Presentation
Download
Report
Transcript Presentation
Unprotected Windows
Shares
Prepared By : Mohammad Abu-Mahfouze
Supervised By : Dr. Lo’ai Tawalbeh
Arab Academy for Business and Finance (AABFS)
(Spring 2007)
Introduction
Microsoft Windows Operating System provides
a host machine with the ability to share files or
folders across a network with other hosts
through Windows network shares. The
underlying mechanism of this feature is the
Server Message Block (SMB) protocol, or the
Common Internet File System (CIFS). These
protocols permit a host to manipulate remote
files just as if they were local.
Introduction
Although this is a powerful and useful feature
of Windows, improper configuration of
network shares may expose critical system files
or may provide a mechanism for a nefarious
user or program to take full control of the host.
One of the ways in which I-Worm.Klez.a-h
(Klez Family) worm, Sircam virus and Nimda
worm spread so rapidly in 2001 was by
discovering unprotected network shares and
placing copies of themselves in them.
Introduction
Many computer owners open their
systems to hackers or attackers when
they try to improve convenience for
workers and outside researchers by
making their drives readable and
writeable by network users. But when
they take care to ensure the proper
configuration of the network shares,
the risks of compromise can be
adequately mitigated.
Introduction
The Peer-to-peer file-sharing services are
often constrained by organizations policy due
to their widespread use for disseminating
copyrighted content illegally, their significant
bandwidth consumption for (typically) nonwork-related uses, and/or the risk that they
may introduce new security vulnerabilities to
the organization.
Securing Windows File Sharing
Although Windows XP Professional is built on the Windows
2000 kernel, there are significant differences between the
operating systems - especially when it comes to security.
This checklist is partially based on our popular Windows 2000
security checklist and covers both Windows XP Professional and
XP Home Edition. Unfortunately, Windows XP Home Edition
doesn't have all of the security features of XP Professional, so not
all of the options are available for both versions. If you're
concerned about your data, we strongly recommend upgrading to
XP Professional as soon as possible.
Securing Windows File Sharing
When implementing these recommendations, keep in
mind that there is a trade off between increased
security levels and usability for any Operating
System. To help you decide how much security you
need, we've divided the checklist into Basic,
Intermediate, and Advanced Security options. You
should assess your potential security risks, determine
the value of your data, and balance your needs
accordingly.and we will talk about Basic security
option
How To Make Your
Files
Securely Shared ?
Securing Windows File Sharing
To tunnel Windows file shares over an
SSH (Secure Shell) connection, you need
to forward connections on port 139 on the
sharing-consumer machine via SSH to the
sharing-provider machine. The exact
setup differs depending on the version of
Windows on the sharing-consumer
machine:
In Windows 2000
Configure the SSH client to listen on
interface 127.0.0.2 and connect to
'\\127.0.0.2\sharename'. This is all that is
necessary.
In Windows XP
Same as for Windows 2000, but before using
the forwarded share, the local (client's)
Windows file sharing server needs to be
stopped via 'net stop server'. To disable it
permanently, run 'sc config lanmanserver start=
disabled'. To re-enable it at a later time, run 'sc
config lanmanserver start= auto'. Note the
space between 'start= ' and the following
parameter - sc will fail without it.
Microsoft Loopback Adapter
If you want to avoid disabling the file sharing server on
the client machine because you want to retain remote
access to the client machine's shared resources, there is
another alternative. You can install the Microsoft
Loopback Adapter according to instructions relevant to
your version of Windows:
The Loopback Adapter and file share tunneling:
Windows XP and 2003
The Loopback Adapter and file share tunneling:
Windows 2000
The Loopback Adapter and file share tunneling:
Windows NT4
Remember
If you use the Microsoft Loopback Adapter,
you should setup your SSH client
appropriately: use the Loopback Adapter's IP
instead of 127.0.0.1 or 127.0.0.2. If you
assigned the Loopback Adapter the IP address
10.10.10.10, configure a client-to-server port
forwarding rule to listen on 10.10.10.10, port
139; then you can connect to
'\\10.10.10.10\sharename .'
