Security Tools For Windows NT Networks
Gary C. Kessler
April 1999
An edited version of this paper appeared with the title "Add Fuel to Your
Firewall" in the October 1999 issue of Windows NT Magazine.
It is common practice today that any network connected to the Internet be
protected with some sort of firewall. While firewalls are a necessary component
in the arsenal of tools for the network administrator, they are no longer
sufficient. Firewalls are relatively static devices in that they enforce a
particular ruleset. But what happens when valid, legal packets, at least
according to the rules, are being used to formulate an attack on your network or
execute an attack against one of your servers? Additional tools must be used for
additional protection, particularly for the Windows NT environment and TCP/IP
protocols.
This article will discuss several security tools that can be implemented on
Windows NT systems to spot potential problems before they are exploited by
attackers from both the inside and outside, namely port scanners, vulnerability
testers, log analyzers, and intrusion detectors.
Port Scanning
The Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
identify higher layer services by use of a port number. Port scanners are tools
used to determine what TCP/UDP services are available on a particular server.
One of the cardinal rules of server security is to disable any service that is
not being used. A port scanner can be used by a system administrator to ensure
that only the desired TCP/UDP services are running. Any open TCP/UDP service
offers an attacker a possible entree into your system. Having any port open that
is not absolutely necessary, then, should be avoided, particularly because if
there is a service running that you don't know about, then you won't be
monitoring it.
The so-called Well Known Ports are of particular interest; these are port
numbers between 0 and 1023, and are generally implemented so that these services
can only be used by system processes or by programs executed by privileged
users. Exploiting a well known port, then, gives an attacker potential control
of a server. Some of the well known TCP/UDP ports are listed below; a complete
list of assigned port numbers can be obtained from the Internet Assigned Numbers
Authority (IANA, http://www.isi.edu/in-notes/iana/assignments/port-numbers):
Port #   Protocol   Common Service
7        TCP        echo
9        TCP        discard
13       TCP        daytime
19       TCP        chargen
20       TCP        ftp-control
21       TCP        ftp-data
23       TCP        telnet
25       TCP        smtp
37       UDP        time
43       TCP        whois
53       TCP/UDP    dns
67       UDP        bootps
68       UDP        bootpc
69       UDP        tftp
70       TCP        gopher
79       TCP        finger
80       TCP        http
110      TCP        pop3
111      TCP        sunrpc
119      TCP        nntp
123      UDP        ntp
137      TCP/UDP    netbios-ns
138      UDP        netbios-dgm
139      TCP        netbios-ssn
143      TCP        imap
161      UDP        snmp
162      UDP        snmptrap
520      UDP        rip
There are several generic schemes that can be employed to scan ports, although
most focus on TCP:
TCP connect() scanning: The most basic form of TCP scanning, where the
attacker's host issues a connect() system call to every interesting port on
the target machine. If the port is listening, connect() will succeed;
otherwise the port is not reachable and the service is not available. This
scheme is fast and requires no special privileges, but can be easily detected
and blocked at the target system.
TCP SYN scanning: Establishing a TCP virtual connection requires what is
called a three-way handshake: one host sends a TCP segment with the
synchronize (SYN) flag set, the other responds with a segment with both the
acknowledge valid (ACK) and SYN flags set, and the first host sends a segment
with just the ACK flag set. With SYN scanning, the querying host sends a SYN
segment to every port; if the server responds with a SYN-ACK segment, then the
service is available; if the server responds with a reset (RST) segment, then
this service is not available. These probes can typically be logged by the
target site.
TCP FIN scanning: With this scheme, the querying host skips the three-way
handshake entirely and just sends a finish (FIN) segment to all interesting
TCP ports (which, under ordinary circumstances, would close an open TCP
connection). If the port is open (i.e., listening or active), the FIN is
supposed to be ignored (because there is no existing connection); if the port
is closed (i.e., not listening or inactive), a RST segment is generated. Thus,
lack of a response indicates an active port. This is a clever way around the
problems of SYN scanning and very hard to trace. Ironically, this method
doesn't work very well on most Windows systems because Microsoft's TCP
implementation always sends a RST in response to a FIN.
FTP bounce attack: This type of attack uses the FTP PORT command and the
upload capability (if present) at an FTP server behind a firewall to allow a
client to connect with other systems that would not be otherwise accessible.
Consider this scenario: an attacker creates a text file containing the Simple
Mail Transfer Protocol (SMTP) dialog of a spoofed e-mail message and uploads
it to an FTP server behind a firewall. The attacker could then issue an FTP
PORT command to the server, providing the IP address of the intended target
system (say, the mail server) and the SMTP port number. The attacker then
sends the file to the victim machine where the e-mail is sent and appears to
have come from the FTP server. Obviously, other types of Trojan horse programs
or viruses could be inserted behind a firewall in this way, and might also
allow a querying client to connect to an FTP server and scan services behind a
firewall. Microsoft's FTP server implementation is reportedly immune from this
type of attack because it requires that the IP address contained in the PORT
command match the original IP address provided on the FTP control channel (TCP
port 21). In addition, by default, the PORT command cannot be used to specify
any privileged ports (those below 1024) except the FTP data channel (TCP port
20).
UDP Internet Control Message Protocol (ICMP) port unreachable scanning:
Because UDP is a connectionless protocol, it is harder to perform a port scan
than in TCP because ports are not required to respond to probes. Most
implementations, though, do generate an ICMP port_unreachable error when a
packet is sent to a closed UDP port; as in TCP FIN scanning, then, lack of a
response indicates an active port.
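An added example in Python (not from the article or from any product it names) of the connect() scan used the way the article recommends, by a system administrator checking that only the desired services are listening: the scan result is compared with an approved list and anything else is reported. The demo scans constructed loopback listeners rather than a real server; the port-to-name table is a subset of the article's list.

```python
import socket

# Service names for a subset of the article's Well Known Ports table, used to label findings.
WELL_KNOWN_TCP = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen", 23: "telnet",
                  25: "smtp", 53: "dns", 70: "gopher", 79: "finger", 80: "http",
                  110: "pop3", 139: "netbios-ssn", 143: "imap"}


def tcp_connect_scan(host, ports, timeout=0.5):
    """connect() scan: complete the three-way handshake on each port and record
    the ports where connect() succeeds, i.e. where something is listening."""
    listening = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                listening.append(port)
    return listening


def audit_open_ports(listening, approved):
    """Compare the scan result with the services the administrator means to run.
    A listener that is not approved is a service nobody is monitoring."""
    unexpected = sorted(set(listening) - set(approved))
    return {
        "unexpected": [(p, WELL_KNOWN_TCP.get(p, "unknown")) for p in unexpected],
        "missing": sorted(set(approved) - set(listening)),
    }


def _listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))        # ephemeral port chosen by the OS
    s.listen(5)
    return s


def demo():
    """Constructed loopback scenario (not a real server): one approved listener,
    one forgotten listener, and one port that was released so it is closed."""
    approved_sock, forgotten_sock = _listener(), _listener()
    approved_port = approved_sock.getsockname()[1]
    forgotten_port = forgotten_sock.getsockname()[1]
    released = _listener()
    closed_port = released.getsockname()[1]
    released.close()                 # nothing listens here any more
    try:
        listening = tcp_connect_scan("127.0.0.1", [approved_port, forgotten_port, closed_port])
        result = audit_open_ports(listening, approved={approved_port})
        result["closed_port_seen_open"] = closed_port in listening
        return result
    finally:
        approved_sock.close()
        forgotten_sock.close()


if __name__ == "__main__":
    # Real use: scan a server you administer against the list of services you intend to run.
    print(demo())
```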
Screen 1: TCP/UDP vulnerabilities display from WebTrends Security Analyzer.
There are several tools that perform port scanning and they may use any
combination of the methods mentioned above (or other methods); this software can
be run from either a Unix system (e.g., SATAN, nmap) or a Windows system (see
Table 1). Screen 1 shows the Web-based display after scanning a group of four
Windows NT servers for TCP/UDP vulnerabilities using the WebTrends Security
Analyzer:
The Most Vulnerable Services graph and table shows that four services are open
on these systems, namely the File Transfer Protocol (FTP, on TCP port 21), the
Hypertext Transfer Protocol (HTTP, on TCP port 80), the Post Office Protocol
version 3 (POP3, on TCP port 110), and SMTP (TCP port 25). The graph shows
that FTP is running on two servers, one having a medium risk vulnerability and
one a low risk vulnerability. The web (HTTP) is also running on two servers,
one a high risk and one a low risk. Finally, POP3 and SMTP are each running on
one server, a low risk vulnerability.
The Service Vulnerabilities table describes the risks in more detail. The FTP
and HTTP services, for example, are low risk vulnerabilities merely because
they are running. The medium-risk vulnerability FTP service is one that has
enabled anonymous access; the high-risk HTTP service is so noted because the
$DATA hole in NT's Internet Information Server (IIS) can be exploited. This
latter vulnerability affects many IIS installations, where an attacker can
download the active server page (ASP) source by appending the string "::$DATA"
to the URL. This can expose usernames and passwords that are hard coded within
scripts; SQL and other administrator passwords, for example, are often placed
within scripts in this fashion.
After listing these vulnerabilities, many port scanners will suggest possible
fixes, such as shutting down the service or installing a hotfix. Of course,
shutting the service off may not be an option, but we should know that there is
a possible risk so that we can balance the exposure with the benefit. But this
type of scan can also remind sysadmins to turn off any service that they are not
actually using, such as Gopher (which comes standard with IIS, and defaulted to
enabled in IIS 3).
Vulnerability Testing
There are many security vulnerabilities that are operating system specific.
Vulnerability testing is similar to port scanning but whereas port scanning is
directed at the TCP/IP communications protocols, vulnerability testing is
directed towards specific operating systems. Although another rule of secure
management is to avoid advertising the operating system of your servers,
attackers already have many clues: .asp file extensions, use of .htm rather than
.html, and home pages named default.htm almost always indicate an IIS server. In
addition, there are many tools available that allow attackers to determine the
operating system of another computer and all the attacker needs to use such a
tool is the server's IP address.
Screen 2: Windows NT operating system vulnerabilities display from WebTrends
Security Analyzer.
System and network administrators, then, are well-advised to examine their
systems for operating system vulnerabilities. Screen 2 shows a sample display
from the WebTrends Security Analyzer directed at four servers. As in the port
scan report, vulnerabilities are ranked as high, medium, and low risk. This
report shows that:
All of the servers were found to have at least one user account with a blank
password and at least one user account with a password that is too short (less
than 6 characters); in addition, none had the LSA-2 fix installed.
Two of the servers were found to have at least one user account locked out and
at least one user account with the password the same as the username; in
addition, two of the servers use the File Allocation Table (FAT) disk file
system instead of the NT File System (NTFS).
One of the servers is vulnerable to the $DATA hole exploit.
This screen also lists about a dozen medium-risk vulnerabilities, followed by
low-risk vulnerabilities. But knowing about the vulnerabilities is only half the
battle. Most vulnerability testers will also tell you where you can get more
information and suggest corrective measures, such as pointers to Microsoft
knowledge base articles, links to hotfixes and service packs, instructions for
updating the Registry, or other guidelines. Screen 3, in particular, shows a
portion of the WebTrends Security Analyzer display listing the suggested fixes
for the vulnerabilities listed in the previous screen.
Screen 3: Suggested fixes to Windows NT operating system vulnerabilities
displayed from WebTrends Security Analyzer.
New operating system vulnerabilities, particularly with NT, are appearing all
the time. Just like antivirus software, then, the database of operating system
vulnerabilities has to be updated periodically. You can't just run a
vulnerability test once, fix the problems, and walk away; this is a tool that
has to be used frequently with the most up-to-date information.
It is important to note that many versions of tools such as port scanners and
vulnerability testers can be used across a network. Therefore, they can be used
by network administrators to test their own network as well as by attackers to
probe someone else's network for weaknesses. Isaac Asimov fans are certainly
familiar with the adage:
"It's a poor ... blaster that won't point both ways."
Salvor Hardin, mayor of Terminus,
Foundation (Isaac Asimov, 1951)
Log Analyzer
A third rule of security management is to maintain system logs, particularly for
your servers and routers. And many sites do diligently maintain logs and turn on
auditing at the servers. But does anyone read the logs? Log files are typically
quite large and it is difficult to read a multi-megabyte text file and see any
serious trends. Log analyzers are programs that read the log files (most audit
tools, including those with Windows NT, use one of a few standard log formats)
and prepare a graphical or tabular representation of the data. In the NT
environment, in particular, some log analyzer products run as stand-alone
software while others run in conjunction with the operating system's own
management capabilities.
Different log analyzers report different types of information, of course, but
the kinds of events to look for include:
Bandwidth utilization patterns
Top users by bandwidth utilization
Incoming and outgoing protocol/service usage (e.g., FTP, Web, Telnet)
Critical events and host addresses
Errors and warnings, and the host addresses
VPN usage statistics and external host address
Login attempts and failures (and host address if via remote access)
Top e-mail senders' and recipients' host addresses (internal and external)
Top FTP download (and upload) host address
Top Telnet host address
Unsuccessful TCP connection setup requests
Packets/addresses blocked at firewall/router
Screen 4: Web traffic log display from SessionWall-3.
Screen 4 shows sample output from the SessionWall-3 product, available from
Platinum Technology (formerly Memco, formerly AbirNet). This output is a simple
graphic representation of the outgoing web traffic log, displaying users, type
of site visited, and number of visits. Screen 5 shows a display from Centrax Log
Analyst (this product is now available from CyberSafe). This display shows
information from the error log, indicating failed login and virus/Trojan horse
events. All of this information, of course, is available in the log files that
should be enabled anyway. But it may be hard to find a few "bad" events
interspersed in a large log file and people tend to be able to spot trends
better in a graphical format than in a list.
Screen 5: Error log information display from Centrax Log Analyst.
It is a general truism that you shouldn't log events that you don't care about
and you shouldn't turn logging on if you're not going to read the logs. These
aren't merely tongue-in-cheek quips; whether you read the information or not,
there is data in them there log files and you are, therefore, responsible (and
possibly legally liable) for the information they contain whether you are
looking at the data or not. Log analyzers, then, are important tools because
they allow administrators to quickly make sense of trends and patterns of the
network traffic, server operations, and internal and external users. They also
make the logs relevant! Too many sites maintain NT auditing and never look at
the files.
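Added example (not from the article or from any product it names): a small log analyzer in Python over constructed lines in the style of the W3C extended log format. It produces the top-host and status summary a graphical analyzer would chart and picks out two of the "bad" events the article mentions, requests ending in ::$DATA (the IIS source-disclosure hole from the vulnerability section) and repeated failed authentications from one host.

```python
import re
from collections import Counter

# Constructed sample (not from any real server) in the style of the W3C extended
# log format: date time client-ip method uri status.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
1999-04-12 09:01:10 10.1.1.5 GET /default.htm 200
1999-04-12 09:01:12 10.1.1.5 GET /images/logo.gif 200
1999-04-12 09:02:30 192.0.2.44 GET /login.asp::$DATA 200
1999-04-12 09:02:31 192.0.2.44 GET /admin/db.asp::$DATA 200
1999-04-12 09:03:00 10.1.1.9 GET /products.asp 200
1999-04-12 09:03:05 192.0.2.44 GET /secure/ 401
1999-04-12 09:03:06 192.0.2.44 GET /secure/ 401
1999-04-12 09:03:07 192.0.2.44 GET /secure/ 401
1999-04-12 09:03:08 192.0.2.44 GET /secure/ 401
1999-04-12 09:04:00 10.1.1.5 GET /about.htm 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_w3c(text):
    """Return one record per data line; '#' directive lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            _date, _time, ip, method, uri, status = m.groups()
            records.append({"ip": ip, "method": method, "uri": uri, "status": int(status)})
    return records


def analyze(records, auth_fail_threshold=3):
    """Summarise the log the way an analyzer would (top hosts, status counts) and
    pull out two 'bad' events: ::$DATA requests, which try to read ASP source
    through the IIS hole, and repeated 401s from a single host."""
    top_hosts = Counter(r["ip"] for r in records).most_common(3)
    status_counts = dict(Counter(r["status"] for r in records))
    data_stream = [(r["ip"], r["uri"]) for r in records
                   if r["uri"].lower().endswith("::$data")]
    failed = Counter(r["ip"] for r in records if r["status"] == 401)
    repeated = sorted(ip for ip, n in failed.items() if n >= auth_fail_threshold)
    return {"top_hosts": top_hosts, "status_counts": status_counts,
            "data_stream_requests": data_stream, "repeated_auth_failures": repeated}


if __name__ == "__main__":
    report = analyze(parse_w3c(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```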
Intrusion Detection
Firewalls, proxy servers, port scanners, vulnerability testers, and log
analyzers are wonderful for blocking unauthorized access, indicating the
presence of a potential problem, or determining if an attack might have already
occurred. Only intrusion detectors, however, tell you in real time when unusual
or suspicious activity is occurring.
There are a number of common threats that can be aimed at your systems and
detected in real time, as listed below. Additional information on all of the
"attacks" mentioned below can be found at Microsoft's Security Bulletin page
(http://www.microsoft.com/security), CERT/CC (http://www.cert.org), or at the
Web sites of the vendors of these products:
Denial of Service (DoS) attacks are intended to block access between a
victim's network and the general Internet, generally by overloading critical
system resources or usurping all available bandwidth. Examples of DoS attacks
include WinNuke (Windows Out of Band), TCP SYN Flooding, Ping Flooding, Ping
of Death, ICMP Bombing, Smurf, TearDrop, and Land.
Unauthorized access to restricted files and/or commands, as the name implies,
are attempts by an attacker to read, write, or modify files and/or execute
commands for which he/she does not have permission. These types of attacks may
use domain name system (DNS), finger, POP, and sendmail buffer overflow; FTP
hijacking; HTTP, IIS, and/or Internet Explorer vulnerabilities; and password
attacks on the root (Unix), administrator (Windows NT), or supervisor
(NetWare) account.
A pre-attack probe is an attempt by an attacker to gain basic information
about users, servers, or a network that can be used in subsequent break-in
attempts. Examples of pre-attack probes include use of tools such as SATAN or
nmap, DNS zone transfers, excessive use of traceroute (Unix) or tracert
(Windows), or use of SMTP EXPN (name expansion) and VRFY (verify) commands.
Suspicious activity can be any network traffic that is outside of the
expected, normal traffic patterns; while often due to error, these aberrant
behaviors can also indicate undesired activity on the network. Examples of
suspicious activity include use of IP source routing, IP unknown protocol
events, excessive FTP uploads, Trivial File Transfer Protocol (TFTP) traffic,
Windows NT connections between unrelated systems, access to server Registry
files, excessive unsuccessful login attempts to one or more account names, or
attempts to delete, modify, deactivate, or flood log/audit files.
Hostile code insertion includes the spectrum of programs that can alter the
behavior of the system or network, including virus, Trojan horse, and
back-door programs, malicious applets, and packet sniffers.
Infrastructure attacks are those that target the very systems and facilities
that comprise the operational network. Examples of these threats are firewall
modifications, router modifications, user account additions/modification, file
permission/access control list (ACL) modification, and DNS modification.
Screen 6: ISS RealSecure console screen.
Screen 6 shows the Console screen from ISS's RealSecure. Intrusion detectors
constantly monitor the activity on the network and protected systems. If a
particular usage pattern that matches a known attack signature is found, the
intrusion detector software responds by sending a warning to the system manager,
either via the software's interface, e-mail, pager, and/or by other means. This
interface allows a network administrator to view real time events, categorized
as high, medium, and low priority.
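Added example (not from the article or from RealSecure): a minimal real-time monitor in Python that applies three signatures drawn from the threat list above, the SMTP EXPN/VRFY pre-attack probe, TFTP traffic, and excessive failed NT logins from one host within a sliding window, to a constructed event stream and ranks the alerts high, medium, and low as the console does. The event fields, window, and thresholds are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    """One observed network event (constructed for the example)."""
    ts: float            # seconds since monitor start
    src: str             # source host address
    dst_port: int
    proto: str           # "tcp" or "udp"
    payload: str = ""    # first line of application data, if any
    outcome: str = ""    # "fail" for a rejected login, "ok" otherwise


class NTIntrusionMonitor:
    """Signature and threshold checks from the article's threat list; each event
    is examined as it arrives and alerts are ranked high/medium/low."""

    def __init__(self, window=60.0, login_fail_limit=5):
        self.window = window                  # seconds for the failed-login window
        self.login_fail_limit = login_fail_limit
        self._failures = defaultdict(deque)   # src -> timestamps of failed logins
        self.alerts = []

    def _alert(self, priority, kind, ev, detail):
        self.alerts.append({"priority": priority, "kind": kind, "src": ev.src, "detail": detail})

    def process(self, ev):
        verb = ev.payload.split(" ", 1)[0].upper()
        # Pre-attack probe: SMTP EXPN/VRFY used to enumerate mailbox names.
        if ev.dst_port == 25 and verb in ("EXPN", "VRFY"):
            self._alert("medium", "pre-attack probe", ev, f"SMTP {verb} command")
        # Suspicious activity: TFTP traffic on the network.
        if ev.proto == "udp" and ev.dst_port == 69:
            self._alert("medium", "suspicious activity", ev, "TFTP traffic")
        # Suspicious activity: excessive failed logins (NetBIOS session, TCP 139)
        # from one host inside the window; alert once, when the limit is reached.
        if ev.dst_port == 139 and ev.outcome == "fail":
            q = self._failures[ev.src]
            q.append(ev.ts)
            while q and ev.ts - q[0] > self.window:
                q.popleft()
            if len(q) == self.login_fail_limit:
                self._alert("high", "suspicious activity", ev,
                            f"{len(q)} failed logins within {self.window:.0f}s")


def run_demo():
    """Feed a constructed event stream through the monitor and return the alerts."""
    mon = NTIntrusionMonitor()
    events = [
        Event(1.0, "198.51.100.3", 25, "tcp", payload="VRFY administrator"),
        Event(2.0, "10.1.1.20", 69, "udp"),
        Event(3.0, "10.1.1.5", 80, "tcp", payload="GET /default.htm"),
    ]
    # Six failed NT logins in six seconds, then one more long after the window.
    events += [Event(10.0 + i, "192.0.2.77", 139, "tcp", outcome="fail") for i in range(6)]
    events.append(Event(100.0, "192.0.2.77", 139, "tcp", outcome="fail"))
    for ev in events:
        mon.process(ev)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```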
Intrusion detection software is coming into more common usage as security
incidents themselves become more common and serious. As the attacks become more
complex and involve multiple sites, it would be advantageous if different
vendors' intrusion detection software could communicate across sites and share
data about an ongoing attack. To address this challenge, the Internet
Engineering Task Force (IETF) created the Intrusion Detection Exchange Format
Working Group (idwg) to define data formats and protocols for sharing
information between intrusion detection and response systems, and network
management systems with which they may interact. Initial specifications are
expected by the end of 1999. More information about this group can be found at
http://www.ietf.org/html.charters/idwg-charter.html.
Products for Windows NT
There are several port scanners, vulnerability testers, log analyzers, and
intrusion detectors that run on Windows NT systems, as listed in Table 1. These
tools, however, are just a part of the network managers' toolkit and they must
be employed on a regular basis. Note that although these particular products run
on NT systems, there is a plethora of software that can detect and probe Windows
NT systems from non-NT platforms, notably Unix.
TABLE 1: Some Windows NT security monitoring tools (port scanners/vulnerability
testers, log analyzers, and intrusion detectors).

Axent (www.axent.com)
    Intruder Alert, NetProwler, NetRecon
Check Point Software Technologies (www.checkpoint.com)
    RealSecure
CyberSafe (née Centrax) (www.centraxcorp.com)
    Centrax Log Analyst (CLA), eNTrax Security Suite 2.1
En Garde Systems (www.engarde.com)
    T-sight
Internet Security Systems (ISS) (www.iss.net)
    SAFEsuite Adaptive Network Security Products: Internet Scanner, RealSecure,
    System Scanner
Network Associates (www.nai.com)
    CyberCop
Network-1 (www.network-1.com)
    CyberwallPLUS
Platinum Technology (née AbirNet) (www.abirnet.com)
    Session Wall-3
Security Dynamics (www.securitydynamics.com)
    Kane Security Analyst, Kane Security Monitor
Tripwire Security Systems (www.tripwiresecurity.com)
    Tripwire 2.1 for Windows NT
WebTrends (www.webtrends.com)
    WebTrends Security Analyzer, WebTrends for Firewalls & VPNs
Internet Security With Windows NT by Mark Joseph Edwards (Duke Press) is a good
place to start to learn about securing your NT boxes. Also check out Maximum
Security: A Hacker's Guide to Protecting Your Internet Site and Network, 2/e by
Anonymous (SAMS) and Internet Security, 2/e by Atkins et al. (New Riders), two
excellent books that offer detailed information about security and tools for
attacks and defenses. Both books discuss Windows NT within the broad spectrum of
the general security problem. Don't limit your thinking to just NT; the bad guys
aren't!!
About the Author: Gary C. Kessler is a senior network security/WAN consultant at
SymQuest Group (http://www.symquest.com), a network integration consulting
company in South Burlington, VT. His e-mail address is kumquat@sover.net.