Dominique Brezinski

advertisement
Securing New Technology
Dominique Brezinski
Introduction
We all have a few questions about
Windows NT security:
• Is it really secure
• Should we be deploying Internet
connected Windows NT systems
• What are the current vulnerabilities in NT
Summary of Course
• Security vulnerabilities in the NT
architecture and implementation
• Methods for addressing the existing
and future security vulnerabilities
• Techniques and tools for assessing
security posture
Who is in Attendance?
•
•
•
•
Security Auditors?
System Administrators?
Developers?
Others?
Agenda
• Some specifics of the NT security
architecture
• Failings from a security perspective
• Securing your NT systems
• Assessing your security practices
NT security Architecture
•
•
•
•
Console Logon Process
Network Logon Process
Object Access
Impersonation
Console Logon Process
• Interact with the GINA to give credentials
• GINA is the extensible part of WinLogon
• WinLogon talks to Authentication
Packages through LSA (Local Security
Authority) using LogonUser()
• Current Authentication Package is
MSV1_0 (NT LM Security Provider)
• Authentication Package returns security
token if credentials are correct
Network Logon Process
• Make connection to Server Service (SMB)
• Server Service generates a MSV1_0
compatible challenge and sends it to the
client (in a SMB_COM_NEGPROT
message)
• Client responds by encrypting the
challenge, using the password as the
encryption key, and sending it back to the
server
Network Logon Process Cont.
• Server Service passes the client’s
response and the original challenge to
MSV1_0 by calling
LsaCallAuthenticationPackage() with the
message type MsV1_0Lm20Logon
• The LsaCallAuthenticationPackage()
returns a security token to the Server
service if everything is successful
Object Access
• Each object has a DACL (Discretionary
Access Control List)
• Each Process has a security token (from
logon process) attached which contains
the identity and privileges of the user
context it is executing under
• When a process attempts to access an
object, the Security Reference Monitor in
the kernel checks to see if the identity or
privileges in the token match an ACL entry
Impersonation
• Process obtains a security token for the
user to be impersonated through the
LogonUser() function or a direct call to a
authentication package with
LsaCallAuthenticationPackage()
• The process can use this token to
temporarily change the user context of a
thread to execute as the user
(impersonate)
Vulnerabilities and Exploits
Exploits
•
•
•
•
Anonymous connections
Network Authentication attacks
Buffer overflows in privileged services
Trojan horses and other file permission
abuses
• Privilege escalation through architectural
deficiencies
Anonymous Connections
• Created by using null credentials - net use
\\target\IPC$ ““ /user:””
• Prior to SP3 could remotely access the
Registry on workstations and some
servers
• Can enumerate users, groups, and get
SIDs
• Possibly other unknown ramifications
Network Authentication Attacks
• Man in the middle attack on authentication
sequence to gain remote access as
arbitrary user (fixed in SP3 if message
signing is used)
• Password hash grabbing attacks using a
known challenge (not fixed in SP3) or
brute-force
• Protocol downgrade attacks to obtain
plaintext password (fixed in SP3 by
default)
Buffer Overflows
• They can happen in NT
• WebSite 1.0 had a couple nifty CGI
programs that could be overflowed
• The egg (shell code) has been written and
published, so the hard work has been
done.
• Services running as SYSTEM or
Administrator are the primary targets
Trojan Horses and File
Permissions
• Targets: files (.exe, .dll, .reg) that will get
executed by a privileged user Administrator or System
• Extensible portions of the security system
are key easy targets - Notification
Packages, Password Filters, and GINAs all
run under the System context
• FPNWCLNT.DLL is a great example:
default Registry entry, but the DLL does
not exist on NT 4.0 Workstations.
File Permissions Cont.
• Group Everyone has write permission to
%SystemRoot%\system32 by default, so
therefore any local user can add a
notification package Trojan called
FPNWCLNT.DLL that will get called in the
System context.
• Group Everyone has FULL CONTROL of
%SystemRoot% by default, so even files
like poledit.exe and explorer.exe which are
(RX) can be changed by anyone.
Privilege Escalation
• On July 4, GetAdmin was released on
Usenet.
• GetAdmin gains privilege to attach to
another process (SeDebugPrivilege)
through a broken kernel API and then
creates a thread in the Winlogon process
that executes code in GASYS.DLL which
adds an arbitrary user to the
Administrator’s group. Very naughty ;)
Securing it
Reduce Services
• Only services that are needed should be
running - everything else should be
disabled.
