Top Vulnerabilities in Windows Systems

• W1 Internet Information Services (IIS)
• W2 Microsoft SQL Server (MSSQL)
• W3 Windows Authentication
• W4 Internet Explorer (IE)
• W5 Windows Remote Access Services
• W6 Microsoft Data Access Components (MDAC)
• W7 Windows Scripting Host (WSH)
• W8 Microsoft Outlook and Outlook Express
• W9 Windows Peer to Peer File Sharing (P2P)
• W10 Simple Network Management Protocol (SNMP)

W1. Internet Information Services (IIS)

W1.1 Description

Default installations of Internet Information Services (IIS) have proven vulnerable to a number of serious attacks over time. The impact of these vulnerabilities can include:

• Denial of service
• Exposure or compromise of sensitive files or data
• Execution of arbitrary commands
• Complete compromise of the server

IIS uses a programming hook known as ISAPI to associate files having certain extensions with DLLs (known as ISAPI filters). Preprocessors such as ColdFusion and PHP use ISAPI, and IIS includes many ISAPI filters to handle functions such as Active Server Pages (ASP), server-side includes, and web-based printer sharing. Many ISAPI filters installed with IIS by default are not required in most installations, and many of those filters are exploitable. Examples of malicious programs which use this type of propagation mechanism include the well-known Code Red and Code Red 2 worms.

Like many web servers, IIS includes sample applications that were designed to demonstrate the functionality of the web server. These applications were not designed to operate securely in a production environment. Some IIS sample applications have allowed remote viewing or overwriting of arbitrary files as well as remote access to other sensitive server information, including the administrator's password.

An IIS installation that is not maintained is also subject to vulnerabilities discovered since the software release date. Examples include the WebDAV ntdll.dll vulnerabilities in IIS 5.0, which enabled denial of service attacks and could allow any web site visitor to create and execute scripts on the server, and the Unicode exploit vulnerability, which allowed any web site visitor to execute arbitrary commands on the web server merely by requesting carefully crafted URLs.

Third-party web add-ons such as ColdFusion and php can introduce further vulnerabilities in an IIS installation, either through misconfiguration or through vulnerabilities inherent in the product.

Additionally: More information on the latest WebDAV specific vulnerabilities (CAN-2003-0109 CA-2003-09) can be found at the following sites.

• http://www.cert.org/advisories/CA-2003-09.html
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0109
• http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q241520

W1.2 Operating Systems Affected

• Windows NT 4 (any flavor) running IIS 4
• Windows 2000 Server running IIS 5
• Windows XP Professional running IIS 5.1

At the time of this writing, no vulnerabilities have been reported in Windows 2003 running IIS 6; however, it is reasonable to anticipate that vulnerabilities will be found and reported as production environments adopt the new platform in significant numbers.

W1.3 CVE/CAN Entries

CVE-1999-0264, CVE-1999-0278, CVE-1999-0874, CVE-1999-0237, CVE-1999-0191, CVE-2000-0770, CVE-2000-0778, CVE-2000-0884, CVE-2000-0886, CVE-2000-0226, CVE-2001-0151, CVE-2001-0241, CVE-2001-0333, CVE-2001-0500, CVE-2001-0507

CAN-1999-0509, CAN-1999-0736, CAN-1999-1376, CAN-2002-0071, CAN-2002-0073, CAN-2002-0079, CAN-2002-0147, CAN-2002-0149, CAN-2002-0150, CAN-2002-0364, CAN-2002-0419, CAN-2002-0421, CAN-2002-0422, CAN-2002-0869, CAN-2002-1180, CAN-2002-1181, CAN-2002-1182, CAN-2002-1309, CAN-2002-1310, CAN-2003-0109, CAN-2003-0223, CAN-2003-0224, CAN-2003-0225, CAN-2003-0226, CAN-2003-0227, CAN-2003-0349

W1.4 How to Determine if You Are Vulnerable

Default or unpatched IIS installations should be presumed vulnerable.

System and network administrators in charge of IIS deployments should familiarize themselves with Microsofts extensive collection of tools and security documents relating to the proper administration of Internet Information Server.

The main repository for IIS related security documentation is the Internet Information Sever (IIS) Security Center.

It is suggested that you download and run the Microsoft Baseline Security Analyzer which contains detection procedures specifically tailored to IIS.

Administrators should compare their systems against the many checklists, hardening guides, and vulnerability remediation documentation that Microsoft offers to get a sense of vulnerability status.

W1.5 How to Protect Against It

Patch the system and keep it current.

Patching a server on installation is necessary but not sufficient. As new IIS weaknesses are uncovered, you will need to patch accordingly. Windows Update and AutoUpdate are options for single-server installations. HFNetChk, the Network Security Hotfix Checker, assists the system administrator in scanning local or remote systems for current patches. The tool works on Windows NT 4, Windows 2000, and Windows XP. The current version can be downloaded from Microsoft at http://www.microsoft.com/technet/security/tools/hfnetchk.asp.

If you use third-party add-ons such as ColdFusion, PerlIIS, or PHP, remember to check the third-party vendors' web sites for patches and configuration tips as well. For obvious reasons, Microsoft does not include third-party patches in Windows Update and related update services.

Use IIS Lockdown Wizard to harden the installation

Microsoft has released a simple tool to aid in securing IIS installations known as the IIS Lockdown Wizard. The current version can be downloaded from Microsoft at http://www.microsoft.com/technet/security/tools/locktool.asp.

Running the IIS Lockdown Wizard in "custom" or "expert" mode will allow you to make the following recommended changes to an IIS installation:

• Disable WebDAV (unless your environment absolutely requires it for web content publishing).
• Unmap all unnecessary ISAPI extensions (including .htr, .idq, .ism, and .printer in particular).
• Eliminate sample applications.
• Forbid the web server from running system commands commonly used in a compromise (e.g., cmd.exe and tftp.exe).

Use URLScan to filter HTTP requests

Many IIS exploits, including Code Blue and the Code Red family, use maliciously formed HTTP requests in directory traversal or buffer overflow attacks. The URLScan filter can be configured to reject such requests before the server attempts to process them. The current version has been integrated into the IIS Lockdown Wizard, but can be downloaded separately from Microsoft at http://www.microsoft.com/technet/security/tools/urlscan.asp.

W2. Microsoft SQL Server (MSSQL)

W2.1 Description

The Microsoft SQL Server (MSSQL) contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and, in some configurations, compromise server hosts.

MSSQL vulnerabilities are well-publicized and actively under attack. Two recent MSSQL worms in May 2002 and January 2003 exploited several known MSSQL flaws. Hosts compromised by these worms generate a damaging level of network traffic when they scan for other vulnerable hosts. Additional information on these worms can be found at

SQLSnake/Spida Worm (May 2002)

http://isc.incidents.org/analysis.html?id=157

http://www.eeye.com/html/Research/Advisories/AL20020522.html

http://www.cert.org/incident_notes/IN-2002-04.html

SQL-Slammer/SQL-Hell/Sapphire Worm (January 2003)

http://isc.incidents.org/analysis.html?id=180

http://www.nextgenss.com/advisories/mssql-udp.txt

http://www.eeye.com/html/Research/Flash/AL20030125.html

http://www.cert.org/advisories/CA-2003-04.html

Port 1433 and 1434 (MSSQL server and monitor default ports) have also been regularly registered as two of the most frequently scanned ports by the Internet Storm Center.

SQLSnake's exploit routine depends on the default administrative account, or "sa" account, having a null password. It is essential to the proper configuration and defense of any system to ensure that all system accounts are password protected, or completely disabled if not in use. You can find more information regarding setting and managing sa account passwords in the Microsoft Developer Network documentation under Changing the SQL Server Administrator Login, as well as Verify and Change the System Administrator Password by Using MSDE. The sa account should have a complex, hard-to-guess password even if it is not used to run your SQL/MSDE implementation.

SQL Slammer's exploit routine is based upon a buffer overflow in the SQL Server Resolution Service. This buffer overflow is brought to bear and host security is thus compromised when the worm sends crafted attack packets to UDP port 1434 of vulnerable target systems. If a machine runs SQL services that are subject to this stack buffer overflow and it receives packets of this nature, it will usually result in total server and system security compromise. The most effective means of defense against this worm is diligent patching, proactive system configuration practices, and ingress/egress UDP port 1434 filtering at network gateways.

