Windows (MS)

2010 Aug 21

Windows 2000 is really Windows NT 5.0.
See book: Windows NT/2000 Network Security by Eugene Schultz.
See: Ref [5].

Domains

An NT domain is a group of one or more Windows NT machines that share an authentication database. This allows users to log on the domain to acesss resources and servuces on various machines within the domain, rather than having to specifically log on to each server. This requires a special server called a domain controller (of which there can be more than one).

One of these servers is called the primary domain controller (PDC); which keeps the master copy of of te hdomain authentication database. This database contains account information (such as UserID and password hashes). The otehr servers are called backup domain controllers (BDC). THe BDC's contain a copy of the databse, but the PDC updates and distributes any changes over over the network. If the PDC crashes or becomes dysfunctional, a system administrator can (temporarily) proote a BDC to be the PDC. Other types of servers are called member servers. They contain resources such as files, directories, and pprinters that users wish to access.

Domains provide a common mechanism to set many critical parameters such as minimum password length, password expiration, policies that resrict what users can do, and more, for a group of systems. Workgroups, and alternative to organizing into domains, do not provide such a common mechanism, nor do they support priviliege control.

Environment Variables

• %OEM%
• %WINDIR% : directory where windows is installed, e.g. C:\WINNT or C:\WINDOWS
• %systemroot% : same as %WINDIR%

Logging (or Auditing)

Windows NT has: System Logging, Security Logging (or Auditing), and Application Logging. Security Logging is configurable with data about: logons/logoffs, file and object access, user and group management events, use of user rights, and more. By default auditing is disabled. It can be enabled via the Audit Policy in the User Manager for Domains tool. These are the categories:

• Logon/Logoff
• File and Object Access (expensive in CPU cycles and disk space)
• Use of User Rights
• User and Group Management
• Security Policy Changes
• Restart, Shutdown, and System
• Process Tracking

Network Security

See: Securing NT: A step-by-Step Guide and Windows 2000 Security Checklist. Windows NT supports a packet filter on srevers and workstations, as well as network encryption through a Virtual Private Network (VPN) based on Microsoft's implementation of the Point-to-Point Protocol (PPTP).

SMB/CIFS : Share access is based on an implementation of the Server Message Block (SMB) protocol that Microsoft calls CIFS - Common Intenet File System. This protocol sets up a session between the client and server that has weak authentication mechanisms as well as loopholes in backward compatibility mechanisms. These weaknesses can allow a bogus client to connect to a share, an attacker to conduct a person-in-the-middle attack between a lgeitimate client and the server, a malicious user to taigate into a share session that appears to have ended, and so on. Additionally, by default Windows NT systems allow null sessions, remote SMB sessions set up independently of any username or password entry. Null sessions can be used to extract information from a Windows NT System. Numerous service packs and hot fixes represent an attempt to correct some of the inherent problems in SMB.

NetBEUII and NetBIOS : Protocols such as NetBEUI (Network Basic Extended User Interface) and APIs such as NetBIOS (Network Basic Input/Output System) have outlived there usefulness and have potential for being used in denial-of-service attacks and gaining unauthroized access to resources.

Microsoft's Internet Information Service (IIS) : A buil-in Web server that comes with Windows NT servers. IIS uses a virtual directory system accesible through the Web interface that refers to actual directories on the server's file system. In IIS, IP address filtering of connections can be enabled for added security, but there still are a large number of security problems with the IIS web server. Apache and iPlanet are better but each has its own security issues. An IIS FTP server can also be installed on any Windows NT system.

There are important files in directory:
   \Windows\System32\Drivers\etc
such as the hosts file.

Organizational Units (OUs)

OUs in WIn 2000 allow for hierarchical (tree) arrangement of groups of users who can inherit properties and rights within a domain. They support delegation of privileges. Children OUs can never be given a more rights than the parent has. The downside is OUs are not recognized outside their domain, also beyond three levels in the tree there is a performance impact.