Windows file sharing over SSH
To make a secure file sharing in
Windows . Follow the following steps
to get quickly up and started with
Windows file sharing over SSH
On the server machine (the file-sharing provider)
1) Install WinSSHD on the server (the
machine that has the resources you wish to
access with Windows file sharing).
2) No changes to the default WinSSHD
configuration are required to use Windows
file sharing over SSH. You may wish to
make changes to the default WinSSHD
configuration later on, to restrict what
WinSSHD features are accessible to remote
users. However, for the time being, keep
your WinSSHD settings at default until your
file sharing over SSH is up and running
On the server machine (the file-sharing provider)
3) Apart from installing WinSSHD, the only
thing you need to do on the server is
ensure that there is a Windows account
which you can use to log on locally, and
which you are comfortable using through
Tunnelier and WinSSHD. If such an account
does not yet exist, create one and use it to
log on for the first time through the local
Windows console to make sure all settings
for the new account are initialized.
4) Start the WinSSHD service from the
WinSSHD Control Panel.
On the client machine:
1) If the client is running Windows XP or
2003 and you wish to retain the
ability to share the client's resources,
install and configure the Microsoft
Loopback Adapter.
2) Install Tunnelier on the client (the
machine from which you wish to be
accessing the server machine's
shared resources).
On the client machine:
3) Configure the following settings on the Login
tab in Tunnelier. Click also the 'Help' link on the
Login tab for help with any of these settings.
A. Host: The IP address or DNS name of the
server that you are accessing.
B. Port: You will normally use the default
value, 22. This must match the port that
WinSSHD is listening on. If you have made
no changes to the default WinSSHD
configuration to change the port it is
listening on, use 22.
On the client machine:
C. Username: The Windows account name with
which to log into the server. This must be a
valid Windows account name with local logon
permissions on the side of the server.
D. Password: The password with which to log into
the server, belonging to the account name
specified by Username.
E. Store encrypted password in profile: You
may optionally wish to enable this setting so
that you will not be asked to reenter the
password each time when logging in after
Tunnelier has been restarted.
On the client machine:
4) In the C2S Forwarding tab in Tunnelier,
add a new entry and configure the following
settings for this entry. Click also the 'Help'
link on the C2S Forwarding tab for help
with any of these settings.
A. Status: This will be 'enabled' by default, leave it
that way.
B. Listen interface: The default value is
127.0.0.1. If the client machine is running
Windows XP, leave this as it is; you will need
to uninstall file and printer sharing on the client
machine anyway. If the client machine is running
Windows 2000, change this to 127.0.0.2 so
that you will not need to uninstall file and printer
sharing.
C. List. Port: 139.
D. Destination Host: set this to the interface on which
the file sharing server is listening for SMB
connections. Setting this to 'localhost' or 127.0.0.1
will not work because the file sharing server is usually
listening on a specific interface rather than all
interfaces, so it will not be possible to go through the
loopback connection. To determine the interface
where the file sharing server is listening, execute
'netstat -an' on the server and examine the output for
a line like 'xxxxxx:139 ... LISTENING'. The xxxxxx is
the IP address that you need to enter in this field.
Normally this will be the IP address associated with
the server's main ethernet adapter.
E. Dest. Port: 139.
5) Click the Login button in Tunnelier and observe the log
area for any errors. If the session is established without
errors, the SSH setup is running.
6) If you are running Windows XP, you will now need to
uninstall (not just disable, but completely uninstall) file and
printer sharing on the client machine. This can be done
through Network Connections : (each connection) :
Properties - select 'File and Printer Sharing' in the list box
and press the Uninstall button. This needs to be done for
each active network connection on the client machine.
7) If you are using earlier versions of Windows (this is
confirmed for Windows 2000 but is likely to apply to the
9x/Me series as well), you will not need to uninstall file and
printer sharing if you specified 127.0.0.2 as the Tunnelier
C2S rule listening interface (above).
