DOCSLIB.ORG

Analysis of the Security of Windows NT

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Analysis of the Security of Windows NT Analysis of the Security of Windows NT Hans Hedbom, Stefan Lindskog {Hans.Hedbom, Stefan.Lindskog}@hks.se Department of Computer Engineering Chalmers University of Technology S-412 96 Göteborg, SWEDEN and Department of Computer Science University of Karlstad S-651 88 Karlstad, SWEDEN Stefan Axelsson, Erland Jonsson {sax, erland.jonsson}@ce.chalmers.se Department of Computer Engineering Chalmers University of Technology S-412 96 Göteborg, SWEDEN Abstract This paper presents an analysis of the security in Windows NT 4.0, working in both stand-alone and networking mode. The objective of the work was to find out how secure this operating system actually is. A technical overview of the system, and in particular its security features is given. The system security was analyzed and practical intrusion attempts were made in order to verify vulnerabilities or to find new ones. All vulnerbilities are described in detail and classified according to a classification scheme. A comparison to com- monly known UNIX weaknesses was made. It revealed generic similarities between the two systems to a surprisingly high degree. Finally a number of recommendations are given. The paper concludes that there are ample oppor- tunities to improve the security of Windows NT. We have reason to believe that it is probably not higher than that of UNIX. Analysis of the Security of Windows NT 1 March 1999 2 Table of Contents 1. Scope .............................................................................................................9 2. Introduction................................................................................................10 3. System Overview........................................................................................11 3.1 Background ............................................................................................................11 3.2 System Architecture ...............................................................................................11 3.3 Executive ................................................................................................................12 3.4 Protected Subsystems .............................................................................................13 3.5 Objects....................................................................................................................15 3.5.1 Microkernel objects .................................................................................15 3.5.2 Executive Objects ....................................................................................15 3.6 Users and groups ....................................................................................................16 3.7 File Systems ...........................................................................................................17 3.7.1 File Allocation Table (FAT)....................................................................17 3.7.2 High Performance File System (HPFS)...................................................18 3.7.3 NT File System (NTFS) ..........................................................................18 3.7.4 Namned Pipe File System (NPFS) ..........................................................19 3.7.5 Mailslot File System (MSFS) ..................................................................19 4. Networking .................................................................................................20 4.1 Network Architecture .............................................................................................21 4.1.1 OSI versus NT Layer Model....................................................................21 4.1.2 Network Driver Interface Specification (NDIS)......................................22 4.1.3 Transport Protocols..................................................................................22 4.1.4 STREAMS...............................................................................................23 4.1.5 Transport Driver Interface (TDI).............................................................23 4.1.6 Network APIs ..........................................................................................23 4.2 Domains..................................................................................................................24 4.3 Trust Relationships.................................................................................................25 4.4 Shares .....................................................................................................................26 4.5 Server Message Block (SMB)................................................................................26 4.6 Common Internet File System (CIFS)....................................................................28 4.7 Remote Access Service (RAS)...............................................................................30 4.7.1 Remote Client Requirements...................................................................30 4.7.2 Wide Area Network Connectivity ...........................................................30 4.7.3 Telephone Application Programming Interface (TAPI)..........................31 4.7.4 Remote Access Protocols ........................................................................31 