Network Security Focus-Microsoft
RE: What server hardening are you doing these days?

Subject: RE: What server hardening are you doing these days?
Date: Fri, 11 Nov 2005 16:38:15 -0500
Matthew,

It's sounding as though it has perhaps been a while since you updated your
familiarity with the newer operating systems. When is the last time you
denied Local System access to "certain files" (and I'm familiar with what it
is of which you speak, but I haven't done that since NT4 in 1996 or so)?
This isn't a challenge; it's an honest question. 

Have you looked at IIS6 from an architectural standpoint? IIS 6 is an
entirely different product than its predecessors. Completely rearchitected
from the ground up, and not even close in terms of what resides where.

You're pointing out issues that have long been fixed. I'd suggest taking a
look at some of the links that people have provided, because among other
things, some of them actually outline how significantly the OS defaults
changed in Windows Server 2003. 

If we were debating NT 4 here, then the below might be valid. However, NT4
was released a decade ago, and we're now dealing with Windows Server 2003,
which has been out for over two years. Windows Server 2003 is an entirely
different animal, even down to things like kernel exception handling.
Speaking for myself, I always like to test anything I assert before making
statements, because sometimes I find out that my knowledge is outdated or
lacking when I do so. 

Since you say you've not looked at all of the information provided by
others, it's therefore a specious argument to say that "none of them has
bothered to address the basic, out of the box faults of the windows
filesystem permissions". The reality is, Microsoft has addressed them.
Start taking a deeper look, and read the Microsoft security guides.
Seriously. You'll find that you've made some statements that just aren't
true anymore.

Laura 

-----Original Message-----
From: matthew patton [mailto:pattonme@yahoo.com] 
Sent: Friday, November 11, 2005 2:00 AM
To: focus-ms@securityfocus.com
Subject: Re: What server hardening are you doing these days?

ok, seems I need to clarify since several people have 
responded with their bookmark collection of tips, cheats, 
workarounds, papers, etc. etc. etc.

While not having looked at all of them, the point is none of 
them has bothered to address the basic, out of the box faults 
of the windows filesystem permissions, nor the culture of 
permissiveness that permeates all things windows. It's one 
band-aid after another.

LocalSystem isn't 'root'. It's similar in some aspects, but I 
can trash an NT box by denying LocalSystem permissions to 
certain files. I can lock out the Administrator likewise. The 
point is not that there aren't a zillion different guides to 
living "more safely" with windows. The point is that on a 
most rudimentary level, when you start with LocalSystem 
having Full Control over the entire disk and there is NOT ONE 
reason for it to be that way, you have a situation where 
security wasn't thought thru. IIS has no business running as 
LocalSystem for example. It should be fully capable of 
running as a 'normal' user with maybe a couple of special 
privs attached. The concept and implementation of 'sudo' has 
been around for what, more than 10 years?

How many of you throw the vendor documentation in the trash 
and actually make the product run as an unprivileged user? 
Say Oracle? or ColdFusion, or WebSphere, BEA, etc? Think 
about it. You have all these operating system components, 3rd 
party "daemons", and who knows what all running as the same 
user. And said user has full control permissions to 
practically every file on the disk. So what that maybe there 
are 30% fewer buffer overflows in the unholy number of 
millions of lines of code. If the filesystem/registry 
permissions are such that LocalSystem can't do jack, I don't 
care so much if there are glaring problems. (not to imply I 
condone sloppy coding)

I have yet to find a guide that actually spelled out the REAL 
permissions needed for LocalSystem. It needs 'read' to pieces 
of the %system% tree and 'write' to a couple of files but 
that's it. Mention to Microsoft that you've wholesale mucked 
with their "anything goes"
permission set and they have a coronary and disavow any 
notion of support. Why is that? Are they ignorant about what 
their own product actually needs? Where is the security team 
that has gone thru and redefined all permissions to what they 
should be and told the programmers to go back and fix their code?

The filesystem is the easy one. I don't have the interest or 
the time to bother with the registry though in some respects 
that's probably more important.
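The argument above is about how much of a Windows box runs as LocalSystem and how much of the disk that account can write to. The following read-only audit script is an added example, not part of either message, and shows what an administrator could measure before deciding which services to move to their own accounts. It assumes an elevated PowerShell session on a Windows host; the service name in the remediation comment at the end is a placeholder.

```powershell
# Added example (not from the thread): inventory services running as LocalSystem
# and list top-level folders on the system drive where SYSTEM holds Full Control.
# Read-only: requires an elevated session, changes nothing.

# 1. Services whose logon account is LocalSystem (Win32_Service reports "LocalSystem").
$systemServices = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    Select-Object Name, DisplayName, State, PathName

"{0} services run as LocalSystem" -f @($systemServices).Count
$systemServices | Sort-Object Name | Format-Table -AutoSize

# 2. Resolve the well-known SID S-1-5-18 to its account name ("NT AUTHORITY\SYSTEM")
#    so the ACE comparison does not depend on the display language of the host.
$sid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')
$systemAccount = $sid.Translate([System.Security.Principal.NTAccount]).Value
$full = [System.Security.AccessControl.FileSystemRights]::FullControl

# 3. Walk the top-level folders of the system drive and keep every Allow ACE that
#    grants SYSTEM the complete FullControl mask (all bits set, not just some).
$fullControl = foreach ($dir in Get-ChildItem -Path "$env:SystemDrive\" -Directory -Force -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    $acl.Access |
        Where-Object {
            $_.IdentityReference.Value -eq $systemAccount -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        } |
        ForEach-Object {
            [PSCustomObject]@{ Path = $dir.FullName; Inherited = $_.IsInherited }
        }
}

"{0} top-level folders grant {1} Full Control" -f @($fullControl).Count, $systemAccount
$fullControl | Format-Table -AutoSize

# 4. Remediation pattern for one service (placeholder name 'ExampleSvc', not executed here):
#    give it a per-service virtual account, which starts with no rights anywhere and
#    only gets the folder permissions you explicitly grant it.
#    sc.exe config 'ExampleSvc' obj= 'NT SERVICE\ExampleSvc' password= ''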