8) Once the above steps have been completed, you will
be able to connect securely to the shared resources
on the server machine using syntax such as
\\127.0.0.1\sharename or \\127.0.0.2\sharename,
respectively. This will work as long as the Tunnelier
SSH connection remains established.
9) You can make sure that your file sharing connections
are going through Tunnelier by checking the Tunnelier
log area for a message saying 'Accepted client-toserver connection from ... to ...:139' corresponding to
each connection attempt you make. Likewise, when
your file sharing connection closes, Tunnelier should
output a log message stating 'Closing client-to-server
forwarding channel from ... to ...:139'.
Security Measures
Security Measures
There are three security measures
Basic Security measures
Intermediate Security Measures
Advanced Security Settings
At this presentation we will talk about the basic
Security measures only .
Basic Security Measures
Provide Physical Security for the machine
It may seem basic, but we didn't want you to
overlook the obvious. The simple fact is that
most security breaches in corporate environments
occur from the inside. Keep your workstation in
an office that locks, install a lock on the CPU
case, keep it locked, and store the key safely
away from the computer at a secure location. (i.e.
a locked cabinet in the server room)
Basic Security Measures
Use NTFS on all your partitions
The FAT16/FAT32 file systems that were
shipped with Windows 95/98/ME offered
no security for your data and left your
system wide open to attacks. The NTFS
file system is faster than FAT32 and
allows you to set permissions down to
the file level. If you're unsure of how
your system is configured,
Basic Security Measures
using NTFS on Windows XP Professional
allows you to encrypt files and folders
using the Encrypting File System (EFS).
If you are dual booting Windows XP and
Windows 9x/Me, keep in mind that these
operating systems cannot read NTFS
partitions, and you won't be able to
access the files when you are in
Windows 9x/ME
Basic Security Measures
Disable Simple File Sharing
Both Windows XP Home Edition and XP
Professional workstations that are not part of a
domain, use a network access model called
"Simple File Sharing" , where all attempts to
log on to the computer from across the network
are forced to use the Guest account (to prevent
them from using a local Administrator account
that wasn't configured with a password) This
means that if you're connected to the internet
and don't use a secure firewall, your files
contained within those shares are available to
just about anybody
Basic Security Measures
To disable Simple File Sharing on
XP Professional:
Click Start > My Computer > Tools >
Folder Options Select the View tab Go
to Advanced Settings, clear the Use
Simple File Sharing box click Apply
Basic Security Measures
Unfortunately, XP Home Edition doesn't allow you
to disable Simple File Sharing and is unable to join a
domain, so the best you can hope for is to make sure
you set your shared folders to be read only, hide the
file shares by using a $ sign after the folder name, or
if your using the NTFS file system, use the 'Make
Private" option in the folder properties. Windows XP
Professional workstations that are part of a domain
or that have Simple File Sharing disabled, use the
"Classic" NT security model that requires all users to
authenticate before granting access to shared
folders .
Basic Security Measures
Use passwords on all user accounts
Both Windows XP Professional and Home Edition allow
user accounts to utilize blank passwords to log into
their local workstations, although in XP Professional,
accounts with blank passwords can no longer be used
to log on to the computer remotely over the network.
Obviously, blank passwords are a bad idea if you care
about security. Make sure you assign passwords to all
accounts ,especially the Administrator account and
any accounts with Administrator privileges. By the
way, in XP Home Edition all user accounts have
administrative privileges and no password by
default .Make sure you close this hole as soon as
possible
Basic Security Measures
Use the Administrator Group with care
It's very common for home users and small business
administrators to simply give all local accounts full
Administrator privileges in order eliminate the
inconvenience of logging into another account.
However this practice gives a hacker the opportunity
to try to crack a greater number of administrator level
accounts and increases his/her chance for success. It
also increases the odds that malicious code executed
via an e-mail attachment or other vector can do more
damage to your files. In a workgroup consider placing
local users with a greater need for control in the local
Power Users group, instead of the Administrators
group. And avoid the temptation of using the local
administrator account as your default login account.
