1 / 37

Securing New Technology

Securing New Technology. Dominique Brezinski. Introduction. We all have a few questions about Windows NT security: Is it really secure Should we be deploying Internet connected Windows NT systems What are the current vulnerabilities in NT. Summary of Course.

michaelhall
Download Presentation

Securing New Technology

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing New Technology Dominique Brezinski

  2. Introduction We all have a few questions about Windows NT security: • Is it really secure • Should we be deploying Internet connected Windows NT systems • What are the current vulnerabilities in NT

  3. Summary of Course • Security vulnerabilities in the NT architecture and implementation • Methods for addressing the existing and future security vulnerabilities • Techniques and tools for assessing security posture

  4. Who is in Attendance? • Security Auditors? • System Administrators? • Developers? • Others?

  5. Agenda • Some specifics of the NT security architecture • Failings from a security perspective • Securing your NT systems • Assessing your security practices

  6. NT security Architecture • Console Logon Process • Network Logon Process • Object Access • Impersonation

  7. Console Logon Process • Interact with the GINA to give credentials • GINA is the extensible part of WinLogon • WinLogon talks to Authentication Packages through LSA (Local Security Authority) using LogonUser() • Current Authentication Package is MSV1_0 (NT LM Security Provider) • Authentication Package returns security token if credentials are correct

  8. Network Logon Process • Make connection to Server Service (SMB) • Server Service generates a MSV1_0 compatible challenge and sends it to the client (in a SMB_COM_NEGPROT message) • Client responds by encrypting the challenge, using the password as the encryption key, and sending it back to the server

  9. Network Logon Process Cont. • Server Service passes the client’s response and the original challenge to MSV1_0 by calling LsaCallAuthenticationPackage() with the message type MsV1_0Lm20Logon • The LsaCallAuthenticationPackage() returns a security token to the Server service if everything is successful

  10. Object Access • Each object has a DACL (Discretionary Access Control List) • Each Process has a security token (from logon process) attached which contains the identity and privileges of the user context it is executing under • When a process attempts to access an object, the Security Reference Monitor in the kernel checks to see if the identity or privileges in the token match an ACL entry

  11. Impersonation • Process obtains a security token for the user to be impersonated through the LogonUser() function or a direct call to a authentication package with LsaCallAuthenticationPackage() • The process can use this token to temporarily change the user context of a thread to execute as the user (impersonate)

  12. Vulnerabilities and Exploits

  13. Exploits • Anonymous connections • Network Authentication attacks • Buffer overflows in privileged services • Trojan horses and other file permission abuses • Privilege escalation through architectural deficiencies

  14. Anonymous Connections • Created by using null credentials - net use \\target\IPC$ ““ /user:”” • Prior to SP3 could remotely access the Registry on workstations and some servers • Can enumerate users, groups, and get SIDs • Possibly other unknown ramifications

  15. Network Authentication Attacks • Man in the middle attack on authentication sequence to gain remote access as arbitrary user (fixed in SP3 if message signing is used) • Password hash grabbing attacks using a known challenge (not fixed in SP3) or brute-force • Protocol downgrade attacks to obtain plaintext password (fixed in SP3 by default)

  16. Buffer Overflows • They can happen in NT • WebSite 1.0 had a couple nifty CGI programs that could be overflowed • The egg (shell code) has been written and published, so the hard work has been done. • Services running as SYSTEM or Administrator are the primary targets

  17. Trojan Horses and File Permissions • Targets: files (.exe, .dll, .reg) that will get executed by a privileged user - Administrator or System • Extensible portions of the security system are key easy targets - Notification Packages, Password Filters, and GINAs all run under the System context • FPNWCLNT.DLL is a great example: default Registry entry, but the DLL does not exist on NT 4.0 Workstations.

  18. File Permissions Cont. • Group Everyone has write permission to %SystemRoot%\system32 by default, so therefore any local user can add a notification package Trojan called FPNWCLNT.DLL that will get called in the System context. • Group Everyone has FULL CONTROL of %SystemRoot% by default, so even files like poledit.exe and explorer.exe which are (RX) can be changed by anyone.

