Secure System Administration - SANS GIAC © 2000, 2001

Windows NT 4.0 Security

In our next sections together we will consider the Windows NT and Windows 2000 operating systems. Windows NT was Microsoft’s first effort in building a production server operating system, and they made a number of changes and improvements in Windows 2000. We are going to take a quick look at the architecture and file system and then move into the tools that you can use to gather clues from your operating system. I am going to approach the tools in the following way: since NT has tools to implement security, we are going to learn to configure our system security policy and at the same time how to check it. As always, we will focus on learning to use the tools that are available with the operating system and possibly the Resource Kit, but we are also going to look at something new, your operating system’s interface to the network.

In order to run a number of the exercises, you will need to be logged in as Administrator. As always, unless this is a scratch operating system that you loaded only for testing, make sure you have a good backup before trying privileged system commands.

[Slide diagram, from the hardware up: Hardware; Hardware Abstraction Layer (responsible for CPU and bus); Windows NT Kernel; NT Executive (Object Manager, Virtual Memory Manager, I/O Manager); Subsystems: Security, Win32, POSIX ...; User Processes: Outlook, Explorer .... The slide labels the lower layers Kernel Mode and the upper layers User Mode.]

Windows NT is a synthesis of operating systems that came before it, including MACH, UNIX, and VMS. The hardware privilege model is straightforward: kernel mode can run anything and user mode is tightly constrained. Two things to note:

• Though there are multiple subsystems, including POSIX, OS/2, and the Virtual DOS Machine (VDM), they are rarely used. The Win32 subsystem is the animal that is more equal than other animals and it operates with more privileges.
• Application programmers are supposed to write to the subsystems via Application Programming Interfaces (APIs), not write direct calls into the kernel. The subsystems use system service calls to communicate with the kernel mode portion of the operating system. If programmers stick to APIs, their software is more portable and safer in some sense. The APIs communicate with device drivers and these manage the hardware. These layers of abstraction increase the size of the operating system, but make it easier to write software.

What is Running?

Attackers may target device drivers because they run in kernel space with access to most of the system functions. For this reason, we need to know what drivers are installed on our system. To see which drivers are installed and their current status use: Start → Settings → Control Panel → Devices

The above screen appears, showing the device name, its current status, and the configured startup behavior. Highlight a device name to start or stop the device or to change its startup behavior. Available options for startup behavior include Automatic, Manual, and Disabled. Other options may be available depending on the Service Pack applied and your current system configuration.

New and reassigned systems often arrive with optional hardware that is not required. These can complicate configuring the server and may give attackers another door into the system. Experts do not recommend modems and removable media devices for critical systems. Physically remove these and their associated drivers and software.

Protecting the devices involved in the boot process is critical. If at all possible, place servers in a locked room with limited access to maintain physical security. When this is not possible, secure the server with a power-on password and consider disabling the option to boot from the floppy drive.
If the system doesn't need the floppy drive, remove it.

Kernel Mode

• Hardware Abstraction Layer (HAL) – directly interfaces with the hardware and allows NT to run on completely different hardware such as Intel and also Alpha chips
• Windows NT Kernel – provides process and thread scheduling, multiprocessor support and interrupt handling
• Windows NT Executive – uses the services of HAL and the kernel, handles file systems, device drivers and I/O

This slide gives an overview of the kernel mode processes for NT. The NT kernel is fairly small in terms of size or lines of code compared to the NT Executive. It is responsible for core OS functionality such as hardware exceptions, interrupts and traps. This is supposed to be the most privileged process in the operating system.

The kernel gets its configuration from the registry database. The startup information is kept in HKEY_LOCAL_MACHINE, which has the following registry keys: HARDWARE, SAM, SECURITY, SOFTWARE, and SYSTEM. In troubleshooting, HARDWARE and SYSTEM are the most important and SYSTEM is used heavily in bootup. If the registry gets corrupted, bootup and operation of the system is nearly impossible. You can back up the registry on the local system using the NTBACKUP program, but you must select it specifically.

Another thought is to create an Emergency Repair Disk (ERD). The Emergency Repair Disk can be used to repair a corrupt Partition Boot Sector. The ERD is unique for each system. An ERD created on one workstation or server will probably not work with a different workstation or server. The ERD should be kept in a secure location since the disk contains security information from the machine on which it was created.

To create an emergency repair disk, type RDISK /S at the command prompt. Please do this NOW. We will remind you several times in the course, but if you make a mistake, you will need an ERD. You MUST protect this disk!
The /S switch copies the SAM database onto the floppy. Password crackers can crack the passwords from this disk. Also note, the Repair Disk is not a boot disk. Setup disks – bootable disks used in installing Windows NT – are created by running winnt32.exe with the /ox switch.

Core NT File Systems

• FAT 16
• FAT 32
• NTFS4 and NTFS5

Any discussion of NT or Windows 2000 should be based on the NTFS file system. The differences between NT 4.0 and NT 5.0 (Win 2K) are very small in regards to the file system.

The three file systems listed on your slide account for most Windows files. If you read system documentation you will see references that claim NT systems can support a number of file systems. This is not true in practice except for special purposes:

• CDFS: ISO 9660 disks
• UDFS: DVDs

These are examples of Installable File Systems. Both Windows NT and Windows 2000 were designed around the NTFS file system and are happiest in an NTFS environment.

Instead of FDISK, on NT you should use Disk Administrator. As the user Administrator, use Start → Programs → Administrative Tools → Disk Administrator to do partition and other FDISK work.

[Editor’s note: vol will display the serial number and label for a disk with any of the Windows file systems. This can be used as a step in evidence collection, for instance vol c:\ > disklabel.txt. It will not, however, display the file system, whereas chkdsk will. - SRN]

NTFS

• 64 bit address scheme, 2**64 bytes
• Hierarchical database (Master File Table) MFT – Files are a record in this database
• Provides for file and folder level security:
  – Full Control (all of the rest)
  – Modify
  – Write
  – Read & Execute
  – List Folder Contents

NTFS is a major improvement over the FAT file systems.
This applies to a number of dimensions: more files, bigger files, more naming flexibility, resistance to becoming fragmented, and so on. NTFS also makes more efficient use of the disk, limiting the available hiding places for malware.

Like the FAT file system, the NTFS file system uses clusters as the fundamental unit of disk allocation. In NTFS, the default cluster size depends on the volume size. For volumes of 512MB or less, the default cluster size equals the sector size of 512 bytes. For volume sizes of 513MB or greater, the cluster size increases but the sector size remains constant. Very large drives may be formatted to make use of larger clusters to improve operating system performance at the cost of a bit of wasted disk space.

All of these are certainly important, but the most important thing is that NTFS file security is more granular than FAT, allowing fine tuning of permissions at the file level through Access Control Lists (ACLs). FAT/FAT32 allows limited use of passwords to protect shared folders (no file-level security is available) and provides absolutely no protection when a user logs on locally.

You can convert from FAT to NTFS with the convert utility. From the command line, first run vol to get your volume name. Then type:

CONVERT <volume_name> /fs:ntfs

You can also use the drive letter with the CONVERT command, e.g., CONVERT C: /fs:ntfs.

Checking File Stamps

• The DIR command can be used to check size and date/time
• A good attacker can change this information to hide their files!
• To check creation date/time and size of all EXE files:

dir c:\winnt\*.exe /s/t:c > exefiles.txt

One sign of system compromise is unauthorized modification of files. This slide shows an example of using options to the dir command to query one or more files as to their creation or last access time. Be aware that an attacker can change the file attributes, so this technique is not perfect.
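Because the stamps dir reports can be altered, the practical value of the slide's dir ... > exefiles.txt listing is as a baseline to compare against a later run of the same command. The Python script below is an added example, not part of the SANS notes: it parses two such listings (constructed samples in the NT 4.0 dir layout, not captured from a real host) and reports executables that were added, removed, or changed in creation stamp or size. An empty diff proves nothing, since an attacker can reset the stamps; a non-empty one is a lead worth following up.

```python
import re

# Constructed samples of "dir c:\winnt\*.exe /s/t:c" output in the NT 4.0
# layout (date, creation time, size, name); not captured from a real host.
BASELINE = """\
 Directory of c:\\winnt
10/14/96  01:38a                45,328 NOTEPAD.EXE
10/14/96  01:38a               181,520 REGEDIT.EXE
               2 File(s)        226,848 bytes
 Directory of c:\\winnt\\system32
10/14/96  01:38a               208,144 CMD.EXE
"""
# The same command run later: NOTEPAD.EXE now carries a different creation
# stamp and size, and an extra executable has appeared in system32.
LATER = """\
 Directory of c:\\winnt
03/02/01  11:52p                48,112 NOTEPAD.EXE
10/14/96  01:38a               181,520 REGEDIT.EXE
 Directory of c:\\winnt\\system32
10/14/96  01:38a               208,144 CMD.EXE
03/02/01  11:53p                 9,216 SVCHLP.EXE
"""
DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")
# <DIR> rows and "n File(s)" summary rows do not match this pattern.
FILE_LINE = re.compile(r"^(\d\d/\d\d/\d\d)\s+(\d\d:\d\d[ap])\s+([\d,]+)\s+(\S.*?)\s*$")


def parse_dir_listing(text):
    """Map lower-cased full path -> (creation stamp, size in bytes)."""
    entries, current_dir = {}, ""
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_LINE.match(line)
        if m:
            date, time, size, name = m.groups()
            path = (current_dir + "\\" + name).lower()
            entries[path] = (date + " " + time, int(size.replace(",", "")))
    return entries


def compare_listings(baseline_text, later_text):
    """Paths added, removed, or changed (stamp or size) between two runs."""
    base, later = parse_dir_listing(baseline_text), parse_dir_listing(later_text)
    return {
        "added": sorted(set(later) - set(base)),
        "removed": sorted(set(base) - set(later)),
        "changed": sorted(p for p in base if p in later and base[p] != later[p]),
    }
```

Call compare_listings with the contents of two saved exefiles.txt captures; the keys are full paths, so the same file name in a different directory is reported as a new file rather than masked.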
But, dir is still a useful tool for exploring what an attacker has done to a system during a given session. The example at the bottom of the screen is using the /t:c switch which will report the date and time stamp of when the file was created. You can substitute a “w” for the “c” to see the last time the file was written to, or an “a” to see the last access time. This implies that NTFS has more attributes than the four kept by the FAT file system. For more information on the dir switches available, type dir /? at the command prompt. Next let’s see how to configure our browser to see more file types.

Viewing all files

As you probably discovered in the previous section on Windows 9x, while dir has a large number of options, it really has some limitations. The default viewing options in NT hide the following files: .dll, .sys, .vxd, .386, .drv, and .pnf files. These initial options also hide extensions for known file types, such as .bat, .txt, .htm, .rtf, .doc, .exe, etc. This represents a security risk since an attacker can hide rogue code under a known file extension or disguise the file type by using multiple extensions such as YourReport.rpt.exe.

Viewing all files (2)

You will note we have an option to view hidden files, and while we are learning the operating system we should see all files. Windows 2000 users will have a new attribute called superhidden files. These are system files with the hidden attribute set. The superhidden attribute is controlled under Tools → Folder Options → View Tab by the Show Hidden Files and Folders and Hide Protected Operating System Files settings.

Setting the Account Policy

To begin our discussion of checking and setting system policies, our first stop is Account Policy. Hitting “Cancel” to bypass a password will not work on an NT machine.
The first thing to notice at the top of the screen is the word “Domain.” For NT and Windows 2000, domains are security entities. If your workstation or server is a member of a domain, you obtain your authentication from a special server. These are called Primary Domain Controllers (PDCs) and Backup Domain Controllers (BDCs). If you are installing a machine that does not need to share credentials with other machines, you can make it a member of a workgroup and it can still do file and print sharing with other systems on its network.

The “Account Policy” under User Manager for Domains sets the general domain-wide password policy for all network accounts. However, for each user account, “User Properties” also affects passwords for a specific account. It is important to note that settings in User Properties override the settings in the Account Policy. For example, an Account Policy requiring a password change every “X” days can be overridden for a particular user by selecting “Password never expires” in the User Properties for that particular user.

[...]

... account, which is used by Microsoft’s web server software, Internet Information Server. The Anonymous account is generally named IUSER_. Also, the null session vulnerability is not “fixed” simply by installing Service Pack 4 (though SP4 did provide some important security enhancements to Windows NT). The null session vulnerability can be prevented by making a change to the Windows NT registry, ...

... want to consider the fundamental security token of most operating systems: the password. Windows NT and Windows 2000 have a tool called passfilt.dll of dubious value, but it prevents some of the classic user errors such as the use of simple dictionary passwords that are easily guessable. We can use passfilt.dll as an opportunity to examine the Windows NT configuration database, called the registry. Windows ...
... investigate log events. The event on your screen is the result of an attack from a network and so this event was stored in the Security log. Speaking of events, a really good idea is to make using the Administrator account an event! You may not delete it, but as administrator you can create a new account, Start → Programs → Administrative Tools → User Manager, and make the new account a member of the ...

... SYSTEM. LSA (the Local Security Authority), which controls the security mechanisms integrated into NT, is a subkey of the SYSTEM key. That said, take a deep breath, go to the next slide, and we will fix null sessions.

Start → Run → regedt32.exe
Navigate to the registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Check whether ...

... We have introduced several important concepts. NTFS has the capability to enforce file permissions. As a privileged Administrator user you have access to Administrative Tools including Disk Administrator and the Event Viewer. To be able to audit NT systems you will want to enable auditing in advance. Tools like passfilt.dll and Account Policy are available to help manage users. We have introduced the ...

... lose physical control of the system, you may wish to select to not audit. In any case, you should know your audit status and can check it through User Manager (NT Workstation or member server) or User Manager for Domains (NT Server configured as a Domain Controller) by selecting Policies → Audit. In Windows 2000, you set Windows 2000 auditing by going to Administrative Tools → Local Security Policy → ...
... running Windows 2000, you want to highlight a log then select Action → Properties. Note that when you change the log size, it only affects a single log. With NT this will be whichever log is shown in the “Change settings for” display. With Windows 2000, it will be for whichever log you had highlighted prior to selecting Properties. Now take a look at event log wrapping. By default, NT will overwrite events ...

... addition, the Events to Audit is set separately for each user or group. The screen on the right shows settings for either an extremely sensitive folder, a highly untrusted user or, perhaps, both. Auditing of File and Object Access should be used sparingly to prevent excessive entries in the security log.

The Event Viewer is a Graphical User Interface ...

... determined through Windows Explorer. The auditing of files and folders should be used sparingly since excessive entries can make the logs fill up pretty durn fast. In our last section we introduced the concept of attackers hiding in the noise. We do not want to make it easy for them by logging events that have no value. Also note: if your workstations are running Win95 or Win98, all logon and logoff entries are ...

... look:

Hive: HKEY_LOCAL_MACHINE
Key: \System\CurrentControlSet\Control\Lsa
Value Name: Notification Packages
Value Type: REG_MULTI_SZ

On Windows 2000, you can check to see if passfilt.dll is enabled from the Group Policy console for Active Directory.

Let’s do a quick recap: we know how to examine files for their modified date, list hidden files, set the Account Policy, set the Audit Policy, manage logs and ...