Introduction
The SANS Top 20 Internet Security Vulnerabilities
The vast majority of worms and other successful cyber attacks
are made possible by vulnerabilities in a small number of common
operating system services. Attackers are opportunistic. They take the
easiest and most convenient route and exploit the best-known flaws with
the most effective and widely available attack tools. They count on
organizations not fixing the problems, and they often attack
indiscriminately, scanning the Internet for any vulnerable systems. The
easy and destructive spread of worms, such as Blaster, Slammer, and
Code Red, can be traced directly to exploitation of unpatched
vulnerabilities.
Four years ago, the SANS Institute and the National Infrastructure
Protection Center (NIPC) at the FBI released a document summarizing the
Ten Most Critical Internet Security Vulnerabilities. Thousands of
organizations used that list, and the expanded Top-20 lists that
followed one, two, and three years later, to prioritize their efforts
so they could close the most dangerous holes first. The vulnerable
services that led to worms like Blaster, Slammer, and Code Red, as well
as NIMDA worms - are on that list.
This SANS Top-20 2004 is actually two Top Ten lists: the ten most
commonly exploited vulnerable services in Windows and the ten most
commonly exploited elements in UNIX and Linux environments. Although
there are thousands of security incidents each year affecting these
operating systems, the overwhelming majority of successful attacks
target one or more of these twenty vulnerable services.
The Top-20 is a consensus list of vulnerabilities that require
immediate remediation. It is the result of a process that brought
together dozens of leading security experts. They come from the most
security-conscious government agencies in the UK, US, and Singapore;
the leading security software vendors and consulting firms; the top
university-based security programs; many other user organizations; and
the SANS Institute. A list of participants may be found at the end of
this document.
The SANS Top-20 is a living document. It includes step-by-step
instructions and pointers to additional information useful for
correcting the security flaws. We will update the list and the
instructions as more critical threats and more current or convenient
methods of protection are identified, and we welcome your input along
the way. This is a community consensus document -- your experience in
fighting attackers and in eliminating the vulnerabilities can help
others who come after you. Please send suggestions via e-mail to top20@sans.org
Top Vulnerabilities to Windows Systems
W1 Web Servers & Services
W2 Workstation Service
W3 Windows Remote Access Services
W4 Microsoft SQL Server (MSSQL)
W5 Windows Authentication
W6 Web Browsers
W7 File-Sharing Applications
W8 LSAS Exposures
W9 Mail Client
W10 Instant Messaging
Top Vulnerabilities to UNIX Systems
U1 BIND Domain Name System
U2 Web Server
U3 Authentication
U4 Version Control Systems
U5 Mail Transport Service
U6 Simple Network Management Protocol (SNMP)
U7 Open Secure Sockets Layer (SSL)
U8 Misconfiguration of Enterprise Services NIS/NFS
U9 Databases
U10 Kernel
|
|
PDF | Printer Friendly Version >>
|
|
Tools That Find the Top 20
|
nCircle.s IP360 vulnerability checks are mapped to the SANS Top 20
categories, allowing customers to easily filter results to produce
clear visibility into their SANS Top 20 exposure. nCircle's unique
profiling technology produces the most accurate results, facilitating
the most effective remediation efforts. For more information, please
visit or email
.nCircle
sales@ncircle.com
|
|
Related Resources
|
|
|
|
Top 20 Archive
|
|
|
|
Upcoming Conferences
|
- St. Louis, MO - Feb. 20, 06
- Orlando, FL - Feb. 24, 06
- Orlando, FL - Feb. 27, 06
- Orlando, FL - Mar. 1, 06
- Orlando, FL - Mar. 3, 06
- Boston, MA - Mar. 13, 06
- Monterey, CA - Mar. 16, 06
- Honolulu, HI - Mar. 19, 06
- Whippany, NJ - Mar. 20, 06
- Boca Raton, FL - Mar. 20, 06
- San Antonio, TX - Mar. 20, 06
- Colorado Springs, CO - Apr. 3, 06
- Munich, Germany - Apr. 3, 06
- Denver, CO - Jun. 1, 06
- London, UK - Jun. 26, 06
- Stay Sharp Program
- SANS On Demand
- SANS@Home
- Mentor Program
- Security Awareness Training
|
|
Top 20 List v5 Update Log
|
Oct. 18, 04 General revisions & CVE/CAN updates
Oct. 15, 04 PSEPC & CESG Statements of Support
|
|
Top 20 Translations
|
Contact top20@sans.org to collaborate in the translation of the Top 20 to your own language.
Chinese - v. 5.0 - Added May 16, 2005
Croatian - v. 5.0 - Added Oct. 8, 2004
Bulgarian - v. 5.0 - Added Oct. 8, 2004
Dutch - v. 5.0 - Added Oct. 8, 2004
German - v. 5.0 - Added Oct. 8, 2004
Italian - v. 5.0 - Added Oct. 8, 2004
Japanese - v. 5.0 - Added Oct. 8, 2004
Lithuanian - v. 5.0 - Added Oct. 20, 2004
Polish - v. 5.0 - Added Oct. 8, 2004
Portuguese - v. 5.0 - Added Oct. 18, 2004
Romanian - v. 5.0 - Added Oct. 8, 2004
NOTE: These translations are a volunteer effort. Our deep gratitude to
the individuals and organizations that invested their time and work to
help the community.
|
|
|
Top Vulnerabilities to Windows Systems (W)
|
|
W1. Web Servers & Services
|
W1.1 Description
Default installations of various HTTP servers and additional components
for serving HTTP requests as well as streaming media to the internet
from Windows platforms have proven vulnerable to a number of serious
attacks over time. The impact of these vulnerabilities can include:
- Denial of service
- Exposure or compromise of sensitive files or data
- Execution of arbitrary commands on the server
- Complete compromise of the server
HTTP servers including IIS, Apache, and iPlanet (now SunOne) have had
numerous issues that have been patched as they have been discovered.
Ensure that all patches are up to date for the server and that a
current version is running. In most HTTP server software the default
configuration is rather open leaving large avenues for exploit. Whilst
this has been changed to a 'secure by default' posture for IIS 6.0, it
is crucial that administrators take the time to fully understand their
web server and adjust the configuration to allow only those features
and services required.
IIS uses a programming hook known as ISAPI to associate files
having certain extensions with DLLs (known as ISAPI extensions).
Preprocessors such as ColdFusion and PHP use ISAPI, and IIS includes
many ISAPI extensions to handle functions such as Active Server Pages
(ASP), .Net web services, and web-based printer sharing. Many ISAPI
extensions installed by default with version 5.0 and earlier of IIS are
not required in most installations, and many of those filters are
exploitable. Examples of malicious programs that use this type of
propagation mechanism include the well-known Code Red and Code Red 2
worms. Enable only the ISAPI extensions that the web server will need
to recognize and restrict the HTTP options that can be used with each
allowed ISAPI extension. This tightening of security is best achieved
via the IIS LockDown tool available freely from Microsoft.
Most web servers include sample applications or web sites that were
designed to demonstrate the functionality of the web server. These
applications were not designed to operate securely in a production
environment. Versions of IIS before 6.0 include sample applications
that can be exploited to allow remote viewing or overwriting of
arbitrary files as well as remote access to other sensitive server
information, such as system configuration settings and paths to
binaries. Remove these applications prior to placing the server into
production.
Any webserver installation that is not regularly maintained is
also subject to vulnerabilities discovered since the software release
date. Examples include the PCT and SSL vulnerabilities that are
addressed by the Microsoft patch MS04-011, which could allow a Denial
of Service condition or allow the attacker to take control of the
server. Timely patching of publicly accessible web servers is critical.
Third-party web add-ons such as ColdFusion and php can
introduce further vulnerabilities in a webserver installation, either
through misconfiguration or through vulnerabilities inherent in the
product.
W1.2 Operating Systems Affected
Any Microsoft Windows system with a web server installed could be affected. This includes, but is not limited to:
- Microsoft IIS: Windows NT4.0 and above, including XP Professional
- Apache HTTP server: Windows NT4.0 SP3 and above are supported, though it is believed to run on Win95 and Win98
- Sun Java System/Sun One/iPlanet Web Server: Windows NT4.0 SP6 and above
Please note: Windows 2000 Server ships with IIS installed by
default, as many administrators discovered during the infamous Nimda
and Code Red outbreaks. As part of the Trustworthy Computing
initiative, Windows Server 2003 does not enable the IIS server in a
standard installation, and the default settings are configured for
security. Furthermore, some third-party applications require
functionality provided by IIS, possibly resulting in administrators
unknowingly installing this software. Never assume a network to be
immune to web server attacks simply because no such server was
intentionally installed; regularly audit networks for the presence of
any "rogue" web servers. See "How to Determine if you are at risk"
below for more information.
