This chapter shows you some ways to keep your Windows system up-to-date and secure. Although many may scoff at the mention of Windows and security in the same sentence, you actually can make a Windows system fairly secure without too much effort. (Network Security Hacks by Andrew Lockhart, O'Reilly Media, ISBN: 0596006438, 2004.)
Contributed by O'Reilly Media, September 20, 2004
This chapter shows you some ways to keep your Windows system up-to-date and secure, thereby making your network a safer place to work (and have fun). Although many may scoff at the mention of Windows and security in the same sentence, you actually can make a Windows system fairly secure without too much effort.
One of the main reasons that Windows gets a bad rap is the poorly administered state in which Windows machines seem to be kept. The recent deluge of worm and virus attacks that have brought down many a network shows this to hold true. A lot of this can be traced back to the “ease” of administration that Windows seems to provide by effectively keeping the Windows administrator out of the loop about the inner workings of her environment—effectively wresting control from the system administrator’s hands.
This chapter seeks to remedy that to some degree by showing you ways to see exactly what your server is really doing. While this may seem old hat to a Unix sysadmin, getting details on open ports and running services is often a new concept to the average Windows administrator. In addition, this chapter shows you how to disable some Windows “features,” such as sharing out all your files automatically and truncating log files. You’ll also learn how to enable some of the auditing and logging features of Windows, to give you early warning of possible security incidents (rather than waiting for the angry phone call from someone at the wrong end of a denial-of-service attack originating from your network).
Hack 21: Check Servers for Applied Patches
Make sure your Windows servers have the latest patches installed.
Keeping a network of systems patched and up-to-date is hard enough in Unix, but it can be even more difficult on Windows systems. A lack of robust built-in scripting and remote access capabilities makes Windows unsuitable for automation. Nevertheless, before you even attempt to update your systems, you need to know which updates have been applied to each system; otherwise, you might waste time and effort updating systems that don’t need it. Clearly, this problem gets more difficult as the number of systems that need to be managed increases. We can avoid much of the extra work of manually checking systems by using the HFNetChk tool, which was originally a standalone program from Shavlik Technologies. It is now a part of Microsoft’s Baseline Security Analyzer (search http://download.microsoft.com) and is available through its command-line interface, mbsacli.exe.
Not only can HFNetChk remotely check the status of Windows Server 2003 and Windows XP/2000/NT, but it can also check whether critical updates for IIS, SQL Server, Exchange Server, Media Player, and Internet Explorer have been applied. Although it can only check the update status of a system (and won’t actually bring the system up-to-date), it is still an invaluable timesaving tool. HFNetChk works by downloading a signed and compressed XML file from Microsoft that contains information on all currently available updates. This information includes checksums and versions of files covered by each update, as well as the registry keys modified by each update. Additional dependency information is also included. When scanning a system, HFNetChk will first scan the registry for the keys that are associated with the most current set of updates available for the current system configuration. If any of these registry keys are missing or do not match what is contained in the XML file, it will flag the update as not having been installed. If the registry key for an update is present and matches the information in the XML file, HFNetChk will then attempt to verify whether the files specified in the update information are present on the system and whether their version and checksum matches. If any of the checks fail, the update will be flagged. All flagged updates are then displayed in a report, along with a reference to the Microsoft Knowledge Base article with more information on the specific update.
To get HFNetChk installed on your system, you first need to download and install the Microsoft Baseline Security Analyzer. To run HFNetChk, open a command prompt and change to the directory that was created during the install (C:\Program Files\Microsoft Baseline Security Analyzer is the default).
To check the update status of the local system, run this command:
C:\Program Files\Microsoft Baseline Security Analyzer> mbsacli /hf
Microsoft Baseline Security Analyzer
Version 1.1.1
Powered by HFNetChk Technology - Version 3.82.0.1
Copyright (C) Shavlik Technologies, 2001-2003
Developed for Microsoft by Shavlik Technologies, LLC
info@shavlik.com (www.shavlik.com)

Please use the -v switch to view details for
Patch NOT Found, Warning and Note messages

Attempting to get cab from http://go.microsoft.com/fwlink/?LinkId=16932
XML successfully loaded.

Scanning PLUNDER
.............................
Done scanning PLUNDER

----------------------------
PLUNDER(192.168.0.65)
----------------------------

* WINDOWS XP SP1

Note            MS02-008        317244
Warning         MS02-055        323255
Note            MS03-008        814078
Note            MS03-030        819696
Patch NOT Found MS03-041        823182
Patch NOT Found MS03-044        825119
Patch NOT Found MS03-045        824141
Patch NOT Found MS03-049        828035
Note            MS03-051        813360

* INTERNET EXPLORER 6 SP1

Patch NOT Found MS03-048        824145

* WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1

Information
All necessary hotfixes have been applied.
The first column tells why the check for a particular update failed. The second column shows which update failed the check, and the third column lists a Microsoft Knowledge Base (http://support.microsoft.com) article number that you can refer to for more information on the issue fixed by that particular update.
If you want more information on why a particular check failed, you can run the command with the -v (verbose) switch. Here are the results of the previous command, but this time with the verbose switch:
Scanning PLUNDER
.............................
Done scanning PLUNDER

----------------------------
PLUNDER(192.168.0.65)
----------------------------

* WINDOWS XP SP1

Note            MS02-008        317244
Please refer to Q306460 for a detailed explanation.

Warning         MS02-055        323255
File C:\WINDOWS\system32\hhctrl.ocx has a file version [5.2.3735.0] greater than what is expected [5.2.3669.0].

Note            MS03-008        814078
Please refer to Q306460 for a detailed explanation.

Note            MS03-030        819696
Please refer to Q306460 for a detailed explanation.

Patch NOT Found MS03-041        823182
File C:\WINDOWS\system32\cryptui.dll has a file version [5.131.2600.1106] that is less than what is expected [5.131.2600.1243].

Patch NOT Found MS03-044        825119
File C:\WINDOWS\system32\itircl.dll has a file version [5.2.3644.0] that is less than what is expected [5.2.3790.80].

Patch NOT Found MS03-045        824141
File C:\WINDOWS\system32\user32.dll has a file version [5.1.2600.1134] that is less than what is expected [5.1.2600.1255].

Patch NOT Found MS03-049        828035
File C:\WINDOWS\system32\msgsvc.dll has a file version [5.1.2600.0] that is less than what is expected [5.1.2600.1309].

Note            MS03-051        813360
Please refer to Q306460 for a detailed explanation.

* INTERNET EXPLORER 6 SP1

Patch NOT Found MS03-048        824145
The registry key **SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{69DEAF94-AF66-11D3-BEC0-00105AA9B6AE}** does not exist. It is required for this patch to be considered installed.

* WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1

Information
All necessary hotfixes have been applied.
After applying the listed updates, you should see something like this:
Scanning PLUNDER
.............................
Done scanning PLUNDER

----------------------------
PLUNDER(192.168.0.65)
----------------------------

* WINDOWS XP SP1

Information
All necessary hotfixes have been applied.

* INTERNET EXPLORER 6 SP1

Information
All necessary hotfixes have been applied.

* WINDOWS MEDIA PLAYER FOR WINDOWS XP SP1

Information
All necessary hotfixes have been applied.
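The two-stage check the text describes, as an added PowerShell example (not code from the book, HFNetChk or MBSA): the update's registry key is tested first, then each covered file's version is compared with the expected one, and the outcome is reported in the same three classes the reports above use. The bulletin id, KB number and registry key in the sample descriptor are placeholders; the user32.dll version is the one the verbose report above expects for MS03-045.

```powershell
# Added example, not code from the book or from HFNetChk/MBSA: the two-stage check the text
# describes.  Stage 1 looks for the update's registry key; stage 2 compares the version of
# each file the update covers with the expected version, and reports the same three
# outcomes HFNetChk prints (Installed, Warning, Patch NOT Found).

function Test-UpdateApplied {
    param(
        # Descriptor with Id, Kb, RegistryKey and Files (a hashtable of path -> expected version),
        # the same information HFNetChk reads for one update from Microsoft's signed XML.
        [Parameter(Mandatory)] [hashtable] $Update
    )
    $result = [ordered]@{ Id = $Update.Id; Kb = $Update.Kb; Status = 'Installed'; Detail = '' }

    # Stage 1: if the registry key is missing, the update is flagged without looking at files.
    if (-not (Test-Path -LiteralPath $Update.RegistryKey)) {
        $result.Status = 'Patch NOT Found'
        $result.Detail = "The registry key $($Update.RegistryKey) does not exist."
        return [pscustomobject] $result
    }

    # Stage 2: every covered file must exist and be at least the expected version.
    foreach ($path in $Update.Files.Keys) {
        $expected = [version] $Update.Files[$path]
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $result.Status = 'Patch NOT Found'
            $result.Detail = "File $path is missing."
            return [pscustomobject] $result
        }
        $vi     = (Get-Item -LiteralPath $path).VersionInfo
        $actual = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        if ($actual -lt $expected) {
            $result.Status = 'Patch NOT Found'
            $result.Detail = "File $path has a file version [$actual] that is less than what is expected [$expected]."
            return [pscustomobject] $result
        }
        if ($actual -gt $expected) {
            # A newer file than the update shipped is reported as a Warning, not a failure.
            $result.Status = 'Warning'
            $result.Detail = "File $path has a file version [$actual] greater than what is expected [$expected]."
        }
    }
    [pscustomobject] $result
}

# Constructed descriptor: bulletin id, KB number and registry key are placeholders, not a
# real update; the user32.dll version is the one the verbose report expects for MS03-045.
$sampleUpdate = @{
    Id          = 'MSyy-nnn'
    Kb          = '000000'
    RegistryKey = 'HKLM:\SOFTWARE\Microsoft\Updates\PLACEHOLDER\KB000000'
    Files       = @{ "$env:SystemRoot\system32\user32.dll" = '5.1.2600.1255' }
}

Test-UpdateApplied -Update $sampleUpdate | Format-Table Id, Kb, Status, Detail -AutoSize -Wrap
```

Because the registry key is a placeholder, running this as-is reports "Patch NOT Found" at stage 1; point RegistryKey and Files at a real update's entries to see stage 2 exercised.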
When scanning the local system, Administrator privileges are needed. If you wish to scan a remote machine, you will need Administrator privileges on it. There are several ways to scan remote machines. To scan a single remote system, a NetBIOS name can be specified with the -h switch. Likewise, an IP address can be specified with the -i switch.
For example, to scan the machine PLUNDER from another machine, either of these two commands can be used:

mbsacli /hf -h PLUNDER
mbsacli /hf -i 192.168.0.65
You can also scan a handful of additional systems by listing them on the command line with commas separating each NetBIOS name or IP address.
Note that, in addition to having Administrator privileges on the remote machine, you must also ensure that you have not disabled the default shares [Hack #27]. If the default administrative shares have been disabled, then HFNetChk will not be able to check for the proper files on the remote system and, consequently, will not be able to determine whether an update was applied.
If you wish to scan a group of systems, there are several options for this as well. Using the -fh option, you can specify a file containing up to 256 NetBIOS hostnames (one on each line) that will be scanned. You can do the same thing with IP addresses, using the -fip option. Ranges of IP addresses may also be specified by using the -r option.
For example, you could run a command like this to scan from 192.168.1.23 to 192.168.1.172:
mbsacli /hf -r 192.168.1.123 - 192.168.1.172
All of these options are very flexible, and you can use them in any combination to specify which remote systems will be scanned.
In addition to specifying remote systems by NetBIOS name and IP address, you can also scan systems by domain name by using the -d option, or you can scan your entire local network segment by using the -n command-line option.
When scanning systems from a personal workstation, the -u and -p options can prove useful. These allow you to specify a username and password to use when accessing the remote systems. These switches are particularly handy if you don’t normally log in using the Administrator account. The account that is specified with the -u option will of course need to have Administrator privileges on the remote machines being scanned.
Also, if you’re scanning a large number of systems, you might want to use the -t option. This allows you to specify the number of threads used by the scanner, and increasing this value generally will speed up scanning. Valid values are from 1 to 128; the default value is 64.
If you are scanning more than one machine, a huge amount of data will simply be dumped to the screen. Use the -f option to specify a file to store the results of the scan in, and view it at your leisure using a text editor.
HFNetChk is a very flexible tool and can be used to check the update status of a large number of machines in a very short amount of time. It is especially useful when a new worm has come onto the scene and you need to know if all of your systems are up-to-date on their patches.
Hack 22: Get a List of Open Files and Their Owning Processes
Look for suspicious activity by monitoring file accesses.
Suppose you’re looking at the list of processes in the task manager one day after noticing some odd behavior on your workstation, and you notice a process you haven’t seen before. Well, what do you do now? If you were running something other than Windows, you might try to determine what the process is doing by looking at the files it has open. Unfortunately, Windows doesn’t provide a tool to do this.
Sysinternals makes an excellent tool called Handle, which is available for free at http://www.sysinternals.com/ntw2k/freeware/handle.shtml. Handle is a lot like lsof [Hack #8], but it can list many other types of operating-system resources, including threads, events, and semaphores. It can also display open registry keys and IOCompletion structures.
Running handle without any command-line arguments will list all open file handles on the system. You can also specify a filename, which will list the processes that are currently accessing it, by typing this:
C:\> handle filename
Or you can list only files that are opened by a particular process -- in this case Internet Explorer:
C:\> handle -p iexplore

Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

-----------------------------------------------------------
IEXPLORE.EXE pid: 688 PLUNDER\andrew
   98: Section       \BaseNamedObjects\MTXCOMM_MEMORY_MAPPED_FILE
   9c: Section       \BaseNamedObjects\MtxWndList
  12c: Section       \BaseNamedObjects\__R_0000000000d4_SMem__
  18c: File          C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  198: Section       \BaseNamedObjects\C:_Documents and Settings_andrew_Local Settings_Temporary Internet Files_Content.IE5_index.dat_3194880
  1a0: File          C:\Documents and Settings\andrew\Cookies\index.dat
  1a8: File          C:\Documents and Settings\andrew\Local Settings\History\History.IE5\index.dat
  1ac: Section       \BaseNamedObjects\C:_Documents and Settings_andrew_Local Settings_History_History.IE5_index.dat_245760
  1b8: Section       \BaseNamedObjects\C:_Documents and Settings_andrew_Cookies_index.dat_81920
  228: Section       \BaseNamedObjects\UrlZonesSM_andrew
  2a4: Section       \BaseNamedObjects\SENS Information Cache
  540: File          C:\Documents and Settings\andrew\Application Data\Microsoft\SystemCertificates\My
  574: File          C:\Documents and Settings\All Users\Desktop
  5b4: Section       \BaseNamedObjects\mmGlobalPnpInfo
  5cc: File          C:\WINNT\system32\mshtml.tlb
  614: Section       \BaseNamedObjects\WDMAUD_Callbacks
  640: File          C:\WINNT\system32\Macromed\Flash\Flash.ocx
  648: File          C:\WINNT\system32\STDOLE2.TLB
  6a4: File          \Dfs
  6b4: File          C:\Documents and Settings\andrew\Desktop
  6c8: File          C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\Q5USFST0\softwareDownloadIndex[1].htm
  70c: Section       \BaseNamedObjects\MSIMGSIZECacheMap
  758: File          C:\WINNT\system32\iepeers.dll
  75c: File          C:\Documents and Settings\andrew\Desktop
  770: Section       \BaseNamedObjects\RotHintTable
If you want to find the Internet Explorer process that owns a resource with a partial name of handle, you could type:
C:\> handle -p iexplore handle

Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

IEXPLORE.EXE pid: 1396 C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\H1EZGFSH\handle[1].htm
Additionally, if you wanted to list all types of resources, you could use the -a option. Handle is quite a powerful tool, and any of its command-line options can be mixed together to quickly narrow your search and find just what you want.
Hack 23: List Running Services and Open Ports
Check for remotely accessible services the Windows way.
Unix makes it quick and easy to see which ports on a system are open, but how can you do that on Windows? Well, with FPort from Foundstone (http://www.foundstone.com/resources/index_resources.htm) it’s as quick and easy as running good old netstat.
FPort has very few command-line options, and those deal mostly with specifying how you’d like the output sorted. For instance, if you want the output sorted by application name, you can use /a; if you want it sorted by process ID, you can use /i. While it may not be as full of features as netstat, it definitely gets the job done.
To get a listing of all ports that are open on your system, simply type fport. If you want the list to be sorted by port number, use the /p switch:
Notice that there are some processes listed—such as navapw32, putty, and IEXPLORE—that don’t appear to be services. These show up in the output because FPort lists all open ports, not just opened ports that are listening.
While FPort is not as powerful as some of the commands available under other operating systems, it is still a valuable, quick, and easy-to-use tool that is a great addition to Windows.
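An FPort-style port-to-process listing in PowerShell, as an added example that is not from the book or from Foundstone. It assumes the NetTCPIP module (Windows 8 / Server 2012 and later) and, to read the paths of other users' processes, an elevated prompt; like FPort it shows every open port by default, not only listeners.

```powershell
# Added example, not from the book or from Foundstone: join each TCP/UDP endpoint to its
# owning process, the information FPort printed, sorted by port like "fport /p".
# Assumes Get-NetTCPConnection / Get-NetUDPEndpoint (Windows 8 / Server 2012 or later).

function Get-PortOwner {
    param([switch] $ListeningOnly)   # FPort lists all open ports; this narrows to listeners

    # Index running processes by PID once so each endpoint lookup is a hashtable hit.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    $tcp = Get-NetTCPConnection | ForEach-Object {
        if ($ListeningOnly -and $_.State -ne 'Listen') { return }
        $p = $procs[[int] $_.OwningProcess]          # OwningProcess is UInt32; key type must match
        [pscustomobject]@{
            Proto   = 'TCP'
            Port    = $_.LocalPort
            State   = $_.State
            Remote  = if ($_.State -eq 'Listen') { '' } else { "$($_.RemoteAddress):$($_.RemotePort)" }
            Pid     = $_.OwningProcess
            Process = if ($p) { $p.ProcessName } else { '?' }
            Path    = if ($p) { $p.Path } else { '' }   # empty for protected/system processes
        }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        $p = $procs[[int] $_.OwningProcess]
        [pscustomobject]@{
            Proto   = 'UDP'; Port = $_.LocalPort; State = ''; Remote = ''
            Pid     = $_.OwningProcess
            Process = if ($p) { $p.ProcessName } else { '?' }
            Path    = if ($p) { $p.Path } else { '' }
        }
    }
    @($tcp) + @($udp) | Sort-Object Port, Proto
}

# Default: everything open, which is where a browser or SSH client shows up as the text notes.
Get-PortOwner | Format-Table Proto, Port, State, Remote, Pid, Process, Path -AutoSize
```

Add -ListeningOnly to see only the services actually reachable from the network.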
Hack 24: Enable Auditing
Windows 2000 includes some very powerful auditing features, but unfortunately they are all disabled by default. Windows 2003 has corrected this by enabling some features by default, but it is still wise to check that you are tracking precisely what you want to audit. Using these capabilities, you can monitor failed logins, account management events, file access, privilege use, and more. You can also log security policy changes as well as system events.
To enable auditing in any one of these areas, locate and double-click the Administrative Tools icon in the Control Panel. Now find and double-click the Local Security Policy icon. Expand the Local Policies tree node, and you should see something similar to Figure 2-1.
Now you can go through each of the audit policies and check whether to log successes or failures for each type. You can do this by double-clicking the policy you wish to modify, located in the right pane of the window. After double-clicking, you should see a dialog similar to Figure 2-2.
Leaving auditing off is akin to not logging anything at all, so you should enable auditing for all policies. Once you’ve enabled auditing for a particular policy, you should begin to see entries in the event logs for when a particular audit event occurs. For example, once you have enabled logon event auditing, you should begin to see entries for logon successes and failures in the system’s security event log.
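The same check as stepping through each policy in Figure 2-1, done with auditpol.exe as an added example that is not from the book. It assumes Windows Vista / Server 2008 or later, where per-subcategory settings replaced the nine categories of the Local Security Policy dialog, an elevated prompt, and an English Windows for the CSV column names.

```powershell
# Added example, not from the book: list every audit subcategory that does not record both
# successes and failures, and a helper that turns one on.  Assumes auditpol.exe (Vista /
# Server 2008 and later) and an elevated prompt; column names are those of an English Windows.

function Get-AuditSubcategory {
    $csv = & auditpol.exe /get /category:* /r
    if ($LASTEXITCODE -ne 0) { throw "auditpol /get failed with exit code $LASTEXITCODE" }
    # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $csv | Where-Object { $_ -ne '' } | ConvertFrom-Csv | ForEach-Object {
        $setting = $_.'Inclusion Setting'          # "Success and Failure", "Success", "Failure" or "No Auditing"
        [pscustomobject]@{
            Subcategory = $_.Subcategory
            Success     = ($setting -match 'Success')
            Failure     = ($setting -match 'Failure')
            Setting     = $setting
        }
    }
}

function Enable-AuditSubcategory {
    param([Parameter(Mandatory)] [string] $Name)
    # Both checkboxes of Figure 2-2 at once: the "enable auditing for all policies" advice above.
    & auditpol.exe /set /subcategory:"$Name" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$Name'" }
}

$gaps = Get-AuditSubcategory | Where-Object { -not ($_.Success -and $_.Failure) }
if ($gaps) {
    "Subcategories not auditing both successes and failures:"
    $gaps | Format-Table Subcategory, Setting -AutoSize
} else {
    "Every audit subcategory records both successes and failures."
}
# e.g. Enable-AuditSubcategory -Name 'Logon'   (logon successes and failures then appear in the Security log)
```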
Hack 25: Secure Your Event Logs
Windows has some very powerful logging features. Unfortunately, by default the event logs are not protected against unauthorized access or modification. You may not realize that even though you have to view the logs through the Event Viewer, the event logs are simply regular files just like any other. To secure them, all we have to do is locate them and apply the proper ACLs.
Unless their location has been changed through the registry, you should be able to find the logs in the %SystemRoot%\system32\config directory.
The three files that correspond to the Application Log, Security Log, and System Log are AppEvent.Evt, SecEvent.Evt, and SysEvent.Evt, respectively.
Now, apply ACLs to limit access to only Administrator accounts. You can do this by bringing up the Properties dialog for the files and clicking the Security tab. After you’ve done this, remove any users or groups other than Administrators and SYSTEM from the top pane.
Hack 26: Change Your Maximum Log File Sizes
Change your log properties so that they see the whole picture.
From a security point of view, logs are one of the most important assets contained on a server. After all, without logs how will you know if or when someone has gained access to your machine? Therefore, it is imperative that your logs not miss a beat. If you’re trying to track down the source of an incident, having missing log entries is not much better than having no logs at all.
One common problem is that the maximum log size is set too low—the default is a measly 512KB. To change this, open the Administrative Tools control panel, and then open the Event Viewer. You should now see something similar to Figure 2-3.
After you have done this, select one of the log files from the left pane of the Event Viewer window and right-click it. Now select the Properties menu item. You should now see something similar to Figure 2-4.
Now locate the text input box with the label “Maximum log size”. You can type in the new maximum size directly, or you can use the arrows next to the text box to change the value. Anything above 1MB is good to use here. It all depends on how often you want to review and archive your logs. However, keep in mind that having very large log files won’t inherently slow down the machine, but can slow down the Event Viewer when you’re trying to view the logs. While you’re here, you may also want to change the behavior for when the log file reaches its maximum size. By default, it will start overwriting log entries that are older than seven days with newer log entries. It is recommended that you change this value to something higher—say 31 days. Alternatively, you could elect not to have logs overwritten automatically at all, in which case you’ll need to clear the log manually.
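Both of the last two hacks from the command line, as an added PowerShell example that is not from the book: first a report of who holds rights on the event log files so that anything other than Administrators and SYSTEM can be removed (Hack 25), then the size and retention settings recommended above applied with Limit-EventLog (Hack 26). It assumes Windows PowerShell 5.1 and an elevated prompt, and looks for the classic .Evt files named above as well as the .evtx files later Windows versions keep under winevt\Logs.

```powershell
# Added example, not from the book: (1) report ACL entries on the event log files that are
# not Administrators or SYSTEM, (2) raise maximum size and retention as the text suggests.
# Assumes Windows PowerShell 5.1 (Limit-EventLog / Get-EventLog) and an elevated prompt.

# On Vista and later the Event Log service's own account also holds rights on winevt\Logs.
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\EventLog')

function Get-EventLogFileAccess {
    $candidates = @("$env:SystemRoot\system32\config\*.Evt",          # Windows 2000/XP/2003 location
                    "$env:SystemRoot\System32\winevt\Logs\*.evtx")   # Vista / Server 2008 and later
    Get-ChildItem -Path $candidates -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                File      = $_.Name
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                Expected  = ($allowed -contains $ace.IdentityReference.Value)
            }
        }
    }
}

# Anything flagged here is a candidate for removal from the Security tab.
Get-EventLogFileAccess | Where-Object { -not $_.Expected } |
    Format-Table File, Identity, Rights, Type, Inherited -AutoSize

function Set-EventLogRetention {
    param(
        [string[]] $LogName = @('Application', 'Security', 'System'),
        [long]     $MaximumSizeBytes = 64MB,   # well above the 512KB default; must be a multiple of 64KB
        [int]      $RetentionDays = 31         # the text's suggestion in place of the default 7
    )
    foreach ($log in $LogName) {
        # OverwriteOlder + RetentionDays = "overwrite events older than N days" in Figure 2-4.
        Limit-EventLog -LogName $log -MaximumSize $MaximumSizeBytes -OverflowAction OverwriteOlder -RetentionDays $RetentionDays
        Get-EventLog -List | Where-Object { $_.Log -eq $log } |
            Select-Object Log, MaximumKilobytes, MinimumRetentionDays, OverflowAction
    }
}

Set-EventLogRetention
```

Use -OverflowAction DoNotOverwrite instead if you prefer the manual-clearing behaviour the text mentions.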
Hack 27: Disable Default Shares
By default, Windows enables sharing for each logical disk on your system (C$ for the C drive) in addition to another share called ADMIN$ for the %SystemRoot% directory (e.g., C:\WINNT). Although this is accessible only to Administrators, it is wise to disable these shares (if at all possible) since they still present a potential security hole.
To disable these shares, open the Registry by running regedit.exe and then find the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters key.
If you’re using Windows 2000 workstation, add an AutoShareWks DWORD value of 0 (as shown in Figure 2-5) by clicking Edit -> New -> DWORD Value. For Windows 2000 Server, add an AutoShareServer value of 0. When you’re done editing the Registry, restart Windows for the change to take effect.
After Windows has finished loading, you can verify that the default shares no longer exist by running net share:
C:\> net share

Share name   Resource                        Remark
-----------------------------------------------------------
IPC$                                         Remote IPC
The command completed successfully.
Before doing this, you should be sure that disabling these shares will not negatively affect your environment. Lack of these shares can cause some system management software—such as HFNetChk [Hack #21] or Systems Management Server—to not work. This is because software like this depends on remote access to the default administrative shares in order to access the contents of the system’s disks.
Hack 28: Encrypt Your Temp Folder
Keep prying eyes out of your temporary files.
Many Windows applications will create intermediary files while they do their work. They typically store these files in a temporary folder within the current user’s settings directory. Most often these files are created world-readable and aren’t always cleaned up when the program exits. How would you like it if your word processor left a copy of the last document you were working on for anyone to come across and read? Not a pretty thought, is it?
One way to guard against this situation is to encrypt your temporary files folder. To do this, open an Explorer window and go to the C:\Documents and Settings\<username>\Local Settings folder. In this folder you should see another folder called Temp. This is the folder that holds the temporary files. Right-click the folder and bring up its Properties dialog. Make sure the General tab is selected, and click the button labeled Advanced. This will bring up an Advanced Attributes dialog, as seen in Figure 2-6. Here you can choose to encrypt the folder.
Check the “Encrypt contents to secure data” box and click the OK button. When you have done that, click the Apply button in the Properties dialog. Another dialog (as seen in Figure 2-7) will open asking you whether you would like the encryption to apply recursively.
To apply the encryption recursively, choose the “Apply changes to this folder, subfolders and files” option. This will automatically create a public-key pair if you have never encrypted any files before. Otherwise, Windows will use the public key that it generated for you previously. When decrypting, Windows ensures that the private keys are stored in nonpaged kernel memory, so that the decryption key will never be left in the paging file. Unfortunately, the encryption algorithm used, DESX, is barely an improvement on DES and is nowhere near as strong as 3DES. However, it serves the purpose of transparently encrypting temporary files very well. If you want to encrypt other files, it is suggested you use a third-party utility such as GnuPG (http://www.gnupg.org), which has Windows binaries available on its web site.
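The Figure 2-6/2-7 steps done from the command line, as an added example that is not from the book. It assumes $env:TEMP in place of the Documents and Settings path of Windows 2000/XP, an edition on which EFS is available, and cipher.exe plus .NET's File.Encrypt for the folder marking and the existing files respectively.

```powershell
# Added example, not from the book: mark the Temp folder tree for EFS with cipher.exe, encrypt
# the files already in it, and report anything still in the clear.  Assumes EFS is available
# and that $env:TEMP is the folder the text calls Local Settings\Temp.

function Get-UnencryptedFile {
    param([string] $Folder = $env:TEMP)
    Get-ChildItem -LiteralPath $Folder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

function Protect-TempFolder {
    param([string] $Folder = $env:TEMP)
    # /E marks directories so files created later are encrypted; /S extends that to subfolders.
    # This is the "Apply changes to this folder, subfolders and files" choice of Figure 2-7.
    & cipher.exe /E /S:"$Folder" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }

    # Files that existed before the marking are converted one by one.  A file held open by a
    # running program cannot be converted, so it is reported rather than aborting the run.
    $skipped = foreach ($f in Get-UnencryptedFile -Folder $Folder) {
        try { [IO.File]::Encrypt($f.FullName) } catch { $f.FullName }
    }
    [pscustomobject]@{
        Folder          = $Folder
        FolderEncrypted = [bool] ((Get-Item -LiteralPath $Folder).Attributes -band [IO.FileAttributes]::Encrypted)
        StillInClear    = @($skipped)
    }
}

Protect-TempFolder
```

Re-run it after closing the programs that own anything listed under StillInClear.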
Hack 29: Clear the Paging File at Shutdown
Prevent information leaks by automatically clearing the swap file before shutting down.
Virtual memory management (VMM) is truly a wonderful thing. It protects programs from one another and lets them think that they have more memory available than is physically in the system. To accomplish this, the VMM uses what is called a paging file.
As you run more and more programs over the course of time, you’ll begin to run out of physical memory. Since things can start to go awry when this happens, the memory manager will look for the least frequently used pieces of memory owned by programs that aren’t actively doing anything at the moment and write the chunks of memory out to the disk (i.e., the virtual memory). This is known as swapping.
However, there is one possibly bad side effect of this feature: if a program containing confidential information in its memory space is running, the memory containing such information may be written out to disk. This is fine when the operating system is running and there are safeguards to prevent the paging file from being read, but what about when the system is off or booted into a different operating system?
This is where this hack comes in handy. What we’re going to do is tell the operating system to overwrite the paging file with zeros when it shuts down. Keep in mind that this will not work if the cord is pulled from the system or the system is shut down improperly, since this overwrite will only be done during a proper shutdown.
To enable this feature of Windows, we must edit the system registry. To do this, open the Registry and find the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management key. You should now see something that looks like Figure 2-8.
Locate the ClearPageFileAtShutdown entry in the right pane of the window and change its value to 1. Now restart Windows for the change to take effect, and your swap file will be cleared at shutdown. The only side effect of enabling this is that Windows may take longer to shut down. However, this is very much dependent on your hardware (e.g., disk controller chipset, disk drive speed, processor speed, etc.), since that’s what will govern how long it will take to overwrite your paging file with zeros.
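Both registry changes described above, AutoShareServer/AutoShareWks = 0 from Hack 27 and ClearPageFileAtShutdown = 1 from this hack, applied and read back in one added PowerShell example that is not from the book. It assumes an elevated prompt and uses Win32_OperatingSystem's ProductType to pick the workstation or server value name; as the text says, both settings take effect only after a restart.

```powershell
# Added example, not from the book: set the two DWORD values from Hacks 27 and 29 and show
# what was there before.  Assumes an elevated prompt; a restart is still required.

function Set-RegistryDword {
    param([string] $Path, [string] $Name, [int] $Value)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Null when the value does not exist yet (the usual state on a fresh install).
    $current = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -ne $Value) {
        Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -Type DWord
    }
    [pscustomobject]@{ Key = $Path; Name = $Name; Was = $current; Now = $Value }
}

# Hack 27: workstations read AutoShareWks, servers and domain controllers read AutoShareServer
# (Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server).
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
$shareValue  = if ($productType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }
Set-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                  -Name $shareValue -Value 0

# Hack 29: zero the paging file during a clean shutdown.
Set-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
                  -Name 'ClearPageFileAtShutdown' -Value 1

# What "net share" reports right now; the drive and ADMIN$ shares disappear only after the restart.
function Get-AdminShare {
    (& net.exe share) | Where-Object { $_ -match '^\s*([A-Z]\$|ADMIN\$)\s' }
}
Get-AdminShare
```

Run Get-AdminShare again after the reboot: an empty result is the state the net share listing above shows.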
Hack 30: Restrict Applications Available to Users
Prevent your users from running potentially dangerous applications.
Keeping users from running certain applications isn’t so important when you’re an administrator using your own workstation. But when you’re dealing with regular users in an enterprise network environment, you don’t want your users running any nefarious programs. Such programs include those that can break their operating system installation, introduce security holes to their system, or even attack other machines on your network.
There are a couple of ways to restrict the applications available to your users. First you can modify the ACLs for a particular program so that users cannot execute it. For example, suppose you have a sniffer installed on a user’s machine for network diagnostic purposes. Access to this program is fine for an administrator, but probably is not appropriate for a normal user. You can prevent normal users from running the program by removing execution permissions for the Users group. To do this, locate the program’s executable file and right-click it. Now click the Properties menu item, and you should see a dialog box like the one shown in Figure 2-9.
Now click on the Security tab and select the Users group from the list at the top of the dialog. You should now see something similar to Figure 2-10.
Now click the Deny checkbox that applies to the Read & Execute permission. After clicking the Apply button, anyone that is a member of the Users group will not be able to run the program. Alternatively, you could also modify the ACL for the directory that the program resides in and disallow read access. This approach could be useful if you want to keep all of your administrative tools under a single folder and restrict access to all of them at once.
If you are running a terminal-server version of Windows, there is another alternative to using ACLs. If you have the Microsoft Windows 2000 resource kit installed, you can use the AppSec program to disallow program access with just a few clicks. To use AppSec, locate its directory and start the program. After the program loads, you will be presented with a list of programs. If the program that you want to disallow from your terminal-service users is on the list, simply click the Disabled radio button. For instance, if you wanted to disable cmd.exe, you would see something similar to Figure 2-11.
If the application you want to restrict is not on the list, you can click the Add button and browse for the application. After you have made your choices, click Exit. Before these changes can fully take effect, all users will have to log off of the terminal server.
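The Deny ACE from Figure 2-10 applied with Set-Acl and read back, as an added example that is not from the book. The program path is a placeholder; the principal defaults to BUILTIN\Users as in the text.

```powershell
# Added example, not from the book: add a Deny Read & Execute entry for Users on one
# executable and show the resulting entry.  The path passed at the bottom is a placeholder.

function Deny-ExecuteForUsers {
    param(
        [Parameter(Mandatory)] [string] $Program,
        [string] $Principal = 'BUILTIN\Users'
    )
    $acl  = Get-Acl -LiteralPath $Program
    # ReadAndExecute is the same right the "Read & Execute" checkbox toggles in the dialog.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Program -AclObject $acl

    # Deny entries are evaluated before Allow entries, so this overrides any Allow the file
    # inherits from its folder.
    (Get-Acl -LiteralPath $Program).Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Deny-ExecuteForUsers -Program 'C:\Tools\sniffer.exe'   # placeholder path
```

Because BUILTIN\Users contains Authenticated Users by default, administrators are members too and the Deny applies to them as well; pass a narrower group as -Principal where that matters.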