1 / 31

Foiling JD: Top 10 Ways to Stop Hackers

Foiling JD: Top 10 Ways to Stop Hackers. David LeBlanc Eric Schultze Microsoft Corporation. Introduction. Practice Defense in Depth A well-configured server will often resist even newly found vulnerabilities

manelin
Download Presentation

Foiling JD: Top 10 Ways to Stop Hackers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Foiling JD: Top 10 Ways to Stop Hackers David LeBlanc Eric Schultze Microsoft Corporation

  2. Introduction • Practice Defense in Depth • A well-configured server will often resist even newly found vulnerabilities • Example – the NT 4.0 system set up for Eweek’s first OpenHack contest would have remained secure against most new attacks found over the next year

  3. 10. Secure Your Email client • Outlook • Apply the Outlook Security Update • Outlook Express • Move OE to Restricted Sites Zone • Disable Active Scripting and Java • Don’t read e-mail on a web server!

  4. 9. Restrict Anonymous • Set RestrictAnonymous=2 • This blocks detailed enumeration of users and groups over a variety of protocols • (setting included in HiSec* templates) • Do not allow system with RA=2 to become master browser

  5. 8. ACL System Executables • Remove ability for users to execute system commands (cmd.exe, tftp.exe, etc.) • C:\winnt (and subdirectories) • Dir *.exe /s /b > outfile.txt • Cacl *.exe files as such: • Admins: Full • System: Full

  6. 7. ACL Directories • Remove permissions for IUSR, IWAM, and Everyone to Write and Execute files in all directories • Dump directory list to file • Run cacls against each directory • Identify each entry with Everyone perms • Read/Execute • Write • Reset perms as follows:

  7. 7. ACL Directories \Inetpub Everyone:(OI)(CI)F Set to admins:F, everyone:R ------------------------------------------------------------------------------ \Documents and Settings\All Users\DRM Everyone:(OI)(CI)F Set to everyone:R ------------------------------------------------------------------------------ \Documents and Settings\All Users\Application Data\Microsoft\HTML Help Everyone:F \Documents and Settings\All Users\Application Data\Microsoft\HTML Help Everyone:(OI)(CI)(IO)F Set to everyone:R ------------------------------------------------------------------------------ \Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys Everyone:(special access:) READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES Remove FILE_GENERIC_WRITE FILE_WRITE_DATA ------------------------------------------------------------------------------

  8. 7. ACL Directories \Inetpub\AdminScripts Everyone:(OI)(CI)F Inherited permissions from \Inetpub ------------------------------------------------------------------------------ \Inetpub\mailroot Everyone:(OI)(CI)F \Inetpub\mailroot\Badmail Everyone:(OI)(CI)F \Inetpub\mailroot\Drop Everyone:(OI)(CI)F \Inetpub\mailroot\Mailbox Everyone:(OI)(CI)F \Inetpub\mailroot\Pickup Everyone:(OI)(CI)F \Inetpub\mailroot\Queue Everyone:(OI)(CI)F \Inetpub\mailroot\Route Everyone:(OI)(CI)F \Inetpub\mailroot\SortTemp Everyone:(OI)(CI)F Inherited permissions from \Inetpub ------------------------------------------------------------------------------

  9. 7. ACL Directories \WINNT\Tasks Everyone:(OI)(CI)(special access:) READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_GENERIC_EXECUTE FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_EXECUTE FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES \WINNT\system32\Setup Everyone:(OI)(CI)F Set to admins:F, everyone:R ------------------------------------------------------------------------------ \WINNT\system32\inetsrv\Data Everyone:F Set to everyone:R ------------------------------------------------------------------------------ \WINNT\system32\Microsoft\Crypto\RSA\MachineKeys Everyone:(special access:) Set to everyone:R

  10. 6. Disable Services • Alerter • Computer Browser • Indexing Service • Messenger • Print spooler • Remote Registry • Distributed File System • Workstation • Server • Telnet • Smtp

  11. 5. Filter Ports 42 WINS Host Name Server 80 HTTP 88 Kerberos 135 MS RPC 139 NetBIOS Session Service 389 LDAP 443 SSL 445 CIFS-SMB 464 kpasswd 593 HTTP endpoint mapper 636 SSL-ldap 3268 MS Global Catalog 3269 MS Global Catalog 3372 (Local-host only connection) 3389 MS Terminal Server xxxx IIS 5.0 HTML Mgmt

  12. 5. Filter Ports • Apply IPSec Port Filters • Block access to ALL ports but • 80, 443, etc.

