Foiling JD: Top 10 Ways to Stop Hackers - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Foiling JD: Top 10 Ways to Stop Hackers' - manelin
Presentation Transcript
Foiling JD: Top 10 Ways to Stop Hackers

David LeBlanc

Eric Schultze

Microsoft Corporation

Introduction
  • Practice Defense in Depth
  • A well-configured server will often resist even newly found vulnerabilities
  • Example – the NT 4.0 system set up for Eweek’s first OpenHack contest would have remained secure against most new attacks found over the next year
10. Secure Your E-mail Client
  • Outlook
    • Apply the Outlook Security Update
  • Outlook Express
    • Move OE to Restricted Sites Zone
    • Disable Active Scripting and Java
  • Don’t read e-mail on a web server!
9. Restrict Anonymous
  • Set RestrictAnonymous=2
    • This blocks detailed enumeration of users and groups over a variety of protocols
    • (setting included in the HiSec* templates)
    • Do not allow a system with RestrictAnonymous=2 to become master browser
8. ACL System Executables
  • Remove the ability for users to execute system commands (cmd.exe, tftp.exe, etc.)
    • C:\winnt (and subdirectories)
      • dir *.exe /s /b > outfile.txt
      • cacls the *.exe files as follows:
        • Admins: Full
        • System: Full
7. ACL Directories
  • Remove permissions for IUSR, IWAM, and Everyone to Write and Execute files in all directories
    • Dump directory list to file
    • Run cacls against each directory
    • Identify each entry with Everyone perms
      • Read/Execute
      • Write
    • Reset perms as follows:
7. ACL Directories

\Inetpub
  Everyone:(OI)(CI)F
  Set to admins:F, everyone:R
------------------------------------------------------------------------------
\Documents and Settings\All Users\DRM
  Everyone:(OI)(CI)F
  Set to everyone:R
------------------------------------------------------------------------------
\Documents and Settings\All Users\Application Data\Microsoft\HTML Help
  Everyone:F
  Everyone:(OI)(CI)(IO)F
  Set to everyone:R
------------------------------------------------------------------------------
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
  Everyone:(special access:) READ_CONTROL, SYNCHRONIZE, FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES
  Remove FILE_GENERIC_WRITE, FILE_WRITE_DATA
------------------------------------------------------------------------------

7. ACL Directories (cont)

\Inetpub\AdminScripts
  Everyone:(OI)(CI)F
  Inherited permissions from \Inetpub
------------------------------------------------------------------------------
\Inetpub\mailroot
  Everyone:(OI)(CI)F
\Inetpub\mailroot\Badmail
  Everyone:(OI)(CI)F
\Inetpub\mailroot\Drop
  Everyone:(OI)(CI)F
\Inetpub\mailroot\Mailbox
  Everyone:(OI)(CI)F
\Inetpub\mailroot\Pickup
  Everyone:(OI)(CI)F
\Inetpub\mailroot\Queue
  Everyone:(OI)(CI)F
\Inetpub\mailroot\Route
  Everyone:(OI)(CI)F
\Inetpub\mailroot\SortTemp
  Everyone:(OI)(CI)F
  Inherited permissions from \Inetpub
------------------------------------------------------------------------------

7. ACL Directories (cont)

\WINNT\Tasks
  Everyone:(OI)(CI)(special access:) READ_CONTROL, SYNCHRONIZE, FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE, FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES
\WINNT\system32\Setup
  Everyone:(OI)(CI)F
  Set to admins:F, everyone:R
------------------------------------------------------------------------------
\WINNT\system32\inetsrv\Data
  Everyone:F
  Set to everyone:R
------------------------------------------------------------------------------
\WINNT\system32\Microsoft\Crypto\RSA\MachineKeys
  Everyone:(special access:)
  Set to everyone:R
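The two ACL steps above (8: re-ACL system executables; 7: dump the directory list, run cacls against each directory, find the Everyone/IUSR/IWAM entries with Write or Execute, reset them) are easy to get wrong by hand across a whole system tree. The script below is an added example, not code from the slides or from Microsoft: it parses the output of `cacls <dir>` (including the `(special access:)` form the slides show for Tasks and MachineKeys), flags the low-privilege entries that still grant write or execute, and emits the cacls commands to review before running. The sample cacls output is constructed, and the remediation mapping (offending entries become Read, `Administrators:F` added when no Administrators entry exists) is my reading of the slides' "Set to" lines, not something the slides spell out.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: one `cacls <dir>` run per directory from the dumped
# directory list, keyed by the directory passed to cacls. The layout mirrors
# real Windows 2000 cacls output: path and first ACE on one line, further ACEs
# on indented continuation lines, one right per line after "(special access:)".
SAMPLE_CACLS_RUNS: Dict[str, str] = {
    "C:\\Inetpub":
        "C:\\Inetpub Everyone:(OI)(CI)F\n",
    "C:\\Inetpub\\wwwroot":
        "C:\\Inetpub\\wwwroot Everyone:(OI)(CI)R\n"
        "                   BUILTIN\\Administrators:(OI)(CI)F\n"
        "                   NT AUTHORITY\\SYSTEM:(OI)(CI)F\n",
    "C:\\WINNT\\Tasks":
        "C:\\WINNT\\Tasks Everyone:(OI)(CI)(special access:)\n"
        "                                    READ_CONTROL\n"
        "                                    FILE_GENERIC_READ\n"
        "                                    FILE_WRITE_DATA\n"
        "                                    FILE_EXECUTE\n"
        "               BUILTIN\\Administrators:(OI)(CI)F\n",
    "C:\\Documents and Settings\\All Users\\DRM":
        "C:\\Documents and Settings\\All Users\\DRM Everyone:(OI)(CI)F\n"
        "                                         BUILTIN\\Administrators:(OI)(CI)F\n",
}

# trustee:(flags...)perm, where perm is F/C/W/R/N or the "(special access:)" marker
ACE_RE = re.compile(
    r"^(?P<trustee>.+?):(?P<flags>(?:\([A-Z]{2}\))*)(?P<perm>[FCWRN]|\(special access:\))$"
)
# Rights that let a low-privilege principal write to or execute from the directory
WRITE_OR_EXEC_RIGHTS = {
    "FILE_GENERIC_WRITE", "FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_WRITE_EA",
    "FILE_WRITE_ATTRIBUTES", "FILE_GENERIC_EXECUTE", "FILE_EXECUTE",
}
# The principals the slide singles out: Everyone and the IIS IUSR_/IWAM_ accounts
LOW_PRIV_TRUSTEE = re.compile(r"^(Everyone|.*\\(IUSR|IWAM)_\S*)$")


@dataclass
class Ace:
    trustee: str
    flags: str
    perm: str                                        # F, C, W, R, N or "special"
    rights: List[str] = field(default_factory=list)  # filled only for "special"


def parse_cacls(path: str, output: str) -> List[Ace]:
    """Turn the output of `cacls <path>` into a list of ACEs."""
    aces: List[Ace] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(path):            # first line: strip the echoed path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            perm = "special" if m.group("perm").startswith("(") else m.group("perm")
            aces.append(Ace(m.group("trustee"), m.group("flags"), perm))
        elif aces and aces[-1].perm == "special" and re.fullmatch(r"[A-Z_]+", line):
            aces[-1].rights.append(line)     # right name belonging to the previous ACE
        else:
            raise ValueError(f"unrecognised cacls line: {raw!r}")
    return aces


def grants_write_or_execute(ace: Ace) -> bool:
    if ace.perm in ("F", "C", "W"):
        return True
    if ace.perm == "special":
        return bool(WRITE_OR_EXEC_RIGHTS & set(ace.rights))
    return False                              # R and N are what the slides leave in place


def audit(path: str, aces: List[Ace]) -> List[str]:
    """cacls commands that bring `path` to the slides' target state (assumed mapping:
    offending low-privilege entries become Read; Administrators:F added when absent)."""
    offenders = [a for a in aces
                 if LOW_PRIV_TRUSTEE.match(a.trustee) and grants_write_or_execute(a)]
    if not offenders:
        return []
    # /E edits the ACL in place instead of replacing it; /P overwrites that trustee's rights
    cmds = [f'cacls "{path}" /E /P "{a.trustee}":R' for a in offenders]
    if not any(a.trustee.endswith("\\Administrators") and a.perm == "F" for a in aces):
        cmds.append(f'cacls "{path}" /E /G Administrators:F')
    return cmds


def audit_all(runs: Dict[str, str]) -> Dict[str, List[str]]:
    """Directories that need changes, with the commands to review before running."""
    report = {path: audit(path, parse_cacls(path, out)) for path, out in runs.items()}
    return {path: cmds for path, cmds in report.items() if cmds}


def harden_system_exes(dir_listing: str) -> List[str]:
    """Slide 8: for each line of `dir *.exe /s /b > outfile.txt`, replace the whole
    ACL (no /E) with Administrators and SYSTEM Full, dropping every other entry.
    cacls asks for confirmation before replacing, which `echo y|` answers."""
    return [f'echo y| cacls "{p.strip()}" /G Administrators:F SYSTEM:F'
            for p in dir_listing.splitlines() if p.strip()]


if __name__ == "__main__":
    for path, cmds in audit_all(SAMPLE_CACLS_RUNS).items():
        print(path)
        for cmd in cmds:
            print("   ", cmd)
```

The script only prints commands; feeding it real output means running `cacls` per directory from the dumped list and pasting each run in. Note the difference between the two remediations: slide 7 edits the existing ACL (`/E`) and demotes one trustee, while slide 8 replaces the ACL outright (no `/E`), which is why Everyone disappears from the executables without being named.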

6. Disable Services
  • Alerter
  • Computer Browser
  • Indexing Service
  • Messenger
  • Print Spooler
  • Remote Registry
  • Distributed File System
  • Workstation
  • Server
  • Telnet
  • SMTP
5. Filter Ports

Port   Service
42     WINS Host Name Server
80     HTTP
88     Kerberos
135    MS RPC
139    NetBIOS Session Service
389    LDAP
443    SSL
445    CIFS-SMB
464    kpasswd
593    HTTP endpoint mapper
636    SSL-ldap
3268   MS Global Catalog
3269   MS Global Catalog
3372   (Local-host only connection)
3389   MS Terminal Server
xxxx   IIS 5.0 HTML Mgmt

5. Filter Ports
  • Apply IPSec Port Filters
    • Block access to ALL ports but
      • 80, 443, etc.
5. Filter Ports
  • Apply Port Filtering at the Router
    • Block all non-essential ports in BOTH directions
    • Why should DMZ webserver be doing NetBIOS, TFTP, or HTTP OUTBOUND to other Internet Hosts?
      • It Shouldn’t. Block It.
4. Disable NetBIOS
  • Foil Feinman
    • Don’t allow malicious users to access tcp 139 and tcp/udp 445
    • Without this access it will be much tougher for a hacker to enumerate details about users and groups
4. Disable NetBIOS
  • IPSec
    • Create Blocker rules for tcp 139 and tcp/udp 445
  • Unbind File and Printer Sharing for Microsoft Networks
    • Will stop 139 from responding to requests
  • Advanced IP filtering
    • Only allow required ports
  • Unbind NetBIOS from WINS
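Slides 5 and 4 describe three filtering styles that are easy to conflate: IPSec "blocker" rules for tcp 139 and tcp/udp 445 (a blocklist over a permit-everything default), a host-side "only allow required ports" filter (an inbound allowlist), and router filtering that blocks non-essential ports in both directions. The model below is an added example, not code from the slides or from any Microsoft tool: it evaluates first-match rules with an explicit default verdict and runs a constructed set of probe flows through each style, so the report shows what each one still leaves open (for instance tcp 3389 under the blocker rules, and outbound 139/69/80 under the inbound-only allowlist). It is an idealised model: it does not reproduce the Windows 2000 TCP/IP filtering quirk the later "Advanced IP Filtering" slide warns about, where permitting only protocol 6 also admits ICMP.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port table from the "5. Filter Ports" slide (69/TFTP added for the slide's
# outbound example); used only to label flows in the report.
SERVICE_NAMES: Dict[int, str] = {
    42: "WINS Host Name Server", 69: "TFTP", 80: "HTTP", 88: "Kerberos",
    135: "MS RPC", 139: "NetBIOS Session Service", 389: "LDAP", 443: "SSL",
    445: "CIFS-SMB", 464: "kpasswd", 593: "HTTP endpoint mapper",
    636: "SSL-ldap", 3268: "MS Global Catalog", 3269: "MS Global Catalog",
    3389: "MS Terminal Server",
}

Flow = Tuple[str, str, int]          # (direction "in"/"out", proto "tcp"/"udp", port)


@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "block"
    direction: str                               # "in", "out" or "any"
    proto: str                                   # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]] = None      # inclusive range; None = every port

    def matches(self, direction: str, proto: str, port: int) -> bool:
        return (self.direction in ("any", direction)
                and self.proto in ("any", proto)
                and (self.ports is None or self.ports[0] <= port <= self.ports[1]))


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[Rule, ...]
    default: str                                 # verdict when no rule matches

    def decide(self, direction: str, proto: str, port: int) -> str:
        """First matching rule wins; otherwise the policy default applies."""
        for rule in self.rules:
            if rule.matches(direction, proto, port):
                return rule.action
        return self.default


# Style 1, "IPSec: create blocker rules for tcp 139 and tcp/udp 445": a blocklist
# on top of the implicit permit-everything default.
NETBIOS_BLOCKERS = Policy("NetBIOS blocker rules", (
    Rule("block", "in", "tcp", (139, 139)),
    Rule("block", "in", "tcp", (445, 445)),
    Rule("block", "in", "udp", (445, 445)),
), default="permit")

# Style 2, "block access to ALL ports but 80, 443" as a host filter: inbound is
# allowlisted, outbound is untouched.
HOST_ALLOWLIST = Policy("host allowlist, inbound only", (
    Rule("permit", "in", "tcp", (80, 80)),
    Rule("permit", "in", "tcp", (443, 443)),
    Rule("block", "in", "any"),
), default="permit")

# Style 3, "block all non-essential ports in BOTH directions" at the router: the
# same allowlist with a block default, so the DMZ web server cannot talk out either.
ROUTER_BOTH_WAYS = Policy("router allowlist, both directions", (
    Rule("permit", "in", "tcp", (80, 80)),
    Rule("permit", "in", "tcp", (443, 443)),
), default="block")

# Constructed probe flows: a sample of the slide's inbound services plus the
# outbound NetBIOS/TFTP/HTTP traffic it asks why a DMZ web server would ever send.
PROBES: List[Flow] = [
    ("in", "tcp", 80), ("in", "tcp", 443), ("in", "tcp", 139), ("in", "udp", 445),
    ("in", "tcp", 3389), ("in", "tcp", 389),
    ("out", "tcp", 139), ("out", "udp", 69), ("out", "tcp", 80),
]


def open_flows(policy: Policy, probes: List[Flow]) -> List[Flow]:
    """Flows the policy lets through; each one should be justifiable as essential."""
    return [flow for flow in probes if policy.decide(*flow) == "permit"]


def report(policies: List[Policy], probes: List[Flow]) -> List[str]:
    """One line per flow with every policy's verdict, for side-by-side review."""
    lines = [f"{'flow':<34}" + "".join(f"{p.name:<36}" for p in policies)]
    for direction, proto, port in probes:
        label = f"{direction:<3} {proto}/{port} ({SERVICE_NAMES.get(port, 'other')})"
        verdicts = "".join(f"{p.decide(direction, proto, port):<36}" for p in policies)
        lines.append(f"{label:<34}{verdicts}")
    return lines


if __name__ == "__main__":
    print("\n".join(report([NETBIOS_BLOCKERS, HOST_ALLOWLIST, ROUTER_BOTH_WAYS], PROBES)))
```

The point to take from the report is the one the slides make: blocker rules only close what they name, so the rest of the port table (RPC, LDAP, Terminal Server) stays reachable, and a host allowlist that is inbound-only still lets a compromised web server reach out on NetBIOS, TFTP or HTTP, which is why the router filter has to cover both directions.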
4. Unbind F&P Sharing
  • Must select Advanced – Advanced Settings
  • No reboot required
  • 445 disappears, 139 appears, but does not respond

4. Advanced IP Filtering
  • Reboot required!
  • Only specified ports are allowed
  • WARNING: selecting IP Protocols – Permit Only ‘6’ (tcp) will ALSO allow ICMP ‘1’, even though this is not explicitly defined

4. Unbind NetBIOS from WINS
  • No reboot required
  • 139 disappears, 445 still accepts connections

4. Disable NetBIOS
  • Most Secure Option Is to Unbind File and Printer Sharing from the specified adapter
    • Both 139 and 445 will be prohibited
4. Foiling Feinman
  • Aside from blocking user enumeration via NetBIOS
    • You must also secure enumeration via SNMP and LDAP
    • Block tcp 389 and udp 161
    • DO NOT weaken perms on AD during AD setup
      • Or, remove the EVERYONE group from the Pre-Windows 2000 Compatibility group
3. Apply Security Templates
  • Templates located in:
    • Winnt\security\templates
      • Basicdc
      • Basicsv
      • Basicws
      • Compatws
      • Hisecdc
      • Hisecws
      • Ocfiless
      • Ocfilesw
      • Securedc
      • Securews
      • HISECWEB – download from microsoft.com/security
2. Follow IIS5 Checklist
  • Summary:
    • Remove sample apps
      • inetpub\samples
      • winnt\help\iishelp
      • Program files\common files\system\msadc
    • ACL IIS log file
      • Admin and system Full
      • Everyone RWC
    • Enable IIS Logging
    • Review all code on server for RevertToSelf calls
2. Follow IIS5 Checklist (cont)
  • Disable File System Object
    • regsvr32 scrrun.dll /u
  • Remove IISADMPWD directory (if exists)
    • Only exists if upgraded from IIS4
  • Remove script mappings
    • htr, idc, stm, shtm, shtml
  • Disable Parent Paths
    • Scripts, msadc, etc.
Additional IIS Security Steps
  • Remove or disable Admin web sites
  • Remove Server extensions if you aren’t using them (remove files, too)
  • Run Permissions Wizard on all web directories
  • Disable Windows Auth on directories that don’t need it
1. Apply Hotfixes
  • Apply the Patches
    • MS00-086
      • Solves Directory Traversal Vulnerability
      • Supersedes MS00-057 and MS00-078
    • MS01-007
      • Solves Win2K Privilege Escalation Vulnerability
    • Visit microsoft.com/security for others…
1. Apply Hotfixes
  • Search by Service Pack

Resources
  • www.microsoft.com/security
    • Bulletins and patches
    • IIS5 Security Checklist
    • HiSecWeb Template
    • HFCheck (IIS5 hotfix checker)
  • secure@microsoft.com
    • Reports of security vulnerabilities in MS products
  • secfdbck@microsoft.com
    • Feedback on website, tools, checklists, etc.