[344] in Best-of-Security
BoS: NT SECURITY
daemon@ATHENA.MIT.EDU (Con Zymaris)
Tue Sep 9 20:07:46 1997
From: Con Zymaris <conz@cyber.com.au>
Date: Fri, 5 Sep 1997 14:01:07 +1100 ()
Old-X-Originally-To: To: unix@cyber.com.au
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
NT SECURITY
Don't get hammered
Hackers are uncovering, exploiting, and publicizing security flaws in NT servers
By Al Berg
As the Internet becomes more populated with Microsoft Windows NT-based servers, hackers--not
surprisingly--are keeping pace by uncovering and exploiting security flaws in the company's flagship product.
Just a year ago, the hacking community was ignoring NT boxes, preferring to break into the more familiar and
more widely deployed Unix systems. Recently, however, NT system administrators have had a rude awakening
as hackers have turned their attentions to publicizing NT's security flaws. While keeping your systems secure may
seem like a running battle with attackers, staying informed, monitoring your systems, and applying the latest
patches and fixes will lock down vulnerabilities.
The most important step administrators can take to secure their systems is also the simplest: staying current.
Windows NT Server 4.0 is more secure than its predecessors. Once you've made the jump to the latest version
of the NOS, your work has just begun.
Staying current with Microsoft's Service Packs and Hot Fixes is key to keeping up with the hackers. Service
Packs are major updates to the NOS and may contain literally hundreds of fixes for bugs. Hot Fixes are patches
that are quickly written and issued by Microsoft and are intended to address and repair new problems before the
next Service Pack is released.
The downside of quickly issuing these Hot Fixes is twofold: First, some of the recent Hot Fixes have not
completely resolved the problems they were meant to address and have had to be re-released. Second, Hot
Fixes are not "system tested" and may have unwanted and unanticipated interactions with other system
components. For this reason, many Hot Fixes are released with disclaimers advising system administrators not to
install them unless they are having the specific problems which they address.
Microsoft announces security issues and the related Service Packs and Hot Fixes on its World Wide Web site at
http://www.microsoft.com/security.
Lock the front door
Having an up-to-date and patched system is a start, but it won't be very effective unless the network is behind a
firewall. Firewalls provide a first line of defense against hackers, allowing network configurations to be sheltered
from the outside world and controlling the types of traffic flowing in and out.
On NT systems, the firewall should be configured to prevent outside users from making connections on TCP/IP
ports not needed for the applications you are offering to the world. User Datagram Protocol (UDP) ports 137,
138, and 139 allow access to NT servers through NetBIOS over TCP/IP, and should be blocked at the router,
the firewall, or both to stop attackers.
The key to deciding which IP ports to allow in to the network lies in clearly defining the roles that NT servers are
to play for outside users. Then you'll want to configure those servers to play only those roles.
For example, a system that is intended to serve only as a Web server for the outside world should have
nonessential services such as Domain Naming Service (DNS), ftp (File Transfer Protocol), Windows Internet
Name Service (WINS), and Dynamic Host Configuration Protocol (DHCP) disabled. You can disable services
through the Services icon on the Control Panel.
When setting up the servers, disk partitions should be created as NT File System (NTFS) rather than FAT (file
allocation table) partitions. NTFS offers the capability of placing security restrictions on files and directories so
that access to sensitive information can be controlled. If your server has both NTFS and FAT partitions, place all
system and other sensitive files on the NTFS side. Once NTFS partitions are set up, you'll want to exploit
NTFS's capability of restricting access to files or directories so that users are provided only the access they need
to do their jobs.
Another important precaution is to use strong passwords--and force users to change them often. Hackers have
done a lot of research on Windows NT's password cryptography.
At the recent DefCon hacker convention in Las Vegas, "Mudge" and "Hobbit," two hackers from The L0PHT,
advised administrators to use passwords of seven characters to make life more difficult for hackers, and most
experts are in agreement on this recommendation.
Also make sure your users avoid passwords that appear in the dictionary to prevent the surprisingly effective
dictionary attack, in which attackers simply try all of the words in a large text file. Microsoft's password filter
DLL (dynamic link library), described in Knowledge Base article Q151082, forces users to choose fairly strong
passwords.
NT's auditing facility, accessible from User Manager under Policies/Audit, records system events to the
audit logs. Review those logs daily so that you will quickly detect any suspicious activity.
Another precaution is to remove or disable the GUEST account from NT servers and require that each outside
user enter a username and password so that you can audit their activities on your systems. If you run public
services such as Web or ftp servers on your NT server, anonymous connections will be mapped to a special
account called IUSR_servername. Be sure to review and restrict the rights granted to this account to the absolute
minimum required for the servers to work.
Target: Administrator
An attacker's ultimate target is the server's Administrator password. Like the root account on Unix systems,
getting Administrator access gives an attacker free rein and total control of the system. There are steps you can
take to make it more difficult to crack this key account:
First, create a new account with a nonobvious name and assign all Administrator privileges to it. Don't delete the
default Administrator account, just remove all its privileges. This way, attackers will waste their time breaking into
the false account.
Next, keep membership in the Administrators group severely limited and check it regularly. If a new account
name appears, you'll know you've got problems.
Third, don't allow administrators to access sensitive computers, especially domain controllers, over the network.
This right can be removed through the User Manager program.
Finally, use the PASSPROP.EXE program to turn on the intruder-lockout feature on the Administrator
account, which will prevent an attacker from trying many different passwords in what's called a brute force hack.
Another precaution for securing the NT server is to secure the system console. While Internet attackers get all of
the publicity, most of the really dangerous password-grabbing hacks out there today depend on the attacker
getting physical access to the system console. Because most attacks originate inside the targeted organization,
keeping the server in a securely locked room with a password-protected screen saver is an effective way of
thwarting some of the most dangerous attacks.
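The hardening points above (NetBIOS ports, nonessential services, NTFS volumes, the Guest and Administrator accounts, Administrators group membership, lockout and auditing) collected into one read-only check. This is an added example, not code from the article or from Microsoft; it assumes a current Windows host with PowerShell 5.1 or later (NT 4.0 has no PowerShell) and the service names DNS, WINS, DHCPServer and ftpsvc.

```powershell
# Added example: read-only audit of the NT-era hardening checklist on a modern Windows host.
# Run from an elevated prompt; it changes nothing, it only reports findings.
$findings = New-Object System.Collections.Generic.List[string]

# 1. NetBIOS over TCP/IP: name service UDP 137, datagram UDP 138, session service TCP 139.
#    None of these should be reachable from outside; here we only report what is listening.
$nb = @(Get-NetTCPConnection -State Listen -LocalPort 139 -ErrorAction SilentlyContinue) +
      @(Get-NetUDPEndpoint -LocalPort 137,138 -ErrorAction SilentlyContinue)
if ($nb.Count -gt 0) {
    $findings.Add("NetBIOS ports listening: " + (($nb.LocalPort | Sort-Object -Unique) -join ','))
}

# 2. Services a dedicated web server does not need (assumed service names).
foreach ($svc in 'DNS','WINS','DHCPServer','ftpsvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -eq 'Running') { $findings.Add("Nonessential service running: $svc") }
}

# 3. FAT volumes carry no file ACLs; sensitive data belongs on NTFS.
Get-Volume | Where-Object { $_.DriveLetter -match '[A-Z]' -and $_.FileSystem -like 'FAT*' } |
    ForEach-Object { $findings.Add("Non-NTFS volume: $($_.DriveLetter):") }

# 4. Guest (RID 501) should be disabled; the built-in Administrator (RID 500) should not
#    still carry its default name. Match on the SID, since renaming is exactly the point.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
if ($guest.Enabled) { $findings.Add("Guest account is enabled") }
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtinAdmin.Name -eq 'Administrator') { $findings.Add("Built-in Administrator not renamed") }

# 5. Administrators group membership: keep it small and review the list regularly.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
$findings.Add("Administrators group has $($admins.Count) member(s): " + ($admins.Name -join ', '))

# 6. Lockout threshold (what PASSPROP.EXE set on NT 4.0) and logon auditing.
$lockout = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
if ($lockout -match 'Never') { $findings.Add("Account lockout is disabled") }
$logon = auditpol /get /subcategory:'Logon' 2>$null
if ($logon -match 'No Auditing') { $findings.Add("Logon events are not audited") }

if ($findings.Count -eq 0) { Write-Output "No findings." }
$findings | ForEach-Object { Write-Output "FINDING: $_" }
```

The `net accounts` and `auditpol` checks match English output text; adjust the patterns on localized systems.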
One of the best resources for staying abreast of NT security issues is the Internet itself.
The Windows NT Security Mailing List (NTSEC), for example, provides a forum for the discussion of security
practices and problems. Many flaws are exposed and discussed here weeks before reports appear in the trade
press. You can subscribe to NTSEC by sending an E-mail to request-ntsecurity@iss.net with the text "subscribe
ntsecurity" in the body of the message.
NTSecurity.Net (http://www.ntsecurity.net) provides information ranging from security discussions to FAQ
(frequently asked question) lists and tips.
The Nomad Mobile Research Center (http://www.nmrc.org) is the home of the Unofficial NT Hack FAQ, which
contains a wealth of information on how NT systems can be compromised, as well as how systems administrators
can protect their systems.
The L0PHT is a Boston-based group of hackers who spend quite a bit of time poking and prodding NT to find
security problems. Visit their site at http://www.l0pht.com.
And of course, check in with Microsoft at http://www.microsoft.com/security for its latest responses, patches,
and fixes.
As you lock down the vulnerabilities in your systems, you can be sure hackers are finding new ones. Systems
administrators who budget their time to stay informed, monitor their systems, and apply new patches and fixes
can stay one step ahead.
Contributing Editor Al Berg is a CNE and director/strategic technologies at NETLAN Inc., a networking
and integration company in New York. He can be contacted by fax at (415) 513-6819 or at
al_berg@netlan.com.
___________________________________________________________________________
Con Zymaris conz@cyber.com.au Web: www.cyber.com.au
Cybersource Pty Ltd: Windows/Unix Integration and TCP/IP
Network Management
+61 3 9642 5997 Fax:+61 3 9642 5998, 8/140 Queen Street,
Melbourne, Australia