Using Microsoft s Free Security Tools Help Secure your Windows Systems taken from Web and Other Sources by Thomas Jerry Scott November, 2003

Transcription

1 Using Microsoft s Free Security Tools Help Secure your Windows Systems taken from Web and Other Sources by Thomas Jerry Scott November, 2003 The following chart shows the name and download locations for a number of free Microsoft security analysis tools. One path to improved security for your Microsoft is to use the available security tools from Microsoft. Tool Microsoft Baseline Security Analyzer/HFNetChk KB Scanning Tool QChain IIS Security Planning Tool IIS Lockdown Wizard URLscan Cipher.exe IPSec Policy Configuration tool Domain Controller Diagnostic Tool SQL Server tools Screensavers Location 8ee d36-4f7f-92f2-2bdc5c5385b3/mbsasetup.msi FamilyId=13AE421B-7BAB-41A2-843B- FAD838FE472E&displaylang=en 952ac356-53cb-43a2-9c85-54b1262fca2c/Q815062_W2K_spl_X86_EN.exe Utility/2.0/NT5/EN-US/Iisperms.exe NT45XP/EN-US/iislockd.exe 9/8/198a7fdf f44-035f8faeaf95/Setup.EXE Q298009/NT5/EN-US/Q298009_W2K_SP3_x86_en.EXE ipsecpol/ /nt5/en-us/ipsecpol_setup.exe 0/6b078b8b-b9b ac18-f300724d206e/dcdiag_setup.exe 65cf1ff e-99fb-57d4026f66e4/SQLCritUpdPkg_ENU.exe scrnsvr/1.0/nt5/en-us/seclaws.exe This article describes these tools and how their use can improve your security knowledge. Better security is often achieved by not only knowing your own systems, but also knowing where and how your enemy might attack you. Using Microsoft Free Security Tools T.J. Scott Page 1 of 11

2 Get Help Tracking Patches Your Windows-based computers should have the latest security patches installed. In addition, they should use the optimum security configurations for your servers and employ the strictest security settings allowable in your environment. Many of your Windows systems will serve different roles and, therefore, require different configurations. This makes it difficult to track which computer requires which patches, configuration, and settings. The Microsoft Baseline Security Analyzer (MBSA) was designed to do the following tasks to help; deal with the problems just described: 1. Examine the computers in your network 2. Analyze their Windows components 3. Then generate separate security reports for each analyzed system. The MBSA runs on Windows 2000 or XP computers and can search for security vulnerabilities on computers running Windows NT 4.0, 2000, or XP.The MSBA tool looks for common security problems in many Microsoft products, such as 1. Windows Operating system 2. Common Microsoft Servers: Exchange Server, the IIS Web Server, and SQL Server 3. The Applications: Microsoft Office, Internet Explorer (IE) and the Windows Media Player. MBSA also detects and scans multiple instances of SQL Server on a computer. You can run it with its graphical user interface (GUI) or a command-line interface. The tool searches for the presence of Microsoft's security updates and service packs, confirms security best practices such as strong passwords are in place, and identifies common server security misconfigurations. It also checks for "Guest" account statuses, file system types, available file shares, members of the Administrators group, and misconfigured security zone settings. It then lets you know what you need to do to set things right. MBSA also ensures you always have the latest version of the update installed. Knowing this is advantageous because Microsoft sometimes re-releases security updates when they change. For example, patch MS was issued to fix a remote denial-of-service vulnerability, but it created a different vulnerability; the patch needed to be re-released so it affected only the main problem. Using Microsoft Free Security Tools T.J. Scott Page 2 of 11

3 Using Microsoft Free Security Tools T.J. Scott Page 3 of 11

4 The MSBA tool is similar to the older HFNetChk (Hotfix Network Check) commandline interface tool. In fact, Microsoft designed the MBSA tool to replace the HFNetChk tool.. MBSA allows you to run all HFNetChk's capabilities from MBSA's command-line interface. You can run existing scripts that use HFNetChk after making some simple changes (replacing each occurrence of hfnetchk.exe with mbsacli.exe /hf). MBSA also supercedes the Microsoft Personal Security Advisor (MPSA) and includes all checks MPSA performs. Using Microsoft Free Security Tools T.J. Scott Page 4 of 11

