IN THIS CHAPTER
In earlier years, Microsoft products earned a reputation for poor security. Windows NT introduced a breakthrough in security for the Microsoft platform. Microsoft made great strides toward securing its platform with the introduction of Windows 2000, which Microsoft released in 2000. Windows 2000 ushered in even greater security with services such as Active Directory, Public Key Infrastructure (PKI), and Kerberos. Microsoft continued to improve the platform security with the release of Windows XP in 2001. Windows XP includes additional security capabilities and fixes in addition to all the Windows 2000 security features. Because the Windows 2000 and Windows XP operating systems offer the benefits of greater security and control, it would be in the best interest of your company to select at minimum Windows 2000 as your standard operating system. Microsoft officials have made their message clear: They have no intention of rewriting the security controls on Microsoft Windows for Workgroups, 95, 98, or Me.
Knowing this, I briefly discuss Windows 9x and Windows Me. To that end, this chapter begins with the minimum information necessary to break a non-Windows NT box.
Windows 9x and Windows Me were never meant to have robust security features, and to be honest, never offered much more security than the original DOS operating system. Both Windows 9x and Windows Me use the FAT file system, which does not offer any file level security. Also, both rely on the PWL password file scheme, which is not secured and easily accessed. PWL files are generated when you create your password. By default, PWL files are housed in the directory C:\WINDOWS. However, you might want to check the SYSTEM.INI file for other locations. (SYSTEM.INI is where the PWL path is specified.)
The PWL password scheme is not secure and can be defeated simply by deleting the files.
If the cracker wants to avoid leaving evidence of his intrusion, he probably won’t delete the PWL files. Instead, he will reboot, interrupt the load to Windows (by pressing F5 or F8), and edit the SYSTEM.INI file. There, he will change the pointer from the default location (C:\WINDOWS) to a temporary directory. In that temporary directory, he will insert another PWL file to which he already knows the password. He will then reboot again and log in. After he has done his work, he will re-edit the SYSTEM.INI, putting things back to normal.
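The redirection described above leaves a trace in SYSTEM.INI itself while it is in place: every entry under [Password Lists] should point into the Windows directory and name the user's own PWL file. The following Python check is an added example, not from the chapter; it parses that section and flags entries whose path lies elsewhere or whose file name does not match the user. The SYSTEM.INI text it reads is constructed.

```python
"""Audit the [Password Lists] section of a Windows 9x/Me SYSTEM.INI.

Added example (not from the chapter). Flags PWL entries that have been
redirected away from the expected Windows directory, or that name a PWL
file that does not match the user, which is what the SYSTEM.INI-editing
trick leaves behind while it is in place.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample: two normal entries, one redirected to a temp
# directory, and one pointing at a PWL file with a foreign name.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe

[Password Lists]
ALICE=C:\\WINDOWS\\ALICE.PWL
*Shares=C:\\WINDOWS\\SHARE000.PWL
BOB=C:\\TEMP\\BOB.PWL
CAROL=C:\\WINDOWS\\EVIL.PWL
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_password_lists(ini_text: str) -> Dict[str, str]:
    """Return {entry_name: pwl_path} from the [Password Lists] section."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        match = SECTION_RE.match(line)
        if match:
            in_section = match.group(1).strip().lower() == "password lists"
            continue
        if in_section and "=" in line:
            name, path = line.split("=", 1)
            entries[name.strip()] = path.strip()
    return entries


def _norm(path: str) -> str:
    """Normalise a DOS path so case and slash style do not matter."""
    return ntpath.normcase(ntpath.normpath(path))


def audit_password_lists(entries: Dict[str, str],
                         windows_dir: str = "C:\\WINDOWS") -> List[Tuple[str, str]]:
    """Return (entry_name, reason) for entries that look tampered with."""
    expected_dir = _norm(windows_dir)
    findings: List[Tuple[str, str]] = []
    for name, path in entries.items():
        if _norm(ntpath.dirname(path)) != expected_dir:
            findings.append((name, "PWL path is outside the Windows directory"))
            continue
        # Entries such as *Shares legitimately use generated file names;
        # a user entry, however, should point at <USER>.PWL.
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if not name.startswith("*") and stem.lower() != name.lower():
            findings.append((name, "PWL file name does not match the user"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_password_lists(parse_password_lists(SAMPLE_SYSTEM_INI)):
        print(f"{name}: {reason}")
```

Pass the windows_dir argument if SYSTEM.INI legitimately keeps PWL files elsewhere on a given box; the comparison ignores case and slash direction.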
In more complex cracking schemes, the attacker might actually need the password (for example, when the cracker is using a local Windows 95 box to authenticate to and crack a remote Windows NT 4.0 server). In such environments, the cracker has two choices: He can either crack the 95 PWL password file or flush the password out of cached memory while the target is still logged in. Both techniques are briefly discussed here.
Cracking standard PWL files generated on the average Windows 95 box is easy. For this, you need a utility called Glide.
Glide cracks PWL files. It comes with source code for those interested in examining it. To use Glide, enter the filename (PWL) and the username associated with it. Glide is quite effective and can be found online at the following location:
http://morehouse.org/hin/blckcrwl/hack/glide.zip
To make your PWL passwords secure, you should install third-party access control software. However, if you are forced to rely on PWL password protection, you can still better your chances. Glide will not crack PWL password files that were generated on any box with Windows 95 Service Pack 1 or later installed. You should install, at a minimum, the latest service packs.
Two different functions are used in the PWL system: one to encrypt and store the password and another to retrieve it. Those routines are as follows:
WNetCachePassword()
WNetGetCachedPassword()
The password remains cached. You can write a routine in Visual C++ or Visual Basic (VB) that will get another user’s password; the only restriction is that the targeted user must be logged in when the program is executed (so the password can be trapped). The password can then be cached out to another area of memory. Having accomplished this, you can bypass the password security scheme by using that cached version of the password. (This technique is called cache flushing. It relies on the same principle as using a debugger to expose authentication schemes in client software.)
You can also force the cached password into the swap file. However, this is a cumbersome and wasteful method; there are other, easier ways to do it.
One method is to hammer the password database with multiple entries at high speed. You can use a utility such as Claymore for this, which you can download at http://www.system7.org/archive/Passwd-Cracking/windows.html. You fill the available password space by using this technique. This causes an overflow, and the routine then discards older passwords. However, this technique leaves ample evidence behind.
Either way, the PWL system is inherently flawed and provides very little protection against intrusion. If you are using Windows 9x or Windows Me, you need to install third-party access control. This chapter provides a list of such products and their manufacturers in the “Access Control Software” section later in this chapter. Not all products have a version for Windows Me. Check with the manufacturers for availability.
Windows 9x and Windows Me were both excellent operating systems for their time. However, neither of them is secure, and with the release of Windows XP replacing them, it is foolish in today’s security threat environment to continue using them. If your firm uses these operating systems at all, the boxes that run them should be hidden behind a firewall. This is especially so with Windows Me because it has received little scrutiny due to it being specifically marketed as only a home user operating system. It might contain many vulnerabilities that have yet to be revealed.
With that settled, let’s examine the Windows NT security features, which were initially introduced with the Windows NT operating system and were further enhanced with the introduction of the Windows 2000 and Windows XP operating systems.
Microsoft might be traditionally known for poor security, but not when it comes to Windows NT 4.0. Out of the box, Windows NT 4.0 has security measures as good as most other server platforms. The catch is that you must keep up with recent developments. Most of the security attacks that have been reported against Windows NT systems could have been prevented if the system had been running the current service pack release. If you have a connection to the Internet, you should consider subscribing to Windows Update so that it will automatically notify you about new service packs/updates.
Before you read any further, ask yourself this: Have I installed Windows NT 4.0 using NT File System (NTFS) and installed the service packs in their proper order? If not, your Windows NT 4.0 system is not secure and the rest of this chapter cannot help you. If you have not installed your system in this manner, go back, reinstall the service packs, and install with NTFS enabled.
One would think that the order in which service packs are installed doesn’t matter. Unfortunately, that is simply not true. There have been documented instances of users installing service packs in disparate order only to encounter trouble later. I recommend keeping a running record of when the packs were installed and any problems you encounter during installation. An important thing to remember when applying service packs is to always back up your system prior to installation.
Windows NT, like most operating systems, has vulnerabilities. Please note that the list of vulnerabilities discussed here is not exhaustive—other vulnerabilities of lesser severity exist.
Windows NT Version: All versions
Class: Critical
Fixes for Windows NT 4.0 Server and NT 4.0 Server, Enterprise Edition can be found at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25487.
As of this writing, no fix exists for Windows NT 4.0 Server, Terminal Server Edition.
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-083.asp. The fix for this vulnerability will be included in Service Pack 7.
Credit: COVERT Labs at PGP Security, Inc., and the ISS X-force
According to http://www.microsoft.com/ntserver/ProductInfo/terminal/default.asp, Microsoft discontinued NT Terminal Server Edition in August 2000, so there is little hope that this problem will be resolved for this platform.
Several protocol parsers in Netmon have unchecked buffers. When an attacker sends a malformed frame to a server that is monitoring network traffic, and if the administrator is using a protocol parser with unchecked buffers, the malformed frame either causes Netmon to fail or causes code of the attacker’s choice to run on the server. If you are running Netmon under a local administrator’s account, the attacker can gain complete control over the server, but not over the domain. However, if you are running Netmon under a domain administrator’s account, the attacker might be able to gain control over the domain as well.
Windows NT Version: All versions
Impact: A local intruder can impersonate your privileges, eavesdrop on your session, or cause your server or workstation to fail.
Class: Critical—denial of service
Fix: http://www.microsoft.com/ntserver/nts/downloads/critical/q266433/default.asp. The fix for this vulnerability will be included in Service Pack 7.
Additional Information: http://www.microsoft.com/technet/security/bulletin/ms00-070.asp
Credit: BindView’s Razor Team
An intruder can only exploit this vulnerability locally. The intruder causes a denial-of-service attack on either a client or server box by sending large packets of random data to it. If the intruder identifies a system process that has an existing Link Control Protocol (LCP) connection with a privileged thread, she can then spoof the client and make requests that she wouldn’t ordinarily be able to perform. The amount of damage she can perform depends on which processes are running in the thread and what they permit her to do. The intruder can also eavesdrop on your session and potentially gather privileged information.
Windows NT Version: All versions
Impact: Default permissions on certain Registry values can allow an attacker to gain additional privileges on a box.
Class: Moderate to severe
Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24501. The Terminal Server Edition doesn’t have a fix at the time of this writing.
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-095.asp
Credit: Chris Anley, Milan Dadok, and Glenn Larsson
The SNMP Parameters key, RAS Administration key, and MTS Package Administration key all have inappropriately loose default permissions. This vulnerability could enable an attacker to manage or configure devices on the network, such as misconfiguring routers and firewalls and starting or stopping services on a machine.
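The loose defaults above are a property of each key's DACL, which you can audit rather than take on faith. The following Python script is an added example, not from the chapter: given the SDDL form of a key's security descriptor (what PowerShell's Get-Acl exposes as its .Sddl property), it flags allow-entries that give Everyone, Users, or similar broad groups any write right. The sample descriptors are constructed; the SNMP Parameters key path is the standard one, and the other two key paths the chapter names are left as placeholders.

```python
"""Flag Registry-key DACL entries that give broad groups write access.

Added example, not from the chapter. Input is the SDDL form of a key's
security descriptor (PowerShell: (Get-Acl 'HKLM:\\...').Sddl). The sample
descriptors below are constructed; only the SNMP Parameters key path is
the standard one, the other two are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Well-known SID abbreviations for broad, low-trust principals.
BROAD_SIDS = {"WD": "Everyone", "BU": "Users", "AU": "Authenticated Users",
              "IU": "Interactive", "AN": "Anonymous"}

# SDDL right tokens that permit changing a key or its security descriptor:
# KA/KW key all/write, GA/GW generic all/write, DC set value, LC create
# subkey, WP create link, SD delete, WD write DAC, WO write owner.
WRITE_TOKENS = {"KA", "KW", "GA", "GW", "DC", "LC", "WP", "SD", "WD", "WO"}
# The same rights as a numeric mask, for ACEs whose rights are written in hex.
KEY_WRITE_MASK = (0x0002 | 0x0004 | 0x0020               # set value, create subkey, create link
                  | 0x00010000 | 0x00040000 | 0x00080000  # DELETE, WRITE_DAC, WRITE_OWNER
                  | 0x10000000 | 0x40000000)             # GENERIC_ALL, GENERIC_WRITE

DACL_RE = re.compile(r"D:[A-Z_]*((?:\([^)]*\))*)")   # "D:" + flags + ACE list
ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed: Everyone has full control and Authenticated Users can set
# values (0x20006 = READ_CONTROL | KEY_CREATE_SUB_KEY | KEY_SET_VALUE).
LOOSE_SDDL = ("O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KA;;;SY)"
              "(A;CI;KA;;;WD)(A;CI;KR;;;BU)(A;CI;0x20006;;;AU)")
# Constructed: the same key after tightening to admin/system write, users read.
TIGHT_SDDL = "O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"

SAMPLE_KEYS = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters": LOOSE_SDDL,
    r"HKLM\<RAS administration key - placeholder>": TIGHT_SDDL,
    r"HKLM\<MTS package administration key - placeholder>": LOOSE_SDDL,
}


def rights_allow_write(rights: str) -> bool:
    """True if an SDDL rights field (token string or hex) includes a write right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & KEY_WRITE_MASK)
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & WRITE_TOKENS)


def find_loose_aces(sddl: str) -> List[Tuple[str, str]]:
    """Return (principal, rights) for allow-ACEs granting write to a broad SID."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    findings: List[Tuple[str, str]] = []
    for ace in ACE_RE.findall(match.group(1)):
        fields = ace.split(";")   # type;flags;rights;object;inherit object;sid
        if len(fields) < 6:
            continue
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        # Only allow-ACEs widen access; deny-ACEs are ignored here.
        if ace_type == "A" and sid in BROAD_SIDS and rights_allow_write(rights):
            findings.append((BROAD_SIDS[sid], rights))
    return findings


def audit_keys(key_sddls: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each key path to its loose ACEs, keeping only keys with findings."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for path, sddl in key_sddls.items():
        found = find_loose_aces(sddl)
        if found:
            result[path] = found
    return result


if __name__ == "__main__":
    for path, found in audit_keys(SAMPLE_KEYS).items():
        print(path)
        for principal, rights in found:
            print(f"  {principal} may write ({rights})")
```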
Windows NT Version: All versions
Class: Critical—denial of service
Fix for Windows NT 4.0 Workstation, Server, and Enterprise Server Edition: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23077. At the time of this writing, there is no fix available for the Terminal Server Edition.
Additional Information: http://www.microsoft.com/technet/security/bulletin/ms00-040.asp
Credit: Renaud Deraison
When an attacker sends a malformed request for remote Registry access, the request can cause the Winlogon process to fail, which in turn can cause the entire system to fail.
Impact: A local user can cause a box to stop responding to network traffic.
Class: Moderate—denial of service
Fix for Windows NT 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27272
Fix for Windows NT 4.0 Terminal Server: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27291
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS01-003.asp
Credit: Arne Vidstrom
Inappropriate permissions assigned to a networking mutex can permit an intruder to run code to gain control of the mutex and then deny access to it. Doing this prevents other processes from being able to perform network operations with the machine.
Windows NT is also vulnerable to a wide range of other things, which might not be absolutely critical but are serious nonetheless. Table 20.1 lists these problems, along with URLs where you can learn more.
Table 20.1. Other Important Windows NT Vulnerabilities
| Vulnerability | Facts and URL |
|---|---|
| Out of Band | Out-of-band (OOB) attacks are denial-of-service attacks with a vengeance. Many platforms are susceptible to OOB attacks, including Windows NT 3.51 and Windows NT 4.0. The fix for Microsoft is available at the following site: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/hotfixes-postSP5/oob-fix/. |
| Port 1031 | If a cracker telnets to port 1031 of your server and issues garbage, this will blow your server off the Net. This exploits a vulnerability in the file |
| NTCrash | A powerful denial-of-service utility called NTCrash can bring a Windows NT server to its knees. Source code is available on the Net at http://packetstorm.decepticons.org/Exploit_Code_Archive/ntcrash.server.dos.zip. Test it and see what happens. |
The majority of this chapter focuses on remote security, in which the attackers are on foreign networks. Unfortunately, foreign networks are not always the source of the attack. Sometimes, your very own users attack your server. That is what the next section is all about.
In general, Windows NT has only fair-to-good local security. This is in contrast to its external security, which I believe is very good (providing you stay current with the latest patches). At a bare minimum, you must use NTFS. If you don’t, there is no point in even hoping to secure your boxes. Here’s why: There are just too many things that local users can do and too many files and services they can use.
Some system administrators argue that they don’t need NTFS. Instead, they argue that between policy and careful administration and control of who accesses their machines, they can maintain a more or less tight ship. They are dreaming.
A perfect example is the RDISK hole. RDISK is a Windows NT utility that allows you to create emergency repair disks. This is a valuable utility for a system administrator. However, when it’s accessible to the wrong person, RDISK is an enormous security hole. Here’s why: A user can instruct RDISK to dump all security information (including passwords and Registry information) into the directory C:\WINNT\REPAIR. From there, an attacker can load a password cracker, and within hours, the box is completely compromised. This is just one more reason you should not walk away from your computer and leave it logged on. Would you like to try it yourself? Issue this command at a prompt: rdisk /s. Then go to the directory C:\WINNT\REPAIR, where you will find the necessary information you need to crack the box.
Achieving good internal security is not an end. There is no list of tools you can install that will permanently secure your box. New holes always crop up. Also, although Microsoft has done wonders to improve the security of Windows NT, pervading user-friendliness in its products continues to hamper efforts at serious security.
An amusing example of this was described by Vacuum from Rhino9 (a prominent hacker group), who made the observation that restricting user access to the Control Panel was a fruitless effort:
If you do not have access to the Control Panel from Start/Settings/Control Panel or from the My Computer Icon, click Start/Help/Index. All of the normally displayed icons appear as help topics. If you click on “Network,” for example, a Windows NT Help Screen appears with a nice little shortcut to the Control Panel Network Settings.
The problem sounds simple and not very threatening. However, the rule holds true for most system resources and even administrative tools. (Microsoft probably won’t change it, either. Its defense would probably be this: It enhances user-friendliness to provide a link to any program discussed in Help.)
At a bare minimum, you should install logging utilities and a sniffer. I also recommend making a comprehensive list of all applications or resources that have no logging. If these applications and resources have no native logging (and also cannot be logged using other applications), I recommend deleting them, placing access restrictions on them, or (at a minimum) removing them from their default locations.
To effectively erect a secure Windows NT server, you must start at installation time. To ascertain whether you should reinstall, you should measure your original installation procedure against typical preparations for a C2 system. To do that, I recommend downloading the “Secure Windows NT Installation and Configuration Guide”, which was authored by the Department of the Navy Space and Naval Warfare Systems Command Naval Information Systems Security Office. That document contains the most comprehensive secure installation procedure currently available in print. It is located at https://infosec.navy.mil/TEXT/COMPUSEC/ntsecure.html.
C2 is an evaluation level in the U.S. government’s Trusted Computer Security Evaluation Criteria (TCSEC) program. TCSEC provides a standard set of criteria for judging the security that computer products provide. TCSEC has also come to be known as the “Orange Book” because the base set of criteria specified by TCSEC is provided in a book with an orange cover.
The Navy guide takes you through configuration of the file system, audit policy, the Registry, the User Manager, user account policy, user rights, trust relationships, system policy, and Control Panel. It also has a blow-by-blow guide that explains the rationale for each step taken. This is invaluable because you can learn Windows NT security on the fly. Even though it spans only 185 pages, the Navy guide is worth 10 or even 100 books like this one. By using that guide, you can guarantee yourself a head start on establishing a reasonably secure server.
Windows NT 4.0 was the first step Microsoft took toward securing your network. Although Windows NT 4.0 and third-party software vendors provide you with many features to secure your Windows NT 4.0 network, Windows 2000 possesses even greater security. If you haven’t yet taken the plunge to upgrade to Windows 2000, you should seriously consider doing so.
Let’s move on now to examine Windows 2000 security.
Windows 2000 has built on the existing Windows security by improving existing capabilities and adding new features. The NTFS file system has been redesigned for better performance, and Active Directory now replaces the Windows NT LAN Manager-style domain architecture. New security capabilities include Kerberos (used in Active Directory for authentication) and IPSec/L2TP (used with the Routing and Remote Access Service for network connections).
As with Windows NT 4.0, it is very important to install Windows 2000 using NTFS. If you don’t install NTFS on your Windows 2000 desktop or server, you will not have a secure installation. Also, NTFS is required to install Active Directory. The focus of this section on Windows 2000 is on improvements to security and on general Windows 2000 security vulnerabilities.
Microsoft paid more attention to security with Windows 2000 and fully integrated security with the Active Directory directory service structure. Microsoft also designed the Windows 2000 platform to be more reliable than previous versions of Windows.
Some of the security features new to Windows 2000 are briefly discussed in the following list:
First and foremost, Windows 2000 introduced Active Directory. It is the core of the flexibility of the Windows 2000 security model and provides information about all objects on the network. It is the basis for Windows 2000 distributed networking and facilitates the use of centralized management techniques, such as Group Policy and remote operating system operations. Active Directory replaced the security accounts manager (SAM) database area of the Registry on domain controllers, storing security information such as user accounts, passwords, and groups. Consequently, Active Directory has become a trusted component of the Local Security Authority (LSA). Active Directory stores both access control information to support authorization to access system resources and user credentials to support authentication within the domain. Windows 2000 Professional and member servers still retain the local SAM database for locally defined users and groups.
Active Directory provides a single point of management for Windows clients, servers, applications, and user accounts. With Active Directory, you can delegate specific administrative tasks and privileges to individual users and groups, thus enabling the distribution of system administration tasks to either localized or centralized administration. For example, you can assign a specific management task, such as resetting a user’s password, to office administrators in specific departments of your organization so that you can free up your time for more complex tasks.
Active Directory includes built-in support for secure Internet-standard protocols such as PKI, Kerberos, and Lightweight Directory Access Protocol (LDAP). Learn more about Active Directory at http://www.microsoft.com/windows2000/guide/server/features/directory.asp.
PKI also lies at the core of many of the security features in Windows 2000. PKI makes use of Microsoft Certificate Services, allowing the deployment of enterprise certificate authorities (CAs) in your enterprise, and is integrated into Active Directory. Active Directory uses the directory service to publish information about certificate services, which includes the location of user certificates and certificate revocation lists. When your organization begins to manage digital certificates, a range of enhanced security features becomes available to you in order to secure such technologies as Digitally Signed Software, the Encrypted File System (EFS), email, IP Security, and Smart Card Security.
The EFS presents your users with the option to encrypt sensitive data on their hard disks, thus ensuring confidentiality should an intruder compromise or steal the disk.
Kerberos is the default authentication protocol on Windows 2000, replacing Windows NT Challenge Response (NTLM) authentication. Kerberos has been around for a number of years, having been developed at the Massachusetts Institute of Technology during the 1980s.
Internet Protocol Security Protocol (IPSec) provides advanced network security for you and your enterprise users.
The Windows 2000 distributed security services include the following key business requirements:
Strong user authorization and authentication
Users log on once to access all enterprise resources
Secure communications between external and internal resources
Automated security auditing
Interoperability with other operating systems
Microsoft bases Windows 2000 security on a simple model of authentication and authorization. After Windows 2000 identifies the user through authentication with a domain controller, the user is granted access to specific network resources based on permissions. This security model enables authorized users to work on a secure, extended network. The Windows 2000 distributed security model is based on delegation of trust between services, trusted domain controller authentication, and object-based access control.
Learn more about Microsoft Windows 2000 distributed security at http://www.microsoft.com/windows2000/techinfo/howitworks/security/distsecservices.asp. Now that we’ve briefly examined some of the new security features in Windows 2000, let’s move on to some potentially harmful vulnerabilities.
Windows 2000, like most operating systems, has vulnerabilities. Please note that the list of vulnerabilities discussed here is not exhaustive. Other vulnerabilities of lesser severity exist.
Microsoft Windows Version: Windows 2000 Professional, Server, and Advanced Server
Impact: An attacker can send a malformed data transfer request and stop or severely affect the performance of the SMTP service.
Fix: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313450. The fix for this vulnerability will be included in Windows 2000 Service Pack 3.
Microsoft Windows Version: Windows 2000 Server and Advanced Server
Impact: A malicious user can install malicious code onto a domain server.
Class: Moderate to severe
Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27500. The fix for this vulnerability will be included in Windows 2000 Service Pack 2.
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS01-006.asp
Credit: John Sherriff of the Wool Research Organization
A malicious user with physical access to and administrative logon privileges on your domain server can install malicious code if the server was promoted to a domain server using the Configure Your Server tool. The only domain server in the forest that can be affected by this vulnerability is the one that was installed first.
Microsoft Windows Version: Windows 2000 Server and Advanced Server
Impact: An attacker can gain control of your server.
Class: Critical
Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25485. The fix for this vulnerability will be included in Windows 2000 Service Pack 2.
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-083.asp
Credit: COVERT Labs at PGP Security, Inc., and the ISS X-force
Refer to the section “General Windows NT Security Vulnerabilities,” for an explanation of this vulnerability. This vulnerability affects both Windows 2000 and Windows NT.
Impact: An attacker can gain complete control over your box.
Class: Severe
Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27526. The fix for this vulnerability will be included in Windows 2000 Service Pack 3.
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS01-007.asp
Credit: DilDog of @Stake, Inc.
This is a privilege elevation vulnerability. An attacker could exploit this vulnerability to take any action he wanted to on your box, because it enables him to run commands and programs with the privileges of the operating system itself.
Microsoft Windows Version: Windows 2000 Server and Advanced Server
Impact: An attacker can execute hostile code on a remote server that is running the Phone Book Service.
Class: Critical
Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25531. The fix for this vulnerability will be included in Windows 2000 Service Pack 2.
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-094.asp
Credit: CORE-SDI and @Stake, Inc.
The Phone Book Service is used with dial-up networking clients to provide a prepopulated list of dial-up networking servers to the client. This service has an unchecked buffer in a portion of the code that does the processing of requests for phone book updates. When an attacker sends a malformed request, it can result in overrunning the buffer. This enables the attacker to execute any code that a user logged in to the server can run. In other words, the attacker can install and run code of his choice; add, delete, or change Web pages; reformat the hard drive; or do any number of other tasks.
Microsoft Windows Version: All Windows 2000 versions
Impact: An attacker could obtain another user’s NTLM authentication credentials without the user’s knowledge.
Class: Moderate to critical
Fix: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-067.asp.
The fix for this vulnerability will be included in Windows 2000 Service Pack 2.
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-067.asp
Credit: DilDog of @Stake, Inc.
If a malicious Webmaster were operating a Telnet server and you initiated a session with that server, the Webmaster could collect your NTLM responses and then use them to possibly authenticate to your box. This is possible because, as part of the session, your box might pass your cryptographically protected NTLM authentication credentials to his server. After he has obtained these credentials, he could then use an offline brute-force attack to gain your plaintext password.
Impact: A remote user can prevent your box from providing Telnet services.
Class: Moderate to severe—denial of service
Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22753
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-050.asp
Credit: Unknown
This is a remote denial-of-service vulnerability. A malicious remote user can send a malformed input string from her box that would then cause the Telnet server to fail, causing the loss of any work in progress.
The Windows XP operating system was released in the fall of 2001 both to replace the Windows 9x/Me operating systems and as an improvement over Windows 2000 Professional. The two main versions of Windows XP are Home and Professional. The XP Home version is meant for home users and does not include all the capabilities of Windows 2000/XP Professional, such as the capability to join a domain. Windows XP Professional is the replacement for Windows 9x/Me and Windows 2000 Professional in a corporate environment and has all the capabilities of Windows 2000 Professional, with the addition of a new user interface and improved system operation and functionality.
Both Windows XP Home and Windows XP Professional offer numerous security improvements over Windows 9x/Me and Windows 2000 Professional.
Windows XP includes the following new security features:
Personalized login: This feature provides the capability for multiple users to have secure user profiles, which prevent other system users from accessing or modifying the user information. This is similar in operation to user accounts on Windows 2000 and does not require a domain. This feature is not available on a Windows XP Professional system after it is joined to a domain. This replaces the Windows 9x/Me user account feature, which was not secured in any way.
User switching: Used in conjunction with the personalized login feature, user switching allows multiple users to be logged on to a computer and to “switch” between user sessions. This feature is not available on a system that is the member of a domain.
Internet Connection Firewall (ICF): This feature provides security for your Internet connection by using active packet filtering. Packet filtering blocks all TCP/IP ports by default and dynamically opens ports as necessary. ICF provides protection from outside users gaining access to your system’s data and services.
The following features are available only with Windows XP Professional:
Blank password restriction: Windows XP provides a remote control feature based on the Terminal Services capability provided in Windows 2000 Server called Remote Desktop. The blank password restriction blocks user accounts with blank passwords from accessing the system using the Remote Desktop feature.
Encrypting File System (EFS): The EFS feature uses public-key encryption to provide an additional layer of security over the basic NTFS file security. EFS can be very valuable for protecting sensitive data for mobile and remote users where physical system security cannot be guaranteed.
Smart card support: Windows XP Professional provides the capability to use Personal Computer/Smart Cards (PC/SC) in conjunction with a smart card reader to control access to the system. This feature is available only for systems that are members of a Windows 2000 Active Directory domain, because the card uses an X.509 certificate to authenticate the card holder with the domain controller.
With the release of Windows XP Home and Professional, Microsoft has continued to add to the security features that were provided originally with Windows NT. Windows XP also provides the capability for home and standalone users to have the benefit of NTFS security and user profile functionality, which is missing from Windows 9x and Me.
In this section, I enumerate security weaknesses in some commonly used Microsoft applications: Microsoft Internet Explorer (Microsoft’s Web browser, also known as MSIE), Microsoft Exchange Server (a mail administration package), and Internet Information Server (IIS) v4.0 and 5.0 (Microsoft’s Web server, previously an add-on with the Windows NT Option Pack and now integrated into Windows 2000).
Microsoft Internet Explorer v4.x and 5.x have several serious vulnerabilities; some of them are covered briefly here. Those vulnerabilities that are classified as either critical or severe can result in system compromise and are therefore of great interest to system administrators. With the release of Internet Explorer v6.0, these vulnerabilities have been addressed, and unless the older versions are required, it is recommended that you consider upgrading to 6.0. Windows XP and the upcoming release of Windows .NET are shipped with Internet Explorer 6.0 already integrated into the operating system (at least at this time—future versions of the OS might ship without a default browser, depending on the current government antitrust action). Although IE 6.0 has corrected the numerous vulnerabilities associated with the earlier releases, it is still recommended that you check the Windows Update site frequently to watch for new vulnerabilities and patches, as IE 6.0 has already had a few vulnerabilities identified.
Impact: Can allow Web pages to read local files
Class: Severe
Fix for MSIE 5.x and 6: http://www.microsoft.com/windows/ie/downloads/critical/q318089/default.asp
Additional Information: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-009.asp
Impact: Malicious Webmasters can download a .CAB file to any disk on your box.
Class: Severe
Fix for MSIE 4.x and 5.01: http://www.microsoft.com/windows/ie/downloads/critical/patch8/default.asp
Fix for MSIE 5.5: http://www.microsoft.com/windows/ie/downloads/critical/patch11/default.asp
Additional Information: http://www.microsoft.com/technet/security/bulletin/ms00-042.asp
Credit: Unknown
A malicious Web site can download a .CAB file to any disk on your box and then use the .CAB file to overwrite files, including system files. This could render your machine inoperable and create a denial of service on your box.
Microsoft Internet Explorer Version: 4.x and 5.x prior to version 5.5
Impact: Malicious intruders can obtain your user ID and password to a Web site.
Class: Moderate to severe
Fix: http://www.microsoft.com/windows/ie/downloads/critical/q273868/default.asp
Additional Information: http://www.microsoft.com/technet/security/bulletin/ms00-076.asp
Credit: ACROS Security
When you use Basic authentication to authenticate to a secured Web page, MSIE caches your user ID and password to minimize the number of times you must authenticate to the same site. Although MSIE should pass your cached credentials only to secured pages on the site, it will also send them to the site’s nonsecured pages. If an attacker has control of your box’s network communications when you log on to a secured site, the attacker can spoof a request for a nonsecured page and then collect your credentials.
Microsoft Internet Explorer Version: 4.01 SP2 and higher, when Microsoft Access 97 or Microsoft Access 2000 is present on the machine
Impact: Permits an attacker to run code of her choice on your box, potentially allowing her to take full control of it.
Class: Extremely severe
Fix: http://www.microsoft.com/windows/ie/downloads/critical/patch11/default.asp or set an Administrator password for Microsoft Access
Additional Information: http://www.microsoft.com/technet/security/bulletin/ms00-049.asp
Credit: Georgi Guninski
This vulnerability enables an attacker to embed malicious VB code into Microsoft Access via Internet Explorer. Simply visiting a malicious Web site or previewing an email that contains malicious code can compromise your box.
Note: MSIE 5.01 Service Pack 1 and MSIE 5.5 are not affected.
Impact: Two flaws exist in MSIE that can allow a malicious Web site to pose as a legitimate Web site. The attacker can trick users into disclosing information (such as credit card numbers or personal data) intended for a legitimate Web site.
Class: Moderate
Fix: http://www.microsoft.com/windows/ie/downloads/critical/patch11/default.asp or upgrade to MSIE 5.5
Additional Information: http://www.microsoft.com/technet/security/bulletin/ms00-039.asp
Credit: ACROS Penetration Team, Slovenia
When a connection to a secure server is made through either a frame or an image on a Web site, MSIE verifies only that the server’s Secure Sockets Layer (SSL) certificate was issued by a trusted root and does not verify either the server name or the expiration date of the certificate. When you make a secure connection via any other means, MSIE performs the expected validation. If a user establishes a new SSL session with the same server during the same MSIE session, MSIE does not revalidate the certificate.
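The three checks the framed-connection path skipped (trusted issuer, server name, validity period), carried out explicitly. This is an added example, not code from the book or from Microsoft; it takes certificate data in the dict layout returned by Python's ssl.SSLSocket.getpeercert(), and the trusted-issuer set and sample certificates are constructed stand-ins for real chain verification.

```python
import ssl
from datetime import datetime, timezone

# Issuer organisation names this example treats as trusted roots (constructed, hypothetical).
# A real client verifies the whole chain; this set stands in for that step.
TRUSTED_ISSUERS = {"Example Trusted Root CA"}


def _name_value(name, key):
    """Return the first value for `key` in a getpeercert()-style name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _match_dns(pattern, hostname):
    """Match a hostname against a certificate DNS name.

    A leading '*' covers exactly one leftmost label; it never matches the
    bare domain or more than one label.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def validate_peer_cert(cert, hostname, now=None, trusted_issuers=TRUSTED_ISSUERS):
    """Return the list of checks the certificate fails (empty means acceptable).

    `cert` uses the dict layout of ssl.SSLSocket.getpeercert(). The checks are
    the three the text describes; the vulnerable MSIE path skipped the last two.
    """
    now = now or datetime.now(timezone.utc)
    problems = []

    issuer = _name_value(cert.get("issuer", ()), "organizationName")
    if issuer not in trusted_issuers:
        problems.append(f"issuer not trusted: {issuer!r}")

    # Prefer subjectAltName DNS entries; fall back to the subject CN.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = _name_value(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    if not any(_match_dns(n, hostname) for n in names):
        problems.append(f"hostname {hostname!r} does not match {names}")

    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form getpeercert() uses.
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        problems.append("certificate not yet valid")
    elif now > not_after:
        problems.append("certificate expired")
    return problems


def _cert(issuer_org, dns_names, not_before, not_after):
    """Build a constructed getpeercert()-style dict for the demonstration."""
    return {
        "issuer": ((("organizationName", issuer_org),),),
        "subject": ((("commonName", dns_names[0]),),),
        "subjectAltName": tuple(("DNS", n) for n in dns_names),
        "notBefore": not_before,
        "notAfter": not_after,
    }


# Constructed sample certificates and a fixed "current time" so results are repeatable.
NOW = datetime(2002, 6, 1, tzinfo=timezone.utc)
GOOD_CERT = _cert("Example Trusted Root CA", ["www.example.com"],
                  "Jan 01 00:00:00 2001 GMT", "Jan 01 00:00:00 2003 GMT")
EXPIRED_CERT = _cert("Example Trusted Root CA", ["www.example.com"],
                     "Jan 01 00:00:00 2001 GMT", "Jan 01 00:00:00 2002 GMT")
WILDCARD_CERT = _cert("Example Trusted Root CA", ["*.example.com"],
                      "Jan 01 00:00:00 2001 GMT", "Jan 01 00:00:00 2003 GMT")
UNTRUSTED_CERT = _cert("Some Other CA", ["www.example.com"],
                       "Jan 01 00:00:00 2001 GMT", "Jan 01 00:00:00 2003 GMT")

if __name__ == "__main__":
    for label, cert, host in [("good", GOOD_CERT, "www.example.com"),
                              ("expired", EXPIRED_CERT, "www.example.com"),
                              ("wrong host", GOOD_CERT, "shop.example.net"),
                              ("untrusted", UNTRUSTED_CERT, "www.example.com")]:
        print(f"{label:11s} -> {validate_peer_cert(cert, host, NOW) or 'OK'}")
```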
Note: MSIE 5.01 Service Pack 1 and MSIE 5.5 are not affected.
Impact: This vulnerability can allow a malicious Webmaster to obtain personal information from a user’s box.
Class: Moderate
Fix: http://www.microsoft.com/windows/ie/downloads/critical/patch11/default.asp
Additional Information: http://www.microsoft.com/technet/security/bulletin/FQ00-033.asp#B
Credit: Unknown
A malicious Web site operator could entice a user to click a link on the operator’s site that would allow the operator to read, change, or add a cookie to that user’s box.
The following sections list important vulnerabilities in Microsoft Exchange Server 2000 and Exchange Server 5.x.
Impact: Intruder can perform mail relaying.
Class: Moderate—denial of service
Fix: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/imc-fix/
Additional Information: http://www.microsoft.com/technet/security/bulletin/fq99-027.asp
Credit: Laurent Frinking of Quark Deutschland GmbH
This vulnerability could enable an intruder to get around the antirelaying features of an Internet-connected Exchange server. Because encapsulated Simple Mail Transfer Protocol (SMTP) addresses are not subject to the same antirelaying protections as nonencapsulated SMTP addresses, an intruder can cause a server to forward an encapsulated SMTP address from the attacker to any email address she wants—as though the server were the sender of the email.
Microsoft Exchange Server Version: 5.5
Impact: A malicious user can cause an Exchange Server to fail.
Class: Severe—denial of service
Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25443 or Exchange 5.5 SP4
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-082.asp
Credit: Art Savelev
The Exchange Server normally checks for invalid values in the MIME header fields. However, the Exchange service will fail if a particular type of invalid value is present in certain MIME header fields. You can restore normal operations by restarting the Exchange Server and then deleting the offending mail. The offending mail will be at the front end of the queue after you restart the Exchange service.
Microsoft Exchange Server Versions: 5.0 and 5.5
Impact: An attacker can cause the Server Information Store to choke.
Class: Medium—denial of service
Fix: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Post-SP2-STORE/ or install SP1 or later
Additional Information: http://www.microsoft.com/technet/security/bulletin/ms98-007.asp
Credit: Internet Security Systems, Inc.’s X-Force team
When an attacker issues a series of incorrect data, an application error can result in the Server Information Store failing. It also causes users to fail in their attempts to connect to their folders on the Exchange Server.
Microsoft Exchange Server Versions: 5.0 and 5.5
Impact: An attacker can cause the Internet Mail Service to choke.
Class: Medium—denial of service
Fix: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/post-sp2-ims/ or install SP1 or later
Additional Information: http://www.microsoft.com/technet/security/bulletin/ms98-007.asp
Credit: Internet Security Systems, Inc.’s X-Force team
When an attacker issues a series of incorrect data, an application error can result in the Internet Mail Service failing.
Microsoft Exchange Server Versions: 5.0 and 5.5
Impact: An intruder might be able to recover encrypted data from your network.
Class: Moderate to severe
Fix: Download the latest version of Schannel.dll. Check out this URL for information on where to obtain the latest version: http://support.microsoft.com/support/kb/articles/q148/4/27.asp.
Additional Information: http://www.microsoft.com/technet/security/bulletin/ms98-002.asp
Credit: Daniel Bleichenbacher
An intruder, running a sniffer on your network, might be able to observe an SSL-encrypted session, interrogate the server involved in that session, recover the session key used in that session, and then recover the encrypted data from that session.
Microsoft Exchange Server Version: 2000
Impact: An intruder can remotely log on to an Exchange 2000 Server and possibly on to other servers in the affected Exchange Server’s network.
Class: Moderate to severe
Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25866
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-088.asp
Credit: Unknown
A malicious user can log on to Exchange by using an account with a known username (EUSR_EXSTOREEVENT) and a password that Exchange creates during the setup process. Normally, this account has only local user rights, meaning that the account is neither a privileged account nor can it gain access to Exchange 2000 data. However, when you install Exchange 2000 on a domain controller, the system automatically gives Domain User privileges to the account, so it can gain access to other resources on the affected domain. Microsoft recommends that you disable or delete this account after the setup process has completed.
IIS is a popular Internet server package, and like most server packages, it has vulnerabilities. IIS 4.0 was released for the Windows NT operating system as part of the Windows NT Option Pack, and IIS 5.0 is included in the Windows 2000 Server operating system. Some of the most well-known IIS vulnerabilities are covered here in detail. However, please note that the list of vulnerabilities discussed is not exhaustive. Other vulnerabilities of lesser severity exist, and I am sure new ones are being found even as this is being written.
IIS Version: 4.0 and 5.0
Impact: An attacker can cause the server to temporarily stop providing Web services, or in very unusual cases, the attacker can gain control of the server by sending a specially chosen request to an affected Web server.
Class: Severe
Fix for IIS 4.0 and 5.0: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q319733
IIS Version: 5.0 and 5.1
Impact: An attacker can send a request to an affected server that causes a Web page containing script to be sent to another user. The script executes in the user’s browser as though it comes from the third-party site, which lets the script run by using the security settings that are appropriate to the third-party Web site, and also permits the attacker to access any data that belongs to the site.
Class: Severe
Fix for IIS 5.1: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857
Fix for IIS 5.0: http://www.microsoft.com/windows2000/downloads/security/q319733/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D37824%26redirect%3Dno
IIS Version: 4.0 and 5.0
Impact: An attacker can run code on your machine masquerading as a third-party Web site.
Class: Severe
Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25534
Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25533
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-060.asp
Credit: Peter Grundl of Defcom
When a malicious user runs code masquerading as a third-party Web site, that code can take any action on your box that the third-party Web site is permitted to take. If you designate that Web site as a trusted site, the attacker’s code could take advantage of the increased privileges. The attacker can make the code persistent, so that if you return to that Web site in the future, the code will begin to run again.
IIS Version: 4.0 and 5.0
Impact: An attacker can prevent a Web server from providing service.
Class: Severe—denial of service
Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26704
Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26277
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-100.asp
Credit: eEye Digital Security
FrontPage Server Extensions ship with IIS 4.0 and IIS 5.0 and provide browse-time support functions. A vulnerability exists in some of these functions that allows an attacker to levy a malformed form submission to an IIS server that would cause the IIS service to fail. In IIS 4.0, you have to restart the service manually. In IIS 5.0, the IIS service will restart by itself.
IIS Version: 4.0 and 5.0
Impact: An attacker can read fragments of files from a Web server.
Class: Moderate
Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27492
Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27491
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS01-004.asp
Credit: Unknown
An attacker can cause a requested file to be processed by the .HTR ISAPI extension in such a way as to cause fragments of server-side files, such as .ASP files, to be sent to the attacker.
IIS Version: 4.0 and 5.0
Impact: A malicious user can hijack another user’s secure Web session.
Class: Critical
Fix for IIS 4.0 x86 platforms: http://www.microsoft.com/ntserver/nts/downloads/critical/q274149
Fix for IIS 4.0 Alpha platforms: Available from Microsoft Product Support Services
Fix for IIS 5.0: http://www.microsoft.com/Windows2000/downloads/critical/q274149
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-080.asp
Credit: ACROS Security and Ron Sires and C. Conrad Cady of Healinx
IIS uses the same session ID for both secure and nonsecure pages on the same Web site. What this means to you is that when you initiate a session with a secure Web page, the session ID cookie is protected by SSL. If you subsequently visit a nonsecure page on the same site, that same session ID cookie is exchanged, only this time in plaintext. If a malicious user has control over the communications channel of your box, she could then read the plaintext session ID cookie and use it to take any action on the secure page that you can.
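An added audit routine (not from the book or from Microsoft) that walks captured HTTP exchanges in order and flags the two plaintext exposures described in this entry and in the MSIE Basic-authentication entry earlier in the chapter: a session cookie that travelled over SSL later crossing the wire unprotected, Basic credentials sent over plain HTTP, and session cookies issued over SSL without the Secure attribute. The exchange tuples, cookie values and name heuristic are constructed assumptions of the example.

```python
import re

# Cookie names that look like session or credential carriers (heuristic, constructed for this example).
SESSION_NAME_RE = re.compile(r"sess|sid|auth|token", re.IGNORECASE)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def parse_cookie(header):
    """Parse a request Cookie header into {name: value}."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def audit_exchanges(exchanges):
    """Walk (scheme, request_headers, response_headers) tuples in order and return findings.

    Findings are (severity, message) tuples, produced by three rules:
      1. Basic credentials in a request sent over plaintext HTTP.
      2. A session cookie already exchanged over HTTPS later appearing on an HTTP request.
      3. A session cookie issued over HTTPS without the Secure attribute, which is
         what allows rule 2 to happen in the first place.
    """
    findings = []
    seen_over_tls = {}  # cookie name -> value, for session cookies that have travelled over HTTPS

    for scheme, request, response in exchanges:
        authz = request.get("Authorization", "")
        if scheme == "http" and authz.lower().startswith("basic "):
            findings.append(("high", "Basic credentials sent over plaintext HTTP"))

        for name, value in parse_cookie(request.get("Cookie", "")).items():
            if not SESSION_NAME_RE.search(name):
                continue
            if scheme == "https":
                seen_over_tls[name] = value
            elif seen_over_tls.get(name) == value:
                findings.append(("high", f"session cookie {name} seen over HTTPS now sent in plaintext"))

        for header in response.get("Set-Cookie", []):
            name, value, attrs = parse_set_cookie(header)
            if not SESSION_NAME_RE.search(name):
                continue
            if scheme == "https":
                seen_over_tls[name] = value
                if "secure" not in attrs:
                    findings.append(("medium", f"session cookie {name} issued over HTTPS without Secure attribute"))
    return findings


# Constructed sample traffic: cookie names follow the IIS ASPSESSIONID pattern; values are made up.
SAMPLE_EXCHANGES = [
    ("https", {"Host": "shop.example.com"},
     {"Set-Cookie": ["ASPSESSIONIDQQGGGWBN=ABCDEF0123456789; path=/"]}),
    ("http", {"Host": "shop.example.com", "Cookie": "ASPSESSIONIDQQGGGWBN=ABCDEF0123456789"}, {}),
    ("http", {"Host": "shop.example.com", "Authorization": "Basic dXNlcjpwYXNz"}, {}),
    ("https", {"Host": "shop.example.com"},
     {"Set-Cookie": ["ASPSESSIONIDAABBCCDD=0123456789ABCDEF; path=/; Secure"]}),
]

if __name__ == "__main__":
    for severity, message in audit_exchanges(SAMPLE_EXCHANGES):
        print(f"[{severity}] {message}")
```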
IIS Version: 4.0 and 5.0
Impact: Remote users can run operating system commands on a Web server.
Class: Critical
Fix for IIS 4.0: http://www.microsoft.com/ntserver/nts/downloads/critical/q277873
Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25547
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-086.asp
Credit: NSFocus
An attacker can execute operating system commands that would enable her to take any action that any interactively logged-on user could take. This would enable her to add, delete, or change files on the server; modify Web pages; reformat the hard drive; run existing code on the server; or upload code onto the server and then run it.
IIS Version: 4.0
Class: Severe—denial of service
Fix for NT 4.0 Workstation, Server and Server Enterprise Editions: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24403
Credit: Peter Grundl of VIGILANTe
An attacker can send an invalid URL to the server which, through a sequence of events, could result in an invalid memory request that would cause the IIS service to fail. Microsoft engineers believe that the underlying problem actually exists within Windows NT 4.0 itself.
IIS Version: 4.0 and 5.0
Impact: An attacker can slow an IIS server’s response or prevent it from providing service.
Class: Medium to Severe—denial of service
Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20292
Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20286
Credit: Vanja Hrustic of the Relay Group
By sending a malformed URL with an extremely large number of escape characters, an attacker can consume large quantities of CPU time and thus slow down or prevent the IIS server from providing service for a period of time.
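An added detector (not from the book or from Microsoft) that parses constructed IIS W3C-extended log lines and flags the two request patterns discussed in this section: the escape-character floods described here, and requests routed to the .HTR ISAPI extension from the MS01-004 entry above. The #Fields header layout is IIS's own; the sample lines, client addresses and the escape threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")

# Constructed IIS W3C-extended log excerpt. The flood request is generated so the sample stays
# readable; c-ip values are private-range placeholders.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
2002-03-01 10:00:01 10.0.0.5 GET /default.asp - 200 15
2002-03-01 10:00:02 10.0.0.5 GET /search.asp q=hello%20world%21 200 22
2002-03-01 10:00:03 10.0.0.77 GET /default.asp{flood} - 200 4100
2002-03-01 10:00:04 10.0.0.77 GET /scripts/default%2Ehtr - 200 31
""".format(flood="%25" * 400)


def parse_w3c(text):
    """Parse W3C-extended log text into {field: value} dicts using the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def scan_records(records, max_escapes=50):
    """Apply both rules and return (rule, c-ip, cs-uri-stem, detail) findings.

    Rule 1: more than `max_escapes` %XX sequences in the stem plus query.
    Rule 2: the percent-decoded stem ends in .htr, i.e. it would be handed to the
            .HTR ISAPI mapping (decode first so an encoded extension is not missed).
    """
    findings = []
    for rec in records:
        uri = rec["cs-uri-stem"]
        if rec.get("cs-uri-query", "-") != "-":
            uri += "?" + rec["cs-uri-query"]
        escapes = len(ESCAPE_RE.findall(uri))
        if escapes > max_escapes:
            findings.append(("escape-flood", rec["c-ip"], rec["cs-uri-stem"][:40],
                             f"{escapes} escape sequences"))
        if unquote(rec["cs-uri-stem"]).lower().endswith(".htr"):
            findings.append(("htr-request", rec["c-ip"], rec["cs-uri-stem"],
                             "routed to the .HTR ISAPI extension"))
    return findings


def per_source_counts(findings):
    """Count findings per client address, to spot one source hammering the server."""
    return Counter(ip for _, ip, _, _ in findings)


if __name__ == "__main__":
    hits = scan_records(parse_w3c(SAMPLE_LOG))
    for rule, ip, stem, detail in hits:
        print(f"{rule:13s} {ip:10s} {stem:44s} {detail}")
    print(dict(per_source_counts(hits)))
```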
IIS Version: 4.0 and 5.0
Impact: An attacker can take destructive actions against a Web server.
Class: Critical
Fix: http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
Additional Information: http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
Credit: Rain Forest Puppy
An attacker can change or delete files or Web pages, run existing code on the Web server, upload new code and run it, format the hard disk, or take any number of other destructive actions.
After you establish your Windows NT 4.0 or Windows 2000 server, you can obtain several indispensable tools that will help you keep it secure. No Windows NT 4.0 or Windows 2000 administrator should be caught without these tools.
Administrator Assistant Tool Kit is an application suite that contains utilities to streamline system administration on Windows NT boxes.
Aelita Software
Windows Version: Windows NT 4.0 or Windows NT 3.51
Email: [email protected]
FileAdmin is an advanced tool for manipulating file permissions on large Windows NT-based networks. This utility can save you many hours of work.
Aelita Software
Windows Version: Windows NT 4.0 or Windows NT 3.51
Email: [email protected]
Kane Security Analyst provides real-time intrusion detection for Windows NT 4.0 and Windows 2000. This utility monitors and reports security violations and is very configurable. It assesses six critical security areas: access control, data confidentiality, data integrity, password strength, system monitoring, and user account restrictions.
Intrusion.com, Inc.
Windows Version: Windows 2000 and Windows NT
Email: [email protected]
URL: http://www.intrusion.com/products/product.asp?lngProdNmId=4&lngCatId=23
The LANguard Network Security Scanner not only enables you to monitor and control Internet usage on your network, but also monitors network traffic to detect break-ins from outside your network. With Network Security Scanner, you use keywords to block access to unwanted sites (such as IRC). You can also use keywords to block searches for objectionable material at search engine sites without blocking the entire search engine. With the network monitor, you can watch for suspicious incoming traffic to a specific server that shouldn’t be accessible to outside traffic.
GFI Fax & Voice USA
Windows Version: Windows 2000 or Windows NT 4.0
Email: [email protected]
Security Reporter collects data about your Windows NT 4.0 or Windows 2000 network, such as user rights, users having administrative rights, and resource permissions, among others. This information is stored in a central database, and you use this information to generate reports that help you to identify and fix potential security problems.
GFI Fax & Voice USA
Windows Version: Windows XP, Windows 2000, and Windows NT 4.0
Email: [email protected]
NT Crack is a tool that audits Windows NT passwords. This is the functional equivalent of Crack for Unix.
Secure Networks, Inc.
Windows Version: Windows NT (all versions)
The Administrator’s Pak includes a variety of tools for recovering crashed Windows 2000 and Windows NT 4.0 systems. This bundle includes the NT Locksmith, NTRecover, Remote Recover, and NTFSDOS Pro tools, just to name a few. The Administrator’s Pak bundle is a great value for tools that will help with recovering your Windows 2000 and Windows NT boxes.
Winternals Software LP
Windows Version: Windows 2000 or Windows NT 4.0
Email: [email protected]
NTFSDOS Pro allows you to copy and rename permissions on Windows 2000 and Windows NT 4.0 from a DOS disk. This is a great tool to keep around for emergencies (for example, when you lose that Administrator password).
Winternals Software LP
Windows Version: Windows 2000 or Windows NT 4.0
Email: [email protected]
RemoteRecover is a salvage program. It allows you to access dead Windows NT/2000/XP volumes via a network—now is that cool or what? NTRecover uses TCP/IP to access files and volumes on a dead NT box. You use the TCP/IP network connection to make the disks on the dead box seem as though they are mounted on your own system.
Winternals Software LP
Windows Version: Windows XP, Windows 2000, or Windows NT 4.0
Email: [email protected]
PC Firewall ASaP is a bi-directional packet filter suite for Windows 9x/Me and Windows NT 4.0 clients.
McAfee Security
Windows Version: Windows 9x/Me or Windows NT 4.0
Email: [email protected]
RegAdmin is an advanced tool for manipulating Registry entries on large networks, which is a big timesaver.
Aelita Software
Windows Version: Windows NT 4.0 or Windows NT 3.51
Email: [email protected]
Sniffer Basic (formerly named NetXRay Analyzer) is a powerful protocol analyzer (sniffer) and network monitoring tool for Windows NT. It is probably the most comprehensive NT sniffer available.
Sniffer Technologies
Windows Version: Windows 2000, Windows NT (all versions), or Windows 9x/Me
Note: Sniffer Technologies released Sniffer Pro 4.5 for laptop platforms in January 2001. This version includes support for Windows 2000.
Email: [email protected]
URL: http://www.sniffer.com/products/sniffer-basic/default.asp?A=2
Somarsoft DumpSec dumps permissions for the NTFS file system and the Registry, including shares and printers. It offers a bird’s-eye view of permissions, which are normally hard to gather on large networks.
SystemTools LLP
Windows Version: Windows XP, Windows 2000, Windows NT (all versions)
Email: [email protected]
Somarsoft DumpEvt dumps Event Log information for importation into a database for analysis.
SystemTools LLP
Windows Version: Windows XP, Windows 2000 or Windows NT (all versions)
Email: [email protected]
Somarsoft DumpReg dumps Registry information for analysis. It also allows incisive searching and matching of keys.
SystemTools LLP
Windows Version: Windows XP, Windows 2000, Windows NT (all versions), or Windows 98
Email: [email protected]
The following section introduces several good packages for adding access control to Windows 2000, Windows NT, and Windows 9x/Me.
Windows Version: Windows 2000, Windows NT 4.0, or Windows 9x/Me
Email: [email protected]
Cetus StormWindow allows you to incisively hide and protect almost anything within the system environment, including the following:
Links and folders
Drives and directories
Networked devices and printers
In all, Cetus StormWindow offers very comprehensive access control. (This product also intercepts most alternate boot requests, such as warm boots, Ctrl+Alt+Delete, and function keys.)
imagine LAN, Inc.
Windows Version: Windows 2000, Windows NT 4.0, or Windows 9x/Me
Email: [email protected]
ConfigSafe Complete Recovery v4 records changes and updates made to the Registry, system files, drivers, directory structures, DLL files, and system hardware. You can instantly restore a system to a previously working configuration with ConfigSafe.
DECROS, Ltd.
Windows Version: Windows 2000, Windows NT 4.0, or Windows 9x/Me
Email: [email protected]
DECROS Security Card provides C2-level access control using physical security in the form of a card key. Without that card, no one will gain access to the system.
Omniquad, Ltd.
Email: [email protected]
Desktop Surveillance is a full-fledged investigation and access control utility. (This product has strong logging and audit capabilities.)
Hanovia House
Windows Version: Windows XP, Windows 2000, Windows NT 4.0, or Windows 9x
Email: [email protected]
The Detective is a simple but powerful tool for monitoring system processes. Omniquad Detective enables you to monitor computer usage, reconstruct activities that have occurred on a workstation or server, identify intruders who try to cover their tracks, perform content analysis, and define user search patterns. In all, this very comprehensive tool is tailor-made to catch someone in the act and is probably suitable for investigating computer-assisted crime in the workplace.
Posum LLC
Windows Version: Windows 2000, Windows NT 4.0, or Windows 9x/Me
Email: [email protected]
URL: http://posum.com/
Windows Task-Lock 6.2 provides a simple, inexpensive, and effective way to password-protect specified applications no matter how you (or someone else) execute them. It is easy to configure and requires little to no modification of your current system configuration. Optional sound events, stealth mode, and password timeout are also included.
PBNSoft
Windows Version: Windows NT or Windows 9x
Email: [email protected]
WinSafe allows you to encrypt your files using strong cryptography algorithms such as Blowfish and CAST. With WinSafe you can choose from among 28 different algorithms. Other tools included with this package are File Wiping and Merge Files. File Wiping rewrites deleted files with random trash for the number of times that you specify, whereas Merge Files enables you to merge two files so that you can hide one file in another.
F-Secure, Inc.
Windows Version: Windows 2000, Windows NT 4.0, Windows 9x, or Windows 3.x
Email: [email protected]
Secure Shell (SSH), as you have seen throughout the book, provides safe, encrypted communication over the Internet or other untrusted networks. SSH is an excellent replacement for Telnet or rlogin. SSH uses IDEA and Rivest-Shamir-Adleman (RSA) encryption and is therefore extremely secure. It is reported that the keys are discarded and new keys are made once an hour. SSH completely eliminates the possibility of third parties capturing your communication (for example, passwords that might otherwise be passed in clear text). SSH sessions cannot be overtaken or hijacked, nor can they be sniffed. The only real drawback is that for you to use SSH, the other end must also be using it. Although you might think such encrypted communication would be dreadfully slow, it isn’t.
This section contains many good Windows resource links. Most are dynamic and house material that is routinely updated.
If you are new to Windows NT security, the Windows NT Security Frequently Asked Questions document is an absolute must. I would wager that better than half of the questions you have about NT security are answered in this document.
NTBugTraq is an excellent resource provided by Russ Cooper of RC Consulting. The site includes a database of Windows NT vulnerabilities, plus the archived and searchable versions of the NTBugTraq mailing list.
This site is hosted by Aelita Software Group division of Midwestern Commerce, Inc., a well-known development firm that designs security applications for Windows 2000 and Windows NT, among other things.
This is a forum in which advanced Windows XP, Windows 2000, Windows NT, and Windows 9x/Me issues are discussed. It is a good place to find possible solutions to very obscure and configuration-specific problems. Regulars post clear, concise questions and answers along the lines of “I have a PPRO II w/ NT 4.0 and IIS 3 running MS Exchange 5.0, with SP3 for NT and SP1 for Exchange. So, why is my mail server dying?”
The Windows IT Security site, hosted by Windows 2000 Magazine, is full of information about the latest in security. You can subscribe to discussion lists about advanced vulnerabilities in the Windows 2000 and Windows NT operating systems. You can find it at the following URL:
“An Introduction to the Windows 2000 Public Key Infrastructure” is an article written by Microsoft Press. It presents an introduction to one of Windows 2000’s new security features, PKI.
http://www.microsoft.com/windows2000/techinfo/howitworks/security/pkiintro.asp
I know what you’re thinking—commercial magazines are probably not very good sources for security information. Windows and .NET Magazine is the former Windows 2000 magazine, and the site offers numerous articles and FAQs on security for Windows .NET, XP, 2000 and NT. You can reach the site at http://www.winntmag.com/.
“Securing Windows NT Installation” is an incredibly detailed document from Microsoft on establishing a secure Windows NT server. You can find it at this site:
http://www.microsoft.com/ntserver/techresources/security/Secure_NTInstall.asp
Microsoft lists the steps necessary to upgrade to Windows 2000. Included is how to check whether your hardware and software are compatible with Windows 2000 and how to choose a filesystem. You can find it here:
Microsoft offers a number of excellent applications, and Windows XP, Windows 2000, and Windows NT 4.0 are excellent platforms. However, like their counterparts, they are not secure out of the box. To run secure Microsoft applications and servers, you must do three things:
Patch the vulnerabilities discussed in this chapter.
Apply the general security techniques discussed in other chapters.
Constantly keep up with advisories.
If you cover these bases, you should be fine.