The Microsoft Server 2000 Desktop Engine (MSDE 2000) can be thought of as "SQL Server Lite". Many system owners don't even realize that their systems are running MSDE and that they have a version of SQL Server installed. MSDE 2000 is installed as a part of the following Microsoft products:

1. SQL/MSDE Server 2000 (Developer, Standard and Enterprise Editions)
2. Visual Studio .NET (Architect, Developer and Professional Editions)
3. ASP.NET Web Matrix Tool
4. Office XP
5. Access 2002
6. Visual Fox Pro 7.0/8.0

In addition there are many other software packages that make use of the MSDE 2000 software. For an up-to-date list please check http://www.SQLsecurity.com/forum/applicationslistgridall.aspx. Since this software uses MSDE as its core database engine, it has the same vulnerabilities as SQL/MSDE Server. MSDE 2000 can be configured to listen for incoming client connections in a multitude of different ways. It can be configured such that clients can use named pipes over a NetBIOS session (TCP port 139/445) or sockets with clients connecting to TCP port 1433, or both. Whichever method is used, SQL Server and MSDE will always listen on UDP port 1434. This port is designated as a monitor port. Clients will send a message to this port to dynamically discover how the client should connect to the server.

The MSDE 2000 engine returns information about itself whenever presented with the single byte packet 0x02 on UDP port 1434. Other single byte packets cause a buffer overflow without ever having to authenticate to the server itself. What further exacerbates these issues is that the attack is channeled over UDP. Whether the MSDE 2000 process runs in the security context of a domain user or the local SYSTEM account, successful exploitation of these security holes may mean a total compromise of the target system.

Since SQL Slammer exploits a buffer overflow on the target system, following best practices of timely patching and conscientious system configuration helps to mitigate this threat. By downloading and using defensive tools such as theMicrosoft SQL Critical Update Kit, one can check local systems for vulnerability to this exploit, scan entire domains or networks for the existence of vulnerable systems, and automatically update affected files with SQL Critical Update.

Please see the report and analysis on incidents.org for more details on the SQL/MSDE Slammer worm. This particular attack affected the Internet Backbone for a few hours on the morning of January 25, 2003.

W2.2 Operating Systems Affected

Any Microsoft Windows system with Microsoft SQL/MSDE Server 7.0, Microsoft SQL/MSDE Server 2000 or Microsoft SQL/MSDE Server Desktop Engine 2000 installed, as well as any system which uses the MSDE engine separately.

W2.3 CVE/CAN Entries

CVE-1999-0999, CVE-2000-0202, CVE-2000-0402, CVE-2000-0485, CVE-2000-0603, CVE-2001-0344, CVE-2001-0879

CAN-2000-0199, CAN-2000-1081, CAN-2000-1082, CAN-2000-1083, CAN-2000-1084, CAN-2000-1085, CAN-2000-1086, CAN-2000-1087, CAN-2000-1088, CAN-2000-1209, CAN-2001-0509, CAN-2001-0542, CAN-2002-0056, CAN-2002-0154, CAN-2002-0186, CAN-2002-0187, CAN-2002-0224, CAN-2002-0624, CAN-2002-0641, CAN-2002-0642, CAN-2002-0643, CAN-2002-0644, CAN-2002-0645, CAN-2002-0649, CAN-2002-0650, CAN-2002-0695, CAN-2002-0721, CAN-2002-0729, CAN-2002-0859, CAN-2002-0982, CAN-2002-1123, CAN-2002-1137, CAN-2002-1138, CAN-2002-1145, CAN-2003-0118

W2.4 How to Determine if you are Vulnerable

Microsoft has published a set of security tools at http://www.microsoft.com/sql/downloads/securitytools.asp. The toolkit named the SQL Critical Update Kit contains valuable tools such as SQL Scan, SQL Check, and SQL Critical Update.

Chip Andrews of sqlsecurity.com released a tool called SQLPingv2.2. This tool sends a single byte UDP packet (byte value of 0x02) to port 1434 of either a single host or an entire subnet. SQL Servers listening on UDP 1434 will respond by divulging system details such as version number, instances, etc. SQLPingv2.2 is considered a scanning and discovery tool much like Microsoft's SQL Scan, and will not further compromise your system and network security. Additional SQL security tools can be found at Chip Andrew's SQL/MSDE Security Web site.

W2.5 How to Protect Against It

Summary:

1. Disable SQL/MSDE Monitor Service on UDP Port 1434.
2. Apply the latest service pack for Microsoft SQL/MSDE server and/or MSDE 2000.
3. Apply the latest cumulative patch that is released after the latest service pack.
4. Apply any individual patches that are released after the latest cumulative patch.
5. Enable SQL Server Authentication Logging.
6. Secure the server at system and network level.
7. Minimize privileges of the MSSQL/MSDEServer service and SQL/MSDE Server Agent.

Detail:

1. Disable the SQL/MSDE Server Monitor on UDP Port 1434.
   
   This can be easily accomplished by installing and using the functionality within SQL Server 2000 Service Pack 3a. Microsoft's database engine MSDE 2000 exhibits two buffer overflow vulnerabilities that can be exploited by a remote attacker without ever having to authenticate to the server. What further exacerbates these issues is that the attack is channeled over UDP. Whether the MSDE 2000 process runs in the security context of a domain user or the local SYSTEM account, successful exploitation of these security holes may mean a total compromise of the target system. MS-SQL/MSDE Slammer sends a 376 byte long UDP packet to port 1434 using random targets at a very high rate. Compromised systems will immediately start sending identical 376 byte packets once they are infected. The worm sends traffic to random IP addresses, including multicast IP addresses, causing a Denial of Service on the target network. Single infected machines have reported traffic in excess of 50 Mb/sec after being infected.
   
   
2. Apply the latest service pack for Microsoft SQL/MSDE server and MSDE 2000.
   
   The current Microsoft SQL/MSDE Server service pack version is:
   • SQL/MSDE Server 7.0 Service Pack 4
   • MSDE/SQL Server 2000 Service Pack 3a
   To ensure that you are current with any future upgrades, monitor Make Your SQL/MSDE Servers Less Vulnerable from Microsoft TechNet.
   
   
3. Apply the latest cumulative patch that is released after the latest service pack.
   
   The current cumulative patch for all versions of SQL/MSDE/MSDE Server is available at MS02-061 Elevation of Privilege in SQL/MSDE Server Web Tasks (Q316333/Q327068).
   
   To ensure that you are current with any future upgrades, you can check for the latest cumulative patch for Microsoft SQL/MSDE Server at:
   • Microsoft SQL/MSDE Server 7.0
   • Microsoft SQL Server 2000
   • MSDE Server Desktop Engine 2000 (MSDE 2000)
   
   
4. Apply any individual patches that are released after the latest cumulative patch.
   
   Currently, there is no individual patch after the release of the MS02-061 Elevation of Privilege in SQL/MSDE Server Web Tasks (Q316333/Q327068). But to ensure that you are current with any future upgrades, you can check for any newly released individual patches at:
   • Microsoft SQL/MSDE Server 7.0
   • Microsoft SQL Server 2000
   • MSDE Server Desktop Engine 2000 (MSDE 2000)
   
   
5. Enable SQL Server Authentication Logging.
   
   SQL Server Authentication Logging is commonly not enabled. This can be done through Enterprise Manager (Server properties; tab Security).
   
   
6. Secure the server at system and network level.
   
   One of the most commonly attacked MSSQL/MSDE exposures is that the default administrative account (known as "sa") is installed with a blank password. If your SQL/MSDE "sa" account is not password-protected, you effectively have no security and can be affected by worms and other exploits. Therefore, you should follow the recommendation from the "System Administrator (SA) Login" topic in SQL/MSDE Server Books Online to make sure that the built-in "sa" account has a strong password, even if your SQL/MSDE server does not run using this account. Microsoft Developer's Network has documentation on Changing the SQL Server Administrator Login and how to Verify and Change the System Administrator Password by Using MSDE.
   
