Mcgraw.Hill.Hacknotes.Windows.Security.Portable
Total Page:16
File Type:pdf, Size:1020Kb
HackNote / HackNotes Windows Security Portable Reference / O’Dea / 222785-0 / Color profile: Generic CMYK printer profile Composite Default screen blind folio i HACKNOTES™ “HackNotes Windows Security Portable Reference distills into a small form factor the encyclopedic information in the original Hacking Exposed: Windows 2000.” —Joel Scambray, coauthor of Hacking Exposed 4th Edition, Hacking Exposed Windows 2000, and Hacking Exposed Web Applications; Senior Director of Security, Microsoft’s MSN “HackNotes Windows Security Portable Reference takes a ‘Just the Facts, Ma’am’ approach to securing your Windows infrastructure. It checks the overly long exposition at the door, focusing on specific areas of attack and defense. If you’re more concerned with securing systems than speed-reading thousand-page tech manuals, stash this one in your laptop case now.” —Chip Andrews, www.sqlsecurity.com, Black Hat Speaker, and coauthor of SQL Server Security “No plan, no matter how well-conceived, survives contact with the enemy. That’s why Michael O’Dea’s HackNotes Windows Security Portable Reference is a must-have for today’s over-burdened, always-on-the-move security professional. Keep this one in your hip pocket. It will help you prevent your enemies from gaining the initiative.” —Dan Verton, author of Black Ice: The Invisible Threat of Cyber-Terrorism and award-winning senior writer for Computerworld “HackNotes Windows Security Portable Reference covers very interesting and pertinent topics, especially ones such as common ports and services, NetBIOS name table definitions, and other very specific areas that are essential to understand if one is to genuinely comprehend how Windows systems are attacked. Author Michael O’Dea covers not only well-known but also more obscure (but nevertheless potentially dangerous) attacks. Above all else, he writes in a very clear, well-organized, and concise style—a style that very few technical books can match.” —Dr. Eugene Schultz, Ph.D., CISSP, CISM, Principle Computer Systems Engineer, University of California-Berkeley, Prominent SANS speaker P:\010Comp\HackNote\785-0\fm.vp Friday, June 20, 2003 10:31:38 AM Color profile: Generic CMYK printerHackNote profile/ HackNotes Windows Security Portable Reference / O’Dea / 222785-0 / Composite Default screen blind folio 1 About the Author Michael O’Dea is Project Manager of Product Services for the security firm Foundstone, Inc. Michael has been immersed in information technology for over 10 years, working with technologies such as enterprise data encryption, vi- rus defense, firewalls, and proxy service solutions on a variety of UNIX and Windows platforms. Currently, Michael develops custom integration solutions for the Foundstone Enterprise vulnerability management product line. Prior to joining Foundstone, Michael worked as a senior analyst supporting Internet se- curity for Disney Worldwide Services, Inc., the data services arm of the Walt Disney Company; and as a consultant for Network Associates, Inc., Michael has contributed to many security publications, including Hacking Exposed: Fourth Edition and Special Ops: Internal Network Security. About the Technical Editor Arne Vidström is an IT Security Research Scientist at the Swedish Defence Re- search Agency. Prior to that he was a Computer Security Engineer at the telecom operator Telia, doing penetration testing, source code security reviews, security configuration testing, and creation of security configuration checklists. Arne holds a University Diploma in Electronic Engineering and a B.Sc. in Math- ematics from the University of Karlstad. In his spare time he runs the Windows security web site ntsecurity.nu, where he publishes his own freeware security tools and vulnerability discoveries. P:\010Comp\HackNote\785-0\fm.vp Friday, June 20, 2003 10:30:34 AM HackNote / HackNotes Windows Security Portable Reference / O’Dea / 222785-0 / Color profile: Generic CMYK printer profile Composite Default screen blind folio iii HACKNOTES™ Windows MICHAEL O’DEA McGraw-Hill/Osborne New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto P:\010Comp\HackNote\785-0\fm.vp Friday, June 20, 2003 10:30:34 AM Color profile: Generic CMYK printerHackNote profile/ HackNotes Windows Security Portable Reference / O’Dea / 222785-0 / Composite Default screen blind folio 1 McGraw-Hill/Osborne 2100 Powell Street, 10th Floor Emeryville, California 94608 U.S.A. To arrange bulk purchase discounts for sales promotions, premiums, or fund- raisers, please contact McGraw-Hill/Osborne at the above address. For informa- tion on translations or book distributors outside the U.S.A., please see the Interna- tional Contact Information page immediately following the index of this book. HackNotesTM Windows® Security Portable Reference Copyright © 2003 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. 