Foiling JD: Top 10 Ways to Stop Hackers David LeBlanc Eric Schultze Microsoft Corporation

Foiling JD: Top 10 Ways to Stop

Hackers

David LeBlancEric Schultze

Microsoft Corporation

Introduction

Practice Defense in Depth A well-configured server will often

resist even newly found vulnerabilities Example – the NT 4.0 system set up for

Eweek’s first OpenHack contest would have remained secure against most new attacks found over the next year

10. Secure Your Email client

Outlook Apply the Outlook Security Update

Outlook Express Move OE to Restricted Sites Zone Disable Active Scripting and Java

Don’t read e-mail on a web server!

9. Restrict Anonymous

Set RestrictAnonymous=2 This blocks detailed enumeration of

users and groups over a variety of protocols

(setting included in HiSec* templates) Do not allow system with RA=2 to

become master browser

8. ACL System Executables

Remove ability for users to execute system commands (cmd.exe, tftp.exe, etc.) C:\winnt (and subdirectories)

Dir *.exe /s /b > outfile.txt Cacl *.exe files as such:

Admins: Full System: Full

7. ACL Directories

Remove permissions for IUSR, IWAM, and Everyone to Write and Execute files in all directories Dump directory list to file Run cacls against each directory Identify each entry with Everyone perms

Read/Execute Write

Reset perms as follows:

7. ACL Directories

\Inetpub Everyone:(OI)(CI)F

Set to admins:F, everyone:R------------------------------------------------------------------------------\Documents and Settings\All Users\DRM Everyone:(OI)(CI)F

Set to everyone:R------------------------------------------------------------------------------\Documents and Settings\All Users\Application Data\Microsoft\HTML Help Everyone:F \Documents and Settings\All Users\Application Data\Microsoft\HTML Help Everyone:(OI)(CI)(IO)F

Set to everyone:R------------------------------------------------------------------------------\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys Everyone:(special access:) READ_CONTROLSYNCHRONIZEFILE_GENERIC_READFILE_GENERIC_WRITEFILE_READ_DATAFILE_WRITE_DATAFILE_APPEND_DATAFILE_READ_EAFILE_WRITE_EAFILE_READ_ATTRIBUTESFILE_WRITE_ATTRIBUTES

RemoveFILE_GENERIC_WRITEFILE_WRITE_DATA------------------------------------------------------------------------------

7. ACL Directories

\Inetpub\AdminScripts Everyone:(OI)(CI)F

Inherited permissions from \Inetpub ------------------------------------------------------------------------------\Inetpub\mailroot Everyone:(OI)(CI)F \Inetpub\mailroot\Badmail Everyone:(OI)(CI)F \Inetpub\mailroot\Drop Everyone:(OI)(CI)F \Inetpub\mailroot\Mailbox Everyone:(OI)(CI)F \Inetpub\mailroot\Pickup Everyone:(OI)(CI)F \Inetpub\mailroot\Queue Everyone:(OI)(CI)F \Inetpub\mailroot\Route Everyone:(OI)(CI)F \Inetpub\mailroot\SortTemp Everyone:(OI)(CI)F

Inherited permissions from \Inetpub------------------------------------------------------------------------------

7. ACL Directories

\WINNT\Tasks Everyone:(OI)(CI)(special access:) READ_CONTROLSYNCHRONIZEFILE_GENERIC_READFILE_GENERIC_WRITEFILE_GENERIC_EXECUTEFILE_READ_DATAFILE_WRITE_DATAFILE_APPEND_DATAFILE_READ_EAFILE_WRITE_EAFILE_EXECUTEFILE_READ_ATTRIBUTESFILE_WRITE_ATTRIBUTES

\WINNT\system32\Setup Everyone:(OI)(CI)F

Set to admins:F, everyone:R------------------------------------------------------------------------------\WINNT\system32\inetsrv\Data Everyone:F

Set to everyone:R------------------------------------------------------------------------------\WINNT\system32\Microsoft\Crypto\RSA\MachineKeys Everyone:(special access:) Set to everyone:R