5. Security Features .......................................................................................34 5.1 Subjects and Objects ..............................................................................................34 5.2 Access Control Lists (ACLs) .................................................................................34 5.3 User Logon and Authentication .............................................................................35 5.4 Network Logon.......................................................................................................38 5.4.1 Netlogon ..................................................................................................38 5.4.2 Pass-through Logon .................................................................................39 5.4.3 Remote Logon .........................................................................................39 5.5 User Rights and Account Policies ..........................................................................40 5.6 Port Filtering...........................................................................................................42 5.7 Security Features in RAS .......................................................................................42 5.7.1 Authentication..........................................................................................42 5.7.2 Callback ...................................................................................................42 5.7.3 Default Deny...........................................................................................43 5.7.4 Access Restrictions..................................................................................43 Analysis of the Security of Windows NT 1 March 1999 3 5.7.5 PPTP Filtering .........................................................................................43 5.8 Auditing..................................................................................................................43 6. Utility Programs.........................................................................................46 6.1 Different Types of Utility Programs ......................................................................46 6.1.1 Security Analysis Programs.....................................................................46 6.1.2 Information Retrieval Programs ..............................................................46 6.1.3 Maintenance programs.............................................................................47 6.2 The Source Code Problem......................................................................................47 7. Vulnerabilities............................................................................................48 7.1 Methodology ..........................................................................................................48 7.2 Experimental System..............................................................................................48 7.3 Known Security Problems......................................................................................48 7.3.1 Installation Problems ...............................................................................48 7.3.2 Collisions in MD4 ...................................................................................49 7.3.3 Parameter Checks in System Calls ..........................................................49 7.3.4 Undocumented System Variables and Functions ....................................49 7.3.5 Plain-text Passwords over the Network...................................................50 7.3.6 Non NTFS File Systems ..........................................................................50 7.3.7 System Initialization ................................................................................50 7.4 Suggested Attacks ..................................................................................................50 7.4.1 Weaknesses in SMB and Challenge/Response........................................51 7.4.2 Weaknesses in SMB Signing...................................................................52 7.5 Availability Attacks................................................................................................53
Load more

Recommended publications
  • Windows - Run/Kör Kommando
    Windows - Run/Kör kommando Accessibility Controls - access.cpl Network Connections - ncpa.cpl Add Hardware Wizard - hdwwiz.cpl Network Setup Wizard - netsetup.cpl Add/Remove Programs - appwiz.cpl Notepad - notepad Administrative Tools - control admintools Nview Desktop Manager - nvtuicpl.cpl Automatic Updates - wuaucpl.cpl Object Packager - packager Bluetooth Transfer Wizard - fsquirt ODBC Data Source Administrator - odbccp32.cpl Calculator - calc On Screen Keyboard - osk Certificate Manager - certmgr.msc Opens AC3 Filter - ac3filter.cpl Character Map - charmap Password Properties - password.cpl Check Disk Utility - chkdsk Performance Monitor - perfmon.msc Clipboard Viewer - clipbrd Performance Monitor - perfmon Command Prompt - cmd Phone and Modem Options - telephon.cpl Component Services - dcomcnfg Power Configuration - powercfg.cpl Computer Management - compmgmt.msc Printers and Faxes - control printers Control Panel - control panel Printers Folder - printers Date and Time Properties - timedate.cpl Private Character Editor - eudcedit DDE Share - ddeshare Quicktime (If Installed) - QuickTime.cpl Device Manager - devmgmt.msc Regional Settings - intl.cpl Direct X Control Panel -directx.cpl Registry Editor - regedit Direct X Troubleshooter - dxdiag Registry Editor - regedit32 Disk Cleanup Utility - cleanmgr Remote Desktop - mstsc Disk Defragment - dfrg.msc Removable Storage - ntmsmgr.msc Disk Management - diskmgmt.msc Removable Storage Operator Requests - ntmsoprq.msc Disk Partition Manager - diskpart Resultant Set of Policy (XP Prof)