   
7. Minimize privileges of the MSSQL/MSDEServer service and SQL/MSDE Server Agent.
   
   Run the MSSQL/MSDEServer service and SQL/MSDE Server Agent under a valid domain account with minimal privileges, not as a domain administrator or the SYSTEM (on NT) or LocalSystem (on 2000 or XP) account. A compromised service running with local or domain privileges would give an attacker complete control of your machine and/or your network.
   1. Enable Windows NT Authentication, enable auditing for successful and failed logins, and then stop and restart the MSSQL/MSDEServer service. If possible, configure your clients to use NT Authentication.
   2. Packet filtering should be performed at network borders to prohibit specifically non-authorized inbound or outbound connections to MSSQL specific services. Ingress and egress filtering of TCP/UDP ports 1433 and 1434 could prevent internal or external attackers from scanning and or infecting vulnerable Microsoft SQL/MSDE servers on your network or the networks of others that are not explicitly authorized to provide public SQL/MSDE services.
   3. If TCP/UDP ports 1433 and 1434 need to be available on your Internet gateways, enable and customize egress/ingress filtering to prevent misuse of this port.

Additional information on securing Microsoft SQL/MSDE Server can be found at:

• Microsoft SQL/MSDE Server 7.0 Security
• Microsoft SQL/MSDE Server 2000 Security

W3. Windows Authentication

W3.1 Description

Passwords, passphrases and security codes are used in virtually every interaction between users and information systems. Most forms of user authentication, as well as file and data protection, rely on user-supplied passwords. Since properly authenticated access is often not logged, or even if logged not likely to arouse suspicion, a compromised password is an opportunity to explore a system from the inside virtually undetected. An attacker would have complete access to any resources available to that user, and would be significantly closer to being able to access other accounts, nearby machines, and perhaps even administrative privileges. Despite this threat, accounts with bad or empty passwords remain extremely common, and organizations with good password policy are far too rare.

The most common password vulnerabilities are:

• User accounts have weak or nonexistent passwords.
• Regardless of the strength of their password, users fail to protect it.
• The operating system or additional software creates administrative accounts with weak or nonexistent passwords.
• Password hashing algorithms are known and often hashes are stored such that they are visible by anyone. The best and most appropriate defense against these is a strong password policy which includes thorough instructions for good password habits and proactive checking of password integrity.

Microsoft Windows does not store or transmit passwords in clear text - it uses a hash of password for authentication. A Hash is a fixed-size result obtained by applying a mathematical function (the hashing algorithm) to an arbitrary amount of data (also known as the message digest). (MSDN Library) There are three Windows authentication algorithms: LM (least secure, most compatible); NTLM and NTLMv2 (most secure and least compatible). Although most current Windows environments have no need for LAN Manager (LM) support, Microsoft Windows locally stores legacy LM password hashes (also known as LANMAN hashes) by default on Windows NT, 2000 and XP systems (but not in Windows 2003). Since LM uses a much weaker encryption scheme than more current Microsoft approaches (NTLM and NTLMv2), LM passwords can be broken in a very short period of time. Even passwords that otherwise would be considered "strong" can be cracked by brute-force in under a week on current hardware.

http://msdn.miscrosoft.com/library/default.asp?url=/library/en-us/security/Security/h_gly.asp

The weakness of LM hashes derives from the following:

• Passwords are truncated to 14 characters.
• Passwords are padded with spaces to become 14 characters.
• Passwords are converted to all upper case characters.
• Passwords are split into two seven character pieces.

This hashing process means that an attacker needs only to complete the trivial task of cracking two seven-character, upper-case passwords to gain authenticated access to your system. Since the complexity of cracking hashes increases geometrically with the length of the hash, each seven-character string is at least an order of magnitude simpler to attack by brute-force than would a combined fourteen-character string. Since all strings are exactly seven characters (including spaces) and entirely upper-case, a dictionary-style attack is also simplified. The LM hashing method therefore completely undermines good password policies.

In addition to the risk posed by having legacy LM hashes stored in the SAM, the LAN Manager authentication process is often by default enabled on clients and accepted by servers. As a result, Windows machines capable of utilizing stronger hash algorithms instead send weak LM hashes across the network, making Windows authentication vulnerable to eavesdropping by packet sniffing, and therefore easing the efforts of an attacker to obtain and crack user passwords.

W3.2 Operating Systems Affected

All Microsoft Windows operating systems.

W3.3 CVE/CAN Entries

CVE-2000-0222

CAN-1999-0504, CAN-1999-0505, CAN-1999-0506

W3.4 How to Determine if you are Vulnerable

Although there are observable symptoms of general password weakness, such as the existence of active accounts for users who have departed the organization or services which are not running, the only way to know for certain that each individual password is strong is to test all of them against the same password cracking tools used by attackers.

Please Note: Never run a password scanner, even on systems for which you have administrative access, without explicit and preferably written permission from your employer. Administrators with the most benevolent of intentions have been fired for running password cracking tools without authority to do so.

A few of the best cracking tools available are: LC4 (l0phtcrack version 4) and John the Ripper

Regarding the issue of a locally stored LAN Manager hash:

• If you are running a default installation of NT, 2000 or XP, you are vulnerable since LAN Manager hashes are stored locally by default.
• If you have legacy operating systems in your environment that require LM authentication in order to communicate to servers, then you are vulnerable because those machines send LM hashes which can be sniffed off the network.

W3.5 How to Protect Against It

The best and most appropriate defense against password weaknesses is a strong policy which includes thorough instructions to engender good password habits and proactive checking of password integrity.

1. Assure that passwords are consistently strong. Given enough hardware and enough time, any password can be cracked by brute force. But there are simpler and very successful ways to learn passwords without such expense. Password crackers employ what are known as dictionary-style attacks. Since encryption methods are known, cracking utilities simply compare the encrypted form of a password against the encrypted forms of dictionary words (in many languages), proper names, and permutations of both. Therefore a password whose root in any way resembles a known word is highly susceptible to a dictionary attack. Many organizations instruct users to generate passwords by including combinations of alphanumeric and special characters, and users more often than not adhere by taking a word ("password") and converting letters to numbers or special characters ("pa$$w0rd"). Such permutations cannot protect against a dictionary attack: "pa$$w0rd" is as likely to be cracked as "password."
   
   A good password therefore cannot have a word or proper name as its root. A strong password policy should direct users to generate passwords from something more random, like a phrase or the title of a book or song. By concatenating a longer string (taking the first letter of each word, or substituting a special character for a word, removing all the vowels, etc.), users can generate sufficiently long strings which combine alphanumeric and special characters in a way which dictionary attacks will have great difficulty cracking. And if the string is easy to remember, then the password should be as well.
   
   Once users are given the proper instructions for generating good passwords, procedures should be put in place to assure that these instructions are followed. The best way to do this is by validating the password whenever the user changes it by employing Passfilt (NT4).
   
   Windows 2000, XP, 2003 have powerful tools for enforcing password policy. To view your current password policy on most Windows systems, follow these steps (Start - Programs - Administrative Tools - Local Security Policy - select Account Policies - Password Policy). The Local Security Policy has following settings:
   
   
   • Password must meet complexity requirements. Determines whether passwords must meet complexity requirements. Complexity requirements are enforced when passwords are changed or created. If this policy is enabled, passwords must meet the following minimum requirements:
     1. Not contain all or part of the user's account name
     2. Be at least six characters in length
     3. Contain characters from three of the following four categories:
     4. English uppercase characters (A through Z)
     5. English lowercase characters (a through z)
     6. Base 10 digits (0 through 9)
     7. Nonalphanumeric characters (e.g., !, $, #, %)
   • Enforce password history (range: 0-24): Determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. Setting this parameter to 0 passwords remembered enables password recycling; setting it to 24 passwords remembered requires 24 changes of password before initial password can be recycled. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually. To maintain the effectiveness of the password history, do not allow passwords to be changed immediately when you configure the minimum password age.
   • Maximum password age (range: 0-999 days): Determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0.
   • Minimum password age (range: 0-999 days): Determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 999 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the maximum password age. Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, password history is set to 1 by default.
   • Minimum password length (range: 0-14 characters): Determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. Minimum password length should conform to corporate security policy (otherwise it is recommended that it be set to 8 or more characters; National Security Agency (NSA) recommends 12 characters).
   • Store password using reversible encryption for all users in the domain: Determines whether Windows 2000, 2003 and XP Professional store passwords using reversible encryption. This policy provides support for applications using protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.
   
