access control, 80–82. See also authentication; NTFS permissions
Access Control Entry (ACE) permissions, 126
Access Control List (ACL), 126
access mask, 118
Access (Microsoft), file vulnerabilities in, 193, 199
access module shortcut files, 199
access token (security token), 88, 117–119, 126
Access11.adm template, 516
account lockouts
enabling, 185–186
group policy settings for, 493
Account Operators group, 74, 86, 102
accounting phase, access control, 81
accounts. See also specific accounts
built-in, list of, 99–101
computer accounts
definition of, 115–116
password attacks on, 177–179
highly privileged accounts
password protections for, 186–187
renaming, 73–75, 186
service accounts, 260–263, 292–293
ACE (Access Control Entry) permissions, 126
ACL (Access Control List), 126
action-based groups, 95–96
Active Directory. See also group policy
accessing with LDAP, 525
applying group policy in, 481, 482–483
baseline security policy for, 539
container objects in, 481
definition of, 519–520
domains in, 521–523
finding GUID for objects in, 82
forests in, 521
FSMO (Flexible Single Master Operations) roles, 523–524
group policy objects in, 481, 482–483
guidelines for, 536–542
organizational units in
default, list of, 520
definition of, 481, 520–521
role-based structure for, 537–538
partitions in, 525
parts of, 525
RBAC (Role-Based Access Control) for, 537
role-based incremental security policy for, 539
role-based OU structure for, 537–538
sites in, 524
trusts in, 522–523
Active Directory Domains and Trusts console, 482
Active Directory Integration, for IIS, 446
Active Directory mixed-mode, 96
Active Directory Sites and Services console, 482
Active Directory Users and Computers console, 96, 482
Active Server Pages (ASP), for IIS, 447, 449
ActiveX controls
IE settings for, 368–370, 375–376
IE 7 features restricting, 349
kill bit for, 335–336
vulnerabilities of, 29, 199
Ad-Aware (Lavasoft), 70
add-ons, exploitation of, 364–365
address lookups, anti-spam software using, 407–409
.ade files, 193
Administrative templates, group policy settings in, 481, 485, 515–517
Administrator account
compared to other administrators, 88
DCPromo effects on, 100
definition of, 99–100
as DRA (Data Recovery Agent), 100
password protections for, 186–187
renaming, 73–75, 186
security options for, 502–503
SID enumeration identifying, 75
Administrators group
computer accounts in, 116
default GPO permissions for, 535
definition of, 102
not allowing end users to log in as, 329–330, 366
not including end users in, 58–63, 246
password protections for, 186–187
renaming, 74, 186
SID for, 86
.adp files, 193
ADS (Alternate Data Streams)
definition of, 214–215
vulnerabilities of, 21, 215–216
Adsiedit.msc console, 82
Advanced Windows Password Recovery program, 181
adware, 18–19
AES (Advanced Encryption Standard), 299, 464
AGULP method, 97–99
AH (Authentication Header) protocol, 298, 299
AIM URI handler, 249
Alerter service, 268
Allow permissions
overriding Deny permissions, 128
setting, 122–123
%ALLUSERSPROFILE% folders, 28
Alternate Data Streams (ADS)
definition of, 214–215
vulnerabilities of, 21, 215–216
.ani files, 193, 247
Anonymous authentication, IIS, 429, 431, 449
anonymous enumeration, 6, 75
Anonymous Logon group, 85, 103, 113
Anonymous SID, 113
ANSI-bombs, 189
Ansi.sys file, 189
Anti-Phishing Working Group, 5
anti-spam software. See also spam
client-based solutions for, 417
definition of, 69–70
gateway appliances or software for, 415–416
hosted services for, 414–415
methods used by
address lookups, 407–409
comparisons of, 414
distribution analysis, 410
fingerprinting, 413
human analysis, 413
message analysis, 411–413
rate controls, 409–410
real-time blacklists (RBLs), 410–411