W1.3 Related CVE Entries
a. IIS
CAN-2003-0225, CAN-2003-0377, CAN-2003-0227, CAN-2003-0349, CERT-VU-288308, Secunia-12647, Secunia-12638, Secunia-11563
Searchable CVE entries for IIS 2.0, CVE entries for IIS 3.0, CVE entries for IIS 4.0, CVE entries for IIS 5.0. To date no security exposures have been identified in IIS 6.0
b. Apache
CAN-2003-0987, CAN-2003-0842, CVE-2004-0009, CVE-2004-0113, CVE-2003-0993, CAN-2004-0174, CAN-2004-0492, CAN-2004-0488, CAN-2004-0748, CAN-2004-0700, CAN-2004-0751, CAN-2004-0809, CAN-2004-0786, CAN-2004-0811
CVE-2003-0016, CVE-2003-0017, CAN-2003-0460, CAN-2003-0844, CAN-2004-0493
Apache modules: CAN-2003-0844, CAN-2004-0492
c. iPlanet/Sun
CAN-2003-0411, CAN-2003-0412, CAN-2003-0414, CAN-2003-0676
CAN-2002-1315, CAN-2002-1042, CVE-2002-0845, CAN-2003-0676
d. Add-ons
CAN-1999-0455, CAN-1999-0477, CAN-1999-1124, CAN-2001-0535, CAN-2001-1120, CAN-2002-1309, CAN-2003-0172
CVE-1999-0756, CVE-1999-0922, CVE-1999-0924, CVE-2000-0410, CVE-2000-0538
ColdFusion: CAN-2002-1309, CAN-2004-0407, CVE-2000-0189, CVE-2000-0382, CVE-2000-0410, CVE-2000-0538, CVE-2002-0576
PHP: CAN-2002-0249, CAN-2003-0172
e. Other Services
CAN-1999-1369, CAN-2003-0227, CAN-2003-0349, CAN-2003-0725, CVE-2003-0905
CVE-1999-0896, CVE-1999-1045, CVE-2000-0211, CVE-2000-0272, CVE-2000-0474, CVE-2000-1181, CVE-2001-0083, CAN-2001-0524
W1.4 How to Determine if you are at risk
Any default or unpatched web server installations should be presumed vulnerable.
Most web server and service vendors provide a wealth of information regarding current security issues. Examples include:
Also check any web server and associated service's patch and
software revision levels, including configurations, against the
vendor-supplied security information and the CVE database on a regular basis
to assess potential vulnerability. It is important to realize that new
issues are discovered regularly and it is best practice to consult to
make good use of the Windows Update website, Microsoft Security Baseline Analyzer and Automatic Updates feature to properly assess and eliminate potential vulnerabilities.
Some remote and local vulnerability assessment tools exist to aid web
server administrators in auditing their networks, including:
It is recommended that remote vulnerability assessment tools be
run on a network-wide basis, rather than just against known servers, to
assess potential vulnerability of "rogue" web server installations.
W1.5 How to protect against these vulnerabilities
For most systems
- Apply the latest service packs and security updates or the HTTP
service as well as for the Operating System and any applications loaded
on this same host. Once the patches are up-to-date, consider using the
automatic update feature to enable a higher level of security.
- Install host-based anti-virus and Intrusion Detection software. Be
sure to keep both current on patches and review the log files
frequently.
- Disable unused script interpreters and remove their binaries. For
example; perl, perlscript, vbscript, jscript, javascript, and php.
- Enable logging if it is an option and review the logs frequently,
preferably through an automated process that summarizes the events and
reports exceptions and suspicious events.
- Use a syslog-like system to store Operating System and HTTPd logs safely on another system.
- Remove or restrict the system tools that are commonly used by
attackers to assist with both the initial compromise and expansion
beyond the initial victim host. For example; tftp(.exe), ftp(.exe),
cmd.exe, bash, net.exe, remote.exe, and telnet(.exe).
- Limit the applications running on the host to the HTTP service/daemon and its supporting services.
- Be aware of and minimize any vectors into the inner network that
enter through public web server(s). For example, NetBIOS shares or
trust relationships.
- Use different account naming conventions and unique passwords on
public facing systems than on internal systems. Any information leakage
from a public facing system should not aid an attack on the internal
systems.
a. IIS
Consider upgrading your IIS installation to IIS 6.0, which offers
dramatically increased security. Patching a server on installation is
necessary but not sufficient. As new IIS weaknesses are uncovered,
patch accordingly. Windows Update and Automatic Updates are options for single-server installations. Systems Management Server (SMS) and Software Update Services
(SUS) are also very good options for managed environments or
administrators that have responsibilities for multiple disparate
systems. MBSA,
the network security Hotfix checker, assists the system administrator
in scanning local or remote systems for current patches. The tool works
on Windows NT 4, Windows 2000, Windows XP and Windows 2003. The current
version can be downloaded from Microsoft at http://www.microsoft.com/technet/security/tools/mbsahome.mspx.
Use IIS Lockdown Wizard to harden the installation
Microsoft has released a simple tool to aid in securing IIS
installations known as the IIS Lockdown Wizard. The current version can
be downloaded from Microsoft at
http://www.microsoft.com/technet/security/tools/locktool.asp
Running the IIS Lockdown Wizard in "custom" or "expert" mode
will allow the following recommended changes to be made to an IIS
installation:
- Ensure the latest version of WebDAV is employed on the server. IIS
6.0 allows administrators to select whether or not to enable WebDAV.
- Unmap all unnecessary ISAPI extensions (including .htr, .idq, .ism, and .printer in particular).
- Eliminate sample applications.
- Restrict permissions and the availability of binaries commonly
found on a webserver and often used as part of an attack and compromise
(e.g. cmd.exe and tftp.exe).
The SANS Reading Room contains the papers Understanding and installing the IISlockdown tool and Securing a Windows 2000 IIS Web Server - Lessons Learned. The Microsoft Security Centre also contains a wealth of prescriptive guidance for protecting and managing IIS.
Use URLScan to filter HTTP requests
Many IIS exploits, including Code Blue and the Code Red family use
maliciously formed HTTP requests in directory traversal or buffer
overflow attacks. The URLScan filter can be configured to reject such
requests before the server attempts to process them. The current
version has been integrated into the IIS Lockdown Wizard, but can be
downloaded separately from Microsoft at
http://www.microsoft.com/technet/security/tools/urlscan.mspx.
b. Apache
The issues of access control, restriction by IP and the Apache security
modules, along with many other topics, are discusses on the Apache Tutorials page.
In addition, Securing Apache: Step-by-Step
by Artur Maj is a very helpful paper found in the SANS Reading Room
that covers in detail the tasks of securing an Apache server.
c. iPlanet/Sun One
Edmundo Farinas addresses securing iPlanet in his paper Security Considerations for the iPlanet Enterprise Web Server on Solaris which is located in the SANS Reading Room.
In addition, Sun provides the Sun ONE Application Server Security Goals paper which details the recommended steps for securing an iPlanet/Sun One server.
d. Add-ons
If third-party add-ons such as ColdFusion, PerlIIS, or PHP are
used check the third-party vendors' web sites for patches and
configuration tips as well. For obvious reasons, Microsoft does not
include third-party patches in Windows Update and related update
services.
For information on securing ColdFusion, see the SANS Reading Room paper Web Application Security, with a Focus on ColdFusion by Joseph Higgins
Located in the SANS Reading Room, Securing PHP: Step-by-step by Artur Maj illustrates the process of securing PHP applications.
In addition, a helpful resource is the PHP Manual, Chapter 16. Security, which addresses PHP security in detail.
e. Other services
While there are general steps listed above that can be taken to
secure most web services, each usually has its own unique set of vendor
supplied updates and patches, recommended configurations, and logging
features.
Review the documentation including any information posted at the
vendor's web site and make sure to sign-up for each vendor's
notification service and newsletter. This will help to stay informed of
relevant security issues and to address them quickly and effectively.
|
|
W2 Workstation Service
|
W2.1 Description
Windows Workstation service is responsible
for processing user requests to access resources such as files and
printers. The service determines if the resource resides on the local
system or on a network share, and routes the user requests
appropriately.