   An approach that can be used to automatically generate and assign complex passwords to user accounts is as follows - run the following command (from Command line prompt of Windows NT4, 2000, XP, 2003):
   
   Net user username /random
   
   Execution of this command will assign random complex (but always 8-characters long) passwords to an account and will print this password on the console screen. This method is usually more appropriate for assigning passwords for service accounts, rather than for actual users.
   
   The best way to audit the quality of passwords is to run password cracking utilities in a stand-alone mode as part of routine scanning.
   
   Again Please Note: Never run a password scanner, even on systems for which you have administrative access, without explicit and preferably written permission from your employer. Administrators with the most benevolent of intentions have been fired for running password cracking tools without authority to do so.
   
   Once you have acquired authority to run cracking utilities on your system, do so regularly on a protected machine. Users whose passwords are cracked should be notified confidentially and given instructions on how to choose a good password. Administrators and management should develop these procedures together so that management can provide assistance when users do not respond to these notifications.
   
   Another way to protect against nonexistent or weak passwords is to use an alternative form of authentication such as password-generating tokens or biometrics.
   
   
2. Protect strong passwords. Even if passwords themselves are strong, accounts can be compromised if users do not protect their passwords. Good policy should include instructions that a user never tell his or her password to anyone else, never write a password down where it could be read by others, and properly secure any files in which a password is stored to automate authentication (passwords are easier to protect when this practice is only used if absolutely necessary). Password aging should be enforced so that any passwords which slip through these rules are only vulnerable for a short window of time, and old passwords should not be reused. Make sure that the users are given warning and chances to change their password before it expires. When faced with the message "Your password has expired and must be changed," users will tend to pick a bad password.
   
   
3. Tightly control accounts.
   • Any service-based or administrative accounts not in use should be disabled or removed. Any service-based or administrative accounts which are used should be given new and strong passwords.
   • Audit the accounts on your systems and create a master list. Do not forget to check passwords on systems like routers and Internet-connected digital printers, copiers and printer controllers.
   • Develop procedures for adding authorized accounts to the list, and for removing accounts when they are no longer in use.
   • Validate the list on a regular basis to make sure no new accounts have been added and that unused accounts have been removed.
   • Have rigid procedures for removing accounts when employees or contractors leave or when the accounts are no longer required.
   
   
4. Maintain strong password policy for the enterprise. In addition to operating system or network service-level controls, there are many comprehensive tools available to help manage good password policy. Many sample policies templates, policy development guidelines, password security fundamentals, and links to numerous security policy web sites (which include password policy information) can be found at the SANS Security Policy Project site.
   
   
5. Disable LM authentication across the network. The best replacement in Windows for LAN Manager authentication is NT LAN Manager version 2 (NTLMv2). NTLMv2 challenge/response methods overcome many weaknesses in LM by using stronger encryption and improved authentication and session security mechanisms. The registry key that controls this capability in both Windows NT and 2000 is:
   
   Hive: HKEY_LOCAL_MACHINE
   Key: System\CurrentControlSet\Control\LSA
   Value: LMCompatibilityLevel
   Value Type: REG_DWORD - Number
   Valid Range: 0-5
   Default: 0
   
   

   Description: This parameter specifies the type of authentication to be used.

   0 - Send LM response and NTLM response; never use NTLMv2 session security

   1 - Use NTLMv2 session security if negotiated

   2 - Send NTLM authentication only

   3 - Send NTLMv2 authentication only

   4 - DC refuses LM authentication

   5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)

   On Windows 2000, 2003, and XP the same functionality can be implemented by configuring the setting LAN Manager authentication level (Windows 2000) or Network security: LAN Manager authentication level (Windows XP, 2003) (Start - Programs - Administrative Tools - Local Security Policy - Local Policies - Security Options).
   
   If all of your systems are Windows NT SP4 or later, you can set this to 3 on all clients and 5 on all domain controllers to prevent any transmission of LM hashes on the network. However, legacy systems (such as Windows 95/98) will not use NTLMv2 with the default Microsoft Network Client. To get NTLMv2 capability, install the Directory Services Client. Once installed, the registry value name is "LMCompatibility," and the allowed values are 0 or 3.
   
   If you cannot force your legacy clients to use NTLMv2, you can gain a slight improvement over LM hashing by forcing NTLM (NT Lan Manager, version 1) at the domain controller (set LMCompatibilityLevel to 4 or if you use tool Local Security Policy set LAN Manager authentication level to value: Send NTLMv2 Response only\Refuse LM). But the most secure option with regard to legacy systems is to migrate them to newer operating platforms, since the older operating systems do not allow this minimum security level to be supported.
   
   
6. Prevent the LM hash from being stored. One major problem with simply removing the LM hashes being passed over the network is that the hashes are still created and stored in the SAM or Active Directory. Microsoft has a mechanism available for turning off the creation of the LM hashes altogether, but only in Windows 2000, 2003 and XP. On Windows 2000 systems (SP2 or later), the following registry key controls this function:
   
   Hive: HKEY_LOCAL_MACHINE
   Key: System\CurrentControlSet\Control\LSA\NoLMHash
   
   If this key is created on a Windows 2000 Domain Controller, the LanMan hashes will no longer be created and stored in Active Directory.
   
   On Windows XP and 2003, the same functionality can be implemented by enabling setting Network security: Do not store LAN Manager hash value on next password change (Start - Programs - Administrative Tools - Local Security Policy - Local Policies - Security Options).
   
   After making these modifications the system must be restarted in order for the change to take effect.
   
   Important Note: This only prevents new LM hashes from being generated. Existing LM hashes are removed individually the next time each user changes his or her password.
   
   
7. Prevent password hashes and SAM database from being copied. Password cracking tools, mentioned in this section, obtain password hashes by:
   • Sniffing passwords from the network. Countermeasures: 1. Use of switched networks; 2. Detection and removal of network cards in promiscuous mode (they can be detected by most commercial security assessment tools, such as free tools like ethereal).
   • Copying SAM file (located in %SystemRoot%\System32\Config\ folder usually C:\Winnt\System32\Config\ - on Windows NT4 and 2000 or C:\Windows\System32\Config\ - on Windows XP and 2003). This file is normally locked by Windows OS and can be copied only when system booted to alternative OS. SAM file also can be obtained by restoring backup of SAM file or System State (Windows 2000, 2003, XP). SAM file also located on NT4 Repair Disk.
   
   Countermeasures: Limit and monitor physical access to computer systems (especially domain controllers), backup media and Repair Disk.
   
   The following Microsoft articles provide useful references:
   • How to Disable LM Authentication on Windows NT [Q147706] details the required changes in the registry for Windows 9x and Windows NT/2000.
   • MS03-034 : Flaw in NetBIOS Could Lead to Information Disclosure (824105)
   • LMCompatibilityLevel and Its Effects [Q175641] explains interoperability issues with this parameter.
   • How to Enable NTLMv2 Authentication for Windows 95/98/2000/NT [Q239869] explains how to use Windows 2000's Directory Services Client for Windows 95/98 to overcome the compatibility limitation for NTLMv2.
   • New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager

W4 Internet Explorer (IE)

W4.1 Description

Microsoft Internet Explorer (IE) is the default web browser installed on Microsoft Windows platforms. All existing versions of Internet Explorer have critical vulnerabilities if they are not kept up-to-date with current patches. A malicious web administrator can design web pages to exploit these vulnerabilities in the context of a user's Internet Explorer while browsing these web pages.

The vulnerabilities can be categorized into multiple classes including web page or Windows interface spoofing, ActiveX control vulnerabilities, Active scripting vulnerabilities, MIME-type and Content-type misinterpretation and Buffer overflows. The consequences may include disclosure of cookies, local files or data, execution of local programs, download and execution of arbitrary code, or complete takeover of the vulnerable system.

W4.2 Operating Systems Affected

These vulnerabilities exist on Microsoft Windows systems running any version of Microsoft Internet Explorer. It is important to note that IE is installed with a wide variety of Microsoft software and is therefore typically present on all Windows systems, even on servers where browsing is rarely necessary.

