For buffer0verfl0w security
written by slash
tcsh@b0f.i-p.com
http://www.b0f.com

Windows NT Security Check Part II
=================================

Introduction
------------

In Part I of "Windows NT Security Check" I explained some basic things about user accounts and logging options. In this part I'll try to explain the various groups and user rights. Please note that any of the topics covered in these articles can be discussed on our webboard located at http://net-security.org/webboard.htm

Groups
------

The membership of groups should be carefully evaluated. A group that is granted permissions to sensitive files might contain users who should not have that access. Open each group listed in the User Manager and inspect its members.

- Carefully evaluate the members of management groups such as Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Remove all unnecessary accounts.
- Make sure that all administrative users have two accounts: one for administrative tasks and one for regular use. Administrators should only use their administrative accounts when absolutely necessary.
- Evaluate each global group membership and the resources that the group has access to. Does the group have access in other domains?
- What folders and files do groups have permission to access?
- Do local groups hold global groups from other domains? Check the membership of these global groups and make sure that no users have unnecessary access to resources in the current domain.

The Administrator Account and Administrators Group
--------------------------------------------------

The Administrator account and Administrators group have unlimited rights on the system.
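The group-membership review from the Groups section above, and the checks on the built-in Administrator account that this section goes on to describe, as an added example (this is not code from the original article). NT 4 had no PowerShell, so the script targets a current Windows host with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later) and must run from an elevated prompt; the account names in $Approved and in the usage lines are assumptions for the example.

```powershell
# Added example, not from the original article: review the NT management groups
# and the built-in Administrator account, then create the separate, restricted
# task account the article asks administrators and backup operators to use.
# Requires the Microsoft.PowerShell.LocalAccounts module and an elevated prompt.
# Names in $Approved and in the usage lines are assumptions for the example.

$PrivilegedGroups = 'Administrators', 'Server Operators', 'Account Operators',
                    'Backup Operators', 'Print Operators'

# Site-specific allow list (hypothetical). Anything else in these groups is
# reported so you can decide whether it belongs there.
$Approved = @{
    'Administrators'   = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\adm-jane")
    'Backup Operators' = @("$env:COMPUTERNAME\bkp-joe")
}

function Get-PrivilegedGroupReport {
    foreach ($group in $PrivilegedGroups) {
        # Server, Account and Print Operators exist only on domain controllers.
        if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) { continue }
        foreach ($m in Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue) {
            [pscustomobject]@{
                Group    = $group
                Member   = $m.Name             # DOMAIN\name or COMPUTER\name
                Type     = $m.ObjectClass      # User or Group (nested groups need a look too)
                Source   = $m.PrincipalSource  # Local, ActiveDirectory, ...
                Approved = [bool]($Approved[$group] -contains $m.Name)
            }
        }
    }
}

function Test-AdministratorAccount {
    # Renaming does not change the SID: the built-in Administrator is always
    # RID 500 and Guest RID 501, so look them up by SID, not by name.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $guest   = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    $decoy   = Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue
    if ($decoy -and $decoy.SID.Value -eq $builtin.SID.Value) { $decoy = $null }  # not renamed yet
    $decoyGroups = @()
    if ($decoy) {
        # A decoy is only safe if it sits in no group at all.
        $decoyGroups = @(Get-LocalGroup | Where-Object {
            (Get-LocalGroupMember -Group $_.Name -ErrorAction SilentlyContinue).SID.Value -contains $decoy.SID.Value
        } | Select-Object -ExpandProperty Name)
    }
    [pscustomobject]@{
        BuiltinAdminName    = $builtin.Name
        BuiltinAdminRenamed = ($builtin.Name -ne 'Administrator')
        DecoyPresent        = ($null -ne $decoy)
        DecoyEnabled        = $(if ($decoy) { $decoy.Enabled })
        DecoyGroups         = ($decoyGroups -join ', ')
        GuestEnabled        = $guest.Enabled
    }
}

function New-RestrictedTaskAccount {
    # One account per job (administration, backups), separate from the person's
    # daily account: logon only in a time window and only from named machines.
    # New-LocalUser takes a SecureString; net user then applies the logon-hours
    # and workstation restrictions that NT's User Manager set with Hours and
    # Logon To (workstation restrictions are enforced for domain logons).
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $Group,          # e.g. 'Backup Operators'
        [Parameter(Mandatory)] [string]   $Hours,          # net user /times syntax, e.g. 'M-F,01:00-05:00'
        [Parameter(Mandatory)] [string[]] $Workstations    # up to eight NetBIOS names
    )
    $pw = Read-Host -AsSecureString -Prompt "Password for $Name"
    New-LocalUser -Name $Name -Password $pw -UserMayNotChangePassword `
        -Description "Task account for $Group" | Out-Null
    $ws = $Workstations -join ','
    net user $Name "/times:$Hours" "/workstations:$ws" | Out-Null
    net localgroup $Group $Name /add | Out-Null
}

Get-PrivilegedGroupReport | Where-Object { -not $_.Approved } | Format-Table -AutoSize
Test-AdministratorAccount | Format-List
# New-RestrictedTaskAccount -Name 'bkp-joe' -Group 'Backup Operators' -Hours 'M-F,01:00-05:00' -Workstations 'BACKUP01'
```

The report flags every member of a management group that is not on your list, including nested groups, which you must then open in turn. Test-AdministratorAccount finds the real Administrator by its RID (500) whatever it has been renamed to, so it also shows you what an attacker who enumerates accounts by SID would see.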
Therefore, you need to carefully evaluate the membership of the Administrators group and take care of some other housekeeping related to the Administrator account:

- If you are taking over the management of an existing system, change the Administrator account's name and password immediately. You do not know who might have a password that would give them access to the account.
- The Administrator account is often the target of attacks because of its well-known name. Rename the Administrator account to an obscure name and create a "decoy" account called "Administrator" with no permissions and no group memberships (a newly created account is placed in the Users group by default, so remove it from there). Intruders will attempt to break in to this decoy account instead of the real account. Note that renaming does not change the account's identifier (the built-in Administrator always has relative ID 500), so tools that enumerate accounts by SID can still find it; the rename raises the cost of guessing, it does not hide the account.
- Enable auditing of failed logons to detect attempts to log on to any account, including Administrator.
- Look for unnecessary accounts that have Administrator status. Perhaps an intruder has created such an account as a backdoor into the system.

The Administrators group has the "Access this computer from network" right, which you can remove to prevent account hijacking or unauthorized activities over the network. Without this right, administrators must log on at the computer itself, in a controlled environment, to do any administrative tasks. You will also need to remove the right from the Everyone group and then add back the accounts or groups that are allowed to log on from the network.

The Guest Account and Everyone Group
------------------------------------

Most administrators agree that the Guest account should be disabled, although disabling it removes the ability of anonymous users to access the system. If you decide to enable the Guest account, consider creating a separate domain for these public services where the Guest account is enabled. Alternatively, use a Web server for this type of system.

- Users who log on as guests can access any shared folder that the Everyone group has access to (i.e., if the Everyone group has Read permissions to the Private folder, guests can access it with Read permissions).
- You don't know who Guest users are, and there is no accountability because all guests log in to the same account.
- If you have Microsoft Internet Information Server installed, a special guest account called IUSR_computername exists with the right to log on locally; IIS uses it for anonymous Web access. Remove (or disable) this account if you don't want the general public to access your Web server. Users must then have an account to access the Web server.

User rights
-----------

In the User Manager for Domains, check the rights that users and groups have on the system. Choose User Rights from the Policies menu to display the User Rights Policy dialog box. Initially, the box shows the basic rights. To evaluate all rights, check the Show Advanced User Rights option. Here are some considerations for the basic rights:

- Access this computer from the network
  By default, only the Administrators and Everyone groups have this right. Remove the Everyone group (why would you want everyone to access this server from the network if you are interested in security?), then add specific groups as appropriate. For example, create a new group called "Network Users" with this right, then add the users who should have network access.
- Back up files and directories
  Users with this right can read any file regardless of its permissions, and so can potentially carry any file off-site. Carefully evaluate which users and groups have this right. Also evaluate the Restore files and directories right, which lets its holders overwrite any file regardless of its permissions.
- Log on locally
  For servers, only administrators should have this right. No regular user ever needs to log on directly at the server itself. By default, the administrative groups (Administrators, Server Operators, etc.) have this right. Make sure that any user who is a member of these groups has a separate management account.
- Manage auditing and security log
  Only the Administrators group should have this right.
- Take ownership of files or other objects
  Only the Administrators group should have this right.
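The user-rights review above, and the removal of the "Access this computer from the network" right from Everyone that the Administrator section calls for, as an added example (not code from the original article). It exports the local security policy with secedit, which shipped with NT 4 and every later Windows, and parses the [Privilege Rights] section; the script itself needs PowerShell and an elevated prompt on a current Windows host. The $Allowed table is this example's idea of a hardened member server, not an NT default, and the "Network Users" group is assumed to exist already.

```powershell
# Added example, not from the original article: list who holds the user rights
# the article singles out by parsing a secedit export, then replace Everyone
# with named groups for "Access this computer from the network". Run elevated.
# $Allowed is an assumption for this example, not an NT default.

# Privilege name in the export -> label shown in User Manager / secpol.msc
$Rights = [ordered]@{
    SeNetworkLogonRight      = 'Access this computer from the network'
    SeInteractiveLogonRight  = 'Log on locally'
    SeBackupPrivilege        = 'Back up files and directories'
    SeRestorePrivilege       = 'Restore files and directories'
    SeSecurityPrivilege      = 'Manage auditing and security log'
    SeTakeOwnershipPrivilege = 'Take ownership of files or other objects'
}

$Allowed = @{
    SeNetworkLogonRight      = @('BUILTIN\Administrators', "$env:COMPUTERNAME\Network Users")
    SeInteractiveLogonRight  = @('BUILTIN\Administrators')
    SeBackupPrivilege        = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    SeRestorePrivilege       = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    SeSecurityPrivilege      = @('BUILTIN\Administrators')
    SeTakeOwnershipPrivilege = @('BUILTIN\Administrators')
}

function Resolve-Sid([string]$Sid) {
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
              [System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # orphaned SID (deleted account still holding a right): keep it visible
}

function Get-PrivilegeHolders {
    # Returns a hashtable: privilege name -> array of account names holding it.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $holders = @{}; $inSection = $false
        foreach ($line in Get-Content -LiteralPath $inf) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
            $name, $value = $Matches[1], $Matches[2]
            # Entries look like: SeNetworkLogonRight = *S-1-5-32-544,*S-1-1-0
            $holders[$name] = @(foreach ($p in ($value -split ',')) {
                $p = $p.Trim()
                if ($p.StartsWith('*')) { Resolve-Sid $p.Substring(1) } else { $p }
            })
        }
        $holders
    } finally { Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue }
}

function Get-UserRightsReport {
    $holders = Get-PrivilegeHolders
    foreach ($priv in $Rights.Keys) {
        if (-not $holders.ContainsKey($priv)) { continue }   # nobody holds it
        foreach ($who in @($holders[$priv])) {
            $flag = if ($priv -eq 'SeNetworkLogonRight' -and $who -eq 'Everyone') {
                        'Everyone may reach this host over the network'
                    } elseif ($Allowed[$priv] -notcontains $who) { 'not in the expected list' }
                    else { '' }
            [pscustomobject]@{ Right = $Rights[$priv]; Holder = $who; Flag = $flag }
        }
    }
}

function Set-NetworkLogonRight {
    # Rewrites SeNetworkLogonRight to exactly the given groups (so Everyone is
    # dropped) by feeding secedit a minimal template; an entry left out is removed.
    param([Parameter(Mandatory)][string[]]$Groups)
    $sids = foreach ($g in $Groups) {
        '*' + ([System.Security.Principal.NTAccount]$g).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value
    }
    $inf = Join-Path $env:TEMP 'network-logon.inf'
    $db  = Join-Path $env:TEMP 'network-logon.sdb'
    @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]', "SeNetworkLogonRight = $($sids -join ',')") |
        Set-Content -LiteralPath $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item -LiteralPath $inf, $db -ErrorAction SilentlyContinue
}

Get-UserRightsReport | Format-Table -AutoSize
# Set-NetworkLogonRight -Groups 'BUILTIN\Administrators', "$env:COMPUTERNAME\Network Users"
```

Orphaned SIDs are deliberately left unresolved in the report: a deleted account that still holds a right is exactly the kind of leftover this review is meant to find. On a domain member, Group Policy will reapply whatever the domain sets, so make the same change in the policy rather than only locally.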
Scan all the advanced rights to make sure that no user has been granted rights inappropriately.

Files, Folders, Permissions and Shares
--------------------------------------

This discussion assumes that you are only using NTFS volumes on your servers. Do not use FAT volumes in secure installations: FAT has no file permissions at all.

To check permissions on folders and other resources, you must go to each resource individually to review which users and groups have permissions. This can be a bewildering task, so for large systems obtain a copy of the Somarsoft DumpACL utility, which dumps the permissions of a whole tree into one report.

To open the Permissions dialog box for a folder or file, right-click it and choose Properties, then click either the Sharing or the Security tab. The Sharing options show who has access to the folder over the network. The Security tab has the Permissions and Auditing buttons so you can check local (NTFS) permissions or set auditing options. Keep in mind that the effective access over the network is the more restrictive of the share permissions and the NTFS permissions.

Start your evaluation with the most sensitive and critical folders if you are doing this procedure manually or performing a periodic checkup. Take care to do the following:

- Check each folder and/or file to determine which local users and groups have access and whether that access is appropriate.
- Check all shared folders and the share permissions on those folders to determine which network users and groups have access and whether that access is appropriate.
- Program files and data files should be kept in separate folders to make management and permission setting easier. Also, if users can copy files into a data folder, remove the Execute permission on the folder to prevent someone from copying in and executing a virus or Trojan horse program.
- Separate public files from private files so you can apply different permission sets.
- If users or groups have access to a folder, should they have the same access to every file in the folder? To every subdirectory? Check the sensitivity of files and attached subdirectories to evaluate whether inherited permissions are appropriate.
- Keep in mind that new folders take the permissions of their parent, and the root of a freshly formatted NTFS volume grants the Everyone group Full Control, so by default every new folder you create gets Everyone: Full Control. To prevent this, change the Everyone group's permission on the parent folder; any new subdirectories you then create will get the new permission settings. (NT copies permissions at creation time, so existing subdirectories are not updated unless you propagate the change.)
- If the server is connected to an untrusted network such as the Internet, do not store any files on the server that are sensitive and for in-house access only.
- Never share the root directory of a drive or one of the drive icons that appears in the graphical display. An exception would be sharing a read-only CD-ROM drive for public access.
- For sensitive, password protected directories, enable auditing. Right-click a folder, click Security, then click Auditing and enable Failure to track users who are attempting unauthorized access to a folder or file. Note that File and Object Access must be enabled from the Audit policy in the User Manager, as described later.
- Use encryption wherever possible to hide and protect files. Mergent (http://www.mergent.com/) and RSA Data Security (http://www.rsa.com/) provide encryption software for this purpose.

You can remove Everyone's access to an entire folder tree by going to the root of the drive, changing the permissions, and propagating those permissions to subdirectories. Do not do this for the systemroot folder (usually C:\WINNT): the system and its users need specific permissions under it, so adjust Everyone's permissions there folder by folder.

Virus and Trojan Horse Controls
-------------------------------

Viruses are a particularly serious problem in the network environment because a client computer can become infected and transfer the virus to server systems. Other users may then come into contact with infected files on the server. Evaluate and set the following options:

- Program directories should have permissions set to Read and Execute (not Write) to prevent a virus from being written into a directory where it can be executed. To install programs, temporarily set Write on, then remove it.
- Install new software on a separate, quarantined system for a test period, then install the software on working systems once you have determined that it is safe to run.
- Public file sharing directories should have the least permissions possible, i.e., Read Only, to prevent virus infections.
- If a user needs to put files on your server, create a "drop box" directory that has only the Write permission (users can add files but cannot list, read back or execute them). Check all new files placed in this directory with a virus scanner.
- Implement backup policies and other protective measures.
- Educate and train users.
- Check the Symantec site for interesting papers on Windows NT-specific virus issues.

Auditing and Event Logs
-----------------------

Check the status of audit settings by choosing Audit on the Policies menu in the User Manager for Domains. The Audit Policy dialog box appears; the categories it offers are listed at the end of this section. Enable at least failed logons, failed file and object access, and success and failure for user and group management and security policy changes; this is the minimum that is appropriate in most environments. Keep in mind that auditing too many events (process tracking in particular) can affect a system's performance.

Protect the audit and security logs from other administrators who might change or delete them. Any member of the Administrators group can give itself the ability to access the logs, so to restrict access to a single user (the "auditor"), remove all users except the auditor from the Administrators group. This means all of your other administrators must be members of a management group that does not have the "Manage auditing and security log" right.

Check for failed logons in the Event Viewer. You can enable security auditing for logon attempts, file and object access, use of user rights, account management, security policy changes, restart and shutdown, and process tracking.

Backup
------

Backup policies and procedures are essential. In your evaluation, determine which users belong to the Backup Operators group. Carefully evaluate whether you trust these users. Backup operators have the ability to access all areas of the system to back up and restore files, regardless of the permissions set on them.
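The NTFS permission review from the Files, Folders, Permissions and Shares section and the program-directory and drop-box settings from the Virus and Trojan Horse Controls section, as an added example (not code from the original article). It is a DumpACL-style walk over a folder tree that reports every entry giving a broad group (Everyone, Users, Authenticated Users) more than read access and notes where write and execute coincide, plus two icacls recipes for the two directory types. It targets a current Windows host (NT 4 had cacls rather than icacls, and no PowerShell) and should run elevated; the paths in the usage lines are assumptions.

```powershell
# Added example, not from the original article: find broad write access in a
# tree the way DumpACL would, and set the article's program-directory and
# drop-box permissions with icacls. Paths in the usage lines are assumptions.

$BroadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
               'NT AUTHORITY\INTERACTIVE'

$FSR = [System.Security.AccessControl.FileSystemRights]
# Anything that lets a principal add, alter or remove files, or change who can.
$WriteMask = [int]($FSR::Write -bor $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
                   $FSR::ChangePermissions -bor $FSR::TakeOwnership) -bor
             0x40000000 -bor 0x10000000   # GENERIC_WRITE / GENERIC_ALL, seen in inherit-only ACEs
$ExecMask  = [int]$FSR::ExecuteFile -bor 0x20000000   # ExecuteFile / GENERIC_EXECUTE

function Find-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            if (($rights -band $WriteMask) -eq 0) { continue }
            # Write plus execute on a directory is the "copy in and run a
            # Trojan" case the article warns about; write alone still needs a look.
            $risk = if ($item.PSIsContainer -and ($rights -band $ExecMask)) { 'write+execute' } else { 'write' }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited     # $false: set here, not handed down from the parent
                Risk      = $risk
            }
        }
    }
}

function Set-ProgramDirAcl {
    # Program directory: Users read and run, only Administrators and SYSTEM
    # change anything. /inheritance:r drops inherited ACEs (typically the
    # Everyone or Users write access coming down from the volume root).
    param([Parameter(Mandatory)][string]$Path)
    icacls $Path /inheritance:r /grant:r 'Users:(OI)(CI)RX' 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null
}

function Set-DropBoxAcl {
    # Drop box: Users may create files and folders (WD = add file, AD = add
    # subdirectory) but cannot list, read, execute or delete what is there;
    # without (OI) the files dropped in get no Users entry at all.
    param([Parameter(Mandatory)][string]$Path)
    icacls $Path /inheritance:r /grant:r 'Users:(CI)(WD,AD)' 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null
}

Find-BroadWriteAccess -Path 'D:\Data' | Format-Table -AutoSize
# Set-ProgramDirAcl -Path 'D:\Apps'
# Set-DropBoxAcl   -Path 'D:\DropBox'   # the report will still list it: that write is intended
```

Start the walk at the folders you care most about rather than at the volume root, and read the Inherited column: an entry set directly on a deep folder is usually a decision somebody made, while an inherited Everyone: Full Control is the volume-root default the article describes.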
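The auditing steps from the Auditing and Event Logs section (and the failure auditing on sensitive folders from the permissions section), as an added example that is not part of the original article: it enables the audit categories the article relies on, puts a Failure audit entry on a folder, and summarises failed logons from the Security log. It targets a current Windows host: NT 4 set audit policy in User Manager and logged a failed logon as event 529, while since Windows Vista the event is 4625 and policy is set with auditpol. Run it from an elevated prompt; the folder path and the thresholds are assumptions.

```powershell
# Added example, not from the original article: baseline audit policy, a
# Failure audit entry on a folder, and a failed-logon summary from the Security
# log. Folder path and thresholds are assumptions for the example.

function Enable-BaselineAuditPolicy {
    # Subcategory names as printed by: auditpol /list /subcategory:* (English).
    # NT's "File and Object Access" is the File System subcategory here.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Account Lockout" /failure:enable | Out-Null
    auditpol /set /subcategory:"File System" /failure:enable | Out-Null
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Sensitive Privilege Use" /failure:enable | Out-Null
}

function Add-FailureAudit {
    # Equivalent of Security > Auditing > Failure for Everyone on the folder,
    # inherited by its files and subfolders. Needs "Manage auditing and
    # security log" (Administrators hold it), otherwise Get-Acl -Audit fails.
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -LiteralPath $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Failure)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-FailedLogonSummary {
    # Event 4625 (failed logon), grouped by target account and origin so a
    # guessing run against "Administrator" or a decoy stands out. SubStatus
    # tells you what the attacker got wrong: 0xC0000064 no such account,
    # 0xC000006A bad password, 0xC0000234 locked out, 0xC0000072 disabled.
    param([int]$Hours = 24, [int]$MinCount = 5)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData positions in the 4625 schema: 5 TargetUserName,
        # 6 TargetDomainName, 9 SubStatus, 10 LogonType, 13 WorkstationName, 19 IpAddress
        $p = $_.Properties
        $src = $p[19].Value
        if (-not $src -or $src -eq '-') { $src = $p[13].Value }
        [pscustomobject]@{
            Account   = "$($p[6].Value)\$($p[5].Value)"
            Source    = $src
            LogonType = $p[10].Value          # 2 interactive, 3 network, 10 remote interactive
            SubStatus = '0x{0:X8}' -f $p[9].Value
        }
    } | Group-Object Account, Source, SubStatus |
        Where-Object Count -ge $MinCount |
        Sort-Object Count -Descending |
        ForEach-Object { [pscustomobject]@{ Attempts = $_.Count; Who = $_.Name } }
}

# Enable-BaselineAuditPolicy                     # changes policy: run once, deliberately
# Add-FailureAudit -Path 'D:\Data\Private'       # path assumed
Get-FailedLogonSummary -Hours 24 -MinCount 5 | Format-Table -AutoSize
```

A run of 0xC0000064 results against one account name shows someone probing names that do not exist (a renamed Administrator produces exactly this), while many 0xC000006A results against one account from one source is a password-guessing attempt worth following up on in the rest of the log.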
Members of the Backup Operators group should have special logon accounts (not regular user accounts) on which you can set logon restrictions. If Joe is the backup operator, he should have a regular logon account for his personal activities and a special logon account for backing up the system. Set restrictions on the backup account: force Joe to log on only from a specific system and only during the appropriate hours (the Hours and Logon To settings in User Manager). Change the name and password of the account frequently to guard against hijacking.

- Review the backup policies. Is the backup schedule appropriate? Are backup media safely transported to secure locations? How might backup compromise the confidentiality of files?
- View the Event Log to audit backup activities.

Final conclusion
----------------

Well, I hope that these articles gave you some basic information on how to administer your Windows NT server. For more information I recommend reading the following books:

- Inside Windows NT Server 4: Administrator's Resource Edition
  This national bestseller has been updated and expanded to cover the most talked-about Windows NT-related technologies and the latest information on Windows NT Server 4. Aimed at network administrators, consultants, and IT professionals, this book provides invaluable information to help you get up and running. Written by experts, this comprehensive book takes you through the ins and outs of installing, managing, and supporting a Windows NT network, with efficiency. Loaded with tutorials and organized as a reference, it's the perfect resource for new administrators who need to get up to speed quickly, as well as for technically savvy and experienced administrators who just need to locate the most essential information without reading every page.
- Essential Windows NT System Administration
  Essential Windows NT System Administration helps you manage Windows NT systems as productively as possible, making the task as pleasant and satisfying as can be.
  It combines practical experience with technical expertise, helping you to work smarter and more efficiently. It covers not only the standard utilities offered with the Windows NT operating system, but also those from the Resource Kit, as well as important commercial and free third-party tools. It also pays particular attention to developing your own tools by writing scripts in Perl and other languages to automate common tasks. This book covers the workstation and server versions of Windows NT 4 on both Intel and Alpha processor-based systems.
- Microsoft Windows NT 4.0 Security, Audit, and Control
  This "Security Handbook" is the official guide to enterprise-level security on networks running Microsoft Windows NT Server 4.0. Written in collaboration between Microsoft and MIS professionals at Coopers & Lybrand, it is the essential reference for any Windows NT Server 4.0-based network.

This is only a small selection of the books on Windows NT security and administration. You can find more books on Windows NT at our online bookstore, Default newsletter (http://default.net-security.org).