The network management functions provided by the service can be invoked via any of the following mechanisms.
- DCE/RPC calls over SMB protocol after connecting to the service using \\pipe\wkssvc named pipe.
- DCE/RPC calls directly over a UDP port (> 1024)
- DCE/RPC calls directly over a TCP port (> 1024)
Note that the service binds to the first available TCP and UDP port over 1024.
The Workstation service contains a stack-based buffer overflow that can
be triggered by a specially crafted DCE/RPC call. The problem arises
because parameters are passed to the logging function without any
bounds checking. This overflow can be exploited by an unauthenticated
remote attacker to execute arbitrary code on the vulnerable Windows
machine with "SYSTEM" privileges. The attacker can obtain complete
control of the compromised machine. The exploit code for leveraging the
vulnerability has been posted to the Internet and was re-used in some
variants of Phatbot/Gaobot worm that infected millions of systems
world-wide.
W2.2 Operating Systems Affected
Windows 2000 SP2, SP3 and SP4
Windows XP, Windows XP SP1
Windows XP 64 Bit Edition
W2.3 CVE/CAN Entries
CAN-2003-0812, CAN-2003-0813, CAN-2003-0352
W2.4 How to Determine if you are Vulnerable
Systems running
Windows 2000 without the MS03-049 patch and Windows XP without the
MS03-043 patch are vulnerable. Windows XP users that have installed
Service Pack 2 are protected.
Check for the following registry-entries:
KB828035: Under HKLM\Software\Microsoft\Updates\Windows XP (Windows XP)
KB828749: Under HKLM\Software\Microsoft\Updates\Windows 2000 (Windows 2000)
If
these registry entries are not found the Windows system may be
vulnerable. For greater certainty and support in mitigating this risk,
use a security scanner such as Microsoft Baseline Security Analyzer
(MBSA) to check if the appropriate update has been installed. MBSA can
be downloaded from http://www.microsoft.com/technet/security/tools/mbsahome.mspx
W2.5 How to Protect Against It
- Windows XP Service Pack 2 offers many security enhancements that
protect against these and other security risks. This should be a
priority for Windows XP installations and is recommended by the US-CERT.
- Ensure that Windows systems have all the latest security patches and service packs are installed. The configuration of Automatic Updates
should be viewed as a necessity, tailored to fit individual or
corporate requirements. Specifically ensure that Windows 2000 systems
have MS03-049 and Windows XP systems have MS03-043 patch installed. As
per the previous point, Service Pack 2 should be considered vital.
- Block the ports 139/tcp and 445/tcp at the network perimeter. This
prevents a remote attacker from exploiting the overflow via SMB.
- Open only the necessary TCP ports over 1024 at the network
perimeter. This prevents a remote attacker from exploiting the overflow
via DCE/RPC calls. Note that it is difficult to block UDP ports above
1024 at the firewall as the ports in this range are used as ephemeral
ports.
- Use TCP/IP Filtering available in both Windows 2000 and XP, or
Windows Firewall in Windows XP systems to block inbound access to the
affected ports. The Windows Firewall also offers network administrators
the ability to centrally enforce policies and settings across end-user
systems that can help heighten security.
- For Third-party applications running on customized Windows 2000/XP
platforms ensure that an appropriate patch from the vendor has been
applied. For example, Cisco has released an advisory stating that a
number of Cisco products are vulnerable to this overflow. Cisco has
also provided the patches.
- If the system is stand-alone (i.e. does not belong to a Windows
network environment), the Workstation service can be disabled, however,
this must be done with caution as it can affect applications and system
functionality.
Additional information:
Microsoft Advisory
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
eEye Advisory
http://www.eeye.com/html/Research/Advisories/AD20031111.html
CERT Advisories
http://www.cert.org/advisories/CA-2003-28.html
http://www.kb.cert.org/vuls/id/567620
CORE Security Advisory
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0066.html
Cisco Advisory
http://www.cisco.com/warp/public/707/cisco-sa-20040129-ms03-049.shtml
Gaobot Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.gen.html
|
|
W3 Windows Remote Access Services
|
W3.1 Description
The family of Windows Operating systems supports a variety of different
networking methods and technologies. There is native support for most
industry standard networking protocols and built-in functionality for
many Microsoft specific networking methods and techniques. Common
avenues for exploitation include Network Shares, Anonymous Logon,
remote registry access, and remote procedure calls.
NETBIOS - A set of API's that can allow the sharing
files or folders across a network with other hosts through Windows
network shares. The underlying mechanism of this feature is the Server
Message Block (SMB) protocol, or the Common Internet File System
(CIFS). These protocols permit a host to manipulate remote files just
as if they were local.
Although this is a powerful and useful feature of Windows, improper
configuration of network shares may expose critical system files or may
provide a mechanism for a nefarious user or program to take full
control of the host. One of the ways in which I-Worm.Klez.a-h (Klez Family) worm, Sircam virus (see CERT Advisory 2001-22) and Nimda worm (see CERT Advisory 2001-26)
spread so rapidly in 2001 was by discovering unprotected network shares
and placing copies of themselves in them. Many computer owners
unknowingly open their systems to hackers when they try to improve
convenience for co-workers and outside researchers by making their
drives readable and writeable by network users. But when care is taken
to ensure proper configuration of network shares, the risks of
compromise can be adequately mitigated.
Anonymous Logon - An anonymous session is a
communication link established without correct credentials (i.e. blank
username and password). Null sessions can be used to display
information about users, groups, shares and password policies.
Microsoft Windows NT services running as the Local System account on
the local computer communicate with other services over the network by
establishing null sessions. Windows 2000 and later services running as
the Local System account on the local computer use the local computer
account to authenticate to other servers.
Remote Registry Access - Microsoft Windows 9x, Windows
CE, Windows NT, Windows 2000, Windows 2003, Windows ME and Windows XP
employ a central hierarchical database, known as the Registry, to
manage software, device configurations, and user settings. Improper
permissions or security settings can permit remote registry access or
execution of code or applications that should not be allowed to run.
Remote Procedure Calls - All versions of Microsoft
operating systems (Windows NT 4.0, 2000, XP, and 2003) provide an
inter-process communication mechanism that allows programs running on
one host to execute code on remote hosts. Three vulnerabilities have
been published that would allow an attacker to run arbitrary code on
susceptible hosts with Local System privileges. One of these
vulnerabilities was exploited by Blaster/MSblast/LovSAN and
Nachi/Welchia worms. There are also other vulnerabilities that would
allow attackers to mount Denial of Service attacks against RPC
components.
W3.2 Operating Systems Affected
Windows 95, Windows 98,
Windows NT Workstation and Server, Windows Me, Windows 2000 Workstation
and Server, Windows XP Home and Professional, and Windows 2003 are all
potentially vulnerable.
Windows XP Service Pack 2 changed the behaviour of RPC.
A new RPC Interface Restriction was implemented to make it more secure
by default. Particularly noteworthy are the addition of a new registry
key - RestrictRemoteClients. This key modifies the behaviour of all RPC
interfaces on the system and will, by default, eliminate remote
anonymous access to RPC interfaces on the system, effectively removing
this risk.
W3.3 CVE/CAN Entries
NETBIOS
CVE-2000-0979 (Windows 95, 98, and Windows Me - ONLY), CAN-2003-0661
CAN-1999-0518, CAN-1999-0519, CAN-1999-0621, CAN-2000-1079
Anonymous Logon
CVE-2000-1200
Remote Registry Access
CAN-2000-0377, CVE-2002-0049
CAN-1999-0562, CAN-2001-0045, CAN-2001-0046, CAN-2001-0047, CVE-2002-0642, CVE-2002-1117
Remote Procedure Calls
CAN-2002-1561, CVE-2003-0003, CAN-2003-0352, CAN-2003-0528, CAN-2003-0605, CAN-2003-0715, CAN-2001-0509, CAN-2003-0813
W3.4 How to Determine if you are Vulnerable
How to determine if you are vulnerable to NETBIOS related issues.
A number of tools are available that can help to determine if there are NETBIOS related vulnerabilities on a system.
NbtScan - NetBIOS Name Network explores the NETBIOS file-sharing services available on target systems NbtScan is available at: http://www.inetcat.org/software/nbtscan.html.
NLtest - extremely powerful tool, included in Windows 2000 and 2003 Support Tools (can be found on product CD) and Windows NT4 Resource Kit. NLtest can obtain a wealth of information about potential configuration vulnerabilities.