5 MBSA creates and stores its reports for individual computers as XML files, and it displays the results as HTML in the GUI. To run the GUI version, use the executable Mbsa.exe; to run the command-line interface version, use Mbsacli.exe. Because MBSA uses a master XML database to track the latest security patches and updates, it requires Internet Explorer 5.01 (or later) or a separate XML parser. MBSA provides you with a great deal of control over its processing. For example, you can specify that it scan the local computer, a named computer, a named domain, a named IP, or a range of IP addresses. You can even skip certain checks to save time when looking for a specific issue. You have many options for controlling where output goes and how reports appear, and Microsoft is planning improvements to the tool. Although Microsoft designed MBSA to replace HFNetChk, many administrators are comfortable working with HFNetChk, and it's still useful. You can also access HFNetChk functionality using the command-line interface version of MBSA. HFNetChk helps you ensure that all your Windows-based computers have the latest security patches installed using an XML database of patches, which Microsoft updates continually. HFNetChk runs on Windows NT 4.0, 2000, or XP systems and can scan local or remote computers for the patch status of Windows NT 4.0 or 2000, Internet Explorer, SQL Server, and Microsoft Data Engine, as well as all system services, including IIS. HFNetChk also requires either Internet Explorer 5.01 (or later) or an XML parser to use the XML database. When you run HFNetChk, it scans the target computers to identify the operating system, service packs, and programs installed. Then it compares this information with the XML file and matches available security patches to your combination of installed software. If patches are available for installation but aren't installed on your computer, HFNetChk displays a warning. It's up to you to heed the warning and apply the necessary fixes. The Security Tool Kit and Critical Update Notification utility are other tools to consider. The Microsoft Security Tool Kit contains important security information, current service packs, and critical security patches for Windows 2000, IIS, and Internet Explorer. The Critical Update Notification utility is part of the Security Tool Kit and links to the Windows Update site to help ensure your computers have all the latest patches installed. The Microsoft Qfecheck tool identifies the hotfix levels on servers, reports the service pack levels and hotfix versions installed on your servers. It can also identify if a patch wasn't installed correctly. The Microsoft Hotfix tool simply displays the number and versions of all hotfixes installed on your servers. It's then up to you to find out if any are missing and install them. Microsoft's KB scanning tool is designed specifically to locate host computers that don't have the MS patch installed. Without this patch, a serious problem in the Remote Procedure Call (RPC) interface of Distributed Component Using Microsoft Free Security Tools T.J. Scott Page 5 of 11

6 Object Model (DCOM) could allow attackers to execute arbitrary code remotely on a vulnerable machine. The Microsoft QChain tool allows you to perform several hotfixes before restarting. Usually when you install a hotfix, you're instructed to restart the server after each installation. This can be time-consuming, as well as disruptive to operations and other dependent components. Instead, you run each hotfix installer using the -z switch so that the installer won't restart after the installation. When all hotfix installers have run, you run QChain and restart the computer. Locking Down the System After installing all necessary patches to system components, you'll need to configure your system to reduce security vulnerabilities to a minimum. Unfortunately, almost every feature that involves communication or needs to be configured represents a vulnerability. Therefore, turning off unnecessary features increases security. You want as many drawbridges up as you can manage. The IIS Security Planning Tool helps you plan the level of security you want for your IIS servers. You can choose various levels depending on the role you want a given server to fill. Using a Dynamic HTML (DHTML) interface, the IIS Security Planning Tool helps you select the services the server will provide. Then the tool recommends the most suitable deployment and installation options to achieve the security for those services. You'll need a browser to run the IIS Security Planning Tool, as its name is IISPermissions.htm. Once the IISPermissions.htm tool is running, you can select options including which client operating system to use, whether IIS is local to the browser client, the IIS and operating system versions you want, and the type of authentication to use. The tool displays those computers and resources the client can reach. Using Microsoft Free Security Tools T.J. Scott Page 6 of 11

7 Although all the features of Microsoft's server products are useful and, in many cases, indispensable for supporting your enterprise applications, some can also make the system vulnerable. Attackers are adept at locating weak points in your security armor and leveraging them to the utmost. For this reason, it's prudent to remove or turn off any features that aren't used, to prevent misuse. Naturally, with so many features, this is practically impossible to do manually. The IIS Lockdown Wizard simplifies the process. It includes templates for IISdependent Microsoft products and components such as Exchange, Commerce Server, BizTalk, Small Business Server, SharePoint Portal Server, FrontPage Server Extensions, and SharePoint Team Server. These templates itemize the features you can shut down for each component or product, depending on its role. For example, if your IIS server is a Dynamic Web Server, the tool removes any functionality that specific Web server role doesn't require. In particular, the IIS Lockdown Wizard can remove or disable IIS services such as FTP, HTTP, Network News Transport Protocol (NNTP), and SMTP ( ), all of which are vulnerable to specific attacks. You can also remove ISAPI DLL script mappings and directories you don't need, as well as change file and folder access control lists (ACLs), disable script maps, remove unused virtual directories, and set file permissions. Although the IIS Lockdown Wizard has an interactive user interface, you can also run it from an answer file. This enables you to create scripts to handle specific situations and configurations. You can also run the IIS Lockdown Wizard in unattended mode to configure your settings automatically. The IIS Lockdown Wizard is available both as part of the Security Toolkit and independently. Using Microsoft Free Security Tools T.J. Scott Page 7 of 11

