Defenses


The following defenses will help prevent malicious attacks against Windows computers.

Don't Let Non-Admin Users Be Logged on as Administrators

The number one way to prevent malicious attacks on the registry is to not give non-admin users Administrator privileges. By default, as shown in Table 6-3, non-admin users usually have only Read-only access to most registry keys. If you have chosen to allow your regular end users to be logged on as administrators, consider manually hardening the high-risk registry locations listed in Tables 1-1 and 6-4 so that the user has only Read permissions (instead of Full Control).

Harden HKCU Registry Permissions

By default, even non-admin users have Read and Write permissions to the HKCU subtree. Consider giving users Read-only permissions to the high-risk HKCU registry keys listed in Tables 1-1 and 6-4. Pay special attention to the HKCU\Software\Classes and HKCU\Software\Microsoft\Windows entries.

Block High-Risk File Associations

By default, Windows installs with hundreds of file associations (in HKCR, HKLM\Software\Classes, and HKCU\Software\Classes). Consider making a list of the file extensions that should be allowed in your environment, using Table 5-1 as your guide. Then, using registry permissions, block non-admin users' access to the high-risk file associations. For example, if your company does not normally use encoded VBScript files (file extension .VBE), block access to them by taking away the user's capability to read the file association key. Note that I did not say to give Read-Deny permissions to the Users group. Doing so, as some readers might have after reading the previous sentences, would prevent Administrators (who are also members of Users) from being able to access the key. Table 6-5 shows the especially high-risk file associations that should be blocked from casual use.

Table 6-5: Especially high-risk file associations

File Extension | File Type | Malicious Use Details
.ani | Windows Animated Cursor | Two exploits were announced by Flashsky Fangxing (flashsky@xfocus.org) on Dec. 23, 2004. First, a Windows kernel DoS exploit: Windows XP SP2 is not vulnerable, but most other Windows versions (NT to 2003) are. Second, an integer buffer overflow caused by the LoadImage API in USER32.lib; most Windows versions (NT to 2003) are vulnerable.
.asf, .lsf, .lsx | Streaming audio or video file | Can be exploited through buffer overflows, header malformation, or dangerous scriptable content.
.bat | DOS batch file | Can contain malicious DOS command interpreter instructions.
.chm | Windows Compiled Help File | Windows Help Files (.hlp) can be compiled for better performance and feature sets. Malformed Compiled Help Files have been involved in many announced exploits over the years, including Microsoft Security Bulletin MS05-031. Can be opened in Internet Explorer automatically, without user intervention, using the ms-its moniker.
.cmd | Command file | Contains batch-file-like DOS interpreter script commands. Can contain malicious instructions.
.com | Program executable | Older executable format; some legacy DOS programs still use it. Still works under all Windows versions except newer 64-bit Windows.
.cur | Windows cursor graphic file | Integer buffer overflow, announced by Flashsky Fangxing (flashsky@xfocus.org) on Dec. 23, 2004, caused by the LoadImage API in USER32.lib; most Windows versions (NT to 2003) are vulnerable.
.dbg | Debug file | Can contain malicious machine-language instructions that debug.exe can compile into malware.
.dsm, .far, .it, .stm, .ult, .wma | Nullsoft WinAmp media file | Has been involved in malicious exploits.
.dun | DUN export file | Can contain malicious dial-up connection information that initiates outward calls.
.eml, .email | Outlook Express e-mail message | Used by Nimda and many other worms.
.hta | HTML application | Frequently used by worms and trojans.
.pdc | Microsoft compiled script | Can contain dangerous code.
.pif | Program information file | Can run malicious programs.
.png | Portable Network Graphics file | PNG is an open-source graphics format with lossless compression (www.libpng.org/pub/png). Has been involved in several exploits, including multi-browser buffer overflows. The last PNG IE buffer overflow was resolved by MS05-025.
.pol | Windows Policy File | Could be used to lower security settings on Windows 9x and later machines.
.reg, .key | Registry entry file | Can create or modify registry keys.
.scf | Windows Explorer command | Could be used maliciously in future attacks.
.shs, .shb | Shell scrap object | Can mask rogue programs by containing links to other programs. Shell scrap file objects can have hidden extensions even when Windows is told to display hidden file extensions. This file type can itself run raw code.
.slk | Excel SLK data-import file | Can contain hidden malicious macros.
.swf, .spl | Shockwave Flash object | Can be exploited.
.vb, .vbe, .vbs | VBScript file | Can contain malicious code. VBE files are encoded VBScript files that can easily be decoded and read by Windows and IE. These files are executed by Wscript.exe, Cscript.exe, or VBScript.dll.
.vcf | vCard file format | Used in many e-mail clients, including Outlook and Outlook Express, to communicate recipient addressing details. Has been involved in a few exploits.
.ws, .cs, .wsf, .wsc, .sct | WSH file | Can execute malicious code.

These file associations were chosen for the following reasons:

  • They are frequently exploited by malware or attackers.

  • They are infrequently used legitimately.

  • Removal would cause few problems in most environments.

Modify your list based upon your environment's needs and expectations.

Block High-Risk URI Handlers

Don't forget to block non-admin access to dangerous URI handlers (e.g., news://, aim://, telnet://, rlogin://). URI handlers are the special keywords that can be added to the beginning of a URL to launch an external program. Not all URI handlers are dangerous. Http:// and Https:// are used legitimately most of the time, but malware has used a few other URI handlers in the past to exploit computers. Table 6-6 lists high-risk and other unused URI handlers that should be reviewed.

Table 6-6: High-risk and unused URI handlers

URI Handler | Description
Aim | America Online Instant Messenger (AIM) program can be launched from an embedded HTML link. Has been used a few times in the past to conduct buffer overflows and steal files.
Callto | Will launch NetMeeting to call a dial-up phone number. Has been used by malware to make expensive long-distance calls.
News, nntp, snews | Network News Transport (NNTP) protocol. Will launch Outlook Express (OE), even if OE is not used (and not patched). Has been used to spread malware. Involved in a Windows buffer overflow exploit as recently as June 2005.
ftp | File Transfer Protocol (FTP). Will launch Internet Explorer (IE) in FTP mode. Can be used to download malicious files. Can be used to exploit other FTP vulnerabilities, such as user name and password disclosures.
Gopher | Early Internet protocol. Can be used to launch IE, although Gopher has been disabled by default in IIS and IE for many years now. Not really a high risk, but it should be disabled because it is no longer used.
Ldap | Lightweight Directory Access Protocol (LDAP). Will launch OE by default. Not abused much by malware, but could be used to do e-mail address directory harvesting and to send malicious e-mails.
Ms-its | Allows compiled help files (.CHM) to be launched. Compiled help files have been used in nearly a half dozen different exploits over the years.
Rlogin | Remote logon is a Unix-style telnet utility (Rlogin.exe) included in several versions of Windows. Essentially a telnet utility. Not abused by malware yet, but should be disabled because it is rarely used legitimately.
Telnet, Tn3270 | Can be used to launch a remote telnet session. Not popularly exploited, but has been used in the past.

The URI handlers installed in Windows vary in each environment according to the version of Windows and what software has been installed. Administrators should query workstation registries to determine whether any other high-risk entries should be blocked. You can find URI handlers by searching for the data field, URL:, under HKCR.
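The following PowerShell is an added example, not code from the book: it applies the permission change described above (removing the Users group's own access rather than adding a Deny entry) to the HKLM\Software\Classes keys behind a handful of the file associations in Table 6-5 and the URI handlers in Table 6-6, locating handlers by the URL: default data the text mentions. The function name, the sample extension and scheme lists, and the use of HKLM\Software\Classes as the target hive are my choices.

```powershell
# Added example, not from the book: strip BUILTIN\Users access from the
# HKLM\Software\Classes keys behind high-risk file associations and URI
# handlers, instead of adding a Deny ACE (a Deny on Users would also lock
# out Administrators, who are members of Users). Run elevated; -WhatIf first.
$ErrorActionPreference = 'Stop'
$Classes = 'HKLM:\SOFTWARE\Classes'
# Illustrative picks from Tables 6-5 and 6-6; trim to your environment.
$RiskyExtensions = '.vbe', '.shs', '.shb', '.hta', '.scf', '.pif', '.dbg'
$RiskySchemes    = 'aim', 'callto', 'news', 'nntp', 'snews', 'ms-its', 'rlogin', 'telnet', 'tn3270'

function Remove-UsersAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { Write-Verbose "Absent: $KeyPath"; return }
    $acl = Get-Acl -LiteralPath $KeyPath
    if (-not $acl.AreAccessRulesProtected) {
        # Break inheritance but keep copies of the inherited ACEs, so the only
        # change is the Users entry removed below. The copies become editable
        # explicit ACEs only after they have been written once.
        $acl.SetAccessRuleProtection($true, $true)
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Protect DACL (copy inherited ACEs)')) {
            Set-Acl -LiteralPath $KeyPath -AclObject $acl
            $acl = Get-Acl -LiteralPath $KeyPath
        }
    }
    $usersAces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' })
    if ($usersAces.Count -eq 0) { Write-Verbose "No Users ACE on $KeyPath"; return }
    foreach ($ace in $usersAces) { [void]$acl.RemoveAccessRule($ace) }
    if ($PSCmdlet.ShouldProcess($KeyPath, 'Remove BUILTIN\Users access')) {
        Set-Acl -LiteralPath $KeyPath -AclObject $acl
    }
}

# Targets: each extension key, the ProgID key its default value names, and
# each listed URI scheme whose key is really a handler (default data 'URL:...').
$targets = @(foreach ($ext in $RiskyExtensions) {
    "$Classes\$ext"
    $progId = (Get-ItemProperty -LiteralPath "$Classes\$ext" -ErrorAction SilentlyContinue).'(default)'
    if ($progId) { "$Classes\$progId" }
})
$targets += @(foreach ($scheme in $RiskySchemes) {
    $default = (Get-ItemProperty -LiteralPath "$Classes\$scheme" -ErrorAction SilentlyContinue).'(default)'
    if ("$default" -like 'URL:*') { "$Classes\$scheme" }
})
# Drop -WhatIf to apply; add -Verbose to see keys that were skipped.
$targets | Sort-Object -Unique | ForEach-Object { Remove-UsersAccess -KeyPath $_ -WhatIf }
```

Repeat the run with $Classes set to HKCU:\SOFTWARE\Classes for users who can write there (see the HKCU section above), because a per-user ProgID or handler key would otherwise take precedence over the locked machine-wide key.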

Remove High-Risk NeverShowExt Values

Search for and delete the NeverShowExt values for high-risk file associations in HKCR, HKLM\Software\Classes, and HKCU\Software\Classes. At the very least, remove this registry value for the following file types:

  • SHS

  • SHB

  • SHC

  • LNK

  • PIF

  • XNK
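As an added example (not code from the book), this PowerShell removes NeverShowExt for the six extensions just listed. It resolves each extension key's default value to its ProgID key, where the value normally lives, and checks the extension key as well; HKCR is treated as the merged view of the two roots below, so they are the ones edited. The function name and the two-root approach are my assumptions.

```powershell
# Added example, not from the book: delete the NeverShowExt value from the
# keys behind the six extensions listed above. HKCR is the merged view of the
# two roots below, so editing them covers it. Run elevated; -WhatIf first.
$ErrorActionPreference = 'Stop'
$Extensions = '.shs', '.shb', '.shc', '.lnk', '.pif', '.xnk'
$ClassRoots = 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes'

function Remove-NeverShowExt {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Extension, [string[]]$Root)
    foreach ($r in $Root) {
        foreach ($ext in $Extension) {
            # NeverShowExt normally sits on the ProgID key that the extension
            # key's default value names (e.g. .shs -> ShellScrap); check both.
            $extKey = Join-Path $r $ext
            $progId = (Get-ItemProperty -LiteralPath $extKey -ErrorAction SilentlyContinue).'(default)'
            $keys = @($extKey)
            if ($progId) { $keys += Join-Path $r $progId }
            foreach ($key in $keys) {
                $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
                if (-not $props -or -not $props.PSObject.Properties['NeverShowExt']) { continue }
                if ($PSCmdlet.ShouldProcess($key, 'Remove NeverShowExt')) {
                    Remove-ItemProperty -LiteralPath $key -Name NeverShowExt
                    $key   # report each key that was cleaned
                }
            }
        }
    }
}

# Drop -WhatIf to apply. Afterwards Explorer shows the full name, e.g. "invoice.txt.shs".
Remove-NeverShowExt -Extension $Extensions -Root $ClassRoots -WhatIf
```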

Block File Association Changes

By default, only Administrators (and Power Users) can create or change file associations. If end users are logged in as Administrators, you can still deny them the ability to change file associations through the Windows Explorer GUI (although they could still do it programmatically or using Regedit.exe). To enable this blocking feature, write a DWORD value of 00000000 to the NoFileAssociate value (which you may need to create) under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.

Use Group Policy or Security Templates to Automate Registry Permission Changes

Lastly, use a group policy object, local computer policy, or security template to automate hardening registry permissions. Chapter 14 covers this advice in more detail.



Professional Windows Desktop and Server Hardening
Professional Windows Desktop and Server Hardening (Programmer to Programmer)
ISBN: 0764599909
Year: 2004
Pages: 122