W4.3 CVE/CAN Entries

CVE-2001-0002 CVE-2001-0154 CVE-2001-0339 CVE-2001-0727 CVE-2001-0875 CVE-2002-0022 CVE-2002-0027 CVE-2003-0344

CAN-2002-0190 CAN-2002-0193 CAN-2002-1258 CAN-2003-0111 CAN-2003-0113 CAN-2003-0114 CAN-2003-0233 CAN-2003-0309 CAN-2003-1328

W4.4 How to Determine if you are Vulnerable

If you are using Internet Explorer on your system and have not installed the latest cumulative security patch, you are most likely vulnerable. If Windows Update is enabled on your machinery, you can verify whether IE is installed and which Internet Explorer patches are installed on your system by visiting http://windowsupdate.microsoft.com. If Windows Updating is not available for your system, you can use HFNetChk, the Network Security Hotfix Checker, or the Microsoft Baseline Security Analyzer (MBSA) to do the same.

You may also find online Internet Explorer analysis tools, such as the Qualys Browser Check, to be very valuable in assessing the security state of IE on your systems.

W4.5 How to Protect Against It

Patches for these vulnerabilities are available for Internet Explorer version 6.0. Earlier versions of Internet Explorer are also vulnerable; however patches may not be available for earlier versions. If you are using IE 5.5 or earlier, upgrading to IE 6.0 is strongly recommended as service packs for earlier versions of Internet Explorer are no longer available. If you are using IE 6.0, start by upgrading to the most recent service pack for Internet Explorer which can be found at this Internet Explorer 6 SP1 link.

You should also add the latest cumulative security patch (828750) which repairs additional vulnerabilities. For more information about the vulnerabilities this patch repairs and appropriate changes to your configuration which can mitigate the risks, please see the related Security Bulletin and Knowledge Base article.

To maintain your system's protection, keep abreast of any new IE updates with Windows Update, HFNetChk, or the Microsoft Baseline Security Analyzer (MBSA). You can also get general IE update information from Microsoft's Internet Explorer Home.

W4.6 How to secure Internet Explorer

To configure the Security settings for Internet Explorer:

1. Select Internet Options under the Tools menu.
2. Select the Security tab and then click Custom Level for the Internet zone.
   
   Most of the flaws in IE are exploited through Active Scripting or ActiveX Controls.
3. Under Scripting, select Prompt for Allow paste operations via script to prevent content from being exposed from your clipboard.
   
   Note: Active Scripting should not be disabled since it is used by many websites.
   
   ActiveX Controls are not as popular but are potentially more dangerous as they allow greater access to the system.
4. Select Prompt for Download signed ActiveX Controls.
5. Select Disable for Download unsigned ActiveX Controls.
6. Also select Disable for Initialize and script ActiveX Controls not marked as safe.
   
   Java applets typically have more capabilities than scripts.
7. Under Microsoft VM, select High safety for Java permissions in order to properly sandbox the Java applet and prevent privileged access to your system.
8. Under Miscellaneous select Disable for Access to data sources across domains to avoid Cross-site scripting attacks.

Please also ensure that no un-trusted sites are in the Trusted sites or Local intranet zones as these zones have weaker security settings than the other zones.

W5 Windows Remote Access Services

W5.1 Description

The family of Windows Operating Platforms support a variety of different networking methods and technologies. There is native support for most industry standard networking protocols and built-in functionality for many Microsoft specific networking methods and techniques. Among these MS specific network technologies are notoriously insecure or misconfigured items such as NETBIOS Network Shares, Anonymous Logon NULL sessions, remote registry access, and remote procedure calls. These items make up a large share of the more common network level exploits on Windows and are outlined in the following text.

NETBIOS -- Unprotected Windows Networking Shares

Microsoft Windows provides a host machine with the ability to share files or folders across a network with other hosts through Windows network shares. The underlying mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS). These protocols permit a host to manipulate remote files just as if they were local.

Although this is a powerful and useful feature of Windows, improper configuration of network shares may expose critical system files or may provide a mechanism for a nefarious user or program to take full control of the host. One of the ways in which I-Worm.Klez.a-h (Klez Family) worm, Sircam virus (see CERT Advisory 2001-22) and Nimda worm (see CERT Advisory 2001-26) spread so rapidly in 2001 was by discovering unprotected network shares and placing copies of themselves in them. Many computer owners unknowingly open their systems to hackers when they try to improve convenience for co-workers and outside researchers by making their drives readable and writeable by network users. But when care is taken to ensure proper configuration of network shares, the risks of compromise can be adequately mitigated.

Anonymous Logon

A null session is a session established without credentials (i.e. blank username and password). Null sessions can be used to display information about users, groups, shares and password policies. Microsoft Windows NT services running as the Local System account on the local computer communicate with other services over the network by establishing null sessions. Windows 2000 and later services running as the Local System account on the local computer use the local computer account to authenticate to other servers. Active Directory running in native mode does not accept null session queries. In mixed mode, Active Directory allows Pre-Windows 2000 compatible access, accepting null session queries which, in turn, inherit the null session vulnerabilities of Windows NT.

Remote Registry Access

Microsoft Windows 9x, Windows CE, Windows NT, Windows 2000, Windows ME and Windows XP employ a central hierarchical database, known as the Registry, to manage software, device configurations, and user settings.

Improper permissions or security settings can permit remote registry access. Attackers can exploit this feature to compromise the system or form the basis for adjusting file association and permissions to enable malicious code.

Remote Procedure Calls

Many versions of Microsoft operating systems (Windows NT 4.0, 2000, XP, and 2003) provide an inter-process communication mechanism that allows programs running on one host to execute code on remote hosts. Three vulnerabilities have been published that would allow an attacker to run arbitrary code on susceptible hosts with Local System privileges. One of these vulnerabilities was exploited by Blaster/MSblast/LovSAN and Nachi/Welchia worms. There are also other vulnerabilities that would allow attackers to mount Denial of Service attacks against RPC components.

W5.2 Operating Systems Affected

Windows 95, Windows 98, Windows NT Workstation and Server, Windows Me, Windows 2000 Workstation and Server, Windows XP Home and Professional, and Windows 2003 are all vulnerable.

W5.3 CVE/CAN Entries

NETBIOS

CVE-2000-0979

CAN-1999-0518, CAN-1999-0519, CAN-1999-0621, CAN-2000-1079

Anonymous Logon

CVE-2000-1200

Remote Registry Access

CVE-2000-0377, CVE-2002-0049

CAN-1999-0562, CAN-2001-0045, CAN-2001-0046, CAN-2001-0047, CAN-2002-0642, CAN-2002-0649, CAN-2002-1117

Remote Procedure Calls

CAN-2002-1561, CAN-2003-0003, CAN-2003-0352, CAN-2003-0528, CAN-2003-0605, CAN-2003-0715

W5.4 How to Determine if you are Vulnerable

How to determine if you are vulnerable to NETBIOS related issues.

A number of tools are available that can help you make the determination if there are NETBIOS related vulnerabilities on your systems.

NAT' (NetBIOS Auditing Tool) is available form Afentis Security. NAT explores the NETBIOS file-sharing services available on target systems and implements a stepwise approach to gather information before attempting to obtain file system-level access. NAT is available under the GNU General Public License: http://www.afentis.com/resources/win32/nat/.

Windows 95/98/Me users can use Legion v2.11, the latest version of the Legion File Share scanner by Rhino9, to scan for Windows networking shares.

Windows 2000 Administrators can use Security Fridays Share Password Checker (SPC) to scan their Windows 95/98/Me file sharing clients to see if they are vulnerable to the Share Level Password vulnerability which will reveal the share level passwords to an attacker.

For Windows NT (SP4), Windows 2000, Windows XP, and Windows 2003, the Microsoft Baseline Security Advisor will report hosts that are vulnerable to SMB exploits and may be used to fix the problem. The tests can be run locally or on remote hosts.

Windows NT, Windows 2000, Windows XP, and Windows 2003 users can simply type net share from the cmd prompt to see what resources are being shared. For more information about the net share command, type net share /?.