For Windows NT (SP4), Windows 2000, Windows XP, and Windows 2003, the Microsoft Baseline Security Analyser
will report hosts that are vulnerable to SMB exploits and may be used
to fix the problem. The tests can be run locally or on remote hosts.
Windows NT, Windows 2000, Windows XP, and Windows 2003 users can simply type net share
from the command prompt to see what resources are being shared. For
more information about the net share command, type net share /?.
IMPORTANT Note: This article contains information about
modifying shared resources. Before modifying any shared resource, make
that it is understood how to restore the resource if a problem occurs.
It is recommended that any modifications are thoroughly tested before
implementation in a production environment. For information about
shared resources, click the following article numbers to view the
article in the Microsoft Knowledge Base:
125996 - Saving and Restoring Existing Windows Shares
308419 - HOW TO Set, View, Change, or Remove Special Permissions for Files and Folders in Windows XP
307874 - HOW TO Disable Simplified Sharing and Password-Protect a Shared Folder in Windows XP
174273 - How to Copy Files and Maintain NTFS and Share Permissions
Although File System permissions and settings will take priority, the default permissions on new shares are detailed below:
Windows NT, Windows 2000, and Windows XP (Pre Service Pack 1)
Windows XP SP1
Windows XP by default has one shared directory called "SharedDocs." The physical location of this share is:
C:\Documents and Settings\All Users.WINDOWS
- The owner of the file or folder and local Computer Administrators
have read and write permission to the file or folder. Nobody else may
read or write to the folder or the files in it. This is the default
setting for all the folders and files in each user's My Documents
folder.
Most commercially-available network-based scanners will detect open
shares. A quick and effective test for SMB exposures can be found at
the Gibson Research Corporation web site,
although the accuracy of the results is dependant upon the host system
not being located behind a firewall or screening device.
Automated Scanning tools to detect share vulnerabilities:
How to determine if you are vulnerable to Anonymous Logon related issues.
Try to establish a null session to the computer by issuing the
following command from the command prompt (Start --> Run --> type
cmd):
C:\>net use \\ipaddress\ipc$ "" /user:""
The preceding syntax connects to the hidden interprocess communications
"share (IPC$) at ipaddress (/user:"") with a null () password.
If "The command completed successfully" is received, then the system is
potentially vulnerable to remote interrogation and account enumeration.
The list of tools above, including Nessus and Winfingerprint, can also be used to detect null session vulnerabilities.
How to determine if you are vulnerable to Remote Registry Access related issues.
NT Resource Kit (NTRK) formerly available from Microsoft contains an
executable file entitled Regdump.exe that will passively test remote
registry access permissions from a Windows NT host against other
Windows NT/Windows 2000 or Windows XP hosts on the Internet or internal
network.
How to determine if you are vulnerable to Remote Procedure Call related issues.
Microsoft has made a hotfix, configuration, and patch-checking tool
freely available for download; this is probably the best way to
determine if Windows hosts are susceptible to any of these
vulnerabilities. It is called the Microsoft Baseline Security Analyzer
(MBSA) and is available from http://www.microsoft.com/technet/security/tools/mbsahome.mspx
There is also a standalone scanning tool that will check for missing
security patches for CAN-2003-0352, CAN-2003-0528, CAN-2003- 0605 and
CAN-2003-0715 only; it is available from http://support.microsoft.com/?kbid=827363.
However, it is encouraged to use the MBSA, which has a wider coverage.
Home or small-scale users with only a few computers to take care of
will probably find it easier to visit the Windows Update site at http://windowsupdate.microsoft.com/ and check individual machines for outdated software.
W3.5 How to Protect Against It
Microsoft addresses security vulnerabilities in Service Packs and
security hotfixes for Operating systems and applications. It is
extremely important to have the most current Service Pack installed on
a system.
For example, the Sasser worm and its clones (exploiting vulnerability
of LSASS system) infected a lot of unpatched systems worldwide, while
systems that had hotfix MS04-011 installed were immune to this
extremely dangerous vulnerability. Microsoft had hotfix MS04-011
released a few weeks prior to appearance of the Sasser worm.
NOTE: Windows 95 and Windows NT4 Workstation are no longer
supported by Microsoft. Support for Windows NT4 Server expires on
December 31, 2004.
For details of lifecycle for supported operating systems and products see Microsoft article Product Lifecycle Dates - Windows Product Family.
For finding relevant security hotfixes for a system, use:
- Windows Update
service. It automatically detects all required security hotfixes on the
system and installs them after the user selects (approves) the hotfixes
that need to be installed
- Enable the Automatic Updates feature to provide enhancements to the operating system and applications as they are released by Microsoft.
- Windows Security Bulletin Search online service located at: http://www.microsoft.com/technet/security/current.aspx
While having current service packs and security hotfixes addresses many
software design-related problems (such as buffer overflows, code design
errors etc), there are a number of dangerous features in Windows OS
that have legitimate and documented functionality, but can be safely
disabled or secured in many cases in order to harden system security.
To better understand and highlight potential security exposures or
risks, employ the Microsoft Baseline Security Analyzer (MBSA).
How to protect against NETBIOS related attacks.
Several actions can be taken to mitigate the risk of exploitation of
vulnerability through Windows Networking. NOTE: Extra care must be
taken before disabling sharing or netbios facilities as these can have
adverse effects on enterprise applications and services. In all
circumstances, ensure that the changes are effectively tested before
being implemented into a production environment.
If the system does not need to provide file/print services and does not
need to be remotely administered (most home workstations fit into this
category), the Server service can be disabled.
On Windows NT4/2000/2003/XP systems disable service Server by
selecting Start - Programs - Administrative Tools - Services - select
service Server - double-click it - set Startup type to value Disabled -
press button Apply - press button Stop - press button OK.
If the system does require service Server running, it is
recommended that systems are configured in line with current Best
Practice outlined at the Microsoft Security Guidance Center. In addition, the following steps can be made to secure Windows NT4/2000/2003/XP systems:
- Enumerate all default hidden shares ( C$, D$, E$ etc) by typing command:
Net share
From system command prompt. Make note of existing shares.
- Delete default hidden shares. Note that removing hidden shares will
often break enterprise applications such as backup and management
applications. To ensure the shares remain deleted following a reboot,
the adjustments to the registry (outlined in following steps) must be
also undertaken. To delete the hidden shares, issue the following
command:
Net share C$ /delete
from system command prompt. In most cases all alphabet shares
(C$, D$, E$ etc) and share ADMIN$ can be safely deleted. It is not
recommended to delete default share IPC$ on any system.
- In order to make deletion of default shares permanent (they would
be restored automatically on system restart or restart of service
Server), it is necessary to make following Registry modifications:
- Open Registry editor;
- Navigate to Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
lanmanserver\parameters
- Create new Registry value under this key:
- Value name: AutoShareWks
- Value type: DWord
- Value: 00000000
- Create new Registry value under this key:
- Value name: AutoShareServer
- Value type: DWord
- Value: 00000000
Review existing non-default (custom-created) shares on system. That can be done through:
- Graphical interface (My Computer - right-click - Manage - Shared
Folders - Shares). Select shares that need to be disabled - right-click
- select Stop Sharing.
- Command line (from system prompt or as part of any script):
- Enumerate all shares by typing command:
Net share
From system command prompt. Make note of existing shares.
- Delete unnecessary shares by typing command:
Net share ShareName /delete
from system command prompt.
That will permanently delete non-default (custom-created) shares only.
For permanent deletion of default hidden shares C$, D$, ADMIN$ see
procedures in previous paragraph.
- Windows 95/98/Me clients that are a part of a Windows NT domain are
recommended to be setup with user-level file share access controls.
- Do not permit sharing with hosts on the Internet. Ensure all
Internet-facing hosts have Windows network shares disabled in the
Windows network control panel. File sharing with Internet hosts should
be achieved using SCP, FTP ,or HTTP.
- Do not permit unauthenticated shares. If file sharing is required,
then do not permit unauthenticated access to a share. Configure the
share so a password is required to connect to the share.
- Restrict shares to only the minimum folders required. Shares should
be generally only one folder and possibly sub-folders of that folder.
- Restrict permissions on shared folders to the minimum required. Be
especially careful to only permit write access when it is absolutely
required.
- For added security, allow sharing only to specific IP addresses as DNS names can be spoofed.
