Computer Security and Penetration Testing Chapter 16 Windows

Computer Security and Penetration Testing
Chapter 16
Windows Vulnerabilities
Objectives
• Describe the Windows operating systems
• Explain the vulnerabilities of Windows Server 2008/XP/Vista/7/8
Computer Security and Penetration Testing
2
Windows Operating System
• Windows XP
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows 8
Vulnerabilities in Windows 2008/XP/Vista/7/8
• All of these operating systems are used to build large corporate networks
• All of them have good networking features and user-friendly interfaces
– Microsoft issued security patches for them while they were in support; every version listed here has since reached end of support and no longer receives fixes, which makes each unpatched flaw below a permanent one
• None of them is secure with default installation settings; hardening after installation is required
Passwords
• Security of passwords is very important to the security of any system
– Hash functions (and, for the SAM database as a whole, encryption) are used to protect them rather than storing them in clear text
• Easiest way to break password security when the attacker has physical access to the machine
– Boot an offline password-reset tool from removable media and overwrite the Administrator entry in the SAM with a blank password; BIOS/UEFI boot restrictions and full-disk encryption are the defence against this
• Windows NT-based versions (2000 and later) store local account passwords as hash values
– Database called Security Accounts Manager (SAM), a registry hive kept in %SystemRoot%\System32\config
– Two hash formats exist: the legacy LM hash (case-insensitive, split into two 7-character halves, trivially cracked) and the NT hash (MD4 of the UTF-16LE password); neither is salted
Passwords (continued)
• Operating system locks the SAM hive file while Windows is running
– So it cannot be copied with ordinary file operations from within the running system; an administrator can still read it through the registry (HKLM\SAM), from a volume shadow copy, or offline by booting another operating system
• Attackers crack the extracted hashes offline with password-cracking tools (dictionary, rule-based and brute-force attacks); because the hashes are unsalted, precomputed tables work as well
• Attackers with administrator rights can dump the hashes directly from the registry
• Attackers might also copy the SAM database and run the password cracker on the file
Passwords (continued)
• Microsoft utility SYSKEY
– Safeguards the stored hashes against offline reading of the SAM file alone
– Encrypts the hashes in the SAM with a 128-bit key (the boot key); by default that key is derived from values in the SYSTEM hive on the same disk
• Tools such as Cain & Abel do not break the 128-bit encryption: they recover the boot key from the SYSTEM hive (or from the running system) and decrypt the hashes
– SYSKEY only adds real protection when the boot key is held on removable media or derived from a start-up password instead of being stored in the registry
• pwdump3 dumps the hashes from a remote computer
– Works even when SYSKEY is active, because it runs on the target system, where the boot key is available
– Requires administrator credentials on the target
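The following PowerShell is added here as an illustration and is not from the textbook. It shows why a locked SAM is no defence against a local administrator (both hives needed for offline cracking can be exported with reg.exe) and then checks the two LSA settings that decide how valuable the exported hashes are. The scratch directory C:\Temp\hive-export is an assumption; run it from an elevated session.

```powershell
# Added example (not from the textbook). Run in an elevated PowerShell session.
# Part 1: export the SAM and the SYSTEM hive. The SAM alone is useless to an
# attacker, because the SYSKEY boot key stored in SYSTEM is needed to decrypt it.
$OutDir = 'C:\Temp\hive-export'   # assumed scratch location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

reg.exe save HKLM\SAM    "$OutDir\sam.hiv"    /y | Out-Null
reg.exe save HKLM\SYSTEM "$OutDir\system.hiv" /y | Out-Null
Get-ChildItem -Path $OutDir | Select-Object Name, Length

# Part 2: audit the LSA settings that govern the stored hashes.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# NoLMHash = 1 stops Windows from storing the weak LM hash at the next
# password change (absent on XP, which means LM hashes are stored).
if ($lsa.NoLMHash -eq 1) {
    'OK:   LM hashes are not stored (NoLMHash=1)'
} else {
    'WEAK: LM hashes are stored; set NoLMHash=1 and force password changes'
}

# LimitBlankPasswordUse = 1 (the default) restricts local accounts with a
# blank password to console logon, so they cannot be used over the network.
if ($lsa.LimitBlankPasswordUse -eq 1) {
    'OK:   blank-password accounts are limited to console logon'
} else {
    'WEAK: blank-password accounts are usable over the network'
}

# Remediation (uncomment to apply):
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name NoLMHash -Value 1 -Type DWord
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LimitBlankPasswordUse -Value 1 -Type DWord
```

Setting NoLMHash only affects hashes written after the change, so existing LM hashes remain in the SAM until every account changes its password.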
Default Accounts
• Default “Administrator” account
– On XP the password is blank unless one is set during setup; on Vista and later the built-in Administrator is disabled by default and a user-created account holds administrative rights instead
• The built-in Administrator account cannot be deleted from a Windows computer
– Its password can be changed, and the account can be disabled
• Users can rename the account from Administrator to something else
– Then make a new account named Administrator as a decoy, giving it no special access privileges
– Caveat: the real account keeps relative identifier (RID) 500 in its SID, so any tool that enumerates accounts by SID still finds it whatever it is called
Default Accounts (continued)
• Default “Guest” account
– Allows occasional, non-regular users to access the system
– Default password is blank; the account is disabled by default on current versions and should stay that way
• Default “default” account
– Has full administrative rights at installation
• Default accounts make a password cracker’s life much easier
– Audit every account present after installation, disable or remove any you did not create, and require a password on all of them
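The PowerShell below is an added example, not part of the textbook. It lists every local account with its RID so that the built-in Administrator (RID 500) and Guest (RID 501) are identified regardless of their current names, then applies the slide's hardening steps. It uses the Win32_UserAccount WMI class and net.exe so that it works on XP through Windows 8 without the newer Get-LocalUser cmdlets; the decoy name svc-backup is an assumption.

```powershell
# Added example (not from the textbook). Run from an elevated session.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True"

# Inventory: the last component of the SID is the RID; 500 is always the
# built-in Administrator and 501 is always Guest, whatever they are called.
foreach ($a in $accounts) {
    $rid   = [int](($a.SID -split '-')[-1])
    $flags = @()
    if ($rid -eq 500)             { $flags += 'BUILTIN-ADMIN' }
    if ($rid -eq 501)             { $flags += 'BUILTIN-GUEST' }
    if (-not $a.Disabled)         { $flags += 'enabled' }
    if (-not $a.PasswordRequired) { $flags += 'NO-PASSWORD-REQUIRED' }
    '{0,-20} RID {1,-5} {2}' -f $a.Name, $rid, ($flags -join ', ')
}

$admin = $accounts | Where-Object { [int](($_.SID -split '-')[-1]) -eq 500 }
$guest = $accounts | Where-Object { [int](($_.SID -split '-')[-1]) -eq 501 }
$adminName = $admin.Name
$guestName = $guest.Name

# 1. Strong password on the real administrator account (net user prompts for
#    it when given *, so the password does not land in the command history),
#    then a non-obvious name. Renaming changes the name only; the RID stays 500.
net user $adminName *
$admin.Rename('svc-backup') | Out-Null      # assumed decoy-friendly new name

# 2. Keep Guest disabled.
net user $guestName /active:no

# 3. Decoy: an unprivileged account called Administrator. net user /add puts it
#    in the Users group only, so attacks aimed at the name hit a plain user.
net user Administrator * /add
```

The inventory loop is the useful part for a pentester: an account named "svc-backup" with RID 500 is the real administrator, and a "NO-PASSWORD-REQUIRED" flag on an enabled account is exactly the blank-password condition the slide warns about.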
File Sharing
• In Windows, users can share the files in a folder
– Select the “Share this folder” option to enable the sharing feature
– The default share permission grants the Everyone group access (Read on current versions, Full Control on older ones), so a new share is reachable by any user on the network
• To set the permissions more tightly, click the Permissions button in the Properties dialog box
• Access can be restricted based on user or group
– Share permissions and NTFS permissions are combined, and the more restrictive of the two wins, so both layers should be set
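As an added example (not the textbook's), the PowerShell below creates a share with the weak default, then tightens both the share ACL and the NTFS ACL to named groups, and finishes with an audit of every non-administrative share on which Everyone or Authenticated Users still has access. It needs the SmbShare module (Windows 8 / Server 2012 and later) and icacls.exe; the share name, path and the CORP\Finance-Staff and CORP\Auditors groups are assumptions.

```powershell
# Added example (not from the textbook). Run from an elevated session.
$Share = 'Finance'                 # assumed share name
$Path  = 'C:\Shares\Finance'       # assumed folder
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Weak: with no permissions specified the share is granted to Everyone.
New-SmbShare -Name $Share -Path $Path | Out-Null
Get-SmbShareAccess -Name $Share    # shows the Everyone entry

# Tightened share layer: remove Everyone, grant only the groups that need it.
Revoke-SmbShareAccess -Name $Share -AccountName 'Everyone' -Force | Out-Null
Grant-SmbShareAccess  -Name $Share -AccountName 'CORP\Finance-Staff' -AccessRight Change -Force | Out-Null
Grant-SmbShareAccess  -Name $Share -AccountName 'CORP\Auditors'      -AccessRight Read   -Force | Out-Null

# Tightened NTFS layer: cut inheritance and replace the ACL outright.
# Effective access is the more restrictive of the share and NTFS ACLs.
icacls $Path /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
             'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
             'CORP\Finance-Staff:(OI)(CI)M' `
             'CORP\Auditors:(OI)(CI)RX' | Out-Null

# Audit: user-created shares (Special = $false excludes C$, ADMIN$, IPC$)
# that still grant access to Everyone or Authenticated Users.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name |
        Where-Object { $_.AccountName -match 'Everyone|Authenticated Users' }
} | Select-Object Name, AccountName, AccessControlType, AccessRight
```

On XP through Windows 7, where the SmbShare module is not available, the same share-level permissions can be set with `net share Finance=C:\Shares\Finance /GRANT:"CORP\Finance-Staff,CHANGE" /GRANT:"CORP\Auditors,READ"`; the icacls step is unchanged.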
Windows Registry
• Windows 95 was the first version of Windows to use the registry as its central configuration store
• One critical vulnerability in the registry is related to the entries that control what is run when a user logs in
• Windows registry maintains this information in a key called
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– Every value under this key is executed at logon for every user of the machine, including administrators
Windows Registry (continued)
• Automatically, every user of a Windows 2000 and XP computer has “Set Value” access to this registry key
• “Set Value” access lets any user who can log on to the system add or modify entries
– A user who does not have administrator privileges can add an entry pointing at a program of their choice; it then runs in the context of every user who next logs on, including administrators, which gives the attacker both persistence and elevated privileges
– The fix is to restrict write access on the key to Administrators and SYSTEM and to monitor it for changes
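The PowerShell below is an added example and not from the textbook. It lists what the machine-wide Run key currently launches, audits its ACL for any principal other than Administrators, SYSTEM and TrustedInstaller that holds a write right (Set Value, Create Subkey, Write Key or Full Control), and removes those entries. The set of trusted principals is an assumption you may need to extend for your environment; run it from an elevated session (the audit part needs only read access).

```powershell
# Added example (not from the textbook). Run from an elevated session.
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# What starts for every user at logon (the PS* properties are provider noise).
Get-ItemProperty -Path $RunKey | Select-Object * -ExcludeProperty PS* | Format-List

# Rights that allow adding or changing an entry. WriteKey and FullControl
# both include SetValue, so all four are checked.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

# Principals allowed to write (assumed baseline; extend for your own setup).
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller'

$acl = Get-Acl -Path $RunKey
$bad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.RegistryRights -band $writeRights) -ne 0 -and
    $trusted -notcontains $_.IdentityReference.Value
}

if (-not $bad) {
    'OK: only trusted principals can write to the Run key'
} else {
    'WEAK: write access to the Run key for:'
    $bad | Select-Object IdentityReference, RegistryRights, IsInherited | Format-Table -AutoSize

    # Remediation. Inherited ACEs cannot be removed individually, so
    # inheritance is cut first (keeping copies of the inherited ACEs as
    # explicit ones) and the offending ACEs are then removed.
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($ace in $bad) { $acl.RemoveAccessRule($ace) | Out-Null }
    Set-Acl -Path $RunKey -AclObject $acl
}
```

The per-user key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is writable by its owner by design; it matters for persistence, not for escalation, because entries there run only as that user.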
Trust Relationship
• Trust relationship
– Allows the authenticated users of one Windows domain (the trusted domain) to access resources in another (the trusting domain) without authenticating again; the trusting domain relies on the trusted domain’s authentication
• Authentication and authorization are separate steps
– Authentication verifies the user’s credentials; authorization compares the Security Identifiers (SIDs) in the user’s access token against the access control list on the resource
• Access control lists store SIDs and the rights granted or denied to each SID
– Every securable resource maintains an access control list
Trust Relationship (continued)
• A trusting domain allows the trusted domain to authenticate users on its behalf
• A cracker who controls the trusted domain can inject arbitrary SIDs, such as the SID of the trusting domain’s Domain Admins group, into a user’s token (typically through the SIDHistory attribute), and the trusting domain then honours them
• Hackers require administrator privileges on the trusted domain in order to exploit this
– Furthermore, they need strong technical knowledge
• Microsoft’s fix, first shipped as a patch for Windows 2000 and known as SID filtering, makes the trusting domain strip every SID that does not belong to the trusted domain from tokens crossing the trust
– It is enabled by default on external trusts created on later versions, but it should be verified on every trust, and it never applies inside a forest, which is why the forest, not the domain, is the security boundary
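The PowerShell below is an added example, not the textbook's. It lists every trust of the current domain with its SID-filtering state (Microsoft calls filtering on a trust "quarantine") and flags external trusts where it is off; the final netdom line shows how to turn it on. It needs the ActiveDirectory module from RSAT on Windows Server 2012 or later, and the domain names in the netdom example are assumptions.

```powershell
# Added example (not from the textbook). Run on a DC or an RSAT host.
Import-Module ActiveDirectory

# All trusts with their filtering state. SIDFilteringQuarantined = $true means
# SIDs that do not belong to the trusted domain (for example injected
# SIDHistory entries) are stripped from tokens that cross this trust.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, IntraForest,
                  SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication |
    Format-Table -AutoSize

# Intra-forest trusts never filter, so only external ones are checked.
$unfiltered = Get-ADTrust -Filter * |
    Where-Object { -not $_.IntraForest -and -not $_.SIDFilteringQuarantined }

if ($unfiltered) {
    'WEAK: SID filtering is disabled on:'
    $unfiltered | Select-Object Name, Direction | Format-Table -AutoSize
} else {
    'OK: SID filtering is enabled on every external trust'
}

# Enabling it is done on the trusting domain, naming the trusted domain
# (assumed names; netdom prompts for the password when given *):
# netdom trust corp.example.com /domain:partner.example.com /quarantine:Yes /userD:PARTNER\admin /passwordD:*
```

Turning quarantine on breaks any access that legitimately depended on SIDHistory across the trust (for instance during a migration), so check who still relies on it before applying the change.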
RPC Service Failure
• Remote Procedure Call (RPC) service of Windows (RPCSS, reachable on TCP port 135)
– In the affected versions it did not validate the inputs submitted to it for processing
• Hackers can easily send RPC requests with malformed inputs
– Malformed inputs crash the service, and the system services that depend on it stop for a period of time (a denial of service)
– Apply the relevant patches and expose port 135 only to trusted networks
Summary
• Microsoft Windows is the most common preinstalled
operating system in the world
• The security of the applications running on a
computer is dependent on the security of the
operating system
• The belief that Windows is less secure than other
operating systems stems in part from the sheer
ubiquity of Windows and from the philosophy
underlying the design of the original Windows
systems
Summary (continued)
• Vulnerabilities affecting one or more of these systems
include password security, default accounts, file
sharing defaults, Windows registry security defaults,
trust relationships between domains, Event Viewer
buffer overflow, NBNS protocol spoofing, RPC service
failure, SMTP authentication, Telnet vulnerabilities, IP
fragments reassembly, and Reset-Browser frame
vulnerability
• Although Vista places a greater emphasis on security
than its predecessors, some vulnerabilities exist