hardening systems windows nt n.
Skip this Video
Loading SlideShow in 5 Seconds..
Hardening Systems: Windows NT PowerPoint Presentation
Download Presentation
Hardening Systems: Windows NT

Hardening Systems: Windows NT

470 Views Download Presentation
Download Presentation

Hardening Systems: Windows NT

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Hardening Systems: Windows NT Presented to CERTConf 2000September 28, 2000 Stephen M. Nugen, CISSP NebraskaCERT

  2. Introduction • Purpose • Discuss Windows NT-specific InfoSec issues • Provide pointers to specific checklists, etc. • Focus • Windows NT 4.0 • Still outselling Windows 2K • Next year: Windows 2K and/or Whistler (-> .NET) • Server and Workstation versions • Broad rather than deep... • Consider multiple areas of vulnerability • Some topics just too hard or too site-specific to cover with everything else... • Understanding the “why” behind the vulnerability, mitigation • Preparing for multiple variations on a theme • InfoSec is the journey that never ends

  3. Introduction cont’d • Caveat • Presenting and discussing information gleamed from multiple sources • Sources believed to be reliable • Some sources old... some details may be OBE depending on what service packs, patches, hot-fixes have been installed at your site • Some, but not all of these have been tested • Limitations of any single presenter... • IMPORTANT • USE THESE NOTES ONLY AS • IDEAS FOR FURTHER STUDY • POINTS OF REFERENCE... KEYWORDS FOR SEARCHING TECHNET, MSDN, ETC. • CHANGES TO REGISTRY VERY DANGEROUS • BACKUP REGISTRY FIRST • EXPLORE WITH REGEDT32.EXE... USE OPTIONS | READ-ONLY • DON’T TRUST NUGEN’S SPELLING, TYPE, OR VALUE FOR ANY PARTICULAR REGISTRY KEY, ETC.... LOOK IT UP

  4. Introduction cont’d • Assumed • Already understand InfoSec basics • Already understand Windows NT basics • Style • Very informal • Questions and suggestions welcome anytime • Now • Later • If need the source for any specific suggestion/topic, send email to • Ask about abbreviations... like • HKLM = HKEY_LOCAL_MACHINE • HKCU = HKEY_CURRENT_USER

  5. Introduction cont’d • Structure • Accounts • Resources • Auditing • Services • Network • Other • OBE Exploits • Sources

  6. Accounts • Password Restrictions • Passwords should expire after <xx> days to limit scope of compromised password • Password length > 12 characters • For W9X systems, password length of 8 very bad since encrypted in 7-byte chunks • Password uniqueness • Don’t keep reusing compromised passwords • Set Password Uniqueness to remember maximum value (24) • Set Minimum Password Age to 2 days to prevent users from cycling through passwords to return to their “old favorite” • Use Account Lockout to prevent password guessing, brute force • Lockout after <4-5> bad login attempts • Reset count after <20-30> minutes • Lockout duration (30-forever> • If forever, then will need Administrator to restore account

  7. Accounts cont’d • Password restrictions cont’d • User must log on in order to change password... to require Administrator involvement for users whose passwords have expired • Password warning time • Default: NT begins warning users 14 days before password expires • Can change viaHKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon • Misc advice • Constructing passwords... educating users • Don’t forget to self-crack passwords from time to time...

  8. Accounts cont’d • Account Policies... User Rights • Be guided by principles of • Least privilege • Separation of duties... illegal activity which requires collusion less probable, more likely to be detected • Consider • Which group memberships really necessary • Hours of use • Dial-in access... • Which servers users can access... be very concerned about people logging on from a computer in an unsupervised area • Account expiration... especially for test and temporary accounts • Some rights should not be assigned to any user • Act as part of the operating system • Create a token object • Debug programs... not auditable • Generate security audits • Replace a process level token

  9. Accounts cont’d • MS-Recommended changes from default for high-security sites • Right: Log on locally • Workstations and stand-alone servers • Default: Administrators, Everyone, Guests, Power Users, and Users • Change: Remove Everyone and Guests • Domain servers • No change from default recommended • Right: Shut down system • Workstations and stand-alone servers • Default: Administrators, Everyone, Guests, Power Users, and Users • Change: Remove Everyone and Guests • Domain servers • No change from default recommended

