Text - Tech - OS - NT - security guide 12.txt (2003-09-27)
NT security guide - Section 12
For Administrators Only
12-1. How do I secure my server?
12-2. I'm an idiot. Exactly how do hackers get in?
12-1. How do I secure my server?
Upgrade to NT 4.0.
Physically secure all servers.
Disable remote logins to workstations.
No dual booting. NT only on the harddrives, and format NTFS only.
Remove the group Everyone from being able to read so much of the registry.
Use Auditing. Heavily if Internet connected.
Load the latest Service Pack (v.3 as of this writing will be out very soon).
Make sure program file directories have just Read and Execute permissions. Try
to separate public files from private files.
Note the owners of directories. The owner can still change things inside a
directory, despite permissions being reset.
Go into User Manager and create a restrictive password policy.
Disable the Last Logon username display.
Add the domain administrator's global group to all of your workstation's local
administrator group for control.
Remove the "Access this computer from network" logon right from administrators
on domain controllers.
If you can, remove Scheduler service.
Restrict access to certain executables you deem dangerous (possibly CMD.EXE or
NTBACKUP.EXE if you are real paranoid).
Re-read this FAQ and note every time you see "this attack won't work if the
Sys Admin did..." and actually do it.
Use a firewall. As a minimum, do not allow outside access to ports 135 through
139 for both TCP and UDP.
Put web, ftp, and any other public servers OUTSIDE the firewall, or in a DMZ
between a couple of firewalls.
Come to think of it, read a book on firewalls.
Consider using "internal" firewalls if you need to secure certain servers from
certain groups of users, i.e. protect the accounting server from the
disgruntled marketing group.
Use Jeremy Allison's PWAudit program to monitor the keys that PWDump accesses.
This way you can log attempts at grabbing the passwords.
Read your logs. Daily. Use them as a guide, however don't blindly trust that
every action is in the logs, and every action reflected in the logs should not
be taken at face value. INVESTIGATE ODD THINGS.
Run C2Config after you have adjusted the INF file to meet your needs.
Regularly run virus scans, non-Microsoft-written security scanners, and your
C2Config utility (if you initially used it).
Subscribe to the mailing lists and read the newsgroups listed in section 10.
Daily. Read the NT Security FAQ. Repeatedly. Read all the pages at www sites
listed in section 10. Frequently.
Read Hobbit's paper on CIFS. If it's too technical, hire a new Sys Admin.
Don't panic, but be paranoid all the time. Take every security concern or
oddball alert seriously.
12-2. I'm an idiot. Exactly how do hackers get in?
I mentioned the World Star Holdings Inc. Cybertest '96 contest earlier in the
FAQ. I wish I could say that this contest involved some type of massive attack
rich in color and unbelievable hacking genius, but alas, it was too easy. Using
techniques outlined in this FAQ, I simply got a list of exported shares and
logged in as GUEST. I enjoyed trying to get past the special HTML scripting
language they were using, and only did it because I wanted the $50,000.00 prize
money. But I wasn't the first one in, and they changed the rules mid-contest
anyway.
Here's a scenario that pulls some of this together.
The Exploit
-----------
The attacker has a copy of Samba on his Linux machine, and applied the patches
from Hobbit's paper making smbclient a little more dangerous. He starts looking
at his target innocent.nmrc.org. Using a port scanner he determines that ports
135-139 are open, and suspects the box might be NT.
The target IP address is 10.10.10.2. So he tries his hack version of nmblookup
like so -
nmblookup -B 10.10.10.2 -S \*
The name INNOCENT is returned, and this is plugged into the hacked smbclient
like so -
smbclient \\\\INNOCENT\\WINNT$ -I 10.10.10.2 -d 3 -n WHATEVER -m LANMAN2 -U ADMINISTRATOR
Note that the hacker is trying to access the C drive, is using debug level 3 to
see errors (and see how long before an error occurs), forged his computer's
name, and dummied down the passwords to try Lan Manager style (uppercase) only.
Several simple passwords are tried, and it looks like Administrator has not been
altered to lock out incorrect tries. However the usual easy passwords do not
work. The hacker is not frustrated. He decides to throw his uppercase dictionary
at it -
smbclient \\\\INNOCENT\\WINNT$ -I 10.10.10.2 -d 0 -n WHATEVER -m LANMAN2 -U ADMINISTRATOR
The hacked smbclient will continue until the dictionary file is exhausted, the
hacker stops the program, or he gets in. After a while, success.
The hacker uploads a trojan to \SYSTEM32 to capture passwords. Then the hacker
goes to \SYSTEM32\CONFIG\SAM and \REPAIR and finds copies of the SAM database.
These are copied down to his home machine.
The hacker disconnects and proceeds to use PWDump and L0phtcrack to get ALL
passwords. The hacker knows that some of the passwords might be old -- after
all, he couldn't grab the live SAM database. But between the old passwords and
the trojan, the hacker isn't even worried if the Administrator changes
passwords. The hacker will simply use another account name and check the \TEMP
directory for the collected passwords.
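The scenario above only works because the audit log is never read and the Administrator account never locks out, which is exactly what "Use Auditing" and "Read your logs. Daily." in 12-1 are meant to catch. The script below is an added, defender-side example written for this page; it is not code from the FAQ or from any of the tools it names. It parses a constructed (not real) export of NT 4.0 Security log records in an assumed simplified comma-separated format and flags any account that takes a burst of failed logons (event 529) from one workstation, recording whether a lockout (event 539) ever fired and whether a successful logon (event 528) followed the burst. The three event IDs are NT 4.0's own; the record format, the thresholds and every name and timestamp in the sample are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NT 4.0 Security log event IDs
FAILED_LOGON = 529   # Logon Failure: unknown user name or bad password
SUCCESS_LOGON = 528  # Successful Logon
LOCKED_OUT = 539     # Logon Failure: account locked out

# Constructed sample export, not a real log.  Assumed simplified format:
# "YYYY-MM-DD HH:MM:SS,EventID,User,Workstation".  It shows a dictionary
# run against ADMINISTRATOR from the forged name WHATEVER, no lockout
# in between, ending in a successful logon; JSMITH's two typos are noise.
SAMPLE_LOG = """\
1997-04-01 02:14:50,528,JSMITH,ACCT01
1997-04-01 02:15:01,529,ADMINISTRATOR,WHATEVER
1997-04-01 02:15:02,529,ADMINISTRATOR,WHATEVER
1997-04-01 02:15:02,529,ADMINISTRATOR,WHATEVER
1997-04-01 02:15:03,529,ADMINISTRATOR,WHATEVER
1997-04-01 02:15:04,529,ADMINISTRATOR,WHATEVER
1997-04-01 02:15:05,529,ADMINISTRATOR,WHATEVER
1997-04-01 02:15:06,529,ADMINISTRATOR,WHATEVER
1997-04-01 02:15:07,528,ADMINISTRATOR,WHATEVER
1997-04-01 02:20:00,529,JSMITH,ACCT01
1997-04-01 02:30:00,529,JSMITH,ACCT01
"""


def parse_records(text):
    """Turn the export into a time-sorted list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        when, event_id, user, source = line.split(",")
        records.append({
            "when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "event": int(event_id),
            "user": user.upper(),
            "source": source.upper(),
        })
    records.sort(key=lambda r: r["when"])
    return records


def find_password_guessing(records, threshold=5, window=timedelta(minutes=10)):
    """One alert per (user, workstation) pair that accumulates `threshold`
    or more failed logons inside any `window`.  Each alert notes whether
    the account policy ever locked the account (539) and whether a
    successful logon (528) from the same workstation followed the burst,
    the sign that a guessing run actually got in."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["user"], r["source"])].append(r)

    alerts = []
    for (user, source), events in by_pair.items():
        failures = [e["when"] for e in events if e["event"] == FAILED_LOGON]
        # Sliding window over failure timestamps (already time-sorted).
        start = 0
        burst_end = None
        for i, t in enumerate(failures):
            while t - failures[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = t
                break
        if burst_end is None:
            continue
        locked = any(e["event"] == LOCKED_OUT for e in events)
        success_after = any(e["event"] == SUCCESS_LOGON and e["when"] >= burst_end
                            for e in events)
        alerts.append({
            "user": user,
            "source": source,
            "failures": len(failures),
            "lockout_seen": locked,
            "success_after_burst": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_password_guessing(parse_records(SAMPLE_LOG)):
        print(alert)
```

An alert with `lockout_seen` false is itself a finding: it means the password policy from User Manager never engaged, which is the "not been altered to lock out incorrect tries" condition the attacker counts on. An alert with `success_after_burst` true is the case to treat as a compromise, not a nuisance, and to follow with the \SYSTEM32 and \TEMP checks the scenario implies.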