2002-03-20-MAEDS-SecuringWindows
Windows Security
by: Mark Lachniet
Introductions
• Mark Lachniet,
• MCNE, MCSE, CCSE, LPIC-1
• Sr. Security Engineer @ Analysts
International
• Formerly a technician and then the IS
director at Holt Public Schools
• Formerly a MAEDS board member
• New daddy
What we have to work with:
Agenda
• Risks
• Microsoft Tools to know about
• Policies and procedures
• Secure network designs
• Physical Security
• OS Security
• IIS Security
• Intrusion Detection / Prevention
• Vulnerability Assessments
• Questions and Answers
History – Microsoft products
• WFW, Win9x/ME are meant for single user
implementations – no security to speak of (use
desktop security if you need it)
• Windows NT 3.5x / 4.x / 2000 / XP are multiuser systems that presumably enforce system
and user security
• Nonetheless, they still subscribe to the “kitchen
sink” approach, rather than the “secure by
default” approach (.NET may change this)
• The new frontier - Internet Information
Server, SQL server, programming interfaces
such as ASP, VBScript, etc.
History – Microsoft products
• Many hackers consider it fun to pick on Microsoft
• Some implementation issues such as NTLM
hashing issues have come up
• Many problems are due to ID-10-T errors. Easy
configuration = easy mis-configuration
• NIMDA, Code Red I / II, and numerous Outlook
viruses have caused big problems and created bad
publicity for the company
• Closed-source products make it difficult for
individuals to find and fix problems
• Numerous patches, hotfixes, and service packs have
created versioning and stability problems on
production servers
History – Microsoft’s response
• Microsoft has made security a priority
• Numerous service packs, hot fixes, and tools have
been created and released
• Response time for security issues has improved
greatly and security reporting was formalized
• Fewer reported vulnerabilities have fallen
through the cracks
• Have halted development and sent all of their
developers to a security boot camp
• A “letter from the top” by Bill Gates has formally
stated that security is the direction that the
company must go
The current situation
• Despite what some would say, it is
possible to secure most Windows
machines
• It is, however, very time consuming and
potentially complicated to do so
• It requires constant vigilance to keep
servers up to date
• This all needs to be factored into the
total cost of ownership, and not treated
like a side cost
Today’s presentation
• Will focus on NT4 / 2000 / XP
• Will focus on Internet servers (IIS)
• Will focus on “hardening” of servers
• Will attempt to be specific
• Assumes a technical audience
• Based on an internal Analysts International server hardening checklist
• Will NOT cover the 100 other things you need to know about security
Risks – a quick summary
• To better qualify your risks, you need to perform
a security analysis. Just securing servers is not
enough
• Computer security must be “defense in depth” supported on many levels
• Physical security is critical; without it, nothing is
secure (e.g. console, backups, etc.)
• Risks from a poor network design (especially
Internet servers) are significant
• Poor policies and procedures can lead to risk (e.g.
not coordinating hires/fires w/ H.R.)
• Need monitoring and log analysis to find
problems
More risks
• Remote access (VPN, dialup, wireless) to the
network that bypass firewalls
• Remote control of machines (PC Anywhere,
VNC, Terminal Services)
• Vendors and partners! Never trust a vendor,
even me. Firewall them off, and make sure their
servers are secure.
• Students – bored, frequently smart, and tons of
free time and motivation
• Network sniffing and “man in the middle
attacks”
• Password cracking
• Etc. etc. etc.
Tools I use: hfnetchk.exe
• If you aren’t using it, you should
• Similar in functionality to Windows update, but
more verbose and doesn’t install anything
• Used to check for installed hotfixes and patches
for the NT4, 2000, XP*, IIS, IE5+, SQL 7 / 2000
• Examines registry keys and file checksums to
verify the installation of hotfixes and patches
• Can be used across the network and can be
scripted to automate security work
• Cannot always verify all patches, so there is some
uncertainty if you have correctly applied them
• Does not support all Microsoft products
• My favorite – it’s simple and it works
Tools I never use:
The IIS lockdown tool
• Follows the “defense in depth” philosophy of
security by addressing multiple security
aspects
• Meant to provide an easy way of locking
down servers. Templates are provided for
some profiles of server.
• It may insulate you from the actual changes
that it is making. Unless you know where to
look, you have to take its word for it
• It also includes the URLScan tool which is a
type of IPS (Intrusion Protection System)
Tools I never use:
The Personal Security Advisor
• http://www.microsoft.com/technet/mpsa/start.asp
• Web based product to analyze the security of a
workstation
• Not designed for complicated installations, and not really
suitable for servers or IIS
• It is, however, pretty good at analyzing workstations for
things like Internet zone settings, Outlook settings,
Microsoft Office, etc.
• A good way to protect end users from Internet naughtiness
• Runs some simple security checks (weak passwords)
• Would be a good tool to run before deploying a
workstation or image
Microsoft security checklists
and hardening guides
• NT 4 server / workstation checklists
• Win 2k server / pro baseline checklists
• IIS 4.0 / 5.0 baseline checklists
• Domain controller checklists, etc.
• In general, these are a good starting
point, but are not really paranoid
enough
Good hardening guides
• NSA hardening guides
• If it’s good enough for them…
• Multiple high-quality guides are free for
download from: http://www.nsa.gov
• Come in PDF format with lots of screen captures
and step-by-step instructions
• Have guides for Cisco routers, NT4, and many
Windows 2000 guides – exchange, IIS5, group
policy, kerberos, etc.
• You probably aren’t going to want to do
*everything* in them, so pick and choose what
makes sense for your organization
Good Hardening Guides
• Guides from SANS.org (System
Administration Networking and Security)
• These are not free, but are based on the work
of experts in the field
• SANS offers the best security training
around, if you can afford to go (~$3k/5days)
• SANS also offers security certification tracks
to prove your skills
• As part of this certification, you have to write
a “practical” or paper on a topic
• These papers are free for all, and mostly good
http://rr.sans.org/win2000/win2000_list.php
The 5 minute tour…
• Because of the amount of material to
cover, I am going to discuss a lot of
material very quickly
• I will focus more on technical aspects
than on administrative stuff
• These are important, but I want to leave
enough time for tangible action items
you can take home with you
• Please remember, just doing these
things does not equal security
Policies and Procedures
• Subscribe to security listserves! You
must know what the enemy knows
• BugTraq and NT BugTraq at:
http://online.securityfocus.com/archive
• Microsoft Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/notify.asp
• SANS News at
http://server2.sans.org/sansnews
• And many others…
Policies and Procedures
• Document procedures for the configuration,
usage, and maintenance of servers and
workstations
• Update these procedures regularly
• Limit access to the server to minimum
• Maintain a disaster recovery plan
• Limit usage of the server to its core function
(i.e., a web server). Do not use it as a browser
or for routine work! This opens it up to the
risk of malicious code or user error
Network Security
• Use a network design that has security in mind!
• Use a firewall with a DMZ to host all Internet
servers
• Use an implicit “deny all” policy, and only open
up the necessary ports to the outside (80, 443, 25,
110, etc.) Never NetBIOS stuff (135-139)
• Similarly, create only the bare minimum rules for
the DMZ server to talk to the inside network.
Don’t allow any communication, if possible
• Consider using Cisco private VLAN technology
to limit communication between DMZ servers
• Use encryption! SSL especially
Physical Security
• If you can physically access the
machine, you can do almost anything
• I have boot disks that can reset the
administrator password in < 5mins
• Once reset, the possibilities are endless –
do a “reverse telnet shell”, log
keystrokes (such as the real
administrator trying to log in), etc.
• Even without rebooting, removable
media is an issue
Physical Security
• Physically lock up the servers
• Make lots of backups (just in case)
• Lock up Emergency Repair Disks
• Only allow a single OS on the system
• Password protect screen savers & BIOS
• Disable booting to floppy and CD
• Remove all modems and management tools (e.g. Compaq Insight Manager)
• Beware of USB devices!
During Installation
• Do not connect to the Internet while
installing (can be hacked during install)
• Install the minimal number of packages
• Make Internet servers standalone – not
part of any domain or active directory
• Format all volumes as NTFS
• Install IIS on a separate volume or hard
drive. (note that this requires an
unattended installation and script)
• Use strong administrator passwords
Install all service packs
• Operating system
• Internet Information Server
• Internet Explorer
• SQL server, others as needed
• hfnetchk.exe should come up clean*
before the server is deployed
Filesystem Security
• The ‘everyone’ group has full access to all
drives by default! This is dangerous and
unnecessary
• Carefully remove ‘everyone’ and add
administrators, users, etc. to disks using
descriptive groups
• Create a ‘web user’ group that has READ
access to IIS directories
• Create a ‘web admin’ group that has WRITE
access to IIS directories
• Add IUSR_BOX and IWAM_BOX to ‘web
users’ and, only if needed, to ‘web admin’
Filesystem Security
• Delete, or restrict access to, dangerous
programs to make hacking harder:
ARP.EXE
ATSVC.EXE
CACLS.EXE
CMD.EXE
CSCRIPT.EXE
DIALER.EXE
EDLIN.EXE
FTP.EXE
HTIMAGE.EXE
IPCONFIG.EXE
MSIEXEC.EXE
NET.EXE
NETSH.EXE
PING.EXE
POSIX.EXE
QFECHECK.EXE
RDISK.EXE
REGEDT32.EXE
ROUTE.EXE
RUNAS.EXE
SECFIXUP.EXE
SYSKEY.EXE
TFTP.EXE
TSKILL.EXE
WSCRIPT.EXE
NETSTAT.EXE
AT.EXE
ATTRIB.EXE
CLIPSRV.EXE
COMMAND.COM
DEBUG.EXE
EDIT.EXE
FINGER.EXE
HYPERTRM.EXE
IMAGEMAP.EXE
ISSYNC.EXE
NBTSTAT.EXE
NET1.EXE
NSLOOKUP.EXE
POLEDIT.EXE
QBASIC.EXE
RCP.EXE
REGEDIT.EXE
REXEC.EXE
RSH.EXE
RUNONCE.EXE
SYSEDIT.EXE
TELNET.EXE
TRACERT.EXE
UNINST.EXE
XCOPY.EXE
Filesystem Security
• Remove all resource kits and SDKs
• Disable indexing of disks recursively
• Never allow the emergency console to
boot from the hard drive
• Delete backup copies of the registry
from X:\%System Root%\repair\
• Configure the recycle bin to
immediately delete files
• Configure the system swap file to be
deleted at shutdown
High-accountability logging
• Enable auditing of filesystem accesses
• Configure auditing to log all failed file
accesses by the ‘everyone’ group
• Increase the size of the event log to
512mb if possible
• Set event viewer to delete events that
are N days old, where N matches your
backup schedule
• Audit the use of privileges
Monitor suspicious log events
• Filter event logs for interesting events
– 529: Unknown Username or Bad Password
– 537: Unsuccessful Logon
– 530: Account Logon Time Restriction Violation
– 531: Account Currently Disabled
– 532: Account Has Expired
– 533: User Not Allowed to Log on
– 534: Logon Type Restricted
– 535: Password Expired
– 516: Some Audit Event Records Discarded
– 517: Audit Log Cleared
More Suspicious Events
– 624: User Account Created
– 630: User Account Deleted
– 627: Change Password Attempt
– 636: Local Group Member Added
– 632: Global Group Member Added
– 642: User Account Changed
– 643: Domain Policy Changed
– 608: User Right Assigned
– 609: User Right Removed
– 612: Audit Policy Change
– 610: New Trusted Domain
– 611: Removing Trusted Domain
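A triage pass over the two event lists above, as an added example that is not part of the original deck: it parses exported Security log records (the tab-separated column layout and every sample record are constructed assumptions, not a real export), flags the listed event IDs, counts logon-failure bursts per account, separates audit-log tampering, and reports any use of the rights-less decoy administrator account that the accounts slides recommend creating.

```python
import csv
import io
from collections import Counter

# Event IDs from the two slides above, grouped by what they point to.
LOGON_FAILURES = {529: "Unknown Username or Bad Password", 530: "Logon Time Restriction Violation",
                  531: "Account Currently Disabled", 532: "Account Has Expired",
                  533: "User Not Allowed to Log on", 534: "Logon Type Restricted",
                  535: "Password Expired", 537: "Unsuccessful Logon"}
AUDIT_TAMPERING = {516: "Some Audit Event Records Discarded", 517: "Audit Log Cleared"}
ACCOUNT_CHANGES = {608: "User Right Assigned", 609: "User Right Removed", 610: "New Trusted Domain",
                   611: "Removing Trusted Domain", 612: "Audit Policy Change", 624: "User Account Created",
                   627: "Change Password Attempt", 630: "User Account Deleted", 632: "Global Group Member Added",
                   636: "Local Group Member Added", 642: "User Account Changed", 643: "Domain Policy Changed"}
INTERESTING = {**LOGON_FAILURES, **AUDIT_TAMPERING, **ACCOUNT_CHANGES}
FIELDS = ["date", "time", "source", "type", "category", "event", "user", "computer"]

# Constructed sample records, tab-separated in FIELDS order (assumed to mirror an
# Event Viewer text export): a burst of bad passwords against the decoy
# "administrator" account, a group membership change, then the audit log cleared.
SAMPLE_LOG = "\n".join([
    "03/20/2002\t08:01:10\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tWEBADMIN\tWEB1",
    *["03/20/2002\t08:02:4%d\tSecurity\tFailure Audit\tLogon/Logoff\t529\tadministrator\tWEB1" % i
      for i in range(1, 6)],
    "03/20/2002\t08:05:00\tSecurity\tSuccess Audit\tAccount Management\t636\tWEBADMIN\tWEB1",
    "03/20/2002\t08:05:30\tSecurity\tSuccess Audit\tSystem Event\t517\tWEBADMIN\tWEB1",
    "03/20/2002\t08:06:00\tSecurity\tSuccess Audit\tLogon/Logoff\t538\tWEBADMIN\tWEB1",
])

def parse_export(text):
    """Yield one dict per well-formed record; blank or malformed lines are skipped."""
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) == len(FIELDS) and row[5].isdigit():
            yield dict(zip(FIELDS, row), event=int(row[5]))

def triage(text, burst_threshold=5, decoy="administrator"):
    """Return interesting records, logon-failure bursts per account, audit-log
    tampering (516/517), and every use of the rights-less decoy account."""
    hits, decoy_use, failures = [], [], Counter()
    for rec in parse_export(text):
        if rec["event"] in INTERESTING:
            hits.append((rec["time"], rec["event"], INTERESTING[rec["event"]], rec["user"]))
        if rec["event"] in LOGON_FAILURES:
            failures[rec["user"].lower()] += 1
        if rec["user"].lower() == decoy.lower():  # nobody legitimate should touch it
            decoy_use.append((rec["time"], rec["event"]))
    return {"hits": hits, "decoy": decoy_use,
            "bursts": {u: n for u, n in failures.items() if n >= burst_threshold},
            "tampering": [h for h in hits if h[1] in AUDIT_TAMPERING]}
```

Run it against a real Event Viewer text export by passing the file contents to triage(); a 517 right after a burst of 529s is the pattern worth paging someone for.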
Network Adapter Settings
• Disable all bindings except TCP/IP
• Use IP filters to limit incoming traffic to only
required ports (80, 443, 25, etc.)
• Disable remote access to the registry
• Disable NetBIOS over TCP/IP
• Disable IP routing
• Do not make “dual-homed” hosts that
connect insecure (external) networks to secure
(internal) networks
• Harden TCP/IP stack to DoS attacks
Disable Unnecessary Services
• Alerter
• Clipbook server
• Computer browser
• Distributed File System
• Distributed Link Tracking Systems Server
• Distributed Link Tracking Systems Client
• IPSEC policy agent (unless IPSEC is used)
• Licensing Logging Service
• Logical Disk Manager Administrator Service
(needed for software RAID)
• Messenger
• Net Logon
Disable Unnecessary Services
• Network DDE
• Network DDE DSDM
• Print Spooler
• Remote Registry Service
• Removable Storage
• Server Services (needed for SMTP services)
• Task Scheduler
• TCP/IP NetBIOS Helper
• Telephony (needed for terminal server)
• Windows Installer
• Windows Time
• Workstation Service (needed for some
maintenance tasks)
Accounts and User IDs
• Configure password strength
enforcement for users
• Rename the administrator account
• Create a bogus administrator account
with no rights and log its use
• Rename and disable the guest account
• Remove ‘access this computer from the
network’ rights from administrator and
‘everyone’ group
Accounts and User IDs
• Remove the ‘log on locally’ right from
all users and groups that don’t need it
• Perform periodic password cracking to
find bad passwords (including products
that log in and run as services)
• Disable remote access to the registry
• Disable anonymous access to NetBIOS
services (used for anonymously iterating
user IDs and other NetBIOS
information across the network)
IIS Security
• Don’t use Front Page extensions
• Disable the HTML administration site
• Store web content on a separate drive
• Bind the web server process to specific
IP addresses (not all available)
• Disable the WebDAV service
• Remove all unneeded ISAPI mappings,
especially IDA/IDC (indexing service)
and .printer (Internet Printing)
IIS Security
• Remove support for Internet printing
– Remove the /printers virtual directory
– Delete files from %SystemRoot%\web\printers
– Disable local or group policy options for “Web-Based
Printing”
• Delete default and sample IIS files
– \Inetpub\iissamples
– \Inetpub\AdminScripts
– \Program Files\Common Files\System\msadc\Samples
– %SystemRoot%\help\iishelp
– %SystemRoot%\System32\Inetsrv\iisadmpwd
– %SystemRoot%\web\printers
IIS Security
• Use restrictive IIS permissions
– On "Home Directory" tab, disable Read, Write,
Directory browsing
– Add specific rights as necessary
– Do not assign the Script Source Access IIS permission
to any folder
– Use authentication on all folders with Write /
Write-Execute access
– If HTTP basic authentication is required, use SSL
– If using NTLM authentication, require NTLM v2
IIS Security
• Protect global.asa files
– NTFS permissions set for System, Administrators and Operators
= full control
– NTFS permissions set for Authors = modify
– NTFS permissions set to explicitly deny IUSR_server and
IWAM_server accts.
– All failed accesses to global.asa are logged
• Protect the metabase.bin file
– MetaBase.bin has full control for System and Administrators
– MetaBase.bin has Modify for Operators
– Audit all failed and successful NTFS access to MetaBase.bin
• Enable the maximum level of logging
• Set the UseHostName metabase value to hide
the true IP address of the server
Intrusion Prevention / Detection
• Various products exist to detect and
sometimes stop hack attacks
• One such product is Entercept
• These are usually installed on the host
• Software components intercept API calls to
the operating system
• Can also filter HTTP web requests
• Provide for reporting capabilities at the host
and enterprise level
• Can be somewhat costly
• Like all IDS products, the value is in
their configuration
Vulnerability Assessments
• Primarily a scripted process
• Takes a “hackers point of view” of the
network and attempts to find vulnerabilities
in software (usually over TCP/IP)
• Is useful as a before and after check
• Is my preferred method of telling if security
changes “took” properly. You’d be surprised
• Vulnerability assessments need to be
performed often with updated tools!
• If possible, get expert help with vulnerability
assessments – the tools can tell you a lot, but
interpretation of results is critical
Questions and Answers
Mark Lachniet
[email protected]
Rob Dobson
[email protected]