Physical Security

In Win 2000, the Kerberos authentication service requires string physical security. On of the easiest ways to compromise Kerberos is to physically access a Kerebros server (called a Key Distibution Center, or KDC) to gain access to Kerberos credentials that reside there. Kerberos credentials are stored in workstation caches. The klist command can be used to flush out Kerberos tickets on workstations if the Software Ddvelopment Kit (SDK) has been installed. Also, anyone with physical access to a Win 2000 server or workstation can potentially use a DOS or Linux boot disk to gain unauthorized access to any file, just as in Win NT.

Policies

In Windows NT a system administrator can implement a variety of policies that affect secuirty. A policy is a set of configuartion settings for the system. The Policy Editor (which must be installed from the Resource Kit CD available seprately from Microsoft) is used to set secuirty restrictions. Installed on the PDC, polic settings can (among other things) restrict particular programs that users or groups can access.

The account policy applies to all accounts within a domain. It can specify Maximum Password age, Minimum Password Age (i.e. before being changed - needs to be non zero to prevent changing to old password), Minimum Password Length, Password Uniqueness (how many unique before repeating and old password), Lockout after x Bad Login Attempts, Reset Count after y Minutes (lockout if more than x bad logons in y minutes - resets after one good logon), Logout Duration in minutes (can be forever - i.e. until and Adminstrator clears it).

User properties are individually apply and are related to account policy. They include: User Must Change Password at Next Logon, User Cannot Change Password, Password Never Expires, Account Disabled.

Printers

Remote Access Service

RAS provides remote access to a Windows NT system and/or domain via: dial-up, ISDN, and X.25 networks. RAS clients can be Windows 95/98/ME/NT/2000 connected to a RAS server (a domain controller, a member server, or an NT workstation). The RAS server receives the SAM database from the PDC for use in authentication.

The main security issue with RAS is that it can bypass firewalls (especially if an inexperienced person sets it up). All that is necessary is to enter a correct username and password.

Repair Tools

unlocker - http://tinyurl.com/docs-unlock
Kilbox - http://tinyurl.com/docs-kill
CCleaner - http://tinyurl.com/docs-cc
hijackthis -http://tinyurl.com/docs-hjt
Revo unstaller - http://tinyurl.com/docs-revo
Trojan remover - http://tinyurl.com/trojrev
Autoruns - http://download.sysinternals.com/Files/Autoruns.zip
Process explorer - http://download.sysinternals.com/Files/ProcessExplorer.zip

Security program
AVAST - http://tinyurl.com/docs-avast

Security GUI Programs

Start
   Programs
      Security
         Administrative Tools
            Event Viewer (see below)
            Local Security Policy
            ...

Start
   Settings
      Control Panel
         Administrative Tools
            Event Viewer (see below)
            Local Security Policy
            ...

Win 2000 has no built-in non removable privileges like Win NT has. The Win 2000 Event Loggre has nine categories:

• Account Logon
• Account Management
• Directory Service Access
• Logon Events
• Object Access
• Policy Change
• Privilege Use
• Process Tracking
• System Events

Security Templates

The Win 2000 Security Configuration Tools include templates that can be used in securing just about everything that is important to security in Win 2000. Besides a GUI, the command line tool secedit can be used to analyze or configure the security of the system. Be default, nine templates (stored in %systemroot%\security\templates) are available to to set the security of various system types to Highly Secure or Basic. Besides these Microsoft recommended settings for various environments, custom templates can be developed and used.

Services

• DHCP servers
• DNS servers
• Gateways
• IIS : Internet Information Servers
• RAS servers
• Static IP addresses
• Subnets
• VPNs
• Web servers
• WINS servers

Share

A share is a connection to a particular network device (e.g. hard drive directory or printer). This is very similar to NFS in Unix but the protocols are very different. Users can connect to a share by running Windows Explorer, finding the icon with the appropriate drive and double cliking it. An alternative is to use the command prompt:

   C:net use \\[IP address or hostname]\[share name] -[username]:[password]

Shares are subject to permissions that are applied.