IMPORTANT Note: This article contains information about modifying shared resources. Before you modify any shared resource, make that you understand how to restore the resource if a problem occurs. It is recommended that you thoroughly test any modifications before implementation in a production environment. For information about shared resources, click the following article numbers to view the article in the Microsoft Knowledge Base:

• 125996 - Saving and Restoring Existing Windows Shares
• Special shares
• 308419 - HOW TO Set, View, Change, or Remove Special Permissions for Files and Folders in Windows XP
• 307874 - HOW TO Disable Simplified Sharing and Password-Protect a Shared Folder in Windows XP
• 174273 - How to Copy Files and Maintain NTFS and Share Permissions

The default permissions on new shares:

• Windows NT, Windows 2000, and Windows XP (Pre Service Pack 1): Everyone - Full Control
• Windows XP SP1: Everyone - Read

Windows XP by default has one shared directory called "SharedDocs." The physical location of this share is:

• "C:\Documents and Settings\All Users\Documents": Everyone - Full Control

Most commercially-available network-based scanners will detect open shares. A quick, free, and secure test for the presence of SMB file sharing and its related vulnerabilities, effective for machines running any Windows operating system, is available at the Gibson Research Corporation web site. Follow links to "ShieldsUP" to receive a real-time appraisal of any system's SMB exposure. Detailed instructions are available to help Microsoft Windows users deal with SMB vulnerabilities. Note that if you are connected over a network where some intermediate device blocks SMB, the ShieldsUP tool will report that you are not vulnerable when, in fact, you are. This is the case, for example, for users on a cable modem where the provider is blocking SMB into the cable modem network. ShieldsUP will report that you are not vulnerable. However, the 4,000 or so other people on your cable modem link can still exploit this vulnerability.

Automated Scanning tools to detect share vulnerabilities:

• Nessus - a free, powerful, up-to-date and easy to use remote security scanner
• Winfingerprint by vacuum - Win32 Host/Network Enumeration Scanner

How to determine if you are vulnerable to Anonymous Logon related issues.

Try to establish a null session to your computer by issuing the following command from the cmd prompt (Start -> Run -> type cmd):

C:\>net use \\ipaddress\ipc$ "" /user:""

The preceding syntax connects to the hidden interprocess communications "share (IPC$) at ipaddress as the built-in anonymous user (/user:"") with a null () password.

If you receive System error 5 has occurred. Access is denied., then your system is not vulnerable.

If you receive The command completed successfully., then that means that your system is vulnerable.

The list of tools above Nessus, and Winfingerprint - can also be used to detect null session vulnerabilities.

How to determine if you are vulnerable to Remote Registry Access related issues.

NT Resource Kit (NTRK) available from Microsoft contains an executable file entitled "regdump.exe" that will passively test remote registry access permissions from a Windows NT host against other Windows NT/Windows 2000 or Windows XP hosts on the Internet or internal network.

In addition, a collection of command line shell scripts that will test for registry access permissions and a range of other related security concerns are available for download at http://www.afentis.com/top20.

How to determine if you are vulnerable to Remote Procedure Call related issues.

Microsoft has made a hotfix and patch-checking tool freely available for download; this is probably the best way to determine if Windows hosts are susceptible to any of these vulnerabilities. It is called the Microsoft Baseline Security Analyzer (MBSA) and is available from http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp. It will scan for configuration errors and missing security updates; you should check that the relevant hotfixes have been applied. There is also a standalone scanning tool that will check for missing security patches for CAN-2003-0352, CAN-2003-0528, CAN-2003-0605 and CAN-2003-0715 only; it is available from http://support.microsoft.com/?kbid=827363. However, you are encouraged to use the MBSA, which has a wider coverage. Home or small-scale users with only a few computers to take care of will probably find it easier to visit the Windows Update site at http://windowsupdate.microsoft.com/ and check individual machines for outdated software.

W5.5 How to Protect Against It

How to protect against NETBIOS related attacks.

Several actions can be taken to mitigate the risk of exploitation of a vulnerability through Windows Networking Shares:

• Disable sharing wherever it is not required. If the host does not need to share files, then disable Windows network shares in the Windows network control panel. If an open share should be closed, you can disable it through Explorer's properties menu for that directory, in Server Manager for Domains, or in Group Policy Editor.
• Windows 95/98/Me clients that are a part of a Windows NT domain are recommended to be setup with user-level file share access controls.
• Do not permit sharing with hosts on the Internet. Ensure all Internet-facing hosts have Windows network shares disabled in the Windows network control panel. File sharing with Internet hosts should be achieved using FTP or HTTP.
• Do not permit unauthenticated shares. If file sharing is required, then don't permit unauthenticated access to a share. Configure the share so a password is required to connect to the share.
• Restrict shares to only the minimum folders required. Shares should be generally only one folder and possibly sub-folders of that folder.
• Restrict permissions on shared folders to the minimum required. Be especially careful to only permit write access when it is absolutely required.
• For added security, allow sharing only to specific IP addresses because DNS names can be spoofed.

How to protect against Anonymous Logon problems on your systems.

IMPORTANT Note: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. It is recommended that you thoroughly test any modifications before implementation in a production environment. For information about how to back up, restore, and edit the registry, click the following article numbers to view the article in the Microsoft Knowledge Base:

• 256986 - Description of the Microsoft Windows Registry
• 323170 - HOW TO Backup, Edit, and Restore the Registry in Windows NT 4.0
• 322755 - HOW TO Backup, Edit, and Restore the Registry in Windows 2000
• 322756 - HOW TO Backup, Edit, and Restore the Registry in Windows XP Windows Server 2003

Windows NT Domain controllers require null sessions to communicate. Therefore, if you are working in a Windows NT domain or Windows 2000/2003 Active Directory running in mixed mode, which allows Pre-Windows 2000 compatible access, you can minimize the information that attackers can obtain, but you cannot stop all leakage by setting the RestrictAnonymous registry value to 1. For example; GetAcct from Security Friday sidesteps RestrictAnonymous=1 and will enumerate the SID and UserID. The ideal solution if you have a native Windows 2000/2003 Active Directory is to set the RestrictAnonymous registry value to 2.

To restrict information available via null sessions, click the following article numbers to view the articles in the Microsoft Knowledge Base:

• 143474 - Restricting Information Available to Anonymous Logon Users in Windows NT
• 246261 - How to Use the RestrictAnonymous Registry Value in Windows 2000

To troubleshoot the RestrictAnonymous registry value, click the following article number to view the article in the Microsoft Knowledge Base:

• 296405 - The RestrictAnonymous Registry Value May Break the Trust to a Windows 2000 Domain

How to protect against Remote Registry Access on your systems.

To address this threat, access to the system registry must be restricted and the permissions set for critical registry keys reviewed. Users of Microsoft Windows NT 4.0 should also ensure that Service Pack 3 (SP3) has been installed before adjusting the registry.

Important Note: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. It is recommended that you thoroughly test the modification of these settings before implementation in a production environment. For information about how to back up, restore, and edit the registry, click the following article numbers to view the article in the Microsoft Knowledge Base:

• 256986 - Description of the Microsoft Windows Registry
• 323170 - HOW TO Backup, Edit, and Restore the Registry in Windows NT 4.0
• 322755 - HOW TO Backup, Edit, and Restore the Registry in Windows 2000
• 322756 - HOW TO Backup, Edit, and Restore the Registry in Windows XP Windows Server 2003

Restrict Network Access. To restrict network access to the registry, follow the steps listed below to create the following Registry key:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
  Control\
  SecurePipeServers\winreg
• Description: REG_SZ
• Value: Registry Server

Security permissions set on this key define the Users or Groups that are permitted remote Registry access. Default Windows installations define this key and set the Access Control List to provide full privileges to the system Administrator and Administrators Group (and Backup Operators in Windows 2000).

Changes to the system registry will require a reboot to take effect. To create the registry key to restrict access to the registry:

1. Start Registry Editor ("regedt32.exe" or "regedit.exe") and go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
2. On the "Edit" menu, click "Add Key."
3. Enter the following values:
   • Key Name: SecurePipeServers
   • Class: REG_SZ
4. Go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
5. On the "Edit" menu, click "Add Key."
6. Enter the following values:
   • Key Name: winreg
   • Class: REG_SZ
7. Go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
8. On the "Edit" menu, click "Add Value."
9. Enter the following values:
   • Value Name: Description
   • Data Type: REG_SZ
   • String: Registry Server
10. Go to the following subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
11. Select "winreg." Click "Security" and then click "Permissions." Add Users or Groups to which you want to grant access.
12. Exit Registry Editor and restart Microsoft Windows.
13. If at a later stage you want to change the list of users that can access the registry, repeat steps 10-12.