6. Disable Services

Alerter Computer Browser Indexing Service Messenger Print spooler Remote Registry Distributed File System Workstation Server Telnet Smtp

5. Filter Ports

42 WINS Host Name Server80 HTTP88 Kerberos135 MS RPC139 NetBIOS Session Service389 LDAP443 SSL445 CIFS-SMB464 kpasswd593 HTTP endpoint mapper636 SSL-ldap3268 MS Global Catalog3269 MS Global Catalog3372 (Local-host only connection)3389 MS Terminal Server xxxx IIS 5.0 HTML Mgmt

5. Filter Ports

Apply IPSec Port Filters Block access to ALL ports but

80, 443, etc.

5. Filter Ports

5. Filter Ports

Apply Port Filtering at the Router Block all non-essential ports in BOTH

directions

Why should DMZ webserver be doing NetBIOS, TFTP, or HTTP OUTBOUND to other Internet Hosts?

It Shouldn’t. Block It.

4. Disable NetBIOS

Foil Feinman Don’t allow malicious users to access

tcp 139 and tcp/udp 445 Without this access – it will be much

tougher for hacker to enumerate details about users and groups

4. Disable NetBIOS

IPSec Create Blocker rules for tcp 139 and tcp/udp

445 Unbind File and Printer Sharing for

Microsoft Networks Will stop 139 from responding to requests

Advanced IP filtering Only allow required ports

Unbind NetBIOS from WINS

4. Unbind F&P SharingMust select Advanced – Advanced Settings

445 disappears, 139 appears, but does not respond

No Reboot Required

4. Advanced IP FilteringReboot Required !!

Only specified ports are allowed

4. Advanced IP FilteringReboot Required !!

WARNING

Selecting IP Protocols –Permit Only ‘6’ (tcp) will ALSO allow ICMP ‘1’ – even though this is not explicitely defined

4. Unbind NetBIOS from WINS

139 disappears, 445 still accepts connections

No Reboot Required

4. Disable NetBIOS

Most Secure Option Is to Unbind File and Printer Sharing from the specified adapter Both 139 and 445 will be prohibited

4. Foiling Feinman

Aside from Blocking User Enumeration via NetBIOS You must secure enumeration via

SNMP and LDAP Block tcp 389 and udp 161 DO NOT weaken perms on AD during

AD setup Or, remove EVERYONE group from Pre-

Windows 2000 Compatability group

4. Foiling Feinman

3. Apply Security Templates

Templates located in: Winnt\security\templates

Basicdc Basicsv Basicws Compatws Hisecdc Hisecws Ocfiless Ocfilesw Securedc Securews HISECWEB – download from microsoft.com/security

2. Follow IIS5 Checklist

Summary: Remove sample apps

inetpub\samples winnt\help\iishelp Program files\common files\system\msadc

ACL IIS log file Admin and system Full Everyone RWC

Enable IIS Logging Review all code on server for RevertToSelf calls

2. Follow IIS5 Checklist (cont)

Disable File System Object Regsrv32 scrrun.dll /u

Remove IISADMPWD directory (if exists)

Only exists if upgraded from IIS4 Remove script mappings

htr, idc, stm, shtm, shtml Disable Parent Paths

Scripts, msadc, etc.

Additional IIS Security Steps

Remove or disable Admin web sites Remove Server extensions if you

aren’t using them (remove files, too) Run Permissions Wizard on all web

directories Disable Windows Auth on directories

that don’t need it

1. Apply Hotfixes

Apply the Patches MS00-086

Solves Directory Traversal Vulnerability Supersedes 00-057 and 00-078

MS01-007 Solves Win2K Privilege Escalation

Vulnerability

Visit microsoft.com/security for others…

1. Apply Hotfixes

Search by Service Pack

1. Apply Hotfixes

DRAFT

Resources

www.microsoft.com/security Bulletins and patches IIS5 Security Checklist HiSecWeb Template HFCheck (IIS5 hotfix checker)

secure@microsoft.com Reports of security vulnerabilities in MS

products secfdbck@microsoft.com

Feedback on website, tools, checklists, etc.