2010 Aug 21
Windows 2000 is really Windows NT 5.0.
See book: Windows NT/2000 Network Security by Eugene Schultz.
See: Ref [5].
An NT domain is a group of one or more Windows NT machines that share an authentication database. This allows users to log on to the domain to access resources and services on various machines within the domain, rather than having to log on to each server separately. This requires a special server called a domain controller (of which there can be more than one).
One of these servers is called the primary domain controller (PDC), which keeps the master copy of the domain authentication database. This database contains account information (such as UserID and password hashes). The other servers are called backup domain controllers (BDCs). The BDCs contain a copy of the database, but the PDC updates and distributes any changes over the network. If the PDC crashes or becomes dysfunctional, a system administrator can (temporarily) promote a BDC to be the PDC. Other types of servers are called member servers. They contain resources such as files, directories, and printers that users wish to access.
Domains provide a common mechanism to set many critical parameters such as minimum password length, password expiration, policies that restrict what users can do, and more, for a group of systems. Workgroups, an alternative to organizing into domains, do not provide such a common mechanism, nor do they support privilege control.
Windows NT has: System Logging, Security Logging (or Auditing), and Application Logging. Security Logging is configurable with data about: logons/logoffs, file and object access, user and group management events, use of user rights, and more. By default auditing is disabled. It can be enabled via the Audit Policy in the User Manager for Domains tool. These are the categories:
See: Securing NT: A Step-by-Step Guide and Windows 2000 Security Checklist.
Windows NT supports a packet filter on servers and workstations, as well as network encryption through a Virtual Private Network (VPN) based on Microsoft's implementation of the Point-to-Point Tunneling Protocol (PPTP).
SMB/CIFS : Share access is based on an implementation of the Server Message Block (SMB) protocol that Microsoft calls CIFS - Common Internet File System. This protocol sets up a session between the client and server that has weak authentication mechanisms as well as loopholes in backward compatibility mechanisms. These weaknesses can allow a bogus client to connect to a share, an attacker to conduct a person-in-the-middle attack between a legitimate client and the server, a malicious user to tailgate into a share session that appears to have ended, and so on. Additionally, by default Windows NT systems allow null sessions: remote SMB sessions set up independently of any username or password entry. Null sessions can be used to extract information from a Windows NT system. Numerous service packs and hot fixes represent an attempt to correct some of the inherent problems in SMB.
NetBEUI and NetBIOS : Protocols such as NetBEUI (Network Basic Extended User Interface) and APIs such as NetBIOS (Network Basic Input/Output System) have outlived their usefulness and have potential for being used in denial-of-service attacks and gaining unauthorized access to resources.
Microsoft's Internet Information Service (IIS) : A built-in Web server that comes with Windows NT servers. IIS uses a virtual directory system accessible through the Web interface that refers to actual directories on the server's file system. In IIS, IP address filtering of connections can be enabled for added security, but there still are a large number of security problems with the IIS web server. Apache and iPlanet are better but each has its own security issues. An IIS FTP server can also be installed on any Windows NT system.
There are important files in directory:
\Windows\System32\Drivers\etc
such as the hosts file.
OUs in Win 2000 allow for hierarchical (tree) arrangement of groups of users who can inherit properties and rights within a domain. They support delegation of privileges. Child OUs can never be given more rights than the parent has. The downside is that OUs are not recognized outside their domain; also, beyond three levels in the tree there is a performance impact.
In Win 2000, the Kerberos authentication service requires strong physical security. One of the easiest ways to compromise Kerberos is to physically access a Kerberos server (called a Key Distribution Center, or KDC) to gain access to Kerberos credentials that reside there. Kerberos credentials are stored in workstation caches. The klist command can be used to flush out Kerberos tickets on workstations if the Software Development Kit (SDK) has been installed. Also, anyone with physical access to a Win 2000 server or workstation can potentially use a DOS or Linux boot disk to gain unauthorized access to any file, just as in Win NT.
In Windows NT a system administrator can implement a variety of policies that affect security. A policy is a set of configuration settings for the system. The Policy Editor (which must be installed from the Resource Kit CD available separately from Microsoft) is used to set security restrictions. Installed on the PDC, policy settings can (among other things) restrict particular programs that users or groups can access.
The account policy applies to all accounts within a domain. It can specify Maximum Password Age, Minimum Password Age (i.e. before being changed - needs to be non-zero to prevent changing back to an old password), Minimum Password Length, Password Uniqueness (how many unique passwords before repeating an old password), Lockout after x Bad Login Attempts, Reset Count after y Minutes (lockout if more than x bad logons in y minutes - resets after one good logon), Lockout Duration in minutes (can be forever - i.e. until an Administrator clears it).
User properties are applied individually and are related to account policy. They include: User Must Change Password at Next Logon, User Cannot Change Password, Password Never Expires, Account Disabled.
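The lockout settings in the account policy above interact over time, so the following added example (not from the original page) replays logon events against them to show which accounts would lock and when. It assumes the bad-logon counter resets once more than y minutes have passed since the previous bad logon and that lockout fires when the counter reaches x; the function name and all event data are constructed.

```python
from datetime import datetime, timedelta

def replay_lockouts(events, bad_count, reset_minutes, lockout_minutes=None):
    """Replay (time, user, ok) logon events against an account policy.

    bad_count       -- Lockout after x Bad Login Attempts
    reset_minutes   -- Reset Count after y Minutes
    lockout_minutes -- Lockout Duration; None means forever (admin must clear)
    Returns [(time, user)] for each lockout the policy would trigger.
    Assumption: the counter resets when more than y minutes have passed
    since the previous bad logon, and lockout fires when it reaches x.
    """
    state, lockouts = {}, []
    for ts, user, ok in sorted(events):
        s = state.setdefault(user, {"bad": 0, "last_bad": None,
                                    "locked": False, "until": None})
        if s["locked"] and s["until"] is not None and ts >= s["until"]:
            s["locked"], s["bad"] = False, 0      # timed lockout expired
        if s["locked"]:
            continue                              # locked accounts reject every attempt
        if ok:
            s["bad"] = 0                          # one good logon resets the count
            continue
        if s["last_bad"] and ts - s["last_bad"] > timedelta(minutes=reset_minutes):
            s["bad"] = 0                          # reset window elapsed
        s["bad"] += 1
        s["last_bad"] = ts
        if s["bad"] >= bad_count:
            s["locked"] = True
            s["until"] = (ts + timedelta(minutes=lockout_minutes)
                          if lockout_minutes is not None else None)
            lockouts.append((ts, user))
    return lockouts

# Constructed sample events: minutes after T0, failed unless ok=True.
T0 = datetime(2010, 8, 21, 9, 0)
def ev(minute, user, ok=False):
    return (T0 + timedelta(minutes=minute), user, ok)

SAMPLE_EVENTS = [
    ev(0, "alice"), ev(1, "alice"), ev(2, "alice"), ev(10, "alice"),
    ev(35, "alice"), ev(36, "alice"), ev(37, "alice"),
    ev(0, "bob"), ev(10, "bob"), ev(11, "bob", ok=True), ev(12, "bob"), ev(13, "bob"),
    ev(0, "carol"), ev(40, "carol"), ev(45, "carol"), ev(50, "carol"),
]

if __name__ == "__main__":
    for ts, user in replay_lockouts(SAMPLE_EVENTS, 3, 30, lockout_minutes=30):
        print(ts.isoformat(), user, "locked out")
```

With a 30-minute Lockout Duration the sample locks alice twice; with a duration of forever she locks once and every later attempt is rejected until an Administrator clears the lockout.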
If deleting a print job gets hung, then:
* run program services.msc,
* select Print Spooler - stop then restart it.
Make sure only one instance of each printer driver exists.
RAS provides remote access to a Windows NT system and/or domain via: dial-up, ISDN, and X.25 networks. RAS clients can be Windows 95/98/ME/NT/2000 connected to a RAS server (a domain controller, a member server, or an NT workstation). The RAS server receives the SAM database from the PDC for use in authentication.
The main security issue with RAS is that it can bypass firewalls (especially if an inexperienced person sets it up). All that is necessary is to enter a correct username and password.
Unlocker - http://tinyurl.com/docs-unlock
Killbox - http://tinyurl.com/docs-kill
CCleaner - http://tinyurl.com/docs-cc
HijackThis - http://tinyurl.com/docs-hjt
Revo Uninstaller - http://tinyurl.com/docs-revo
Trojan Remover - http://tinyurl.com/trojrev
Autoruns - http://download.sysinternals.com/Files/Autoruns.zip
Process Explorer - http://download.sysinternals.com/Files/ProcessExplorer.zip
Security program AVAST - http://tinyurl.com/docs-avast
Win 2000 has no built-in non-removable privileges like Win NT has. The Win 2000 Event Logger has nine categories:
The Win 2000 Security Configuration Tools include templates that can be used in securing just about everything that is important to security in Win 2000. Besides a GUI, the command line tool secedit can be used to analyze or configure the security of the system. By default, nine templates (stored in %systemroot%\security\templates) are available to set the security of various system types to Highly Secure or Basic. Besides these Microsoft recommended settings for various environments, custom templates can be developed and used.
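A security template is an INF-style text file, so its account policy settings can be checked offline before the template is applied. The following added example (not from the original page or from Microsoft) parses the [System Access] section of a constructed template and reports settings that miss a baseline; the baseline thresholds and the function name are hypothetical, and the sample values are constructed.

```python
import configparser

# Constructed sample template text (INF layout used by security templates).
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
"""

# Hypothetical baseline for illustration: key -> (check, why it matters).
BASELINE = {
    "MinimumPasswordAge": (lambda v: v >= 1,
                           "0 lets a user cycle straight back to an old password"),
    "MaximumPasswordAge": (lambda v: 1 <= v <= 90,
                           "passwords never expire or live too long"),
    "MinimumPasswordLength": (lambda v: v >= 8,
                              "short passwords are cheap to guess"),
    "PasswordHistorySize": (lambda v: v >= 1,
                            "0 allows immediate reuse of an old password"),
    "LockoutBadCount": (lambda v: v >= 1,
                        "0 means accounts never lock out"),
}

def audit_account_policy(template_text):
    """Return [(key, value_or_None, reason)] for settings that miss BASELINE."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # keep the template's key case
    cp.read_string(template_text)
    section = cp["System Access"] if cp.has_section("System Access") else {}
    findings = []
    for key, (check, reason) in BASELINE.items():
        raw = section.get(key)
        if raw is None:
            findings.append((key, None, "not defined in template"))
        elif not check(int(raw)):
            findings.append((key, int(raw), reason))
    return findings

if __name__ == "__main__":
    for key, value, reason in audit_account_policy(SAMPLE_TEMPLATE):
        print(f"{key} = {value}: {reason}")
```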
A share is a connection to a particular network device (e.g. hard drive directory or printer). This is very similar to NFS in Unix but the protocols are very different. Users can connect to a share by running Windows Explorer, finding the icon with the appropriate drive and double-clicking it. An alternative is to use the command prompt:
C:\> net use \\[IP address or hostname]\[share name] [password] /user:[username]
Shares are subject to permissions that are applied.
* Click Start Menu
* Select Run
* Type msconfig
* Click OK
* Click Startup Tab
* Select/Deselect invalid apps
* Click OK
On Network and Dial-up Connections dialog
* left click My Network Places, right click properties
On Local Area Connection Properties dialog
* left click Internet Protocol (TCP/IP)
* left click Properties
* left click Advanced
On Advanced TCP/IP Settings dialog
* left click Options tab
* left click TCP/IP filtering
* left click Properties
On TCP/IP Filtering dialog
* left click Enable TCP/IP Filtering (All adapters) check box
* change settings by clicking on Permit Only radio button
* left click Add... allowed TCP ports and UDP Ports
* left click Add... allowed IP Protocols
Trust in Windows NT extends the single domain logon to other domains. Users can double click on the name of a drive to connect to these resources on the trusting domain - no additional login is required. Trusting access cannot occur until at least one global group in a trusted domain is included in at least one local group in a trusting domain. Members of the global group obtain only the level of privileges and access that the local group has. The trust models are:
Periodically check trust relationships to verify an attacker has not changed them.
New features:
New security features
Windows 2000 servers can run in either Native Mode or Mixed Mode. In Native Mode all domain controllers are Win 2000 servers, while in Mixed Mode some Windows NT servers are allowed (resulting in the same NT 4.0 security problems).
In some ways domains got in the way by creating boundaries between network resources. Active Directory helps solve this by de-emphasizing domains. A domain in Win 2000 is characterized by a common set of policy settings. Win 2000 does not have PDCs or BDCs - all Win 2000 domain controllers are authoritative. This has pluses and minuses from the security viewpoint: there is no central server to take down, but any successful attack gets access to everything.
Active Directory depends on DNS running properly. DDNS, Dynamic DNS, provides updates such as when a new site (a host or set of hosts running Active Directory) connects to the network. Active Directory stores information about accounts, organizational units (OUs), security policies, files, directories, printers, services, domains, inheritance rules, and itself. User passwords are stored in the file ntds.dit, which is subject to password cracking.
http://www.microsoft.com | Main site
http://support.microsoft.com | Contains knowledge base for problems and solutions
http://search.microsoft.com/search/search.asp?st=a&View=en-us | Info on MS products, API calls, security notes, etc.
http://www.ntfs.com | Info on NTFS and FAT (16 & 32)
http://annoyances.org | Collection of MS related annoyances and workarounds
http://www.mydigitallife.info/2008/02/23/how-to-disable-uninstall-and-remove-windows-media-center-in-vista/ | How to disable windows media player in Vista.
2005-2009