1234567890 DOC DOC 019876543 ISBN 0-07-222785-0 Publisher Copy Editor Brandon A. Nordin Andrea Boucher Vice President & Associate Publisher Proofreader Scott Rogers Linda Medoff Editorial Director Indexer Tracy Dunkelberger Jack Lewis Executive Editor Composition Jane K. Brownlow Lucie Ericksen Project Editor John Patrus Jennifer Malnick Illustrators Executive Project Editor Kathleen Edwards Mark Karmendy Dick Schwartz Acquisitions Coordinator Lyssa Wald Athena Honore Series Design Technical Editor Dick Schwartz Arne Vidström Peter F. Hancik Series Editor Cover Series Design Mike Horton Dodie Shoemaker This book was composed with Corel VENTURA™ Publisher. Information has been obtained by McGraw-Hill/Osborne from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill/Osborne, or others, McGraw-Hill/Osborne does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information. P:\010Comp\HackNote\785-0\fm.vp Friday, June 20, 2003 10:30:34 AM HackNote / HackNotes Windows Security Portable Reference / O’Dea / 222785-0 / Color profile: Generic CMYK printer profile Composite Default screen CONTENTS Acknowledgments . ix HackNotes: The Series. xi Introduction . xiii Reference Center Hacking Fundamentals: Concepts . RC 2 ICMP Message Types . RC 5 Common Ports and Services . RC 7 Common NetBIOS Name Table Definitions . RC 12 Windows Security Fundamentals: Concepts . RC 13 Windows Default User Accounts . RC 14 Windows Authentication Methods . RC 15 Common Security Identifiers (SIDs) . RC 16 Windows NT File System Permissions . RC 17 Useful Character Encodings . RC 18 Testing for Internet Information Services ISAPI Applications . RC 21 Security Related Group Policy Settings . RC 22 Useful Tools . RC 26 Quick Command Lines . RC 28 WinPcap / libpcap Filter Reference . RC 29 nslookup Command Reference . RC 30 Microsoft Management Console . RC 31 Online References . RC 32 Part I Hacking Fundamentals ■ 1 Footprinting: Knowing Where to Look . 3 Footprinting Explained . 4 Footprinting Using DNS . 4 Footprinting Using Public Network Information . 10 Summary . 12 v P:\010Comp\HackNote\785-0\fm.vp Friday, June 20, 2003 10:30:34 AM HackNote / HackNotes Windows Security Portable Reference / O’Dea / 222785-0 / FM Color profile: Generic CMYK printer profile Composite Default screen vi HackNotes Windows Security Portable Reference ■ 2 Scanning: Skulking About . 13 Scanning Explained . 14 How Port Scanning Works . 14 Port Scanning Utilities . 21 Summary . 30 ■ 3 Enumeration: Social Engineering, Network Style . 31 Enumeration Overview . 32 DNS Enumeration (TCP/53, UDP/53) . 35 NetBIOS over TCP/IP Helpers (UDP/137, UDP 138, TCP/139, and TCP/445) . 37 Summary . 48 ■ 4 Packet Sniffing: The Ultimate Authority . 49 The View from the Wire . 50 Windows Packet Sniffing . 50 Summary . 57 ■ 5 Fundamentals of Windows Security . 59 Components of the Windows Security Model . 60 Security Operators: Users and User Contexts . 60 Authentication . 66 Windows Security Providers . 69 Active Directory and Domains . 70 Summary . 71 Part II Windows 2000 and 2003 Server Hacking Techniques & Defenses ■ 6 Probing Common Windows Services . 75 Most Commonly Attacked Windows Services . 76 Server Message Block Revisited . 76 Probing Microsoft SQL Server . 89 Microsoft Terminal Services / Remote Desktop (TCP 3389) . 93 Summary . 96 ■ 7 Hacking Internet Information Services . 97 Working with HTTP Services . 98 Simple HTTP Requests . 98 Speaking HTTP . 99 Delivering Advanced Exploits . 100 Introducing the Doors . 102 The Big Nasties: Command Execution . 102 A Kinder, Gentler Attack . 115 Summary . 117 P:\010Comp\HackNote\785-0\fm.vp Friday, June 20, 2003 10:30:34 AM HackNote / HackNotes Windows Security Portable Reference / O’Dea / 222785-0 / FM Color profile: Generic CMYK printer profile Composite Default screen Contents vii Part III Windows Hardening ■ 8 Understanding Windows Default Services . 121 Windows Services Revealed . 122 The Top Three Offenders . 122 Internet Information Services/ World Wide Web Publishing Service . 122 Terminal Services . 123 Microsoft SQL Server / SQL Server Resolution Service . 123 The Rest of the Field . 123 Summary . 134 ■ 9 Hardening Local User Permissions . 135 Windows Access Control Facilities . 136 File System Permissions . 136 Local Security Settings . 146 Summary . 154 ■ 10 Domain Security with Group Policies . 155 Group Policy Overview . 156 Group Policy Application . 157 Working with Group Policies . 157 Working with Group Policies in Active Directory . 163 Editing Default Domain Policies . 164 Controlling Who Is Affected by Group Policies . 165 Using the Group Policy Management Console . 166 Summary . ..