional references. You, your servers, RDS, and thousands of script kiddies..how to keep your website intact.. (Defending against RDS attacks). wiretrip.net/.net/rfp/p/doc.asp/i2/f3/d29.htm PRB: Security Implications of RDS 1.5, IIS 3.0 or 4.0, and ODBC. microsoft.com/default..com/default.aspx?scid=kb;en-us;q

45 W2 Microsoft Data Access Components (MDAC) -- Remote Data Services Unauthorized ODBC Data Access with RDS and IIS. microsoft.com/.com/technet/treeview/default.asp?url=/ =/technet/ security/bulletin/ms asp Re-Release: Release: Unauthorized Access to IIS Servers through ODBC Data Access with RDS. microsoft.com/.com/technet/treeview/default.asp?url=/ =/technet/ security/bulletin/ms asp 45

46 W3 Microsoft SQL Server How to determine if you are vulnerable. Check the registry for the following value: HKEY_LOCAL_MACHINE\SOFTWARE SOFTWARE\Microsoft\MSSQLServer\M SSQLServer If set, it means that SQL Server or SQL Server Desktop Engine is installed. Use the Microsoft Baseline Security Analizer (MBSA) to check for missing patches and hotfixes. microsoft.com/.com/technet/security/tools/tools/mbsahome.a sp 46

47 W3 Microsoft SQL Server How to Protect Against It. Apply the latest service pack for Microsoft SQL server. Apply the latest cumulative patch that is released after the latest service pack. Apply any individual patches that are released after the latest cumulative patch. Secure the server at system and network level. Perform periodic vulnerability assessments of your SQL servers. 47

48 W3 Microsoft SQL Server How to Protect Against It - Secure the server. Ensure that the built-in in "sa" sa" " account has a strong password, even if your SQL server does not run using this account. Run the MSSQLServer service and SQL Server Agent under a valid domain account with minimal privileges, not as a domain administrator or the SYSTEM (on NT) or LocalSystem (on 2000 or XP) account. 48

49 W3 Microsoft SQL Server Enable Windows NT Authentication. Enable auditing for successful and failed logins. Stop and restart the MSSQLServer service. Configure your clients to use NT authentication. Packet filtering should be performed at network borders to prohibit non-authorized externally-initiated inbound connections to services. Ingress filtering of TCP ports 1433 and 1434 could prevent attackers outside of your network from scanning or infecting vulnerable Microsoft SQL servers in the local network that are not explicitly authorized to provide public SQL services. 49

50 W3 Microsoft SQL Server If TCP ports 1433 and 1434 need to be available on your Internet gateways, enable and customize egress/ingress filtering to prevent misuse of these ports. 50

51 W4 NETBIOS -- Unprotected Windows Networking Shares How to determine if you are vulnerable. Use the Microsoft Baseline Security Analizer (MBSA) to check if the server is vulnerable to SMB exploits. microsoft.com/.com/technet/security/tools/tools/mbsahome.a sp Use any other available network scanner. Please, be advised that proper testing should be performed prior to start using unfamiliar tools in a production environment. 51

52 W4 NETBIOS -- Unprotected Windows Networking Shares How to Protect Against It. Disable sharing wherever it is not required. Do not permit sharing with hosts on the Internet. Ensure all Internet-facing hosts have Windows network shares disabled. Do not permit unauthenticated shares. If file sharing is required, then don't permit unauthenticated access to a share. 52

53 W4 NETBIOS -- Unprotected Windows Networking Shares Restrict shares to only the minimum folders required. Generally, only one folder and possibly sub-folders of that folder. Restrict permissions on shared folders to the minimum required. Be especially careful to only permit write access when it is absolutely required. For added security, allow sharing only to specific IP addresses because DNS names can be spoofed. 53

54 W4 NETBIOS -- Unprotected Windows Networking Shares Block ports used for Windows shares at your network perimeter. Block the NetBIOS ports commonly used by Windows shares at your network perimeter using either your external router or perimeter firewall. The ports that should be blocked are TCP and UDP, and 445 TCP and 445 UDP. 54

55 W5 Anonymous Logon -- Null Sessions How to determine if you are vulnerable. Try to establish a Null session using the following command: net use \\a.b.c.d\ipc$ $ /user: where a.b.c.d is the IP address of the remote system. 55

