Monday, 19 May 2008
Wireless Taping
Securing Wireless, Remote and Mobile Computing - Quick Fixes
In an ideal world, the starting point would be risk assessment and management. This is a fundamental component of any wireless and mobile deployment. It will ensure that security is factored in at the beginning of a project and that everyone involved is aware of the risks. All security policies should be reviewed to make sure that they reflect current realities.
However, in many cases, the move from inside to outside the computer network perimeter has not been accompanied by either risk assessment and management, or by the education of the management, staff and users involved.
In an environment with ongoing mobile computer access, attempting to “backfill” security is going to be difficult and subject to active or passive resistance from users – and much more expensive than getting it right in the first place. A bite at a time is the best approach in this situation, and there are some quick fixes that will make it an easier case to sell to all involved.
Passwords and authentication
Static passwords are woefully inadequate for remote and mobile computer users, with huge identity theft risks (particularly for wireless). The answer is to deploy strong two-factor authentication. Companies such as VASCO provide low-cost, token-based solutions that can be easily deployed for remote users.
SSL VPNs
Consider using encrypted secure sockets layer (SSL) VPNs, alongside or instead of IPsec VPNs, as SSL can provide lower cost, easier to manage connections for large numbers of remote users. This is a growing area and there are a wide range of solutions from WatchGuard, Citrix, AEP, etc.
Regular Updating
Make sure that users regularly update anti-virus and firewall software. Failure to do so, alongside password and unauthorised software related issues, makes up the majority of remote help desk problems for organisations.
Wireless
Ensure that all traffic is over VPNs and is encrypted. Don’t use Wired Equivalent Privacy (WEP) for encryption because it is poor, insecure and weak. Use WPA or WPA2 (also known as 802.11i) and ensure that users always operate with it switched on - the default is with it switched off.
If you have remote wireless LANs, ensure that the service set ID (SSID) is changed from the default and is secured. Don’t change it to something blindingly obvious like your company name (or “control tower”, as seen by startled laptop users at a US airport).
Implement media access control (MAC) filtering. A MAC address is a physical address, so if you restrict access to devices whose address you have authorised, you can eliminate many ID theft issues. Another variation of this is device authentication, where the device authenticates itself to the network. Solutions are available from companies such as Phoenix Technologies, etc.
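The allow-list check that MAC filtering rests on, written out as an added example (this is not code from the article or from any vendor named in it). The log format, the addresses, the allow-list and the function names `normalise_mac` and `unauthorised_associations` are all constructed for the demonstration; the point it adds to the paragraph is that vendors log addresses in different notations, so they must be normalised before being compared, or an authorised device is flagged for a formatting difference.

```python
"""
Added example (not from the article): a MAC address allow-list check of the
kind the paragraph above describes, run over constructed access-point log
lines. The log format, the addresses and the allow-list are all made up for
the demonstration.
"""
import re

# Constructed sample log: one AP recording station associations, with the
# MAC written in three different notations.
SAMPLE_AP_LOG = """\
2008-05-19 08:01:12 ap1 STA 00:1A:2B:3C:4D:5E associated ssid=corp-wlan
2008-05-19 08:02:40 ap1 STA 00-1a-2b-3c-4d-5f associated ssid=corp-wlan
2008-05-19 08:03:05 ap1 STA 001a.2b3c.4d60 associated ssid=corp-wlan
2008-05-19 08:03:30 ap1 STA 00:1A:2B:3C:4D:5E disassociated ssid=corp-wlan
"""

# Devices the organisation has authorised, stored in canonical form.
AUTHORISED = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}

# Colon- or hyphen-separated pairs, or the dotted four-digit groups that some
# switches and access points log.
MAC_RE = re.compile(
    r"\b((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\b",
    re.IGNORECASE,
)


def normalise_mac(text):
    """Return a MAC as lower-case, colon-separated pairs; None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def unauthorised_associations(log_text, allow_list):
    """(time, mac) for every association by a device not on the allow-list."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        # "disassociated" does not contain " associated " with the leading space
        if " associated " not in line or len(fields) < 2:
            continue
        match = MAC_RE.search(line)
        if not match:
            continue
        mac = normalise_mac(match.group(1))
        if mac is None or mac not in allow_list:
            findings.append((fields[1], mac))
    return findings


if __name__ == "__main__":
    for when, mac in unauthorised_associations(SAMPLE_AP_LOG, AUTHORISED):
        print("%s unauthorised device %s associated" % (when, mac))
```

Run as-is it reports the one association from an address that is not on the list. The check identifies a device only by the address it presents; the device authentication the paragraph also mentions is what ties that identity to something the network can verify.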
Also ensure your users have a wireless firewall/VPN to protect them and to manage encrypted VPNs from the wireless device. Companies such as WatchGuard and Check Point provide centrally manageable solutions in this area.
Bear in mind that many cheaper remote firewalls are incapable of dealing with application level attacks. A key requirement for remote firewalls, wireless or static, is to be able to deal with current and future threats, which include packet and, increasingly, application level attacks. All of these measures should greatly improve your mobile computing security with the minimum of fuss and resistance from staff.
How To Secure Your Laptop
Laptops these days contain vital data and are heavily used for remote data access. Their security should be a top priority for all users. There are three aspects to consider in securing your laptop:
- Physical Security.
- Security Software.
- Security Consciousness.
Physical Security
Physical security involves physical barriers put in place to inhibit access to where your laptop is kept.
Such barriers hinder the following:
- Theft of your laptop.
- Damage to your laptop.
- Theft of information on your laptop.
- Using your laptop to commit fraudulent activities.
The physical barriers should have the following features:
- The ability to properly lock the entrance to where your laptop is kept.
- An alarm system should be in place to notify you in case of a break-in.
- A security camera (CCTV) should be placed where your laptop is kept, to monitor it.
- All windows and doors must be screened to prevent prying eyes from seeing expensive information assets such as your laptop.
- The ability to fasten the laptop to a non-moveable object, to stop a thief from carrying the laptop away.
- The ability to trigger snapshots in case of a break-in, with the snapshots aimed directly at the laptop.
Security Software
Access to your laptop can also be prevented using security software.
This security software prevents access to your desktop. It ensures that only the owner of the laptop has access to using the applications on the laptop.
Features of Security Software
- It must prompt the user to enter a user name and a password.
- The ability to generate audit reports, such as successful and failed logins, should be an essential feature.
- The user should be able to lock the screen when it is not in use.
- Optional but highly recommended: the software should be able to beep when the screen is tampered with.
Security Consciousness
After all is said and done, without security consciousness on the part of the user or laptop owner, every control put in place to deter access to the laptop will be futile.
Security Consciousness Tips
- Always lock the door to your office.
- Always carry your laptop with you.
- If not in use put it in a safe and lock it.
- Make sure that when nature calls you activate the screen lock and lock all access doors to your office.
- Always keep your laptop locked in a box in the boot of your car when driving.
- Do not use your laptop in overcrowded places.
- All the necessary details about your laptop (serial number, brand name, model, etc.) must be written down and stored in a safe place.
- Insure your laptop against loss, damage, fire, etc.
A Beginners Guide To Wireless Security
Wireless hacking, or war driving, is possible because of inherent flaws in the 802.11 protocol. The 802.11b protocol will receive any signal that is within its broadcast range. This means that any network card within an 18 - 30 foot radius of a wireless access point will, in theory, be able to access the network that the access point serves. Currently there are a number of different methods of preventing access to a wireless network.
One is using the wireless encryption protocol, or WEP; as we will show in this article, this form of security is not the only answer. WEP encrypts the packets that the network sends out; if a person does not have the specific WEP key, then in theory they will be unable to access the data.
Another method is using a RADIUS server, which acts like a domain controller for a wireless network. A combination of both of these security measures provides the tightest security.
The question you may be asking yourself is, "why would someone want to do this?". The first and most innocent reason is simply to gain free Internet access. The second is to use your network as a jumping point to commit other computer crimes. Their identity will then be hidden behind your network, escaping prosecution.
The following are the tools most computer criminals are using:
- airsnort
- Kismet
- scanchan
- arpping
Computer criminals use these tools to break the encryption on your network and gain access to the network and its bandwidth. Here is where you can find copies of these tools.
- airsnort http://airsnort.shmoo.com/
- Kismet http://www.kismetwireless.net/
- scanchan http://team.vantronix.net/reyk/prism2/
- arpping http://busybox.net/cgi-bin/cvsweb/udhcp/?sortby=file#dirlist
Now, technically, you could try war driving at this point. But you must remember that the distance a wireless LAN is capable of broadcasting is relatively short: approximately 18 feet to 30 feet with a normal consumer product.
So, to increase the effectiveness of our audit policy, we will add an additional antenna to our wireless LAN card. Not every card on the market is ready to have an external antenna attached, so some cards will require a bit of soldering and other modifications. To save yourself the trouble, try purchasing a card that has the capability of attaching an external antenna. Here are some additional resources for finding cards that fit this bill.
Go to: Seatlewireless.net
Now that you have one of these cards, you will be able to purchase something called a "pigtail". This allows you to connect the small, usually proprietary, connector on the card to an actual external antenna.
You may have heard the Internet rumours about building an antenna from a Pringles can. But that is not the best way to do it. A Pringles can was never meant to be an antenna, and the amount of metal contained in it is not the best way to focus the wireless LAN frequency onto the actual antenna receptor. If you want the most effective method, just purchase an antenna from a local store. You can find this type of antenna at your local electronics store, usually a specialty store like RadioShack (not the best place to look, but the most common); the best bet would actually be a ham radio shop, but these are a rarity in some areas.
Now the question I usually get is, "can I use my car's antenna?" The answer to that one is no: antennas are designed to capture the frequency of the signal they are designed for. For example, radio waves are long waves, hence the fact that a radio antenna is a long, thin design. Wireless LAN waves are very tight and fast, so the antenna has to be thin and long. This also means that the wireless LAN antenna is a directional antenna, so you have to face the antenna towards the source.
Now let's begin tracking down rogue signals.
The first thing to do in any type of security audit is to take a look at the area that you're trying to secure. Is your area low to the ground? Or is it in a skyscraper or other type of tall building? You need to take this into consideration because of the differences in the support structure of the building. Obviously, a skyscraper is going to have more steel in its support structure than a low building. Also, depending on which floor you're on, the actual range of your wireless LAN may not even reach the ground level. If you're in a low-lying structure, it will cover more of an area.
Let's start with a low-lying area wireless LAN audit first. Get your gear and hop into the car. Now, an additional piece of equipment would be a DC power inverter. This will let you run your laptop off the car battery. First, drive the pattern of traffic frequently followed at different times of day. This will establish the most common points that a criminal would use to access the network, so it is usually the first place I would try to pick up the signal from your wireless LAN.
Once you have the laptop up and running, start NetStumbler and crank up the sound card. As you drive around you'll notice that NetStumbler will beep when it runs into a wireless LAN signal. The first thing you should take notice of is whether the wireless LAN signal is WEP encrypted. This will show up as a lock icon in NetStumbler. This means that the wireless connection is not exactly open. If it shows up without a lock, this means that the wireless LAN is completely open: a person could merely configure their wireless LAN card for DHCP and connect to the network. Now, some wireless LANs are not set up for DHCP. In this case a person would have to configure their card to use an unused IP. All that is needed to do that is a little bit of guesswork, which is a lot easier than you would think, especially since most networks use the normal private 192.168 network address scheme.
If the connection does have WEP enabled, then AirSnort can be used to collect WEP data; after about 1 GB of collected data the program would be able to break the encryption algorithm.
They would then take the resulting key and configure it to be used by their network card, which will allow them to access the encrypted network traffic.
Now, criminals use a multitude of methods to prevent administrators from noticing them on the network. One way is to set up a firewall on the laptop which has all incoming ports to their machine blocked. This prevents their machine from showing up on a network scan, especially if the scan uses ping to determine whether there is a computer answering at that IP address. Most good scanning software can scan a network without using ping; this merely causes the scan to take an extreme amount of time. But a good network administrator should always supplement their normal scanning routine with a non-ping-based solution.
How To Eliminate The Ten Most Critical Internet Security Threats
The majority of the successful attacks on operating systems come from only a few software vulnerabilities. This can be attributed to the fact that attackers are opportunistic, take the easiest and most convenient route, and exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable systems. System compromises in the Solar Sunrise Pentagon hacking incident, for example, and the easy and rapid spread of the Code Red and NIMDA worms can be traced to exploitation of unpatched vulnerabilities.
Two years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list, and the expanded Top Twenty, which followed a year later, to prioritize their efforts so they could close the most dangerous holes first. The vulnerabilities that led to all three examples above - the Solar Sunrise Pentagon incident, and the Code Red and NIMDA worms - are on that list.
This updated SANS/FBI Top Twenty is actually two Top Ten lists: the ten most commonly exploited vulnerable services in Windows, and the ten most commonly exploited vulnerable services in Unix. Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty services.
While experienced security administrators will find the Top Twenty to be a valuable resource in their arsenal, the list is especially intended for those organizations that lack the resources to train, or those without technically-advanced security administrators. The individuals with responsibility for networks in those organizations often report that they have not corrected many of these flaws because they simply do not know which vulnerabilities are most dangerous, they are too busy to correct them all, or they do not know how to correct them safely. Traditionally, auditors and security managers have used vulnerability scanners to search for five hundred or a thousand or even two thousand very specific vulnerabilities, blunting the focus administrators need to ensure that all systems are protected against the most common attacks. When a system administrator receives a report showing thousands of vulnerabilities across hundreds of machines, he is often paralyzed.
Document version history:
v3.21 - 10/29/02
- Sections W9.1 & W9.3 added Windows ME
- Section U4.1/U4.5 - General Edits
v3.2 - 10/17/02
- Section W3 - Cumulative patch for SQL Server
- Sections WS, U1, U2, U4, U5, U8, U9 - CVE/CAN listings
- Section U9.5 - General Edits
- Section U4.1/U4.5 - General Edits
v3.1 - 10/07/02
- Section W3 - Cumulative patch for SQL Server
v3.0 - 10/01/02
- New Version Posted
The Top Twenty is a prioritized list of vulnerabilities that require immediate remediation. The list is sorted by service because in many cases a single remedy -- disabling the service, upgrading to the most recent version, applying a cumulative patch -- can quickly solve dozens of specific software flaws, which might show up on a scanner. This list is designed to help alleviate that problem by combining the knowledge of dozens of leading security experts. They come from the most security-conscious federal agencies, the leading security software vendors and consulting firms, the top university-based security programs, and CERT/CC and the SANS Institute. A list of participants may be found at the end of this document.
The SANS/FBI Top Twenty is a living document. It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. We will update the list and the instructions as more critical threats and more current or convenient methods are identified, and we welcome your input along the way. This is a community consensus document -- your experience in fighting attackers and in eliminating the vulnerabilities can help others who come after you. Please send suggestions via e-mail to info@sans.org with the subject "Top Twenty Comments."
Notes For Readers:
CVE Numbers
You'll find references to CVE (Common Vulnerabilities and Exposures) numbers accompanying each vulnerability. You may also see CAN numbers. CAN numbers are candidates for CVE entries that have not yet been fully verified. For more data on the award-winning CVE project, see http://cve.mitre.org.
The CVE and CAN numbers reflect the top priority vulnerabilities that should be checked for each item. Each CVE vulnerability reference is linked to the associated vulnerability entry in the National Institute of Standards and Technology's ICAT vulnerability indexing service (http://icat.nist.gov). ICAT provides a short description of each vulnerability, a list of the characteristics of each vulnerability (e.g. associated attack range and damage potential), a list of the vulnerable software names and version numbers, and links to vulnerability advisory and patch information.
Ports to Block at the Firewall
At the end of the document, you'll find an extra section offering a list of the ports used by commonly probed and attacked services. By blocking traffic to these ports at the firewall or other network perimeter protection devices, you add an extra layer of defense that helps protect you from configuration mistakes. Note, however, that using a firewall to block network traffic directed to a port does not protect the port from disgruntled co-workers who are already inside your perimeter, or from hackers who may have penetrated your perimeter using other means.
Top Vulnerabilities to Windows Systems
W1 Internet Information Services (IIS)
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
W3 Microsoft SQL Server
W4 NETBIOS -- Unprotected Windows Networking Shares
W5 Anonymous Logon -- Null Sessions
W6 LAN Manager Authentication -- Weak LM Hashing
W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords
W8 Internet Explorer
W9 Remote Registry Access
W10 Windows Scripting Host
Top Vulnerabilities to Unix Systems
U1 Remote Procedure Calls (RPC)
U2 Apache Web Server
U3 Secure Shell (SSH)
U4 Simple Network Management Protocol (SNMP)
U5 File Transfer Protocol (FTP)
U6 R-Services -- Trust Relationships
U7 Line Printer Daemon (LPD)
U8 Sendmail
U9 BIND/DNS
U10 General Unix Authentication -- Accounts with No Passwords or Weak Passwords
Top Vulnerabilities to Windows Systems (W)
W1 Internet Information Services (IIS)
W1.1 Description
IIS is prone to vulnerabilities in three major classes: failure to handle unanticipated requests, buffer overflows, and sample applications. Each will be addressed briefly here.
Failure to Handle Unanticipated Requests. Many IIS vulnerabilities involve a failure to handle improperly (or just deviously) formed HTTP requests. A well-known example is the Unicode directory traversal vulnerability, which was exploited by the Code Blue worm. By crafting a request to exploit one of these vulnerabilities, a remote attacker may:
- View the source code of scripted applications.
- View files outside of the Web document root.
- View files the Web server has been instructed not to serve.
- Execute arbitrary commands on the server (resulting in, for example, deletion of critical files or installation of a backdoor).
Buffer Overflows. Many ISAPI extensions (including the ASP, HTR, IDQ, PRINTER, and SSI extensions) are vulnerable to buffer overflows. A well-known example is the .idq ISAPI extension vulnerability, which was exploited by the Code Red and Code Red II worms. A carefully crafted request from a remote attacker may result in:
- Denial of service.
- Execution of arbitrary code and/or commands in the Web server's user context (e.g., as the IUSR_servername or IWAM_servername user).
Sample Applications. Sample applications are generally designed to demonstrate the functionality of a server environment, not to withstand attacks, and are not intended to serve as production applications. Combined with the facts that their default location is readily known and their source code is readily available for scrutiny, this makes them prime exploit targets. The consequences of such exploits can be severe; for example:
- A sample application, newdsn.exe, allowed the remote attacker to create or overwrite arbitrary files on the server.
- A number of such applications allow remote viewing of arbitrary files, which may be used to gather information such as database userids and passwords.
- An iisadmin application, ism.dll, allows remote access to sensitive server information including the Administrator's password.
W1.2 Operating Systems Affected
- Windows NT 4 (any flavor) running IIS 4
- Windows 2000 Server running IIS 5
- Windows XP Professional running IIS 5.1
W1.3 CVE Entries
CVE-2001-0241, CVE-2001-0333, CVE-2001-0500, CAN-2002-0079, CVE-2000-0884,
CVE-2000-0886, CAN-2002-0071, CAN-2002-0147, CAN-2002-0150, CAN-2002-0364,
CAN-2002-0149, CVE-1999-0191, CAN-1999-0509, CVE-1999-0237, CVE-1999-0264,
CVE-2001-0151, CAN-1999-0736, CVE-1999-0278, CAN-2002-0073, CVE-2000-0778,
CVE-1999-0874, CVE-2000-0226, CAN-1999-1376, CVE-2000-0770, CVE-2001-0507
W1.4 How to Determine if you are Vulnerable
Given the number of vulnerabilities, some of which are addressed only in a cumulative security roll-up package from Microsoft, it is simplest to presume that you are vulnerable if the cumulative roll-up has not been applied. To determine whether the cumulative roll-up has been applied on your server, check the registry for the entry listed for your platform below.
Windows NT 4:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q319733
Windows NT 4 Terminal Server Edition:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q317636
Windows 2000:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q319733
Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q319733
Alternatively, you may use HFNetChk (see "Stay Current" under W1.5) to verify the presence of the corresponding patch:
- NT 4: Q319733
- NT 4 Terminal Server Edition: Q317636
- 2000 or XP: Q319733
You are probably vulnerable to sample application exploits if any of the following files resides in your %wwwroot%/scripts directory (e.g., C:\inetpub\wwwroot\scripts or D:\web\scripts) or any subdirectory thereof:
- code.asp
- codebrws.asp
- ism.dll
- newdsn.exe
- viewcode.asp
- winmsdp.exe
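The two checks in W1.4 (the roll-up registry entry and the leftover sample applications) as a read-only host script, added here as an example; it is not part of the SANS document and not a Microsoft tool. The registry paths and file names are the ones listed above; the platform labels (nt4, nt4-tse, 2000, xp) and the functions `registry_key_exists`, `is_sample_app`, `find_sample_apps` and `assess` are this example's own. The registry lookup only works on Windows (it uses the standard-library `winreg` module); elsewhere it reports None, so the file scan can still be run against a copied or mounted web root.

```python
"""
Added example (not part of the SANS document): a read-only host check that
follows section W1.4. It reports whether the registry entry recording the IIS
cumulative roll-up is present for the chosen platform and lists any of the
named sample applications found under the scripts directory.
"""
import os
import sys

# Registry entries from W1.4, relative to HKEY_LOCAL_MACHINE. The platform
# labels are this example's own shorthand.
ROLLUP_KEYS = {
    "nt4": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q319733",
    "nt4-tse": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q317636",
    "2000": r"SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q319733",
    "xp": r"SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q319733",
}

# Sample applications listed in W1.4, compared case-insensitively because
# the file system is.
SAMPLE_APPS = {"code.asp", "codebrws.asp", "ism.dll",
               "newdsn.exe", "viewcode.asp", "winmsdp.exe"}


def registry_key_exists(subkey):
    """True or False on Windows; None where the registry is not available."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey):
            return True
    except OSError:
        return False


def is_sample_app(path):
    """True if the file name (any case, any directory) is a known sample app."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower() in SAMPLE_APPS


def find_sample_apps(scripts_dir):
    """Sorted relative paths of sample applications under scripts_dir (recursive)."""
    hits = []
    for root, _dirs, files in os.walk(scripts_dir):
        for name in files:
            full = os.path.join(root, name)
            if is_sample_app(full):
                hits.append(os.path.relpath(full, scripts_dir))
    return sorted(hits)


def assess(platform, scripts_dir):
    """Apply the W1.4 rule: presume vulnerable unless the roll-up entry is
    confirmed present, and flag any sample applications that remain."""
    if platform not in ROLLUP_KEYS:
        raise ValueError("unknown platform %r, expected one of %s"
                         % (platform, sorted(ROLLUP_KEYS)))
    rollup = registry_key_exists(ROLLUP_KEYS[platform])
    samples = find_sample_apps(scripts_dir) if os.path.isdir(scripts_dir) else []
    return {
        "rollup_applied": rollup,  # True / False / None (not checkable here)
        "sample_apps": samples,
        "presume_vulnerable": rollup is not True or bool(samples),
    }


if __name__ == "__main__":
    # Defaults follow the paths given in W1.4; override on the command line.
    plat = sys.argv[1] if len(sys.argv) > 1 else "2000"
    scripts = sys.argv[2] if len(sys.argv) > 2 else r"C:\inetpub\wwwroot\scripts"
    for key, value in assess(plat, scripts).items():
        print("%-20s %s" % (key, value))
```

Run it on the server itself to get all three fields; run it elsewhere, pointing at a copy of the scripts tree, and only the sample-application scan is meaningful (the report then says "presume vulnerable", which is the document's own default when the roll-up cannot be confirmed).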
W1.5 How to Protect Against It
Apply the current patches. In the case of IIS 4 on NT 4 with Service Pack 6a, this means applying a cumulative security roll-up package and a single hotfix. In the case of IIS 5 or 5.1 on Windows 2000 or XP (respectively), the roll-up and the hotfix are included in service packs. URLs are provided below.
IIS 4 on NT 4:
Service Pack 6a: http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/allSP6.asp
Security Rollup: http://www.microsoft.com/ntserver/nts/downloads/security/q319733/
Hotfix: http://www.microsoft.com/ntserver/nts/downloads/security/q321599/
IIS 4 on NT 4 Terminal Server Edition:
Service Pack 6: http://www.microsoft.com/ntserver/terminalserver/downloads/recommended/tsesp6/
Security Rollup: http://www.microsoft.com/ntserver/terminalserver/downloads/critical/q317636/
Hotfix: http://www.microsoft.com/ntserver/nts/downloads/security/q321599/
IIS 5 on Windows 2000:
Service Pack 3: http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/
IIS 5.1 on Windows XP:
Service Pack 1: http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/
Stay Current. These service packs, rollup patches and hotfixes only remedy vulnerabilities that are already known. As new IIS weaknesses are uncovered, you will need to patch accordingly. HFNetChk, the Network Security Hotfix Checker, assists the system administrator in scanning local or remote systems for current patches. The tool works on Windows NT 4, Windows 2000, and Windows XP. The current version can be downloaded from Microsoft at http://www.microsoft.com/technet/security/tools/hfnetchk.asp.
Eliminate Sample Applications. Sample applications, including the iisadmin tool, may be used to verify that a server installation works as expected, but should be deleted immediately thereafter. These applications can be found in the %wwwroot%/scripts directory. Ideally, however, the administrator should choose not to install the sample applications and Web-based administration tools at all.
Unmap Unnecessary ISAPI Extensions. Most IIS deployments have no need for most of the ISAPI extensions that are mapped by default, particularly .htr, .idq, .ism, and .printer. All unused ISAPI extensions should be unmapped. This can be done by hand through the Internet Services Manager, but the IIS Lockdown Wizard from Microsoft will also do the job. The current version can be downloaded from Microsoft at http://www.microsoft.com/technet/security/tools/locktool.asp.
Filter HTTP Requests. Many IIS exploits, including Code Blue and the Code Red family, use maliciously formed HTTP requests in directory traversal or buffer overflow attacks. The URLScan filter can be configured to reject such requests before the server attempts to process them. The current version has been integrated into the IIS Lockdown Wizard, but can be downloaded separately from Microsoft at http://www.microsoft.com/technet/security/tools/urlscan.asp.
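What a request filter of the kind described under "Unmap Unnecessary ISAPI Extensions" and "Filter HTTP Requests" has to get right, shown as an added example; this is not code from the SANS document and is not Microsoft's URLScan. It decodes the request path the way a server eventually would, then refuses traversal that only appears after decoding, the extensions the text says to unmap, and the sample applications named in W1.4. The functions `decode_path`, `check_request` and `filter_all`, and the sample request lines, are constructed for the demonstration.

```python
"""
Added example, not from the SANS document and not URLScan: a minimal
request-path filter. The lesson beyond the text is that the check must run
on the decoded path, and must reject bytes that do not form valid UTF-8,
or an encoded separator slips past a filter that only looks at the raw URL.
"""
import os
from urllib.parse import unquote_to_bytes

# Extensions W1.5 says most deployments should unmap.
BLOCKED_EXTENSIONS = {".htr", ".idq", ".ism", ".printer"}
# Sample applications listed in W1.4.
SAMPLE_APPS = {"code.asp", "codebrws.asp", "ism.dll",
               "newdsn.exe", "viewcode.asp", "winmsdp.exe"}


def decode_path(raw_path, max_rounds=3):
    """Return the decoded path, or None if it is not valid UTF-8 once decoded.

    Percent-decoding is repeated until the value stops changing, so a doubly
    encoded separator (%255c -> %5c -> backslash) is seen as the server would
    see it. Strict UTF-8 decoding rejects overlong byte sequences, the class
    of input a lenient decoder turns into a separator.
    """
    current = raw_path.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(current)
        if decoded == current:
            break
        current = decoded
    try:
        return current.decode("utf-8")
    except UnicodeDecodeError:
        return None


def check_request(raw_path):
    """Return (allowed, reason) for a raw request path, query string included."""
    path_only = raw_path.split("?", 1)[0]
    decoded = decode_path(path_only)
    if decoded is None:
        return False, "invalid UTF-8 after decoding"
    if "\x00" in decoded:
        return False, "NUL byte in path"
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:
        return False, "directory traversal"
    name = segments[-1].lower()
    ext = os.path.splitext(name)[1]
    if ext in BLOCKED_EXTENSIONS:
        return False, "unmapped ISAPI extension %s" % ext
    if name in SAMPLE_APPS:
        return False, "sample application"
    return True, "ok"


# Constructed sample requests: benign ones plus the encoded forms the filter
# exists to catch.
SAMPLE_REQUESTS = [
    "/default.asp",
    "/docs/report%20final.pdf",
    "/scripts/..%2f..%2fsecret.txt",
    "/scripts/..%255c..%255csecret.txt",
    "/scripts/%c0%ae%c0%ae/secret.txt",
    "/query.idq?q=1",
    "/scripts/NewDSN.exe",
]


def filter_all(requests=SAMPLE_REQUESTS):
    """Map each request to its verdict; usable for a log review or a unit test."""
    return {req: check_request(req) for req in requests}


if __name__ == "__main__":
    for req, (allowed, reason) in filter_all().items():
        print("%-40s %s (%s)" % (req, "ALLOW" if allowed else "REJECT", reason))
```

Two of the seven sample requests are allowed. The order of the checks matters: decoding first, then the structural test for "..", then the name-based tests, because the name-based tests are only trustworthy once the path is in its final form.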
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
W2.1 Description
The Remote Data Services (RDS) component in older versions of Microsoft Data Access Components (MDAC) has a program flaw which allows remote users to run commands locally with administrative privilege. Combined with a flaw in Microsoft Jet database engine 3.5 (part of MS Access), this exploit may also provide anonymous external access to internal databases. These flaws are well-documented and solutions have been available for more than two years, but outdated or misconfigured systems remain exposed and subject to attack.
W2.2 Operating Systems Affected
Most Microsoft Windows NT 4.0 systems running IIS 3.0 or 4.0, Remote Data Services 1.5, or Visual Studio 6.0.
W2.3 CVE Entries
CVE-1999-1011
W2.4 How to Determine if you are Vulnerable
If you are running Microsoft Windows NT 4.0 and IIS 3.0 or 4.0, then check for the existence of "msadcs.dll" (this is typically installed in "C:\Program Files\Common Files\System\Msadc\msadcs.dll", but that may vary depending on your system).
W2.5 How to Protect Against It
An excellent guide to the RDS and Jet weaknesses and how to correct them is available at http://www.wiretrip.net/rfp/p/doc.asp?id=29&iface=2.
Microsoft has also issued several security bulletins detailing this exploit and how to repair it via configuration changes:
http://support.microsoft.com/support/kb/articles/q184/3/75.asp
http://www.microsoft.com/technet/security/bulletin/ms98-004.asp
http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
Alternatively, you can prevent this problem by upgrading to MDAC version 2.1 or greater (although this may introduce compatibility issues). The most recent MDAC versions are available at http://www.microsoft.com/data/download.htm
W3 Microsoft SQL Server
W3.1 Description
The Microsoft SQL Server (MSSQL) contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and, in some configurations, compromise server hosts.
MSSQL vulnerabilities are well-publicized and actively under attack. A recent MSSQL worm in May 2002 exploited several known MSSQL flaws. Hosts compromised by this worm generate a damaging level of network traffic when they scan for other vulnerable hosts. Additional information on this worm can be found at
http://www.incidents.org/diary/diary.php?id=157
http://www.eeye.com/html/Research/Advisories/AL20020522.html
Port 1433 (MSSQL default port) has also been regularly registered as one of the top scan ports in the Internet Storm Center. More detailed information about recent MSSQL exposures can be found in CERT Advisory 2002-22.
W3.2 Operating Systems Affected
Any Microsoft Windows system with Microsoft SQL Server 7.0, Microsoft SQL Server 2000 or Microsoft SQL Server Desktop Engine 2000 installed.
W3.3 CVE Entries
CAN-2002-1138, CAN-2002-1137, CAN-2002-0056, CAN-2002-0649, CAN-2001-0542,
CAN-2000-1081, CVE-1999-0999, CAN-2002-0624, CAN-2002-0154, CAN-2000-1209,
CAN-2002-1123, CAN-2002-0186, CVE-2000-0202, CVE-2000-0402, CVE-2000-0485,
CVE-2000-0603, CVE-2001-0344, CVE-2001-0879, CAN-2000-0199, CAN-2000-1082,
CAN-2000-1083, CAN-2000-1084, CAN-2000-1085, CAN-2000-1086, CAN-2000-1087,
CAN-2000-1088, CAN-2001-0509, CAN-2002-0187, CAN-2002-0224, CAN-2002-0641,
CAN-2002-0642, CAN-2002-0643, CAN-2002-0644, CAN-2002-0645, CAN-2002-0650,
CAN-2002-0695, CAN-2002-0721, CAN-2002-0729, CAN-2002-0859, CAN-2002-0982
W3.4 How to Determine if you are Vulnerable
If the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer is defined, then you have SQL Server or SQL Server Desktop Engine installed. If you are running an un-patched system or you have not updated your system with the latest patch, your system is very likely to be vulnerable.
Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). MBSA will scan for missing hotfixes and vulnerabilities in SQL Server 7.0 and 2000. It is available at http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp.
Microsoft also has a HOWTO document to help you check your current version: HOW TO: Identify Your SQL Server Service Pack Version and Edition.
To ensure the fix is installed properly, verify the individual files by consulting the date/time stamp of the files listed in the file manifest in the relevant Microsoft Knowledge Base article. They can be found at:
Microsoft SQL Server 7.0
Microsoft SQL Server 2000
W3.5 How to Protect Against It
Summary:
Apply the latest service pack for Microsoft SQL server.
Apply the latest cumulative patch that is released after the latest service pack.
Apply any individual patches that are released after the latest cumulative patch.
Secure the server at system and network level.
Detail:
Apply the latest service pack for Microsoft SQL server. The current Microsoft SQL Server service pack version is:
SQL Server 7.0 Service Pack 4
SQL Server 2000 Service Pack 2
To ensure that you are current with any future upgrades, monitor Make Your SQL Servers Less Vulnerable from Microsoft Technet.
Apply the latest cumulative patch that is released after the latest service pack. The current cumulative patch for all versions of SQL Server is available at MS02-061 Elevation of Privilege in SQL Server Web Tasks (Q316333/Q327068).
To ensure that you are current with any future upgrades, you can check for the latest cumulative patch for Microsoft SQL Server at:
Microsoft SQL Server 7.0
Microsoft SQL Server 2000
Microsoft SQL Server Desktop Engine 2000
Apply any individual patches that are released after the latest cumulative patch. Currently, there is no individual patch after the release of MS02-061 Elevation of Privilege in SQL Server Web Tasks (Q316333/Q327068). But to ensure that you are current with any future upgrades, you can check for any newly released individual patches at:
Microsoft SQL Server 7.0
Microsoft SQL Server 2000
Microsoft SQL Server Desktop Engine 2000
Secure the server at system and network level.
One of the most commonly attacked MSSQL exposures is that the default administrative account (known as "sa") is installed with a blank password. If your SQL "sa" account is not password-protected, you effectively have no security and can be affected by worms and other exploits. Therefore, you should follow the recommendation from the "System Administrator (SA) Login" topic in SQL Server Books Online to make sure that the built-in "sa" account has a strong password, even if your SQL server does not run using this account.
Microsoft Developer's Network has documentation on Changing the SQL Server Administrator Login and how to Verify and Change the System Administrator Password by Using MSDE.
Run the MSSQLServer service and SQL Server Agent under a valid domain account with minimal privileges, not as a domain administrator or the SYSTEM (on NT) or LocalSystem (on 2000 or XP) account. A compromised service running with local or domain privileges would give an attacker complete control of your machine and/or your network.
Enable Windows NT Authentication, enable auditing for successful and failed logins, and then stop and restart the MSSQLServer service. Configure your clients to use NT Authentication.
Packet filtering should be performed at network borders to prohibit non-authorized externally-initiated inbound connections to services. Ingress filtering of TCP ports 1433 and 1434 could prevent attackers outside of your network from scanning or infecting vulnerable Microsoft SQL servers in the local network that are not explicitly authorized to provide public SQL services.
If TCP ports 1433 and 1434 need to be available on your Internet gateways, enable and customize egress/ingress filtering to prevent misuse of these ports.
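A PowerShell audit of the server-level settings just described, added here as an example; it is not part of the original document and not Microsoft's own tooling. It assumes a SQL Server 2000 default instance (so its settings live under the registry key named in W3.4), that LoginMode and AuditLevel hold the values documented for that version, and that a blank sa password shows up as a NULL password column in master..syslogins, as it does on SQL Server 2000.

```powershell
# Added example (not from the original page): check the hardening points above on
# the local SQL Server 2000 default instance. Run as a local administrator whose
# Windows login also has access to the instance. Named instances and newer
# versions keep these settings under different paths (assumption noted above).
$key = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer'

if (-not (Test-Path $key)) {
    Write-Output 'SQL Server / MSDE default instance not found (registry key absent).'
    return
}
$cfg = Get-ItemProperty -Path $key

# LoginMode: 1 = Windows Authentication only, 2 = Mixed (SQL logins plus Windows).
if ($cfg.LoginMode -ne 1) {
    Write-Output "FAIL: LoginMode=$($cfg.LoginMode); set to 1 (Windows Authentication) and restart MSSQLServer."
} else { Write-Output 'OK: Windows Authentication only.' }

# AuditLevel: 0 = none, 1 = successful logins, 2 = failed logins, 3 = both.
if ($cfg.AuditLevel -ne 3) {
    Write-Output "FAIL: AuditLevel=$($cfg.AuditLevel); set to 3 to log successful and failed logins."
} else { Write-Output 'OK: login auditing covers success and failure.' }

# Service accounts: neither service should run as LocalSystem/SYSTEM or a domain admin.
foreach ($svc in Get-CimInstance Win32_Service -Filter "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT'") {
    if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
        Write-Output "FAIL: $($svc.Name) runs as $($svc.StartName); use a low-privilege domain account."
    } else {
        Write-Output "CHECK: $($svc.Name) runs as $($svc.StartName); confirm it is not a domain administrator."
    }
}

# Blank sa password: on SQL Server 2000 a login with no password has a NULL
# password column in master..syslogins (assumption: SQL Server 2000 schema).
$conn = New-Object System.Data.SqlClient.SqlConnection('Server=.;Integrated Security=SSPI;Database=master')
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT COUNT(*) FROM master..syslogins WHERE name = 'sa' AND password IS NULL"
    if ([int]$cmd.ExecuteScalar() -gt 0) {
        Write-Output "FAIL: sa has a blank password; run EXEC sp_password NULL, '<strong password>', 'sa'."
    } else { Write-Output 'OK: sa password is set.' }
} finally { $conn.Close() }
```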
Additional information on securing Microsoft SQL Server can be found at
Microsoft SQL Server 7.0 Security
Microsoft SQL Server 2000 Security
W4 NETBIOS -- Unprotected Windows Networking Shares
W4.1 Description
Microsoft Windows provides a host machine with the ability to share files or folders across a network with other hosts through Windows network shares. The underlying mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS). These protocols permit a host to manipulate remote files just as if they were local.
Although this is a powerful and useful feature of Windows, improper configuration of network shares may expose critical system files, or may provide a mechanism for a nefarious user or program to take full control of the host. One of the ways in which both the Sircam virus (see CERT Advisory 2001-22) and Nimda worm (see CERT Advisory 2001-26) spread so rapidly in the summer of 2001 was by discovering unprotected network shares and placing a copy of itself in them. Many computer owners unknowingly open their systems to hackers when they try to improve convenience for co-workers and outside researchers by making their drives readable and writeable by network users. But when care is taken to ensure proper configuration of network shares, the risks of compromise can be adequately mitigated.
W4.2 Operating Systems Affected
Windows 95, Windows 98, Windows NT, Windows Me, Windows 2000, and Windows XP are all vulnerable.
W4.3 CVE Entries
CAN-1999-0519, CVE-2000-0979, CAN-2000-1079, CAN-1999-0621, CAN-1999-0520,
CAN-1999-0518
W4.4 How to Determine if you are Vulnerable
For Windows NT (SP4), Windows 2000 or Windows XP, the Microsoft Baseline Security Analyzer will report whether hosts are vulnerable to SMB exploits, and may be used to fix the problem. The tests can be run locally or on remote hosts.
Most commercially-available network-based scanners will detect open shares. A quick, free, and secure test for the presence of SMB file sharing and its related vulnerabilities, effective for machines running any Windows operating system, is available at the Gibson Research Corporation web site at http://grc.com/. Follow links to "ShieldsUP" to receive a real-time appraisal of any system's SMB exposure. Detailed instructions are available to help Microsoft Windows users deal with SMB vulnerabilities. Note that if you are connected over a network where some intermediate device blocks SMB, the ShieldsUP tool will report that you are not vulnerable when, in fact, you are. This is the case, for example, for users on a cable modem where the provider is blocking SMB into the cable modem network: ShieldsUP will report that you are not vulnerable, but the 4,000 or so other people on your cable modem link can still exploit this vulnerability.
W4.5 How to Protect Against It
Several actions can be taken to mitigate the risk of exploitation of a vulnerability through Windows Networking Shares:
Do not permit sharing with hosts on the Internet. Ensure all Internet-facing hosts have Windows network shares disabled in the Windows network control panel. File sharing with Internet hosts should be achieved using FTP or HTTP.
Do not permit unauthenticated shares. If file sharing is required then don't permit unauthenticated access to a share. Configure the share so a password is required to connect to the share.
Restrict shares to only the minimum folders required. Generally only one folder and possibly sub-folders of that folder.
Restrict permissions on shared folders to the minimum required. Be especially careful to only permit write access when it is absolutely required.
For added security, allow sharing only to specific IP addresses because DNS names can be spoofed.
Block ports used for Windows shares at your network perimeter. Block the NetBIOS ports commonly used by Windows shares at your network perimeter using either your external router or perimeter firewall. The ports that should be blocked are 137-139 TCP and 137-139 UDP, and 445 TCP and 445 UDP.
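The share checks and port block above, worked through as a PowerShell script added here as an example; it is not part of the original document. It assumes a current Windows version with the SmbShare and NetSecurity modules (Windows 8 / Server 2012 and later), local administrator rights, and that the list of broad principals below is the one you want to flag; the border router or perimeter firewall rule itself is outside the script.

```powershell
# Added example (not from the original page): list every non-administrative SMB
# share on this host and flag entries that break the rules above: access granted to
# Everyone/anonymous/guest principals, and Change or Full rights where Read would do.
$broadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'NT AUTHORITY\ANONYMOUS LOGON',
                     'Guests', 'BUILTIN\Guests')   # assumption: principals to flag

foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {   # skip C$, ADMIN$, IPC$
    Write-Output "Share '$($share.Name)' -> $($share.Path)"
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # deny entries are fine
        $flags = @()
        if ($broadPrincipals -contains $ace.AccountName) { $flags += 'unauthenticated/broad principal' }
        if (@('Change', 'Full') -contains $ace.AccessRight) { $flags += "write access ($($ace.AccessRight))" }
        $tag = if ($flags) { 'FAIL: ' + ($flags -join '; ') } else { 'ok' }
        Write-Output ('  {0,-30} {1,-6} {2}' -f $ace.AccountName, $ace.AccessRight, $tag)
    }
}

# Host-level equivalent of the perimeter rule: block inbound NetBIOS/SMB
# (137-139 TCP/UDP and 445 TCP/UDP) on the Public firewall profile, so an
# Internet-facing host does not answer share requests even if the border is open.
$ports = @{ TCP = @('137-139', '445'); UDP = @('137-139', '445') }
foreach ($proto in $ports.Keys) {
    New-NetFirewallRule -DisplayName "Block inbound SMB/NetBIOS ($proto)" -Direction Inbound `
        -Protocol $proto -LocalPort $ports[$proto] -Action Block -Profile Public | Out-Null
}
```

The second half changes the host firewall; review the share report first and drop that part on machines that legitimately serve files to trusted networks on the Public profile.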