Windows XP Security II - PowerPoint PPT Presentation

Provided by: lauries8

1
Windows XP Security II
  • Laurie Walters
  • lwalters_at_psu.edu

2
XP Security II Seminar Objectives
  • System Security II
  • Simple File Sharing
  • NTFS Permissions
  • Windows Security Policies
  • IPSEC filtering
  • Application Security
  • Services to Shut Off
  • Remote Desktop / Remote Assistance
  • Using HFNetChk and Baseline Security Analyzer
  • Reading Logs

3
XP Security II Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Metabase
  • Authentication
  • FTP and SMTP
  • Securing IIS manually and with IIS Lockdown tool
  • Logging

4
Windows XP Security II
  • System Security II
  • Simple File Sharing
  • Simple File Sharing Overview
  • Setting Up SFS Shares
  • SFS Is Not Secure
  • Disabling SFS
  • NTFS Permissions
  • Windows Security Policies
  • IPSEC filtering

5
XP Simple File Sharing
  • With Windows XP, Microsoft introduced a new
    feature called Simple File Sharing.
  • By default with Simple File Sharing, no files or
    folders on the hard drive are shared with other
    network users.
  • Simple File Sharing is enabled by default in:
  • XP Home: This feature cannot be disabled in XP
    Home Edition.
  • XP Pro: Only enabled in workstation / standalone
    mode, and it may be disabled in this mode. When an
    XP Pro machine is joined to a domain, this
    feature is automatically disabled and standard
    NTFS permissions are used instead.

6
Setting Up Shares Using Simple File Sharing
  • To share a folder with Simple File Sharing
    enabled, right click on the folder, choose
    Properties and select the Sharing tab.
  • To share files/folders with other users on the
    same machine, drag the desired items to the
    Shared Documents folder.
  • To share file(s) or folder(s) with other network
    users, (use the Network Setup Wizard) and then
    give the share a name. There is a check box,
    "Allow network users to change my files". This
    is not recommended!!!

7
XP Simple File Sharing Is Not Very Secure!
  • Simple File Sharing does not use passwords or
    access restrictions.
  • Everything that is shared is accessible by
    everyone on the network.
  • If "Allow network users to change my files" is
    checked, others have write privileges to the
    folder without any access controls.
  • This is a good way for viruses to spread!
  • If any folders or files are shared, it is
    recommended that you do not use Simple File
    Sharing.

8
Simple File Sharing Enabled
9
Disabling XP Simple File Sharing
  • To disable Simple File Sharing, open up Windows
    Explorer or the My Computer folder. Under the Tools
    menu, select Folder Options. Choose the View
    tab. Scroll down to "Use simple file sharing"
    and uncheck the box.
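
As an added example (not part of the original slides): the "Use simple file sharing" checkbox sets the ForceGuest value under the Lsa registry key, so the change can be scripted and verified, and the non-administrative shares that Simple File Sharing would expose to everyone on the network can be listed at the same time. The script assumes XP Professional in workgroup mode and an administrative PowerShell session; the registry path and WMI class are the real ones.

```powershell
# Added example, not from the slides: script the "Use simple file sharing"
# setting and list the shares it would expose. Assumes XP Pro (workgroup)
# and an administrative PowerShell session.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-SimpleFileSharingState {
    # ForceGuest = 1: every network logon is mapped to Guest (Simple File Sharing on).
    # ForceGuest = 0: classic model, per-user share and NTFS permissions apply.
    $v = (Get-ItemProperty -Path $lsa -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest
    if ($v -eq 1) { 'Enabled (ForceGuest=1)' } else { 'Disabled (ForceGuest=0)' }
}

function Disable-SimpleFileSharing {
    Set-ItemProperty -Path $lsa -Name ForceGuest -Value 0 -Type DWord
    Get-SimpleFileSharingState
}

function Get-ExposedShares {
    # Type 0 = disk share; names ending in $ are the hidden administrative
    # shares. What is left is what every network user could reach under SFS.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 0 -and $_.Name -notmatch '\$$' } |
        Select-Object Name, Path, Description
}

"Before: $(Get-SimpleFileSharingState)"
"After:  $(Disable-SimpleFileSharing)"
Get-ExposedShares | Format-Table -AutoSize
```

After the change the Security tab appears on folder properties (next slides), and each share listed by Get-ExposedShares should be given explicit share and NTFS permissions rather than the Everyone defaults.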

10
Disabling Simple File Sharing
11
Simple File Sharing Disabled
12
Security (NTFS Permissions) Tab Appears After
Disabling SFS
13
Windows XP Security II
  • System Security II
  • Simple File Sharing
  • NTFS Permissions
  • Definitions
  • Changing Default Permissions
  • NTFS Rules: Additive Permissions and Deny
    Permissions
  • Removing Access to common executables
  • Windows Security Policies
  • IPSEC filtering

14
NT File ACLs (Permissions) For Shared Files
  • NTFS uses DACLs (Discretionary Access Control
    Lists) to determine authorization.
  • An individual entry in an Access Control List
    is known as an Access Control Entry (ACE).
  • Generically, a collection of ACLs can be
    referred to as permissions.
  • Microsoft's default for permissions has been
    usability over security.
  • For security purposes it is prudent to restrict
    access for Everyone and anonymous users where
    possible.

15
Changing Default NTFS Permissions
  • After applying the service pack, replace
    "Everyone: Full Control" with "Administrators:
    Full Control" on pertinent files/folders.
  • Folders created by the OS generally have correct
    permissions. Any folders created by you will
    inherit the root folder permissions by default,
    which are Everyone: Full Control.
  • Note: Always add administrator(s) with Full
    Control before taking away Full Control from
    Everyone.
  • Add Authenticated Users and give them the desired
    permissions, e.g. RWXD or RX.

16
NTFS ACL Rule 1: ACL Permissions Are Additive
  • Example: Your account is a member of two groups,
    Backup Operators and Users.
  • The Users group is not listed among the groups
    allowed access to the folder. However,
    the Backup Operators group has permissions listed
    as RWXD.
  • Result: You have RWXD permissions for this
    folder.

17
NTFS ACL Rule 2: Deny Explicitly Overrides Any
Allow Permissions
  • Example: Your account is again a member of two
    groups, Backup Operators and Users.
  • The Users group has an explicit Deny flag set for
    the folder. The Backup Operators group is set to
    RWXD.
  • Result: You will not be able to access this
    folder!
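
The two rules on these slides, worked through on constructed ACL data as an added example (not from the original slides). The groups, ACEs and R/W/X/D letters are made up for the illustration; the logic (allow entries from every matching group are combined, then any matching deny strips the right) is what the DACL check applies.

```powershell
# Added example, not from the slides: evaluate effective rights for an
# account from a list of constructed ACEs, applying Rule 1 (allows are
# additive across groups) and Rule 2 (an explicit deny overrides any allow).

function Get-EffectiveRights {
    param(
        [string[]]$Memberships,   # groups the account belongs to
        [object[]]$Acl            # constructed ACEs: @{Identity=; Type='Allow'|'Deny'; Rights=@(...)}
    )
    $allowed = @()
    $denied  = @()
    foreach ($ace in $Acl) {
        # Only ACEs for a group the account is in take part in the decision.
        if ($Memberships -notcontains $ace.Identity) { continue }
        if ($ace.Type -eq 'Allow') { $allowed += $ace.Rights }   # Rule 1: collect every allow
        else                       { $denied  += $ace.Rights }   # Rule 2: collect denies separately
    }
    # A denied right is removed no matter which other group allowed it.
    $effective = @($allowed | Select-Object -Unique | Where-Object { $denied -notcontains $_ })
    if ($effective.Count -gt 0) { $effective -join '' } else { '(no access)' }
}

$groups = @('Backup Operators', 'Users')

# Rule 1 scenario: Users is not listed; Backup Operators has RWXD.
$acl1 = @(
    @{ Identity = 'Administrators';   Type = 'Allow'; Rights = @('R','W','X','D') },
    @{ Identity = 'Backup Operators'; Type = 'Allow'; Rights = @('R','W','X','D') }
)
"Rule 1 result: $(Get-EffectiveRights -Memberships $groups -Acl $acl1)"

# Rule 2 scenario: same ACL plus an explicit Deny for Users on every right.
$acl2 = $acl1 + @(@{ Identity = 'Users'; Type = 'Deny'; Rights = @('R','W','X','D') })
"Rule 2 result: $(Get-EffectiveRights -Memberships $groups -Acl $acl2)"
```

The first call reports RWXD because the Backup Operators entry alone is enough; the second reports no access because the Users deny removes every right the other group granted, which is why a Deny on a broad group such as Users or Everyone affects administrators too.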

18
Remove Access to Known Command Line Executables
From Everyone
  • Grant ACLs for Authenticated Users only on the
    following C:\Winnt\System32 executables:
  • Cmd.exe
  • Command.com
  • Ftp.exe
  • Regedit.exe
  • Regedt32.exe
  • Telnet.exe
  • Tftp.exe

19
Windows XP Security II
  • System Security II
  • Simple File Sharing
  • NTFS Permissions
  • Windows Security Policies
  • Security Policies Overview
  • Account / Password Policies
  • Auditing Policies
  • User Rights Assignment
  • Security Policies
  • IPSEC filtering

20
Security Policies
  • Control Panel → Classic View → Administrative
    Tools → Local Security Policy
  • Policies include:
  • Account Policies, Local Policies, Security
    Options, Public Key Policies, Software
    Restriction, IPSEC

21
Local Security Settings
22
Account / Password Policies
  • Password History (X passwords remembered)
  • Default: 0, Recommended: 5
  • Maximum Password Age (X days)
  • Default: 42 days, Recommended: ?
  • Minimum Password Age
  • Default: 0 days, Recommended: ?
  • Password Length
  • Default: 0, Recommended: 7

23
Password Policies (cont.)
  • Password Must Meet Complexity Requirements
  • Three of the following four: lower case, upper
    case, numbers, symbols; AND passwords cannot
    contain the user name or any part of the full name.
  • Default: Disabled, Recommended: Enabled
  • Store passwords using reversible encryption for
    all users in the domain
  • Default: Disabled

24
Account Lockout Policy
  • Account Lockout Duration
  • Recommended: 15 minutes or longer
  • Account Lockout Threshold
  • Recommended: 5 attempts or lower
  • Reset Account Lockout Counter After
  • Recommended: 15 minutes or longer

25
Auditing Policies
  • By default, nothing is audited in XP!
  • Audit Account Logon Events: Records the response
    of a domain controller to a request to
    authenticate a network user.
  • Recommended: Success / Failure
  • Audit Account Management: Audits account changes
    such as renaming, enabling/disabling, password
    changes, creation, deletion, etc.
  • Recommended: Success / Failure

26
Auditing Policies (Cont.)
  • Audit Directory Service Access: Logs access
    events for Active Directory objects.
  • Recommended: Failure
  • Audit Logon Events: Records user authentication
    on the local machine or domain controllers.
  • Recommended: Success / Failure
  • Audit Object Access: Allows auditing to be set
    on files or directories (you must set each
    directory/file separately).
  • Recommended: Varies

27
Auditing Policies (Cont.)
  • Audit Policy Change: Audits additions,
    deletions, and changes made to local and domain
    security policies.
  • Recommended: Success / Failure
  • Audit Privilege Use: Audits special privileges
    assigned to a user, privileged services that are
    called, and privileged object operations.
  • Recommended: Failure (auditing success will fill
    up logs very quickly!)

28
Auditing Policies (Cont.)
  • Audit Process Tracking: Audits processes
    (creation, exits, and resources).
  • Recommended: Failure or None
  • Audit System Events: Audits events going on
    within the physical system that can affect
    security or logging (shutdowns, reboots, clearing
    of logs).
  • Recommended: Failure (can fill up logs VERY
    quickly)

29
Auditing Recap
  • Audit success and failure of:
  • Logon events
  • Account management
  • Policy change
  • Object access
  • Audit failure of:
  • Privilege use
  • Process tracking
  • System events

30
User Rights Assignment
  • Access this computer from the network
  • Default includes Everyone in Windows NT.
  • You can remove Everyone and add the desired users.
  • Other User Rights Assignment options include who
    is allowed to:
  • Back up files,
  • Increase quotas,
  • Log on locally,
  • Shut down the system,
  • Take ownership of files of other users

31
User Rights Assignment (Cont.)
  • Bypass Traverse Checking: Allows the users in the
    list to access files and folders regardless of
    their permission on the parent folder.
  • This setting basically nullifies inherited parent
    permissions.
  • E.g. if you remove Everyone, then anyone not in
    one of the listed groups will access files based
    on parent inheritance, not individual file
    permissions.

32
Security Options Accounts
  • Only those that should be changed are listed
    here.
  • Guest Account Status
  • Should be set to Disabled. If it is not, please
    change this policy status to Disabled.
  • Administrator Account Status
  • May be Disabled
  • Rename Guest Account
  • Recommended!
  • Rename Administrator Account
  • Recommended!
  • Limit local use of blank passwords to console
    logon only
  • Do not change this to Disabled!!!

33
Security Options Devices
  • Restrict CD-ROM and floppy access to the locally
    logged-on user: Recommended, especially if running
    Remote Desktop or if IIS is installed (e.g. a
    Windows setup disk is left in the CD drive).

34
Security Options Interactive Logon
  • Do Not Display Last User Name in Logon Screen:
    Change to Enabled (users must then know both the
    username and the password).
  • Message text/title for users attempting to log on

35
Security Options Network Access
  • "Do not allow anonymous enumeration of SAM
    accounts" and "Do not allow anonymous enumeration
    of SAM accounts and shares": should be set to
    Enabled.
  • If not enabled, local/domain accounts can be
    enumerated via the NetBIOS protocol.
  • Scripts / L0phtCrack can then be used to
    determine the passwords associated with user IDs.
  • "Let Everyone permissions apply to anonymous
    users" should be Disabled.
  • Remotely accessible registry paths: if possible,
    remove ALL paths.

36
Security Options Network Security
  • "Force logoff when logon hours expire" should be
    Enabled.

37
Security Options Shutdown
  • "Allow system to be shut down without having to
    log on": Disable this option.
  • "Clear virtual memory pagefile when system shuts
    down": Enable this option.
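
The recommended values from the Account / Password, Account Lockout, Auditing and Security Options slides above, collected into one secedit security template and applied from PowerShell, as an added example that is not part of the original slides. The maximum and minimum password ages are left out because the slides leave them open; the INF key names and registry paths are the ones Local Security Policy itself stores these settings under. Run as an administrator; the file locations under %TEMP% are assumptions.

```powershell
# Added example, not from the slides: apply the slides' recommended policy
# values with a secedit template. Audit values: 0 none, 1 success, 2 failure,
# 3 success and failure. Registry Values lines are <path>=<type>,<data>
# with 4 = REG_DWORD and 1 = REG_SZ.

$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 5
MinimumPasswordLength = 7
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
LockoutDuration = 15
ResetLockoutCount = 15
ForceLogoffWhenHourExpire = 1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditObjectAccess = 3
AuditDSAccess = 2
AuditPrivilegeUse = 2
AuditProcessTracking = 2
AuditSystemEvents = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
'@

function Set-LocalSecurityPolicyFromTemplate {
    param(
        [string]$Inf = "$env:TEMP\xp-hardening.inf",   # assumed locations
        [string]$Db  = "$env:TEMP\xp-hardening.sdb"
    )
    # Templates are Unicode text; secedit applies them through a database.
    Set-Content -Path $Inf -Value $template -Encoding Unicode
    & secedit.exe /configure /db $Db /cfg $Inf /areas SECURITYPOLICY /quiet

    # Export the effective policy and show the keys we just set.
    $after = "$env:TEMP\xp-after.inf"
    & secedit.exe /export /cfg $after /areas SECURITYPOLICY /quiet
    Get-Content -Path $after |
        Select-String 'LockoutBadCount|PasswordComplexity|MinimumPasswordLength|AuditLogonEvents|AuditPrivilegeUse|RestrictAnonymous'
}

Set-LocalSecurityPolicyFromTemplate
```

The export step is the check: if a line such as LockoutBadCount = 5 is missing from the output, the template was not applied (secedit writes the reason to %windir%\security\logs\scesrv.log).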

38
Windows XP Security II
  • System Security II
  • Simple File Sharing
  • NTFS Permissions
  • Windows Security Policies
  • IPSEC filtering
  • IP Security Overview
  • Starting IPSec service
  • Installing IPSec Policy
  • Creating a Custom IPSec Policy

39
IP Security Filtering
  • IP filtering using IPSEC allows the computer
    administrator to create a list of connections
    allowed or disallowed based on a number of rules
    such as port number, source, or destination.
  • For example, you can block all NetBIOS traffic
    from outside PSU but allow connections from the
    Penn State address space.

40
Starting the IPSEC Service
  • In the Control Panel, open Administrative Tools
    and then Services. Make sure that IPSEC Policy
    Agent is Started and Set to Automatic.

41
Installing IPSEC Policy
  • Next, open Control Panel → Administrative
    Tools → Local Security Policy. Right click on
    "IP Security Policies on Local Machine". From
    the menu that appears, choose All Tasks.
    Select Import Policies and browse to the
    location of the IPSEC policy.
  • The policy should now appear in the list on the
    right hand side. Right click the new policy and
    select Assign.

42
Installing An IPSec Policy
43
Creating a Custom IPSEC Policy
  • Open up XP Help and Support and click
    on "Add or edit IPSec filters".
  • This help guide will walk you step by step
    through configuring custom IPSEC filters.
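
The NetBIOS filter described on the "IP Security Filtering" slide (block NetBIOS from everywhere, permit it from one address range), built from the command line instead of the import or help-guide steps, as an added example that is not from the original slides. It assumes the netsh ipsec static context, which exists on Windows Server 2003 and later (XP itself shipped ipseccmd.exe in the support tools, and the slides use the snap-in); 192.0.2.0/24 is a placeholder for the permitted address space, and the policy and list names are made up.

```powershell
# Added example, not from the slides: a block-with-exception NetBIOS policy
# as netsh ipsec static commands. Assumes the netsh ipsec context (Server 2003+).
# 192.0.2.0/24 is a placeholder for the permitted (campus) address range.

$policy     = 'BlockNetBIOS'
$campus     = '192.0.2.0'
$campusMask = '255.255.255.0'
$netbios    = @(
    @{ Protocol = 'UDP'; Port = 137 }, @{ Protocol = 'UDP'; Port = 138 },
    @{ Protocol = 'TCP'; Port = 139 }, @{ Protocol = 'TCP'; Port = 445 }
)

function Add-NetbiosFilterPolicy {
    netsh ipsec static add policy name=$policy description=AddedExampleNetBIOSFilter
    netsh ipsec static add filterlist name=NetBIOS_anywhere
    netsh ipsec static add filterlist name=NetBIOS_campus
    foreach ($f in $netbios) {
        # Generic filter: any source to this host on the NetBIOS port.
        netsh ipsec static add filter filterlist=NetBIOS_anywhere srcaddr=any dstaddr=me protocol=$($f.Protocol) srcport=0 dstport=$($f.Port)
        # Specific filter: only the permitted range. IPsec matches the most
        # specific filter first, so this exception wins over the generic block.
        netsh ipsec static add filter filterlist=NetBIOS_campus srcaddr=$campus srcmask=$campusMask dstaddr=me protocol=$($f.Protocol) srcport=0 dstport=$($f.Port)
    }
    netsh ipsec static add filteraction name=BlockAction  action=block
    netsh ipsec static add filteraction name=PermitAction action=permit
    netsh ipsec static add rule name=BlockNetBIOSRule  policy=$policy filterlist=NetBIOS_anywhere filteraction=BlockAction
    netsh ipsec static add rule name=PermitCampusRule  policy=$policy filterlist=NetBIOS_campus   filteraction=PermitAction
    # Assigning the policy is what makes the IPSEC service enforce it.
    netsh ipsec static set policy name=$policy assign=y
}

function Show-NetbiosFilterPolicy {
    netsh ipsec static show policy name=$policy
}

Add-NetbiosFilterPolicy
Show-NetbiosFilterPolicy
```

Names are kept free of spaces so that each netsh argument survives PowerShell's quoting unchanged; the IPSEC Policy Agent / IPSEC Services service must be running (previous slide) or the assigned policy does nothing.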

44
Common Breaches of System Security
  • Most breaches are a result of this aspect!
  • Open Network Shares
  • Incorrect ACLS
  • No Auditing / Logging
  • Weak Passwords (Lophtcrack)
  • Policies not set correctly

45
XP Security II Seminar Objectives
  • System Security II
  • Simple File Sharing
  • NTFS Permissions
  • Windows Security Policies
  • IPSEC filtering
  • Application Security
  • Services to Shut Off
  • Remote Desktop / Remote Assistance
  • Using HFNetChk and Baseline Security Analyzer
  • Reading Logs

46
XP Security II Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Metabase
  • Authentication
  • FTP and SMTP
  • Securing IIS manually and with IIS Lockdown tool
  • Logging

47
Windows XP Security II
  • Application Security
  • Services to Shut Off
  • Disabling unnecessary services
  • Use Secure Services
  • Specific XP Services to disable
  • Remote Desktop / Remote Assistance
  • Using HFNetChk and Baseline Security Analyzer
  • Reading Logs

48
Application Security
  • Check for patches for all software (application
    patches should be applied before the system is
    placed on the network).
  • Adding remote access software increases the risk
    of breaches:
  • Backdoors
  • Warez servers
  • SMTP servers
  • Admin tools for DDoS attacks
  • Scanners/automated scripts disguised as innocent
    files
  • OS files removed

49
Services
  • Disable any that you are not using:
  • SMTP
  • RAS (including VNC, Timbuktu, Terminal Services)
  • HTTPD (IIS) Caution: may be installed with
    Network Monitoring Tools in 2000/XP
  • FTP/TFTP
  • Telnetd
  • Service distribution: Do NOT install all services
    on one machine!
  • Do not install on a PDC/BDC

50
Use Secure Services
  • Plugins for email (Kerberos, PGP)
  • SSH vs. Telnet
  • HTTPS vs. HTTP
  • SCP vs. FTP
  • Use secure services wherever possible.

51
XP Services
  • Accessed from Control Panel → Classic View →
    Administrative Tools → Services
  • If not needed, stop and set to Manual:
  • Remote Registry
  • Remote Desktop
  • Remote Access Auto Connection Manager
  • NetMeeting Remote Desktop Sharing
  • SSDP (Universal Plug and Play)
  • TCP port 5000
  • UDP port 1900
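
The "stop and set to Manual" step for the services listed above, scripted so it can be run as a report first and then applied, as an added example that is not from the original slides. The short service names are the XP ones for the display names on the slide; any that is absent on a given build is skipped. On XP the Terminal Services service itself refuses to stop, so the Remote Desktop checkbox on the Remote tab (later slides) remains the real switch for it.

```powershell
# Added example, not from the slides: report on, then stop and set to Manual,
# the services the slide recommends turning off. Short names are the XP ones.

$unneeded = @(
    @{ Name = 'RemoteRegistry'; Why = 'Remote Registry' },
    @{ Name = 'TermService';    Why = 'Remote Desktop / Terminal Services' },
    @{ Name = 'RasAuto';        Why = 'Remote Access Auto Connection Manager' },
    @{ Name = 'mnmsrvc';        Why = 'NetMeeting Remote Desktop Sharing' },
    @{ Name = 'SSDPSRV';        Why = 'SSDP Discovery Service (UPnP, UDP 1900)' },
    @{ Name = 'upnphost';       Why = 'Universal Plug and Play Device Host (TCP 5000)' }
)

function Disable-UnneededServices {
    param([switch]$Apply)   # without -Apply nothing is changed
    foreach ($s in $unneeded) {
        $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
        if (-not $svc) { "{0,-16} not present on this machine" -f $s.Name; continue }
        # Get-Service does not expose the start mode, so read it through WMI.
        $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$($s.Name)'").StartMode
        "{0,-16} {1,-8} start={2,-9} ({3})" -f $s.Name, $svc.Status, $mode, $s.Why
        if ($Apply) {
            if ($svc.Status -eq 'Running') {
                # TermService on XP cannot be stopped; the error is reported, not fatal.
                Stop-Service -Name $s.Name -Force -ErrorAction Continue
            }
            Set-Service -Name $s.Name -StartupType Manual
        }
    }
}

Disable-UnneededServices           # report only
# Disable-UnneededServices -Apply  # stop the running ones and set all to Manual
```

Run the report again after applying to confirm each line shows Stopped and start=Manual; a service that comes back Running at the next boot is being started by something else and needs the same treatment there.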

52
Windows XP Security II
  • Application Security
  • Services to Shut Off
  • Remote Desktop / Remote Assistance
  • Remote Assistance Overview
  • Disabling Remote Assistance
  • Remote Desktop Overview
  • Setting Up Remote Desktop
  • Changing Default Remote Desktop Port
  • Disabling Remote Desktop
  • Using HFNetChk and Baseline Security Analyzer
  • Reading Logs

53
Remote Assistance
  • Designed to allow others to take control of your
    computer to assist in troubleshooting and even
    fix problems.
  • Turn this off until it is needed!
  • Control Panel → Classic View → System → Remote
    tab → Settings button
  • The Administrators group can connect to the
    computer by default.

54
Disabling Remote Assistance
  • To disable, uncheck one of the following:
  • "Allow Remote Assistance invitations to be sent
    from this computer"
  • Under the Advanced button, "Allow this computer
    to be controlled remotely"

55
Remote Desktop
  • Other computers can access your Windows session
    by remotely logging in to your computer with a
    valid username and password.
  • This feature is based on Terminal Services;
    session data is sent encrypted.
  • (E.g. you can leave your machine logged in at
    work and then log on via Remote Desktop from home
    to control your computer.)
  • Logging on remotely locks the screen locally.

56
Setting Up Remote Desktop
  • On the host computer, navigate to the Control
    Panel and choose the System icon. Click on the
    Remote tab.
  • Check the box for "Allow users to connect remotely
    to this computer".
  • Click on the Settings button to change which
    users have remote access.

57
Setting Up Remote Desktop
  • To open the Remote Desktop client:
  • On the connecting computer, if XP, navigate to
    Start Menu → Accessories → Communications →
    Remote Desktop Connection
  • On a non-XP Windows machine, insert the XP CD
    into the CD-ROM drive. When the Welcome page
    appears, click "Perform additional tasks", and
    then choose "Set up Remote Desktop Connection".
  • You will need to enter the IP address of the
    machine you are connecting to, and your username
    and password on that machine.

58
Remote Desktop Connection
  • Click the Options button to expand the dialog so
    that additional options (username and password,
    domain, display options, etc.) are shown.

59
Changing Remote Desktop Port
  • By default, Remote Desktop (and Terminal
    Services) runs on port 3389.
  • You can add security by obscurity by changing
    the default port.
  • You need to make a simple registry change on the
    host computer, and add the port number after the
    IP address in the client on the connecting machine.

60
Entering Remote Desktop Port in Client
  • In the example, 10.0.0.1 is a theoretical IP
    address and 8337 is the port that Remote Desktop
    was changed to (entered as 10.0.0.1:8337).

61
Disabling Remote Desktop
  • If not needed, do not run this feature.
  • Control Panel → Classic View → System → Remote
    tab → Settings button
  • Uncheck "Allow others to connect remotely to this
    computer"
  • All remote access services should log all traffic.
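
The registry values behind the Remote tab, read back as an audit and then changed to reproduce "Disabling Remote Assistance", "Changing Remote Desktop Port" and "Disabling Remote Desktop", as an added example that is not from the original slides. The key paths and value names are the ones Windows uses; 8337 is the slide's example port. Run as an administrator; a port change takes effect for new connections after a reboot, and the new port has to be reachable through any packet filter in front of the machine.

```powershell
# Added example, not from the slides: audit and change the Remote tab
# settings through their registry values. 8337 is the slide's example port.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

function Get-RemoteAccessState {
    $t = Get-ItemProperty -Path $ts
    $p = Get-ItemProperty -Path $rdp
    New-Object PSObject -Property @{
        RemoteAssistance  = if ($t.fAllowToGetHelp -eq 1)    { 'Enabled' }  else { 'Disabled' }
        RemoteControl     = if ($t.fAllowFullControl -eq 1)  { 'Allowed' }  else { 'Not allowed' }
        RemoteDesktop     = if ($t.fDenyTSConnections -eq 1) { 'Disabled' } else { 'Enabled' }
        RemoteDesktopPort = $p.PortNumber
    }
}

function Disable-RemoteAssistance {
    # "Allow Remote Assistance invitations..." and "Allow this computer to be
    # controlled remotely" from the Disabling Remote Assistance slide.
    Set-ItemProperty -Path $ts -Name fAllowToGetHelp   -Value 0 -Type DWord
    Set-ItemProperty -Path $ts -Name fAllowFullControl -Value 0 -Type DWord
}

function Disable-RemoteDesktop {
    # Unchecking "Allow others to connect remotely to this computer".
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
}

function Set-RemoteDesktopPort {
    param([ValidateRange(1024, 65535)][int]$Port)
    Set-ItemProperty -Path $rdp -Name PortNumber -Value $Port -Type DWord
    # The client then connects as host:port, e.g. mstsc /v:10.0.0.1:8337
    "Remote Desktop will listen on TCP $Port after the next reboot; connect with mstsc /v:<host>:$Port"
}

Get-RemoteAccessState | Format-List
Disable-RemoteAssistance
Set-RemoteDesktopPort -Port 8337   # keep Remote Desktop but move it off 3389...
# Disable-RemoteDesktop            # ...or turn it off entirely when it is not needed
Get-RemoteAccessState | Format-List
```

The second Get-RemoteAccessState call is the check that the values actually changed; the slide's caveat still applies, since a moved port is obscurity rather than access control, so the username/password requirement and logging of remote sessions remain the real controls.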

62
Windows XP Security II
  • Application Security
  • Services to Shut Off
  • Remote Desktop / Remote Assistance
  • Using HFNetChk and Baseline Security Analyzer
  • HFNetchk Overview
  • Microsoft Baseline Security Analyzer Overview
  • Reading Logs

63
HFNetchk
  • Command line utility which tells you if you are
    up to date on patches.
  • Every time you run HFNetchk, it will attempt to
    connect to Microsoft to download an up to date
    XML document which indicates what patches should
    be on your machine.
  • If the network is unavailable, it will use the
    configuration already saved to your hard disk.
  • You can download HFNetchk from
    http://support.microsoft.com/default.aspx?scid=kb;en-us;303215

64
Baseline Security Analyzer
  • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
  • Checks for hotfixes and security
    misconfigurations on systems.
  • Scan by machine name or IP address(es); can scan
    multiple computers at a time.

65
Windows XP Security II
  • Application Security
  • Services to Shut Off
  • Remote Desktop / Remote Assistance
  • Using HFNetChk and Baseline Security Analyzer
  • Reading Logs
  • System Logfile locations
  • IIS Logfile location

66
Reading Logs
  • Event Viewer (eventvwr)
  • System
  • Application
  • Security
  • IIS Logs (C:\winnt\system32\logfiles)
  • W3SVC1, etc.
  • If you do not look through the logs you may not
    notice anything is going on!

67
XP Security II Seminar Objectives
  • System Security II
  • Simple File Sharing
  • NTFS Permissions
  • Windows Security Policies
  • IPSEC filtering
  • Application Security
  • Services to Shut Off
  • Remote Desktop / Remote Assistance
  • Using HFNetChk and Baseline Security Analyzer
  • Reading Logs

68
XP Security II Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Metabase
  • Authentication
  • FTP and SMTP
  • Securing IIS manually and with IIS Lockdown tool
  • Logging

69
XP Security II Seminar Objectives
  • IIS Security
  • Installation of IIS
  • IIS Installation Overview
  • What is and is not installed by default in IIS
  • IIS Accounts which are added to machine
  • Uninstalling IIS
  • Backing Up IIS Metabase
  • Authentication
  • FTP and SMTP
  • Securing IIS manually and with IIS Lockdown tool
  • Logging

70
Installing IIS
  • The IIS patch (included in SP1) must be applied
    before the machine is networked!
  • Add / Remove Programs → Add / Remove Windows
    Components
  • It is better to install IIS after the operating
    system is secured than while initially setting up
    the OS.

71
IIS Installation
  • By default, the following are installed:
  • Common Files
  • Documentation
  • FrontPage 2000 Server Extensions
  • IIS Snap-In
  • SMTP Service
  • WWW Service
  • Do not install Documentation on a production web
    server.
  • If you are not using Form Mail, do not install
    the SMTP service.

72
IIS Installation
  • The following are not installed by default:
  • FTP Service
  • Scripts virtual directory
  • Do not install these unless absolutely necessary.

73
IIS Installation
  • Adds the Internet Information Services snap-in
    (ISM) and the Server Extensions Administrator
    snap-in to Administrative Tools.
  • Adds accounts:
  • IUSR_MACHINENAME: built-in account for anonymous
    IIS access
  • IWAM_MACHINENAME: built-in account for
    out-of-process access

74
Uninstallation of IIS
  • The following aren't uninstalled:
  • \Inetpub
  • \Systemroot\Help\iishelp
  • \Systemroot\system32\inetsrv
  • The following users are not removed:
  • IUSR_Machinename
  • IWAM_Machinename

75
XP Security II Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing UP IIS Metabase
  • Authentication
  • FTP and SMTP
  • Securing IIS manually and with IIS Lockdown tool
  • Logging

76
Backing Up IIS Metabase
  • The IIS Metabase is similar to the Windows
    registry. It stores configuration entries for
    IIS.
  • The Metabase can become corrupted, so it should be
    backed up every time a change is made to IIS.
  • To back up the Metabase, in the ISM, right click
    on your server icon and select Backup/Restore
    Configuration. Click on Create Backup and enter
    a meaningful name.

77
XP Security II Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Metabase
  • Authentication
  • FTP and SMTP
  • Securing IIS manually and with IIS Lockdown tool
  • Logging

78
IIS Authentication
  • To set the means of IIS authentication, right
    click on your web site and select Properties, then
    choose the Directory Security tab. Click on the
    Edit button next to "Anonymous access and
    authentication control".
  • Anonymous: uses IUSR_Machinename to anonymously
    access the site
  • Integrated Windows: users connect to the machine
    with a Windows username and password
  • Basic: authenticates to the machine using an
    unencrypted username / password (user accounts
    must have "log on locally" rights).
  • Digest: authentication within a W2K domain;
    password hashes are compared against DC hashes.
  • Kerberos: authenticate to a K4 or K5 domain

79
XP Security II Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Metabase
  • Authentication
  • FTP and SMTP
  • Securing IIS manually and with IIS Lockdown tool
  • Logging

80
FTP and SMTP
  • Disable SMTP and FTP if not needed; if absolutely
    needed, limit access by userid/password or IP
    address.
  • Allowing totally anonymous connections to the
    machine is a bad idea.
  • Specify the directory where users can
    upload/download files.
  • Create appropriate permissions on files in this
    directory (e.g. remote users can read but not
    write or execute files).

81
XP Security II Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Metabase
  • Authentication
  • FTP and SMTP
  • Securing IIS manually and with IIS Lockdown tool
  • Logging

82
IIS Lockdown Tool
  • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/locktool.asp
  • Turns off unnecessary services and features of
    IIS.

83
URLScan
  • Part of the IIS Lockdown tool. It also turns off
    unneeded features and restricts the type of HTTP
    requests that the server can process.
  • Execute the following command:
  • iislockd.exe /q /c /t:c:\lockdown_files
  • It will install urlscan.exe to this folder.
  • Run urlscan.exe to install it.

84
XP Security II Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Metabase
  • Authentication
  • FTP and SMTP
  • Securing IIS manually and with IIS Lockdown tool
  • Logging

85
IIS Logging
  • Enable extended logging properties in IIS Manager.
  • Use W3C Extended Log Format instead of the Active
    Log Format.
  • Make sure Date, Time, Server IP, Client IP, URI
    Stem and URI Query are checked.
  • Daily logs are kept in UTC (GMT) in the
    following location:
    C:\Windows\System32\Logfiles\W3SVC1\ex020930.txt
  • Check the box "Use local time for file naming and
    rollover" so that logs are kept in EST instead of
    GMT.

86
Common IIS Breaches
  • Buffer Overflows (XXXXXXXXXXXXXXXcode)
  • Directory Traversal
    (../../../c:/winnt/system32/cmd.exe)
  • Requests for unusual actions using cmd.exe, .bat
  • Encoded using an alternate character set (e.g.
    Unicode) or including character sequences that are
    rarely seen in legitimate requests.
  • All of the above were used by recent worms (e.g.
    IIS/Sadmind, Code Red, Code Red 2, Nimda).
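
A small scanner for the W3C extended logs described on the "IIS Logging" slide that flags the request patterns listed on this slide, as an added example that is not from the original slides. The log lines below are constructed to look like IIS 5.1 output (addresses and times made up), and the regular expressions are illustrative assumptions rather than a complete signature set; the point is that each breach type on the slide leaves a recognisable trace in cs-uri-stem or cs-uri-query once those fields are being logged.

```powershell
# Added example, not from the slides: parse W3C extended log lines and flag
# traversal, command execution, oversized and oddly encoded requests.
# The sample log below is constructed; the patterns are illustrative.

$sampleLog = @'
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2002-09-30 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2002-09-30 00:00:01 10.0.0.5 GET /default.htm - 10.0.0.9 200
2002-09-30 00:00:07 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 10.0.0.23 404
2002-09-30 00:00:09 10.0.0.5 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 10.0.0.31 200
2002-09-30 00:00:12 10.0.0.5 GET /scripts/root.exe /c+dir 10.0.0.23 404
2002-09-30 00:00:15 10.0.0.5 GET /images/logo.gif - 10.0.0.9 200
'@

function ConvertFrom-W3CLog {
    # Turns log lines into objects whose properties are named by the #Fields header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split ' '
        $entry = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $entry | Add-Member -MemberType NoteProperty -Name $fields[$i] -Value $values[$i]
        }
        $entry
    }
}

# One rule per breach type on the slide. Each Test receives a parsed entry.
$rules = @(
    @{ Name = 'directory traversal'; Test = { param($e) $e.'cs-uri-stem' -match '\.\./|%2e%2e|%c0%af|%255c' } },
    @{ Name = 'command execution';   Test = { param($e) ($e.'cs-uri-stem' + ' ' + $e.'cs-uri-query') -match 'cmd\.exe|root\.exe|\.bat\b' } },
    @{ Name = 'oversized request';   Test = { param($e) $e.'cs-uri-query'.Length -gt 200 -or $e.'cs-uri-query' -match 'X{40,}' } },
    @{ Name = 'unusual encoding';    Test = { param($e) $e.'cs-uri-stem' -match '%(c0|c1|e0|f0|25)' } }
)

function Find-SuspiciousRequests {
    param([string[]]$Lines)
    foreach ($e in ConvertFrom-W3CLog -Lines $Lines) {
        $hits = @($rules | Where-Object { & $_.Test $e } | ForEach-Object { $_.Name })
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{
                Time    = "$($e.date) $($e.time)"
                Client  = $e.'c-ip'
                Status  = $e.'sc-status'
                Rules   = ($hits -join ', ')
                Request = $e.'cs-uri-stem'
            }
        }
    }
}

Find-SuspiciousRequests -Lines ($sampleLog -split "`r?`n") |
    Format-Table Time, Client, Status, Rules, Request -AutoSize

# Against a real daily log from the location on the IIS Logging slide:
# Find-SuspiciousRequests -Lines (Get-Content 'C:\Windows\System32\Logfiles\W3SVC1\ex020930.txt')
```

Three of the five constructed lines are flagged; the two 404 responses show that an attempt is worth noticing even when the server refused it, and grouping the output by Client is the quickest way to spot the scanning host.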

87
Ways to Overcome Common IIS Breaches Other Than
Patching
  • Patching prevents current vulnerabilities.
  • Other means help secure against future
    vulnerabilities:
  • Install IIS on a separate hard drive, or
  • Do not allow Everyone or the IUSR account to run
    .exe (e.g. cmd.exe) commands
  • Use the URLScan and IIS Lockdown tools
  • Follow the suggested SOS guidelines for securing
    IIS

88
XP Security II Seminar Objectives
  • System Security II
  • Simple File Sharing
  • NTFS Permissions
  • Windows Security Policies
  • IPSEC filtering
  • Application Security
  • Services to Shut Off
  • Remote Desktop / Remote Assistance
  • Using HFNetChk and Baseline Security Analyzer
  • Reading Logs

89
XP Security II Seminar Objectives
  • IIS Security
  • Installation of IIS
  • Backing Up IIS Metabase
  • Authentication
  • FTP and SMTP
  • Securing IIS manually and with IIS Lockdown tool
  • Logging

90
Windows Is a Popular OS to Hack
  • Millions of lines of code
  • All aspects add up to increased security
  • ACLs, services and applications rank among the
    most important
  • Frequent patching and examination of logs is a
    must
  • Also consider other means to secure
  • Apply these ideas to workstations in the
    department as well
  • Spend extra time setting up a machine when you
    have time rather than rebuilding when downtime is
    highly inconvenient

91
Appendix 1 File and Folder Permissions
92
Appendix 2 PSU Security Policies
  • Located at http://sos.its.psu.edu/policy.html

93
Appendix 3 Additional Resources
  • SANS guidelines
  • //common/docs/SANS
  • NSA Guide to Securing W2K
  • nsa2.www.conxion.com/win2k/download.htm
  • Securing IIS Whitepaper
  • http://www.microsoft.com/serviceproviders/whitepapers/securing_iis_whpaper.doc