Security Issues With Microsoft Based PCs The Pennsylvania State University College of Engineering Electronic & Computer Services Joe Lanager Systems Analyst October 16 th , 2003


Security Issues With Microsoft Based PCs

The Pennsylvania State University
College of Engineering
Electronic & Computer Services

Joe Lanager
Systems Analyst
October 16th, 2003

The Scope of the Problem

• More than 2/3 of COE hosts are Microsoft based, or over 2000
  – Still have many legacy (NetBIOS dependent) clients
• Amount and severity of software related security issues remains high
  – E.g., Windows 2000 systems on track for about 60 patches this year
• Increased desire of hackers to hit Microsoft systems
  – Usually taken over for the purposes of becoming a rogue FTP or Warez server
• Universities remain an especially “juicy” target
  – Fat pipes
  – No firewalls
  – Weak security posture
  – Decent platforms with large amounts of combined storage
  – May be used as a staging point for further attacks
• Securing Microsoft systems can be a chore
  – Unnecessary services install by default and are configured to be wide open
  – Some security tweaks require extensive research and registry manipulation
  – OS remains tightly integrated, so securing users for least privilege remains a challenge

Warez Summary

(Chart: number of Warez incidents per semester, SU02, FA02, SP03, SU03 and FA03, with two series, COE and PSU; vertical axis 0 to 250.)

Common Attack Vectors

• Self-Propagating Code (Viruses & Worms)
  – Primary threat comes from users with laptops or self-managed systems with no antivirus software, or software that isn’t keeping up with virus definitions
    • Immutable Law of Security #8 – An out of date virus scanner is only marginally better than no virus scanner at all
  – Thousands unsuccessfully attempt to get through our mail server
  – Most successful have been fast moving worms that take advantage of vulnerabilities arising from missing patches
    • Slammer, Blaster, Welchia
• Exploits
  – Toolkits test for any known vulnerability
    • NetBIOS, IIS, SQL, etc.
• Social Engineering
  – E.g., Swen claims to be an IE patch

Current Threats

• NetBIOS – The “necessary evil”
  – Necessary to support down level clients
  – Too many security issues to allow outside of trusted IP space
• IIS
  – Exposure is limited because it’s not widely used
  – Installs by default with server
  – Usually see evidence of attempted file traversal and buffer overflows on COE web server and honeypot
• SQL
  – Numerous security issues
  – Concern with protecting possible sensitive data
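The IIS bullet above mentions seeing traversal and buffer overflow attempts in the web server and honeypot logs. The following is an added example (not code from the talk or from the College) of the kind of review that turns those log entries into findings. It parses the W3C extended format IIS writes, flags the classic traversal encodings (plain, double-encoded, and the overlong UTF-8 forms that unpatched IIS 4/5 decoded) and treats an unusually long request as a probable overflow probe. The log lines, the address values and the 1000-byte length threshold are constructed for the example.

```python
"""Spotting traversal and overflow probes in IIS W3C extended logs.
Added example; log lines, hosts and thresholds are constructed."""
import re
from urllib.parse import unquote

# Traversal encodings seen in the wild: overlong UTF-8 (%c0%af, %c1%9c),
# double-encoded backslash/slash (%255c, %252f) and "..%5c" / "..%2f".
RAW_PATTERNS = re.compile(r"%c0%af|%c1%9c|%255c|%252f|\.\.%5c|\.\.%2f", re.IGNORECASE)
LONG_REQUEST = 1000   # assumed threshold for a suspected buffer-overflow probe

# Constructed sample log in the standard IIS W3C extended layout.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-10-15 02:14:07 203.0.113.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404",
    "2003-10-15 02:14:09 203.0.113.5 GET /msadc/..%255c..%255c../winnt/system32/cmd.exe /c+dir 404",
    "2003-10-15 03:01:44 198.51.100.9 GET /default.ida " + "X" * 1200 + " 400",
    "2003-10-15 08:22:10 10.1.2.3 GET /index.htm - 200",
])


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def classify(row):
    """Return 'traversal', 'overflow-probe' or None for a single request."""
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "-")
    raw = stem + ("?" + query if query != "-" else "")
    # Decode twice so double-encoded sequences are seen as the server would see them;
    # normalise backslashes because IIS treats them as path separators.
    decoded = unquote(unquote(raw)).replace("\\", "/")
    if RAW_PATTERNS.search(raw) or "../" in decoded:
        return "traversal"
    if len(raw) >= LONG_REQUEST:
        return "overflow-probe"
    return None


def review_log(text):
    """List (client ip, finding, truncated uri) for every suspicious request."""
    findings = []
    for row in parse_w3c(text):
        tag = classify(row)
        if tag:
            findings.append((row.get("c-ip"), tag, row.get("cs-uri-stem", "")[:60]))
    return findings


if __name__ == "__main__":
    for ip, tag, uri in review_log(SAMPLE_LOG):
        print(f"{ip:15} {tag:15} {uri}")
```

Requests are checked for traversal before length, so a long traversal attempt is reported as traversal. A 404 on these lines (as in the sample) means the request failed on this server; the same pattern answered with a 200 is the case that warrants the forensic steps described later in the talk.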

Emerging Threats

• P2P Software
  – Often used for illegal exchange of copyrighted material
  – Quickly becoming a channel for dissemination of malicious code
• IM Software
  – IRC channels quickly replacing P2P for copyrighted material
  – Provide another means of transferring malicious code
• Terminal Services and Remote Desktop (RDP)
  – Local Administrator account doesn’t lock out interactively
  – Connection IP address is logged as the loopback address

Patching

• Antivirus Software
  – I know it’s not a “patch” but AV needs to be treated as a completing component of any Microsoft OS based PC
  – “Patches” in this case refers to virus definitions
  – The COE maintains antivirus definitions on a single server, which are disseminated to clients within minutes of update
• Keeping up with patches has become critical
  – Patches are sometimes released at the rate of more than one per week
  – Most are necessary to maintain adequate security on workstations and servers
  – Keeping up with security patches can easily eat into time otherwise spent doing more useful tasks

Patching

• Process is more manageable with automation tools
  – COE currently runs a Software Update Services (SUS) Server
  – SMS
  – Third Party Applications (Service Pack Manager)
• Verify patch installation by scanning with MBSA and third party vulnerability testers

Configuration

• Group Policies = Consistent Security Settings
  – We began using System Policy with custom templates in 1998 to provide consistent security settings in NT Domains
  – Currently use group policy extensively in administrative Domain and labs
• IIS Lockdown Tool
  – Includes URLScan
  – Greatly eases security configuration of IIS
• Microsoft Security Checklists

Filtering

• Some protocols are simply too insecure to allow outside of trusted IP spaces
  – NetBIOS, SQL, SNMP, and arguably RDP
• Web server only allows http & https ports to the Internet, inbound and outbound
• SQL server does not communicate at all with the Internet, inbound or outbound
• NetBIOS, LDAP, GC, ICMP not exposed to the Internet in or out
• Many COE labs allow no inbound and very limited outbound
• Our preference is to use both firewall appliances and software based firewalls
• Decent filtering capabilities are built into Windows 2000 and higher through IPSec
  – Very granular rule sets for specific machines, or groups of machines, can be achieved via Group Policy assignments
• Systems can still be accessed via VPN
  – Better solution anyway because it provides authentication, integrity, and privacy for any underlying protocols such as POP3, Telnet, etc.

Microsoft’s IPSec as a Filter

• For most of 2002 we’ve endured almost constant dictionary attacks
  – Most of the time they hit slow enough to not lock out accounts
  – Several times they hit so hard as to create a virtual DoS attack
• Took advantage of known enumeration vulnerabilities
  – All communications to servers and systems were completely unrestricted to the Internet
  – Used NetBIOS as the primary means to enumerate accounts and attack systems
    • No source IP is recorded in the Windows 2000 event log
  – In some cases it appears as though they also used the exposed LDAP ports, introduced with Windows 2000 DCs, to enumerate accounts

(Diagram: network layout. All internal traffic flows unrestricted; a Modem Bank and VPN clients connect through the Internet; at the IPSEC rules boundary all NetBIOS, LDAP and ICMP packets are ignored.)

Our Reaction

• Implemented IPSec as a stateless filter for Domain and most labs
  – Capability built right into Windows 2000/XP
    • Not originally designed for this purpose, but with defaults turned off it does work as a “poor man’s” port filter
    • NO COST & LITTLE SOFTWARE OVERHEAD WHEN USED AS A FILTER
  – We were able to develop a single set of rules that could quickly be implemented for a single PC up to an entire domain
• Can be modified to react to emergent security threats such as a new worm
  – Slammer
  – The rule is portable
    • Easily implemented in most labs
  – Rules then tightened even further
  – The Rule
    • Blocked ALL NetBIOS ports, GC, and LDAP ports for IP addresses outside the University to stop enumeration and capability to attack
    • Blocked ICMP for IP addresses outside the University to stop rudimentary OS fingerprinting based on ping sweeps
  – Subsequently blocked UDP port 1434 to thwart SQL Slammer
• Activated VPN for those coming in from outside ISPs
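The Filtering and Our Reaction slides describe the same rule from two angles: inside the trusted address space everything flows, while NetBIOS, LDAP, Global Catalog and ICMP (and later UDP 1434) are dropped whenever the other end is outside the University. The block below is an added example (not the College’s rule set and not IPSec configuration) that models that stateless decision in Python so the behaviour can be checked against sample packets. The trusted range 10.0.0.0/8, the external addresses and the concrete port list are assumptions; the ports are the well-known NetBIOS/SMB (135, 137–139, 445), LDAP (389, 636), Global Catalog (3268, 3269) and SQL browser (UDP 1434) numbers.

```python
"""Stateless port filter modelled on the IPSec rule described in the talk.
Added example; trusted range, sample addresses and port list are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed "University" address space (constructed for this example).
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

# Ports the rule ignores when either endpoint is outside the trusted space.
BLOCKED_TCP = {135, 137, 138, 139, 445, 389, 636, 3268, 3269}
BLOCKED_UDP = {135, 137, 138, 139, 445, 389, 1434}   # 1434 added for SQL Slammer


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port; unused for icmp


def is_trusted(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def decide(pkt: Packet) -> str:
    """Return 'permit' or 'block'. Stateless: each packet is judged on its own."""
    if is_trusted(pkt.src) and is_trusted(pkt.dst):
        return "permit"            # all internal traffic flows unrestricted
    if pkt.proto == "icmp":
        return "block"             # denies ping-sweep style OS fingerprinting
    if pkt.proto == "tcp" and pkt.dport in BLOCKED_TCP:
        return "block"             # NetBIOS/SMB, LDAP and GC never cross the edge
    if pkt.proto == "udp" and pkt.dport in BLOCKED_UDP:
        return "block"
    return "permit"                # everything else is left to host/app security


def filter_packets(packets):
    """Apply the rule to a batch; returns (packet, verdict) pairs."""
    return [(p, decide(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic: external hosts use documentation ranges.
    sample = [
        Packet("203.0.113.5", "10.1.2.3", "tcp", 445),    # SMB from outside
        Packet("203.0.113.5", "10.1.2.3", "tcp", 80),     # web from outside
        Packet("10.1.2.3", "10.1.2.4", "tcp", 445),       # SMB inside the domain
        Packet("203.0.113.5", "10.1.2.3", "icmp"),        # ping from outside
        Packet("198.51.100.9", "10.1.2.3", "udp", 1434),  # Slammer probe
        Packet("10.1.2.3", "198.51.100.9", "tcp", 389),   # LDAP outbound
    ]
    for pkt, verdict in filter_packets(sample):
        print(f"{verdict:6} {pkt.proto:4} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}")
```

Because the check is purely on addresses and ports, a VPN client that lands inside the trusted range passes the same as a lab workstation, which is the property the talk relies on when it says systems remain reachable via VPN. The cost of that simplicity is that nothing here tracks connection state, so the rule cannot distinguish a reply from a new inbound request; the talk’s own description of it as a “poor man’s” port filter reflects that.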

(Chart: Dictionary Attack Activity During Implementation of IPSec rules. Horizontal axis: days 1 through 41; vertical axis: events, 0 to 8000; one series, S1.)

And, A Very Desirable Side Effect

Personal Firewall Software

• Stateless filtering capabilities built into OS
  – Desktop firewall
• Third Party Products
  – Provide highly configurable filtering, IDS, and file system protection
  – BlackICE
  – Tiny Personal Firewall
    • FREE for home use
  – ZoneAlarm

Security Policy

• Want to have basic security on all systems
  – Elite hackers prefer these targets because they’re less likely to be watched closely and more likely to be improperly configured
• College is finalizing a written security policy that will provide consistent minimal security for all systems
• Policy Goals
  – Easily Understood
  – Clearly Communicated
  – FOLLOWED
  – ENFORCED

Education

• Periodically hold workshops on Windows security
• Hold technical support roundtables monthly to cover security issues among other technical topics
• Use internal mailing list to disseminate security alerts and information
• Specific vulnerability reports are sent directly to those responsible for the systems involved
• Other resources
  – Software checklist
  – Security checklist
  – Recommended security settings
  – Group Policy templates
  – Local Security templates

Detection

• Proactive College & University Scans
• Intrusion Detection Systems
  – University is experimenting with SNORT
  – Desktop Firewall Software
• Servers run Personal Firewall software to record all connections to aid in identification of malicious activity
  – Daily review of security logs on all servers looking for patterns of failed logons, account lockouts, and logons with administrative level accounts
• Group Policy is used to enforce event logging on all systems
• All logs are offloaded from the servers several times a day to a SQL server
• Currently changing configuration to trap events to a Syslog server and then to the SQL server
• A front end database application is used to expedite the search for patterns associated with a possibly compromised privileged account or an attempted break-in
• New firewalls undergoing deployment should offer additional IDS capabilities
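The daily log review described above looks for three patterns: runs of failed logons, account lockouts, and logons with administrative accounts. The following is an added example (not the College’s front end application) that applies those checks to constructed Windows 2000 style security events. It uses the classic event IDs (529 failed logon, 644 account locked out, 528 and 540 successful logon) and, because the talk notes that no source IP is recorded in the Windows 2000 event log, it groups only by account and by the client-supplied workstation name. The sliding window count is what catches the slow dictionary runs the talk mentions, the ones that never trip the lockout threshold; the window length, failure threshold and administrative watch list are assumptions.

```python
"""Daily security-log review in the style of the talk's Detection slide.
Added example; events, thresholds and the admin watch list are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 529             # logon failure: unknown user name or bad password
ACCOUNT_LOCKED_OUT = 644       # user account locked out
SUCCESSFUL_LOGON = {528, 540}  # interactive / network logon succeeded
ADMIN_ACCOUNTS = {"administrator", "coe-admin"}   # constructed watch list

_T0 = datetime(2003, 10, 15)   # constructed base time for the sample


def _at(hours):
    return _T0 + timedelta(hours=hours)


# (time, event id, account, workstation). There is no source IP field in the
# Windows 2000 security log; the workstation name is supplied by the client
# and an attacker can set it to anything, so it is recorded but not trusted.
SAMPLE_EVENTS = [
    # slow dictionary run against jdoe: one guess every three hours, so the
    # account lockout threshold is never reached
    *[(_at(h), FAILED_LOGON, "jdoe", "ATTACKER-PC") for h in (0, 3, 6, 9, 12, 15, 18)],
    (_at(1), FAILED_LOGON, "asmith", "WS-LAB02"),      # ordinary typo
    (_at(2), FAILED_LOGON, "asmith", "WS-LAB02"),
    (_at(4), ACCOUNT_LOCKED_OUT, "bjones", "WS-LAB03"),
    (_at(5), 528, "Administrator", "WS-LAB07"),         # admin logon at a lab PC
    (_at(20), 540, "jdoe", "WS-LAB01"),                 # normal user, not flagged
]


def max_in_window(times, window):
    """Largest number of timestamps falling inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def review(events, window=timedelta(hours=24), failure_threshold=5):
    """Return the three pattern groups the daily review looks for."""
    findings = {"dictionary_suspects": {}, "lockouts": [], "admin_logons": []}
    failures = defaultdict(list)
    for ts, eid, account, workstation in events:
        acct = account.lower()
        if eid == FAILED_LOGON:
            failures[acct].append(ts)
        elif eid == ACCOUNT_LOCKED_OUT:
            findings["lockouts"].append((ts, acct, workstation))
        elif eid in SUCCESSFUL_LOGON and acct in ADMIN_ACCOUNTS:
            findings["admin_logons"].append((ts, acct, workstation))
    for acct, times in failures.items():
        count = max_in_window(times, window)
        if count >= failure_threshold:
            findings["dictionary_suspects"][acct] = count
    return findings


if __name__ == "__main__":
    for group, items in review(SAMPLE_EVENTS).items():
        print(group, items)
```

Run with the defaults, jdoe is reported with seven failures inside 24 hours even though no lockout event exists for that account; run with a four-hour window the same data produces no suspect, which is exactly why a review that only reacts to lockouts misses a slow attack. Once the events are in the SQL server the talk describes, the same grouping is a single query over account and timestamp.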

Proactive Scanning

• Regular scanning of the network is critical
  – External Tools
    • See the network from a hacker’s perspective
      – ISS (University Security Office uses this)
      – Retina Scanner
      – Port Scanners
        » SuperScan
        » X-Scan
        » Nessus
  – Administrative Level Tools
    • Use the benefits of having root access to examine systems for vulnerabilities
      – Microsoft Baseline Security Analyzer

Cleanup

• Get the system off the wire!
• Gather forensic information if available
  – Determine extent and cause of the compromise
• After information is collected, almost always the recommendation is to rebuild the OS
• Always treat all passwords associated with the system as compromised

Room for Improvement

• Only half of the departments within the College have signed on for automatic updates via the SUS server
  – Only provides critical updates, not recommended updates or patches to Microsoft applications
  – Currently not using Group Policy or SMS to deploy other fixes
• Office installations are updated by technical staff or the user
• Need consistent security settings on all Microsoft systems within the COE
  – Need to rein in workgroups and departments that don’t harden machines and use nonexistent, weak, or common passwords
• Need to expand our filtering to all COE machines for a consistent, secure environment