Sabin, Todd (Lsadump2 program), 178
SAC (System Access Control) permissions, 126
SAD (Security Association Database), 300
Safari browser, 350
salted hashes, 150
SAM hive, registry, 229
SAM password database, 150, 161
SAM (Security Accounts Manager), 80, 278
Samba protocol, 158
SANS Handler's Diary article about malware, 19
SAP Agent Service, 286
SAs (security associations), IPSec, 300
Saved Queries OU, 520
SC tool, 265–267
Sc.exe program, 256
.scf files, 201, 248
SChannel Authentication protocol, 85
scheduled tasks
  malware using, 31
  security options for, 504
scheduling priority, allowing increase of, 500
Schema Admins group, 74, 85, 111
Schema Master, FSMO role, 523
ScoopLM program, 168
scope of groups, 96
.scp files, 201
.scr files, 201
Scrap Shell (.shs) files, 191, 201, 248
screen saver files, 201
script kiddies, 10–11
scripting, IE settings for, 374, 377
scripts
  for computers, startup and shutdown, 490
  embedded in Word, malware in, 21
  embedded using XSS, malware in, 21
  file vulnerabilities in, 200, 201, 202, 248
  for users, logon and logoff, 490
.sct files, 202, 249
Search service, Microsoft, 274
Secondary Logon service, 278
Secret Service report on insider attacks, 17
Secunia web site, 9
secure channel, 115
Security Accounts Manager (SAM), 80, 278
Security Association Database (SAD), 300
security associations (SAs), IPSec, 300
Security Center service, 278
Security certificate files, 195
Security Configuration Wizard, 289–290
security groups, 96
Security hive, registry, 229
Security Identifier. See SID
security log
  allowing generation of, 500
  managing, 501
Security Parameters Index (SPI), IPSec, 300
security policy database, IPSec, 299
security principal
  authentication of, 80
  delegation for, 92–94
  GUID for, 82–83
  identification of, 80
  impersonation of, 90–92
  security token for, 88
  SID for
    definition of, 83–84
    multiple, 88, 130
security reference monitor, 81
security settings, group policy
  account policies
    account lockout policy, 493
    Kerberos policy, 494
    password policy, 492–493
  event log settings, 511
  file system settings, 513–514
  IPSec policies, 514
  local policies
    audit policy, 494–496
    security options, 502–511
    user rights assignment, 496–502
  registry settings, 513
  restricted group settings, 512
  software restriction policies (SRPs), 514
  system services settings, 513
Security templates, group policy settings in, 481, 485, 527–528, 538–539
security token, 88, 117–119, 126
security-by-obscurity, 54
Self group, 85, 111
sender confirmation, anti-spam software using, 408
sender domain verification, anti-spam software using, 408
Sender ID Framework (SIDF), 409
Sender Policy Framework (SPF), 408–409
Server Message Block (SMB) protocol
  attack tools for, 168–169
  definition of, 158–159
Server Operators group, 74, 86, 111
Server service, 278
server software, running on non-default ports, 75–76
Server-Side Includes (SSI), for IIS, 448, 449
service accounts, password attacks on, 177–179
Service group, 85, 111
service principal name (SPN), 92
services
  accounts for, 260–263, 292–293
  allowing logons as, 500–501
  controlling with SC tool, 265–267
  default, list of, 268–283
  definition of, 254–255
  denying logons as, 499
  dependencies for, 264–265
  executable and path for, 257–258
  failures of, recovery from, 263–264
  identifying, 255–256
  installed by default, 255
  multiple, with one name, 258–259
  nondefault, list of, 283–288
  permissions for, 261, 290–293, 332
  RPC (Remote Procedure Call) service, 253, 267, 277
  running on non-default ports, 6–7, 75–76
  securing
    account for, 292–293
    disabling or removing services, 290
    guides for, 289
    in high-security environment, 288
    in normal security environment, 288–289
    permissions for, 290–292
    reasons for, 253–254
    recommendations for specific services, 268–283, 289
    Security Configuration Wizard for, 289–290
    updating patches for, 293–294
  Startup type for, 259–260
  unsigned, 256
  viewing in Services console
    Dependencies tab, 264–265
    General tab, 257–260
    LogOn tab, 260–263
    Recovery tab, 263–264
Services console
  definition of, 256–257
  Dependencies tab, 264–265
  General tab, 257–260
  LogOn tab, 260–263
  Recovery tab, 263–264
Services.msc program, 256
session key, security options for, 505
Set Value permission, registry keys, 241
share password attacks, 169
Share Password Checker, 169
Share permissions
  contributing to effective permissions, 130, 131
  default settings for, 132–135
  definition of, 119–122
shares
  creating, 121
  hidden shares, 121–122
.shb files, 201, 248
Shdocvw.dll file, 352
Shell Command files, 199
Shell Command files, Microsoft, 199
Shell Hardware Detection service, 278
Shell scrap objects, 201, 248
Shockwave Flash objects, 201, 249