  19. Privilege Escalation • On July 4, GetAdmin was released on Usenet. • GetAdmin gains privilege to attach to another process (SeDebugPrivilege) through a broken kernel API and then creates a thread in the Winlogon process that executes code in GASYS.DLL which adds an arbitrary user to the Administrator’s group. Very naughty ;)

  20. Securing it

  21. Reduce Services • Only services that are needed should be running - everything else should be disabled. • NT needs the following services to be started to function correctly: EventLog, Plug and Play, and Remote Procedure Call Service (TCP port 135 will be listening). • Experiment - start with the above services and only add as needed.

  22. File Permissions • Don’t give the Everyone group FULL CONTROL of anything • Check “Guidelines for securing Windows NT-based networks and systems” on www.microsoft.com • %SystemRoot% and %SystemRoot%\system32 can be (RX) for non admin users • Removal of execute permission on all executables not needed is a good thing

  23. Registry Permissions • Make sure HKLM\SYSTEM\CurrentControlSet\Control\SecurePipesServers\Winreg exists and only Administrators have permission to it • Again, check “Guidelines for securing Windows NT-based networks and systems” on www.microsoft.com • Use David LeBlanc’s suggestions in the NT Security FAQ

  24. General • Use a password filter to enforce strong passwords (PASSFILT.DLL from SP2 or write your own) • Use passprop.exe from the Resource Kit to enable account lockout on Administrator • Disable Network Logons for administrator equivalent accounts • Turn on auditing for security events

  25. Specific Fixes for Exploits • Install SP3 and set the RestrictAnonymous registry value • Change the DACL of NTOSKRNL.EXE to System and Administrator FULL CONTROL and Everyone EXECUTE (temp hack to fix GetAdmin - not long term) • Remove FPNWCLNT from HKLM\SYSTEM\CurrentControlSet\Control\Lsa\”Notification Packages” • Use message signing NT to NT

  26. More Fixes • Use the TCP/IP Advanced Security options to block all TCP and UDP ports not being used - specifically TCP 135 if not using remote RPC • Disable the WINS TCP/IP binding under the protocol tab and the Server service if the machine is a single purpose server - WWW, FTP

  27. Assessing Your Security

  28. Tools • Your security policy • ISS 4.31 for NT • Ballista • Kane Security Analyst • NAT without #define SCANNER (see *hobbit’s presentation) • A good TCP and UDP port scanner • The Resource Kit(s) • Homebrew (C, TCL, Perl, etc.)

  29. More Tools • DumpAcl • Cacls • Regedt32 • Poledit • Caffiene

  30. Port Scanning • Do a full TCP and UDP port scan • Take note of all listening ports and reference them against what you would expect for the services the machine is suppose to be running • Common listening ports are TCP 135, 137, 138, 139, and several ephemeral ports and UDP 135,137,138, and 139

  31. Service Checks • Tools like ISS, Ballista, and NAT are very helpful • Remember port 139 is used by many services: file sharing and services using RPC over named pipes • Check for all known bugs • Look for unknown or excessive services • See what information can be obtained through SNMP, netstat, RPC end-point mapper, and remote Registry access

  32. File Permission Checks • Print out list of all users and groups • Use a tool like DumpAcl or Cacls to print out a list of all file and directory permissions • Use your security policy as the basis for ACL checks • Look for situation like directories with FULL CONTROL granted to a group that should not have access to some files within the directory

  33. Registry Permission Checks • Use Regedt32 or DumpAcl to list ACLs for HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT • Again, use your security policy as a basis for your checks • Look for situations where users can read or write sensitive keys and values • The SNMP community name and AutoLogon password are viewable by everyone by default

  34. Known Vulnerability Checks • Check for all know vulnerabilities • Look for potentially exploitable conditions like the ability to overwrite executables and dynamic link libraries • Check for Registry keys and values writeable by non-administrators - there are several places by default that everyone can change which can lead to Trojan horses (.reg associations)

  35. Policy Enforcement • Is auditing enabled? • Are password length and lifetime checks enabled? • Do users belong to the correct groups? • Kane Security Analyst is a good tool for this stuff

  36. Summary • We have covered the basics of how NT security operates, what some major problems are, strategies to tighten up security, and some methods for checking your risks • Experiment with this knowledge - use it as a starting point and take tangents

  37. Where to get more information • http://www.microsoft.com/workshop/prog/security/guidesecnt.htm • http://www.ntsecurity.net • mailing list at ntsecurity@iss.net • mailing list at ntbugtraq@rc.on.ca • mailing list at bugtraq@netspace.org • dominique.brezinski@cybersafe.com

More Related