How to protect against Anonymous Logon problems on your systems. IMPORTANT Note:
This article contains information about modifying the registry. Before
modifying the registry, make sure to back it up and make sure that it
is understood how to restore the registry if a problem occurs. It is
recommended to thoroughly test any modifications before implementation
in a production environment. For information about how to back up,
restore, and edit the registry, click the following article numbers to
view the article in the Microsoft Knowledge Base:
256986 - Description of the Microsoft Windows Registry
323170 - HOW TO Backup, Edit, and Restore the Registry in Windows NT 4.0
322755 - HOW TO Backup, Edit, and Restore the Registry in Windows 2000
322756 - HOW TO Backup, Edit, and Restore the Registry in Windows XP Windows Server 2003
Windows NT Domain controllers require null sessions to communicate.
Therefore, if working in a Windows NT domain or Windows 2000/2003
Active Directory running in mixed mode, which allows Pre-Windows 2000
compatible access, it is possible to minimize the information that
attackers can obtain, but not stop all leakage by setting the
RestrictAnonymous registry value to 1. For example; GetAcct from
Security Friday sidesteps RestrictAnonymous=1 and will enumerate the
SID and UserID. The ideal solution with a native Windows 2000/2003
Active Directory is to set the RestrictAnonymous registry value to 2.
To restrict information available via null sessions, click the
following article numbers to view the articles in the Microsoft
Knowledge Base:
143474 - Restricting Information Available to Anonymous Logon Users in Windows NT
246261 - How to Use the RestrictAnonymous Registry Value in Windows 2000
To troubleshoot the RestrictAnonymous registry value, click the
following article number to view the article in the Microsoft Knowledge
Base:
296405 - The RestrictAnonymous Registry Value May Break the Trust to a Windows 2000 Domain
Windows NT:
- Start Registry Editor "regedit.exe" and go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro\Lsa
- Set the following registry value:
Name: RestrictAnonymous
Type: REG_DWORD Value: 1
- Restart your computer.
Windows 2000:
- Start "Control Panel-->Administrative Tools-->Local Security Policy".
- Open "Local Policies-->Security Options".
- Make sure "Additional restrictions of anonymous connections" is set to
"No access without explicit anonymous permissions".
- Restart your computer.
Windows XP:
- Start "Control Panel-->Administrative Tools-->Local Security Policy".
- Open "Local Policies-->Security Options".
- Make sure the following two policies are enabled:
- Network Access: Do not allow anonymous enumeration of SAM accounts
- Network Access: Do not allow anonymous enumeration of SAM accounts and shares
- Restart your computer.
How to protect against Remote Registry Access on your systems.
To address this threat, access to the system registry must be
restricted and the permissions set for critical registry keys reviewed.
Users of Microsoft Windows NT 4.0 should also ensure that Service Pack
4 (SP4) or later has been installed before adjusting the registry.
Important Note: This article contains information about
modifying the registry. Before modifying the registry, make sure to
back it up and make sure that it is understood how to restore the
registry if a problem occurs. It is recommended to thoroughly test any
modifications before implementation in a production environment. For
information about how to back up, restore, and edit the registry, click
the following article numbers to view the article in the Microsoft
Knowledge Base:
256986 - Description of the Microsoft Windows Registry
323170 - HOW TO Backup, Edit, and Restore the Registry in Windows NT 4.0
322755 - HOW TO Backup, Edit, and Restore the Registry in Windows 2000
322756 - HOW TO Backup, Edit, and Restore the Registry in Windows XP Windows Server 2003
Restrict Network Access. To restrict network access to the registry, follow the steps listed below to create the following Registry key:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\ SecurePipeServers\winreg
- Description: REG_SZ
- Value: Registry Server
Security permissions set on this key define the Users or Groups that
are permitted remote Registry access. Default Windows installations
define this key and set the Access Control List to provide full
privileges to the system Administrator and Administrators Group (and
Backup Operators in Windows 2000).
Changes to the system registry will require a reboot to take effect. To
create the registry key to restrict access to the registry:
For Windows 2000 and NT:
- Start Registry Editor "regedit.exe" and go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
- On the "Edit" menu, click "Add Key."
- Enter the following values: Key Name: SecurePipeServers Class: REG_SZ
- Go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
- On the "Edit" menu, click "Add Key."
- Enter the following values: Key Name: winreg Class: REG_SZ
- Go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurePipeServers\winreg
- On the "Edit" menu, click "Add Value."
- Enter the following values: Value Name: Description Data Type: REG_SZ String: Registry Server
- Go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurePipeServers\winreg
- Select "winreg." Click "Security" and then click "Permissions." Add Users or Groups to which to grant access.
- Exit Registry Editor and restart Microsoft Windows.
- If at a later stage it is required to change the list of users that can access the registry, repeat steps 10-12.
For Windows XP and 2003:
- Start Registry Editor "regedt32.exe" and go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
- On the "Edit" menu, click "Add Key."
- Enter the following values: Key Name: SecurePipeServers Class: REG_SZ
- Go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
- On the "Edit" menu, click "Add Key."
- Enter the following values: Key Name: winreg Class: REG_SZ
- Go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurePipeServers\winreg
- On the "Edit" menu, click "Add Value."
- Enter the following values: Value Name: Description Data Type: REG_SZ String: Registry Server
- Go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurePipeServers\winreg
- Select "winreg." Click "Edit" and then click "Permissions." Add Users or Groups to which to grant access.
- Exit Registry Editor and restart Microsoft Windows.
- If at a later stage it is required to change the list of users that can access the registry, repeat steps 10-12.
Limit Authorized Remote Access. Enforcing strict restrictions
upon the registry can have adverse side effects upon dependent
services, such as the Directory Replicator and the network printer
Spooler service.
It is therefore possible to add a degree of granularity to the
permissions by adding either the account name that the service is
running under to the access list of the "winreg" key or by configuring
Windows to bypass the access restriction to certain keys by listing
them in the Machine or Users value under the AllowedPaths key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurePipeServers\winreg\AllowedPaths
Value: Machine
Value Type: REG_MULTI_SZ - Multi string
Default
Data: System\CurrentControlSet\Control\ProductOptionsSystem\
CurrentControlSet\Control\Print\PrintersSystem\CurrentControlSet\
Services\EventlogSoftware\Microsoft\WindowsNT\CurrentVersionSystem\
CurrentControlSet\Services\Replicator
Valid Range: (A valid path to a location in the registry)
Description: Allow machines access to listed locations in the registry
provided that no explicit access restrictions exist for that location.
Value: Users
Value Type: REG_MULTI_SZ - Multi string
Default Data: (none)
Valid Range: (A valid path to a location in the registry)
Description: Allow users access to listed locations in the registry
provided that no explicit access restrictions exist for that location.
In the Microsoft Windows 2000 and Windows XP Registry:
Value: Machine
Value Type: REG_MULTI_SZ - Multi string
Default Data: System\CurrentControlSet\Control\ProductOptionsSystem\
CurrentControlSet\Control\Print\PrintersSystem\CurrentControlSet\
control\Server ApplicationSystem\CurrentControlSet\Services\Eventlog\
Software\Microsoft\Windows NT\CurrentVersion
Value: Users (does not exist by default)
It is common for there to be a lag between the time a vulnerability
becomes public and the time a patch is made available. Or for other
policy reasons, the vulnerability must be allowed. To mitigate the risk
an organization can limit access through firewalls or routers. An
additional measure would be to write new rules for an IDS (Intrusion
Detection System) like Snort which would alert or trigger a response by the organization. Examples of documented rules for Snort are located here.
How to protect against Remote Procedure Call-related issues on your systems.
The best way by far is to apply the relevant patches as identified by the MBSA, Automatic Update features or Windows Update:
see "How to determine if you are vulnerable to Remote Procedure Call
related issues" above. Failing that there are a number of ways to
disable or restrict some Remote Procedure Call functionality, and some
can be found in the excellent synopsis at http://www.ntbugtraq.com/dcomrpc.asp.
BE WARNED: disabling or restricting Remote Procedure Call functionality
may break Windows services that are relied on, so always test any
modifications in a non-production environment first.
If systems cannot be patched, then certainly block ports associated
with Windows remote procedure calls (TCP ports 135, 139, 445 and 593;
UDP ports 135, 137, 138 and 445) at the network perimeters. Of course,
it is always best practice to block *all* unnecessary services at the
network perimeter by default.
For more information:
Microsoft Knowledge Base Article 153183. How to Restrict Access to NT Registry from a Remote Computer.
Another source is Microsoft Security Bulletin Search.
