Chapter 19

Section: Part VI:  Platforms and Security

Chapter 19. Microsoft

IN THIS CHAPTER

        DOS

        Windows for Workgroups, Windows 9x, and Windows Me

        Windows NT

        Internal Windows NT Security

        Windows 2000

        Modern Vulnerabilities in Microsoft Applications

In earlier years, Microsoft products earned a reputation for poor security. Windows NT introduced a breakthrough in security for the Microsoft platform. Microsoft has made great strides toward securing its platform with the introduction of Windows 2000, which Microsoft released in 2000. Windows 2000 ushers in even greater security with services such as Active Directory, Public Key Infrastructure (PKI), and Kerberos. Because the Windows 2000 operating system does offer the benefits of greater security, it would be in the best interest of your company to select Windows 2000 as your standard operating system. Microsoft officials have made their message clear: They have no intention of rewriting the security controls on Microsoft Windows for Workgroups, 95, 98, or Me.

Knowing this, I only briefly discuss DOS or earlier versions of the Windows operating system. (I needed the space to cover Windows NT and Windows 2000 more thoroughly.) To that end, this chapter begins with the minimum information necessary to break a non-Windows NT box.


DOS

Microsoft Disk Operating System (DOS) is the most popular personal computer operating system in history. It is lightweight, requires little memory, and has few commands. In fact, DOS 6.22 has approximately one-sixteenth the number of commands offered by full-fledged UNIX.

Though the popularity of DOS has waned in recent years, many people still use it. (I often see the DOS/Windows for Workgroups mix on networked computers despite the fact that the DOS/Windows combination is inherently insecure.) In the following sections, I briefly address the vulnerabilities of such systems.

IBM Compatibles in General

DOS runs only on IBM-compatible hardware. IBM-compatible architecture was not designed for security. Thus, any DOS-based system is vulnerable to attack. That attack begins with the BIOS password.

The BIOS Password

BIOS passwords (which date back to the 286) can be disabled by anyone with physical access to the box.

Note

BIOS passwords are used to protect the workstation from unauthorized users at the console. The BIOS password forces a password prompt at boot time. Indeed, the boot is actually arrested until the user supplies the correct password.

 

To disable BIOS password protection in older machines, you remove, short out, or otherwise disable the CMOS battery on the main board. Most new machines have jumpers on their motherboards that can be set to disable the BIOS password. After the BIOS password is erased, a cracker can gain access to the system. Intruders can easily compromise network workstations in this manner. However, it is not always necessary for the attacker to take apart the machine. Instead, the attacker can employ a BIOS password-capturing utility, which allows anyone to read the BIOS password while the machine is on. A number of BIOS password-capturing utilities exist. The most popular utilities are as follows:

        Amidecod. This small utility is very reliable. It will retrieve the password last used on a motherboard with an American Megatrends BIOS.

                   http://www.system7.org/archive/Passwd-Cracking/Bios-Crackers/

        Aw.com. This utility will retrieve (or recover) the password used on any board with an Award BIOS. Download Award.zip at this site:

                   http://www.system7.org/archive/Passwd-Cracking/Bios-Crackers/

After the cracker has gotten inside, he will want to gain further, or leveraged, access. To gain leveraged access on a networked DOS box, the cracker must obtain IDs and passwords. To do that, he will probably use a key-capture utility.

Key-Capture Utilities

Key-capture utilities capture keystrokes that occur after a specified event. (The most common trigger event is a login.) These keystrokes are recorded in a hidden file.

The directory that keystrokes are captured to can also be hidden. The most popular way of creating a hidden directory is to use the space key character as the directory's name. In Windows, the directory name appears as an underscore, which is easy to miss. Kids use this technique to hide games and racy photographs on their home and school machines.

Tip

Hidden files are generally created using the attrib command, or by using the key-capture utility itself; in other words, the programmer has included this feature in the software.
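The two disguises just described (a directory named with a blank-looking character and the hidden attribute set by attrib) are easy to find if you look for them. The following Python script is an added example, not part of this book or of any utility listed here; it checks a directory listing for names made entirely of whitespace or invisible characters and for entries carrying the hidden attribute, and can run the same checks over a real directory tree. The sample listing in it is constructed, and the names in it are assumptions.

```python
import os
import stat
import unicodedata

# Bit set by "attrib +h". Windows reports it in st_file_attributes; the
# constant itself is defined in the stat module on every platform.
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
DIRECTORY = getattr(stat, "FILE_ATTRIBUTE_DIRECTORY", 0x10)
ARCHIVE = getattr(stat, "FILE_ATTRIBUTE_ARCHIVE", 0x20)

# Constructed sample listing of (name, attributes): a normal directory, a
# directory named with a single space, a hidden keystroke log, a normal file,
# and a directory named with a zero-width space (all names are assumptions).
CONSTRUCTED_LISTING = [
    ("GAMES", DIRECTORY),
    (" ", DIRECTORY),
    ("KEYS.LOG", HIDDEN | ARCHIVE),
    ("REPORT.DOC", ARCHIVE),
    ("\u200b", DIRECTORY),
]


def is_disguised_name(name):
    """True when a name renders as blank in a listing: empty after stripping,
    padded with whitespace, or built only from space/format/control characters."""
    if name in (".", ".."):
        return False
    if not name.strip() or name != name.strip():
        return True
    return all(unicodedata.category(ch) in ("Zs", "Cf", "Cc") for ch in name)


def check_entry(name, attributes):
    """Return the list of reasons an entry deserves a look (possibly empty)."""
    reasons = []
    if is_disguised_name(name):
        reasons.append("blank-looking name")
    if attributes & HIDDEN:
        reasons.append("hidden attribute set")
    return reasons


def audit_listing(listing):
    """Apply check_entry to (name, attributes) pairs; returns sorted (name, reason)."""
    findings = []
    for name, attributes in listing:
        findings.extend((name, reason) for reason in check_entry(name, attributes))
    return sorted(findings)


def scan_directory(root):
    """Walk a real directory tree and apply the same checks. Outside Windows
    st_file_attributes does not exist, so only the name check can fire there."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            st = os.lstat(os.path.join(dirpath, name))
            attributes = getattr(st, "st_file_attributes", 0)
            for reason in check_entry(name, attributes):
                findings.append((os.path.join(dirpath, name), reason))
    return sorted(findings)


if __name__ == "__main__":
    for name, reason in audit_listing(CONSTRUCTED_LISTING):
        print(repr(name), reason)
```

Run scan_directory against a user's home directory or the root of a shared workstation; a directory that shows up only because its name is a space is exactly the case the paragraph above describes.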

 

A number of key-capture utilities are available for DOS. Table 19.1 lists the most popular ones and their filenames. You can find each of these utilities at http://www.system7.org/archive/Keyloggers/.

Table 19.1. Popular Keystroke-Capture Utilities

Utility    Filename       Characteristics
Keycopy    keycopy.zip    Captures 200 keystrokes at a time in WordPerfect, MultiMate, Norton Editor, and a standard command-line environment.
Playback   PB19C.zip      Records and plays back keystrokes in precisely the same sequence and time as they were issued. Good for simulating logins.
Phantom2   phantom2.zip   Captures keystrokes in any environment. This utility has many amenities, including time-based playback.
Keytrap    keytrap3.zip   Powerful keystroke capture that can be performed at a specific time of day. Versions 1 through 3 can be found at this site.

In general, however, a cracker doesn't need a keystroke-capture utility. DOS does not have mandatory or even discretionary access control. Therefore, if a cracker can get a prompt, the game is over. The only way to prevent this is to load third-party security software.

Access Control Software for DOS

The following sections introduce several good packages for adding access control to DOS.

Dir Secure 2.0

Secure 2.0 prevents any unauthorized user from accessing a given directory. However, Secure 2.0 does not obscure the directory's existence; it merely prevents unauthorized access to it. The unregistered version allows one directory to be restricted. Download Sd_v2.zip at the following URL:

    http://www.simtel.net/simtel.net/msdos/dirutl-pre.html/
Secure File System

Secure File System (SFS) is an excellent DOS security application suite. The suite offers high-level encryption for DOS volumes (as many as five disk volumes at one time), enhanced stealth features, and good documentation. Moreover, the SFS package conforms to the Federal Information Processing Standard (FIPS). Its compatibility with a host of disk-caching and memory-management programs makes the program quite versatile. Download version 1.17 from the University of Hamburg at the following URL:

    http://www.cs.auckland.ac.nz/~pgut001/sfs/
Sentry

Sentry 6.1 is quite complete for a shareware product, even allowing you to secure individual files. It also offers password aging and some support for Windows. Download Sentry61.zip at this site:

    http://www.simtel.net/simtel.net/msdos/security-pre.html
Encrypt-It

Encrypt-It offers high-level Data Encryption Standard (DES) encryption for DOS, and such encryption can be applied to a single file or to a series of files. The program also allows you to automate your encryption through macros of up to 1,000 keystrokes. The package comes with a benchmarking tool through which you can determine how well a particular file is encrypted. Check it out at this site:

    http://www.maedae.com/encrdos.html
LCK100

LCK100 locks the terminal while you are away. It is impervious to a warm reboot or interrupt keystrokes (Ctrl+Alt+Delete as well as Ctrl+Break). This might be useful in environments where users are strictly forbidden to restart machines. Download Lck100.zip at this site:

    http://www.simtel.net/simtel.net/msdos/security-pre.html
Gateway2

Gateway 2.05 intercepts Ctrl+Alt+Delete reboots and F5 and F8 function key calls. (Holding down the F5 or F8 key will halt the boot process and bypass configuration files such as AUTOEXEC.BAT and CONFIG.SYS. These keystrokes are one way to obtain access to a prompt.) Gateway2 also has other advantages, including password-protection support for up to 30 users on a single box. Download Gteway2.zip at the following URL:

    http://www.simtel.net/simtel.net/msdos/security-pre.html

Sites That House DOS Security Tools

The following sections name several sites from which you can acquire security tools for the DOS environment.

The Simtel DOS Security Index

The Simtel DOS Security Index page offers material about password protection, access restriction, and boot protection. It is located at this site:

    http://www.simtel.net/simtel.net/msdos/security-pre.html
The CIAC DOS Security Tools Page

The Computer Incident Advisory Capability (CIAC) page contains serious information about access restriction and includes one program that protects specific cylinders on a disk.

    http://ciac.llnl.gov/ciac/ToolsDOSSystem.html


Windows for Workgroups, Windows 9x, and Windows Me

Windows for Workgroups, Windows 9x, and Windows Me have only slightly more security than DOS. All rely on the PWL password file scheme. PWL files are generated when you create your password. By default, PWL files are housed in the directory C:\WINDOWS. However, you might want to check the SYSTEM.INI file for other locations. (SYSTEM.INI is where the PWL path is specified.)

The Password List (PWL) Password Scheme

The PWL password scheme is not secure and can be defeated simply by deleting the files.

Note

If the cracker wants to avoid leaving evidence of his intrusion, he probably won't delete the PWL files. Instead, he will reboot, interrupt the load to Windows (by pressing F5 or F8), and edit the SYSTEM.INI file. There, he will change the pointer from the default location (C:\WINDOWS) to a temporary directory. In that temporary directory, he will insert another PWL file to which he already knows the password. He will then reboot again and log in. After he has done his work, he will re-edit the SYSTEM.INI, putting things back to normal.
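The SYSTEM.INI [Password Lists] section holds one entry per user of the form USERNAME=drive:\path\USERNAME.PWL, so the redirection described in this note leaves a visible trace: an entry whose path no longer points at C:\WINDOWS. The following Python routine is an added example, not taken from any product mentioned in this chapter; it parses that section and reports redirected entries. It goes one step beyond the scenario above by also flagging an entry whose file name does not match the user it belongs to. The SYSTEM.INI text it works on is constructed; the user names ALICE and BOB and the C:\TEMP path are assumptions.

```python
import configparser
import ntpath

# Location Windows 9x uses for PWL files unless SYSTEM.INI says otherwise.
DEFAULT_PWL_DIR = "C:\\WINDOWS"

# Constructed sample SYSTEM.INI (user names and the C:\TEMP path are assumptions):
# ALICE's entry is untouched, BOB's has been redirected to a temporary directory.
SAMPLE_SYSTEM_INI = (
    "[boot]\n"
    "shell=Explorer.exe\n"
    "\n"
    "[Password Lists]\n"
    "; one entry per user: USERNAME=drive:\\path\\USERNAME.PWL\n"
    "ALICE=C:\\WINDOWS\\ALICE.PWL\n"
    "BOB=C:\\TEMP\\BOB.PWL\n"
)


def parse_password_lists(ini_text):
    """Return {username: pwl_path} from the [Password Lists] section.
    Interpolation is disabled because INI values may legitimately contain '%',
    strict=False tolerates the duplicate keys real SYSTEM.INI files accumulate,
    and optionxform=str keeps the user names exactly as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(ini_text)
    for section in cp.sections():
        if section.lower() == "password lists":
            return {user: (path or "") for user, path in cp.items(section)}
    return {}


def _same_dir(a, b):
    """Case-insensitive comparison of two Windows-style directory paths."""
    return ntpath.normcase(ntpath.normpath(a)) == ntpath.normcase(ntpath.normpath(b))


def redirected_entries(ini_text, expected_dir=DEFAULT_PWL_DIR):
    """List (user, path) pairs whose PWL file is not in expected_dir, or whose
    file name does not match the user it belongs to."""
    findings = []
    for user, path in parse_password_lists(ini_text).items():
        directory, filename = ntpath.split(path)
        wrong_dir = not _same_dir(directory, expected_dir)
        wrong_name = filename.upper() != f"{user.upper()}.PWL"
        if wrong_dir or wrong_name:
            findings.append((user, path))
    return findings


if __name__ == "__main__":
    for user, path in redirected_entries(SAMPLE_SYSTEM_INI):
        print(f"{user}: PWL pointer redirected to {path}")
```

Feed it the contents of the real SYSTEM.INI (for example, open(r"C:\WINDOWS\SYSTEM.INI").read()) and keep a copy of the known-good section so that a later diff shows both the redirection and the cleanup the note describes.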

 

In more complex cracking schemes, the attacker might actually need the password (for example, when the cracker is using a local Windows 95 box to authenticate to and crack a remote Windows NT 4.0 server). In such environments, the cracker has two choices: He can either crack the 95 PWL password file or he can flush the password out of cached memory while the target is still logged in. Both techniques are briefly discussed here.

Cracking PWL Files

Cracking standard PWL files generated on the average Windows 95 box is easy. For this, you need a utility called Glide.

Glide

Glide cracks PWL files. It comes with source code for those interested in examining it. To use Glide, enter the filename (PWL) and the username associated with it. Glide is quite effective and can be found online at the following location:

    http://morehouse.org/hin/blckcrwl/hack/glide.zip

Note

To make your PWL passwords secure, you should install third-party access control software. However, if you are forced to rely on PWL password protection, you can still better your chances. Glide will not crack PWL password files that were generated on any box with Windows 95 Service Pack 1 or later installed. You should install, at a minimum, the latest service packs.

 

Flushing the Password out of Cached Memory

Two different functions are used in the PWL system: one to encrypt and store the password and another to retrieve it. Those routines are as follows:

        WNetCachePassword()

        WNetGetCachedPassword()

The password remains cached. You can write a routine in Visual C++ or Visual Basic (VB) that will get another user's password. The only restriction is that the targeted user must be logged in when the program is executed (so the password can be trapped). The password can then be cached out to another area of memory. Having accomplished this, you can bypass the password security scheme by using that cached version of the password. (This technique is called cache flushing. It relies on the same principle as using a debugger to expose authentication schemes in client software.)

You can also force the cached password into the swap file. However, this is a cumbersome and wasteful method; there are other, easier ways to do it.

Tip

One method is to hammer the password database with multiple entries at high speed. You can use a utility like Claymore for this, which you can download at http://www.system7.org/archive/Passwd-Cracking/windows.html. You fill the available password space by using this technique. This causes an overflow, and the routine then discards older passwords. However, this technique leaves ample evidence behind.

 

Either way, the PWL system is inherently flawed and provides very little protection against intrusion. If you are using Windows 9x or Windows Me, you need to install third-party access control. This chapter provides a list of such products and their manufacturers in the "Access Control Software" section later in this chapter. Not all products have a version for Windows Me. Check with the manufacturers for availability.

Summary on DOS, Windows for Workgroups, Windows 9x, and Windows Me

DOS, Windows for Workgroups, Windows 9x, and Windows Me are all excellent systems. However, none of them are secure. If your firm uses these operating systems at all, the boxes that run them should be hidden behind a firewall. This is especially so with Windows Me because it has received little scrutiny. It might contain many vulnerabilities that have yet to be revealed.

With that settled, let's examine Windows NT security.


Windows NT

Microsoft might be traditionally known for poor security, but not when it comes to Windows NT 4.0. Out of the box, Windows NT 4.0 has security measures as good as most other server platforms. The catch is that you must keep up with recent developments. If you have a connection to the Internet, you should consider subscribing to Windows Update so that it will automatically notify you about new service packs/updates.

Before you read any further, ask yourself this: Have I installed Windows NT 4.0 using NT File System (NTFS) and installed the service packs in their proper order? If not, your Windows NT 4.0 system is not secure and the rest of this chapter cannot help you. If you have not installed your system in this manner, go back, reinstall the service packs, and install with NTFS enabled.

Note

One would think that the order in which service packs are installed doesn't matter. Unfortunately, that is simply not true. There have been documented instances of users installing service packs in disparate order only to later encounter trouble. I recommend keeping a running record of when the packs were installed and any problems that you encounter during installation.

 

General Windows NT Security Vulnerabilities

Windows NT, like most operating systems, has vulnerabilities. Please note that the list of vulnerabilities discussed here is not exhaustive. Other vulnerabilities of lesser severity exist.

The Netmon Protocol Parsing Vulnerability

Windows NT Version: All versions

Impact: An attacker can gain control of your server.

Class: Critical

Fix for Windows NT 4.0 Server and NT 4.0 Server, Enterprise Edition can be found at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25487.

As of this writing, no fix exists for Windows NT 4.0 Server, Terminal Server Edition.

Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-083.asp. The fix for this vulnerability will be included in Service Pack 7.

Credit: COVERT Labs at PGP Security, Inc., and the ISS X-force

Note

According to http://www.microsoft.com/ntserver/terminalserver/default.asp, Microsoft discontinued NT Terminal Server Edition in August 2000, so there is little hope that this problem will be resolved for this platform.

 

Several protocol parsers in Netmon have unchecked buffers. When an attacker sends a malformed frame to a server that is monitoring network traffic, and if the administrator happens to be using a protocol parser with unchecked buffers, the malformed frame would either cause Netmon to fail or cause code of the attacker's choice to run on the server. If you are running Netmon under a local administrator's account, the attacker can gain complete control over the server, but not over the domain. However, if you are running Netmon under a domain administrator's account, the attacker might be able to gain control over the domain as well.
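The defect behind this bulletin is a parser that trusts a length field in the frame it is given. The Python routine below is an added example (not Microsoft's code and not Netmon's parser) of the check such a parser must make before touching the payload: compare the declared length with the bytes actually received and refuse the frame rather than read past the buffer. The frame layout (2-byte type, 2-byte length, payload) and the sample frames are constructed for illustration; in a C implementation, the same missing comparison is what lets a malformed frame corrupt memory instead of being logged and dropped.

```python
import struct

# Constructed frame layout for illustration: 2-byte type, 2-byte declared
# payload length (little-endian), then the payload. Not Netmon's format.
HEADER = struct.Struct("<HH")
MAX_PAYLOAD = 1500


class MalformedFrame(ValueError):
    """Raised for any frame whose header disagrees with the bytes received."""


def parse_frame(buf):
    """Validate the header before any parser touches the payload.
    Returns (frame_type, payload) or raises MalformedFrame."""
    if len(buf) < HEADER.size:
        raise MalformedFrame("truncated header")
    frame_type, declared = HEADER.unpack_from(buf)
    available = len(buf) - HEADER.size
    if declared > MAX_PAYLOAD:
        raise MalformedFrame(f"declared length {declared} exceeds maximum {MAX_PAYLOAD}")
    if declared > available:
        raise MalformedFrame(f"declared length {declared} but only {available} bytes present")
    return frame_type, buf[HEADER.size:HEADER.size + declared]


def triage(frames):
    """Run captured frames through the checked parser. Rejected frames are
    returned with the reason so a monitor can log them instead of crashing."""
    accepted, rejected = [], []
    for raw in frames:
        try:
            accepted.append(parse_frame(raw))
        except MalformedFrame as err:
            rejected.append((raw, str(err)))
    return accepted, rejected


# Constructed sample frames: one well-formed, one claiming far more payload
# than it carries, one with a length over the maximum, one cut off mid-header.
CONSTRUCTED_FRAMES = [
    HEADER.pack(0x0001, 4) + b"ABCD",
    HEADER.pack(0x0001, 0x0400) + b"AB",
    HEADER.pack(0x0002, 0xFFFF) + b"x" * 2000,
    b"\x01",
]


if __name__ == "__main__":
    ok, bad = triage(CONSTRUCTED_FRAMES)
    print(f"{len(ok)} accepted, {len(bad)} rejected")
    for raw, why in bad:
        print(f"  rejected ({len(raw)} bytes): {why}")
```

The second point of the section, the account Netmon runs under, is not something a parser can fix: even a checked parser should run under an account that can do no more than capture traffic, so that a future parsing bug is contained.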

The Predictable LPC Message Identifier Vulnerability

Windows NT Version: All versions

Impact: A local intruder can impersonate your privileges, eavesdrop on your session, or cause your server or workstation to fail.

Class: Critical Denial of Service

Fix: http://www.microsoft.com/ntserver/nts/downloads/critical/q266433/default.asp. The fix for this vulnerability will be included in Service Pack 7.

Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-070.asp

Credit: BindView's Razor Team

An intruder can only exploit this vulnerability locally. The intruder causes a denial of service attack on either a client or server box by sending large packets of random data to them. If the intruder identifies a system process that has an existing Local Procedure Call (LPC) connection with a privileged thread, he can then spoof the client and make requests that he wouldn't ordinarily be able to perform. The amount of damage he can perform depends on what processes are running in the thread and what they permit him to do. The intruder can also eavesdrop on your session and potentially gather privileged information.

The Registry Permissions Vulnerability

Windows NT Version: All versions

Impact: Default permissions on certain Registry values can allow an attacker to gain additional privileges on a box.

Class: Moderate to Severe

Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24501 The Terminal Server Edition doesn't have a fix at the time of this writing.

Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-095.asp

Credit: Chris Anley, Milan Dadok, and Glenn Larsson

The SNMP Parameters key, the RAS Administration key, and the MTS Package Administration key all have inappropriately loose default permissions. This vulnerability could enable an attacker to manage or configure devices on the network, such as misconfiguring routers and firewalls, and starting or stopping services on a machine.

The Remote Registry Access Authentication Vulnerability

Windows NT Version: All versions

Impact: Remote users can cause a Windows NT 4.0 box to fail.

Class: Critical Denial of Service

Fix for Windows NT 4.0 Workstation, Server, and Enterprise Server Edition: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23077 At the time of this writing, there is no fix available for the Terminal Server Edition.

Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-040.asp

Credit: Renaud Deraison

When an attacker sends a malformed request for remote Registry access, the request can cause the Winlogon process to fail, which in turn can cause the entire system to fail.

The Winsock Mutex Vulnerability

Windows NT Version: All versions

Impact: Local user can cause a box to stop responding to network traffic.

Class: Moderate Denial of Service

Fix for Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27272

Fix for Windows NT 4.0 Terminal Server: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27291

Additional Information: http://www.microsoft.com/technet/security/bulletin/MS01-003.asp

Credit: Arne Vidstrom

Inappropriate permissions assigned to a networking mutex can permit an intruder to run code to gain control of the mutex and then deny access to it. Doing this prevents other processes from being able to perform network operations with the machine.

Other Important Vulnerabilities of Lesser Significance

Windows NT is also vulnerable to a wide range of other things, which might not be absolutely critical but are serious nonetheless. Table 19.2 lists these problems, along with URLs where you can learn more.

Table 19.2. Other Important Windows NT Vulnerabilities

Vulnerability   Facts and URL
Out of Band     Out-of-band (OOB) attacks are denial of service attacks with a vengeance. Many platforms are susceptible to OOB attacks, including Windows NT 3.51 and Windows NT 4.0. The fix for Microsoft is available at ftp://ftp.microsoft.com/bussys/winnt/winntpublic/fixes/usa/NT351/hotfixes-postSP5/oob-fix/.
Port 1031       If a cracker telnets to port 1031 of your server and issues garbage, this will blow your server off the Net. This exploits a vulnerability in the file INETINFO.EXE. Check with Microsoft for recent patches.
NTCrash         A powerful denial of service utility called NTCrash will bring a Windows NT server to its knees. Source code is available on the Net here: http://www3.ncr.com/support/nt/tools/ntcrash.zip. Test it and see what happens.


Internal Windows NT Security

The majority of this chapter focuses on remote security, in which the attackers are on foreign networks. Unfortunately, foreign networks are not always the source of the attack. Sometimes, your very own users attack your server. That is what the next section is all about.

Internal Security in General

In general, Windows NT has only fair-to-good local security. This is in contrast to its external security, which I believe is very good (providing you stay up on the latest patches). At a bare minimum, you must use NTFS. If you don't, there is no point in even hoping to secure your boxes. Here's why: There are just too many things that local users can do, and too many files and services they can use.

Some system administrators argue that they don't need NTFS. Instead, they argue that between policy and careful administration and control of who accesses their machines, they can maintain a more or less tight ship. They are dreaming.

The RDISK Hole

A perfect example is the RDISK hole. RDISK is a Windows NT utility that allows you to create emergency repair disks. This is a valuable utility for a system administrator. However, when accessible to the wrong person, RDISK is an enormous security hole. Here's why: A user can instruct RDISK to dump all security information (including passwords and Registry information) into the directory C:\WINNT\REPAIR. From there, an attacker can load a password cracker. Within hours, the box will be completely compromised. This is just another reason you should not walk away from your computer and leave it logged on. Would you like to try it yourself? Issue this command at a prompt: rdisk /s.

Then go to the directory C:\WINNT\REPAIR. You will find the necessary information you need to crack the box.
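Because rdisk /s leaves its output in a known place, you can at least detect when it has been run. The following Python routine is an added example, not part of Windows NT or of this book; it lists the compressed SAM and SECURITY hive files (SAM._ and SECURITY._) in a repair directory together with their ages, so a dump that does not correspond to a recorded repair-disk run stands out. The repair directory it builds is a constructed sample in a temporary location; SAM._ and SECURITY._ are the names rdisk writes, and SETUP.LOG is included as unrelated content.

```python
import os
import tempfile
import time

# Files that "rdisk /s" writes into the repair directory; the compressed SAM
# and SECURITY hives are what a password cracker is after.
SENSITIVE_REPAIR_FILES = {"sam._", "security._"}
SECONDS_PER_DAY = 86400


def find_repair_dumps(repair_dir, max_age_days=None, now=None):
    """Return sorted [(filename, age_in_days)] for sensitive hive dumps found in
    repair_dir. With max_age_days set, only dumps at most that old are
    returned, which isolates runs that are not on your maintenance record."""
    now = time.time() if now is None else now
    findings = []
    for entry in os.scandir(repair_dir):
        if entry.is_file() and entry.name.lower() in SENSITIVE_REPAIR_FILES:
            age_days = (now - entry.stat().st_mtime) / SECONDS_PER_DAY
            if max_age_days is None or age_days <= max_age_days:
                findings.append((entry.name, round(age_days, 2)))
    return sorted(findings)


def build_constructed_repair_dir(base, now=None):
    """Create a throwaway repair directory (constructed sample data): a SAM._
    dump half a day old, a SECURITY._ dump 40 days old, and an unrelated
    SETUP.LOG. Timestamps are set with os.utime."""
    now = time.time() if now is None else now
    os.makedirs(base, exist_ok=True)
    for name, age_days in (("SAM._", 0.5), ("SECURITY._", 40), ("SETUP.LOG", 40)):
        path = os.path.join(base, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content")
        stamp = now - age_days * SECONDS_PER_DAY
        os.utime(path, (stamp, stamp))
    return base


def demo(max_age_days=7):
    """Build the sample directory and run both forms of the check against it."""
    now = time.time()
    repair = build_constructed_repair_dir(os.path.join(tempfile.mkdtemp(), "repair"), now)
    return find_repair_dumps(repair, now=now), find_repair_dumps(repair, max_age_days, now)


if __name__ == "__main__":
    everything, recent = demo()
    print("hive dumps present:", everything)
    print("dumps newer than 7 days:", recent)
```

On a real server, point find_repair_dumps at %SystemRoot%\repair and run it from a scheduled job. Detection is the second line of defence; the first is not leaving ordinary users with read access to that directory in the first place.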

Achieving Good Internal Security

Achieving good internal security is not an end. There is no list of tools that you can install that will permanently secure your box. New holes always crop up. Also, although Microsoft has done wonders to improve the security of Windows NT, pervading user-friendliness in their products continues to hamper efforts at serious security.

An amusing example of this was described by Vacuum from Rhino9 (a prominent hacker group), who made the observation that restricting user access to the Control Panel was a fruitless effort. He wrote:

If you do not have access to the Control Panel from Start/Settings/Control Panel or from the My Computer Icon, click Start/Help/Index. All of the normally displayed icons appear as help topics. If you click on "Network," for example, a Windows NT Help Screen appears with a nice little shortcut to the Control Panel Network Settings.

The problem sounds simple and not very threatening. However, the rule holds true for most system resources and even administrative tools. (Microsoft probably won't change it, either. Their defense would probably be this: It enhances user-friendliness to provide a link to any program discussed in Help.)

At a bare minimum, you should install logging utilities and a sniffer. I also recommend making a comprehensive list of all applications or resources that have no logging. If these applications and resources have no native logging (and also cannot be logged using other applications), I recommend deleting them, placing access restrictions on them, or at a minimum, removing them from their default locations.

A Tip on Setting Up a Secure Windows NT Server from Scratch

To effectively erect a secure Windows NT server, you must start at installation time. To ascertain whether you should reinstall, you should measure your original installation procedure against typical preparations for a C2 system. To do that, I recommend downloading the Secure Windows NT Installation and Configuration Guide, which was authored by the Department of the Navy Space and Naval Warfare Systems Command Naval Information Systems Security Office. That document contains the most comprehensive secure installation procedure currently available in print. It is located at this site:

    https://infosec.navy.mil/TEXT/COMPUSEC/ntsecure.html

Note

C2 is an evaluation level in the US Government's Trusted Computer Security Evaluation Criteria (TCSEC) program. TCSEC provides a standard set of criteria for judging the security that computer products provide. TCSEC has also come to be known as the "Orange Book" because the base set of criteria specified by TCSEC is provided in a book with an orange cover.

 

The Navy guide takes you through configuration of the file system, audit policy, the Registry, the User Manager, user account policy, user rights, trust relationships, system policy, and Control Panel. It also has a blow-by-blow guide that explains the rationale for each step taken. This is invaluable because you can learn Windows NT security on-the-fly. Even though it spans only 185 pages, the Navy guide is worth 10 or even 100 books like this one. By using that guide, you can guarantee yourself a head start on establishing a reasonably secure server.

Summary of Windows NT

Windows NT 4.0 was the first step Microsoft took toward securing your network. Although Windows NT 4.0 and third-party software vendors provide you with many features to secure your Windows NT 4.0 network, Windows 2000 possesses even greater security. If you haven't yet taken the plunge to upgrade to Windows 2000, you should seriously consider doing so.

Let's move on now to examine Windows 2000 security.


Windows 2000

As with Windows NT 4.0, it is very important to install Windows 2000 using NTFS. If you don't install NTFS on your Windows 2000 domain controller, you will not have a secure installation. The focus of this section on Windows 2000 will be on improvements to security and on general Windows 2000 security vulnerabilities.

Improvements to Security

Microsoft has paid more attention to security this time around, and has fully integrated security with the new Active Directory directory service structure. Microsoft has also designed the Windows 2000 platform to be more reliable than previous versions of Windows.

Some of the security features that are new to Windows 2000 are briefly discussed in the following list:

        First and foremost is the introduction of Active Directory. It is the core of the flexibility of the Windows 2000 security model and provides information about all objects on the network. It is the basis for Windows 2000 distributed networking and facilitates the use of centralized management techniques, such as Group Policy and remote operating system operations. Active Directory replaces the security accounts manager (SAM) database area of the Registry on domain controllers, storing security information such as user accounts, passwords, and groups. Consequently, Active Directory becomes a trusted component of the Local Security Authority (LSA). Active Directory stores both access control information to support authorization to access system resources, and user credentials to support authentication within the domain. Windows 2000 Professional and member servers still retain the local SAM database for locally defined users and groups.

Active Directory provides a single point of management for Windows clients, servers, applications, and user accounts. With Active Directory, you can delegate specific administrative tasks and privileges to individual users and groups, thus enabling the distribution of system administration tasks to either localized or centralized administration. For example, you can assign a specific management task, such as resetting a user's password, to office administrators in specific departments of your organization so that you can free up your time for more complex tasks.

Active Directory includes built-in support for secure Internet-standard protocols such as Public Key Infrastructure (PKI), Kerberos, and Lightweight Directory Access Protocol (LDAP). Learn more about Active Directory at http://www.microsoft.com/windows2000/guide/server/features/directory.asp.

        Public Key Infrastructure (PKI) also lies at the core of many of the security features in Windows 2000. PKI makes use of Microsoft Certificate Services, which allows the deployment of enterprise certificate authorities (CAs) in your organization and is integrated into Active Directory. The directory service is used to publish information about certificate services, including the location of user certificates and certificate revocation lists. When your organization begins to manage digital certificates, a range of enhanced security features becomes available to you in order to secure such technologies as Digitally Signed Software, the Encrypted File System (EFS), e-mail, IP Security, and Smart Card Security.

        The EFS presents your users with the option to encrypt sensitive data on their hard disks, thus ensuring confidentiality should an intruder compromise or steal the disk.

        Kerberos is the default authentication protocol on Windows 2000, replacing Windows NT Challenge Response (NTLM) authentication. Kerberos has been around for a number of years, having been developed at the Massachusetts Institute of Technology during the 1980s.

        Internet Protocol Security Protocol (IPSec) provides advanced network security for you and your enterprise users.

Windows 2000 Distributed Security Overview

The Windows 2000 distributed security services are designed to meet the following key business requirements:

        Strong user authorization and authentication

        Users log on once to access all enterprise resources

        Secure communications between external and internal resources

        Automated security auditing

        Interoperability with other operating systems

Microsoft bases Windows 2000 security on a simple model of authentication and authorization. After Windows 2000 identifies the user through authentication with a domain controller, the user is granted access to specific network resources based on permissions. This security model enables authorized users to work on a secure, extended network. The Windows 2000 distributed security model is based on delegation of trust between services, trusted domain controller authentication, and object-based access control.

Learn more about Microsoft Windows 2000 distributed security at http://microsoft.com/windows2000/library/unzippeddocs/SecTech.doc. Now that we've briefly examined some of the new security features in Windows 2000, let's move on to some potentially harmful vulnerabilities.

General Windows 2000 Security Vulnerabilities

Windows 2000, like most operating systems, has vulnerabilities. Please note that the list of vulnerabilities discussed here is not exhaustive. Other vulnerabilities of lesser severity exist.

The Windows 2000 Directory Service Restore Mode Password Vulnerability

Microsoft Windows Version: Windows 2000 Server and Advanced Server

Impact: A malicious user can install malicious code onto a domain server.

Class: Moderate to Severe

Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27500. The fix for this vulnerability will be included in Windows 2000 Service Pack 2.

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS01-006.asp

Credit: John Sherriff of the Wool Research Organization

A malicious user with physical access to and administrative logon privileges on your domain server can install malicious code if the server was promoted to a domain server using the "Configure Your Server" tool. The only domain server in the forest that can be affected by this vulnerability is the one that was installed first.

The Netmon Protocol Parsing Vulnerability

Microsoft Windows Version: Windows 2000 Server and Advanced Server

Impact: An attacker can gain control of your server.

Class: Critical

Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25485. The fix for this vulnerability will be included in Windows 2000 Service Pack 2.

Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-083.asp

Credit: COVERT Labs at PGP Security, Inc., and the ISS X-force

Refer to the Windows NT vulnerabilities section earlier in this chapter for an explanation of this vulnerability; it affects both Windows NT and Windows 2000.

The Network DDE Agent Request Vulnerability

Microsoft Windows Version: All Windows 2000 versions

Impact: An attacker can gain complete control over your box.

Class: Severe

Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526. The fix for this vulnerability will be included in Windows 2000 Service Pack 3.

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS01-007.asp

Credit: Dildog of @Stake

This is a privilege elevation vulnerability. An attacker could exploit it to take any action he wanted on your box, because it enables him to run commands and programs with the privileges of the operating system itself.

The Phone Book Service Buffer Overflow Vulnerability

Microsoft Windows Version: Windows 2000 Server and Advanced Server

Impact: An attacker can execute hostile code on a remote server that is running the Phone Book Service.

Class: Critical

Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531. The fix for this vulnerability will be included in Windows 2000 Service Pack 2.

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-094.asp

Credit: CORE-SDI and @Stake

The Phone Book Service is used with Dial-Up Networking clients to provide a prepopulated list of Dial-Up Networking servers to the client. This service has an unchecked buffer in a portion of the code that does the processing of requests for phone book updates. When an attacker sends a malformed request, it can result in overrunning the buffer. This enables the attacker to execute any code that a user logged into the server can run. In other words, the attacker can install and run code of his choice; add, delete or change Web pages; reformat the hard drive; or do any number of other tasks.

The Telnet Client NTLM Authentication Vulnerability

Microsoft Windows Version: All Windows 2000 versions

Impact: An attacker could obtain another user's NTLM authentication credentials without the user's knowledge.

Class: Moderate to Critical

Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24399. The fix for this vulnerability will be included in Windows 2000 Service Pack 2.

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-067.asp

Credit: DilDog of @Stake Inc.

If a malicious Webmaster operates a Telnet server and you initiate a session with that server, the Webmaster could collect your NTLM responses and then possibly use them to authenticate to your box. This is possible because, as part of the session, your box might pass your cryptographically protected NTLM authentication credentials to his server. After he has obtained these credentials, he could then use an offline brute-force attack to recover your plaintext password.

The Telnet Server Flooding Vulnerability

Microsoft Windows Version: All Windows 2000 versions

Impact: A remote user can prevent your box from providing Telnet services.

Class: Moderate to Severe Denial of Service

Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22753

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-050.asp

Credit: Unknown

This is a remote denial of service vulnerability. A malicious remote user can send a malformed input string from his box, which would then cause the Telnet server to fail, causing the loss of any work in progress.

Summary of Windows 2000

Even though security for Windows has improved greatly with the introduction of Windows 2000, new security violations occur all the time. Hence, it is important that you keep up with new advisories related to security holes in Windows 2000.


Modern Vulnerabilities in Microsoft Applications

In this section, I enumerate security weaknesses in some very commonly used Microsoft applications. Microsoft Internet Explorer (Microsoft's Web browser, also known as MSIE), Microsoft Exchange Server (a mail administration package), and Internet Information Server (IIS) are three key networking applications.

Microsoft Internet Explorer

Microsoft Internet Explorer has several serious vulnerabilities; some of them are covered briefly here. Those vulnerabilities that are classified as either critical or severe can result in system compromise, and are therefore of great interest to system administrators.

The Active Setup Download Vulnerability

Microsoft Internet Explorer Version: 4.x, 5.x

Impact: Malicious Webmasters can download a .CAB file to any disk on your box.

Class: Severe

Fix for MSIE 4.x and 5.01: http://www.microsoft.com/windows/ie/download/critical/patch8.htm

Fix for MSIE 5.5: http://www.microsoft.com/windows/ie/download/critical/patch11.htm

Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-042.asp

Credit: Unknown

A malicious Web site can download a .CAB file to any disk on your box and then use the .CAB file to overwrite files, including system files. This could render your machine inoperable and create a denial of service on your box.

The Cached Web Credentials Vulnerability

Microsoft Internet Explorer Version: 4.x and 5.x prior to version 5.5

Impact: Malicious intruders can obtain your user ID and password to a Web site.

Class: Moderate to Severe

Fix: http://www.microsoft.com/windows/ie/download/critical/q273868.htm

Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-076.asp

Credit: ACROS Security

When you use Basic authentication to authenticate to a secured Web page, MSIE caches your user ID and password. MSIE does this to minimize the number of times you must authenticate to the same site. Although MSIE should only pass your cached credentials to secured pages on the site, it will also send them to the site's nonsecured pages. If an attacker has control of your box's network communications when you log on to a secured site, the attacker can spoof a request for a nonsecured page and then collect your credentials.
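The leakage described above shows up on the wire as a Basic authentication header on a plain http request. As an added example that is not from the book, the following Python check scans constructed proxy log lines (the "scheme host path header" layout, host names and credentials are all made up for the example) and flags Basic credentials sent without SSL, reporting only the user ID, never the password:

```python
import base64
import binascii

# Constructed proxy log, one request per line: scheme, host, path, then the
# Authorization header (or "-" when there was none). Not real traffic.
SAMPLE_LOG = """\
https intranet.example.test /secure/report.asp Authorization: Basic YWxpY2U6czNjcjN0
http intranet.example.test /public/banner.gif Authorization: Basic YWxpY2U6czNjcjN0
http intranet.example.test /public/index.htm -
https intranet.example.test /secure/data.asp Authorization: Basic Ym9iOmh1bnRlcjI=
http intranet.example.test /images/logo.gif Authorization: Basic not-base64!!
"""

BASIC_PREFIX = "Authorization: Basic "


def basic_user(token):
    """Return the user ID from a Basic token, or None when it does not decode.

    Basic tokens are base64("user:password"); only the part before the first
    colon is returned so that a report never contains the password itself.
    """
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def leaked_credentials(log_text):
    """Flag Basic credentials carried on non-SSL (http) requests.

    Returns a list of (host, path, user_id) tuples; user_id is None when the
    token was malformed, which is still worth a look because it means a
    client sent an Authorization header in the clear.
    """
    findings = []
    for line in log_text.splitlines():
        scheme, host, path, *rest = line.split()
        header = " ".join(rest)
        # Credentials on https are protected by SSL; only plaintext ones matter here.
        if scheme != "http" or not header.startswith(BASIC_PREFIX):
            continue
        token = header[len(BASIC_PREFIX):]
        findings.append((host, path, basic_user(token)))
    return findings


if __name__ == "__main__":
    for host, path, user in leaked_credentials(SAMPLE_LOG):
        print(f"plaintext Basic credentials for user {user!r} sent to http://{host}{path}")
```

In the sample, the first https request is the legitimate logon; the second line is the same user's cached credentials being replayed to a nonsecured image on the same host, which is exactly the request an attacker in control of the channel would provoke. Running this over real proxy logs tells you which accounts need a password change and which sites should serve everything, images included, over SSL.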

The IE Script Vulnerability

Microsoft Internet Explorer Version: 4.01 SP2 and higher, when Microsoft Access 97 or Microsoft Access 2000 is present on the machine

Impact: Permits an attacker to run code of his choice on your box, potentially allowing the attacker to take full control of it.

Class: Extremely Severe

Fix: http://www.microsoft.com/windows/ie/download/critical/patch11.htm or set an Administrator password for Microsoft Access

Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-049.asp

Credit: Georgi Guninski

This vulnerability enables an attacker to embed malicious VB code into Microsoft Access via Internet Explorer. Simply visiting a malicious Web site or previewing an e-mail that contains malicious code can compromise your box.

The Microsoft Internet Explorer GetObject() File Disclosure Vulnerability

Microsoft Internet Explorer Version: 5.x

Impact: If you visit a malicious Web site or read a mail message with Active Scripting enabled, MSIE might disclose files on your box.

Class: Moderate to Severe

Fix: Until Microsoft releases a patch to fix this problem, you should disable Active Scripting in Internet Explorer in any zone with untrusted hosts. If you run any other products that respect Internet Explorer security zones, you should configure them to run VBScript in trusted zones only. In addition, Microsoft recommends configuring Outlook using the guidelines found at: http://www.microsoft.com/office/outlook/downloads/security.htm

Additional Info: http://www.kb.cert.org/vuls/id/800893

Credit: Georgi Guninski

Microsoft designed IE to prevent programs on Web sites from reading files on your box without authorization. Microsoft also designed Outlook and Outlook Express to prevent programs embedded in mail messages from reading files on your box without authorization. Unfortunately, a flaw in the behavior of the GetObject call in VBScript permits access to files despite the fact that VBScript doesn't include file I/O or direct access to the underlying operating system. This flaw can cause a malicious VBScript to forward the contents of a document through electronic mail or back to the Web site.

The Office HTML Script Vulnerability

Microsoft Internet Explorer Version: 4.01 SP2 or higher when Microsoft Excel 2000, Microsoft Powerpoint 2000, or Microsoft PowerPoint 97 are present on the machine

Impact: Permits an attacker to run code of his or her choice on a victim's box, potentially allowing the attacker to take full control of that box.

Class: Extremely Severe

Fix for Microsoft Excel 2000 and PowerPoint 2000: http://officeupdate.microsoft.com/2000/downloaddetails/Addinsec.htm

Fix for Microsoft PowerPoint 97: http://officeupdate.microsoft.com/downloaddetails/PPt97sec.htm

Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-049.asp

Credit: Unknown

This vulnerability enables a script that is stored either on a malicious Web operator's site or in an HTML e-mail message to save an Excel 2000, Powerpoint 2000, or Powerpoint 97 file to a victim's box. The attacker can code this file to launch automatically. If this file successfully launches, it could cause a macro or Visual Basic for Applications (VBA) code to run that will potentially allow the attacker to take full control of that box.

The SSL Certificate Validation Vulnerability

Microsoft Internet Explorer Version: 4.x, 5.0, and 5.01

Note: MSIE 5.01 Service Pack 1 and MSIE 5.5 are not affected.

Impact: Two flaws exist in MSIE that can allow a malicious Web site to pose as a legitimate Web site. The attacker can trick users into disclosing information (such as credit card numbers or personal data) intended for a legitimate Web site.

Class: Moderate

Fix: http://www.microsoft.com/windows/ie/download/critical/patch11.htm or upgrade to MSIE 5.5.

Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-039.asp

Credit: ACROS Penetration Team, Slovenia

When a connection to a secure server is made through either a frame or an image on a Web site, MSIE only verifies that the server's Secure Sockets Layer (SSL) certificate was issued by a trusted root, and does not verify either the server name or the expiration date of the certificate. When you make a secure connection via any other means, MSIE performs the expected validation. If a user establishes a new SSL session with the same server during the same MSIE session, MSIE does not revalidate the certificate.
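The validation that the framed and image-loading code path skipped is the difference between "issued by a trusted root" and "issued by a trusted root, for this server name, and still within its validity period". As an added example that is not from the book or from Microsoft, the following Python code applies all three checks to a certificate laid out in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the certificate, the root store and the timestamps are constructed for the example, and the issuer check is reduced to a name lookup since chain building is outside the point being made:

```python
import calendar
import time

# Constructed certificate in the layout returned by ssl.SSLSocket.getpeercert().
# Every value here is made up for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-shop.test"),),),
    "issuer": ((("commonName", "Example Trusted Root CA"),),),
    "subjectAltName": (("DNS", "www.example-shop.test"),
                       ("DNS", "*.cdn.example-shop.test")),
    "notBefore": "Jan  1 00:00:00 2001 GMT",
    "notAfter": "Dec 31 23:59:59 2001 GMT",
}

# Stand-in for the browser's root store (assumption: issuer identified by CN only).
TRUSTED_ROOTS = {"Example Trusted Root CA"}


def cert_time(text):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' timestamps used in getpeercert() output."""
    return calendar.timegm(time.strptime(text, "%b %d %H:%M:%S %Y GMT"))


VALID_NOW = cert_time("Jun 15 12:00:00 2001 GMT")      # inside the validity period
AFTER_EXPIRY = cert_time("Jun 15 12:00:00 2002 GMT")   # after notAfter


def issuer_trusted(cert):
    """The only check the vulnerable MSIE code path performed."""
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return issuer.get("commonName") in TRUSTED_ROOTS


def _match(pattern, hostname):
    """Name match in the RFC 2818 style: '*.' may cover exactly one leading label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def name_matches(cert, hostname):
    """Check the server name against subjectAltName DNS entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return any(_match(n, hostname) for n in names)


def in_validity_period(cert, now):
    return cert_time(cert["notBefore"]) <= now <= cert_time(cert["notAfter"])


def validate(cert, hostname, now):
    """Return the list of failed checks; an empty list means the certificate is acceptable."""
    failures = []
    if not issuer_trusted(cert):
        failures.append("untrusted issuer")
    if not name_matches(cert, hostname):
        failures.append("hostname mismatch")
    if not in_validity_period(cert, now):
        failures.append("expired or not yet valid")
    return failures


if __name__ == "__main__":
    print(validate(SAMPLE_CERT, "www.example-shop.test", VALID_NOW))   # []
    print(validate(SAMPLE_CERT, "www.attacker.test", VALID_NOW))       # ['hostname mismatch']
```

The point of the split into three functions is that issuer_trusted() alone passes a certificate that any customer of the same CA could have bought, which is precisely why name and expiry checks must run on every new session rather than being cached per server.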

The Unauthorized Cookie Access Vulnerability

Microsoft Internet Explorer Version: 4.x, 5.0, and 5.01

Note: MSIE 5.01 Service Pack 1 and MSIE 5.5 are not affected.

Impact: This vulnerability can allow a malicious Webmaster to obtain personal information from a user's box.

Class: Moderate

Fix: http://www.microsoft.com/windows/ie/download/critical/patch11.htm

Additional Info: http://www.microsoft.com/technet/security/bulletin/FQ00-033.asp#B.

Credit: Unknown

A malicious Web site operator could entice a user to click a link on the operator's site that would allow the operator to read, change, or add a cookie to that user's box.

Microsoft Exchange Server

The following sections list important vulnerabilities in Microsoft Exchange Server 2000 and Exchange Server 5.x.

Microsoft Exchange Encapsulated SMTP Address Vulnerability

Microsoft Exchange Server Version: 5.5

Impact: Intruder can perform mail relaying.

Class: Moderate Denial of Service

Fix: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/imc-fix/

Additional Info: http://www.microsoft.com/technet/security/bulletin/fq99-027.asp

Credit: Laurent Frinking of Quark Deutschland GmbH

This vulnerability could enable an intruder to get around the antirelaying features of an Internet-connected Exchange server. Because encapsulated Simple Mail Transfer Protocol (SMTP) addresses are not subject to the same antirelaying protections as nonencapsulated SMTP addresses, an intruder can cause a server to forward an encapsulated SMTP address from the attacker to any e-mail address he or she wants as though the server were the sender of the e-mail.

Microsoft Exchange Malformed Bind Request Vulnerability

Microsoft Exchange Server Version: 5.5

Impact: An intruder can cause denial of service attacks or can run code on the server.

Class: Severe Denial of Service

Fix for X86-based Exchange: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/DIR-fix/PSP2DIRI.EXE

Fix for Alpha-based Exchange: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/DIR-fix/PSP2DIRA.EXE

Additional Info: http://www.microsoft.com/technet/security/bulletin/ms99-009.asp

Credit: ISS X-Force

The Bind function has an unchecked buffer that poses two threats: an attacker could send a malformed Bind request that causes the Exchange Directory service to crash, or a carefully constructed Bind request whose purpose is to execute arbitrary code on the server using a classic buffer overrun technique.

Microsoft Exchange Malformed MIME Header Vulnerability

Microsoft Exchange Server Version: 5.5

Impact: A malicious user can cause an Exchange Server to fail.

Class: Severe Denial of Service

Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25443 or Exchange 5.5 SP4

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-082.asp

Credit: Art Savelev

The Exchange Server normally checks for invalid values in the MIME header fields. However, the Exchange service will fail if a particular type of invalid value is present in certain MIME header fields. You can restore normal operations by restarting the Exchange Server and then deleting the offending mail. The offending mail will be at the front end of the queue after you restart the Exchange service.

Microsoft Exchange NNTP Denial-of-Service Vulnerability

Microsoft Exchange Server Versions: 5.0 and 5.5

Impact: An attacker can cause the Server Information Store to choke.

Class: Medium Denial of Service

Fix: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Post-SP2-STORE/Exchg5.0/Post-SP2-STORE/ or install SP1 or later

Additional Info: http://www.microsoft.com/technet/security/bulletin/ms98-007.asp

Credit: Internet Security Systems, Inc.'s X-Force team

When an attacker sends a series of malformed data, an application error can result in the Server Information Store failing. Users then fail in their attempts to connect to their folders on the Exchange Server.

Microsoft Exchange SMTP Denial of Service Vulnerability

Microsoft Exchange Server Versions: 5.0 and 5.5

Impact: An attacker can cause the Internet Mail Service to choke.

Class: Medium Denial of Service

Fix: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/post-sp2-ims/ or install SP1 or later

Additional Info: http://www.microsoft.com/technet/security/bulletin/ms98-007.asp

Credit: Internet Security Systems, Inc.'s X-Force team

When an attacker sends a series of malformed data, an application error can result in the Internet Mail Service failing.

Microsoft Exchange Error Message Vulnerability

Microsoft Exchange Server Versions: 5.0 and 5.5

Impact: An intruder might be able to recover encrypted data from your network.

Class: Moderate to Severe

Fix: Download the latest version of Schannel.dll. Check out this URL for information on where to obtain the latest version http://support.microsoft.com/support/kb/articles/q148/4/27.asp

Additional Info: http://www.microsoft.com/technet/security/bulletin/ms98-002.asp

Credit: Daniel Bleichenbacher

An intruder, running a sniffer on your network, might be able to observe an SSL-encrypted session, interrogate the server involved in that session, recover the session key used in that session, and then recover the encrypted data from that session.

Microsoft Exchange User Account Vulnerability

Microsoft Exchange Server Version: 2000

Impact: An intruder can remotely log on to an Exchange 2000 Server and possibly onto other servers in the affected Exchange Server's network.

Class: Moderate to Severe

Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25866

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-088.asp

Credit: Unknown

A malicious user can log on to Exchange by using an account with a known username (EUSR_EXSTOREEVENT) and a password that Exchange creates during the setup process. Normally this account has only local user rights, meaning that the account is neither a privileged account nor can it gain access to Exchange 2000 data. However, when you install Exchange 2000 on a domain controller, the system automatically gives Domain User privileges to the account, and so it can gain access to other resources on the affected domain. Microsoft recommends that you disable or delete this account after the setup process has completed.

IIS (Internet Information Server)

IIS is a very popular Internet server package and like most server packages, it has vulnerabilities. IIS is covered here in detail. However, please note that the list of vulnerabilities discussed is not exhaustive. Other vulnerabilities of lesser severity exist.

The IIS Cross-Site Scripting Vulnerabilities

IIS Version: 4.0 and 5.0

Impact: An attacker can run code on your machine masquerading as a third-party Web site.

Class: Severe

Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25534

Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25533

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-060.asp

Credit: Peter Grundl of Defcom

When a malicious user runs code masquerading as a third-party Web site, that code can take any action on your box that the third-party Web site is permitted to take. If you designate that Web site as a trusted site, the attacker's code could take advantage of the increased privileges. The attacker can make the code persistent, so that if you return to that Web site in the future, the code will begin to run again.

The IIS Malformed Web Form Submission Vulnerability

IIS Version: 4.0 and 5.0

Impact: An attacker can prevent a Web server from providing service.

Class: Severe Denial of Service

Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26704

Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26277

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-100.asp

Credit: eEye Digital Security

FrontPage Server Extensions ship with IIS 4.0 and IIS 5.0 and provide browse-time support functions. A vulnerability exists in some of these functions that allows an attacker to levy a malformed form submission to an IIS server that would cause the IIS service to fail. In IIS 4.0, you have to restart the service manually. In IIS 5.0, the IIS service will restart by itself.

The IIS New Variant of File Fragment Reading via .HTR Vulnerability

IIS Version: 4.0 and 5.0

Impact: An attacker can read fragments of files from a Web server.

Class: Moderate

Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27492

Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27491

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS01-004.asp

Credit: Unknown

An attacker can cause a requested file to be processed by the .HTR ISAPI extension in such a way as to cause fragments of server-side files, such as .ASP files, to be sent to the attacker.

The IIS Session ID Cookie Marking Vulnerability

IIS Version: 4.0 and 5.0

Impact: A malicious user can hijack another user's secure Web session.

Class: Critical

Fix for IIS 4.0 x86 platforms: http://www.microsoft.com/ntserver/nts/downloads/critical/q274149

Fix for IIS 4.0 Alpha platforms: Available from Microsoft Product Support Services

Fix for IIS 5.0: http://www.microsoft.com/Windows2000/downloads/critical/q274149

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-080.asp

Credit: ACROS Security and Ron Sires and C. Conrad Cady of Healinx

IIS uses the same Session ID for both secure and nonsecure pages on the same Web site. What this means to you is that when you initiate a session with a secure Web page, the Session ID cookie is protected by SSL. If you subsequently visit a nonsecure page on the same site, that same Session ID cookie is exchanged, only this time in plaintext. If a malicious user has control over the communications channel of your box, she could then read the plaintext Session ID cookie and use it to take any action on the secure page that you can.
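The general control against this class of problem is the Secure attribute on the Set-Cookie header: a cookie marked Secure is only ever sent back over SSL, so a subsequent plaintext page cannot carry the same session ID. As an added example that is not from the book and is not Microsoft's patch for this bulletin, the following Python code audits constructed Set-Cookie headers for the Secure (and HttpOnly) attributes and models the browser rule that decides whether a cookie goes out on an http request; the cookie name and value are made up:

```python
from http.cookies import SimpleCookie

# Constructed headers. The first is the weak form described in the text: one
# session cookie usable on both secure and nonsecure pages. The second is
# marked Secure (and HttpOnly, an additional hardening not discussed above).
WEAK_HEADER = "Set-Cookie: ASPSESSIONID=CONSTRUCTEDVALUE123; path=/"
HARDENED_HEADER = "Set-Cookie: ASPSESSIONID=CONSTRUCTEDVALUE123; path=/; Secure; HttpOnly"


def parse_set_cookie(header):
    """Return (name, morsel) for a single 'Set-Cookie: ...' header line."""
    value = header.split(":", 1)[1].strip()
    jar = SimpleCookie()
    jar.load(value)
    name, morsel = next(iter(jar.items()))
    return name, morsel


def cookie_findings(header):
    """Audit one Set-Cookie header; return the list of missing protections."""
    name, morsel = parse_set_cookie(header)
    findings = []
    if not morsel["secure"]:
        findings.append(f"{name}: missing Secure; browser will send it in plaintext over http://")
    if not morsel["httponly"]:
        findings.append(f"{name}: missing HttpOnly; readable by page script")
    return findings


def would_send(header, scheme):
    """Browser rule: a cookie without Secure is sent on http and https alike;
    a Secure cookie is sent only when the request scheme is https."""
    _, morsel = parse_set_cookie(header)
    return scheme == "https" or not morsel["secure"]


if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        print(header)
        for finding in cookie_findings(header):
            print("  ", finding)
        print("   sent on http request:", would_send(header, "http"))
```

Run against the headers your own server emits (a single request to a secure page is enough to capture them), the audit tells you whether a session established under SSL can be replayed from a plaintext request, which is the condition the hijack above depends on.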

The IIS Web Server File Request Parsing Vulnerability

IIS Version: 4.0 and 5.0

Impact: Remote users can run operating system commands on a Web server.

Class: Critical

Fix for IIS 4.0: http://www.microsoft.com/ntserver/nts/downloads/critical/q277873

Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25547

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-086.asp

Credit: NSFocus

An attacker can execute operating system commands that would enable her to take any action that any interactively logged-on user could take. This would enable her to add, delete, or change files on the server; modify Web pages; reformat the hard drive; run existing code on the server; or upload code onto the server and then run it.

The Invalid URL Vulnerability

IIS Version: 4.0

Impact: Attacker can cause IIS service to fail.

Class: Severe Denial of Service

Fix for NT 4.0 Workstation, Server and Server Enterprise Editions: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24403

Credit: Peter Grundl of VIGILANTe

An attacker can send an invalid URL to the server which, through a sequence of events, could result in an invalid memory request that would cause the IIS service to fail. Microsoft engineers believe that the underlying problem actually exists within Windows NT 4.0 itself.

The Myriad Escaped Characters Vulnerability

IIS Version: 4.0 and 5.0

Impact: An attacker can slow an IIS server's response or prevent it from providing service.

Class: Medium to Severe Denial of Service

Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20292

Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20286

Credit: Vanja Hrustic of the Relay Group

By sending a malformed URL with an extremely large number of escape characters, an attacker can consume large quantities of CPU time and thus slow down or prevent the IIS server from providing service for a period of time.

The Web Server Folder Traversal Vulnerability

IIS Version: 4.0 and 5.0

Impact: An attacker can take destructive actions against a Web server.

Class: Critical

Fix: http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

Credit: Rain Forest Puppy

An attacker can change or delete files or Web pages, run existing code on the Web server, upload new code and run it, format the hard disk, or take any number of other destructive actions.
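Both the escaped-characters denial of service and the folder traversal above come down to how a Web server turns a raw request path into a file on disk. As an added example that is not from the book and not IIS code, the following Python function shows the order of checks a server-side path handler should apply: bound the amount of decoding work before doing it, decode exactly once, refuse anything that still looks encoded afterwards, canonicalize (including backslashes, which Windows treats as path separators), and only then confine the result to the document root. The web root, the escape cap and the hostile sample paths are all assumptions for the example:

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"   # assumed document root for the example
MAX_ESCAPES = 64                # assumed cap on %XX sequences in one request path


def check_request_path(raw_path, web_root=WEB_ROOT, max_escapes=MAX_ESCAPES):
    """Map a raw request path to a file path under web_root.

    Returns (True, resolved_path) or (False, reason). The checks are ordered
    so that cheap rejections happen before any decoding or normalization.
    """
    # 1. Bound the work: a path stuffed with escapes is refused, not decoded.
    if raw_path.count("%") > max_escapes:
        return False, "too many escape sequences"

    # 2. Decode exactly once; invalid UTF-8 inside the escapes is an error,
    #    not something to silently replace with a placeholder character.
    try:
        decoded = unquote(raw_path, errors="strict")
    except UnicodeDecodeError:
        return False, "invalid UTF-8 in escape sequences"

    # 3. Anything still encoded after one pass is a layered encoding; refuse it
    #    rather than decoding again, since later components may decode it themselves.
    if "%" in decoded:
        return False, "nested escape sequences"
    if "\x00" in decoded:
        return False, "NUL byte in path"

    # 4. Canonicalize: treat backslashes as separators and collapse '.' and '..'.
    relative = decoded.replace("\\", "/").lstrip("/")
    resolved = posixpath.normpath(posixpath.join(web_root, relative))

    # 5. Confine: the canonical path must still sit under the web root.
    if posixpath.commonpath([web_root, resolved]) != web_root:
        return False, "escapes the web root"
    return True, resolved


if __name__ == "__main__":
    # Constructed request paths, benign and hostile.
    for path in ("/default.htm", "/..%2f..%2foutside.txt", "/%2e%2e%5cprivate.txt",
                 "/a%255cb.htm", "/" + "%41" * 200):
        print(f"{path[:40]!r:44} -> {check_request_path(path)}")
```

Step 4 is the one most often done wrong: a check for ".." on the raw string runs before decoding and misses escaped or backslash forms, whereas checking the normalized, joined path against the root with commonpath() is independent of how the traversal was spelled. Step 1 is what keeps the handler from burning CPU on a request that only exists to be expensive.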

Tools

After you establish your Windows NT 4.0 or Windows 2000 server, you can obtain several indispensable tools that will help you keep it secure. No Windows NT 4.0 or Windows 2000 administrator should be caught without these tools.

Administrator Assistant Tool Kit

Administrator Assistant Tool Kit is an application suite that contains utilities to streamline system administration on Windows NT boxes.

Aelita Software

3978 North Hampton Drive

Powell, OH 43065

800-263-0036

Windows Version: Windows NT 4.0 or Windows NT 3.51

Email: Services@aelita.com

URL: http://www.aelita.net/products/AdminAssist.htm

Administrator's Pak

The Administrator's Pak includes a variety of tools for recovering crashed Windows 2000 and Windows NT 4.0 systems. This bundle includes the NT Locksmith, NTRecover, Remote Recover, and NTFSDOS Pro tools, just to name a few. The Administrator's Pak bundle is a great value for tools that will help with recovering your Windows 2000 and Windows NT boxes.

Winternals Software LP

3101 Bee Caves Road, Suite 150

Austin, TX 78746

512-330-9130

Windows Version: Windows 2000 or Windows NT 4.0

Email: info@winternals.com

URL: http://www.winternals.com/

AntiSniff 1.021

AntiSniff 1.021 is a proactive security monitoring tool that searches for computers that are in promiscuous mode. This product helps administrators and security teams detect who is watching traffic at their site.

Security Software Technologies, Inc.

Windows Version: Windows NT 4.0 or Windows 9x. SST expects to release the Windows 2000 version soon.

Email: sst@securitysoftwaretech.com

URL: http://www.securitysoftwaretech.com/antisniff/index.html/

FileAdmin

FileAdmin is an advanced tool for manipulating file permissions on large Windows NT-based networks. This utility can save you many hours of work.

Aelita Software

3978 North Hampton Drive

Powell, OH 43065

800-263-0036

Windows Version: Windows NT 4.0 or Windows NT 3.51

Email: Services@aelita.com

URL: http://www.aelita.net/products/FileAdmin.htm

Kane Security Analyst 5.0

Kane Security Analyst provides real-time intrusion detection for Windows NT 4.0 and Windows 2000. This utility monitors and reports security violations and is very configurable. It assesses six critical security areas: access control, data confidentiality, data integrity, password strength, system monitoring, and user account restrictions.

Intrusion.com, Inc. USA

1101 East Arapaho Rd, Suite 100

Richardson, TX 75081

888-637-7770

Windows Version: Windows 2000, Windows NT, or Windows 9x

Email: info@intrusion.com

URL: http://www.intrusion.com/Products/analystnt.shtml

L0phtCrack 3.0

L0phtCrack is a tool that audits Windows 2000 and Windows NT passwords. L0phtCrack is a powerful tool that really needs to be part of every administrator's toolkit. You can display various information about the password tests, including how long it took to crack each password, the cracked passwords, and encrypted password hashes.

Security Software Technologies, Inc.

Windows Version: Windows 2000 or Windows NT 4.0

Email: sst@securitysoftwaretech.com

URL: http://www.securitysoftwaretech.com/l0phtcrack/

LANguard Internet Access Control

Internet Access Control not only enables you to monitor and control Internet usage on your network, it also monitors network traffic to detect break-ins from outside your network. With Internet Access Control, you use keywords to block access to unwanted sites (such as IRC). You can also use keywords to block searches for objectionable material at search engine sites without blocking the entire search engine. With the network monitor, you can watch for suspicious incoming traffic to a specific server that shouldn't be accessible to outside traffic.

GFI Fax & Voice USA

105 Towerview Court

Cary, NC 27513

888-2GFIFAX

Windows Version: Windows 2000 or Windows NT 4.0

Email: sales@gfi.com

URL: http://www.gfi.com/

LANguard Security Reporter

Security Reporter collects data about your Windows NT 4.0 or Windows 2000 network, such as user rights, users having administrative rights, and resource permissions, among others. This information is stored in a central database. You use the information in this database to generate reports that help you to identify and fix potential security problems.

GFI Fax & Voice USA

105 Towerview Court

Cary, NC 27513

888-2GFIFAX

Windows Version: Windows 2000 or Windows NT 4.0

Email: sales@gfi.com

URL: http://www.gfi.com/

NT Crack

NT Crack is a tool that audits Windows NT passwords. This is the functional equivalent of Crack for UNIX.

Secure Networks, Inc.

1201 5th Street S.W., Suite 330

Calgary, Alberta Canada T2R-0Y6

Windows Version: Windows NT (all versions)

URL: http://www.system7.org/archive/Nt-Hacking/windows.html

NT Locksmith

NT Locksmith will access a Windows NT box without a password. It is a recovery utility that allows you to set a new admin password.

Winternals Software LP

3101 Bee Caves Road, Suite 150

Austin, TX 78746

512-330-9130

Windows Version: Windows 2000 or Windows NT 4.0

Email: info@winternals.com

URL: http://www.winternals.com/

NTFSDOS Pro

NTFSDOS Pro allows you to copy and rename permissions on Windows 2000 and Windows NT 4.0 from a DOS diskette. This is a great tool to keep around for emergencies (for example, when you lose that Administrator password).

Winternals Software LP

3101 Bee Caves Road, Suite 150

Austin, TX 78746

512-330-9130

Windows Version: Windows 2000 or Windows NT 4.0

Email: info@winternals.com

URL: http://www.winternals.com/

NTHandle

NTHandle identifies open processes in Windows NT and thus allows you to keep an eye on your users.

NT Internals (Mark Russinovich)

Windows Version: Windows 9x/Me, Windows NT 4.0, Windows 2000, or Whistler Beta 1

Email: mark@sysinternals.com

URL: http://www.sysinternals.com

NTRecover

NTRecover is a salvage program. It allows you to access dead Windows NT drives via serial lines. Now, is that cool or what? NTRecover uses a serial cable to access files and volumes on a dead NT box. You use the serial cable connection to make the disks on the dead box seem as though they are mounted on your own system.

Winternals Software LP

3101 Bee Caves Road, Suite 150

Austin, TX 78746

512-330-9130

Windows Version: Windows 2000 or Windows NT 4.0

Email: info@winternals.com

URL: http://www.winternals.com/

PC Firewall ASaP

PC Firewall ASaP is a bi-directional packet filter suite for Windows 9x/Me and Windows NT 4.0 clients.

myCIO.com (Network Associates, Inc.)

3965 Freedom Circle

Santa Clara, CA 95054

877-796-9246

Windows Version: Windows 9x/Me or Windows NT 4.0

Email: support@mycio.com

URL: http://www.mycio.com/

RedButton

RedButton is a tool for testing remote vulnerabilities of a publicly accessible Registry. Download Rbutton.zip.

Midwestern Commerce, Inc.

1601 West Fifth Avenue, Suite 207

Columbus, OH 43212

Windows Version: Windows NT (all versions)

URL: http://www.system7.org/archive/Nt-Hacking/windows.html

RegAdmin

RegAdmin is an advanced tool for manipulating Registry entries on large networks, which is a big timesaver.

Aelita Software

3978 North Hampton Drive

Powell, OH 43065

800-263-0036

Windows Version: Windows NT 4.0 or Windows NT 3.51

Email: Services@box.omna.com

URL: http://www.aelita.net/products/RegAdmin.htm

Remote Recover

Remote Recover acts in the same way as NTRecover. The difference is that it treats remote drives as though they were locally installed. It allows you to access and modify drives on unbootable or new boxes using the network and a bootable floppy.

Winternals Software LP

3101 Bee Caves Road, Suite 150

Austin, TX 78746

512-330-9130

Windows Version: Windows 2000 or Windows NT 4.0

Email: info@winternals.com

URL: http://www.winternals.com/

ScanNT Plus

ScanNT Plus is a dictionary password attack utility. Test your NT passwords.

Midwestern Commerce, Inc. (Ntsecurity.com)

1601 West Fifth Avenue Suite 207

Columbus, OH 43212

Windows Version: Windows NT 4.0

Email: Services@box.omna.com

URL: http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles/info.html?b=pcm&fcode=000H36

Sniffer Basic

Sniffer Basic (formerly named NetXRay Analyzer) is a powerful protocol analyzer (sniffer) and network monitoring tool for Windows NT. It is probably the most comprehensive NT sniffer available.

Sniffer Technologies

3965 Freedom Circle

Santa Clara, CA 95054

800-SNIFFER

Windows Version: Windows NT (all versions) or Windows 98

Note: Sniffer Technologies released Sniffer Pro 4.5 for laptop platforms in January, 2001. This version includes support for Windows 2000.

Email: bcahillane@nai.com

URL: http://www.sniffer.com/products/sniffer-basic/default.asp?A=2

Somarsoft DumpSec

Somarsoft DumpSec dumps permissions for the Windows NT file system and the Registry, including shares and printers. It offers a bird's-eye view of permissions, which are normally hard to gather on large networks.

SystemTools LLP

P.O. Box 1209

La Vernia, TX 78121

877-797-8665

Windows Version: Windows NT (all versions)

Email: sales@systemtools.com

URL: http://www.somarsoft.com/

Somarsoft DumpEvt

Somarsoft DumpEvt dumps Event Log information for importation into a database for analysis.

SystemTools LLP

P.O. Box 1209

La Vernia, TX 78121

877-797-8665

Windows Version: Windows 2000 or Windows NT (all versions)

Email: sales@systemtools.com

URL: http://www.somarsoft.com/

Somarsoft DumpReg

Somarsoft DumpReg dumps Registry information for analysis. It also allows incisive searching and matching of keys.

SystemTools LLP

P.O. Box 1209

La Vernia, TX 78121

877-797-8665

Windows Version: Windows NT (all versions) or Windows 98

Email: info@somarsoft.com

URL: http://www.somarsoft.com/

Virtuosity

Virtuosity is a wide-scale management and Windows NT rollout tool. (Good for heavy-duty rollouts.)

Raxco, Ltd.

Orchard House

Narborough Wood Park

Enderby, Leicester, UK LE9 5XT

+44 (0)116 239-5888

Windows Version: Windows NT 4.0 or Windows NT 3.51

URL: http://www.domainmigration.com/fp_virtuosity.html

Access Control Software

The following section introduces several good packages for adding access control to Windows 2000, Windows NT, and Windows 9x/Me.

Cetus StormWindow

Cetus Software, Inc.

P.O. Box 1450

Marshfield, MA 02050

781-834-4411

Windows Version: Windows 2000, Windows NT 4.0 or Windows 9x/Me

Email: cetussoft@aol.com

URL: http://www.cetussoft.com/

Cetus StormWindow allows you to incisively hide and protect almost anything within the system environment, including the following:

        Links and folders

        Drives and directories

        Networked devices and printers

In all, Cetus StormWindow offers very comprehensive access control. (This product will also intercept most alternate boot requests, such as warm boots, Ctrl+Alt+Delete, and function keys.)

Clasp2000

Clasp2000

4 Grand Banks Circle

Marlton, NJ 08053

FAX: 810-821-6250

Windows Version: Windows 2000 or Windows 9x

Email: service@claspnow.com

URL: http://www.cyberenet.net/~ryan/

Clasp2000 offers strong password protection, disables access to Windows 95 and Windows 98, and intercepts warm boot Ctrl+Alt+Delete sequences.

ConfigSafe Complete Recovery v4 by imagine LAN, Inc.

imagine LAN, Inc.

74 Northeastern Blvd. Suite 12

Nashua, NH 03062

800-372-9776

Windows Version: Windows 2000, Windows NT 4.0 or Windows 9x/Me

Email: feedback@imagelan.com

URL: http://www.configsafe.com

ConfigSafe Complete Recovery v4 records changes and updates made to the Registry, system files, drivers, directory structures, DLL files, and system hardware. You can instantly restore a system to a previously working configuration with ConfigSafe.

DECROS Security Card by DECROS, Ltd.

DECROS, Ltd.

J. S. Baara 40

370 01 Ceske Budejovice Czech Republic

420-38-731 2808

Windows Version: Windows 2000, Windows NT 4.0 or Windows 9x/Me

Email: info@decros.cz

URL: http://www.decros.com/security_division/p_list_hw.htm

DECROS Security Card provides C2-level access control using physical security in the form of a card key. Without that card, no one will gain access to the system.

Desktop Surveillance Enterprise and Personal Editions

Omniquad, Ltd.

Hanovia House

28/29 Eastman Road

London W3 7YG, UK

+44 (0) 181 743 8093

Windows Version: Windows NT 4.0 or Windows 9x

Email: support@omniquad.com

URL: http://www.omniquad.com/

Desktop Surveillance is a full-fledged investigation and access control utility. (This product has strong logging and audit capabilities.)

HDD-Protect 2.5c

Gottfried Siehs

Tiergartenstrasse 99

A-6020 Innsbruck, Austria / Europe

Windows Version: Windows 98 or Windows 95

Email: g.siehs@tirol.com

URL: http://www.geocities.com/SiliconValley/Lakes/8753/

HDD-Protect has hardware-level access control and actually restricts access to the hard disk drive.

Omniquad Detective 2.1

Hanovia House

28/29 Eastman Road

London W3 7YG, UK

+44 (0) 181 743 8093

Windows Version: Windows NT 4.0 or Windows 9x

Email: support@omniquad.com

URL: http://www.omniquad.com/

The Detective is a simple but powerful tool for monitoring system processes. Omniquad Detective enables you to monitor computer usage, reconstruct activities that have occurred on a workstation or server, identify intruders who try to cover their tracks, perform content analysis, and define user search patterns. In all, this very comprehensive tool is tailor-made to catch someone in the act, and is probably suitable for investigating computer-assisted crime in the workplace.

Secure4U 5.0

Sandbox Security AG

Lilienthalstr. 1

82178 Puchheim

Germany

+49 (0) 89 800 70 0

Windows Version: Windows 2000, Windows NT 4.0 or Windows 9x/Me

Email: sales@SandboxSecurity.com

URL: http://www.sandboxsecurity.com/main.htm

Secure4U provides powerful filtering and access control. It specifically targets ActiveX, Java, and other embedded plug-ins and scripting languages, stopping them from flowing into your network.

StopLock Suite by Conclusive Logic, Inc.

Conclusive Logic, Inc.

800 W. El Camino Real

Suite 180

Mountain View, CA 94040 USA

650-943-2359

Windows Version: Windows 2000, Windows NT 4.0 or Windows 9x

Email: info@conclusive.com

URL: http://www.conclusive.com/

StopLock provides access control. The package also includes boot control, auditing functionality, and logging tools.

TrueFace

eTrue, Inc.

144 Turnpike Rd.

Suite 100

Southboro, MA 01772

508-303-9901

Windows Version: Windows 32-bit platforms

URL: http://www.miros.com/solutions/face.htm

TrueFace is a face recognition program. The software recognizes only those faces that are registered in its face database. The machine actually looks at you to determine whether you are an authorized user. The company claims that the technology on which TrueFace is based is neural net technology.

Windows Task-Lock by Posum LLC

Posum LLC

P.O. Box 21015

Huntsville, AL 35824

256-895-9857

Windows Version: Windows 2000, Windows NT 4.0, or Windows 9x/Me

Email: support@posum.com

URL: http://posum.com/

Windows Task-Lock 6.0 provides a simple, inexpensive, and effective way to password-protect specified applications no matter how you (or someone else) execute them. It is easy to configure and requires little to no modification of your current system configuration. Optional sound events, stealth mode, and password timeout are also included.

WP WinSafe

PBNSoft

Windows Version: Windows NT or Windows 9x

Email: info@pnbsoft.com

URL: http://www.pbnsoft.com/

WinSafe, a promising utility, allows you to encrypt your files using strong cryptographic algorithms such as Blowfish and CAST. With WinSafe you can choose from among 28 different algorithms. Other tools included with this package are File Wiping and Merge Files. File Wiping overwrites deleted files with random trash the number of times that you specify. Merge Files enables you to merge two files so that you can hide one file inside another.

Caution

The documentation suggests that using the Windows Policy Editor to set the real-mode DOS settings could potentially conflict with WinSafe.


SafeGuard Easy

Utimaco Safeware, Inc.

2 Chestnut Place

Suite 310

22 Elm Street

Worcester, MA 01608 USA

508-799-4333

Windows Version: Windows 2000, Windows NT 4.0, Windows 9x, or MS-DOS

Email: info.us@utimaco.de

URL: http://www.utimaco.de/newpage/indexmain.html

SafeGuard Easy offers hard disk drive encryption, protection against booting from a floppy, password aging, and password authentication for Windows operating systems. SafeGuard supports several strong encryption algorithms, including both DES and International Data Encryption Algorithm (IDEA). The SafeGuard line of products includes SafeGuard VPN, SafeGuard LAN Crypt, and SafeGuard Personal FireWall. Of special interest is that these products can be installed over a network (thereby obviating the need to make separate installations).

Secure Shell

F-Secure, Inc.

5007 Lincoln Avenue, Suite 310

Lisle, IL 60532 USA

630-810-8901

Windows Version: Windows 2000, Windows NT 4.0, Windows 9x, or Windows 3x

Email: Chicago@F-secure.com

URL: http://www.f-secure.com/products/network_security/

Secure Shell (SSH) provides safe, encrypted communication over the Internet or other untrusted networks. SSH is an excellent replacement for Telnet or rlogin. SSH uses IDEA and Rivest-Shamir-Adleman (RSA) encryption and is therefore extremely secure. It is reported that the keys are discarded and new keys are made once an hour. SSH completely eliminates the possibility of third parties capturing your communication (for example, passwords that might otherwise be passed in clear text). SSH sessions cannot be overtaken or hijacked, nor can they be sniffed. The only real drawback is that for you to use SSH, the other end must also be using it. Although you might think such encrypted communication would be dreadfully slow, it isn't.

Good Online Sources of Information

This section contains many good Windows resource links. Most are dynamic and house material that is routinely updated.

The Windows NT Security FAQ

If you are new to Windows NT security, the Windows NT Security Frequently Asked Questions document is an absolute must. I would wager that better than half of the questions you have about NT security are answered in this document.

    http://www.it.kth.se/~rom/ntsec.html
  
NTBugTraq

NTBugTraq is an excellent resource provided by Russ Cooper of RC Consulting. The site includes a database of Windows NT vulnerabilities, plus the archived and searchable versions of the NTBugTraq mailing list.

    http://www.ntbugtraq.com
  
NTSECURITY.COM for Windows 2000 and Windows NT

This site is hosted by the Aelita Software Group, a division of Midwestern Commerce, Inc., a well-known development firm that designs security applications for Windows 2000 and Windows NT, among other things.

    http://www.ntsecurity.com/default.htm
  
Expert Answers for Windows 2000, Windows NT, and Windows 9x/Me

This is a forum in which advanced Windows 2000, Windows NT, and Windows 9x/Me issues are discussed. It is a good place to find possible solutions to very obscure and configuration-specific problems. Regulars post clear, concise questions and answers along the lines of "I have a PPRO II w/ NT 4.0 and IIS 3 running MS Exchange 5.0, with SP3 for NT and SP1 for Exchange. So, why is my mail server dying?"

    http://community.zdnet.com/cgi-bin/podium/show?ROOT=331&MSG=331&T=index
  
Windows IT Security (Formerly NTSecurity.net)

The Windows IT Security site, hosted by Windows 2000 Magazine, is full of information about the latest in security. You can subscribe to discussion lists about advanced vulnerabilities in the Windows 2000 and Windows NT operating systems. You can find it at the following URL:

    http://www.ntsecurity.net/
  
"An Introduction to the Windows 2000 Public Key Infrastructure"

"An Introduction to the Windows 2000 Public Key Infrastructure" is an article written by Microsoft Press. It presents an introduction to one of Windows 2000's new security features, PKI.

    http://www.microsoft.com/WINDOWS2000/library/howitworks/security/pkiintro.asp
  
Windows 2000 Magazine Online

I know what you're thinking: that commercial magazines are probably not very good sources for security information. I am happy to report that this site is an exception. Some very valuable articles and editorials about Windows 2000 and Windows NT 4.0 appear here.

    http://www.winntmag.com/
  
Securing Windows NT Installation

Securing Windows NT Installation is an incredibly detailed document from Microsoft on establishing a secure Windows NT server. You can find it at this site:

    http://www.microsoft.com/ntserver/security/exec/overview/Secure_NTInstall.asp
  
Checklist for Upgrading to Windows 2000 Server

Microsoft lists the steps necessary to upgrade to Windows 2000. They include how to check whether your hardware and software is compatible with Windows 2000 and how to choose a file system. You can find it here:

    http://www.microsoft.com/TechNet/win2000/srvchk.asp
  
The University of Texas at Austin Computation Center NT Archive

This site contains a wide (and sometimes eclectic) range of tools and fixes for Windows NT. (A good example is a fully functional Curses library for use on NT.)

    ftp://microlib.cc.utexas.edu:/microlib/nt/
  

Books on Windows 2000 and Windows NT Security

The following titles are assorted treatments on Windows 2000 and NT security.

Securing Windows NT/2000 Servers for the Internet. Stefan Norberg, Deborah Russell. O'Reilly & Associates. 1-56592-768-0. 2000.

Windows 2000 Security. Roberta Bragg. New Riders Publishing. 0-73570-991-2. 2000.

Windows 2000 Security: Little Black Book. Ian McLean. The Coriolis Group. 1-57610-387-0. 2000.

Configuring Windows 2000 Server Security. Thomas W. Shinder and D. Lynn White. Syngress Media, Inc. 1-92899-402-4. 1999.

Microsoft Windows 2000 Security Technical Reference. Internet Security Systems, Inc. Microsoft Press. 0-73560-858-X. 2000.

Microsoft Windows 2000 Security Handbook. Jeff Schmidt. Que. 0-78971-999-1. 2000.

Microsoft Windows NT 4.0 Security, Audit, and Control (Microsoft Technical Reference). James G. Jumes. Microsoft Press. 1-57231-818-X. 1998.

NT 4 Network Security. Matthew Strebe. Sybex. 0-78212-425-9. 1999.

Windows NT/2000 Network Security (Circle Series). E. Eugene Schultz. New Riders Publishing. 1-57870-253-4. 2000.

Windows 2000 Security Handbook. Phillip Cox. McGraw-Hill Professional Publishing. 0-07212-433-4. 2000.

Windows NT Server Security Guide (Prentice Hall Series on Microsoft Technologies). Marcus Goncalves. Prentice Hall Computer Books. 0-13679-903-5. 1998.

Windows NT Security Handbook. Thomas Sheldon. Osborne McGraw-Hill. 0-07882-240-8. 1996.


Section: Chapter 19.  Microsoft

Summary

Microsoft offers a number of excellent applications, and Windows 2000 and Windows NT 4.0 are excellent server platforms. However, like their counterparts, they are not secure out of the box. To run secure Microsoft applications and servers, you must do three things:

        Patch the vulnerabilities discussed in this chapter.

        Apply general security techniques discussed in other chapters.

        Constantly keep up with advisories.

If you cover these bases, you should be fine.
