Technology to Stop Hackers
Download as PPT, PDF1 like43 views
This document outlines top 10 ways to stop hackers from gaining access to servers, including securing email clients, restricting anonymous access, applying access control lists (ACLs) to system executables and directories, disabling unnecessary services, filtering ports, disabling NetBIOS, applying security templates, following the IIS5 security checklist, and applying relevant hotfixes from Microsoft. It provides specific configuration steps and examples for hardening security on Windows servers.
Technology to Stop Hackers
- 1. Foiling JD: Top 10 Ways to Stop Hackers ANAND KUMAR MISHRA Microsoft Corporation
- 2. Introduction Practice Defense in Depth A well-configured server will often resist even newly found vulnerabilities Example – the NT 4.0 system set up for Eweek’s first OpenHack contest would have remained secure against most new attacks found over the next year
- 3. 10. Secure Your Email client Outlook Apply the Outlook Security Update Outlook Express Move OE to Restricted Sites Zone Disable Active Scripting and Java Don’t read e-mail on a web server!
- 4. 9. Restrict Anonymous Set RestrictAnonymous=2 This blocks detailed enumeration of users and groups over a variety of protocols (setting included in HiSec* templates) Do not allow system with RA=2 to become master browser
- 5. 8. ACL System Executables Remove ability for users to execute system commands (cmd.exe, tftp.exe, etc.) C:winnt (and subdirectories) Dir *.exe /s /b > outfile.txt Cacl *.exe files as such: Admins: Full System: Full
- 6. 7. ACL Directories Remove permissions for IUSR, IWAM, and Everyone to Write and Execute files in all directories Dump directory list to file Run cacls against each directory Identify each entry with Everyone perms Read/Execute Write Reset perms as follows:
- 7. 7. ACL Directories Inetpub Everyone:(OI)(CI)F Set to admins:F, everyone:R ------------------------------------------------------------------------------ Documents and SettingsAll UsersDRM Everyone:(OI)(CI)F Set to everyone:R ------------------------------------------------------------------------------ Documents and SettingsAll UsersApplication DataMicrosoftHTML Help Everyone:F Documents and SettingsAll UsersApplication DataMicrosoftHTML Help Everyone:(OI)(CI)(IO)F Set to everyone:R ------------------------------------------------------------------------------ Documents and SettingsAll UsersApplication DataMicrosoftCryptoRSAMachineKeys Everyone:(special access:) READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES Remove FILE_GENERIC_WRITE FILE_WRITE_DATA ------------------------------------------------------------------------------
- 8. 7. ACL Directories InetpubAdminScripts Everyone:(OI)(CI)F Inherited permissions from Inetpub ------------------------------------------------------------------------------ Inetpubmailroot Everyone:(OI)(CI)F InetpubmailrootBadmail Everyone:(OI)(CI)F InetpubmailrootDrop Everyone:(OI)(CI)F InetpubmailrootMailbox Everyone:(OI)(CI)F InetpubmailrootPickup Everyone:(OI)(CI)F InetpubmailrootQueue Everyone:(OI)(CI)F InetpubmailrootRoute Everyone:(OI)(CI)F InetpubmailrootSortTemp Everyone:(OI)(CI)F Inherited permissions from Inetpub ------------------------------------------------------------------------------
- 9. 7. ACL Directories WINNTTasks Everyone:(OI)(CI)(special access:) READ_CONTROL SYNCHRONIZE FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_GENERIC_EXECUTE FILE_READ_DATA FILE_WRITE_DATA FILE_APPEND_DATA FILE_READ_EA FILE_WRITE_EA FILE_EXECUTE FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES WINNTsystem32Setup Everyone:(OI)(CI)F Set to admins:F, everyone:R ------------------------------------------------------------------------------ WINNTsystem32inetsrvData Everyone:F Set to everyone:R ------------------------------------------------------------------------------ WINNTsystem32MicrosoftCryptoRSAMachineKeys Everyone:(special access:) Set to everyone:R
- 10. 6. Disable Services Alerter Computer Browser Indexing Service Messenger Print spooler Remote Registry Distributed File System Workstation Server Telnet Smtp
- 11. 5. Filter Ports 42 WINS Host Name Server 80 HTTP 88 Kerberos 135 MS RPC 139 NetBIOS Session Service 389 LDAP 443 SSL 445 CIFS-SMB 464 kpasswd 593 HTTP endpoint mapper 636 SSL-ldap 3268 MS Global Catalog 3269 MS Global Catalog 3372 (Local-host only connection) 3389 MS Terminal Server xxxx IIS 5.0 HTML Mgmt
- 12. 5. Filter Ports Apply IPSec Port Filters Block access to ALL ports but 80, 443, etc.