Limit Authorized Remote Access. Enforcing strict restrictions upon the registry can have adverse side effects upon dependent services, such as the Directory Replicator and the network printer Spooler service.

It is therefore possible to add a degree of granularity to the permissions by adding either the account name that the service is running under to the access list of the "winreg" key or by configuring Windows to bypass the access restriction to certain keys by listing them in the Machine or Users value under the AllowedPaths key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
SecurePipeServers\winreg\AllowedPaths
Value: Machine
Value Type: REG_MULTI_SZ - Multi string
Default Data:

• System\CurrentControlSet\Control\ProductOptionsSystem\
• CurrentControlSet\Control\Print\PrintersSystem\CurrentControlSet\
• Services\EventlogSoftware\Microsoft\WindowsNT\CurrentVersionSystem\
• CurrentControlSet\Services\Replicator

Valid Range: (A valid path to a location in the registry)
Description: Allow machines access to listed locations in the registry provided that no explicit access restrictions exist for that location.

Value: Users
Value Type: REG_MULTI_SZ - Multi string
Default Data: (none)
Valid Range: (A valid path to a location in the registry)
Description: Allow users access to listed locations in the registry provided that no explicit access restrictions exist for that location.

In the Microsoft Windows 2000 and Windows XP Registry:

Value: Machine
Value Type: REG_MULTI_SZ - Multi string
Default Data:

• System\CurrentControlSet\Control\ProductOptionsSystem\
• CurrentControlSet\Control\Print\PrintersSystem\CurrentControlSet\
• control\Server ApplicationSystem\CurrentControlSet\Services\Eventlog\
• Software\Microsoft\Windows NT\CurrentVersion

Value: Users (does not exist by default)

It is common for there to be a lag between the time a vulnerability becomes public and the time a patch is made available. Or for other policy reasons, the vulnerability must be allowed. To mitigate the risk an organization can limit access through firewalls or routers. An additional measure would be to write new rules for an IDS (Intrusion Detection System) like Snort which would alert or trigger a response by the organization. Examples of documented rules for Snort are located here.

How to protect against Remote Procedure Call-related issues on your systems.

The best way by far is to apply the relevant patches as identified by the MBSA or Windows Update: see How to determine if you are vulnerable to Remote Procedure Call related issues above. Failing that there are a number of ways to disable or restrict some Remote Procedure Call functionality, and some can be found in the excellent synopsis at http://www.ntbugtraq.com/dcomrpc.asp. BE WARNED: disabling or restricting Remote Procedure Call functionality may break Windows services that you rely on, so you should always test any modifications in a non-production environment first.

If you cannot patch your systems, you should certainly block ports associated with Windows remote procedure calls (TCP ports 135, 139, 445 and 593; UDP ports 135, 137, 138 and 445) at your network perimeters. Of course, it is always best practice to block *all* unnecessary services at you network perimeter by default.

For more information:

• Microsoft Knowledge Base Article Q153183. How to Restrict Access to NT Registry from a Remote Computer.
• Microsofts HotFix & Security Bulletin Service.
• Welcome to the MSDN Library (Search for Securing Registry)
• Microsoft Knowledge Base Article 310426 : HOW TO: Use the Windows XP and Windows Server 2003 Registry Editor
• Network access: Remotely accessible registry paths and subpaths
• Windows Server 2003 Security Guide

W6. Microsoft Data Access Components (MDAC)

W6.1 Description

Microsoft Data Access Components (MDAC) are a series of database technologies which are present in many recent versions of Windows. There are a number of different instances where an attacker can exploit vulnerabilities in MDAC to run malicious commands and code. There are both older RDS related issues outlined below as well as newer problems where an attacker masquerading as a SQL server can cause a buffer overflow and potential complete system compromise with a carefully crafted UDP packet.

The Remote Data Services (RDS) component in older versions of Microsoft Data Access Components (MDAC) has a program flaw which allows remote users to run commands locally with administrative privilege. Combined with a flaw in Microsoft Jet Database Engine 3.5 (part of MS Access), this exploit may also provide anonymous external access to internal databases. These flaws are well-documented and solutions have been available for more than three years, but outdated or misconfigured systems remain exposed and subject to attack.

More recent vulnerabilities that affect many versions of Windows have surfaced as well, such as the buffer overflow in MDAC outlined in Microsoft Security Bulletin MS03-033 and CAN-2003-0353 that affects most versions of MS Windows is use today. The MDAC implementation in Windows 2003 does not appear to be vulnerable to this exploit.

W6.2 Operating Systems Affected

Most Microsoft Windows NT 4.0 systems running IIS 3.0 or 4.0, Remote Data Services 1.5, or Visual Studio 6.0. Systems Running Windows 2000 and XP, as well as systems with Office 2000 SR1 or greater installed. SQL Server 7 SP2 and later, and SQL Server 2000 also include vulnerable MDAC technology.

Most versions of Windows should be considered vulnerable.

W6.3 CVE/CAN Entries

CVE-1999-1011, CVE-2002-0700

CAN-2002-1142, CAN-2003-0353

W6.4 How to Determine if you are Vulnerable

If you are running Microsoft Windows NT 4.0 and IIS 3.0 or 4.0, then check for the existence of "msadcs.dll" (this is typically installed in "C:\Program Files\Common Files\System\Msadc\msadcs.dll", but that may vary depending on your system). If you meet this criteria, then an upgrade and patching regimen would be the wisest direction to go in, since there have proven to be multiple other vulnerabilities in these outdated software packages.

If you are running any of the previously mentioned software or using any of the operating systems oultined above, then you are most likely vulnerable to the latest MDAC exploits. Detailed information on identifying and eliminating the most recent MDAC vulnerabilities can be found in the detailed overview of Microsoft Security Bulletin MS03-033.

One of the easiest ways to determine if you have this vulnerability to MDAC issues is to visit the Windows Update site, and check your machine for outdated software. The Windows Update tool will identify outdated MDAC versions and give you the ability to upgrade.

W6.5 How to Protect Against It

An excellent guide to the RDS and Jet weaknesses and how to correct them is available at http://www.wiretrip.net/rfp/txt/rfp9907.txt.

Microsoft has also issued several security bulletins detailing this exploit and how to repair it via configuration changes:

• http://support.microsoft.com/support/kb/articles/q184/3/75.asp
• http://www.microsoft.com/technet/security/bulletin/ms98-004.asp
• http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
• http://www.microsoft.com/security/security_bulletins/ms03-033.asp
• http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-033.asp
• http://support.microsoft.com/default.aspx?scid=kb;en-us;823718

Alternatively, you can prevent this problem by upgrading to MDAC components version 2.8 (although this may introduce compatibility issues). The most recent MDAC versions and additional stand alone data access downloads are available at http://msdn.microsoft.com/library/default.asp?url=/downloads/list/dataaccess.asp.

Using Windows Update (http://windowsupdate.microsoft.com) to identify this problem and upgrade your systems or manually updating your MDAC implementation are the suggested remedies to this vulnerability.

W7. Windows Scripting Host (WSH)

W7.1 Description

Windows Scripting Host (WSH) is a Microsoft technology that serves to extend the functionality of Windows, supporting both JavaScript and Visual Basic Script. First introduced into the Windows platform by Internet Explorer 5, it became a standard feature in the Windows operating systems starting with Windows 98.

The Windows Scripting Host enables the automation of Windows tasks by providing access to the Windows shell, file system, registry, and more through the use of relatively simple scripting code. Scripts can be run directly from the desktop by clicking on a script file, or from within a program - such as an email client.

It is this auto-execution feature of WSH that was exploited in the spring of 2000 by "The Love Bug" (also known as "ILOVEYOU") Visual Basic script (VBScript) worm, causing millions of dollars in damages. This worm, and others which have since followed it, took advantage of Windows Scripting Host (WSH) which permits any text file with extensions .vbs,.vbe, .js, .jse, and .wsf to be executed as a Visual Basic Script/JScript with the application or system level privileges.