    [Show full text]
  • Powershell Core Ja Sitä Edeltävät Komentorivi- Pohjaiset Hallintatyökalut
    Ismail Belmostefa PowerShell Core ja sitä edeltävät komentorivi- pohjaiset hallintatyökalut Metropolia Ammattikorkeakoulu Insinööri (AMK) Tietotekniikan koulutusohjelma Insinöörityö 12.12.2016 Tiivistelmä Tekijä Ismail Belmostefa Otsikko PowerShell Core ja sitä edeltävät komentorivipohjaiset hallin- tatyökalut Sivumäärä 38 sivua + 2 liitettä Aika 12.12.2016 Tutkinto Insinööri (AMK) Koulutusohjelma Tietotekniikka Suuntautumisvaihtoehto Ohjelmistotekniikka Ohjaaja Kari Sundberg Ohjaajat Yliopettaja Markku Nuutinen Insinöörityön aiheena oli PowerShell Core ja sitä edeltävät komentorivipohjaiset hallinta- työkalut. Tavoite oli ymmärtää näiden asennusympäristö, alla käytetyt teknologiat ja niihin liittyvä terminologia. Tutkimustyö syntyi harjoittelutyön muistiinpanojen lopputuloksena sekä tutkimalla alan kirjallisuutta ja verkkomateriaalia. Insinöörityössä selvitettiin PowerShell Coren ja sitä edeltävien komentorivipohjaisten hal- lintatyökalujen alla käytetyt teknologiat, terminologia, käyttökohteet ja motivaatio niiden syntyyn. Koska komentorivipohjaiset hallintatyökalut on rakennettu asennusympäristön tar- joamien palveluiden päälle, palveluiden toiminnan hahmottaminen edesauttaa komentori- vin käyttöä ja soveltamista. Tutkimustyötä on hyödynnetty tietokoneen ylläpidossa, ohjel- moinnissa ja peruskäytössä. Tutkimustyö osoitti asennusympäristön kokonaiskuvan hallit- semisen tärkeyden komentorivipohjaisten työkalujen käytössä. Avainsanat DDE, OLE, COM, .NET, CMD.EXE, COMMAND.COM, WSH, MOM, PowerShell Abstract Author Ismail Belmostefa Title
    [Show full text]
  • Feature Description
    NTLM Feature Description UPDATED: 19 March 2021 NTLM Copyright Notices Copyright © 2002-2021 Kemp Technologies, Inc. All rights reserved. Kemp Technologies and the Kemp Technologies logo are registered trademarks of Kemp Technologies, Inc. Kemp Technologies, Inc. reserves all ownership rights for the LoadMaster and Kemp 360 product line including software and documentation. Used, under license, U.S. Patent Nos. 6,473,802, 6,374,300, 8,392,563, 8,103,770, 7,831,712, 7,606,912, 7,346,695, 7,287,084 and 6,970,933 kemp.ax 2 Copyright 2002-2021, Kemp Technologies, All Rights Reserved NTLM Table of Contents 1 Introduction 4 1.1 Document Purpose 6 1.2 Intended Audience 6 1.3 Related Firmware Version 6 2 Configure NTLM Authentication 7 2.1 Configure Internet Options on the Client Machine 7 2.2 Configure the LoadMaster 11 2.2.1 Enable NTLM Proxy Mode 13 2.2.2 Configure the Server Side SSO Domain 13 2.2.3 Configure the Client Side SSO Domain 15 2.2.4 Configure the Virtual Service 15 2.3 Configure Firefox to Allow NTLM (if needed) 17 2.4 Troubleshooting 18 References 19 Last Updated Date 20 kemp.ax 3 Copyright 2002-2021, Kemp Technologies, All Rights Reserved NTLM 1 Introduction 1 Introduction NT LAN Manager (NTLM) is a Windows Challenge/Response authentication protocol that is often used on networks that include systems running the Windows operating system and Active Directory. Kerberos authentication adds greater security than NTLM systems on a network and provides Windows-based systems with an integrated single sign-on (SSO) mechanism.
    [Show full text]
  • Logs & Event Analysis and Password Cracking
    Logs & Event Analysis and Password Cracking MODULE 6 Page 1 of 29 Contents 6.1 Learning Objectives ............................................................................................................. 4 6.2 Introduction .......................................................................................................................... 4 6.3 Windows registry ................................................................................................................. 5 6.3.1 Registry and forensics ................................................................................................... 5 6.3.1.1 System information ................................................................................................ 5 6.4 Windows event log file ........................................................................................................ 9 6.4.1 Windows Event Log File Format .................................................................................. 9 6.4.2 Reading from Windows event log file ........................................................................ 11 6.4.3 Using Microsoft log parser ......................................................................................... 11 6.4.4 Understanding Windows user account management logs .......................................... 13 6.4.5 Understanding Windows file and other object Access sets ........................................ 14 6.4.6 Auditing policy change ..............................................................................................