MSDN Library (Search for Securing Registry)
Microsoft Knowledge Base Article 310426 : HOW TO: Use the Windows XP and Windows Server 2003 Registry Editor
Network access: Remotely accessible registry paths and subpaths
Windows Server 2003 Security Guide
|
|
W4 Microsoft SQL Server (MSSQL)
|
W4.1 Description
The Microsoft SQL Server (MSSQL) contains several serious
vulnerabilities that allow remote attackers to obtain sensitive
information, alter database content, compromise SQL servers, and, in
some configurations, compromise server hosts.
MSSQL vulnerabilities are well-publicized and actively under attack.
Two recent MSSQL worms in May 2002 and January 2003 exploited several
known MSSQL flaws. Hosts compromised by these worms generate a damaging
level of network traffic when they scan for other vulnerable hosts.
Additional information on these worms can be found at
SQLSnake/Spida Worm (May 2002)
SQL-Slammer/SQL-Hell/Sapphire Worm (January 2003)
Port 1433 and 1434 (MSSQL server and monitor default ports) have also
been regularly registered as two of the most frequently scanned ports
by the Internet Storm Centre.
SQLSnake's exploit routine depends on the default administrative
account, or "sa" account, having a null password. It is essential to
the proper configuration and defence of any system to ensure that all
system accounts are password protected, or completely disabled if not
in use. You can find more information regarding setting and managing sa
account passwords in the Microsoft Developer Network documentation
under Changing the SQL Server Administrator Login, as well as Verify and Change the System Administrator Password by Using MSDE. The sa account should have a complex, hard-to-guess password even if it is not used to run your SQL/MSDE implementation.
SQL Slammer's exploit routine is based upon a buffer overflow in the
SQL Server Resolution Service. This buffer overflow is brought to bear
and host security is thus compromised when the worm sends crafted
attack packets to UDP port 1434 of vulnerable target systems. If a
machine runs SQL services that are subject to this stack buffer
overflow and it receives packets of this nature, it will usually result
in total server and system security compromise. The most effective
means of defence against this worm is diligent patching, proactive
system configuration practices, and ingress/egress UDP port 1434
filtering at network gateways.
The Microsoft Server 2000 Desktop Engine (MSDE 2000) can be thought of
as "SQL Server Lite". Many system owners don't even realize that their
systems are running MSDE and that they have a version of SQL Server
installed. MSDE 2000 is installed as a part of the following Microsoft
products:
- SQL/MSDE Server 2000 (Developer, Standard and Enterprise Editions)
- Visual Studio .NET (Architect, Developer and Professional Editions)
- ASP.NET Web Matrix Tool
- Office XP
- Access 2002
- Visual Fox Pro 7.0/8.0
In addition there are many other software packages that make use of the MSDE 2000 software. For an up-to-date list please check http://www.SQLsecurity.com/applicationslistgridall.aspx.
Since this software uses MSDE as its core database engine, it has the
same vulnerabilities as SQL/MSDE Server. MSDE 2000 can be configured to
listen for incoming client connections in a multitude of different
ways. It can be configured such that clients can use named pipes over a
NetBIOS session (TCP port 139/445) or sockets with clients connecting
to TCP port 1433, or both. Whichever method is used, SQL Server and
MSDE will always listen on UDP port 1434. This port is designated as a
monitor port. Clients will send a message to this port to dynamically
discover how the client should connect to the server.
The MSDE 2000 engine returns information about itself whenever
presented with the single byte packet 0x02 on UDP port 1434. Other
single byte packets cause a buffer overflow without ever having to
authenticate to the server itself. What further exacerbates these
issues is that the attack is channelled over UDP. Whether the MSDE 2000
process runs in the security context of a domain user or the local
SYSTEM account, successful exploitation of these security holes may
mean a total compromise of the target system.
Since SQL Slammer exploits a buffer overflow on the target system,
following best practices of timely patching and conscientious system
configuration helps to mitigate this threat. By downloading and using
defensive tools such as the Microsoft SQL Critical Update Kit,
one can check local systems for vulnerability to this exploit, scan
entire domains or networks for the existence of vulnerable systems, and
automatically update affected files with SQL Critical Update.
Please see the report and analysis on incidents.org
for more details on the SQL/MSDE Slammer worm. This particular attack
affected the Internet Backbone for a few hours on the morning of
January 25, 2003.
W4.2 Operating Systems Affected
Any Microsoft Windows system with Microsoft SQL/MSDE Server 7.0,
Microsoft SQL/MSDE Server 2000 or Microsoft SQL/MSDE Server Desktop
Engine 2000 installed, as well as any system which uses the MSDE engine
separately.
W4.3 CVE/CAN Entries
CVE-2000-0202, CVE-2000-0402, CVE-2000-0485, CVE-2000-0603,CVE-2001-0344, CVE-2001-0879, CAN-2002-0649
CVE-2002-0186, CVE-2002-0187, CAN-2002-0224, CAN-2002-0624, CAN-2002-0641, CVE-2002-0642,CAN-2002-0643, CAN-2002-0644, CAN-2002-0645, CAN-2002-0649, CVE-2002-0650,CAN-2002-0695, CAN-2002-0721, CVE-2002-0729, CVE-2002-0859, CAN-2002-0982,CVE-2002-1123, CVE-2002-1137, CVE-2002-1138, CAN-2002-1145, CAN-2003-0118, Secunia-12680
W4.4 How to Determine if you are Vulnerable
Microsoft has published a set of security tools at http://www.microsoft.com/sql/downloads/securitytools.asp. The toolkit named the SQL Critical Update Kit contains valuable tools such as SQL Scan, SQL Check, and SQL Critical Update.
Chip Andrews of sqlsecurity.com
released a tool called SQLPingv2.2. This tool sends a single byte UDP
packet (byte value of 0x02) to port 1434 of either a single host or an
entire subnet. SQL Servers listening on UDP 1434 will respond by
divulging system details such as version number, instances, etc.
SQLPingv2.2 is considered a scanning and discovery tool much like
Microsoft's SQL Scan, and will not further compromise your system and
network security. Additional SQL security tools can be found at Chip
Andrew's SQL/MSDE Security Web site.
W4.5 How to Protect Against It
Summary:
- Disable SQL/MSDE Monitor Service on UDP Port 1434 (appreciate that
this might interfere with remote administration or backup services).
- Apply the latest service pack for Microsoft SQL/MSDE server and/or MSDE 2000.
- Apply the latest cumulative patch that is released after the latest service pack.
- Apply any individual patches that are released after the latest cumulative patch.
- Enable SQL Server Authentication Logging.
- Secure the server at system and network level.
- Minimize privileges of the MSSQL/MSDEServer service and SQL/MSDE Server Agent.
- Take Best Practice guidance on securing this infrastructure at Microsoft.
Detail:
- Disable the SQL/MSDE Server Monitor on UDP Port 1434.
This can be easily accomplished by installing and using the functionality within SQL Server 2000 Service Pack 3a.
Microsoft's database engine MSDE 2000 exhibits two buffer overflow
vulnerabilities that can be exploited by a remote attacker without ever
having to authenticate to the server. What further exacerbates these
issues is that the attack is channeled over UDP. Whether the MSDE 2000
process runs in the security context of a domain user or the local
SYSTEM account, successful exploitation of these security holes may
mean a total compromise of the target system. MS-SQL/MSDE Slammer sends
a 376 byte long UDP packet to port 1434 using random targets at a very
high rate. Compromised systems will immediately start sending identical
376 byte packets once they are infected. The worm sends traffic to
random IP addresses, including multicast IP addresses, causing a Denial
of Service on the target network. Single infected machines have
reported traffic in excess of 50 Mb/sec after being infected.
- Apply the latest service pack for Microsoft SQL/MSDE server and MSDE 2000.
The current Microsoft SQL/MSDE Server service pack version is:
- SQL/MSDE Server 7.0 Service Pack 4
- MSDE/SQL Server 2000 Service Pack 3a
To ensure that you are current with any future upgrades, monitor Make Your SQL/MSDE Servers Less Vulnerable from Microsoft TechNet.
- Apply the latest cumulative patch that is released after the latest service pack.
The current cumulative patch for all versions of SQL/MSDE/MSDE Server is available at MS02-061 Elevation of Privilege in SQL/MSDE Server Web Tasks (Q316333/Q327068).