shortcut links, 199
.shs (Scrap Shell) files, 191, 201, 248
.shtml files, 197
shutdown scripts, 490
shutdowns
  allowing, 502
  security options for, 503, 510
SID (Security Identifier)
  anonymous enumeration of, 6, 75
  definition of, 83–84
  enumeration of, 75, 89
  filtering of, 90
  list of, 84–86
  multiple, for one security principal, 88, 130
  RID value of, 84
  in security token, 117
  Top-Level Authority value of, 83–84
  viewing tools for, 87–89
SIDF (Sender ID Framework), 409
SIDHistory field, 89–90
Sid2user.exe program, 87, 89
Simple File Sharing, 131
Simple Mail Transfer Protocol (SMTP) service, 286, 446
Simple TCP/IP Services, 286
Single Instance Storage Groveler Service, 286
Site Replication service, Microsoft Exchange, 285
Site Server Authority, 86
sites, in Active Directory, 524
SKEME protocol, 300
Skrenta, Richard (Elk Cloner virus), 12
Slammer SQL worm, 75
.slk files, 201, 248
Smart Card Helper service, 278
Smart Card service, 278
smart cards, security options for, 506
SmartSearch adware, 47
SMB Auditing Tool, 169
SMB Downgrade Attacker, 169
SMB (Server Message Block) protocol
  attack tools for, 168–169
  definition of, 158–159
SMBGrind program, 168
SMBRelay program, 168
SMTP (Simple Mail Transfer Protocol) service, 286, 446
snews URI handler, 249
sniffing attacks, 16–17, 168–171
SNMP and SNMP Trap Services, 286
social engineering, 18
sockets, setting permissions based on, 126
software. See also executable files
  defending against attacks of, 56
  installation of, by users, 59
  installing to non-default folders, 76
  malicious, from browser downloads, 363
  misconfigurations of, 9, 16
  patching of, as sign of attack, 10
  permissions for, 135
  popularity of, attracting hackers, 52–53
  preventing installation of, 331–332
  preventing unauthorized execution of, 329–336
  removing, 330
  researching vulnerabilities of, 9
  unauthorized execution of, 8, 54
  unregistering, 332–334
  unused, dangers from, 217
  updating patches for, 225
Software hive, registry, 229
software publishing, 488–490
software restriction policies (SRPs)
  benefits of, 326
  compared to NTFS permissions, 344
  definition of, 221, 325, 336
  deny-by-default software execution policy, 325–326
  developing, 327–329
  disadvantages of, 327
  exception rules for, 222–224, 340–344
  group policy, 514
  management console for, 221, 337
  planning, 222, 337–340
  security levels in, 344–346
  third-party applications for, 224, 346
  when to use, 327
Software settings, group policy, 488–490
spam. See also anti-spam software; malware
  definition of, 18–19
  methods used by spammers, 394–396
  motivation of spammers, 393–394
spam bots, 5, 395, 409, 419
spawners (companion viruses), 12
spearfishing, 396
Special Administration Console Helper service, 279
Special permissions
  for GPOs, 534
  guidelines for, 136
  list of, 124–126
SPF (Sender Policy Framework), 408–409
SPI (Security Parameters Index), IPSec, 300
.spl files, 201, 249
SPN (service principal name), 92
spoofing
  ARP spoofer, 168
  IE 7 features defending against, 348
  URL spoofing, 354–357
spyware. See also malware
  anti-spyware software, 70
  definition of, 18–19
  prevalence of, 6
Spyware Eblaster trojan, 38
SQL Auditing Tool, 165
SQL Server, 6, 165
SQLAgent$ Service, 286
Sqlbf-all program, 165
SQL.Slammer worm, 5, 14
SRPs. See software restriction policies
SSDP Discovery Service, 279
SSI (Server-Side Includes), for IIS, 448, 449
SSL Client-Side Mapping, IIS, 430–431
SSL, IE settings for, 383
Stanton, Anne (The Complete Patch Management Book), 64
StartPage.I trojan, 45
StartPage.O trojan, 43
startup scripts, 490
.stl files, 201
.stm files, 196, 248
streaming audio/video files, 194, 247
Streams (Sysinternals), 216
strong passwords, 146
subtrees (hives), in registry, 228–229
Support_<number> account, 101
.swf files, 201, 249
Symantec
  botnets tracked by, 13
  Internet Security Threat Report, 19, 394
Synchronize permission, 125, 126
.sys files, 201
Syskey utility
  for EFS, 477
  protecting password hashes, 150–152
System Access Control (SAC) permissions, 126
System account, 101–102, 261
System Attendant service, Microsoft Exchange, 285
system cryptography, security options for, 510
System Event Notification service, 279
System folder, 28
System hive, registry, 229
System Management Server, 64
system objects, security options for, 503, 511
system performance, profiling, 501
System Restore feature, 30
System Restore Service, 279
system services settings, group policy, 513
system settings, security options for, 511
system time, changing, 498
System Volume Information folder, 132, 135, 485
System.adm template, 515
%SystemDrive% folder, permissions for, 132, 134
SYSTEM.INI file, 26–27, 133
System32 folder
  malware in, 28
  permissions for, 133–134, 135
Sysvol folder, 132, 135, 485