    [Show full text]
  • Scribbler Windows Agent
    Reach us [email protected] | [email protected] www.syskeysoftlabs.com Follow us Copyright © 2020 Syskey Softlabs Pvt Ltd. Trademarks Windows and Windows Server are either trademarks or registered trademarks of their respective owners in the United States and/or other countries. Contents Scribbler Windows Agent ...................................................................................................... 2 Installing Scribbler Windows Agent ........................................................................................ 2 Configuring Scribbler Windows Agent .................................................................................... 3 How to configure Windows Event Logs ...................................................................................... 3 How to set Event Log Filter ......................................................................................................... 4 How to configure Windows Firewall Logs ................................................................................... 8 How to forward Windows logs to Syslog Server ......................................................................... 9 Reference Links ................................................................................................................... 10 Scribbler Windows Agent Scribbler Windows Agent is one of the easiest and light weighted tools for gathering Windows Logs from Windows machines. It enables system administrators to easily monitor key metrics and change activities over the
    [Show full text]
  • Windows 10 in Year Two – Creators Update Windows 10  Changes Expected in Near Future Two Years out – Fall Creators Update
    For the next 90 minutes… Major changes to Windows 10 in year two – Creators Update Windows 10 Changes expected in near future two years out – Fall Creators Update Chris Taylor Growth of Windows 10 Major “feature” releases Microsoft announcement date Monthly active devices Name Release date Version Build Codename July 29, 2015 (first 24 hours) 14 million Original release * 2015-07-29 1507 10240 Threshold 1 August 26, 2015 75 million November Update 2015-11-12 1511 10586 Threshold 2 October 6, 2015 110 million (2 months to 100 m) Anniversary Update 2016-08-02 1607 14393 Redstone January 4, 2016 200 million (+ 3 months to 200 m) Creators Update 2017-04-11 1703 15063 Redstone 2 March 30, 2016 270 million Fall Creators Update 2017-10-17 1709 Redstone 3 May 5, 2016 300 million (+ 4 months to 300 m) 2018-04 1803 Redstone 4 June 29, 2016 350 million September 26, 2016 400 million (+ 5 months to 400 m) May 10, 2017 500 million (+ 7 months to 500 m) * No longer receiving any updates Find your version/build Free upgrade ended Microsoft offered a free upgrade from Windows 7/8 Free upgrade ended July, 2016 1 … or did it? Clean install Creators Update using Win7/8.1 Version 1703 product key Build 15063 Upgrade for those who Released 2017-04-11 use assistive Codename “Redstone 2” technologies Settings More migrated from Control Panel to Changes to Settings Settings – not everything … yet New top level – Apps was under System – Gaming – Mixed reality If you have a VR headset Settings | System Settings | System | |Display Storage Custom scaling
    [Show full text]
  • Program Name Run Command About Windows Winver Add a Device
    List of Run Commands in Win7/8 to Windows Managment By Shree Krishna Maharjan in some commands need to use .msc Program Name Run Command About Windows winver Add a Device devicepairingwizard Add Hardware Wizard hdwwiz Advanced User Accounts netplwiz Authorization Manager azman Backup and Restore sdclt Bluetooth File Transfer fsquirt Calculator calc Certificates certmgr Change Computer Performance Settings systempropertiesperformance Change Data Execution Prevention Settings systempropertiesdataexecutionprevention Change Printer Settings printui Character Map charmap ClearType Tuner cttune Color Management colorcpl Command Prompt cmd Component Services comexp Component Services dcomcnfg Computer Management compmgmt.msc Computer Management compmgmtlauncher Connect to a Network Projector netproj Connect to a Projector displayswitch Control Panel control Create A Shared Folder Wizard shrpubw Create a System Repair Disc recdisc Credential Backup and Restore Wizard credwiz Data Execution Prevention systempropertiesdataexecutionprevention Default Location locationnotifications Device Manager devmgmt.msc Device Pairing Wizard devicepairingwizard Diagnostics Troubleshooting Wizard msdt Digitizer Calibration Tool tabcal DirectX Diagnostic Tool dxdiag Disk Cleanup cleanmgr Disk Defragmenter dfrgui Disk Management diskmgmt.msc Display dpiscaling Display Color Calibration dccw Display Switch displayswitch DPAPI Key Migration Wizard dpapimig Driver Verifier Manager verifier Ease of Access Center utilman EFS REKEY Wizard rekeywiz Encrypting File System
    [Show full text]
  • Understanding the Windows SMB NTLM Authentication Weak Nonce Vulnerability