To ensure that you are current with any future upgrades, you can check
for the latest cumulative patch for Microsoft SQL/MSDE Server at:
Apply any individual patches that are released after the latest cumulative patch and enable the Automatic Update feature and consider subscribing the Microsoft Security Notification Service. Currently, there is no individual patch after the release of the MS02-061 Elevation of Privilege in SQL/MSDE Server Web Tasks (Q316333/Q327068).
- Enable SQL Server Authentication Logging.
SQL Server Authentication Logging is commonly not enabled. This can be
done through Enterprise Manager (Server properties; tab Security).
- Secure the server at system and network level.
One of the most commonly attacked MSSQL/MSDE exposures is that the
default administrative account (known as "sa") is installed with a
blank password. If your SQL/MSDE "sa" account is not
password-protected, you effectively have no security and can be
affected by worms and other exploits. Therefore, you should follow the
recommendation from the "System Administrator (SA) Login" topic in SQL/MSDE Server Books Online
to make sure that the built-in "sa" account has a strong password, even
if your SQL/MSDE server does not run using this account. Microsoft
Developer's Network has documentation on Changing the SQL Server Administrator Login and how to Verify and Change the System Administrator Password by Using MSDE.
- Minimize privileges of the MSSQL/MSDEServer service and SQL/MSDE Server Agent.
Run the MSSQL/MSDEServer service and SQL/MSDE Server Agent under a
valid domain account with minimal privileges, not as a domain
administrator or the SYSTEM (on NT) or LocalSystem (on 2000 or XP)
account. A compromised service running with local or domain privileges
would give an attacker complete control of your machine and/or your
network.
- Enable Windows NT Authentication, enable auditing for successful
and failed logins, and then stop and restart the MSSQL/MSDEServer
service. If possible, configure your clients to use NT Authentication.
- Packet filtering should be performed at network borders to prohibit
specifically non-authorized inbound or outbound connections to MSSQL
specific services. Ingress and egress filtering of TCP/UDP ports 1433
and 1434 could prevent internal or external attackers from scanning and
or infecting vulnerable Microsoft SQL/MSDE servers on your network or
the networks of others that are not explicitly authorized to provide
public SQL/MSDE services.
- If TCP/UDP ports 1433 and 1434 need to be available on your
Internet gateways, enable and customize egress/ingress filtering to
prevent misuse of this port.
Additional information on securing Microsoft SQL/MSDE Server can be found at
|
|
W5 Windows Authentication
|
W5.1 Description
Passwords, pass-phrases and security codes are used in virtually every
interaction between users and information systems. Most forms of user
authentication, as well as file and data protection, rely on
user-supplied passwords. Since properly authenticated access is often
not logged, or even if logged not likely to arouse suspicion, a
compromised password is an opportunity to explore a system from the
inside virtually undetected. An attacker would have complete access to
any resources available to that user, and would be significantly closer
to being able to access other accounts, nearby machines, and perhaps
even administrative privileges. Despite this threat, accounts with bad
or empty passwords remain extremely common, and organizations with good
password policy are far too rare.
The most common password vulnerabilities are:
- User accounts have weak or nonexistent passwords.
- Regardless of the strength of their password, users fail to protect it.
- The operating system or third-party applications create accounts with weak or nonexistent passwords.
- In many commercial and Open Source applications, the hashing
algorithms is known and often the hashes are stored where they can be
accessed by standard users. Whilst system policies cannot help protect
against hashing implementations or short-comings, the use of strong
passwords can help thwart attacks against the hashes to recover the
pass-phrase.
Microsoft Windows does not store or transmit passwords in clear text -
it uses a hash of password for authentication. A Hash is a fixed-size
result obtained by applying a mathematical function (the hashing
algorithm) to an arbitrary amount of data (also known as the message
digest). There are three Windows authentication algorithms: LM (least
secure, most compatible); NTLM and NTLMv2 (most secure and least
compatible). Although most current Windows environments have no need
for LAN Manager (LM) support, Microsoft Windows locally stores legacy
LM password hashes (also known as LANMAN hashes) by default on Windows
NT, 2000 and XP systems (but not in Windows 2003). Since LM uses a much
weaker encryption scheme than more current Microsoft approaches (NTLM
and NTLMv2), LM passwords can be broken in a relatively short period of
time by a determined attacker. Even passwords that otherwise would be
considered "strong" can be cracked by brute-force in under a week on
current hardware.
http://msdn.miscrosoft.com/library/default.asp?url=/library/en-us/security/Security/h_gly.asp
The weakness of LM hashes derives from the following:
- Passwords are truncated to 14 characters.
- Passwords are padded with spaces to become 14 characters.
- Passwords are converted to all upper case characters.
- Passwords are split into two seven character pieces.
This hashing implementation means that an attacker needs only to
complete the trivial task of cracking two seven-character, upper-case
passwords to gain authenticated access to your system. Since the
complexity of cracking hashes increases geometrically with the length
of the hash, each seven-character string is at least an order of
magnitude simpler to attack by brute-force than would a combined
fourteen-character string. Since all strings are exactly seven
characters (including spaces) and entirely upper-case, a
dictionary-style attack is also simplified. If the pass-phrase consists
of 15 characters or more, the LM hash is sets a null string which
effectively thwarts brute forcing against the hash. It is important to
note that this insecurity is not just specific to Windows environments
- whenever password hashes can be accessed without due authorisation,
there is the potential for an attacker to brute-force the correct
pass-phrase.
In addition to the risk posed by having legacy LM hashes
stored in the SAM, the LAN Manager authentication process is often by
default enabled on clients and accepted by servers. As a result,
Windows machines capable of utilizing stronger hash algorithms instead
send weak LM hashes across the network, making Windows authentication
vulnerable to eavesdropping by packet sniffing, and therefore easing
the efforts of an attacker to obtain and crack user passwords.
W5.2 Operating Systems Affected
All Microsoft Windows operating systems.
W5.3 CVE/CAN Entries
CVE-2000-0222
CAN-1999-0504, CAN-1999-0505, CAN-1999-0506
W5.4 How to Determine if you are Vulnerable
Although there are observable symptoms of general password weakness,
such as the existence of active accounts for users who have departed
the organization or services which are not running, the only way to
know for certain that each individual password is strong is to test all
of them against the same password cracking tools used by attackers.
Please Note: Never run a password scanner, even on systems for
which you have administrative access, without explicit and preferably
written permission from your employer. Administrators with the most
benevolent of intentions have been fired for running password cracking
tools without authority to do so.
A few of the best cracking tools available are: LC6 (L0phtcrack version 5) and John the Ripper
Regarding the issue of a locally stored LAN Manager hash:
- If you are running a default installation of NT, 2000 or XP, you
are vulnerable since LAN Manager hashes are stored locally, although by
default only the system administrator has access privileges.
- If you have legacy operating systems in your environment that
require LM authentication in order to communicate to servers, then you
are vulnerable because those machines send NTLM hashes which can be
sniffed off the network.
W5.5 How to Protect Against It
The best and most appropriate defence against password weaknesses is a
strong policy which includes thorough instructions to engender good
password habits and proactive checking of password integrity.
- Ensure that passwords are consistently strong. Given enough
hardware and enough time, any password can be cracked by brute force.
But there are simpler and very successful ways to learn passwords
without such expense. Password crackers employ what are known as
dictionary-style attacks. Since hashing methods are known, cracking
utilities simply compare the hashed form of a password against the
hashed forms of dictionary words (in many languages), proper names, and
permutations of both. Therefore a password whose root in any way
resembles a known word is highly susceptible to a password-cracking
attack. Many organizations instruct users to generate passwords by
including combinations of alphanumeric and special characters, and
users more often than not adhere by taking a word ("password") and
converting letters to numbers or special characters ("pa$$w0rd"). Such
permutations can protect against a dictionary attack, but are likely to
fall if subject to a brute-force attempt on every printable character.
A good password therefore cannot have a word or proper name as its
root. A strong password policy should direct users to generate
passwords from something more random, like a phrase or the title of a
book or song. By concatenating a longer string (taking the first letter
of each word, or substituting a special character for a word, removing
all the vowels, etc.), users can generate sufficiently long strings
which combine alphanumeric and special characters in a way which
dictionary attacks will have great difficulty cracking. And if the
string is easy to remember, then the password should be as well.
Once users are given the proper instructions for generating good
passwords, procedures should be put in place to assure that these
instructions are followed. The best way to do this is by validating the
password whenever the user changes it by employing Passfilt (NT4).