Startup

Click Start Menu
Select Run
Type msconfig
Click OK>
Click Startup Tab
Select/Deselect invalid apps
Click OK

System Files

• BOOT.INI
• WIN.INI
• SYSTEM.INI
• system.dat & user.dat (Registry)

TCP/IP Filtering

On Network and Dial-up Connections dialog
    left click My Network Places,
    right click properties
On Local Area Connection Properties dialog
    left click Internet Protocol (TCP/IP)
    left click Properties
    left click Advanced
On Advanced TCP/IP Settings dialog
    left click Options tab
    left click TCP/IP filtering
    left click Properties
On TCP/IP Filtering dialog
    left click Enable TCP/IP Filtering (All adapters) check box
    change settings by clicking on Permit Only radio button
    left click Add... allowed TCP ports and UDP Ports
    left click Add... allowed IP Protocols

Tools

• Registry
  • Which icon is displayed for a given file type or extension is stored in the HKEY_CLASSES_ROOT key (see ASSOC)
• Task Manager - does not show path of process, activate by: Ctrl-Alt-Del
• net (a program)
• Event Log
• Event Viewer
• netstat -an (run from CLI)
• Windows Scripting Host
• Task Scheduler
• MMC - Microsoft Management Console (2000)
• metabase - a binary file used by IIS Ver 4.0 and beyond (instead of Registry)
• change in last access time of files
• ".\Documents and Settings\" directory
• Microsoft Resource Kit
• Volitile information
  • process information
  • network connections
  • clibboard contents

Trust

Trust in Windows NT extends the single domain logon to other domains. Users can double click on the name of a drive to connect to these resources on the trusting domain - no additional login is required. Trusting access cannot occur until at least one global group in a trusted domain is included in at least one local group in a trusting domain. Members of the global group obtain only the level of privileges and access that the local group has. The trust models are:

• No Trust: Requires logon to other domains.
• Complete Trust: Every domain trusts every other domain.
• Master Domain: User accounts are set up in a central Accounts Domain and resources (files, printers, ...) are placed in Resource Domains. Users obtain access to resources via trust relationships.
• Multiple Master Domain: Similar to Master Domain but there are multiple account domains.

Periodically check trust relationships to verify an attacker has not changed them.

Windows 2000

New features:

• Power Management
• Built-in terminal services
• The Mircosoft Management Console
• The Mircosoft Recovery Console
• Plug and Play

New security features

• MS Kerberos - a proocol that provides strong network authentication of users
• The Security Support Provider Interface (SSPI) - for authentication
• MS Internet Protocol Security (IPSec) - an extension to IP to provide system authentication, packet integrity checks, and confidentiality services at the network level.
• The Layer Two Tunneling Protocol (L2TP) - which provides encrypted network transmissions
• Active DIrectory - which acts as the central nervous system of all Win 2000 functionality, including all security related capabilities
• Support for smart cards, which can be used in authentication, certificat issuance, and other contexts
• The Encrypted File System (EFS)

Windows 2000 servers can run in either Native Mode or Mixed Mode. In Native Mode all domain controllersr are Win 2000 servers, which in Mixed Mode some Windows NT serevers are allowed (resulting in same NT 4.0 security problems).

In some way Domains got in the way by creating boundarys between network resources. Active Directory helps solve this by de-emphasizing domains. A Domain in WIn 2000 is characterized by a common set of policy settings. Win 2000 does not have PDCs or BDCs - all Win 2000 domain controllers are authoritative. This has plusses and minuses from the secuity viewpoint: no central server to take down but also any succesful attack gets access to all.

Active Directory depends on whether DNS is running properly. DDNS, Dynamic DNS, provides updates such as when a new site (a host or set of hosts running Acive Directory) connects to the network. Active Directory stores information about accounts, Organization units (OUs), security policies, files directories, printers, services, domains, inheritance rules, and itself. User passwords are stored in file ntds.nit which is subject to password crackering.

Attack Information Links

• www.attrition.org
• nipc.gov

Microsoft Links

2005-2009