  10. Accounts cont’d • MS-recommended changes from default cont’d • Right: Access this computer from network • Workstations and stand-alone servers • Default: Administrators, Everyone, Power Users • Change: Remove Everyone; Add Users • Domain servers • Default: Administrators, Everyone • Change to: Remove Everyone; add Backup/Server/Print Operators • Also refer to MS Windows NT 4.0 Domain Controller Configuration Checklist

  11. Accounts cont’d • Account policies cont’d • Special considerations • Access this computer from network • Block for Everyone group • For all groups when possible... including administrator... so that administrators have to login interactively at the server, in a controlled environment • Log on locally • Admins only... users shouldn’t be logging into actual server hardware • Take ownership of files and other objects • Admins only... • Manage auditing and security logs • Admins only... • See following note about Auditor account

  12. Accounts cont’d • Administrator account cont’d • Administrators need two separate accounts • Regular use, less-privileged • Not an insult • A precaution against accidental damage • System administration account • Win2K allows “execute as” like Unix “su” • ...Two separate accounts for other privileged accounts as well • Backup Operators, etc.

  13. Accounts cont’d • Administrator account cont’d • Rename Administrator account to something obscure • Exploit tools can still learn the name, but • It’s another barrier... more tools, knowledge, etc. • Some or all of them require the renamed administrator account be in-use... the system administrator logged-on • Be sure to scan the audit logs for logon attempts to Administrator account... • Be sure to hide last user name on logon via registryHKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\DontDisplayLastUserName

  14. Accounts cont’d • Administrator account • Make a decoy Administrator account • No permissions • Waste the time of script kiddies • Audit... • Consider an Auditor account as only account in built-in Administrator Group • All other Admins in special management group with every right except “Manage auditing and security log right” • Allows auditing of most powerful accounts... • Most likely account to be misused, accidentally or deliberately • Most likely account targeted by disgruntled employee or external hacker

  15. Accounts cont’d • Administrator account cont’d • Recovery technique • Make obscure Administrator account with very complex password • Store password in thirds in three different envelopes entrusted to three different managers/employees • Audit... • Use PASSPROP make Administrator account subject to locking policy • From NTRK • Only locks remote access... not local

  16. Accounts cont’d • SYSKEY • aka System Key • Background • NT stores one-way hashes of user passwords in SAM registry • Saved by rdisk /s and some backup programs • Password cracking tools can dump encrypted passwords archived SAM files... for subsequent cracking • SYSKEY encrypts the user password hashes with 128-bit key for added protection • Three modes • Auto Boot • System generates internal key and stores it on the system • Convenient for unattended startups, • Not very secure • Floppy Boot • System generates random key and stores it on floppy • More secure • Must insert floppy to boot the system • If you lose the floppy, order pizza... • Password Boot • Administrator chooses password • Needed to boot • If you forget the password or lose the Administrator, order pizza...

  17. Accounts cont’d • SYSKEY cont’d • Notes • SYSKEY prevents SAM dumping with • Tool built into L0pht Crack 2.5 • Tool pwdump • SYSKEY does not stop SAM dumping with tool pwdump2 • Uses DLL injection techniques different than pwdump • Exploits weakness in SYSKEY encryption... reuse of the keystream • pwdump2 requires administrator access • SYSKEY increases the complexity and time-required to crack password hashes

  18. Accounts cont’d • LANMAN (aka LanManager [LM]) • LANMAN authentication for Windows 9x clients much weaker than Windows NT authentication • SetHKLM\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel = X • Where: • X=0: Support NT and LM password forms • X=1: Use LM only if requested • Vulnerability since hack tools can still request weaker LANMAN authentication • X=2: Never use LM • Preferred • But no Win95/98 clients • Consider disable caching of logon credentials • Used for roaming profiles... leaves local copies • HKLM\System\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount

  19. Resources • Always format volumes as NTFS • FAT filesystems don’t support ACLs • Shares • Share ACLs only restrict remote access, not access to program on the same computer • Local access: Checks file & directory ACLs • Remote access: Checks • Share ACLs, then • File and directory ACLs • Share ACLs can’t be relaxed by share owners, but can created and modified by • Full administrators • Server Operators • Power Users • Print Operators (create only)

  20. Resources • Shares cont’d • Don’t inadvertently put information in share name • Share names visible even to users who can’t access the share • Names like “Secret Layoff Schedule” best avoided

  21. Resources cont’d • Administrative shares (aka net shares) • Created automatically for each logical volume (e.g. C$, D$) • Hidden from view, but accessible • Helpful in remote administration • Disabled when Server service disabled • Disabled through registry keys • NT ServerHKLM\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer • NT WorkstationHKLM\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer • Can delete existing shares throughnet share /d • Multiple MS-KB articles on this subject...