8 Servers face exploits from attackers who try to use specially crafted HTTP requests to cause buffer overflows or escalations in user privileges, among other destructive outcomes. For example, it's possible for extremely long URLs, strange characters, or certain combinations of characters to present risks. To prevent or mitigate these kinds of attacks, Web site administrators need to filter HTTP requests so hazardous ones don't reach the server. The Microsoft URLScan tool is an ISAPI filter that examines incoming HTTP requests before they reach IIS. Blocking potentially dangerous HTTP requests reduces risks and improves overall performance, because the server doesn't have to handle those requests and can concentrate on legitimate requests. You can install URLScan on servers running IIS 4.0 and later while running the IIS Lockdown Tool, or you can install it independently. The URLScan tool is integrated into the IIS Lockdown Wizard with its own customized templates for filtering HTTP requests based on each supported server role. Most administrators use URLScan in conjunction with the IIS Lockdown Wizard, so this integration saves you the trouble of creating custom filters. You can also install URLScan within the IIS Lockdown Wizard. The latest edition of URLScan, version 2.5, adds filters that limit the size of incoming HTTP requests and special characters known to be part of certain exploits. The tool also provides administrators with more options, such as giving them the capability to log long URLs; and it allows them greater latitude when configuring URLScan, such as giving them the capability to change the directory for the log files. URLScan includes a set of default characters to exclude, which is based on previous attacks. For example, hackers have used ".." in directory traversal attacks. However, you'll need to keep in mind that the default set might include characters that are legitimate for your system. In this case, you'll need to alter the configuration file to permit those specific characters. The default characters are there for a reason, so be prepared to accept the consequences for altering them. For example, you might need to monitor specifically for attacks that use those same characters. One danger you face is that attackers might be able to access sensitive information on the system. Another danger is that an attacker can find significant system information (such as passwords) in ordinary files. And yet another danger is the possibility of an attacker using information in "deleted" files (files that still exist physically, but are inaccessible normally). Protecting Special Files For these and other reasons, Microsoft developed the Encrypting File System (EFS). EFS performs automatic data encryption and decryption on NTFS disk drives. It's transparent to applications: During normal file reads and writes, the files are encrypted or decrypted automatically. You can designate entire folders as encrypted. In this case, all files in, or added to, that folder will be encrypted. Using Microsoft Free Security Tools T.J. Scott Page 8 of 11

9 To encrypt a folder s files, the steps are: In Windows Explorer, right click on the folder, choose Properties, then Advanced, and then check the Encrypt files to Secure Data checkbox. You can also use the cipher.exe command-line tool to manage encrypted data in the EFS, if you want to work on a file at a time.. The tool can also "wipe" or overwrite "deleted" data on a drive permanently, making that data physically inaccessible and eliminating the possibility of an attacker gaining access to it. You must install cipher.exe with its installer package to add the NTFS functionality that the cipher.exe requires to run properly. Data Transit Security Over the Network IP security protocol (IPSec) is a commonly used protocol to enhance security. It provides authentication and confidentiality for exchanged packets, and is available for both IP versions 4 and 6. However, IPSec's policies can be complex and difficult to configure properly. The Windows 2000 Resource Kit includes the IPSec Policy Configuration tool, Ipsecpol.exe. This command-line utility can help you create, assign, and delete IPSec policies. Ipsecpol.exe can handle dynamic and static policies in Active Directory as well as in local and remote registries. As with most tools that are powerful and flexible, Ipsecpol.exe can be a little confusing to use. Following Microsoft's examples will help you achieve certain results in specific situations and become familiar with how the tool works. It can also be confusing to keep track of the services that run on your system's domain controllers. The Windows 2000 Support Tools include the DcDiag.exe utility for this purpose. DcDiag.exe checks for all services that could run on the domain controllers in your environment. You should be aware that because some services are disabled in the Domain Controller Baseline Policy, DcDiag.exe will report them as errors. Keep track of these disabled services so you can discriminate between them and any actual problems with your domain configuration. Securing SQL Microsoft provides several tools specifically for improving SQL Server 2000's security. However, many administrators aren't even aware they're running SQL Server. This is because the SQL Server Desktop Engine (also known as MSDE 2000) underlies much of the functionality of the Windows system, which also makes it vulnerable to SQL-specific attacks. SQL Server 2000 is vulnerable to certain known attacks, such as the Slammer worm. Microsoft offers three tools to help you combat such attacks: SQL Scan, SQL Check, and SQL Critical Update. The SQL Critical Update Kit also includes these three tools, as well as a Systems Management Server (SMS) deployment tool and the Servpriv.exe utility. The same kit also provides the SQL Server 2000 Critical Update Wizard, which leads you through the steps to check and update your computer. Using Microsoft Free Security Tools T.J. Scott Page 9 of 11