  13. 5. Filter Ports

  14. 5. Filter Ports • Apply Port Filtering at the Router • Block all non-essential ports in BOTH directions • Why should DMZ webserver be doing NetBIOS, TFTP, or HTTP OUTBOUND to other Internet Hosts? • It Shouldn’t. Block It.

  15. 4. Disable NetBIOS • Foil Feinman • Don’t allow malicious users to access tcp 139 and tcp/udp 445 • Without this access – it will be much tougher for hacker to enumerate details about users and groups

  16. 4. Disable NetBIOS • IPSec • Create Blocker rules for tcp 139 and tcp/udp 445 • Unbind File and Printer Sharing for Microsoft Networks • Will stop 139 from responding to requests • Advanced IP filtering • Only allow required ports • Unbind NetBIOS from WINS

  17. Must select Advanced – Advanced Settings 4. Unbind F&P Sharing No Reboot Required 445 disappears, 139 appears, but does not respond

  18. 4. Advanced IP Filtering Reboot Required !! Only specified ports are allowed

  19. 4. Advanced IP Filtering Reboot Required !! WARNING Selecting IP Protocols –Permit Only ‘6’ (tcp) will ALSO allow ICMP ‘1’ – even though this is not explicitely defined

  20. 4. Unbind NetBIOS from WINS No Reboot Required 139 disappears, 445 still accepts connections

  21. 4. Disable NetBIOS • Most Secure Option Is to Unbind File and Printer Sharing from the specified adapter • Both 139 and 445 will be prohibited

  22. 4. Foiling Feinman • Aside from Blocking User Enumeration via NetBIOS • You must secure enumeration via SNMP and LDAP • Block tcp 389 and udp 161 • DO NOT weaken perms on AD during AD setup • Or, remove EVERYONE group from Pre-Windows 2000 Compatability group

  23. 4. Foiling Feinman

  24. 3. Apply Security Templates • Templates located in: • Winnt\security\templates • Basicdc • Basicsv • Basicws • Compatws • Hisecdc • Hisecws • Ocfiless • Ocfilesw • Securedc • Securews • HISECWEB – download from microsoft.com/security

  25. 2. Follow IIS5 Checklist • Summary: • Remove sample apps • inetpub\samples • winnt\help\iishelp • Program files\common files\system\msadc • ACL IIS log file • Admin and system Full • Everyone RWC • Enable IIS Logging • Review all code on server for RevertToSelf calls

  26. 2. Follow IIS5 Checklist (cont) • Disable File System Object • Regsrv32 scrrun.dll /u • Remove IISADMPWD directory (if exists) • Only exists if upgraded from IIS4 • Remove script mappings • htr, idc, stm, shtm, shtml • Disable Parent Paths • Scripts, msadc, etc.

  27. Additional IIS Security Steps • Remove or disable Admin web sites • Remove Server extensions if you aren’t using them (remove files, too) • Run Permissions Wizard on all web directories • Disable Windows Auth on directories that don’t need it

  28. 1. Apply Hotfixes • Apply the Patches • MS00-086 • Solves Directory Traversal Vulnerability • Supersedes 00-057 and 00-078 • MS01-007 • Solves Win2K Privilege Escalation Vulnerability • Visit microsoft.com/security for others…

  29. 1. Apply Hotfixes Search by Service Pack

  30. 1. Apply Hotfixes DRAFT

  31. Resources • www.microsoft.com/security • Bulletins and patches • IIS5 Security Checklist • HiSecWeb Template • HFCheck (IIS5 hotfix checker) • secure@microsoft.com • Reports of security vulnerabilities in MS products • secfdbck@microsoft.com • Feedback on website, tools, checklists, etc.

More Related