  22. Resources cont’d • General access permissions • Start with the most sensitive directories and files... • Use tools for large systems • For shared directories and files • Which local users and groups have access... necessary and appropriate? • When network users and groups have access... necessary and appropriate? • Are inherited permissions appropriate? • For non- shared directories and files • Which local users and groups have access... necessary and appropriate? • Are inherited permissions appropriate? • Override the default behavior that the Everyone Group gets full access for all new folders... • Change Everyone group access for parent folder, then create subfolders which inherit permissions • Change Everyone group permissions at drive root... then propagating permissions to subdirectories • Exception: Manually update systemroot folder (usually C:\winnt)

  23. Resources cont’d • Separate data files from program files • Easier administration... backups • Data directories • Users given Write permissions • Remove Execute permission... to prevent user from writing trojan or virus into directory and then executing • Program directories • Users have Read and Execute permissions • Remove Write permissions... to prevent user from writing trojan or virus into directory and then executing • Separate public files from private files • Easier to apply appropriate permissions and audit • Never share the root directory of a drive • Exception: CD-ROM shared for public access • Use encryption when feasible • Especially for exec laptops...

  24. Resources cont’d • MS recommendations for protecting files and directories • \winnt and all subdirectories... see exceptions that follow • Administrators: Full Control • System: Full Control • Creator Owner: Full Control • Everyone: Read • \winnt\repair... where rdisk stores info for ERD disks... includes sensitive info • Administrators: Full Control • \winnt\system32\config • Administrators: Full Control • System: Full Control • Creator Owner: Full Control • Everyone: List

  25. Resources cont’d • MS file recommendations cont’d • \winnt\system32\spool • Administrators: Full Control • System: Full Control • Creator Owner: Full Control • Everyone: Read • Power Users: Change • \winnt\cookies • Administrators: Full Control • System: Full Control • Creator Owner: Full Control • Everyone: • Special directory access: read, write, execute • Special file access: none

  26. Resources cont’d • MS file recommendations cont’d • \winnt\forms • Same protections as \winnt\cookies • \winnt\history • Same protections as \winnt\cookies • \winnt\occache • Same protections as \winnt\cookies • \winnt\profiles • Same protections as \winnt\cookies • \winnt\sendto • Same protections as \winnt\cookies • \winnt\temporary internet files • Same protections as \winnt\cookies

  27. Resources cont’d • MS file recommendations cont’d • \boot.ini • Administrators: Full Control • System: Full Control • \ • Administrators: Full Control • System: Full Control • \ntldr • Administrators: Full Control • System: Full Control • \autoexec.bat • Administrators: Full Control • System: Full Control • Everyone: Read

  28. Resources cont’d • MS file recommendations cont’d • \config.sys • Administrators: Full Control • System: Full Control • Everybody: Read • \temp directory • Administrators: Full Control • System: Full Control • Creator Owner: Full Control • Everyone: • Special directory access: read, write, execute • Special file access: none • Also see specific guidelines from TSS & NSA, 1988

  29. Resources cont’d • Monitor ownership of sensitive files • Example: Administrators shouldn’t be accessing personnel evaluations • Owner should deny access to administrators • If necessary, Admin can take ownership... Then, grant themselves access rights • But, Admins can’t give ownership back to original owner... so leaves tracks • Data owner checks ownership... finds Admin is new owner... can ask the interesting questions • Doesn’t require auditing or access to audits by data owner

  30. Resources cont’d • Prevent remote registry editing • Stronger protection after SP3 • Remote registry editing subject to the ACL on keyHKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg...but HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\Allowed Paths\machinesdefines registry keys exempt from this restriction • See MS-KB Q153183 • Default • NT Server defines key, restricts remote access to Administrators • NT Workstation doesn’t define the key, does not restrict remote access to the registry

  31. Resources cont’d • Disable registry tools when not required • Method-1: HCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools • Directly or via policy editor • Method-2: Use ACLs to restrict use of registry editors • Weakness of this approach: Doesn’t restrict other registry-modifying tools, scripts, etc.