10 Certain threats are so serious that Microsoft has created tools specifically to deal with them. The Slammer worm is one such threat to SQL Server or the Microsoft SQL Server Desktop Engine (MSDE); I'll discuss the tools that address it. The Slammer Vulnerability Assessment Tool performs tests on your computer or environment to assess whether there are vulnerabilities in the Slammer worm. If vulnerabilities exist, the tool suggests an option for downloading the appropriate patch. This tool runs from the Microsoft Web site and accesses the machines you specify. SQL Critical Update scans the computer it's running on for instances of SQL Server 2000 and MSDE 2000 that are vulnerable to the Slammer worm, then updates the pertinent files. SQL Critical Update runs on Windows 98, ME, NT 4.0, 2000, and XP. Unfortunately, SQL Critical Update only runs locally, not remotely. The SQL Scan tool (Sqlscan.exe) does a search similar to the SQL Critical Update, but on a wider scale. It can scan an individual computer, a Windows domain, or a range of IP addresses for instances of SQL Server 2000 and MSDE If it finds any instances, it then determines if they're vulnerable to the Slammer worm. Note that SQL Scan doesn't change any files, as SQL Critical Update does; it simply identifies the vulnerabilities, and you'll still need to take the steps to fix them. SQL Scan runs only on Windows 2000 (or higher) and scans computers running Windows NT 4.0, 2000, or XP Professional. It doesn't work on Windows 98, ME, or XP Home Edition. SQL Check scans only the computer it's running on for instances of SQL Server 2000 and MSDE If it finds areas that are vulnerable to Slammer, it disables them (for Windows NT 4.0, 2000, or XP) or identifies them (for Windows 98 or ME). The SQL Critical Update Wizard is an associated tool that leads you through the process of detecting vulnerabilities and updating any affected files. It runs on Windows 98, ME, NT 4.0, 2000, and XP. If you've used the appropriate lockdown tools, your system should be battened down well. However, this isn't a one-time process. You should keep abreast of newly discovered vulnerabilities and the methods for dealing with them. Also reassess your system configuration periodically: Sometimes changes in applications or usage merit changing what's turned on and what's turned off. Using Microsoft Free Security Tools T.J. Scott Page 10 of 11

11 Mastering The Art of Detection Once you've configured your system, you must still assume that it will be a target of an attack. New exploits are hatched daily, and even the strongest armor has chinks. You've erected a fence; now you need to patrol it. You can configure your Windows system to post errors or events into one or more log files. These files are usually on the local machine, and it's often helpful to access them for analysis or comparison, especially when you're trying to understand what happened during a security incident. The Dump Event Log tool command-line tool (Dumpel.exe), included in the Windows 2000 Server Resource Kit, assists in this process. It dumps an event log for a local or a remote system into a specified tab-separated text file. You can then import the resulting file into a spreadsheet or database, or use scripts to analyze the file. The Dump Event Log tool can also filter certain event types to zero in on a specific issue. Research in computer security shows consistently that user problems, not malicious software, cause the most security problems. The reformed hacker, Kevin Mitnick, in his new book The Art of Deception details how social engineering hacks work. A good paraphrase of Mitnick s basic message is People are the weakest link in your security chain. To deal with user problems, Microsoft provides two screensavers to remind users of basic security practices. One screensaver displays the Ten Immutable Laws of Security, and the other displays the Ten Immutable Laws of Security Administration. By installing these screensavers, you might gain some valuable allies in your security battle: your users. As a bottom line notion, you should think about security in general terms. Use the basic steps patching and lockdown, and monitoring and recovery to form the outline of your own security plans. Further, take advantage of the security tools that are available. You never achieve a fully secure system; instead security is a neverending path you must strive not to stray from. Using Microsoft Free Security Tools T.J. Scott Page 11 of 11