HARDENING WINDOWS Computers
===========================

Win2k Infrastructure Security
=============================

In WinNT each host has its own security database configuration.
In Win2k there is one centralized security database configuration, called Active Directory (with LDAP access method).
AD (Active Directory) = NTDS (Win2000 Directory Service)
Note: AD has info of the objects in the domain (up to millions)

In WinNT there were "Primary Domain Controller" & "Backup Domain Controller".
In Win2k there are (1 or more) "Domain Controllers".

Object access authorization is stored in the AD as DACL (Discretionary Access Control List).
AD objects are organized in classes (user accounts, computers, domains, groups, OU).

AD Components:
-------------
Logical:  *Domains, Forests, Trees, OU
Physical: Domain Controllers, Sites, links between sites.
(*) Interesting Domain Objects: Shared folders, printers, databases, email addresses.

If you want 1 policy for all OU, assign it to the Parent OU.

WinNT Trusts:  One-way trust [non transitive]
Win2k Trusts:  Two-way trust [transitive]
Win2k3 Trusts: Trust between forests -> Federation
Shortcut trusts: Connect 2 Win2k domains that are far down the trees of different forests, to speed up communication.

Become a Domain Controller: "C:\> DCPROMO"

Active Directory Physical Structure
-----------------------------------
The main components of the physical side of A.D. are: sites, the links between the sites, and the Domain Controllers.
Site: combination of one or more IP subnets connected by a highly reliable and fast link, to localize as much network traffic as possible.
*A site is also not part of the DNS namespace.
Site contains:
1) Computer objects
2) Objects relevant to the connection and replication from one site to another.

Win2k DNS
---------
DDNS -> Dynamic DNS

Group Policy [mmc]
------------
1) Computer Configuration <- O.S. behavior: IPSec, account policies, etc.
2) User Configuration <- Desktop, control panel, start menu settings

GPO processing order
--------------------
1) Local GPO
2) Site GPO
3) Domain GPO
4) OU GPO
***NOTE: Last rules take effect over first ones***

Win2k AUTHENTICATION
====================
Win          -> LM (LanManager)
WinNT        -> NTLM
WinNT4 (SP4) -> NTLMv2
Win2000      -> NTLMv2

LM     <- 14 characters (UPPERCASE)
NTLM   <- 14 characters (full Unicode) [uses MD4]
NTLMv2 <- 128bit mode (Confidentiality and Integrity) [uses MD5]
          56bit mode (outside US default)
SYSKEY <- 128bit key to encrypt SAM db

Win2k Local logon process
-------------------------
2 methods: 1) Kerberos 2) NTLM
If Win2k cannot find a KDC (Kerberos Distribution Center) it will revert to NTLM.
1) User enters usr/pass in GINA (Graphical Identification and Authentication)
2) GINA gives usr/pass to LSA (Local Security Authority)
3) LSA will give the info to the SSPI, which will give the auth req to the NTLM driver [MSV1-0 SSP]
   **If Kerberos is used, SSPI would give it to Kerberos
4) The NTLM driver uses the Netlogon service to authenticate the user info with the local SAM db.

Kerberos in Win2k
-----------------
Created by MIT (1980)
Logon process:
1) User enters usr/pass
2) Win2k contacts an AD DC & KDC
3) KDC issues a TGT to the user
4) TGT is used to req. more tickets for other net services
   *TGS provides the tickets
Benefits:
1) S.S.O. (single sign on).
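The processing order above (Local, Site, Domain, OU, with the last GPO winning) is easy to get wrong once "No Override" and "Block Inheritance" (listed later in these notes under group policy issues) enter the picture. The following Python model is an added example, not part of the original notes: it resolves the effective value of each setting and records which GPO supplied it. It assumes, as Windows does, that the Local GPO is never blocked and that when several No Override GPOs collide the one nearest the root wins; every container, GPO and setting name is constructed sample data.

```python
"""Resolve which GPO wins for each setting, following the Win2k processing
order Local -> Site -> Domain -> OU: later GPOs override earlier ones.

Added example, not from the original notes. It also models the two exceptions
listed under "Group Policies: Issues": "No Override" (a GPO whose settings win
over everything below it and cannot be blocked) and "Block Inheritance" (an OU
that refuses GPOs linked above it). Assumptions: the Local GPO is never
blocked, and when several No Override GPOs collide the one nearest the root
wins. All container, GPO and setting names are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                 # setting name -> value
    no_override: bool = False      # "No Override" flag on the link


@dataclass
class Container:
    """One step in the processing order: Local, Site, Domain or an OU."""
    name: str
    gpos: list = field(default_factory=list)   # linked GPOs, in processing order
    block_inheritance: bool = False


def resolve_policy(chain):
    """chain: containers ordered Local, Site, Domain, OU, child OU, ...

    Returns (effective settings, {setting: name of the GPO that supplied it}).
    """
    # The deepest container with Block Inheritance discards every ordinary GPO
    # linked above it (index 0, the Local GPO, is assumed exempt).
    block_index = max((i for i, c in enumerate(chain) if c.block_inheritance),
                      default=-1)

    ordinary, enforced = [], []
    for i, container in enumerate(chain):
        for gpo in container.gpos:
            if gpo.no_override:
                enforced.append(gpo)           # applied regardless of blocking
            elif i == 0 or i >= block_index:
                ordinary.append(gpo)

    effective, winner = {}, {}

    def apply(gpo):
        for setting, value in gpo.settings.items():
            effective[setting] = value
            winner[setting] = gpo.name

    for gpo in ordinary:            # processing order: the last one written wins
        apply(gpo)
    for gpo in reversed(enforced):  # enforced GPOs go last; root-most applied last
        apply(gpo)
    return effective, winner


def sample_chain():
    """Constructed hierarchy for a workstation in OU=Sales of corp.example."""
    return [
        Container("Local", [GPO("LocalGPO",
                                {"DisableRegistryTools": 0, "Wallpaper": "local.bmp"})]),
        Container("Site-NYC", [GPO("SiteGPO", {"DisableRegistryTools": 1})]),
        Container("corp.example", [GPO("DomainGPO",
                                       {"DisableRegistryTools": 1, "Wallpaper": "corp.bmp"},
                                       no_override=True)]),
        Container("OU=Sales", [GPO("SalesGPO",
                                   {"DisableRegistryTools": 0, "Wallpaper": "sales.bmp"})],
                  block_inheritance=True),
    ]


if __name__ == "__main__":
    effective, winner = resolve_policy(sample_chain())
    for setting in sorted(effective):
        print(f"{setting:22} = {effective[setting]!s:10} (from {winner[setting]})")
```

With the sample chain the Sales OU blocks inheritance, so SiteGPO is dropped and SalesGPO would normally win; because DomainGPO is marked No Override it is applied last and keeps DisableRegistryTools=1 on the workstation. Clear both flags and the plain "last rule wins" order takes over, with SalesGPO supplying every setting.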
   access to the forest
2) Verifies user identity

SmartCards in Win2k use Kerberos & PK (asymmetric crypt)
1 key to encrypt } private/public
1 key to decrypt } key pair

Win2k Security Configuration Tools
----------------------------------
Security Template [mmc-SnapIn]
Security Configuration and Analysis [mmc-SnapIn] <- Apply Templates to GPOs
Secedit.exe

User accounts in Win2k:
1) Domain User
2) Local User [Ex.: guest, admin]

Restricting Logon Hours: In Win2k only for Domain Users (AD)
1) Open "Active Directory Users And Computers" [mmc-SnapIn]
2) Users folder | User | Properties | Account tab | Logon Hours

Expiration dates for User Accounts: In Win2k only for Domain Users (AD)
1) Open "Active Directory Users And Computers" [mmc-SnapIn]
2) Users folder | User | Properties | Account tab | Account Expires

Configuring Win2000 Groups
--------------------------
Basic group types: Security Group, Distribution Group
WinNT group types: 1) Global 2) Local
Win2K group types: 1) Computer Local 2) Domain Local 3) Global 4) Universal
Group Policies: Issues: No Override, Block Inheritance

Security Templates
------------------
Security Templates [mmc-SnapIn]
1) Basic
2) Compatible [for mixed env. with WinNT]
3) Secure
4) Highly Secure
Dedicated Domain Controller -> DEDICADC.INF
Harden IIS v5 -> HISECWEB.INF (not on the default list, must be downloaded)

Apply Templates to GPOs:
-----------------------
1) Open "Security Configuration and Analysis" [mmc-SnapIn]
2) Create new *.sdb
3) Load customized *.inf template
4) "Analyze computer now"
5) Observe

Refresh Policy Time Implementation:
- For Computers *every 90 min*.
- For Domain Controllers *every 5 min*.
"c:\> secedit /refreshpolicy machine_policy /enforce"
"c:\> secedit /export /CFG c:\secfile.txt" <- Export settings to a file.
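"Analyze computer now" compares the settings in the loaded *.inf template with what the machine actually has, and `secedit /export` writes the machine's current settings in that same INI-style format. The Python below is an added example, not code from the original notes or from Microsoft: it parses both texts and lists every setting where the machine falls short of the template. Both the template and the exported settings are constructed samples that use only a handful of real setting names (the [System Access], [Registry Values] and [Event Audit] sections; RestrictAnonymous is the LSA value that limits null sessions, and a [Registry Values] line is written as "type,data" with 4 meaning REG_DWORD).

```python
"""Template-vs-machine comparison in the spirit of "Analyze computer now".

Added example, not from the original notes. Parses the INI-style format shared
by security templates (*.inf) and "secedit /export" output, then reports
every setting where the machine differs from the template.
Both texts below are constructed samples.
"""
import configparser

TEMPLATE_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,2
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,2
[Event Audit]
AuditLogonEvents = 3
"""

# Constructed "secedit /export" output of a machine that still has defaults.
MACHINE_EXPORT = """\
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 5
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0
[Event Audit]
AuditLogonEvents = 1
"""


def parse_inf(text):
    """Return {(section, setting): value}; registry values become (type, data)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep setting names and registry paths as written
    cp.read_string(text)
    settings = {}
    for section in cp.sections():
        if section == "Version":  # file header, not a setting
            continue
        for name, raw in cp.items(section):
            value = raw.strip()
            if section == "Registry Values":
                # "type,data": 4 = REG_DWORD, 1 = REG_SZ, 7 = REG_MULTI_SZ
                reg_type, _, data = value.partition(",")
                value = (int(reg_type), data.strip().strip('"'))
            elif value.lstrip("-").isdigit():
                value = int(value)
            settings[(section, name)] = value
    return settings


def analyze(template, machine):
    """Return {(section, setting): (expected, actual)} for every mismatch.

    A setting the machine does not report at all shows up with actual=None.
    """
    findings = {}
    for key, expected in template.items():
        actual = machine.get(key)
        if actual != expected:
            findings[key] = (expected, actual)
    return findings


def report(findings):
    """Human-readable lines, one per mismatch, in template order."""
    lines = []
    for (section, name), (expected, actual) in findings.items():
        lines.append(f"[{section}] {name}: template={expected} machine={actual}")
    return lines


if __name__ == "__main__":
    mismatches = analyze(parse_inf(TEMPLATE_INF), parse_inf(MACHINE_EXPORT))
    print("\n".join(report(mismatches)) or "machine matches template")
```

On the sample data five settings differ (password length and complexity, LM compatibility level, RestrictAnonymous and logon auditing) while LockoutBadCount already matches, which is exactly what the snap-in's red-and-green view would show before you apply the template.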
The Gold Standard
-----------------
The "Gold Standard" is only a recommendation for a "secure desktop" environment.
The "Gold Standard" template filename is "NIST2kws.inf"
1) Copy "NIST2kws.inf" to %systemroot%\security\templates
2) Create database *.sdb and load "NIST2kws.inf"
3) "Analyze computer now"
4) Observe

The NULL Session
----------------
c:\> net use \\172.16.10.12\ipc$ "" /user:""
c:\> net use * /delete

Win2000 Printer Security
------------------------
Printer security permissions:
1) Print            <- [ print, pause, resume, restart, cancel ]
2) Manage Documents <- [ pause, resume, restart, cancel ]
3) Manage Printers  <- [ share printer, etc. ]
Note: The spooler should be moved from %systemroot% (Everybody controls) to a (secure) NTFS location.

Blocking Registry Access
------------------------
Blocking local Registry access:
1) Regedt32.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
2) Add subkey "System"
3) Add DWORD value "DisableRegistryTools" REG_DWORD=1

Unblock Registry Access (remotely):
1) Create share \WINNT\System32 (allow the remote user account Full Control, and remove all the others)
2) Remotely access: Registry | Connect Network Registry | IP | OK
3) Expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
4) Set DisableRegistryTools=0

Removing unneeded Services
--------------------------
1) Remove files from \WINNT\System32: posix.exe, psxss.exe, os2.exe, os2srv.exe, os2ss.exe
2) Delete Registry entries (posix, os2) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems

Win2k Auditing and Logging
==========================
Modify audit events and refresh: "c:\> secedit /refreshpolicy machine_policy"
Logon Types:
Logon Type 2: Interactive (local)
Logon Type 3: Network
Logon Type 4: Batch
Logon Type 5: Service
Logon Type 6: Proxy
Logon Type 7: Unlock the Workstation

Win2k EFS
=========
EFS uses PK (asymmetric)
Each encrypted file has a unique encryption key (FEK: File Encryption Key)
Default Data
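The logon-type table is only useful once you run it over the Security log, so here is an added Python example (not part of the original notes) that parses a few constructed Win2k-style logon audit records (528 successful logon, 540 successful network logon, 529 failed logon, each carrying the "Logon Type" field), names each type with the table above, and raises the findings a reviewer of these notes would look for: a Network logon by ANONYMOUS LOGON (what the null-session `net use` above leaves behind), an Interactive logon on a domain controller, an Interactive logon outside the permitted logon hours, and any failed logon. The log line layout, the DC name and the 07:00-19:00 window are all assumptions made for the sample.

```python
"""Classify logon events by type and flag the ones worth a second look.

Added example, not from the original notes. The record layout below is a
constructed, comma-separated rendering of Win2k Security log entries:
event id, audit outcome, timestamp, then "Field: value" pairs.
"""
import re
from datetime import datetime

# Logon type numbers as listed in the notes.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    6: "Proxy", 7: "Unlock Workstation",
}

# Constructed sample records (not real log data).
SAMPLE_LOG = """\
528,Success Audit,2006-03-01 08:02:11,User Name: jsmith,Domain: CORP,Logon Type: 2,Workstation Name: WS01
540,Success Audit,2006-03-01 08:05:40,User Name: backupsvc,Domain: CORP,Logon Type: 5,Workstation Name: DC1
540,Success Audit,2006-03-01 08:07:02,User Name: ANONYMOUS LOGON,Domain: NT AUTHORITY,Logon Type: 3,Workstation Name: 172.16.10.12
528,Success Audit,2006-03-01 22:15:09,User Name: jsmith,Domain: CORP,Logon Type: 2,Workstation Name: DC1
529,Failure Audit,2006-03-01 22:16:00,User Name: administrator,Domain: CORP,Logon Type: 3,Workstation Name: 172.16.10.12
"""

FIELD_RE = re.compile(r"^\s*(?P<name>[^:]+):\s*(?P<value>.*)$")


def parse_events(text):
    """Turn the sample layout into dicts with normalised field names."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, outcome, stamp, *fields = line.split(",")
        record = {
            "event_id": int(event_id),
            "outcome": outcome.strip(),
            "time": datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S"),
        }
        for field in fields:
            m = FIELD_RE.match(field)
            if m:  # "User Name: jsmith" -> record["user_name"] = "jsmith"
                record[m["name"].strip().lower().replace(" ", "_")] = m["value"].strip()
        record["logon_type"] = int(record.get("logon_type", 0))
        events.append(record)
    return events


def describe(ev):
    kind = LOGON_TYPES.get(ev["logon_type"], "Unknown")
    return (f"{ev['domain']}\\{ev['user_name']} type {ev['logon_type']} ({kind}) "
            f"from {ev['workstation_name']} at {ev['time']:%H:%M}")


def find_findings(events, domain_controllers, allowed_hours=(7, 19)):
    """Return [(reason, description)] for events that deserve attention."""
    start, end = allowed_hours
    findings = []
    for ev in events:
        desc = describe(ev)
        if ev["outcome"] == "Failure Audit":
            findings.append(("failed logon", desc))
            continue
        if ev["logon_type"] == 3 and ev["user_name"].upper() == "ANONYMOUS LOGON":
            findings.append(("null session", desc))
        if ev["logon_type"] == 2 and ev["workstation_name"] in domain_controllers:
            findings.append(("interactive logon on domain controller", desc))
        if ev["logon_type"] == 2 and not start <= ev["time"].hour < end:
            findings.append(("interactive logon outside logon hours", desc))
    return findings


if __name__ == "__main__":
    for reason, desc in find_findings(parse_events(SAMPLE_LOG), {"DC1"}):
        print(f"{reason:40} {desc}")
```

The null-session check relies on the fact that an IPC$ connection with an empty user name is recorded as a Network (type 3) logon by NT AUTHORITY\ANONYMOUS LOGON; the other checks are the log-side counterparts of the dedicated domain controller template and the Logon Hours restriction described earlier.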
Recovery Agent: Administrator (just recovers files, not the users' private keys)
If EFS is implemented on a machine that is not part of a domain, the system will auto-generate & save recovery keys.
EFS Cryptography:
Win2k       -> DES
Win2k (SP2) -> 3DES
"c:\> cipher /e" <- Encryption
"c:\> cipher /d" <- Decryption

Win2k Network Security
======================

Printer Spooler Security
------------------------
Select Printer: File | Server Properties
Check Spool Folder: \WINNT\System32\Spool\PRINTERS
Check/Uncheck "Keep printed documents"
.SPL <- See filename and contents [spooled files]
.SHD <- See who sent the file from which PC [spool header files]

NetBIOS
-------
NetBIOS is not necessary. IP is enough. Though Win2k will ask for a NetBIOS name on install.
"c:\> nbtstat -S" <- Display NetBIOS connections

NAT and ICS
-----------
NAT (RFC 1631)
Private IPs (RFC 1918)
Win2k RRAS (Routing and Remote Access Service) includes NAT, RIP & OSPF, RADIUS
IAS (Internet Access Server) is Microsoft's implementation of RADIUS
IAS accepts PAP, CHAP, MS-CHAP, EAP.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hugo Martin www.hackcraft.com (2006)