[10209] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Possible security hole

daemon@ATHENA.MIT.EDU (M. Adam Kendall)
Wed Apr 14 14:03:43 1999

Date: 	Tue, 13 Apr 1999 13:41:35 -0400
Reply-To: "M. Adam Kendall" <makendal@NSCORP.COM>
From: "M. Adam Kendall" <makendal@NSCORP.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <37133B73.182FF65B@ac.salcom.se>

This is a multi-part message in MIME format.

------=_NextPart_000_0005_01BE85B3.594532E0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

>During this time the machine is very slow but I succeeded to do
>something "bad" on this time since I mapped the c: which is shared by
>default on NT.
>So what do we learn?
>1) Don't run FW-1 on NT.
>2) If you do it anyway, be very careful with the configuration and strip
>it from every service not needed!!!!!!

This brings up a very good point.  But, this is not really a problem with
NT, but is a problem with not locking down the operating system that
serves as your base for the product.

In the *nix world, you would be able to contact any service that is running,
etc. In the NT world, you have to make sure you are not running services in
the Network Control Panel that aren't needed.  One of which is the "Server"
service which exports the administrative shares (\\MYSERVER\C$).

Attached is a HTML file I wrote that should help solve this problem
for the NT side of the house.  This is a very rough document so YMMV.


Regards,
Adam
--
M. Adam Kendall         Senior Developer
PH:  540-855-6289       Customer Integration Services
FAX: 540-855-6404       Norfolk Southern Corporation
makendal@nscorp.com     http://www.nscorp.com

------=_NextPart_000_0005_01BE85B3.594532E0
Content-Type: text/html;
	name="NT-bugtraq.html"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="NT-bugtraq.html"

<HTML>
<HEAD>
<TITLE>Securing WindowsNT 4.0 Server</TITLE>
</HEAD>
<BODY BGCOLOR=3DWHITE TEXT=3DBLACK>
<CENTER><H3>Securing WindowsNT 4.0 Server from Internet =
Attack</H3></CENTER>
<HR>
This document describes ways to secure a WindowsNT 4.0 Server, hopefully =
making it less prone to attack from malicious users on the Internet.  =
These steps could also be applied to a WindowsNT 4.0 Workstation, =
Terminal Server, Enterprise Server, etc.
<HR>
<DL>
<LI><B>Install WindowsNT 4.0</B>
<DD>Install WindowsNT as you would normally, making sure that you select =
NTFS for your partitions.  This provides added security over FAT, so we =
will want enable this on our target installation partition.
<LI><B>Apply newest Service Pack and HotFixes</B>
<DD>The first thing that needs done after a fresh install of WindowsNT =
is to insall the latest Service Pack (preferably 128Bit) and any added =
HotFixes that have been released after the Service Pack (particularly =
ones pertaining to TCP/IP)
<LI><B>Rename Administrator</B>
<DD>Rename the Administrator account to something that isn't obvious.  =
Don't name administrator the same thing as the machine name, or one of =
the services that the machine provides.  In other words, if this is a =
firewall, don't name the Admin account FWAdmin.
<LI><B>Rename and disable Guest</B>
<DD>We really don't need a Guest account in the first place on a secure =
machine, but Microsoft decided that we aren't allowed to remove the =
account, so rename it to something else and disable all it's rights.  =
This name should be something fairly obscure, consisting of numbers and =
letters preferably.
<LI><B>The Network Control Panel</B>
	<DL>
	<LI>Change the WorkGroup
	<DD>As a secure machine, we shouldn't be participating in any workgroup =
or NT Domain communication, so make the server part of a workgroup, not =
a domain, and make the workgroup name fairly obscure.  I usually use the =
workgroup name of NONE.
	<LI>Name the machine
	<DD>Ideally, the name of the machine should be something totally =
unrelated to the function it performs.  Obvious bad choices for a =
firewall machine would be, FW, FW1, FIREWALL, FWALL, etc.  There are =
ways to "describe" what the machine does using the machine name without =
making it to obvious.
	<LI>Delete the Services
	<DD>Go to the Services tab.  See all those nice services?  Remove them. =
 All of them.  That's right, we really don't need any of these services =
to have a functional machine. <I>NOTE: If this machine has a newer 3Com =
NIC, there may be a 3Com specific service, this service should remain if =
this is the case.</I>
	<LI>Protocols
	<DD>Go to the Protocols tab in the Network control panel.  All we need =
here is TCP/IP and that's it.  No IPX, no NetBIOS, no NetBEUI, just =
TCP/IP. You will want to go over the TCP/IP Configuration as well, so =
click on TCP/IP and click on Properties.
		<DL>
		<LI><I>IP ADDRESS Tab</I>
		<DD>Specify the IP Address, Subnet Mask and Default Gateway
		<LI><I>DNS Tab</I>
		<DD>Specify the hostname (Same as machine name), the default domain, =
DNS servers, the the domain under Domain Suffix Search Order
		<LI><I>WINS Address Tab</I>
		<DD>Do NOT specify any WINS Servers, do NOT check DNS for Windows =
Resolution, do NOT check LMHOSTS lookup
		</DL>
	<LI>Adapters
	<DD>Make sure you have at least one NIC card listed in the Adapters tab =
in the Network control panel.  Usually, there should only be one listed, =
unless you know that there are two cards in the system.
	<LI>One final note...</LI>
	<DD>The next time you try to go into the Network control panel, =
WindowsNT will tell you that Networking has not been installed.  It then =
asks if you want to install Networking now.  Click on NO.  Networking =
actually is installed, it just thinks it isn't because we removed the =
Server service.  After clicking NO, it should allow you to go into the =
Network control panel normally.
	</DL>
</DL>
<hr>
This should provide the basis for a secure system ready to put on the =
Internet.  You should probably run some tests on the machine to make =
sure everything is working properly, like login as the renamed =
Administrator account, portscan the machine to see what any hacker can =
see, and check the box for vulnerabilities such as PING attacks, LAND =
attacks, and OOB attacks.  If the box seems stable after these quick =
checks, congratulations, we have a more secure machine.  This does not =
guarantee that a hacker can't do something with this machine, but all =
these measures should inhibit or deter the hacker from trying to break =
the machine.

------=_NextPart_000_0005_01BE85B3.594532E0--

home help back first fref pref prev next nref lref last post