Section 12

For Administrators Only

12-1. How do I secure my server?
12-2. I'm an idiot. Exactly how do hackers get in?

12-1. How do I secure my server?

• Upgrade to NT 4.0.
• Physically secure all servers.
• Disable remote logins to workstations.
• No dual booting. NT only on the harddrives, and format NTFS only.
• Remove the group Everyone from being able to read so much of the registry.
• Use Auditing. Heavily if Internet connected.
• Load the latest Service Pack (v.3 as of this writing will be out very soon).
• Make sure program file directories have just Read and Execute permissions. Try to separate public files from private files.
• Note the owners of directories. The owner can still change things inside a directory, despite permissions being reset.
• Go into User Manager and create a restrictive password policy.
• Disable the Last Logon username display.
• Add the domain administrator's global group to all of your workstation's local administrator group for control.
• Remove the "Access this computer from network" logon right from administrators on domain controllers.
• If you can, remove Scheduler service.
• Restrict access to certain executables you deem dangerous (possibly CMD.EXE or NTBACKUP.EXE if you are real paranoid).
• Re-read this FAQ and note every time you see "this attack won't work if the Sys Admin did..." and actually do it.
• Use a firewall. As a minimum, do not allow outside access to ports 135 through 139 for both TCP and UDP.
• Put web, ftp, and any other public servers OUTSIDE the firewall, or in a DMZ between a couple of firewalls.
• Come to think of it, read a book on firewalls.
• Consider using "internal" firewalls if you need to secure certain servers from certain groups of users, i.e. protect the accounting server from the disgruntled marketing group.
• Use Jeremy Allison's PWAudit program to monitor the keys that PWDump accesses. This way you can logs attempts at grabbing the password.
• Read your logs. Daily. Use them as a guide, however don't blindly trust that every action is in the logs, and every action reflected in the logs should not be taken at face value. INVESTIGATE ODD THINGS.
• Run C2Config after you have adjusted the INF file to meet your needs.
• Regularly run virus scans, non-Microsoft-written security scanners, and your C2Config utility (if you initially used it).
• Subscribe to the mailing lists and read the newsgroups listed in section 10. Daily. Read the NT Security FAQ. Repeatedly. Read all the pages at www sites listed in section 10. Frequently.
• Read Hobbit's paper on CIFS. If it's too technical, hire a new Sys Admin.
• Don't panic, but be paranoid all the time. Take every security concern or oddball alert seriously.

12-2. I'm an idiot. Exactly how do hackers get in?

I mentioned the World Star Holdings Inc. Cybertest '96 contest earlier in the FAQ. I wish I could say that this contest involved some type of massive attack rich in color and unbelievable hacking genius, but alas, it was too easy. Using techiques outlined in this FAQ, I simply got a list of exported shares and logged in as GUEST. I enjoyed trying to get past the special HTML scripting language they were using, and only did it because I wanted the $50,000.00 prize money. But I wasn't the first one in, and they changed the rules mid-contest anyway.

Here's a scenario that pulls some of this together.

The Exploit
-----------

The attacker has a copy of Samba on his Linux machine, and applied the patches from Hobbit's paper making smbclient a little more dangerous. He starts looking at his target innocent.nmrc.org. Using a port scanner he determines that ports 135-139 are open, and suspects the box might be NT.

The target IP address is 10.10.10.2. So he tries his hack version of nmblookup like so -

    nmblookup -B 10.10.10.2 -S \*

The name INNOCENT is returned, and this is plugged into the hacked smbclient like so -

    smbclient \\\\INNOCENT\\WINNT$ -I 10.10.10.2 -d 3 -n WHATEVER -m
     LANMAN2 -U ADMINISTRATOR

Note that the hacker is trying to access the C drive, is using debug level 3 to see errors (and see how long before an error occurs), forged his computer's name, and dummied down the passwords to try Lan Manager style (uppercase) only.

Several simple passwords are tried, and it looks like Administrator has not been altered to lock out incorrect tries. However the usual easy passwords do not work. The hacker is not frustrated. He decides to throw his uppercase dictionary at it -

    smbclient \\\\INNOCENT\\WINNT$ -I 10.10.10.2 -d 0 -n WHATEVER -m
     LANMAN2 -U ADMINISTRATOR < dictionary.file.upppercase

The hacked smbclient will continue until the dictionary file is exhausted, the hacker stops the program, or he gets in. After a while, success.

The hacker uploads a trojan to \SYSTEM32 to capture passwords. Then the hacker goes to \SYSTEM32\CONFIG\SAM and \REPAIR and finds copies of the SAM database. These are copied down to his home machine.

The hacker disconnects and proceeds to use PWDump and L0phtcrack to get ALL passwords. The hacker knows that some of the passwords might be old -- after all, he couldn't grab the live SAM database. But between the old passwords and the trojan, the hacker isn't even worried if the Administrator changes passwords. The hacker will simply use another account name and check the \TEMP directory for the collected passwords.