While administrators should endeavor to keep all applications and operating systems suitably up-to-date with the latest patches and security roll-ups, a more direct approach should be taken to address the threats posed by WSH - as detailed in section 'W7.5 How to Protect Against It'.

W7.2 Operating Systems Affected

Windows Scripting Host (WSH) can be installed manually or with Internet Explorer 5 (or higher) on Windows 95 or NT. It is installed by default on Windows 98, Windows 98 SE, ME, 2000, XP and 2003 machines.

You can find the most recent version on Microsoft's MSDN site here:

• Download Windows Script (includes Windows Scripting Host)

W7.3 CVE/CAN Entries

CVE-2001-0149

CAN-2001-1325

W7.4 How to Determine if you are Vulnerable

Computers running Windows 95 or NT with IE 5 or higher or those running Windows 98, ME, 2000, XP or 2003 without explicitly disabled WSH are vulnerable to WSH threats. It is recommended that individuals check their systems manually in line with the recommendations outlined in section 'W7.5 How to Protect Against It' to see if corrective action is necessary.

W7.5 How to Protect Against It

Important Note: Some applications and administrative functions require Windows Scripting Host (WSH) and will cease to function if it is disabled or removed.

Disable Windows Scripting Host

Symantec Security Response gives the following description of the WSH and the possibility of disabling it.

Windows Scripting Host is an optional part of the Windows operating system and may be safely removed or disabled from computers in many cases. To protect against attacks and security concerns directly related to WSH it is recommended that it is always disabled unless expressly required (see section Change default behavior of Windows Scripting Host). The program Noscript.exe, from Symantec, will disable the Windows Scripting Host by renaming the file association classes for any class that has either Wscript.exe or Cscript.exe in its Shell\Open\Command or Shell\Open2\Command registry keys. This actively prevents all scripts from running on the system whether they are malicious or intentional.

Install Instructions derived from Symantec Security Response

1. Download Noscript.exe to a folder on the hard disk.
2. Double-click the Noscript.exe icon. The Norton Script Disabler/Enabler appears.
   • If the WSH is currently enabled on the system, you will be prompted whether you want to disable it. To do so, click Disable, and then click OK.
   • If the WSH is currently disabled on the system, you will be prompted whether you want to enable it. To do so, click Enable, and then click OK.

Change default behavior of Windows Scripting Host

In order to preserve functionality of WSH for administrative and desktop automation purposes while safeguarding against potential threats, it is possible to change default behavior of the Windows Operating System with respect to script files (with extensions: .vbs, .vbe, .js, jse, .wsf). By default, Windows treats script files similar to standard Windows executable files with extensions .exe and .com - it immediately executes them.

By removing the default action of Automatic Execution for WSH scripts it is possible to prevent the unintended execution of all scripts. The recommended approach is to change the configuration so that by default all scripts are opened in a text editor. In addition to ensuring that scripts cannot be executed without suitable permissions, it also allows users to review code on a script-by-script basis before deciding whether it should be run. Similarly, this approach can help trap scripts trying to masquerade as innocent file-types through the use of double (or multiple) extensions.

Legitimate WSH scripts may still be executed by explicitly specifying the filename as argument for cscript.exe or wscript.exe, i.e:

cscript.exe myscript.vbs
or
wscript.exe myscript.vbs

Reference: Symantec Security Response How to Disable or Remove the Windows Scripting Host http://www.symantec.com/avcenter/venc/data/win.script.hosting.html

Anti-Virus

It is recommended that up-to-date Anti-Virus solutions be installed at gateways, servers and hosts - in addition to the disabling of WSH - to provide tiered levels of assurance and security and to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .vbe, .js, .jse, .wsf, .bat, .exe, .pif and .scr files. Such screening can also help filter out files that make use of double (or multiple) file-type extensions, which are almost exclusively malicious in nature. For example, Norton AntiVirus 2001 and later provides Script Blocking functionality that can help protect individual hosts against WSH viruses and related malware.

Update Script Engine

WSH has been upgraded several times over the years, providing greater in-built stability and security. The most recent version is available at Microsoft's MSDN: Download Windows Script (includes Windows Scripting Host)

NTFS Permissions

NTFS access permissions may be used to define the level of access available to wscript.exe and cscript.exe, the Windows Scripting Host executables, from specific users and groups of users with valid Windows accounts.

When sharing a directory or file, the default access settings for NTFS directories and files grants Full Control access to the Windows user group Everyone, including all users. This means that all users have permission to modify, move, and delete files or directories and to change NTFS permissions. This default setting is inappropriate for the wscript.exe and cscript.exe. Securing files and folders involves removing unnecessary users and groups or groups that have no specific need to access the resource.

To change NTFS permissions for a directory or file.

Instructions Derived from the Microsoft Windows Server Documentation - Setting NTFS Permissions for a Directory or File:

1. Open My Computer, select the drive, directory, or file you want to secure, and open its property sheets.
2. On the Security property sheet, select the Windows account you want to change permissions for.
3. Under Permissions, select the types of access for the selected user or group. Use Allow to specifically allow access and Deny to specifically deny access. For more choices, click Advanced. For more information about setting and configuring permissions for files and directories refer to the Windows documentation.
   
   Note: If you do not see the Security tab in the drive, directory, or file property sheets, the host file system is not configured as NTFS.

To convert the file system to NTFS, refer to the Windows documentation. In addition, be careful when using the Deny option - this takes precedence over Allow. Applying Deny to the Everyone group might close the resource to that level of access by anyone, including the Administrator.

Reference: Setting NTFS Permissions for a Directory or File - http://www.microsoft.com/windows2000/en/server/iis/htm/core/iidfpsc.htm

W8. Microsoft Outlook and Outlook Express

W8.1 Description

Microsoft Outlook, part of the Microsoft Office suite, is a personal information manager and email client program from Microsoft. Whilst primarily an e-mail application, it also provides calendar, task and contact management. When used in conjunction with a Microsoft Exchange Server, Microsoft Outlook can provide additional and enhanced functionality, such as supporting multiple users, helping to co-ordinate meeting times,and providing shared calendars and mailboxes.

Outlook Express (OE), a less functional but free version of Outlook, has been bundled with Internet Explorer since version 1.0, an integral part of Microsoft Windows 95. By integrating products such as Internet Explorer and Outlook Express into other product lines, including Office, BackOffice, and the Windows operating system, common technologies and code may be used across the platform. For instance, Microsoft Outlook 98 like its cousin Outlook Express uses Internet Explorers HTML parsing and rendering engine. Therefore, if you install Outlook 98 onto a computer without version 4 or higher, Internet Explorer gets installed as well. This foundational approach makes sense and allows for more efficient code usage. However, this practice introduces both single points of failure and heightens the impact that any single security vulnerability may pose, thus adding to the mounting challenges of maintaining a safe and secure operating environment.

One of Microsoft's goals has been to develop a usable and intuitive email and information management solution. Unfortunately, the embedded automation features are at odds with the built-in security controls (often disregarded by end-users). This has led to exploitation, giving rise to e-mail viruses, worms, malicious code to compromise the local system, and many other forms of attack.

W8.2 Operating Systems Affected

Outlook Express (OE) is a free, basic mail client that is bundled with all versions of Internet Explorer and Microsoft Windows.

To identify the current version of OE, start Internet Explorer and then select About Internet Explorer from the Help menu. Versions below 5 should be upgraded immediately in line with the recommendation in section 10.5 How to Protect Against It.

Outlook is a full-featured information manager that ships both as a stand-alone product and as part of the Office family. Its only installed on a machine if the user has specifically installed it. Versions of Outlook for Microsoft Windows include:

• Outlook 95
• Outlook 97
• Outlook 2000, also known as Outlook 9
• Outlook XP, also known as Outlook 10 or Outlook 2002

To identify the current version of Outlook, start the program and then select About Outlook from the Help menu. Versions below Outlook 2000 should be patched or upgraded immediately.

Reference:

• Outlook Express http://www.microsoft.com/windows/oe/
• Outlook