    Understanding the Windows SMB NTLM Authentication Weak Nonce Vulnerability Hernan Ochoa Agustin Azubel [email protected] [email protected] Understanding the Windows SMB NTLM Authentication Weak Nonce Vulnerability Presentation goals: ‣ Describe the vulnerability in detail ‣ Explain & demonstrate exploitation • Three different exploitation methods ‣ Clear up misconceptions ‣ Determine vulnerability scope, severity and impact ‣ Share Conclusions BlackHat USA 2010 Understanding the Windows SMB NTLM Authentication Weak Nonce Vulnerability Vulnerability Information ‣ Flaws in Windows’ implementation of NTLM - attackers can access SMB service as authorized user - leads to read/write access to files, SMB shared resources in general and remote code execution ‣ Published February 2010 ‣ CVE-2010-0231, BID 38085 ‣ Advisory with Exploit Code: • http://www.hexale.org/advisories/OCHOA-2010-0209.txt ‣ Addressed by MS10-012 BlackHat USA 2010 Understanding the Windows SMB NTLM Authentication Weak Nonce Vulnerability Why talk about this vulnerability? ‣ Major 14-year old vulnerability affecting Windows Authentication Mechanism! - Basically, all Windows versions were affected (NT4, 2000, XP, 2003, Vista, 2008, 7) - Windows NT 4 released in ∼1996 - Windows NT 3.1 released in ∼1993 (∼17 years ago) - All this time, we assumed it was working correctly.. but it wasn’t... - Flew under the radar... BlackHat USA 2010 Understanding the Windows SMB NTLM Authentication Weak Nonce Vulnerability Why talk about this vulnerability? ‣ Interesting vulnerability, not your common buffer overflow - Issues in the Pseudo-Random Number Generator (PRNG) - Challenge-response protocol implementation issues - Replay attacks - Attack to predict challenges is interesting BlackHat USA 2010 Understanding the Windows SMB NTLM Authentication Weak Nonce Vulnerability Why talk about this vulnerability? ‣ There’s a lesson to be learned..
    [Show full text]
  • Chapter 15-70-411FINAL[1]
    Lesson 15: Configuring Service Authentication MOAC 70-411: Administering Windows Server 2012 Overview • Exam Objective 5.1: Configure Service Authentication • Configuring Service Authentication • Managing Service Accounts © 2013 John Wiley & Sons, Inc. 2 Configuring Service Authentication Lesson 15: Configuring Service Authentication © 2013 John Wiley & Sons, Inc. 3 Authentication • Authentication is the act of confirming the identity of a user or system and is an essential part used in authorization when the user or system tries to access a server or network resource. • Two types of authentication that Windows supports are NT LAN Manager (NTLM) and Kerberos. • Kerberos is the default authentication protocol for domain computers. • NTLM is the default authentication protocol for Windows NT, standalone computers that are not part of a domain, and situations in which you authenticate to a server using an IP address. © 2013 John Wiley & Sons, Inc. 4 Understanding NTLM Authentication • NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. • NTLM is an integrated single sign-on mechanism. • NTLM uses a challenge-response mechanism for authentication in which clients are able to prove their identities without sending a password to the server. © 2013 John Wiley & Sons, Inc. 5 Managing Kerberos Kerberos: • Is a computer network authentication protocol, which allows hosts to prove their identity over a non-secure network in a secure manner. • Can provide mutual authentication
    [Show full text]
  • Level One Benchmark Windows NT 4.0 Operating Systems V1.0.5
    Level One Benchmark Windows NT 4.0 Operating Systems V1.0.5 Copyright 2003, The Center for Internet Security www.cisecurity.org Page 2 of 32 Terms of Use Agreement Background. CIS provides benchmarks, scoring tools, software, data, information, suggestions, ideas, and other services and materials from the CIS website or elsewhere (“Products”) as a public service to Internet users worldwide. Recommendations contained in the Products (“Recommendations”) result from a consensus-building process that involves many security experts and are generally generic in nature. The Recommendations are intended to provide helpful information to organizations attempting to evaluate or improve the security of their networks, systems and devices. Proper use of the Recommendations requires careful analysis and adaptation to specific user requirements. The Recommendations are not in any way intended to be a “quick fix” for anyone’s information security needs. No representations, warranties and covenants. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the Products or the Recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any Product or Recommendation. CIS is providing the Products and the Recommendations “as is” and “as available” without representations, warranties or covenants of any kind. User agreements. By using the Products and/or the Recommendations, I and/or my organization (“we”) agree and acknowledge that: 1. No network, system, device, hardware, software or component can be made fully secure; 2.
