Security Issues With Microsoft Based PCs
The Pennsylvania State University
College of Engineering
Electronic & Computer Services
Joe Lanager
Systems Analyst
October 16th, 2003
The Scope of the Problem
• More than 2/3 of COE hosts are Microsoft based, or over 2000
  – Still have many legacy (NetBIOS dependent) clients
• Amount and severity of software related security issues remains high
  – E.g., Windows 2000 systems on track for about 60 patches this year
• Increased desire of hackers to hit Microsoft systems
  – Usually taken over for the purposes of becoming a rogue FTP or Warez server
• Universities remain an especially “juicy” target
  – Fat pipes
  – No firewalls
  – Weak security posture
  – Decent platforms with large amounts of combined storage
  – May be used as a staging point for further attacks
• Securing Microsoft systems can be a chore
  – Unnecessary services install by default and are configured to be wide open
  – Some security tweaks require extensive research and registry manipulation
  – OS remains tightly integrated, so securing users for least privilege remains a challenge
Common Attack Vectors
• Self-Propagating Code (Viruses & Worms)
  – Primary threat comes from users with laptops or self-managed systems with no antivirus software, or with software that isn’t keeping up with virus definitions
    • Immutable Law of Security #8
      – An out of date virus scanner is only marginally better than no virus scanner at all
  – Thousands unsuccessfully attempt to get through our mail server
  – Most successful have been fast moving worms that take advantage of vulnerabilities arising from missing patches
    • Slammer, Blaster, Welchia
• Exploits
  – Toolkits test for any known vulnerability
    • NetBIOS, IIS, SQL, etc.
• Social Engineering
  – E.g., Swen claims to be an IE patch
Current Threats
• NetBIOS – The “necessary evil”
  – Necessary to support down level clients
  – Too many security issues to allow outside of trusted IP space
• IIS
  – Exposure is limited because it’s not widely used
  – Installs by default with server
  – Usually see evidence of attempted file traversal and buffer overflows on COE web server and honeypot
• SQL
  – Numerous security issues
  – Concern with protecting possible sensitive data
Emerging Threats
• P2P Software
  – Often used for illegal exchange of copyrighted material
  – Quickly becoming a channel for dissemination of malicious code
• IM Software
  – IRC channels quickly replacing P2P for copyrighted material
  – Provide another means of transferring malicious code
• Terminal Services and Remote Desktop (RDP)
  – Local Administrator account doesn’t lock out interactively
  – Connection IP address is logged as loopback address
Patching
• Antivirus Software
  – I know it’s not a “patch,” but AV needs to be treated as a completing component of any Microsoft OS based PC
  – “Patches” in this case refers to virus definitions
  – The COE maintains antivirus definitions on a single server, which are disseminated to clients within minutes of an update
• Keeping up with patches has become critical
  – Patches are sometimes released at the rate of more than one per week
  – Most are necessary to maintain adequate security on workstations and servers
  – Keeping up with security patches can easily eat into time otherwise spent doing more useful tasks
Patching
• Process is more manageable with automation tools
  – COE currently runs a Software Update Services (SUS) server
  – SMS
  – Third party applications (Service Pack Manager)
• Verify patch installation by scanning with MBSA and third party vulnerability testers
Configuration
• Group Policies = Consistent Security Settings
  – We began using System Policy with custom templates in 1998 to provide consistent security settings in NT domains
  – Currently use Group Policy extensively in administrative domain and labs
• IIS Lockdown Tool
  – Includes URLScan
  – Greatly eases security configuration of IIS
• Microsoft Security Checklists
Filtering
• Some protocols are simply too insecure to allow outside of trusted IP spaces
  – NetBIOS, SQL, SNMP, and arguably RDP
• Web server only allows HTTP & HTTPS ports to the Internet, inbound and outbound
• SQL server does not communicate at all with the Internet, inbound or outbound
• NetBIOS, LDAP, GC, ICMP not exposed to the Internet, in or out
• Many COE labs allow no inbound and very limited outbound
• Our preference is to use both firewall appliances and software based firewalls
• Decent filtering capabilities are built into Windows 2000 and higher through IPSec
  – Very granular rule sets for specific machines, or groups of machines, can be achieved via Group Policy assignments
• Systems can still be accessed via VPN
  – Better solution anyway because it provides authentication, integrity, and privacy for any underlying protocols such as POP3, Telnet, etc.
Microsoft’s IPSec as a Filter
• For most of 2002 we’ve endured almost constant dictionary attacks
  – Most of the time they hit slowly enough not to lock out accounts
  – Several times they hit so hard as to create a virtual DoS attack
• Took advantage of known enumeration vulnerabilities
  – All communications to servers and systems were completely unrestricted to the Internet
  – Used NetBIOS as the primary means to enumerate accounts and attack systems
    • No source IP is recorded in the Windows 2000 event log
  – In some cases it appears as though they also used the exposed LDAP ports, introduced with Windows 2000 DCs, to enumerate accounts
[Network diagram: Internet, VPN client and modem bank connect to the campus network through the IPSEC rules; all internal traffic flows unrestricted; all NetBIOS, LDAP, ICMP packets from outside are ignored]
Our Reaction
• Implemented IPSec as a stateless filter for the domain and most labs
  – Capability built right into Windows 2000/XP
    • Not originally designed for this purpose, but with defaults turned off it does work as a “poor man’s” port filter
    • NO COST & LITTLE SOFTWARE OVERHEAD WHEN USED AS A FILTER
  – We were able to develop a single set of rules that could quickly be implemented for a single PC up to an entire domain
    • Can be modified to react to emergent security threats such as a new worm
      – Slammer
  – The rule is portable
    • Easily implemented in most labs
  – Rules then tightened even further
  – The Rule
    • Blocked ALL NetBIOS ports, GC, and LDAP ports for IP addresses outside the University to stop enumeration and capability to attack
    • Blocked ICMP for IP addresses outside the University to stop rudimentary OS fingerprinting based on ping sweeps
      – Subsequently blocked UDP port 1434 to thwart SQL Slammer
• Activated VPN for those coming in from outside ISPs
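The Filtering slide and “The Rule” above describe the same stateless, address-based port filter from two angles: a portable domain-wide rule (NetBIOS, LDAP, GC, ICMP and UDP 1434 dropped for addresses outside the University, everything internal unrestricted) plus tighter per-role variants for the web server and the SQL server. The following Python model is an added example, not the deck’s own IPSec policy or any Penn State configuration; it assumes a placeholder trusted address space (10.0.0.0/8 and 172.16.0.0/12) and the standard port numbers for the services the deck names, and the sample packets are constructed.

```python
"""Model of the 'poor man's port filter' described in the deck (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: the trusted ("University") address space. Placeholder ranges; the
# deck does not give the real allocation.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12")]

# Standard port numbers for the services the deck names (the deck itself only
# names the services). 445 is direct-host SMB, normally grouped with NetBIOS.
NETBIOS_PORTS = {137, 138, 139, 445}
LDAP_PORTS = {389, 636}
GC_PORTS = {3268, 3269}
SLAMMER_PORT = 1434        # UDP: SQL Server resolution service, used by Slammer
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def internal(pkt: Packet) -> bool:
    """Both ends inside the University: the deck leaves this unrestricted."""
    return is_trusted(pkt.src) and is_trusted(pkt.dst)


def domain_rule(pkt: Packet) -> Tuple[str, str]:
    """The portable rule rolled out to the domain and most labs.
    Stateless: it looks at each packet alone, so both sport and dport are checked
    (replies from a blocked service would otherwise slip through)."""
    if internal(pkt):
        return "permit", "internal traffic flows unrestricted"
    ports = {pkt.sport, pkt.dport}
    if pkt.proto == "icmp":
        return "block", "ICMP to/from outside the University (ping-sweep fingerprinting)"
    if ports & NETBIOS_PORTS:
        return "block", "NetBIOS to/from outside the University (account enumeration)"
    if ports & (LDAP_PORTS | GC_PORTS):
        return "block", "LDAP/GC to/from outside the University (account enumeration)"
    if pkt.proto == "udp" and SLAMMER_PORT in ports:
        return "block", "UDP 1434 (SQL Slammer)"
    return "permit", "no rule matched; stateless filter passes it"


def web_server_rule(pkt: Packet) -> Tuple[str, str]:
    """Web server: only HTTP/HTTPS is exchanged with the Internet, in or out.
    Caveat of a stateless filter: matching sport 80/443 so that replies pass also
    means an outside packet forged with source port 80 is accepted."""
    if internal(pkt):
        return "permit", "internal traffic flows unrestricted"
    if pkt.proto == "tcp" and ({pkt.sport, pkt.dport} & WEB_PORTS):
        return "permit", "HTTP/HTTPS is the only traffic allowed to the Internet"
    return "block", "web server exposes nothing else to the Internet"


def sql_server_rule(pkt: Packet) -> Tuple[str, str]:
    """SQL server: no communication with the Internet at all, in or out."""
    if internal(pkt):
        return "permit", "internal traffic flows unrestricted"
    return "block", "SQL server never talks to the Internet"


RULES: Dict[str, Callable[[Packet], Tuple[str, str]]] = {
    "domain": domain_rule, "webserver": web_server_rule, "sqlserver": sql_server_rule,
}


def filter_packet(pkt: Packet, role: str = "domain") -> str:
    return RULES[role](pkt)[0]


def filter_all(packets: List[Packet], role: str = "domain") -> List[str]:
    return [filter_packet(p, role) for p in packets]


# Constructed sample traffic (198.51.100.0/24 is a documentation range, used
# here as "the Internet").
SAMPLE = [
    Packet("198.51.100.7", "10.1.2.3", "tcp", 51000, 139),    # NetBIOS from outside
    Packet("10.1.1.1", "10.1.2.3", "tcp", 51000, 139),        # NetBIOS inside campus
    Packet("198.51.100.7", "10.1.2.3", "udp", 1434, 1434),    # Slammer probe
    Packet("198.51.100.7", "10.1.2.3", "icmp"),               # ping sweep
    Packet("198.51.100.7", "10.1.2.3", "tcp", 51000, 80),     # ordinary web request
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.proto, p.src, "->", p.dst, p.dport, *domain_rule(p))
```

Running the block prints the verdict and reason for each sample packet under the domain rule; `filter_packet(pkt, "webserver")` and `filter_packet(pkt, "sqlserver")` give the tighter per-role verdicts. The comments in `domain_rule` and `web_server_rule` spell out why the deck calls this a “poor man’s” filter: without state, replies have to be allowed by port number, which is exactly the gap a real firewall appliance closes.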
[Chart: Dictionary Attack Activity During Implementation of IPSec rules; x-axis: observation periods 1 through 41, y-axis: 0 to 8000 events]
Personal Firewall Software
• Stateless filtering capabilities built into OS
  – Desktop firewall
• Third Party Products
  – Provide highly configurable filtering, IDS, and file system protection
  – BlackICE
  – Tiny Personal Firewall
    • FREE for home use
  – ZoneAlarm
Security Policy
• Want to have basic security on all systems
  – Elite hackers prefer these targets because they’re less likely to be watched closely and more likely to be improperly configured
• College is finalizing a written security policy that will provide consistent minimal security for all systems
• Policy Goals
  – Easily understood
  – Clearly communicated
  – FOLLOWED
  – ENFORCED
Education
• Periodically hold workshops on Windows security
• Hold technical support roundtables monthly to cover security issues among other technical topics
• Use internal mailing list to disseminate security alerts and information
• Specific vulnerability reports are sent directly to those responsible for the systems involved
• Other resources
  – Software checklist
  – Security checklist
  – Recommended security settings
  – Group Policy templates
  – Local Security templates
Detection
• Proactive College & University scans
• Intrusion Detection Systems
  – University is experimenting with SNORT
  – Desktop firewall software
• Servers run personal firewall software to record all connections to aid in identification of malicious activity
  – Daily review of security logs on all servers looking for patterns of failed logons, account lockouts, and logons with administrative level accounts
• Group Policy is used to enforce event logging on all systems
• All logs are offloaded from the servers several times a day to a SQL server
• Currently changing configuration to trap events to a Syslog server and then to the SQL server
• Front end database application is used to expedite the search for patterns associated with a possibly compromised privileged account or attempted break-in
• New firewalls undergoing deployment should offer additional IDS capabilities
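The daily log review above looks for three patterns: failed logons, account lockouts, and logons with administrative accounts. The earlier IPSec slide adds the wrinkle that the 2002 dictionary attacks mostly hit slowly enough not to lock anyone out, and that Windows 2000 records a workstation name rather than a source IP for NetBIOS logons. The following Python is an added example of that review run over constructed sample rows, not the COE’s front end database application; it assumes a simple comma-separated export (time, server, event ID, account, workstation), the standard Windows 2000 security event IDs 528/540 (successful logon), 529 (logon failure) and 644 (account locked out), a placeholder set of administrative accounts, and made-up thresholds.

```python
"""Daily security-log review for the three patterns the deck names (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

# Windows 2000 security event IDs (standard values; assumption that the review
# keys on exactly these).
SUCCESSFUL_LOGON = 528
NETWORK_LOGON = 540
LOGON_FAILURE = 529
ACCOUNT_LOCKOUT = 644

# Assumption: accounts the site treats as administrative level (placeholders).
ADMIN_ACCOUNTS = {"Administrator", "coe-admin"}

# Assumed thresholds; the deck gives none. A "low and slow" dictionary attack keeps
# every account under LOCKOUT_THRESHOLD, so the review aggregates failures by the
# originating workstation instead of by account.
LOCKOUT_THRESHOLD = 5
SWEEP_MIN_FAILURES = 8
SWEEP_MIN_ACCOUNTS = 4
WINDOW = timedelta(hours=1)


class Event(NamedTuple):
    when: datetime
    server: str
    event_id: int
    account: str
    workstation: str   # NetBIOS logons record a workstation name, not a source IP


def parse(text: str) -> List[Event]:
    """Parse the assumed export format; '#' lines are comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, server, eid, account, wkstn = [f.strip() for f in line.split(",")]
        events.append(Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                            server, int(eid), account, wkstn))
    return sorted(events, key=lambda e: e.when)


def password_sweeps(events: List[Event]) -> Dict[str, Set[str]]:
    """Workstations whose failed logons inside one WINDOW touch many distinct
    accounts, even though no single account reaches the lockout threshold."""
    by_wkstn: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.event_id == LOGON_FAILURE:
            by_wkstn[e.workstation].append(e)
    hits: Dict[str, Set[str]] = {}
    for wkstn, fails in by_wkstn.items():
        for i, start in enumerate(fails):            # sliding window, time-sorted
            window = [f for f in fails if start.when <= f.when <= start.when + WINDOW]
            accounts = {f.account for f in window}
            if len(window) >= SWEEP_MIN_FAILURES and len(accounts) >= SWEEP_MIN_ACCOUNTS:
                hits[wkstn] = accounts
                break
    return hits


def lockouts(events: List[Event]) -> List[str]:
    return [e.account for e in events if e.event_id == ACCOUNT_LOCKOUT]


def admin_logons(events: List[Event]) -> List[Event]:
    """Every successful interactive or network logon by an administrative account,
    with the workstation it came from, for the reviewer to eyeball."""
    return [e for e in events
            if e.event_id in (SUCCESSFUL_LOGON, NETWORK_LOGON) and e.account in ADMIN_ACCOUNTS]


def daily_review(text: str) -> dict:
    events = parse(text)
    return {"sweeps": password_sweeps(events),
            "lockouts": lockouts(events),
            "admin_logons": admin_logons(events)}


# Constructed sample export: eight failures from one workstation across five
# accounts in half an hour (max two per account, well under lockout), one user
# who locked himself out, and two administrative logons.
SAMPLE_LOG = """
# time, server, event id, account, workstation
2003-10-14 02:01:10,COE-DC1,529,asmith,SCAN-BOX
2003-10-14 02:04:32,COE-DC1,529,bjones,SCAN-BOX
2003-10-14 02:08:51,COE-DC1,529,asmith,SCAN-BOX
2003-10-14 02:12:07,COE-DC1,529,cwu,SCAN-BOX
2003-10-14 02:16:44,COE-DC1,529,dlee,SCAN-BOX
2003-10-14 02:21:19,COE-DC1,529,bjones,SCAN-BOX
2003-10-14 02:25:58,COE-DC1,529,ekim,SCAN-BOX
2003-10-14 02:30:03,COE-DC1,529,cwu,SCAN-BOX
2003-10-14 02:33:40,COE-DC1,528,Administrator,LAB-14
2003-10-14 08:15:22,COE-DC1,529,pgarcia,ENG-LAB-07
2003-10-14 08:15:40,COE-DC1,529,pgarcia,ENG-LAB-07
2003-10-14 08:16:01,COE-DC1,644,pgarcia,ENG-LAB-07
2003-10-14 08:17:30,COE-DC1,528,pgarcia,ENG-LAB-07
2003-10-14 09:02:11,COE-WEB1,540,coe-admin,ADMIN-WS
"""

if __name__ == "__main__":
    report = daily_review(SAMPLE_LOG)
    for wkstn, accounts in report["sweeps"].items():
        print("possible dictionary attack from", wkstn, "against", sorted(accounts))
    print("lockouts:", report["lockouts"])
    for e in report["admin_logons"]:
        print("admin logon:", e.account, "from", e.workstation, "at", e.when)
```

The per-workstation aggregation is the point: on the sample rows no account is failed more than twice, so a lockout-based alert stays silent, while grouping by the workstation name that the Windows 2000 log does record surfaces the sweep. An administrator logon at 02:33 from a lab machine right after the sweep is the kind of row the deck’s reviewer would want to see next to it.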
Proactive Scanning
• Regular scanning of network is critical
  – External Tools
    • See network from hacker’s perspective
      – ISS (University Security Office uses this)
      – Retina Scanner
      – Port Scanners
        » SuperScan
      – X-Scan
      – Nessus
  – Administrative Level Tools
    • Use benefits of having root access to examine systems for vulnerabilities
      – Microsoft Baseline Security Analyzer
Cleanup
• Get the system off the wire!
• Gather forensic information if available
  – Determine extent and cause of the compromise
• After information is collected, almost always the recommendation is to rebuild the OS
• Always treat all passwords associated with the system as compromised
Room for Improvement
• Only half of the departments within the College have signed on for automatic updates via SUS server
  – Only provides critical updates, not recommended updates or patches to Microsoft applications
  – Currently not using Group Policy or SMS to deploy other fixes
    • Office installations are updated by technical staff or user
• Need consistent security settings on all Microsoft systems within the COE
  – Need to rein in workgroups and departments that don’t harden machines and use nonexistent, weak, or common passwords
• Need to expand our filtering to all COE machines for a consistent, secure environment