• NT needs the following services to be
started to function correctly: EventLog,
Plug and Play, and Remote Procedure Call
Service (TCP port 135 will be listening).
• Experiment - start with the above services
and only add as needed.
File Permissions
• Don’t give the Everyone group FULL
CONTROL of anything
• Check “Guidelines for securing Windows
NT-based networks and systems” on
www.microsoft.com
• %SystemRoot% and
%SystemRoot%\system32 can be (RX) for
non admin users
• Removal of execute permission on all
executables not needed is a good thing
Registry Permissions
• Make sure
HKLM\SYSTEM\CurrentControlSet\Control
\SecurePipesServers\Winreg exists and
only Administrators have permission to it
• Again, check “Guidelines for securing
Windows NT-based networks and
systems” on www.microsoft.com
• Use David LeBlanc’s suggestions in the
NT Security FAQ
General
• Use a password filter to enforce strong
passwords (PASSFILT.DLL from SP2 or
write your own)
• Use passprop.exe from the Resource Kit
to enable account lockout on
Administrator
• Disable Network Logons for administrator
equivalent accounts
• Turn on auditing for security events
Specific Fixes for Exploits
• Install SP3 and set the
RestrictAnonymous registry value
• Change the DACL of NTOSKRNL.EXE to
System and Administrator FULL
CONTROL and Everyone EXECUTE (temp
hack to fix GetAdmin - not long term)
• Remove FPNWCLNT from
HKLM\SYSTEM\CurrentControlSet\Control
\Lsa\”Notification Packages”
• Use message signing NT to NT
More Fixes
• Use the TCP/IP Advanced Security
options to block all TCP and UDP
ports not being used - specifically
TCP 135 if not using remote RPC
• Disable the WINS TCP/IP binding
under the protocol tab and the Server
service if the machine is a single
purpose server - WWW, FTP
Assessing Your Security
Tools
•
•
•
•
•
Your security policy
ISS 4.31 for NT
Ballista
Kane Security Analyst
NAT without #define SCANNER (see
*hobbit’s presentation)
• A good TCP and UDP port scanner
• The Resource Kit(s)
• Homebrew (C, TCL, Perl, etc.)
More Tools
•
•
•
•
•
DumpAcl
Cacls
Regedt32
Poledit
Caffiene
Port Scanning
• Do a full TCP and UDP port scan
• Take note of all listening ports and
reference them against what you
would expect for the services the
machine is suppose to be running
• Common listening ports are TCP 135,
137, 138, 139, and several ephemeral
ports and UDP 135,137,138, and 139
Service Checks
• Tools like ISS, Ballista, and NAT are very
helpful
• Remember port 139 is used by many
services: file sharing and services using
RPC over named pipes
• Check for all known bugs
• Look for unknown or excessive services
• See what information can be obtained
through SNMP, netstat, RPC end-point
mapper, and remote Registry access
File Permission Checks
• Print out list of all users and groups
• Use a tool like DumpAcl or Cacls to print
out a list of all file and directory
permissions
• Use your security policy as the basis for
ACL checks
• Look for situation like directories with
FULL CONTROL granted to a group that
should not have access to some files
within the directory
Registry Permission Checks
• Use Regedt32 or DumpAcl to list ACLs for
HKEY_LOCAL_MACHINE and
HKEY_CLASSES_ROOT
• Again, use your security policy as a basis
for your checks
• Look for situations where users can read
or write sensitive keys and values
• The SNMP community name and
AutoLogon password are viewable by
everyone by default
Known Vulnerability Checks
• Check for all know vulnerabilities
• Look for potentially exploitable conditions
like the ability to overwrite executables
and dynamic link libraries
• Check for Registry keys and values
writeable by non-administrators - there are
several places by default that everyone
can change which can lead to Trojan
horses (.reg associations)
Policy Enforcement
• Is auditing enabled?
• Are password length and lifetime
checks enabled?
• Do users belong to the correct
groups?
• Kane Security Analyst is a good tool
for this stuff
Summary
• We have covered the basics of how
NT security operates, what some
major problems are, strategies to
tighten up security, and some
methods for checking your risks
• Experiment with this knowledge - use
it as a starting point and take
tangents
Where to get more information
• http://www.microsoft.com/workshop/prog/
security/guidesecnt.htm
• http://www.ntsecurity.net
• mailing list at ntsecurity@iss.net
• mailing list at ntbugtraq@rc.on.ca
• mailing list at bugtraq@netspace.org
• dominique.brezinski@cybersafe.com
Download