Windows NT 4.0 Security


1. Windows NT 4.0 Security
Secure System Administration - SANS GIAC © 2000, 2001

In our next sections together we will consider the Windows NT and Windows 2000 operating systems. Windows NT was Microsoft's first effort at building a production server operating system, and Windows 2000 brought a number of changes and improvements. We are going to take a quick look at the architecture and file system and then move on to the tools you can use to gather clues from your operating system. I am going to approach the tools in the following way: since NT ships with tools to implement security, we are going to learn to configure our system security policy and, at the same time, how to check it. As always, we will focus on the tools that come with the operating system and possibly the Resource Kit, but we are also going to look at something new: your operating system's interface to the network. To run a number of the exercises you will need to be logged on as Administrator. As always, unless this is a scratch operating system that you loaded only for testing, make sure you have a good backup before trying privileged system commands.
2. Windows NT architecture
User mode:
• User processes: Outlook, Explorer ...
• Subsystems: Security, Win32, POSIX ...
Kernel mode:
• NT Executive (Object Manager, Virtual Memory Manager, I/O Manager)
• Windows NT Kernel
• Hardware Abstraction Layer (responsible for CPU and bus)
Hardware

Windows NT is a synthesis of operating systems that came before it, including Mach, UNIX and VMS. The hardware privilege model is straightforward: kernel mode can run anything and user mode is tightly constrained. Two things to note:
• Though there are multiple subsystems, including POSIX, OS/2 and the Virtual DOS Machine (VDM), they are rarely used. The Win32 subsystem is the animal that is more equal than the other animals: since NT 4.0 its window manager and graphics code (win32k.sys) run in kernel mode, so it operates with more privilege than the rest.
• Application programmers are supposed to write to the subsystems through Application Programming Interfaces (APIs), not make direct calls into the kernel. The subsystems use system service calls to communicate with the kernel-mode portion of the operating system. If programmers stick to the APIs, their software is more portable and, in some sense, safer. Inside the kernel the I/O Manager hands requests to device drivers, and the drivers manage the hardware. These layers of abstraction increase the size of the operating system but make it easier to write software.
3. What is Running?
Start → Settings → Control Panel → Devices

Attackers may target device drivers because they run in kernel space with access to most system functions. For this reason we need to know what drivers are installed on our system. To see which drivers are installed and their current status use Start → Settings → Control Panel → Devices. The Devices dialog shows the device name, its current status, and the configured startup behavior. Highlight a device name to start or stop the device or to change its startup behavior. Startup options are Boot, System, Automatic, Manual and Disabled; the first two are reserved for drivers loaded early in the boot sequence. Other options may be available depending on the Service Pack applied and your current system configuration. From the command line, net start lists running services but not kernel drivers; the Resource Kit tool drivers.exe lists the drivers actually loaded, which is the list an attacker's driver would have to appear in. New and reassigned systems often arrive with optional hardware that is not required. These can complicate configuring the server and may give attackers another door into the system. Experts do not recommend modems and removable media devices for critical systems. Physically remove these and their associated drivers and software. Protecting the devices involved in the boot process is critical. If at all possible, place servers in a locked room with limited access to maintain physical security. When this is not possible, secure the server with a power-on password and consider disabling the option to boot from the floppy drive. If the system doesn't need the floppy drive, remove it.
4. Kernel Mode
• Hardware Abstraction Layer (HAL) – directly interfaces with the hardware and allows NT to run on completely different hardware, such as Intel x86 and Alpha chips
• Windows NT Kernel – provides process and thread scheduling, multiprocessor support and interrupt handling
• Windows NT Executive – uses the services of the HAL and the kernel; handles file systems, device drivers and I/O

This slide gives an overview of the kernel-mode components of NT. The NT kernel is fairly small in size and lines of code compared to the NT Executive. It is responsible for core OS functionality such as hardware exceptions, interrupts and traps, and it is the most privileged code in the operating system. The kernel gets its configuration from the registry database. The startup information is kept in HKEY_LOCAL_MACHINE, which has the following registry keys: HARDWARE, SAM, SECURITY, SOFTWARE and SYSTEM. In troubleshooting, HARDWARE and SYSTEM are the most important, and SYSTEM is used heavily at boot. If the registry gets corrupted, booting and operating the system is nearly impossible. You can back up the registry on the local system using the NTBACKUP program, but you must select it specifically. Another option is to create an Emergency Repair Disk (ERD). The Emergency Repair Disk can be used to repair a corrupt partition boot sector. The ERD is unique to each system: an ERD created on one workstation or server will probably not work on a different workstation or server. The ERD should be kept in a secure location, since the disk contains security information from the machine on which it was created. To create an emergency repair disk, type RDISK /S at the command prompt. Please do this NOW. We will remind you several times in the course, but if you make a mistake, you will need an ERD. You MUST protect this disk! The /S switch copies the SAM database onto the floppy, and password crackers can recover the passwords from it. The same /S run leaves an identical copy in %SystemRoot%\repair on the hard disk, so restrict the permissions on that directory as well. Also note that the Repair Disk is not a boot disk. Setup disks (bootable disks used in installing Windows NT) are created by running winnt32.exe with the /ox switch.
5. Core NT File Systems
• FAT16
• FAT32
• NTFS4 and NTFS5
Any discussion of NT or Windows 2000 should be based on the NTFS file system. The differences between NT 4.0 and NT 5.0 (Windows 2000) are small with regard to the file system.

The three file systems listed on your slide account for most Windows files. If you read system documentation you will see claims that NT systems can support a number of file systems. This is not true in practice except for special purposes:
• CDFS, for ISO 9660 CD-ROMs
• UDF, for DVDs
These are examples of Installable File Systems. Two caveats: NT 4.0 itself cannot mount FAT32 volumes (that support arrived with Windows 2000), and NTFS5 does add features such as the Encrypting File System, disk quotas and reparse points, although the permission model you will work with is the same. Both Windows NT and Windows 2000 were designed around the NTFS file system and are happiest in an NTFS environment. Instead of FDISK, on NT you should use Disk Administrator. As the user Administrator, use Start → Programs → Administrative Tools → Disk Administrator to do partitioning and other FDISK work. [Editor's note: vol will display the serial number and label for a disk with any of the Windows file systems. This can be used as a step in evidence collection, for instance vol c:\ > disklabel.txt. It will not, however, display the file system, whereas chkdsk will. - SRN]
6. NTFS
• 64-bit addressing, 2**64 bytes
• Master File Table (MFT): every file and folder is a record in this table
• Provides file- and folder-level security:
– Full Control (all of the rest)
– Modify
– Write
– Read & Execute
– List Folder Contents
– Read

NTFS is a major improvement over the FAT file systems, along a number of dimensions: more files, bigger files, more naming flexibility, resistance to fragmentation, and so on. NTFS also makes more efficient use of the disk, limiting the hiding places available to malware. Like the FAT file system, NTFS uses clusters as the fundamental unit of disk allocation. In NTFS the default cluster size depends on the volume size. For volumes of 512MB or less, the default cluster size equals the sector size of 512 bytes. For volumes of 513MB or more the cluster size increases, but the sector size stays constant. Very large drives may be formatted with larger clusters to improve performance at the cost of some wasted disk space. All of these are certainly important, but the most important thing is that NTFS file security is more granular than FAT, allowing fine tuning of permissions at the file level through Access Control Lists (ACLs). The permission names on the slide are the Windows 2000 ones; NT 4.0 groups the same underlying rights as No Access, Read, Change and Full Control, with Special Access for anything finer. FAT/FAT32 has no file-level security at all: the only protection is the share-level password that Windows 9x can put on a shared folder, and there is absolutely no protection once a user logs on locally. You can convert from FAT to NTFS with the convert utility. From the command line, first run vol to get your volume name, then type CONVERT <volume> /FS:NTFS, where <volume> is the drive letter or volume name, e.g. CONVERT C: /FS:NTFS. Three things to know before you do: the conversion is one-way, the system volume is converted during the next reboot, and on NT 4.0 a freshly converted volume starts out with Everyone: Full Control, so set the permissions you actually want immediately afterwards.
7. Checking File Stamps
• The DIR command can be used to check size and date/time
• A good attacker can change this information to hide their files!
• To check creation date/time and size of all EXE files:
dir c:\winnt\*.exe /s /t:c > exefiles.txt

One sign of system compromise is unauthorized modification of files. This slide shows an example of using options to the dir command to query one or more files for their creation or last access time. Be aware that an attacker can change the file timestamps, so this technique is not perfect. But dir is still a useful tool for exploring what an attacker has done to a system during a given session. The example at the bottom of the slide uses the /t:c switch, which reports the date and time at which the file was created. You can substitute a "w" for the "c" to see the last time the file was written to, or an "a" to see the last access time. NTFS records a creation, last-write and last-access time for every file (and an MFT change time that dir does not show), whereas the original FAT file system kept only the last-write time. For more information on the dir switches available, type dir /? at the command prompt. Next let's see how to configure Windows Explorer to show more file types.
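The baseline-and-compare use of that command, as an added example that is not part of the course: run the dir command once after installation, keep the output, and later diff a fresh listing against it to find executables that appeared, vanished, or changed size or creation time. The parser assumes the NT 4.0 dir output layout (MM/DD/YY date, 12-hour time with an a/p suffix, comma-grouped size, one " Directory of " header per folder); both listings below are constructed, and their file names, sizes and times are invented.

```python
"""Diff two ``dir /s /t:c`` snapshots to find new, missing or altered executables.

Added example for this page; it is not part of the SANS course material.
The two listings below are constructed to look like NT 4.0 ``dir`` output
(MM/DD/YY date, 12-hour time with a/p suffix, comma-grouped sizes); the
file names, sizes and creation times in them are invented.
"""
import re
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    stamp: str   # creation date/time exactly as dir printed it
    size: int    # size in bytes


# A file row, e.g. "01/15/00  09:12p               118,032 explorer.exe".
# Folder rows carry "<DIR>" in the size column and are skipped.
ROW = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2,4})\s+(?P<time>\d{1,2}:\d{2}[ap]?)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)


def parse_dir(listing: str) -> Dict[str, Entry]:
    """Return {full path (lower-cased): Entry} for every file in a dir /s listing."""
    folder = ""
    files: Dict[str, Entry] = {}
    for line in listing.splitlines():
        if line.startswith(" Directory of "):
            folder = line[len(" Directory of "):].strip().rstrip("\\")
            continue
        m = ROW.match(line)
        if not m or m.group("size") == "<DIR>":
            continue
        path = (folder + "\\" + m.group("name")).lower()
        files[path] = Entry(stamp=m.group("date") + " " + m.group("time"),
                            size=int(m.group("size").replace(",", "")))
    return files


def diff_snapshots(baseline: str, current: str) -> Dict[str, List[str]]:
    """Files that appeared, disappeared, or changed size or creation time."""
    old, new = parse_dir(baseline), parse_dir(current)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


# Constructed baseline taken right after installation (invented contents).
BASELINE = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\WINNT

01/15/00  09:12p               118,032 explorer.exe
01/15/00  09:12p                33,040 notepad.exe
               2 File(s)        151,072 bytes

 Directory of C:\WINNT\system32

01/15/00  09:12p               208,144 cmd.exe
               1 File(s)        208,144 bytes

     Total Files Listed:
               3 File(s)        359,216 bytes
"""

# Constructed later snapshot: explorer.exe was replaced (new creation time),
# notepad.exe grew, and an unknown wnsvc.exe appeared in system32.
CURRENT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\WINNT

03/02/00  11:47p               118,032 explorer.exe
01/15/00  09:12p                41,216 notepad.exe
               2 File(s)        159,248 bytes

 Directory of C:\WINNT\system32

01/15/00  09:12p               208,144 cmd.exe
03/02/00  11:49p                27,648 wnsvc.exe
               2 File(s)        235,792 bytes

     Total Files Listed:
               4 File(s)        395,040 bytes
"""

if __name__ == "__main__":
    for kind, paths in diff_snapshots(BASELINE, CURRENT).items():
        for p in paths:
            print(f"{kind:8} {p}")
```

Because creation time is part of the comparison, a binary that was swapped for a copy of the same size (the explorer.exe case above) is still reported; keep the baseline file off the machine being audited, since an attacker who can alter timestamps can also edit a text file.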
8. Viewing all files

As you probably discovered in the previous section on Windows 9x, while dir has a large number of options, it has real limitations. The default viewing options in NT hide the following files: .dll, .sys, .vxd, .386, .drv and .pnf. These initial options also hide extensions for known file types, such as .bat, .txt, .htm, .rtf, .doc, .exe, etc. This represents a security risk, since an attacker can hide rogue code under a known file extension or disguise the file type by using multiple extensions, such as YourReport.rpt.exe, which Explorer displays as YourReport.rpt.
9. Viewing all files (2)

You will note we have an option to view hidden files, and while we are learning the operating system we should see all files. Windows 2000 adds a further class of "superhidden" files: system files that also have the hidden attribute set. Tools → Folder Options → View tab → Show Hidden Files and Folders, together with Hide Protected Operating System Files, is where the superhidden behavior is controlled; clear the second option as well, or those files stay invisible.
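The two tricks described across these two slides (a double extension whose real type Explorer hides, and executables made invisible with the hidden or hidden+system attributes) can be checked from a directory listing. The following is an added example, not from the course; it works from a constructed list of names and attribute bits rather than a live directory, and the set of executable extensions it treats as dangerous is this example's own choice.

```python
"""Spot file names that abuse Explorer's "hide extensions for known file types"
option and executables made invisible with the hidden or hidden+system attributes.

Added example for this page, not part of the course. The directory listing
below (names and attribute bits) is constructed for the demonstration; the
attribute constants are the Win32 FILE_ATTRIBUTE_* values.
"""
from typing import List, NamedTuple, Tuple

FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
SUPERHIDDEN = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM   # Windows 2000 "protected operating system file"

# Extensions Windows will execute when the name is double-clicked (this example's list).
EXECUTABLE = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs"}


class Finding(NamedTuple):
    name: str
    shown_as: str   # what Explorer displays with "hide extensions" switched on
    reason: str


def displayed_name(name: str) -> str:
    """Explorer drops the last extension, so YourReport.rpt.exe is shown as YourReport.rpt."""
    stem, dot, _ext = name.rpartition(".")
    return stem if dot else name


def check_entry(name: str, attributes: int = 0) -> List[Finding]:
    """Run the checks over one directory entry and return every reason it looks wrong."""
    findings: List[Finding] = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in EXECUTABLE:
        return findings                      # documents and hidden .dll/.sys files are normal
    shown = displayed_name(name)
    if len(parts) >= 3:                      # e.g. budget.xls.vbs: the visible name lies about the type
        findings.append(Finding(name, shown, f"double extension, displayed as '{shown}'"))
    if (attributes & SUPERHIDDEN) == SUPERHIDDEN:
        findings.append(Finding(name, shown, "executable with hidden+system (superhidden) attributes"))
    elif attributes & FILE_ATTRIBUTE_HIDDEN:
        findings.append(Finding(name, shown, "executable with the hidden attribute"))
    return findings


def audit_listing(entries: List[Tuple[str, int]]) -> List[Finding]:
    """Apply check_entry to a whole (name, attributes) listing."""
    return [f for name, attrs in entries for f in check_entry(name, attrs)]


# Constructed listing of (file name, attribute bits); only the last three should be flagged.
SAMPLE_LISTING = [
    ("README.txt", 0),
    ("kernel32.dll", FILE_ATTRIBUTE_HIDDEN),       # hidden by default in NT, not executable
    ("YourReport.rpt.exe", 0),                    # the double extension from the slide
    ("budget.xls.vbs", FILE_ATTRIBUTE_HIDDEN),    # double extension and hidden
    ("svc.exe", SUPERHIDDEN),                     # invisible even with hidden files shown
]

if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f"{f.name:22} shown as {f.shown_as:18} {f.reason}")
```

On a real system the attribute bits come from the attrib command or, on Windows, from os.stat(...).st_file_attributes; the logic stays the same, and hidden .dll or .sys files are deliberately left alone because NT hides those by default.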
10. Setting the Account Policy

To begin our discussion of checking and setting system policies, our first stop is Account Policy. Hitting "Cancel" to bypass a password will not work on an NT machine. The first thing to notice at the top of the screen is the word "Domain." For NT and Windows 2000, domains are security entities. If your workstation or server is a member of a domain, you obtain your authentication from a special server: a Primary Domain Controller (PDC) or one of its Backup Domain Controllers (BDCs). If you are installing a machine that does not need to share credentials with other machines, you can make it a member of a workgroup, and it can still do file and print sharing with other systems on its network. The "Account Policy" under User Manager for Domains sets the general domain-wide password policy for all network accounts. However, for each user account, "User Properties" also affects the password for that specific account. It is important to note that settings in User Properties override the settings in the Account Policy. For example, an Account Policy requiring a password change every "X" days can be overridden for a particular user by selecting "Password never expires" in the User Properties for that user. When you audit the policy, therefore, check both: the domain-wide settings and the per-account flags that exempt users from them.
11. Setting the Audit Policy
Audit Must Be Enabled

Friends of mine in the trade continue to be amazed that auditing is not enabled on production machines. It never occurs to people to track logons and logoffs until they get into an incident situation and need the information. Before we discuss setting the audit policies, we need to talk a bit about the scope of the audit policies. NT audit policies apply only to an individual machine. The one exception is that a policy established on any Domain Controller also applies to all other Domain Controllers in that domain. The resulting drawbacks are the necessity of setting multiple policies and the need to consolidate audit logs to obtain a coherent picture of network activity. A benefit is that systems containing more sensitive information can have a more extensive audit policy than those with less sensitive data. In this screenshot, note that the policy applies to the computer SKYLAR. When we get to the next slide, the policy is on a Domain Controller, as evidenced by the name in the upper left corner. There are urban legends that auditing will slow down the system. If you start logging File and Object Access or Process Tracking it may, but Logon and Logoff and Security Policy Changes have negligible effect and in general should be enabled. Of course, if the NT machine is your own, say your laptop, you mostly work standalone, and you are concerned that someone may audit you if you lose physical control of the system, you may choose not to audit. In any case, you should know your audit status, and you can check it through User Manager (NT Workstation or member server) or User Manager for Domains (NT Server configured as a Domain Controller) by selecting Policies → Audit. In Windows 2000, you set auditing by going to Administrative Tools → Local Security Policy → Local Policies → Audit Policy. Alternatively, you can use the Microsoft Management Console (MMC) snap-in to accomplish the same purpose.
12. Audit Best Practice

Auditing doesn't do any good at all if you don't look at the audit logs or manage them. On this system, File and Object Access is selected. That selection only enables the ability to audit file and object access; the actual folders or files to be audited, and the audit settings for each, are set through Windows Explorer. Auditing of files and folders should be used sparingly, since excessive entries can make the logs fill up pretty durn fast. In our last section we introduced the concept of attackers hiding in the noise. We do not want to make it easy for them by logging events that have no value. Also note: if your workstations are running Win95 or Win98, all logon and logoff entries are written to the domain controller(s). However, if you are running NT Workstation, the logon and logoff entries are written to the workstation's own log. This makes it very difficult to get a coherent picture of logon activity. Unless you are using third-party tools to consolidate the logs, you must search through the workstation logs for entries, for example, of failed logon attempts. Crystal Reports, available in a limited form in the Resource Kit, will help with consolidating the logs, but you must create the reports to show the entries you want.
13. File and Object Access

Once File and Object Access is enabled in the Audit Policy, the audit properties of each object (files, folders, printers, etc.) you want to audit must be set. Clicking the Security tab in the object's properties brings up the screen on the left. Click the Auditing button to set the audit properties for the object. Note that you can choose to audit access by groups or by individual users. In addition, the Events to Audit are set separately for each user or group. The screen on the right shows settings for either an extremely sensitive folder, a highly untrusted user, or perhaps both. Auditing of File and Object Access should be used sparingly to prevent excessive entries in the security log.
14. Event Viewer

The Event Viewer is a Graphical User Interface (GUI) that can be used to investigate log events. The event on your screen is the result of an attack from the network, and so this event was stored in the Security log. Speaking of events, a really good idea is to make any use of the Administrator account an event! You may not delete it, but as Administrator you can create a new account (Start → Programs → Administrative Tools → User Manager) and make the new account a member of the Administrators group. Then you remove the Administrator account from the Administrators and Domain Admins groups. Then log on to the new account at least once so it appears "active." If NT will not let you remove the built-in account from the Administrators group, use the better-known variant: rename the built-in Administrator and create an unprivileged decoy account named Administrator. Either way, since you are logging logons and logoffs, any logon to "Administrator," success or failure, will be logged, and you know you have something worth checking into. Log files are kept in NT's own binary format. If you want to save them as ASCII text, there is a command-line tool in the Resource Kit called DUMPEL: DUMPEL -l <log> -f <file> -t. That command creates a tab-delimited text file from the named log (system, security or application); if you prefer comma-delimited use -c, and if you specify neither, the fields are separated by spaces. If you are not batch processing the events looking for keywords, you can inspect them through the GUI.
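The batch-processing route the slide mentions, as an added example that is not course material: it reads DUMPEL -t output and reports every logon success or failure against the decoy Administrator name. It assumes the Resource Kit's documented column order (date, time, type, category, event ID, source, user, computer, description) and the NT 4.0 security event IDs 528 and 529; the event records are constructed, with invented dates, host names and users.

```python
"""Watch tab-delimited DUMPEL output for logons against the decoy Administrator account.

Added example for this page, not part of the course. It assumes the
Resource Kit DUMPEL -t column order: date, time, type, category, event ID,
source, user, computer, description. The records below are constructed
(invented dates, host names and users); the event IDs are the NT 4.0
security-log IDs for logon success (528), logon failure (529) and logoff (538).
"""
import re
from typing import Dict, List, NamedTuple

LOGON_SUCCESS, LOGON_FAILURE, LOGOFF = 528, 529, 538
AUDIT_SUCCESS, AUDIT_FAILURE = 8, 16          # event-type codes for audit records


class Event(NamedTuple):
    date: str
    time: str
    etype: int
    event_id: int
    source: str
    user: str
    computer: str
    text: str


# The account named inside the event text, e.g. "User Name: Administrator".
USER_NAME = re.compile(r"User Name:\s*(\S+)")
WORKSTATION = re.compile(r"Workstation Name:\s*(\S+)")


def parse_dumpel(output: str) -> List[Event]:
    """Split DUMPEL -t output into Event records; short or blank lines are ignored."""
    events: List[Event] = []
    for line in output.splitlines():
        fields = line.split("\t")
        if len(fields) < 9:
            continue
        date, time, etype, _category, event_id, source, user, computer = fields[:8]
        events.append(Event(date, time, int(etype), int(event_id), source, user,
                            computer, "\t".join(fields[8:])))
    return events


def account_of(ev: Event) -> str:
    """Account a logon event refers to.  For a failed logon the User column is
    SYSTEM, so the description text is the only place the attempted name appears."""
    m = USER_NAME.search(ev.text)
    return m.group(1) if m else ev.user.rpartition("\\")[2]


def decoy_hits(output: str, decoy: str = "Administrator") -> List[Dict[str, str]]:
    """Every success or failure logon (528/529) that targets the decoy account."""
    hits: List[Dict[str, str]] = []
    for ev in parse_dumpel(output):
        if ev.source != "Security" or ev.event_id not in (LOGON_SUCCESS, LOGON_FAILURE):
            continue
        if account_of(ev).lower() != decoy.lower():
            continue
        ws = WORKSTATION.search(ev.text)
        hits.append({
            "when": f"{ev.date} {ev.time}",
            "result": "success" if ev.etype == AUDIT_SUCCESS else "failure",
            "computer": ev.computer,
            "from": ws.group(1) if ws else "(local)",
        })
    return hits


def _row(*fields: str) -> str:
    return "\t".join(fields)


# Constructed "DUMPEL -l security -t" output for the machine SKYLAR.
SAMPLE = "\n".join([
    _row("3/2/00", "8:05:12 AM", "8", "2", "528", "Security", "SKYLAR\\jdoe", "SKYLAR",
         "Successful Logon: User Name: jdoe Domain: SKYLAR Logon Type: 2"),
    _row("3/2/00", "8:07:40 AM", "16", "2", "529", "Security", "NT AUTHORITY\\SYSTEM", "SKYLAR",
         "Logon Failure: Reason: Unknown user name or bad password "
         "User Name: Administrator Domain: SKYLAR Logon Type: 3 Workstation Name: BADGUY"),
    _row("3/2/00", "8:07:55 AM", "8", "2", "528", "Security", "SKYLAR\\Administrator", "SKYLAR",
         "Successful Logon: User Name: Administrator Domain: SKYLAR Logon Type: 3 "
         "Workstation Name: BADGUY"),
    _row("3/2/00", "8:30:00 AM", "4", "0", "6005", "EventLog", "N/A", "SKYLAR",
         "The Event log service was started."),
    _row("3/2/00", "9:00:00 AM", "8", "2", "538", "Security", "SKYLAR\\jdoe", "SKYLAR",
         "User Logoff: User Name: jdoe Domain: SKYLAR Logon Type: 2"),
])

if __name__ == "__main__":
    for hit in decoy_hits(SAMPLE):
        print(hit)
```

A failed attempt followed seconds later by a success from the same workstation, as in the sample, is the pattern that justifies the decoy: one grep through the dumped logs of every workstation turns a quiet guessing attack into two unmistakable lines.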
15. Log → Log Settings

The default event log size is 512KB. As you can see, we have bumped it up a bit. From the Event Log Settings dialog box, we use the "Change settings for" pull-down menu to view the settings for each of the three logs. If you are running Windows 2000, highlight a log and then select Action → Properties. Note that when you change the log size it only affects a single log. With NT this will be whichever log is shown in the "Change settings for" display; with Windows 2000 it will be whichever log you had highlighted before selecting Properties. Now take a look at event log wrapping. By default, NT will overwrite events older than seven days if the maximum log size is reached. The "as needed" option lets NT overwrite entries younger than seven days if necessary, and the last setting never overwrites entries and requires you to clear the log manually. Which setting to use is a judgment call on your part. If you choose "Do not overwrite" you must rely on the vigilance of system administrators to ensure that the logs are not filling up. If a log does fill up, auditing silently stops, which is exactly what an attacker wants; and if the LSA registry value CrashOnAuditFail is set, NT will instead halt the system with a blue screen rather than run unaudited. It is generally better to choose either "Overwrite events as needed" (you will not lose any log data unless you have to, and the oldest entries are overwritten first) or "Overwrite events older than X days" (where X is something like seven; if you make a full backup once a week, this is a great selection).
16. The Registry

Now that we have auditing turned on, we want to consider the fundamental security token of most operating systems: the password. Windows NT and Windows 2000 have a password filter called passfilt.dll. It is of somewhat limited value, but it prevents some classic user errors, such as choosing simple dictionary words that are easily guessed. We can use passfilt.dll as an opportunity to examine the Windows NT configuration database, the registry. Windows NT has two tools for editing the registry: regedit and regedt32. regedit has fewer capabilities but better search functions; regedt32 is more powerful and is the one that can edit key permissions and REG_MULTI_SZ values. Whichever one you use, you really should have a good backup and an ERD before making any changes, since either tool can easily modify the registry to the point where the system is unrecoverable. Start → Run → REGEDT32 will launch your registry editor. Expand the keys shown below to see whether someone has installed passfilt.dll, as shown on your slide. Please do not edit ANYTHING, just look.
Hive: HKEY_LOCAL_MACHINE
Key: \System\CurrentControlSet\Control\Lsa
Value Name: Notification Packages
Value Type: REG_MULTI_SZ
If passfilt.dll is in use, PASSFILT appears as one of the strings in that value. On Windows 2000, you can check whether password complexity is enforced from the Group Policy console for Active Directory. Let's do a quick recap: we know how to examine files for their modification date, list hidden files, set the Account Policy, set the Audit Policy, manage logs, and write them out in a spreadsheet format. We are well on our way to being able to secure and audit Windows NT and 2000. Next, we will examine one of the most important things you can do to secure your OS: UPDATE it with a Service Pack.
17. Service Packs

Each of the operating systems we discuss in this course is very complex, and from time to time they need patching to handle security vulnerabilities. The easiest way to check the Service Pack level on an NT system is Start → Run → winver; a popup gives some information about the system, including the Service Pack version. Windows NT Service Packs are cumulative, each containing all the changes of all previous packs. Applying a Service Pack only updates the current system configuration. If changes are made to the system afterwards, such as adding services from the original CD, the older files come back and the Service Pack must be reinstalled. If in doubt, reapply the Service Pack! Microsoft also releases patches (hotfixes) between Service Packs to correct individual bugs. Sometimes the patches deal with serious security holes, so it is important to keep tabs on what is being released. It is also important to keep a log of what Service Packs and patches were installed on the system; NT records the Service Pack level in the registry value CSDVersion and each installed hotfix under the Hotfix key, both beneath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, so you can check your log against the machine. To install a Service Pack, the update command (update.exe) is used. WARNING! I have trashed a number of systems with Service Packs, so always test these on non-production machines before installing on production systems. If you can get the Service Pack on a CD-ROM, Microsoft sometimes gives out neato tools.
18. Why is TCP/2251 open?

This slide was created at the command prompt with netstat -a | more. This works for NT and Windows 2000. If you take a look at the slide, you'll see a screen capture from one of my systems. This computer has four ports listed as listening. The last three are used by Windows for file and print sharing, but the first entry is an oddball. I am unaware of any process running on this system that should be listening on TCP port 2251. So why is this port open? Obviously I need to do some investigative work to find out exactly what is running on this machine. This is one of the cool things about auditing: it forces you to look at the system in great detail and come up with a logical explanation for everything you see. What better way to figure out all the nuances of how your system functions? Apart from malicious code, which can attack your system via email attachments or removable media, most attacks will arrive over the network, so it is important to know the commands for investigating your network interface.
19. NETSTAT Active Connections
• Open a command prompt
• Type: netstat -a | more
• Look for lines marked "LISTENING"
• These are open service ports
• Can you identify them all?
• Built-in netstat may not identify all processes

The previous slide shows the connection table for my system. The Local Address column shows the port your system is using, while the Foreign Address column identifies the name of the remote system and the port that system is using. If you look at the State column, any connections listed as "ESTABLISHED" are active connections. You may also see a few "TIME_WAIT" or "SYN_SENT" entries. The really interesting entries are the ones labeled "LISTENING." These are open service ports on your system, waiting for a remote system to connect to your machine. We focused on port 2251 in the previous slide; in other words, there is some active process on the system offering a service to any system on the network that tickles that port. Note that the netstat shipped with NT 4.0 and Windows 2000 cannot tell you which process owns a socket (the -o switch arrived with Windows XP), so tying port 2251 to a program needs a third-party port-to-process tool. netstat has other options, including -e, -n, -p, -r and -s. At the command prompt, entering netstat /? brings up a description of each switch. If the output scrolls off the screen, adding "| more" presents it a page at a time. If your system is networked, you should give these a try. Another command-line utility to try is ipconfig /all. If your system is networked, these two commands will tell you a lot about your system. [Editor's note: you may wish to examine the netstat available from as it is considered a better tool by many security professionals. - SRN]
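The allow-list check behind "Can you identify them all?", as an added example that is not from the course: it parses netstat -a output, resolves the service names netstat substitutes for well-known ports, and reports every listener that file and print sharing does not account for. The sample output is constructed around the slide's host name and port 2251; the service-name table and the allow-list are this example's assumptions about what NT file and print sharing needs.

```python
"""Audit the LISTENING entries of Windows ``netstat -a`` output against an allow-list.

Added example for this page, not part of the course. The output below is
constructed to resemble NT 4.0 ``netstat -a`` for the host on the slide,
with port names resolved through the services file the way netstat prints
them; the service-name table and the allow-list are this example's
assumptions about what NT file and print sharing needs.
"""
from typing import List, NamedTuple, Set, Tuple

# Names netstat -a substitutes for well-known ports (entries from the services file).
SERVICE_PORTS = {
    "epmap": 135, "loc-srv": 135,            # RPC endpoint mapper
    "nbname": 137, "nbdatagram": 138,        # NetBIOS name / datagram (UDP)
    "nbsession": 139, "netbios-ssn": 139,    # NetBIOS session (SMB over NetBIOS)
    "microsoft-ds": 445,                     # direct-host SMB (Windows 2000)
}

# What file and print sharing legitimately opens; anything else gets questioned.
EXPECTED = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}


class Socket(NamedTuple):
    proto: str
    host: str
    port: int
    state: str       # "LISTENING", "ESTABLISHED", ... ; "" for UDP


def port_number(token: str) -> int:
    """Port part of 'host:port' as a number; netstat prints service names for well-known ports.
    Unknown names map to -1, which never matches the allow-list, so they are reported."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token.lower(), -1)


def parse_netstat(output: str) -> List[Socket]:
    """One Socket per TCP/UDP row; the title, header and blank lines are skipped."""
    sockets: List[Socket] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        host, _, port = parts[1].rpartition(":")
        state = parts[3] if len(parts) > 3 else ""
        sockets.append(Socket(parts[0], host, port_number(port), state))
    return sockets


def unexpected_listeners(output: str, expected: Set[Tuple[str, int]] = EXPECTED) -> List[Socket]:
    """TCP sockets in LISTENING state, plus every bound UDP socket, not on the allow-list."""
    return [s for s in parse_netstat(output)
            if (s.proto == "UDP" or s.state == "LISTENING")
            and (s.proto, s.port) not in expected]


# Constructed netstat -a output; 2251 is the odd port from the slide.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    skylar:2251            0.0.0.0:0              LISTENING
  TCP    skylar:135             0.0.0.0:0              LISTENING
  TCP    skylar:nbsession       0.0.0.0:0              LISTENING
  TCP    skylar:1044            webserver:80           ESTABLISHED
  UDP    skylar:nbname          *:*
  UDP    skylar:nbdatagram      *:*
"""

if __name__ == "__main__":
    for s in unexpected_listeners(SAMPLE):
        print(f"{s.proto} {s.port} on {s.host}: no known owner, investigate")
```

Run it against netstat -n output as well as netstat -a: if a port shows up only in the numeric listing, the services file on that machine has been edited to give it a harmless-looking name.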
20. Null Sessions

This slide describes the most famous network reconnaissance attack against Windows. Every Windows security course teaches you how to defend against it, and a fix is available for configurations with Service Pack 4 or later. A null session lets you connect to the IPC$ share with a user name and password that are both "null" values. This should not be confused with the Anonymous account used by Microsoft's web server software, Internet Information Server, which is generally named IUSR_<computername>. Also, the null session vulnerability is not "fixed" simply by installing Service Pack 4 (though SP4 did provide some important security enhancements to Windows NT). The null session vulnerability can be prevented by making a change to the Windows NT registry, as described in the next slide. A full discussion of null session attacks is beyond the scope of this course, but it is covered in other SANS courses. [Editor's note: The UID field in the SMB packets will be blank in a null session. - SRN] In the slide, we try a net view command and it fails. We then issue a net use (in its classic form, net use \\server\IPC$ "" /user:""), which is essentially a logon. It succeeds, as we see in the next net view command. To fix this on older systems, we have to edit the registry. We introduced the registry in our discussion on passwords. A discussion of the registry opens up a number of terms and concepts. The top of one of the primary hives for a machine is HKEY_LOCAL_MACHINE. The five main registry keys, as you have learned, are HARDWARE, SAM, SECURITY, SOFTWARE and SYSTEM. LSA (the Local Security Authority), which controls the security mechanisms integrated into NT, is configured under the SYSTEM key at System\CurrentControlSet\Control\Lsa, the same key we looked at for passfilt.dll. That said, take a deep breath, go to the next slide, and we will fix null sessions.