Windows Security
by: Mark Lachniet

Introductions
• Mark Lachniet, MCNE, MCSE, CCSE, LPIC-1
• Sr. Security Engineer @ Analysts International
• Formerly a technician and then the IS director at Holt Public Schools
• Formerly a MAEDS board member
• New daddy

Agenda: what we have to work with
• Risks
• Microsoft tools to know about
• Policies and procedures
• Secure network designs
• Physical security
• OS security
• IIS security
• Intrusion detection / prevention
• Vulnerability assessments
• Questions and answers

History – Microsoft products
• WFW and Win9x/ME are meant for single-user implementations; they have no security to speak of (use desktop security if you need it)
• Windows NT 3.5x / 4.x / 2000 / XP are multi-user systems that presumably enforce system and user security
• Nonetheless, they still subscribe to the "kitchen sink" approach rather than the "secure by default" approach (.NET may change this)
• The new frontier: Internet Information Server, SQL Server, and programming interfaces such as ASP, VBScript, etc.

History – Microsoft products
• Many hackers consider it fun to pick on Microsoft
• Some implementation issues, such as the NTLM hashing weaknesses, have come up
• Many problems are due to ID-10-T errors.
• Easy configuration = easy misconfiguration
• NIMDA, Code Red I / II, and numerous Outlook viruses have caused big problems and created bad publicity for the company
• Closed-source products make it difficult for individuals to find and fix problems
• Numerous patches, hotfixes, and service packs have created versioning and stability problems on production servers

History – Microsoft's response
• Microsoft has made security a priority
• Numerous service packs, hotfixes, and tools have been created and released
• Response time for security issues has improved greatly, and security reporting has been formalized
• Fewer reported vulnerabilities have fallen through the cracks
• Microsoft has halted development and sent all of its developers to a security boot camp
• A "letter from the top" by Bill Gates has formally stated that security is the direction the company must go

The current situation
• Despite what some would say, it is possible to secure most Windows machines
• It is, however, very time consuming and potentially complicated to do so
• It requires constant vigilance to keep servers up to date
• All of this needs to be factored into the total cost of ownership, not treated as a side cost

Today's presentation
• Will focus on NT4 / 2000 / XP
• Will focus on Internet servers (IIS)
• Will focus on "hardening" of servers
• Will attempt to be specific
• Assumes a technical audience
• Based on an internal Analysts International server hardening checklist
• Will NOT cover the 100 other things you need to know about security

Risks – a quick summary
• To properly qualify your risks, you need to perform a security analysis. Just securing servers is not enough
• Computer security must be "defense in depth", supported on many levels
• Physical security is critical; without it, nothing is secure (e.g. console, backups, etc.)
• Risks from a poor network design (especially for Internet servers) are significant
• Poor policies and procedures can lead to risk (e.g. not coordinating hires/fires with H.R.)
• Need monitoring and log analysis to find problems

More risks
• Remote access (VPN, dialup, wireless) to the network that bypasses firewalls
• Remote control of machines (PC Anywhere, VNC, Terminal Services)
• Vendors and partners! Never trust a vendor, even me. Firewall them off, and make sure their servers are secure.
• Students: bored, frequently smart, and with tons of free time and motivation
• Network sniffing and "man in the middle" attacks
• Password cracking
• Etc. etc. etc.

Tools I use: hfnetchk.exe
• If you aren't using it, you should
• Similar in functionality to Windows Update, but more verbose and doesn't install anything
• Used to check for installed hotfixes and patches for NT4, 2000, XP*, IIS, IE5+, SQL 7 / 2000
• Examines registry keys and file checksums to verify the installation of hotfixes and patches
• Can be used across the network and can be scripted to automate security work
• Cannot always verify all patches, so there is some uncertainty whether you have correctly applied them
• Does not support all Microsoft products
• My favorite: it's simple and it works

Tools I never use: the IIS Lockdown tool
• Follows the "defense in depth" philosophy of security by addressing multiple security aspects
• Meant to provide an easy way of locking down servers. Templates are provided for some server profiles.
• It may insulate you from the actual changes it is making. Unless you know where to look, you have to take its word for it
• It also includes the URLScan tool, which is a type of IPS (Intrusion Prevention System)

Tools I never use: the Personal Security Advisor
• http://www.microsoft.com/technet/mpsa/start.asp
• Web-based product to analyze the security of a workstation
• Not designed for complicated installations, and not really suitable for servers or IIS
• It is, however, pretty good at analyzing workstations for things like Internet zone settings, Outlook settings, Microsoft Office, etc.
• A good way to protect end users from Internet naughtiness
• Runs some simple security checks (weak passwords)
• Would be a good tool to run before deploying a workstation or image

Microsoft security checklists and hardening guides
• NT 4 server / workstation checklists
• Win 2k server / pro baseline checklists
• IIS 4.0 / 5.0 baseline checklists
• Domain controller checklists, etc.
• In general, these are a good starting point, but are not really paranoid enough

Good hardening guides
• NSA hardening guides
• If it's good enough for them…
• Multiple high-quality guides are free for download from: http://www.nsa.gov
• Come in PDF format with lots of screen captures and step-by-step instructions
• Have guides for Cisco routers, NT4, and many Windows 2000 guides: Exchange, IIS5, group policy, Kerberos, etc.
• You probably aren't going to want to do *everything* in them, so pick and choose what makes sense for your organization

Good hardening guides
• Guides from SANS.org (System Administration Networking and Security)
• These are not free, but are based on the work of experts in the field
• SANS offers the best security training around, if you can afford to go (~$3k / 5 days)
• SANS also offers security certification tracks to prove your skills
• As part of this certification, you have to write a "practical" (a paper) on a topic
• These papers are free for all, and mostly good: http://rr.sans.org/win2000/win2000_list.php

The 5 minute tour…
• Because of the amount of material to cover, I am going to discuss a lot of material very quickly
• I will focus more on technical aspects than on administrative stuff
• These are important, but I want to leave enough time for tangible action items you can take home with you
• Please remember, just doing these things does not equal security

Policies and Procedures
• Subscribe to security listservs! You must know what the enemy knows
• BugTraq and NTBugTraq at: http://online.securityfocus.com/archive
• Microsoft Security Bulletins at: http://www.microsoft.com/technet/security/bulletin/notify.asp
• SANS News at: http://server2.sans.org/sansnews
• And many others…

Policies and Procedures
• Document procedures for the configuration, usage, and maintenance of servers and workstations
• Update these procedures regularly
• Limit access to the server to the minimum
• Maintain a disaster recovery plan
• Limit usage of the server to its core function (i.e., a web server). Do not use it as a browser or for routine work! This opens it up to the risk of malicious code or user error

Network Security
• Use a network design that has security in mind!
• Use a firewall with a DMZ to host all Internet servers
• Use an implicit "deny all" policy, and only open up the necessary ports to the outside (80, 443, 25, 110, etc.). Never NetBIOS ports (135-139)
• Similarly, create only the bare minimum of rules for the DMZ server to talk to the inside network. Don't allow any communication, if possible
• Consider using Cisco private VLAN technology to limit communication between DMZ servers
• Use encryption! SSL especially

Physical Security
• If you can physically access the machine, you can do almost anything
• I have boot disks that can reset the administrator password in < 5 minutes
• Once reset, the possibilities are endless: a "reverse telnet shell", logging keystrokes (such as the real administrator trying to log in), etc.
• Even without rebooting, removable media is an issue

Physical Security
• Physically lock up the servers
• Make lots of backups (just in case)
• Lock up Emergency Repair Disks
• Only allow a single OS on the system
• Password protect screen savers & BIOS
• Disable booting from floppy and CD
• Remove all modems and management tools (e.g. Compaq Insight Manager)
• Beware of USB devices!
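The "implicit deny all, open only the required ports, never NetBIOS" rule from the Network Security slide is stated for the perimeter firewall. The script below is an added example (not from the presentation or from Analysts International) that expresses the same policy on the host itself as a defense-in-depth backstop. It assumes Windows Server 2012 or later with the NetSecurity module (Set-NetFirewallProfile, New-NetFirewallRule); the NT4/2000 hosts the deck targets would use the TCP/IP filtering dialog instead. The port list is the one on the slide, and the rule group name 'DMZ-Hardening' is a made-up label.

```powershell
# Added example, not from the presentation: host-firewall version of the slide's
# "deny all, allow only needed ports" policy. Run from an elevated session on
# Windows Server 2012+ (NetSecurity module). Group name 'DMZ-Hardening' is arbitrary.

$AllowedTcpPorts = @(80, 443, 25, 110)   # from the slide; drop what this host does not serve
$NetBiosPorts    = @(135, 137, 138, 139) # slide's "never" list (135 is the RPC endpoint mapper)

# 1. Default deny inbound on every profile; outbound stays open so patching still works.
#    Log drops so the firewall log can feed the "monitor suspicious events" step later.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Remove rules from an earlier run so the script is idempotent.
Get-NetFirewallRule -Group 'DMZ-Hardening' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Allow only the listed service ports inbound.
foreach ($Port in $AllowedTcpPorts) {
    New-NetFirewallRule -DisplayName "DMZ allow TCP $Port" -Group 'DMZ-Hardening' `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow | Out-Null
}

# 4. Explicit block for the NetBIOS/RPC ports on top of the default deny, so that an
#    "allow" rule added later by some product installer cannot silently re-open them
#    (block rules win over allow rules in Windows Firewall).
New-NetFirewallRule -DisplayName 'DMZ block NetBIOS TCP' -Group 'DMZ-Hardening' `
    -Direction Inbound -Protocol TCP -LocalPort $NetBiosPorts -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'DMZ block NetBIOS UDP' -Group 'DMZ-Hardening' `
    -Direction Inbound -Protocol UDP -LocalPort $NetBiosPorts -Action Block | Out-Null

# 5. Verify rather than take the tool's word for it: list every port still allowed inbound.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort |
    Sort-Object Protocol, LocalPort -Unique
```

Step 5 is the part worth keeping even if the rest is done through the GUI: it prints the real allowed-inbound set, which is exactly the kind of check the deck asks for when it complains that the IIS Lockdown tool insulates you from what it changed.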
During Installation
• Do not connect to the Internet while installing (the machine can be hacked during the install)
• Install the minimal number of packages
• Make Internet servers standalone, not part of any domain or Active Directory
• Format all volumes as NTFS
• Install IIS on a separate volume or hard drive (note that this requires an unattended installation and script)
• Use strong administrator passwords

Install all service packs
• Operating system
• Internet Information Server
• Internet Explorer
• SQL Server, others as needed
• hfnetchk.exe should come up clean* before the server is deployed

Filesystem Security
• The 'everyone' group has full access to all drives by default! This is dangerous and unnecessary
• Carefully remove 'everyone' and add administrators, users, etc. to disks using descriptive groups
• Create a 'web users' group that has READ access to IIS directories
• Create a 'web admins' group that has WRITE access to IIS directories
• Add IUSR_box and IWAM_box to 'web users', and maybe to 'web admins'

Filesystem Security
• Delete, or remove access to, dangerous programs to make hacking harder:
  ARP.EXE, AT.EXE, ATSVC.EXE, ATTRIB.EXE, CACLS.EXE, CLIPSRV.EXE, CMD.EXE, COMMAND.COM, CSCRIPT.EXE, DEBUG.EXE, DIALER.EXE, EDIT.EXE, EDLIN.EXE, FINGER.EXE, FTP.EXE, HTIMAGE.EXE, HYPERTRM.EXE, IMAGEMAP.EXE, IPCONFIG.EXE, ISSYNC.EXE, MSIEXEC.EXE, NBTSTAT.EXE, NET.EXE, NET1.EXE, NETSH.EXE, NETSTAT.EXE, NSLOOKUP.EXE, PING.EXE, POLEDIT.EXE, POSIX.EXE, QBASIC.EXE, QFECHECK.EXE, RCP.EXE, RDISK.EXE, REGEDIT.EXE, REGEDT32.EXE, REXEC.EXE, ROUTE.EXE, RSH.EXE, RUNAS.EXE, RUNONCE.EXE, SECFIXUP.EXE, SYSEDIT.EXE, SYSKEY.EXE, TELNET.EXE, TFTP.EXE, TRACERT.EXE, TSKILL.EXE, UNINST.EXE, WSCRIPT.EXE, XCOPY.EXE

Filesystem Security
• Remove all resource kits and SDKs
• Disable indexing of disks recursively
• Never allow the emergency console to boot from the hard drive
• Delete backup copies of the registry from %SystemRoot%\repair\
• Configure the Recycle Bin to immediately delete files
• Configure the system swap file to be deleted at shutdown
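The three Filesystem Security slides describe a permission model (strip 'everyone', descriptive groups, READ for web users, WRITE for web admins, IUSR/IWAM only via the groups) and a lockdown of dangerous executables. The following script is an added example of that model using icacls.exe; it is not code from the presentation or from Analysts International. The content root D:\Inetpub\wwwroot, the group names 'Web Users' and 'Web Admins', and the IUSR_/IWAM_ account naming are assumptions taken from the slides' wording; the tool subset in step 4 is a sample of the slide's list. It needs an elevated session on Vista/2008 or later (icacls and takeown ship there; on 2000/XP the same grants are made with cacls.exe or the Security tab).

```powershell
# Added example, not from the presentation: NTFS least privilege for an IIS content
# root plus "remove access to dangerous programs", using icacls.exe. Elevated session
# required. Paths and group names are assumptions (see lead-in).

$WebRoot  = 'D:\Inetpub\wwwroot'      # assumed content root on a separate volume
$Box      = $env:COMPUTERNAME
$ReadGrp  = 'Web Users'                # slide: READ access to IIS directories
$WriteGrp = 'Web Admins'               # slide: WRITE access to IIS directories

# 1. Create the descriptive local groups (errors such as "already exists" are ignored).
foreach ($Grp in $ReadGrp, $WriteGrp) {
    net localgroup "$Grp" /add 2>$null | Out-Null
}
# The IIS anonymous and out-of-process accounts get READ through the group, never directly.
net localgroup "$ReadGrp" "IUSR_$Box" /add 2>$null | Out-Null
net localgroup "$ReadGrp" "IWAM_$Box" /add 2>$null | Out-Null

# 2. Stop the drive-root "Everyone: Full Control" from flowing down: disable inheritance
#    (keeping copies of the inherited entries), then strip Everyone and Users recursively.
icacls $WebRoot /inheritance:d | Out-Null
icacls $WebRoot /remove:g Everyone Users /T /C | Out-Null

# 3. Least privilege. (OI)(CI) makes the entry inherit to files and subfolders created later.
#    /grant:r replaces any existing entry for that principal instead of adding to it.
icacls $WebRoot /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" /T /C | Out-Null
icacls $WebRoot /grant:r "${WriteGrp}:(OI)(CI)M"  /T /C | Out-Null
icacls $WebRoot /grant:r "${ReadGrp}:(OI)(CI)RX"  /T /C | Out-Null

# 4. "Delete or remove access to dangerous programs": rather than deleting system
#    binaries (which breaks patching), leave only Administrators and SYSTEM able to
#    run them. On Vista+ TrustedInstaller owns these files, so take ownership first.
$LockedTools = 'cmd.exe','cscript.exe','wscript.exe','ftp.exe','tftp.exe','telnet.exe',
               'net.exe','net1.exe','at.exe','regedit.exe','debug.exe','runas.exe'
foreach ($Tool in $LockedTools) {
    $Path = Join-Path $env:SystemRoot "System32\$Tool"
    if (Test-Path $Path) {
        takeown /F $Path /A | Out-Null                      # /A: give ownership to Administrators
        icacls $Path /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
    }
}

# 5. Verify rather than trust: show the resulting entries on the web root and on cmd.exe.
icacls $WebRoot
icacls (Join-Path $env:SystemRoot 'System32\cmd.exe')
```

Run step 5 before and after, and keep the "before" output; the slides' point about hfnetchk applies here too: a change you cannot list afterwards is a change you cannot prove took effect. Note that IIS worker processes on later Windows versions run as different identities (application pool identities rather than IWAM_), so the group membership in step 1 is where those accounts would be substituted.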
High-accountability logging
• Enable auditing of filesystem accesses
• Configure auditing to log all failed file accesses by the 'everyone' group
• Increase the size of the event log to 512 MB if possible
• Set Event Viewer to delete events that are N days old, where N matches your backup schedule
• Audit the use of privileges

Monitor suspicious log events
• Filter event logs for interesting events:
  – 529: Unknown Username or Bad Password
  – 537: Unsuccessful Logon
  – 530: Account Logon Time Restriction Violation
  – 531: Account Currently Disabled
  – 532: Account Has Expired
  – 533: User Not Allowed to Log On
  – 534: Logon Type Restricted
  – 535: Password Expired
  – 516: Some Audit Event Records Discarded
  – 517: Audit Log Cleared

More suspicious events
  – 624: User Account Created
  – 630: User Account Deleted
  – 627: Change Password Attempt
  – 636: Local Group Member Added
  – 632: Global Group Member Added
  – 642: User Account Changed
  – 643: Domain Policy Changed
  – 608: User Right Assigned
  – 609: User Right Removed
  – 612: Audit Policy Change
  – 610: New Trusted Domain
  – 611: Removing Trusted Domain

Network Adapter Settings
• Disable all bindings except TCP/IP
• Use IP filters to limit incoming traffic to only the required ports (80, 443, 25, etc.)
• Disable remote access to the registry
• Disable NetBIOS over TCP/IP
• Disable IP routing
• Do not make "dual-homed" hosts that connect insecure (external) networks to secure (internal) networks
• Harden the TCP/IP stack against DoS attacks

Disable Unnecessary Services
• Alerter
• ClipBook Server
• Computer Browser
• Distributed File System
• Distributed Link Tracking Server
• Distributed Link Tracking Client
• IPSEC Policy Agent (unless IPSEC is used)
• License Logging Service
• Logical Disk Manager Administrative Service (needed for software RAID)
• Messenger
• Net Logon

Disable Unnecessary Services
• Network DDE
• Network DDE DSDM
• Print Spooler
• Remote Registry Service
• Removable Storage
• Server service (needed for SMTP services)
• Task Scheduler
• TCP/IP NetBIOS Helper
• Telephony (needed for Terminal Server)
• Windows Installer
• Windows Time
• Workstation service (needed for some maintenance tasks)

Accounts and User IDs
• Configure password strength enforcement for users
• Rename the administrator account
• Create a bogus administrator account with no rights and log its use
• Rename and disable the guest account
• Remove the 'access this computer from the network' right from the administrator account and the 'everyone' group

Accounts and User IDs
• Remove the 'log on locally' right from all users and groups that don't need it
• Perform periodic password cracking to find bad passwords (including those of products that log in and run as services)
• Disable remote access to the registry
• Disable anonymous access to NetBIOS services (used for anonymously enumerating user IDs and other NetBIOS information across the network)

IIS Security
• Don't use FrontPage extensions
• Disable the HTML administration site
• Store web content on a separate drive
• Bind the web server process to specific IP addresses (not all available)
• Disable the WebDAV service
• Remove all unneeded ISAPI mappings, especially IDA/IDC (Indexing Service) and .printer (Internet Printing)

IIS Security
• Remove support for Internet Printing
  – Remove the /printers virtual directory
  – Delete files from %SystemRoot%\web\printers
  – Disable local or group policy options for "Web-Based Printing"
• Delete default and sample IIS files
  – \Inetpub\iissamples
  – \Inetpub\AdminScripts
  – \Program Files\Common Files\System\msadc\Samples
  – %SystemRoot%\help\iishelp
  – %SystemRoot%\System32\Inetsrv\iisadmpwd
  – %SystemRoot%\web\printers

IIS Security
• Use restrictive IIS permissions
  – On the "Home Directory" tab, disable Read, Write, and Directory browsing
  – Add specific rights as necessary
  – Make sure the Script Source Access IIS permission is not assigned to any folder
  – Use authentication on all folders with Write / Write-Execute access
  – If HTTP basic authentication is required, use SSL
  – If using NTLM authentication, require NTLM v2

IIS Security
• Protect global.asa files
  – NTFS permissions set for System, Administrators and Operators = Full Control
  – NTFS permissions set for Authors = Modify
  – NTFS permissions set to explicitly deny the IUSR_server and IWAM_server accounts
  – All failed accesses to global.asa are logged
• Protect the MetaBase.bin file
  – MetaBase.bin has Full Control for System and Administrators
  – MetaBase.bin has Modify for Operators
  – Audit all failed and successful NTFS access to MetaBase.bin
• Enable the maximum level of logging
• Set the UseHostName metabase value to hide the true IP address of the server

Intrusion Prevention / Detection
• Various products exist to detect, and sometimes stop, hack attacks
• One such product is Entercept
• These are usually installed on the host
• Software components intercept API calls to the operating system
• Can also filter HTTP web requests
• Provide reporting capabilities at the host and enterprise level
• Can be somewhat costly
• Like all IDS products, the value is in their configuration

Vulnerability Assessments
• Primarily a scripted process
• Takes a "hacker's point of view" of the network and attempts to find vulnerabilities in software (usually over TCP/IP)
• Is useful as a before-and-after check
• Is my preferred method of telling whether security changes "took" properly. You'd be surprised
• Vulnerability assessments need to be performed often, with updated tools!
• If possible, get expert help with vulnerability assessments: the tools can tell you a lot, but interpretation of the results is critical

Questions and Answers
Mark Lachniet mlachniet@analysts.com
Rob Dobson rdobson@analysts.com
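The two "Monitor suspicious log events" slides give a list of Security-log event IDs worth filtering for, and the IDS slide notes that the value of any detection is in its configuration. The script below is an added example of that filter, not code from the presentation or from Analysts International. It goes slightly beyond the slides: the IDs listed there are the NT4/2000/XP/2003 numbers, and on Vista/2008 and later most of the account-management events became legacy ID + 4096 (624 became 4720, 612 became 4719, and so on), all of the failed-logon reasons 529 to 537 were folded into 4625, and "audit log cleared" became 1102; both generations are recognised so the same table works on archived and current logs. Get-WinEvent (PowerShell 2.0 and later) and read access to the Security log are assumed; the sample records at the end are constructed, not real log data.

```powershell
# Added example, not from the presentation: flag the event IDs from the
# "Monitor suspicious log events" slides, in both the legacy and the Vista+ numbering.

$Legacy = @{   # NT4/2000/XP/2003 IDs exactly as listed on the slides
    529='Unknown username or bad password'; 537='Unsuccessful logon'
    530='Logon time restriction violation';  531='Account currently disabled'
    532='Account has expired';               533='User not allowed to log on'
    534='Logon type restricted';             535='Password expired'
    516='Some audit event records discarded';517='Audit log cleared'
    624='User account created';              630='User account deleted'
    627='Change password attempt';           636='Local group member added'
    632='Global group member added';         642='User account changed'
    643='Domain policy changed';             608='User right assigned'
    609='User right removed';                612='Audit policy change'
    610='New trusted domain';                611='Trusted domain removed'
}
$Modern = @{   # Vista/2008+ equivalents (most are legacy + 4096; logon failures merged into 4625)
    4625='Logon failure (any reason)';       4612='Audit records lost'
    1102='Audit log cleared';                4720='User account created'
    4726='User account deleted';             4723='Change password attempt'
    4732='Local group member added';         4728='Global group member added'
    4738='User account changed';             4739='Domain policy changed'
    4704='User right assigned';              4705='User right removed'
    4719='Audit policy change';              4706='New trusted domain'
    4707='Trusted domain removed'
}
$Suspicious = $Legacy + $Modern   # keys do not overlap, so hashtable addition is safe

# Core filter: works on anything with Id, TimeCreated and Message properties, so the
# same logic runs on Get-WinEvent output and on the constructed sample below.
function Find-SuspiciousEvents {
    param([Parameter(ValueFromPipeline=$true)] $Event)
    process {
        $Id = [int]$Event.Id
        if ($Suspicious.ContainsKey($Id)) {
            [pscustomobject]@{
                Time    = $Event.TimeCreated
                Id      = $Id
                Meaning = $Suspicious[$Id]
                Detail  = ($Event.Message -split "`n")[0].Trim()   # first line of the message
            }
        }
    }
}

# Live query for the last N hours. Only the Vista+ IDs are pushed into the server-side
# filter (keeps the generated XPath short); the legacy IDs still match if an archived
# log is read with Get-WinEvent -Path and piped through Find-SuspiciousEvents.
function Get-SuspiciousSecurityEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = @($Modern.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Find-SuspiciousEvents
}

# Offline demo with constructed records (not real log data): routine success (4624)
# should pass through untouched; the other four should be flagged.
$Sample = @(
    [pscustomobject]@{ Id=4624; TimeCreated=(Get-Date); Message='An account was successfully logged on.' }
    [pscustomobject]@{ Id=4625; TimeCreated=(Get-Date); Message="An account failed to log on.`nAccount Name: webadmin" }
    [pscustomobject]@{ Id=529;  TimeCreated=(Get-Date); Message='Logon Failure: Unknown user name or bad password' }
    [pscustomobject]@{ Id=4720; TimeCreated=(Get-Date); Message="A user account was created.`nNew Account Name: support2" }
    [pscustomobject]@{ Id=1102; TimeCreated=(Get-Date); Message='The audit log was cleared.' }
)
$Sample | Find-SuspiciousEvents | Format-Table -AutoSize
```

The slide's IDs 516/517 (and 4612/1102) deserve special treatment in practice: a cleared or overflowing audit log is itself the event to alert on, since it is what an intruder leaves behind when covering tracks, and it pairs naturally with the "512 MB event log" and retention advice on the High-accountability logging slide. Scheduling Get-SuspiciousSecurityEvents and shipping its output off the host is the cheapest form of the "monitoring and log analysis" the Risks slide calls for.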