56 W5 Anonymous Logon -- Null Sessions How to Protect Against It. Modify the RestrictAnonymous Registry key HKLM/System/CurrentControlSet CurrentControlSet/Control/LSA/ /Control/LSA/RestrictAnonymous Restricts anonymous users from displaying lists of users and from viewing security permissions. Note: This setting may have a negative impact on domain controller operations. Test the setting BEFORE you apply it to a production network. 56

57 W5 Anonymous Logon -- Null Sessions Modify the RestrictAnonymous Registry key Available Settings: 0 (Disabled): Anonymous users are not restricted. 1 (Enabled): Users who log on anonymously (also known as null session connections) cannot display lists of domain user names or o share names. 2 (Enabled): Anonymous users have no access without explicit anonymous permissions. (only in W2K/ XP versions). Block TCP and UDP ports 135, 137, 138, 139 and 445 at the external router or firewall. 57

58 W6 LAN Manager Authentication How to determine if you are vulnerable. If you are running a default installation of NT, 2000 or XP, you are vulnerable since LAN Manager hashes are stored locally by default. If you have legacy operating systems in your environment that require LM authentication in order to communicate to servers, then you are vulnerable because those machines send LM hashes which can be sniffed off the network. 58

59 W6 LAN Manager Authentication How to Protect Against It. Disable LM Authentication across the network. Set the LMCompatibilityLevel Registry key (in HKLM/System\CurrentControlSet CurrentControlSet\Control\LSA) to: If all of your systems are Windows NT SP4 or later, you can set this to 3 on all clients and 5 on all domain controllers to prevent any a transmission of LM hashes on the network. Legacy systems (such as Windows 95/98) will not use NTLMv2 with the default Microsoft Network Client. To get NTLMv2 capability, install the Directory Services Client. Once installed, the registry value name is "LMCompatibility" LMCompatibility," and the allowed values are 0 or 3. 59

60 W6 LAN Manager Authentication Prevent the LM Hash from Being Stored. One major problem with simply removing the LM hashes being passed over the network is that the hashes are still created and stored in the SAM or Active Directory. Microsoft has a mechanism available for turning off the creation of the LM hashes altogether, but only in Windows 2000 and XP. Windows 2000: HKLM\System System\CurentControlSet\Control\LSA\NoLMHash Windows XP: HKLM\System System\CurentControlSet\Control\LSA (Value: NoLMHash,, Data type: REG_DWORD, Value: 1). 60

61 W6 LAN Manager Authentication How to Protect Against It additional references. How to Disable LM Authentication on Windows NT [Q147706] LMCompatibilityLevel and Its Effects [Q175641] microsoft.com/default..com/default.aspx?scid=kb%3ben- us%3b microsoft.com/default..com/default.aspx?scid=kb%3ben- us%3b

62 W6 LAN Manager Authentication How to Enable NTLMv2 Authentication for Windows 95/98/2000/NT [Q239869] New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager microsoft.com/default..com/default.aspx?scid=kb%3ben- us%3b microsoft.com/default..com/default.aspx?scid=kb%3ben- us%3b

63 W7 General Windows Authentication How to determine if you are vulnerable. Test the passwords using a known password cracker. Note: Never run a password scanner, even on systems for which you have administrative access, without explicit and preferably written permission from your employer. Administrators with the most benevolent of intentions have been fired for running password cracking tools without authority to do so. 63

64 W7 General Windows Authentication How to Protect Against It. Ensure that passwords are strong. Protect strong passwords. Tightly control accounts. Maintain a strong password policy for the enterprise. 64

65 W7 General Windows Authentication How to Protect Against It Tools. LC4 (l0phtcrack version 4) atstake.com/research/.com/research/lc/ John the Ripper openwall.com/john/ Symantec NetRecon enterprisesecurity.symantec.com/products/products..com/products/products.cfm?prod uctid=46 65

66 W8 Internet Explorer How to determine if you are vulnerable. Make sure the latest service packs, hotfixes and patches are installed. This could be done by: Windows Update service Network Security Hotfix Checker (NFNetChk( NFNetChk) Microsoft Baseline Security Analyzer (MBSA) 66

67 W8 Internet Explorer How to Protect Against It. Apply the latest service pack for Internet Explorer. Apply the latest cumulative patch that is released after the latest service pack. Apply any individual patches that are released after the latest cumulative patch. 67