  32. Resources cont’d • C2-level protections • Full C2 the subject of multiple white papers, etc. • Investigate ProtectionMode • When present, tells the NT Session Manager that security on base system objects should be at the C2 security level • HKLM\System\CurrentControlSet\Control\SessionManager\ProtectionMode • Ref MS-KB Q244995 • Also investigate additional protection • ProtectionMode doesn’t address all base named objects... for those, useHKLM\System\CurrentControlSet\Control\SessionManager\AdditionalBaseNamedObjectsProtectionMode

  33. Resources cont’d • Sensitive registry areas to control & monitor • Can be used to launch trojans • MS-recommended default ACLs for these registry keys • Administrators: Full Control • System: Full Control • Creator Owner: Full Owner • Everyone: Read • HKLM\Software\Microsoft\Windows\CurrentVersion\Run • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx • HKLM\Software\Microsoft\Windows\CurrentVersion\AeDebug • HKLM\Software\Microsoft\Windows\CurrentVersion\WinLogon

  34. Resources cont’d • MS recommendations for changes to registry key permissions • Changes to default for Everyone group • Default for Everyone: Special Access with • Query Value • Set Value • Create Subkey • Enumerate Subkeys • Notify • Delete • Read Control

  35. Resources cont’d • MS registry recommendations cont’d • Changes for Everyone group cont’d • Change for Everyone Special Access • Retain • Query Value • Enumerate Subkeys • Notify • Read Control • Remove • Set Value • Create Subkey • Delete

  36. Resources cont’d • MS registry recommendations cont’d • Changes for Everyone group cont’d • Applies to • HKLM\Software • But don’t apply to entire subtree or some software may become unusable • HKLM\Software\Microsoft\RPC (and subkeys) • HKLM\Software\Microsoft\Windows NT\CurrentVersion • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Profile List • HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug • ... Too many to list... ref to MS Publication: Securing Windows NT Installation, Oct, 1997 • Don’t forget keys • HKCR (root and all subkeys) • HKU\.DEFAULT

  37. Resources cont’d • Watch out for PATHs • System PATH variable must only contain directories whose ACLs prevent untrusted users from adding or modifying files • Such as executables and DLLs • Such as data files trusted programs rely on • User-level autoexec.bat files can be enabled • Registry keyHKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon • If enabled, then must protect autoexec.bat files • The “.” problem • Most commands and APIs search the current directory (“.”) before the directories specified in the controlled PATH variable • Command window • Scripts • APIs that start other programs • Allows untrusted programs/components/etc. to be accessed in place of trusted elements... spoofing

  38. Resources cont’d • Path cont’d • The “.” problem cont’d • Difficult to protect against... • Some advice • Use 3rd-party command shells if feasible • Routinely scan for executable files • *.exe. *.bat, *.com, *.vbs, etc. • Get real attentive when finding files whose name is the same as common commands, services, etc. • Avoid working in directories where users with lesser capabilities can create files, etc. • Especially important for Administrators • Where possible, use the Start | Run... it does not search “.” before directories specified by system PATH

  39. Resources cont’d • DLL spoofing • Closely related to PATH issues • Goal of malicious user: cause their “special” DLL to be loaded instead of more boring DLL supplied by the operating system or trusted application • Difficulty-1: Rules used to load DLLs at boot time complex • Different for 16-bit and 32-bit DLLs • Trusted source disagrees with MS-KB article • Ref: MS-KB Q164501

  40. Resources cont’d • DLL spoofing cont’d • Difficulty-2: Different methods search different sequences of directories • Program directory • Where the executable resides • May not be protected by default, but should be protected by good Administrator • System directory • Ex: c:\winnt or c:\winnt\system32 • Should be protected • Working directory... • Directory the user entered before starting the program • Protected? • Or, directory program places itself in • Known? • Protected? • DLL spoofing though working directories most serious vulnerability