- 13. 5. Filter Ports
- 14. 5. Filter Ports Apply Port Filtering at the Router Block all non-essential ports in BOTH directions Why should DMZ webserver be doing NetBIOS, TFTP, or HTTP OUTBOUND to other Internet Hosts? It Shouldn’t. Block It.
- 15. 4. Disable NetBIOS Foil Feinman Don’t allow malicious users to access tcp 139 and tcp/udp 445 Without this access – it will be much tougher for hacker to enumerate details about users and groups
- 16. 4. Disable NetBIOS IPSec Create Blocker rules for tcp 139 and tcp/udp 445 Unbind File and Printer Sharing for Microsoft Networks Will stop 139 from responding to requests Advanced IP filtering Only allow required ports Unbind NetBIOS from WINS
- 17. 4. Unbind F&P Sharing Must select Advanced – Advanced Settings 445 disappears, 139 appears, but does not respond No Reboot Required
- 18. 4. Advanced IP Filtering Reboot Required !! Only specified ports are allowed
- 19. 4. Advanced IP Filtering Reboot Required !! WARNING Selecting IP Protocols – Permit Only ‘6’ (tcp) will ALSO allow ICMP ‘1’ – even though this is not explicitely defined
- 20. 4. Unbind NetBIOS from WINS 139 disappears, 445 still accepts connections No Reboot Required
- 21. 4. Disable NetBIOS Most Secure Option Is to Unbind File and Printer Sharing from the specified adapter Both 139 and 445 will be prohibited
- 22. 4. Foiling Feinman Aside from Blocking User Enumeration via NetBIOS You must secure enumeration via SNMP and LDAP Block tcp 389 and udp 161 DO NOT weaken perms on AD during AD setup Or, remove EVERYONE group from Pre- Windows 2000 Compatability group
- 24. 3. Apply Security Templates Templates located in: Winntsecuritytemplates Basicdc Basicsv Basicws Compatws Hisecdc Hisecws Ocfiless Ocfilesw Securedc Securews HISECWEB – download from microsoft.com/security
- 25. 2. Follow IIS5 Checklist Summary: Remove sample apps inetpubsamples winnthelpiishelp Program filescommon filessystemmsadc ACL IIS log file Admin and system Full Everyone RWC Enable IIS Logging Review all code on server for RevertToSelf calls
- 26. 2. Follow IIS5 Checklist (cont) Disable File System Object Regsrv32 scrrun.dll /u Remove IISADMPWD directory (if exists) Only exists if upgraded from IIS4 Remove script mappings htr, idc, stm, shtm, shtml Disable Parent Paths Scripts, msadc, etc.
- 27. Additional IIS Security Steps Remove or disable Admin web sites Remove Server extensions if you aren’t using them (remove files, too) Run Permissions Wizard on all web directories Disable Windows Auth on directories that don’t need it
- 28. 1. Apply Hotfixes Search by Service Pack
- 29. 1. Apply Hotfixes Apply the Patches MS00-086 Solves Directory Traversal Vulnerability Supersedes 00-057 and 00-078 MS01-007 Solves Win2K Privilege Escalation Vulnerability Visit microsoft.com/security for others…
- 31. Resources www.microsoft.com/security Bulletins and patches IIS5 Security Checklist HiSecWeb Template HFCheck (IIS5 hotfix checker) secure@microsoft.com Reports of security vulnerabilities in MS products secfdbck@microsoft.com Feedback on website, tools, checklists, etc.