68 W9 Remote Registry Access How to determine if you are vulnerable. NT Resource Kit (NTRK) available from Microsoft contains an executable file entitled "regdump" regdump.exe" that will passively test remote registry access permissions from a Windows NT host against other Windows NT/Windows 2000 or Windows XP hosts on the Internet or internal network. msdn.microsoft.com/library/default.asp?.com/library/default.asp?url=/library/en- us/apcguide apcguide/htm/utilities_10.asp A collection of command line shell scripts that will test for registry access permissions and a range of other related security concerns. afentis.com/top20 68

69 W9 Remote Registry Access How to Protect Against It. Restrict Network Access. To restrict network access to the registry create the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM SYSTEM\CurrentControlSet\Control\SecurePipeServ ers\winreg Description: REG_SZ Value: Registry Server Security permissions set on this key define the Users or Groups that are permitted remote Registry access. Default Windows installations define this key and set the Access Control List to provide full privileges to the system Administrator and Administrators Group (and Backup Operators in Windows 2000). 69

70 W9 Remote Registry Access Limit the authorized remote access. Enforcing strict restrictions upon the registry can have adverse side effects upon dependent services, such as the Directory Replicator and the network printer Spooler service. It is therefore possible to add a degree of granularity to the permissions, by adding either the account name that the service is running under to the access list of the "winreg" winreg" " key, or by configuring Windows to bypass the access restriction to certain keys by listing them in the Machine or Users value under the AllowedPaths key. 70

71 W9 Remote Registry Access For Windows NT: HKEY_LOCAL_MACHINE\SYSTEM SYSTEM\CurrentControlSet\Control\Secure PipeServers\winreg winreg\allowedpaths Value: Machine Value Type: REG_MULTI_SZ - Multi string Default Data: System\CurrentControlSet CurrentControlSet\Control\ProductOptions System\CurrentControlSet CurrentControlSet\Control\Print\Printers Printers System\CurrentControlSet CurrentControlSet\Services\Eventlog Software\Microsoft Microsoft\WindowsNT\CurrentVersion System\CurrentControlSet CurrentControlSet\Services\Replicator Valid Range: (A valid path to a location in the registry) Description: Allow machines access to listed locations in the registry provided that no explicit access restrictions exist for that location. 71

72 W9 Remote Registry Access Value: Users Value Type: REG_MULTI_SZ - Multi string Default Data: (none) Valid Range: (A valid path to a location in the registry) Description: Allow users access to listed locations in the registry provided that no explicit access restrictions exist for that location. 72

73 W9 Remote Registry Access In the Microsoft Windows 2000 and Windows XP Registry: Value: Machine Value Type: REG_MULTI_SZ - Multi string Default Data: System\CurrentControlSet CurrentControlSet\Control\ProductOptions System\CurrentControlSet CurrentControlSet\Control\Print\Printers Printers System\CurrentControlSet CurrentControlSet\control\Server Application System\CurrentControlSet CurrentControlSet\Services\Eventlog\ Software\Microsoft Microsoft\Windows NT\CurrentVersion Value: Users (does not exist by default) 73

74 W9 Remote Registry Access How to Protect Against It additional references. How to Restrict Access to NT Registry from a Remote Computer. microsoft.com/default..com/default.aspx?scid=kb%3ben- us%3b

75 W10 Windows Scripting Host (WSH) How to determine if you are vulnerable. If you are running Windows 95 or NT with IE 5 or higher, or are running Windows 98, ME, 2000 or XP, and have not disabled WSH, then you are vulnerable. 75

76 W10 Windows Scripting Host (WSH) How to Protect Against It. Disable or remove Windows Scripting Host. Always keep the Anti-virus software and definitions up-to to- date. 76

77 How to assess your level of exposure 77

78 78

79 Conclusions Most of these vulnerabilities have been know for a number of years. Most of the countermeasures are not hard to deploy. Still there are the most exploited vulnerabilities. 79

80 emrisk.com/ 80

81 Silka M. Gonzalez CISA, CPA President emrisk.com or Donald R. Glass CISSP, CISA, MCSE, MCSE+I, CNE Manager emrisk.com

82 This document was created with Win2PDF available at The unregistered version of Win2PDF is for evaluation or non-commercial use only.