
Hardening Systems: Windows NT

Hardening Systems: Windows NT. Presented to CERTConf 2000 September 28, 2000. Stephen M. Nugen, CISSP NebraskaCERT smnugen@nugensoft.com. Introduction. Purpose Discuss Windows NT-specific InfoSec issues Provide pointers to specific checklists, etc. Focus Windows NT 4.0


Presentation Transcript


  1. Hardening Systems: Windows NT Presented to CERTConf 2000, September 28, 2000 Stephen M. Nugen, CISSP NebraskaCERT smnugen@nugensoft.com

  2. Introduction • Purpose • Discuss Windows NT-specific InfoSec issues • Provide pointers to specific checklists, etc. • Focus • Windows NT 4.0 • Still outselling Windows 2K • Next year: Windows 2K and/or Whistler (-> .NET) • Server and Workstation versions • Broad rather than deep... • Consider multiple areas of vulnerability • Some topics just too hard or too site-specific to cover with everything else... • Understanding the “why” behind the vulnerability, mitigation • Preparing for multiple variations on a theme • InfoSec is the journey that never ends

  3. Introduction cont’d • Caveat • Presenting and discussing information gleaned from multiple sources • Sources believed to be reliable • Some sources old... some details may be OBE (overtaken by events) depending on what service packs, patches, hot-fixes have been installed at your site • Some, but not all of these have been tested • Limitations of any single presenter... • IMPORTANT • USE THESE NOTES ONLY AS • IDEAS FOR FURTHER STUDY • POINTS OF REFERENCE... KEYWORDS FOR SEARCHING TECHNET, MSDN, ETC. • CHANGES TO REGISTRY VERY DANGEROUS • BACKUP REGISTRY FIRST • EXPLORE WITH REGEDT32.EXE... USE OPTIONS | READ-ONLY • DON’T TRUST NUGEN’S SPELLING, TYPE, OR VALUE FOR ANY PARTICULAR REGISTRY KEY, ETC.... LOOK IT UP

  4. Introduction cont’d • Assumed • Already understand InfoSec basics • Already understand Windows NT basics • Style • Very informal • Questions and suggestions welcome anytime • Now • Later • If need the source for any specific suggestion/topic, send email to nt-sec@nugensoft.com • Ask about abbreviations... like • HKLM = HKEY_LOCAL_MACHINE • HKCU = HKEY_CURRENT_USER

  5. Introduction cont’d • Structure • Accounts • Resources • Auditing • Services • Network • Other • OBE Exploits • Sources

  6. Accounts • Password Restrictions • Passwords should expire after <xx> days to limit the window of a compromised password • Password length > 12 characters (NT 4.0 accepts at most 14) • Wherever LM hashes exist (Win9x clients, or LM authentication still enabled) a length of 8 is very bad: the LM hash splits the password into two 7-character halves and hashes each independently, so the second half of an 8-character password is a single character plus padding and cracks instantly... 14 characters fills both halves • Password uniqueness • Don’t keep reusing compromised passwords • Set Password Uniqueness to remember the maximum value (24) • Set Minimum Password Age to 2 days to prevent users from cycling through passwords to return to their “old favorite” • Use Account Lockout to prevent password guessing, brute force • Lockout after <4-5> bad login attempts • Reset count after <20-30> minutes • Lockout duration <30 minutes-forever> • If forever, then will need Administrator to restore account

  7. Accounts cont’d • Password restrictions cont’d • User must log on in order to change password... to require Administrator involvement for users whose passwords have expired • Password warning time • Default: NT begins warning users 14 days before password expires • Can change via value PasswordExpiryWarning (REG_DWORD, days) under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon • Misc advice • Constructing passwords... educating users • Don’t forget to self-crack passwords from time to time...

  8. Accounts cont’d • Account Policies... User Rights • Be guided by principles of • Least privilege • Separation of duties... illegal activity which requires collusion less probable, more likely to be detected • Consider • Which group memberships really necessary • Hours of use • Dial-in access... • Which servers users can access... be very concerned about people logging on from a computer in an unsupervised area • Account expiration... especially for test and temporary accounts • Some rights should not be assigned to any user • Act as part of the operating system • Create a token object • Debug programs... not auditable • Generate security audits • Replace a process level token

  9. Accounts cont’d • MS-Recommended changes from default for high-security sites • Right: Log on locally • Workstations and stand-alone servers • Default: Administrators, Everyone, Guests, Power Users, and Users • Change: Remove Everyone and Guests • Domain servers • No change from default recommended • Right: Shut down system • Workstations and stand-alone servers • Default: Administrators, Everyone, Guests, Power Users, and Users • Change: Remove Everyone and Guests • Domain servers • No change from default recommended

  10. Accounts cont’d • MS-recommended changes from default cont’d • Right: Access this computer from network • Workstations and stand-alone servers • Default: Administrators, Everyone, Power Users • Change: Remove Everyone; Add Users • Domain servers • Default: Administrators, Everyone • Change to: Remove Everyone; add Backup/Server/Print Operators • Also refer to MS Windows NT 4.0 Domain Controller Configuration Checklist

  11. Accounts cont’d • Account policies cont’d • Special considerations • Access this computer from network • Block for Everyone group • For all groups when possible... including administrator... so that administrators have to login interactively at the server, in a controlled environment • Log on locally • Admins only... users shouldn’t be logging into actual server hardware • Take ownership of files and other objects • Admins only... • Manage auditing and security logs • Admins only... • See following note about Auditor account

  12. Accounts cont’d • Administrator account • Administrators need two separate accounts • Regular use, less-privileged • Not an insult • A precaution against accidental damage • System administration account • Win2K provides “Run as” (secondary logon), like Unix “su”, to start a single program under the privileged account without logging out • ...Two separate accounts for other privileged accounts as well • Backup Operators, etc.

  13. Accounts cont’d • Administrator account cont’d • Rename Administrator account to something obscure • Exploit tools can still learn the name (the built-in Administrator always has RID 500, so a SID-to-name lookup reveals it), but • It’s another barrier... more tools, knowledge, etc. • Some of them require the renamed administrator account to be in use... the system administrator logged on • Be sure to scan the audit logs for logon attempts against the name “Administrator”... nobody legitimate should be using it • Be sure to hide the last user name on the logon dialog via value DontDisplayLastUserName = 1 (REG_SZ) under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

  14. Accounts cont’d • Administrator account • Make a decoy account named Administrator • No permissions, no group memberships • Waste the time of script kiddies • Audit it... every logon attempt against it is suspicious • Consider an Auditor account as the only account in the built-in Administrators group • All other Admins in a special management group with every right except “Manage auditing and security log” • Allows auditing of the most powerful accounts... • Most likely accounts to be misused, accidentally or deliberately • Most likely accounts targeted by disgruntled employee or external hacker

  15. Accounts cont’d • Administrator account cont’d • Recovery technique • Make an obscure Administrator-equivalent account with a very complex password • Store password in thirds in three different envelopes entrusted to three different managers/employees • Audit... • Use PASSPROP /ADMINLOCKOUT to make the built-in Administrator account subject to the lockout policy • From NTRK • Only locks out network logons... the account can always log on interactively at the console, so it can’t be locked out of the machine entirely

  16. Accounts cont’d • SYSKEY • aka System Key • Background • NT stores one-way hashes of user passwords in the SAM hive of the registry • Copies saved by rdisk /s (\winnt\repair\sam._) and by some backup programs • Password cracking tools can extract the hashes from archived SAM files... for subsequent offline cracking • SYSKEY encrypts the stored password hashes with a 128-bit key for added protection • Three modes • Auto Boot • System generates internal key and stores it on the system • Convenient for unattended startups • Not very secure... the key sits on the same disk as the SAM • Floppy Boot • System generates random key and stores it on floppy • More secure • Must insert floppy to boot the system • If you lose the floppy, order pizza... • Password Boot • Administrator chooses password • Needed to boot • If you forget the password or lose the Administrator, order pizza...

  17. Accounts cont’d • SYSKEY cont’d • Notes • SYSKEY prevents SAM dumping with • Tool built into L0phtCrack 2.5 • Tool pwdump • SYSKEY does not stop SAM dumping with tool pwdump2 • Uses a DLL injection technique different from pwdump... injects into LSASS and reads the hashes after the system has already decrypted them, so SYSKEY never comes into play • pwdump2 requires administrator access • A separate weakness in the SYSKEY encryption itself (reuse of the keystream) has also been reported... so a SYSKEY-protected SAM file in the wrong hands is not safe either • SYSKEY protects hashes at rest (SAM file, repair directory, backups)... once an attacker holds the raw hashes, cracking them is no harder than without SYSKEY

  18. Accounts cont’d • LANMAN (aka LanManager [LM]) • LANMAN challenge/response authentication, used by Windows 9x clients, much weaker than NT (NTLM) authentication... the LM response is derived from the LM hash, so a sniffed LM response cracks easily • Set HKLM\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel = X (REG_DWORD; see MS-KB Q147706, the NTLMv2 levels require SP4 or later) • Where: • X=0: Send both LM and NTLM responses (default) • X=1: Send both, use NTLMv2 session security if negotiated • Vulnerability since a hostile server or hack tool can still request, and get, the weak LM response • X=2: Send NTLM response only... never LM • Preferred for NT clients and member servers • X=4 or 5: Domain controller refuses LM (4) or both LM and NTLM (5) from clients • X=4 on the DC locks out Win95/98 clients, which can only do LM • Consider disabling caching of logon credentials • Cached domain credentials let users log on when no domain controller is reachable (e.g. laptops)... but leave a copy on the local disk • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (REG_SZ; default 10, set to 0 to disable)

  19. Resources • Always format volumes as NTFS • FAT filesystems don’t support ACLs • Shares • Share ACLs only restrict remote access, not access by a program on the same computer • Local access: Checks file & directory ACLs only • Remote access: Checks • Share ACLs, then • File and directory ACLs... the more restrictive of the two wins • Share ACLs can’t be relaxed by share owners, but can be created and modified by • Full administrators • Server Operators • Power Users • Print Operators (create only)

  20. Resources • Shares cont’d • Don’t inadvertently put information in share name • Share names visible even to users who can’t access the share • Names like “Secret Layoff Schedule” best avoided

  21. Resources cont’d • Administrative shares (aka admin shares) • Created automatically at Server service startup for each logical volume (C$, D$, ...) plus ADMIN$ (the systemroot) • Hidden from browse lists by the trailing $, but accessible to Administrators • Helpful in remote administration • Disabled when Server service disabled • Disabled through registry values (REG_DWORD, 0 = don’t create) • NT Server: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer • NT Workstation: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks • Can delete existing shares with net share C$ /delete... but they are recreated at the next Server service start unless the AutoShare value is set to 0 • Multiple MS-KB articles on this subject...

  22. Resources cont’d • General access permissions • Start with the most sensitive directories and files... • Use tools for large systems • For shared directories and files • Which local users and groups have access... necessary and appropriate? • Which network users and groups have access... necessary and appropriate? • Are inherited permissions appropriate? • For non-shared directories and files • Which local users and groups have access... necessary and appropriate? • Are inherited permissions appropriate? • Override the default behavior that the Everyone group gets Full Control on all new folders... • Change Everyone group access on the parent folder, then create subfolders which inherit permissions • Change Everyone group permissions at the drive root... then propagate permissions to subdirectories • Exception: Manually update the systemroot folder (usually C:\winnt) per the MS recommendations that follow

  23. Resources cont’d • Separate data files from program files • Easier administration... backups • Data directories • Users given Write permissions • Remove Execute permission... to prevent user from writing trojan or virus into directory and then executing • Program directories • Users have Read and Execute permissions • Remove Write permissions... to prevent user from writing trojan or virus into directory and then executing • Separate public files from private files • Easier to apply appropriate permissions and audit • Never share the root directory of a drive • Exception: CD-ROM shared for public access • Use encryption when feasible • Especially for exec laptops...

  24. Resources cont’d • MS recommendations for protecting files and directories • \winnt and all subdirectories... see exceptions that follow • Administrators: Full Control • System: Full Control • Creator Owner: Full Control • Everyone: Read • \winnt\repair... where rdisk stores info for ERD disks... includes sensitive info • Administrators: Full Control • \winnt\system32\config • Administrators: Full Control • System: Full Control • Creator Owner: Full Control • Everyone: List

  25. Resources cont’d • MS file recommendations cont’d • \winnt\system32\spool • Administrators: Full Control • System: Full Control • Creator Owner: Full Control • Everyone: Read • Power Users: Change • \winnt\cookies • Administrators: Full Control • System: Full Control • Creator Owner: Full Control • Everyone: • Special directory access: read, write, execute • Special file access: none

  26. Resources cont’d • MS file recommendations cont’d • \winnt\forms • Same protections as \winnt\cookies • \winnt\history • Same protections as \winnt\cookies • \winnt\occache • Same protections as \winnt\cookies • \winnt\profiles • Same protections as \winnt\cookies • \winnt\sendto • Same protections as \winnt\cookies • \winnt\temporary internet files • Same protections as \winnt\cookies

  27. Resources cont’d • MS file recommendations cont’d • \boot.ini • Administrators: Full Control • System: Full Control • \ntdetect.com • Administrators: Full Control • System: Full Control • \ntldr • Administrators: Full Control • System: Full Control • \autoexec.bat • Administrators: Full Control • System: Full Control • Everyone: Read

  28. Resources cont’d • MS file recommendations cont’d • \config.sys • Administrators: Full Control • System: Full Control • Everyone: Read • \temp directory • Administrators: Full Control • System: Full Control • Creator Owner: Full Control • Everyone: • Special directory access: read, write, execute • Special file access: none • Also see specific guidelines from TSS & NSA (Windows NT Security Guidelines, 1998)

  29. Resources cont’d • Monitor ownership of sensitive files • Example: Administrators shouldn’t be accessing personnel evaluations • Owner should deny access to administrators • If necessary, Admin can take ownership... Then, grant themselves access rights • But, Admins can’t give ownership back to original owner... so leaves tracks • Data owner checks ownership... finds Admin is new owner... can ask the interesting questions • Doesn’t require auditing or access to audits by data owner

  30. Resources cont’d • Prevent remote registry editing • Stronger protection after SP3 • Remote registry access subject to the ACL on key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg... but the Machine value under HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths lists registry paths exempt from this restriction... review it, don’t just trust it • See MS-KB Q153183 • Default • NT Server defines the key, restricts remote access to Administrators • NT Workstation doesn’t define the key, does not restrict remote access to the registry... create it

  31. Resources cont’d • Disable registry tools when not required • Method-1: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools • Directly or via policy editor • Method-2: Use ACLs to restrict use of the registry editors • Weakness of both approaches: Doesn’t restrict other registry-modifying tools, scripts, .reg files, etc.... the ACLs on the keys themselves are the real protection

  32. Resources cont’d • C2-level protections • Full C2 the subject of multiple white papers, etc. • Investigate ProtectionMode • When present, tells the NT Session Manager that security on base system objects should be at the C2 security level • HKLM\System\CurrentControlSet\Control\Session Manager\ProtectionMode • Ref MS-KB Q244995 • Also investigate additional protection • ProtectionMode doesn’t address all base named objects... for those, use HKLM\System\CurrentControlSet\Control\Session Manager\AdditionalBaseNamedObjectsProtectionMode

  33. Resources cont’d • Sensitive registry areas to control & monitor • Can be used to launch trojans at boot, at logon, or whenever a program crashes (AeDebug) • MS-recommended default ACLs for these registry keys • Administrators: Full Control • System: Full Control • Creator Owner: Full Control • Everyone: Read • HKLM\Software\Microsoft\Windows\CurrentVersion\Run • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx • HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

  34. Resources cont’d • MS recommendations for changes to registry key permissions • Changes to default for Everyone group • Default for Everyone: Special Access with • Query Value • Set Value • Create Subkey • Enumerate Subkeys • Notify • Delete • Read Control

  35. Resources cont’d • MS registry recommendations cont’d • Changes for Everyone group cont’d • Change for Everyone Special Access • Retain • Query Value • Enumerate Subkeys • Notify • Read Control • Remove • Set Value • Create Subkey • Delete

  36. Resources cont’d • MS registry recommendations cont’d • Changes for Everyone group cont’d • Applies to • HKLM\Software • But don’t apply to the entire subtree or some software may become unusable • HKLM\Software\Microsoft\RPC (and subkeys) • HKLM\Software\Microsoft\Windows NT\CurrentVersion • HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList • HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug • ... Too many to list... ref to MS Publication: Securing Windows NT Installation, Oct, 1997 • Don’t forget keys • HKCR (root and all subkeys) • HKU\.DEFAULT

  37. Resources cont’d • Watch out for PATHs • System PATH variable must only contain directories whose ACLs prevent untrusted users from adding or modifying files • Such as executables and DLLs • Such as data files trusted programs rely on • User-level autoexec.bat files can be enabled • Registry value ParseAutoexec under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon • If enabled, then must protect autoexec.bat files... a writable one lets its owner prepend directories to the PATH • The “.” problem • Most commands and APIs search the current directory (“.”) before the directories specified in the controlled PATH variable • Command window • Scripts • APIs that start other programs • Allows untrusted programs/components/etc. to be accessed in place of trusted elements... spoofing

  38. Resources cont’d • Path cont’d • The “.” problem cont’d • Difficult to protect against... • Some advice • Use 3rd-party command shells if feasible • Routinely scan for executable files • *.exe. *.bat, *.com, *.vbs, etc. • Get real attentive when finding files whose name is the same as common commands, services, etc. • Avoid working in directories where users with lesser capabilities can create files, etc. • Especially important for Administrators • Where possible, use the Start | Run... it does not search “.” before directories specified by system PATH

  39. Resources cont’d • DLL spoofing • Closely related to PATH issues • Goal of malicious user: cause their “special” DLL to be loaded instead of more boring DLL supplied by the operating system or trusted application • Difficulty-1: Rules used to load DLLs at boot time complex • Different for 16-bit and 32-bit DLLs • Trusted source disagrees with MS-KB article • Ref: MS-KB Q164501

  40. Resources cont’d • DLL spoofing cont’d • Difficulty-2: Different methods search different sequences of directories • Program directory • Where the executable resides • May not be protected by default, but should be protected by a good Administrator • System directory • Ex: c:\winnt or c:\winnt\system32 • Should be protected • Working directory... • Directory the user entered before starting the program • Protected? • Or, directory the program places itself in • Known? • Protected? • DLL spoofing through working directories is the most serious vulnerability... the attacker only needs write access somewhere a victim will later run a program from

  41. Resources cont’d • DLL spoofing cont’d • Safe locations for DLLs • DLLs in protected system directories • Application DLLs in same directory as application, suitably protected • Periodically scan for *.DLL files located outside of protected system and application directories • Protect shortcuts • If a malicious user can change the properties of a shortcut... • System shortcuts (desktop and Start Menu) generally already protected inside Profile directory, private by default • Users should be cautioned not to create shortcuts in directories not write-protected from all others
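The two routine checks these PATH and DLL-spoofing slides (37 through 41) ask for, written out as an added example that is not code from the original presentation: emulate the command search order that puts "." ahead of the PATH, and scan a tree for executables that shadow common command names or DLLs sitting outside the protected system and application directories. The sample directory tree, the list of protected directories and the watch list of command names are constructed here for illustration; on a real server you would point the scan at the drive roots with %SystemRoot% and the application directories as the protected set.

```python
"""PATH / DLL spoofing checks for an NT-style tree (added example).

The tree built by build_demo_tree(), the protected directories and the
COMMON_COMMANDS watch list are assumptions made for this illustration.
"""
import os
import shutil
import tempfile

EXEC_EXTS = [".com", ".exe", ".bat", ".cmd"]      # order cmd.exe tries extensions
SCAN_EXTS = set(EXEC_EXTS) | {".vbs", ".pif", ".scr"}
# Names an attacker would pick so that a "." search finds theirs first
# (assumed watch list; extend it for your site).
COMMON_COMMANDS = {"net", "cmd", "regedt32", "regedit", "cacls", "rdisk",
                   "ntbackup", "explorer", "winlogon", "at"}


def norm(path):
    return os.path.normcase(os.path.abspath(path))


def under(path, roots):
    """True if path is one of roots or lies beneath one of them."""
    p = norm(path)
    return any(p == r or p.startswith(r + os.sep) for r in roots)


def resolve_command(name, cwd, path_dirs):
    """File cmd.exe would run for `name`: current directory first, then PATH."""
    for d in [cwd] + list(path_dirs):
        for ext in EXEC_EXTS:
            cand = os.path.join(d, name + ext)
            if os.path.isfile(cand):
                return cand
    return None


def scan_tree(root, protected_dirs):
    """Return (executables shadowing common commands, DLLs) outside protected_dirs."""
    protected = [norm(p) for p in protected_dirs]
    shadowed, stray = [], []
    for dirpath, _, filenames in os.walk(root):
        if under(dirpath, protected):
            continue
        for fn in filenames:
            base, ext = os.path.splitext(fn.lower())
            full = os.path.join(dirpath, fn)
            if ext in SCAN_EXTS and base in COMMON_COMMANDS:
                shadowed.append(full)
            elif ext == ".dll":
                stray.append(full)
    return shadowed, stray


def build_demo_tree():
    """Constructed sample tree (illustration only): a system dir, an app
    dir, a user's home with a planted net.exe and msvcrt.dll, and a temp."""
    root = tempfile.mkdtemp(prefix="ntscan_")
    files = ["winnt/system32/net.exe", "winnt/system32/msvcrt.dll",
             "apps/payroll/payroll.exe", "apps/payroll/pr.dll",
             "users/bob/net.exe",             # trojan shadowing net.exe
             "users/bob/docs/msvcrt.dll",     # planted DLL
             "temp/report.txt"]
    for rel in files:
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
    return root


def demo():
    """Returns (what 'net' resolves to from Bob's dir, shadowed exes, stray DLLs)."""
    root = build_demo_tree()
    try:
        sysdir = os.path.join(root, "winnt", "system32")
        protected = [os.path.join(root, "winnt"), os.path.join(root, "apps", "payroll")]
        relp = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        # An administrator who cd's into Bob's directory and types "net"
        # runs Bob's net.exe, not the one in system32.
        picked = relp(resolve_command("net", os.path.join(root, "users", "bob"), [sysdir]))
        shadowed, stray = scan_tree(root, protected)
        return picked, sorted(map(relp, shadowed)), sorted(map(relp, stray))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    picked, shadowed, stray = demo()
    print("'net' typed in users/bob resolves to:", picked)
    print("Executables shadowing common commands outside protected dirs:", shadowed)
    print("DLLs outside protected system/application dirs:", stray)
```

The scan treats anything under the protected directories as trusted, which is only true if their ACLs really do keep ordinary users out, so pair it with the permission review from the earlier slides.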

  42. Resources cont’d • Extension mapping • Can easily spoof when allowed to change the association between file types and the system action • A single mapping should serve all users and point only at trusted programs whose executable files are properly protected • Problem-1: Anyone can change the mapping • By default, all local users (members of the INTERACTIVE pseudo-group) can modify the mapping through user tools • Mapping stored under HKLM\Software\Classes • Change permissions on this key • Replace the Interactive group with one that holds only trusted users • Restrict non-Admin write access to the command key HKLM\Software\Classes\regfile\shell\open\command

  43. Resources cont’d • Extension mapping cont’d • Problem-2: Standard extensions can be dangerous • *.reg files contain scripts executed by registry editor, making changes to the registry • Consider disabling this association • To avoid surprises • Can always reassociate when needed... always record the existing association before changing it • For high-security environments, selectively unmap every association not required for normal operations • Very carefully, methodically, one or two at a time, with regression test scripts, etc. • Note: Executables can be run from command line, regardless of their file extension

  44. Resources cont’d • Watch out for data files containing more than data • Best-known example: Macro viruses embedded in a MS-Office file • Lesser-known example: OCX embedded in a .RTF file • Lesser-known example: NTFS alternate data streams... • NTFS files can contain multiple named streams • Most tools (dir, Explorer, many scanners) only see the unnamed primary stream and report only its size • A file can hold innocent data in the primary stream and hacker tools in a named stream, e.g. report.txt:tool.exe... cmd’s type command can write one (type tool.exe > report.txt:tool.exe) and copying the file to FAT silently drops it • Printer drivers • NT thoughtfully installs print drivers on demand... • Drivers run inside the spooler service, not as the user... an untrusted driver could divert the data or worse • Restrict who may add drivers on the print server to administrators, print operators and power users • HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers = 1 (REG_DWORD)

  45. Resources cont’d • Consider clearing the system page file during clean system shutdown... it can hold passwords and other secrets paged out of memory, readable by anyone who boots the machine from another OS • HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown = 1 (REG_DWORD) • Increases duration of shutdown process • Lock the server console when not in use • Explicitly (Ctrl+Alt+Del | Lock Workstation) • Password-protected locking screen savers • Consider turning off auto-generation of 8.3 names • Filenames in 8.3 form only needed for backward compatibility with 16-bit applications • Turning off improves performance (don’t know how much) • HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation = 1 (REG_DWORD)

  46. Resources cont’d • Consider removing the “R” permission from executable program files • Benefit: Prevents users from copying them • Perhaps to a directory of theirs that is searched before the system directories • Which would effectively replace a trusted component with an untrusted one • Problem • Desktop manager cannot read the file to determine its icon • May generate an audit entry if auditing failed reads • Displays default icon

  47. Resources cont’d • Consider restricting the use of DCOM • Restrict Interactive users’ write access to the DCOM RunAs values... whoever can change RunAs chooses which account a server runs under • Key HKLM\Software\Classes\AppID • Remove the Interactive group’s Set Value, Create Subkey, and Write permissions • Replace permissions on existing subkeys • Or disable DCOM altogether, since it can be used to execute commands remotely • Key HKLM\Software\Microsoft\Ole, value EnableDCOM = “N” (REG_SZ)
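Many of the settings on these slides (the Winlogon values on slides 13 and 18, LMCompatibilityLevel on slide 18, AutoShareServer on slide 21, AddPrinterDrivers on slide 44, ClearPageFileAtShutdown on slide 45, EnableDCOM on slide 47) are single registry values, so the least dangerous way to audit them is read-only: export HKLM with regedit (Registry | Export Registry File, REGEDIT4 format on NT 4.0) and compare the file against a baseline. The checker below is an added example, not a Microsoft tool or code from the presentation; the .reg text is constructed for illustration, and the baseline table and its "default when absent" column are this example's own assumptions taken from the slides, to be verified against TechNet before use at your site.

```python
"""Compare a REGEDIT4 (.reg) export against a hardening baseline (added example)."""
import re

# Constructed sample export (illustration only); substitute a real
# "Registry | Export Registry File" of HKLM.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000000
"AuditBaseObjects"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"CachedLogonsCount"="10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001
"""

# (key, value name, hardened value, assumed default when the value is absent, slide topic)
BASELINE = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "LMCompatibilityLevel", 2, 0, "LANMAN authentication"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "DontDisplayLastUserName", "1", "0", "hide last user name"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "CachedLogonsCount", "0", "10", "cached logon credentials"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters",
     "AutoShareServer", 0, 1, "administrative shares"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
     "EnableDCOM", "N", "Y", "DCOM"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management",
     "ClearPageFileAtShutdown", 1, 0, "page file"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",
     "AddPrinterDrivers", 1, 0, "printer drivers"),
]

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data or @=data


def parse_data(data):
    """Decode one REGEDIT4 data field: dword:, quoted string, or hex: bytes.
    (Multi-line hex continuations are not handled in this example.)"""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("hex"):
        return bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
    return data


def parse_reg(text):
    """Return {(key path lower-cased, value name lower-cased): decoded data}."""
    if not text.lstrip().startswith("REGEDIT4"):
        raise ValueError("not a REGEDIT4 export")
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            values[(key, (m.group(1) or "").lower())] = parse_data(m.group(2))
    return values


def check(values):
    """Return (topic, value name, actual-or-default, expected) for each deviation."""
    findings = []
    for key, name, expected, default, topic in BASELINE:
        actual = values.get((key.lower(), name.lower()), default)
        if actual != expected:
            findings.append((topic, name, actual, expected))
    return findings


if __name__ == "__main__":
    for topic, name, actual, expected in check(parse_reg(SAMPLE_REG)):
        print(f"{topic}: {name} is {actual!r}, hardened value is {expected!r}")
```

Absent values are scored at their default rather than ignored, since a missing AutoShareServer still means the admin shares get created; keep the baseline in sync with the registry documentation for your service pack level, because the deck itself warns not to trust anyone's spelling of a key name.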

  48. Auditing • General notes • Auditing enabled through User Manager | Policies | Audit • Directory/file auditing by user (groups or accounts) controlled through file manager • Explorer | <select file> | <right-click> | properties | security | auditing • Printer auditing controlled through Print Manager • Print Manager | <select printer> | <right-click> | properties | security | auditing • Auditing of base system objects requires a new registry key • HKLM\System\CurrentControlSet\Control\Lsa\AuditBaseObjects • Then, enable “Object Access” using User Manager

  49. Auditing cont’d • General notes cont’d • Even when auditing of privilege use is enabled, certain privileges are not audited • To control the size of audit logs • Ex: Backup and restore privileges, exercised on every file touched • If required in special circumstances, check out • HKLM\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing

  50. Auditing cont’d • Set log size reasonably large • Depends on granularity of auditing, activity level, etc.... • Experiment... 4096 and 8192 KB commonly-cited sizes... monitor • Consider placing event logs in separate partition(s) so they never fail because of insufficient disk space • HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\File • HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System\File • HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\File • Enable log wrapping with “Overwrite Events as Needed” so the system never halts on a full log • Goal: Overwrite needn’t happen with good maintenance, archives • Routine log maintenance • Monitor size • Move to long-term storage • Clear (event 517 records the clearing... an unexpected one is itself a finding) • Know chain of evidence rules
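Slide 13 says to scan the audit logs for logon attempts against the Administrator name, slide 6 sets the lockout threshold and reset window, and this slide describes the log maintenance cycle; the following added example (not code from the presentation) ties those together by reading a Security log export and reporting what a reviewer would want to see. The log lines are constructed to mimic the tab-delimited layout of Event Viewer's "Save As... Text" export (Date, Time, Source, Type, Category, Event, User, Computer, Description); confirm the column order of your own exports before relying on it. The account name "bkeeper" standing in for the renamed Administrator is an assumption for the sample, and the watch list, threshold and window are parameters you set to match your policy.

```python
"""Scan an NT 4.0 Security log export for admin-targeted logons, lockout
bursts, successes after a burst, and audit-log clearing (added example).

Event IDs: 528 successful logon, 529 bad user name or password,
539 account locked out, 517 audit log cleared.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample export (illustration only). "Administrator" is the
# decoy account; "bkeeper" is assumed to be the renamed real one.
SAMPLE_LOG = """\
9/28/2000\t09:58:10 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSYSTEM\tNTSRV1\tLogon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: NTSRV1 Logon Type: 3
9/28/2000\t10:01:02 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSYSTEM\tNTSRV1\tLogon Failure: Reason: Unknown user name or bad password User Name: jsmith Domain: NTSRV1 Logon Type: 2
9/28/2000\t10:15:30 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSYSTEM\tNTSRV1\tLogon Failure: Reason: Unknown user name or bad password User Name: bkeeper Domain: NTSRV1 Logon Type: 3
9/28/2000\t10:15:41 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSYSTEM\tNTSRV1\tLogon Failure: Reason: Unknown user name or bad password User Name: bkeeper Domain: NTSRV1 Logon Type: 3
9/28/2000\t10:15:52 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSYSTEM\tNTSRV1\tLogon Failure: Reason: Unknown user name or bad password User Name: bkeeper Domain: NTSRV1 Logon Type: 3
9/28/2000\t10:16:03 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSYSTEM\tNTSRV1\tLogon Failure: Reason: Unknown user name or bad password User Name: bkeeper Domain: NTSRV1 Logon Type: 3
9/28/2000\t10:16:14 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSYSTEM\tNTSRV1\tLogon Failure: Reason: Unknown user name or bad password User Name: bkeeper Domain: NTSRV1 Logon Type: 3
9/28/2000\t10:16:25 AM\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tbkeeper\tNTSRV1\tSuccessful Logon: User Name: bkeeper Domain: NTSRV1 Logon Type: 3
9/28/2000\t11:40:00 AM\tSecurity\tSuccess Audit\tSystem Event\t517\tSYSTEM\tNTSRV1\tThe audit log was cleared Primary User Name: bkeeper
"""

USER_RE = re.compile(r"User Name:\s*(\S+)")


def parse_export(text):
    """Parse tab-delimited Event Viewer text export lines into dicts."""
    events = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 9:
            continue
        date, time_, _source, etype, _category, event_id, user, computer = cols[:8]
        desc = "\t".join(cols[8:])
        m = USER_RE.search(desc)          # account named in the description
        events.append({
            "when": datetime.strptime(f"{date} {time_}", "%m/%d/%Y %I:%M:%S %p"),
            "type": etype, "id": int(event_id), "computer": computer,
            "target": (m.group(1) if m else user).lower(), "desc": desc,
        })
    return events


def analyze(events, watch_accounts, threshold=5, window=timedelta(minutes=30)):
    """Return findings as (kind, account, time). threshold and window mirror
    the lockout policy: bad attempts before lockout, and the reset interval."""
    watch = {a.lower() for a in watch_accounts}
    failures = defaultdict(list)          # account -> times of 529s inside the window
    burst_flagged, findings = set(), []
    for e in sorted(events, key=lambda x: x["when"]):
        acct, now = e["target"], e["when"]
        recent = [t for t in failures[acct] if now - t <= window]
        if e["id"] == 529:
            if acct in watch:
                findings.append(("admin-target", acct, now))
            recent.append(now)
            if len(recent) >= threshold and acct not in burst_flagged:
                findings.append(("lockout-threshold", acct, now))
                burst_flagged.add(acct)
        elif e["id"] == 528 and len(recent) >= threshold:
            findings.append(("success-after-failures", acct, now))   # guessed it?
        elif e["id"] == 539:
            findings.append(("locked-out", acct, now))
        elif e["id"] == 517:
            findings.append(("log-cleared", acct, now))
        failures[acct] = recent
    return findings


if __name__ == "__main__":
    for kind, acct, when in analyze(parse_export(SAMPLE_LOG), {"Administrator", "bkeeper"}):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:24s} {acct}")
```

A success right after a burst that reached the lockout threshold is the line to chase first: either lockout is not actually enforced for that account (recall that PASSPROP only locks out network logons for Administrator) or the guess succeeded. The audit-log-cleared event at the end is there because a log that was cleared by someone other than the person doing routine maintenance is exactly the case the archive-then-clear procedure exists to make visible.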