  41. Resources cont’d • DLL spoofing cont’d • Safe locations for DLLs • DLLs in protected system directories • Application DLLs in same directory as application, suitably protected • Periodically scan for *.DLL files located outside of protected system and application directories • Protect shortcuts • If a malicious user can change the properties of a shortcut... • System shortcuts (desktop and Start Menu) generally already protected inside Profile directory, private by default • Users should be cautioned not to create shortcuts in directories not write-protected from all others

  42. Resources cont’d • Extension mapping • Can easily spoof when allowed to change the association between file types and system action • Single mapping should serve all users and only trusted programs whose executable files are properly protected • Problem-1: Anyone can change mapping • By default, all local users (members of INTERACTIVE pseudo-group) can modify the mapping through user tools • Mapping stored underHKLM\Software\Classes • Change permissions on this key • Replace Interactive group with a one that holds only trusted users • Restrict non-Admin write access to the command keyHKLM\Software\Classes\regfile\shell\open\command

  43. Resources cont’d • Extension mapping cont’d • Problem-2: Standard extensions can be dangerous • *.reg files contain scripts executed by registry editor, making changes to the registry • Consider disabling this association • To avoid surprises • Can always reassociate when needed... always record the existing association before changing it • For high-security environments, selectively unmap every association not required for normal operations • Very carefully, methodically, one or two at a time, with regression test scripts, etc. • Note: Executables can be run from command line, regardless of their file extension

  44. Resources cont’d • Watch out for data files containing more than data • Best-known example: Macro viruses embedded in a MS-Office file • Lessor-known example: OCX embedded in a .RTF file • Lessor-known example: NTFS streams... • NTFS files can contain multiple streams • Most tools only operate on Stream 0 • Files can contain data in Stream 0; hacker tools in Stream 1; etc. • Printer drivers • NT thoughtfully automatically installs print drivers as needed... • Untrusted print drivers could divert the data... • Restrict this ability to administrators, print operators and power users • HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrintDrivers

  45. Resources cont’d • Consider writing the system page file during clean system shutdown • HKLM\System\CurrentControlSet\Control\SessionManager\MemoryManagement\ClearPageFileAtShutdown • Increases duration of shutdown process • Lock the server console when not in use • Explicitly • Password-protected locking screen savers • Consider turning off auto-generation of 8.3 names • Filenames in 8.3 only needed for backward compatibility with 16-bit applications • Turning off improves performance (don’t know how much) • HKEY\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation

  46. Resources cont’d • Consider removing the “R” permission from executable program files • Benefit: Prevents users from copying • Perhaps to their directory searched before the system directories • Effectively negating the replacement of an untrusted component with a trusted component • Problem • Desktop manager cannot determine icon for such files • May generate an audit entry it auditing failed reads • Displays default icon

  47. Resources cont’d • Consider restricting the use of DCOM • Remote interactive user write access to DCOM RunAs value • KeyHKLM\Software\Classes\AppID • Remove Interactive set, create, and write permissions • Replace permissions on existing subkeys • Disable DCOM which can be used to execute commands remotely • KeyHKLM\Software\Microsoft\Ole\EnableDCOM

  48. Auditing • General notes • Auditing enabled through User Manager | Policies | Audit • Directory/file auditing by user (groups or accounts) controlled through file manager • Explorer | <select file> | <right-click> | properties | security | auditing • Printer auditing controlled through Print Manager • Print Manager | <select printer> | <right-click> | properties | security | auditing • Auditing of base system objects requires a new registry key • HKLM\System\CurrentControlSet\Control\Lsa\AuditBaseObjects • Then, enable “Object Access” using User Manager

  49. Auditing cont’d • General notes cont’d • Even with auditing privilege use, certain privileges not audited • To control size of audit logs • Ex: Backup and restore privileges • If required in special circumstances, checkout • HKLM\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing

  50. Auditing cont’d • Set log size reasonably large • Depends on granularity of auditing, activity level, etc.... • Experiment... 4096 and 8192 commonly-cited sizes... monitor • Consider placing event logs in separate partition(s) so they never fail because of insufficient disk space • HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\File • HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System\File • HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\File • Enable log wrapping with “Overwrite Events as Needed” • Goal: Overwrite needn’t happen with good maintenance, archives • Routine log maintenance • Monitor size • Move to long-term storage • Clear • Know chain of evidence rules