Windows 2000, XP, 2003 have powerful tools for enforcing password
policy. To view your current password policy on most Windows systems,
follow these steps (Start - Programs - Administrative Tools - Local
Security Policy - select Account Policies - Password Policy). The Local
Security Policy has following settings:
- Password must meet complexity requirements. Determines whether
passwords must meet complexity requirements. Complexity requirements
are enforced when passwords are changed or created. If this policy is
enabled, passwords must meet the following minimum requirements:
- Not contain all or part of the user's account name
- Be at least six characters in length
- Contain characters from three of the following four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Nonalphanumeric characters (e.g., !, $, #, %)
- Enforce password history (range: 0-24): Determines the
number of unique new passwords that have to be associated with a user
account before an old password can be reused. The value must be between
0 and 24 passwords. Setting this parameter to 0 passwords remembered
enables password recycling; setting it to 24 passwords remembered
requires 24 changes of password before initial password can be
recycled. This policy enables administrators to enhance security by
ensuring that old passwords are not reused continually. To maintain the
effectiveness of the password history, do not allow passwords to be
changed immediately when you configure the minimum password age.
- Maximum password age (range: 0-999 days): Determines the
period of time (in days) that a password can be used before the system
requires the user to change it. You can set passwords to expire after a
number of days between 1 and 999, or you can specify that passwords
never expire by setting the number of days to 0.
- Minimum password age (range: 0-999 days): Determines the
period of time (in days) that a password must be used before the user
can change it. You can set a value between 1 and 999 days, or you can
allow changes immediately by setting the number of days to 0. The
minimum password age must be less than the maximum password age.
Configure the minimum password age to be more than 0 if you want
Enforce password history to be effective. Without a minimum password
age, users can cycle through passwords repeatedly until they get to an
old favorite. The default setting does not follow this recommendation,
so that an administrator can specify a password for a user and then
require the user to change the administrator-defined password when the
user logs on. If the password history is set to 0, the user does not
have to choose a new password. For this reason, password history is set
to 1 by default.
- Minimum password length (range: 0-14 characters): Determines
the least number of characters that a password for a user account may
contain. You can set a value of between 1 and 14 characters, or you can
establish that no password is required by setting the number of
characters to 0. Minimum password length should conform to corporate
security policy (otherwise it is recommended that it be set to 8 or
more characters; National Security Agency (NSA) recommends 12 characters).
- Store password using reversible encryption for all users in
the domain: Determines whether Windows 2000, 2003 and XP Professional
store passwords using reversible encryption. This policy provides
support for applications using protocols that require knowledge of the
user's password for authentication purposes. Storing passwords using
reversible encryption is essentially the same as storing plaintext
versions of the passwords. For this reason, this policy should never be
enabled unless application requirements outweigh the need to protect
password information.
An approach that can be used to automatically generate and assign
complex passwords to user accounts is as follows - run the following
command (from Command line prompt of Windows NT4, 2000, XP, 2003):
Net user username /random
Execution of this command will assign random complex (but always
8-characters long) passwords to an account and will print this password
on the console screen. This method is usually more appropriate for
assigning passwords for service accounts, rather than for actual users.
The best way to audit the quality of passwords is to run password
cracking utilities in a stand-alone mode as part of routine scanning.
Important Note: Never run a password scanner, even on systems
for which you have administrative access, without explicit and
preferably written permission from your employer. Administrators with
the most benevolent of intentions have been fired for running password
cracking tools without authority to do so.
Once you have acquired authority to run cracking utilities on your
system, do so regularly on a protected machine. Users whose passwords
are cracked should be notified confidentially and given instructions on
how to choose a good password. Administrators and management should
develop these procedures together so that management can provide
assistance when users do not respond to these notifications.
Another way to protect against nonexistent or weak passwords is to use
an alternative form of authentication such as password-generating
tokens or biometrics.
- Protect strong passwords. Even if passwords themselves are
strong, accounts can be compromised if users do not protect their
passwords. Good policy should include instructions that a user never
tell his or her password to anyone else, never write a password down
where it could be read by others, and properly secure any files in
which a password is stored to automate authentication (passwords are
easier to protect when this practice is only used if absolutely
necessary). Password aging should be enforced so that any passwords
which slip through these rules are only vulnerable for a short window
of time, and old passwords should not be reused. Make sure that the
users are given warning and chances to change their password before it
expires. When faced with the message "Your password has expired and
must be changed," users will tend to pick a bad password.
- Prevent password hashes and SAM database from being copied. Password cracking tools, mentioned in this section, obtain password hashes by:
- Sniffing passwords from the network. Countermeasures: 1. Use of
switched networks; 2. Detection and removal of network cards in
promiscuous mode (they can be detected by most commercial security
assessment tools, such as free tools like ethereal).
- Copying SAM file (located in %SystemRoot%\System32\Config\ folder
usually C:\Winnt\System32\Config\ - on Windows NT4 and 2000 or
C:\Windows\System32\Config\ - on Windows XP and 2003). This file is
normally locked by Windows OS and can be copied only when system booted
to alternative OS. SAM file also can be obtained by restoring backup of
SAM file or System State (Windows 2000, 2003, XP). SAM file also
located on NT4 Repair Disk.
Countermeasures: Limit and monitor physical access to computer systems (especially domain controllers), backup media and Repair Disk.
The following Microsoft articles provide useful references:
- Tightly control accounts.
- Any service-based or administrative accounts not in use should be
disabled or removed. Any service-based or administrative accounts which
are used should be given new and strong passwords.
- Audit the accounts on your systems and create a master list. Do not
forget to check passwords on systems like routers and
Internet-connected digital printers, copiers and printer controllers.
- Develop procedures for adding authorized accounts to the list, and for removing accounts when they are no longer in use.
- Validate the list on a regular basis to make sure no new accounts have been added and that unused accounts have been removed.
- Have rigid procedures for removing accounts when employees or contractors leave or when the accounts are no longer required.
- Maintain strong password policy for the enterprise. In
addition to operating system or network service-level controls, there
are many comprehensive tools available to help manage good password
policy. Many sample policies templates, policy development guidelines,
password security fundamentals, and links to numerous security policy
web sites (which include password policy information) can be found at
the SANS Security Policy Project site.
- Disable LM authentication across the network. The best
replacement in Windows for LAN Manager authentication is NT LAN Manager
version 2 (NTLMv2). NTLMv2 challenge/response methods overcome many
weaknesses in LM by using stronger encryption and improved
authentication and session security mechanisms. The registry key that
controls this capability in both Windows NT and 2000 is:
Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Control\LSA
Value: LMCompatibilityLevel
Value Type: REG_DWORD - Number
Valid Range: 0-5
Default: 0
Description: This parameter specifies the type of authentication to be used.
0 - Send LM response and NTLM response; never use NTLMv2 session security
1 - Use NTLMv2 session security if negotiated
2 - Send NTLM authentication only
3 - Send NTLMv2 authentication only
4 - DC refuses LM authentication
5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)
On Windows 2000, 2003, and XP the same functionality can be implemented
by configuring the setting LAN Manager authentication level (Windows
2000) or Network security: LAN Manager authentication level (Windows
XP, 2003) (Start - Programs - Administrative Tools - Local Security
Policy - Local Policies - Security Options).
If all of your systems are Windows NT SP4 or later, you can set this to
3 on all clients and 5 on all domain controllers to prevent any
transmission of LM hashes on the network. However, legacy systems (such
as Windows 95/98) will not use NTLMv2 with the default Microsoft
Network Client. To get NTLMv2 capability, install the Directory
Services Client. Once installed, the registry value name is
"LMCompatibility," and the allowed values are 0 or 3.
If you cannot force your legacy clients to use NTLMv2, you can gain a
slight improvement over LM hashing by forcing NTLM (NT Lan Manager,
version 1) at the domain controller (set LMCompatibilityLevel to 4 or
if you use tool Local Security Policy set LAN Manager authentication
level to value: Send NTLMv2 Response only\Refuse LM). But the most
secure option with regard to legacy systems is to migrate them to newer
operating platforms, since the older operating systems do not allow
this minimum security level to be supported.
- Prevent the LM hash from being stored. One major problem
with simply removing the LM hashes being passed over the network is
that the hashes are still created and stored in the SAM or Active
Directory. Microsoft has a mechanism available for turning off the
creation of the LM hashes altogether, but only in Windows 2000, 2003
and XP. On Windows 2000 systems (SP2 or later), the following registry
key controls this function:
Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Control\LSA\NoLMHash
If this key is created on a Windows 2000 Domain Controller, the LanMan
| |