server software for, 416
anti-spyware software, 70
antivirus software. See also viruses
best practices for, 68–69
effectiveness of, 12, 57
failure of, assuming, 55
for incoming e-mail, 406–407
multiple, using, 57
Append Data permission, 125, 126
application control. See software restriction policies
Application Experience Lookup Service, 268
application files. See executable files; software
Application Layer Gateway Service, 268
Application Management service, 268
application pools, IIS, 422–425, 453–455
Application Server Console, IIS, 444
Apply Group Policy permission, for GPOs, 534
.arc files, 194
archive files, vulnerabilities of, 20, 199, 200, 202. See also compressed files
.arj files, 194
Aronoff, Andrew
IERESET.INF attack proposal, 24, 210
registry vulnerabilities discovered by, 36, 37, 39, 43, 45–48, 244–246
ARP spoofer, 168
.asf files, 194, 247
ASP (Active Server Pages), for IIS, 447, 449
ASP.NET, for IIS, 444, 449
ASP.NET State Service, 283
associations
file associations
hidden, 212
high-risk, blocking, 247–249
permission to change, 250–251
in registry, 231–235
vulnerabilities of, 30, 38, 39, 203, 243
in Windows Explorer, 235
security associations (SAs), IPSec, 300
.atf files, 194
attachments
blocking, 398–401
malicious, 391–392
attack surface, lessening, 253
attack vectors, decreasing, 57
attackers
dedicated attackers
compared to automated malware, 4–7
defeating, inability to, 52
defending against, 6–7
forensic analysis of attacks by, 10
methodology used by, 8–10
types of, 10–11
insider attacks, 17
knowing, importance of, 3
attacks. See also defense strategy; malware; password cracking
in IE (Internet Explorer)
browser interface manipulation, 364
buffer overflow attacks, 357
cookie manipulation, 363–364
cross-site scripting, 357–358
directory traversal attacks, 362
file execution attacks, 361–362
malicious content, 363
MIME type mismatches, 363
plug-in exploits, 364–365
URL spoofing, 354–357
zone manipulation, 358–361
increasing number of, 52
prevalence of, 4–7, 13–14, 19, 51
types of
adware, 18–19
automated, 4–7, 11–14
dedicated attacker, 4–7, 8–11, 52
directory traversal attacks, 18, 362
insider attacks, 17
local, 7–8
obscurity attacks, 17–18, 355–357
pharming attacks, 18–19, 397, 418
phishing attacks, 5–6, 18–19, 354–357, 396–397
physical attacks, 17, 56, 70–71
remote, 7–8, 14–17
social engineering, 18
spam, 18–19, 393–396
spyware, 6, 18–19
auditing
group policy settings for, 494–496
managing, 501
for Object Access, 224–225
as part of accounting phase, 81
auditing permissions, 126
Austrumi, 163
Authenticated Users group
computer accounts in, 115, 116
default GPO permissions for, 535
definition of, 103
replacing Everyone group with, 219
SID for, 85
Windows trusts and, 117
authentication. See also passwords
of e-mail, 417–418
IE settings for, 375, 377, 381–382
IIS (Internet Information Services), 182, 428–433, 449–450
for IPSec rules, 308–309
logon process for, 159–160
mistakes in, vulnerabilities caused by, 182–183
as part of access control, 80
password hashes protected during, 152
Password Reset Diskette, 182
protocols for
choosing, 156–159
Kerberos authentication, 154–156, 157
LM authentication, 152–153, 183–184
NTLM authentication, 153, 450
NTLMv2 authentication, 153–154
token-based authentication, 187
two-factor authentication, 187
Authentication Header (AH) protocol, 298, 299
authorization phase, access control, 81
Autoexec.bat file, 22, 132
Autoexec.nt file, 22
automated malware. See malware
Automatic Updates, 65
Automatic Updates service, 268
automation of defense strategy, 58
AutoPreview pane, disabling, 404–405
auto-run application files, 21
AUTORUN.INF file, 22
Autoruns program (Sysinternals), 256