    [Show full text]
  • Automated Testing of Firmware Installation and Update Scenarios for Peripheral Devices
    DEGREE PROJECT IN COMPUTER SCIENCE AND ENGINEERING, SECOND CYCLE, 30 CREDITS STOCKHOLM, SWEDEN 2019 Automated testing of firmware installation and update scenarios for peripheral devices DAG REUTERSKIÖLD KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE Automated testing of firmware installation and update scenarios for peripheral devices DAG REUTERSKIÖLD Master in Computer Science Date: August 12, 2019 Supervisor: Hamid Faragardi Examiner: Elena Troubitsyna School of Electrical Engineering and Computer Science Host company: Tobii AB Swedish title: Automatisering av enhetsinstallation, uppdatering och testning med hjälp av virtuella maskiner iii Abstract This research presents an approach to transition from manual to automated testing of hardware specific firmware. The manual approach for firmware test- ing can be repetitive and time consuming. A significant proportion of the time is spent on cleaning and re-installing operating systems so that old firmware does not interfere with the newer firmware that is being tested. The approach in this research utilizes virtual machines and presents an automation framework. One component of the automation framework is an application to imitate con- nected peripheral devices to bypass hardware dependencies of firmware in- stallers. The framework also consists of automation and pipeline scripts with the objective to execute firmware installers and detect errors and abnormalities in the installation and updating processes. The framework can run on locally hosted virtual machines, but is most applicable using cloud hosted virtual ma- chines, where it is part of a continuous integration that builds, downloads, installs, updates and tests new firmware versions, in a completely automated manner. The framework is evaluated by measuring and comparing execution times with manually conducted installation and updating tests, and the result shows that the framework complete tests much faster than the manual approach.
    [Show full text]
  • Microsoft Windows NT
    Microsoft Windows NT Securing Windows NT Installation October 23, 1997 Microsoft Corporation Contents Abstract Establishing Computer Security Levels of Security Off-the-Shelf vs. Custom Software Minimal Security Standard Security High-Level Security High-Level Software Security Considerations User Rights Protecting Files and Directories Protecting the Registry Secure EventLog Viewing Secure Print Driver Installation The Schedule Service (AT Command) Secure File Sharing FTP Service NetBios Access From Internet Hiding the Last User Name Restricting the Boot Process Allowing Only Logged-On Users to Shut Down the Computer Controlling Access to Removable Media Securing Base System Objects Enabling System Auditing Enhanced Protection for Security Accounts Manager Database Restricting Anonymous network access to Registry Restricting Anonymous network access to lookup account names and groups and network shares Enforcing strong user passwords Disabling LanManager Password Hash Support Wiping the System Page File during clean system shutdown Disable Caching of Logon Credentials during interactive logon. C2 Security Evaluation vs. Certification Setting up a C2-compliant System Abstract Microsoft® Windows NT® operating system provides a rich set of security features. However, the default out-of-the-box configuration is highly relaxed, especially on the Workstation product. This is because the operating system is sold as a shrink-wrapped product with an assumption that an average customer may not want to worry about a highly restrained but secure system on their desktop. This assumption has changed over the years as Windows NT gains popularity largely because of its security features. Microsoft is investigating a better secured default configuration for future releases. In the meantime, this white paper talks about various security issues with respect to configuring all Windows NT version 4.0 OS products for a highly secure computing environment.
    [Show full text]