Basic Security Measures
Disable the Guest Account
The guest account has always been a huge hacker
hole, and should be disabled as soon as you install
your workstation. Unfortunately, this setting
recommendation only applies to Windows XP
Professional computers that belong to a domain, or to
computers that do not use the Simple File Sharing
model. Windows XP Home Edition will not allow you to
disable the Guest account. When you disable the
Guest account in Windows XP Home Edition via the
Control Panel, it only removes the listing of the Guest
account from the Fast User Switching Welcome
screen, and the Log-On Local right. The network
credentials will remain intact and guest users will still
be able to connect to shared resources of the affected
machine across a network
Basic Security Measures
Use a firewall if you have a full time internet
connection
Having instant, high speed access to the internet is a
real convenience but it also puts your data at risk.
Although XP comes with a built in firewall (called ICF),
it is not enabled by default, and it only filters incoming
traffic without attempting to manage or restrict
outbound connections at all. While this may be fine for
most users, we highly recommend using a third party
personal firewall such as BlackIce if you're concerned
about your data. For corporate users already behind a
firewall, consider using Group Policy to enable ICF and
disable specific ports when users are not connected to
the corporate network.
Basic Security Measures
Use a router instead of ICS
The Internet Connection Sharing feature
within XP allows a user to connect one
PC to the internet and then share that
connection with the rest of the
computers within his home or small
office network. While it was generally a
good idea when it was conceived, if you
have a high speed connection a real
router is a faster, easier to configure,
and more secure .
Basic Security Measures
Install AntiVirus Software on all
workstations
Viruses and other forms of malicious
software have been around for years,
but today's malware utilizes the internet
and e-mail systems to spread globally in
a matter of hours. Installing AntiVirus
software is a basic step in protecting
your data, but it's near useless if the
definitions aren't updated.
Basic Security Measures
Keep up to date with hotfixes and
service packs
Windows XP is a complex operating system and is not
immune to its own bugs and security holes. Its
common tactic for hackers to use the latest known
security hole to break into a system and work
backward from there until they find an open door that
gives them full access. In fact 99% of system
breaches are executed using known security
vulnerabilities that were never patched. Use the
Windows Update feature or automatic update to keep
your system up to date. You can also use the
Microsoft Baseline Security Analyzer to check your
system for known vulnerabilities.
Basic Security Measures
Password protect the screensaver
Once again this is a basic security step that is often
circumvented by users. Make sure all of your workstations have
this feature enabled to prevent an internal threat from taking
advantage of an unlocked console. For best results, choose the
blank screensaver or logon screensaver. Avoid the OpenGL and
graphic intensive program that eat CPU cycles and memory.
Make sure the wait setting is appropriate for your business. If
you can get your users in the habit of manually locking their
workstations when they walk away from their desks, you can
probably get away with an idle time of 15 minutes or more. You
can keep users from changing this setting via Group Policy or
the local security policy
Basic Security Measures
Secure your wireless network
The new 802.11 wireless standard allows you
to roam freely without cables and make
anywhere your virtual office. This also gives
hackers another open door to your data if you
fail to lock it. A recent survey in the U.K found
that of 5,000 wireless networks that were
discovered by simply driving around the city
with a wireless enabled laptop, 92% were wide
open. As "drive by" hacking and warchalking
are becoming common practice, any hacker
with a laptop and a Pringles can could
potentially compromise your network.
Basic Security Measures
Secure your Backup tapes
It's amazing how many organizations
implement excellent platform
security, and then don't encrypt
and/or lock up their backup tapes
containing the same data. It's also a
good idea to keep your Emergency
Repair Disks locked up and stored
away from your workstations as well.
References
http://isc.sans.org/port.html?port=139
http://list.msu.edu/cgibin/wa?A2=ind0004&L=msusecurity&P=51
http://www.securityfocus.com/infocus/1
527
http://archives.neohapsis.com/archives/
snort/2003-03/0419.html
http://www.bitvise.com/products