NT Security Guide
Section 12: For Administrators Only

12-1. How do I secure my server?
12-2. I'm an idiot. Exactly how do hackers get in?

12-1. How do I secure my server?

Upgrade to NT 4.0.
Physically secure all servers.
Disable remote logins to workstations.
No dual booting. NT only on the hard drives, and format NTFS only.
Remove the group Everyone from being able to read so much of the registry.
Use Auditing. Heavily if Internet connected.
Load the latest Service Pack (v.3 as of this writing will be out very soon).
Make sure program file directories have just Read and Execute permissions.
Try to separate public files from private files.
Note the owners of directories. The owner can still change things inside a directory, despite permissions being reset.
Go into User Manager and create a restrictive password policy.
Disable the Last Logon username display.
Add the domain administrator's global group to all of your workstations' local Administrators group for control.
Remove the "Access this computer from network" logon right from administrators on domain controllers.
If you can, remove the Scheduler service.
Restrict access to certain executables you deem dangerous (possibly CMD.EXE or NTBACKUP.EXE if you are real paranoid).
Re-read this FAQ and note every time you see "this attack won't work if the Sys Admin did..." and actually do it.
Use a firewall. As a minimum, do not allow outside access to ports 135 through 139 for both TCP and UDP. Put web, ftp, and any other public servers OUTSIDE the firewall, or in a DMZ between a couple of firewalls. Come to think of it, read a book on firewalls.
Consider using "internal" firewalls if you need to secure certain servers from certain groups of users, i.e. protect the accounting server from the disgruntled marketing group.
Use Jeremy Allison's PWAudit program to monitor the keys that PWDump accesses. This way you can log attempts at grabbing the passwords.
Read your logs. Daily. Use them as a guide, however don't blindly trust that every action is in the logs, and don't take every action reflected in the logs at face value. INVESTIGATE ODD THINGS.
Run C2Config after you have adjusted the INF file to meet your needs.
Regularly run virus scans, non-Microsoft-written security scanners, and your C2Config utility (if you initially used it).
Subscribe to the mailing lists and read the newsgroups listed in section 10. Daily.
Read the NT Security FAQ. Repeatedly.
Read all the pages at the www sites listed in section 10. Frequently.
Read Hobbit's paper on CIFS. If it's too technical, hire a new Sys Admin.
Don't panic, but be paranoid all the time. Take every security concern or oddball alert seriously.

12-2. I'm an idiot. Exactly how do hackers get in?

I mentioned the World Star Holdings Inc. Cybertest '96 contest earlier in the FAQ. I wish I could say that this contest involved some type of massive attack rich in color and unbelievable hacking genius, but alas, it was too easy. Using techniques outlined in this FAQ, I simply got a list of exported shares and logged in as GUEST. I enjoyed trying to get past the special HTML scripting language they were using, and only did it because I wanted the $50,000.00 prize money. But I wasn't the first one in, and they changed the rules mid-contest anyway.

Here's a scenario that pulls some of this together.

The Exploit
-----------

The attacker has a copy of Samba on his Linux machine, and applied the patches from Hobbit's paper making smbclient a little more dangerous. He starts looking at his target innocent.nmrc.org. Using a port scanner he determines that ports 135-139 are open, and suspects the box might be NT. The target IP address is 10.10.10.2.

So he tries his hacked version of nmblookup like so -

    nmblookup -B 10.10.10.2 -S \*

The name INNOCENT is returned, and this is plugged into the hacked smbclient like so -

    smbclient \\\\INNOCENT\\WINNT$ -I 10.10.10.2 -d 3 -n WHATEVER -m LANMAN2 -U ADMINISTRATOR

Note that the hacker is trying to access the C drive, is using debug level 3 to see errors (and see how long before an error occurs), forged his computer's name, and dummied down the passwords to try Lan Manager style (uppercase) only. Several simple passwords are tried, and it looks like Administrator has not been altered to lock out incorrect tries. However the usual easy passwords do not work. The hacker is not frustrated. He decides to throw his uppercase dictionary at it -

    smbclient \\\\INNOCENT\\WINNT$ -I 10.10.10.2 -d 0 -n WHATEVER -m LANMAN2 -U ADMINISTRATOR

The hacked smbclient will continue until the dictionary file is exhausted, the hacker stops the program, or he gets in. After a while, success. The hacker uploads a trojan to \SYSTEM32 to capture passwords. Then the hacker goes to \SYSTEM32\CONFIG\SAM and \REPAIR and finds copies of the SAM database. These are copied down to his home machine. The hacker disconnects and proceeds to use PWDump and L0phtcrack to get ALL passwords. The hacker knows that some of the passwords might be old -- after all, he couldn't grab the live SAM database. But between the old passwords and the trojan, the hacker isn't even worried if the Administrator changes passwords. The hacker will simply use another account name and check the \TEMP directory for the collected passwords.
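The scenario above only works because nobody was reading the audit log and no lockout policy was set (the "Use Auditing" and "Read your logs. Daily." items in 12-1). As an added example that is not part of the original FAQ, here is detection logic that runs over a constructed, simplified one-line rendering of NT 4.0 security-log entries (event 529 = logon failure, 528 = successful logon, logon type 3 = network/SMB) and flags the dictionary run against ADMINISTRATOR from the forged workstation name WHATEVER, plus the success that follows it. The line format, timestamps and threshold are assumptions for the example, not the real event-log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified one-line form, not real NT 4.0 event-log output).
SAMPLE_LOG = """\
1997-05-01 02:14:03 529 User Name: ADMINISTRATOR Logon Type: 3 Workstation Name: WHATEVER
1997-05-01 02:14:04 529 User Name: ADMINISTRATOR Logon Type: 3 Workstation Name: WHATEVER
1997-05-01 02:14:04 529 User Name: ADMINISTRATOR Logon Type: 3 Workstation Name: WHATEVER
1997-05-01 02:14:05 529 User Name: ADMINISTRATOR Logon Type: 3 Workstation Name: WHATEVER
1997-05-01 02:14:06 529 User Name: ADMINISTRATOR Logon Type: 3 Workstation Name: WHATEVER
1997-05-01 02:14:07 528 User Name: ADMINISTRATOR Logon Type: 3 Workstation Name: WHATEVER
1997-05-01 09:02:11 529 User Name: jsmith Logon Type: 2 Workstation Name: ACCT01
1997-05-01 09:02:20 528 User Name: jsmith Logon Type: 2 Workstation Name: ACCT01
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\d+) User Name: (\S+) Logon Type: (\d+) Workstation Name: (\S+)$"
)

def parse(log_text):
    """Yield (timestamp, event_id, user, logon_type, workstation) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3).upper(), int(m.group(4)), m.group(5).upper()

def detect_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for (user, workstation) pairs with `threshold` network logon
    failures inside `window`, and for a success that arrives after such a burst."""
    failures = defaultdict(list)   # (user, workstation) -> recent failure timestamps
    alerts = []
    for ts, event_id, user, logon_type, wks in parse(log_text):
        key = (user, wks)
        if event_id == 529 and logon_type == 3:
            # Keep only failures still inside the sliding window, then count.
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) == threshold:
                alerts.append(("guessing", user, wks, ts))
        elif event_id == 528 and len(failures[key]) >= threshold:
            # The very outcome in the scenario: a logon that succeeds after a dictionary run.
            alerts.append(("success-after-guessing", user, wks, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

Interactive (type 2) failures from a real workstation are left alone, so an ordinary mistyped password does not trip the alert.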