Analysis of the Security of Windows NT

Hans Hedbom, Stefan Lindskog
{Hans.Hedbom, Stefan.Lindskog}@hks.se
Department of Computer Engineering, Chalmers University of Technology, S-412 96 Göteborg, SWEDEN
and Department of Computer Science, University of Karlstad, S-651 88 Karlstad, SWEDEN

Stefan Axelsson, Erland Jonsson
{sax, erland.jonsson}@ce.chalmers.se
Department of Computer Engineering, Chalmers University of Technology, S-412 96 Göteborg, SWEDEN

1 March 1999

Abstract

This paper presents an analysis of the security in Windows NT 4.0, working in both stand-alone and networking mode. The objective of the work was to find out how secure this operating system actually is. A technical overview of the system, and in particular its security features, is given. The system security was analyzed and practical intrusion attempts were made in order to verify vulnerabilities or to find new ones. All vulnerabilities are described in detail and classified according to a classification scheme. A comparison to commonly known UNIX weaknesses was made. It revealed generic similarities between the two systems to a surprisingly high degree. Finally, a number of recommendations are given. The paper concludes that there are ample opportunities to improve the security of Windows NT. We have reason to believe that it is probably not higher than that of UNIX.

Table of Contents

1. Scope ........ 9
2. Introduction ........ 10
3. System Overview ........ 11
   3.1 Background ........ 11
   3.2 System Architecture ........ 11
   3.3 Executive ........ 12
   3.4 Protected Subsystems ........ 13
   3.5 Objects ........ 15
       3.5.1 Microkernel Objects ........ 15
       3.5.2 Executive Objects ........ 15
   3.6 Users and Groups ........ 16
   3.7 File Systems ........ 17
       3.7.1 File Allocation Table (FAT) ........ 17
       3.7.2 High Performance File System (HPFS) ........ 18
       3.7.3 NT File System (NTFS) ........ 18
       3.7.4 Named Pipe File System (NPFS) ........ 19
       3.7.5 Mailslot File System (MSFS) ........ 19
4. Networking ........ 20
   4.1 Network Architecture ........ 21
       4.1.1 OSI versus NT Layer Model ........ 21
       4.1.2 Network Driver Interface Specification (NDIS) ........ 22
       4.1.3 Transport Protocols ........ 22
       4.1.4 STREAMS ........ 23
       4.1.5 Transport Driver Interface (TDI) ........ 23
       4.1.6 Network APIs ........ 23
   4.2 Domains ........ 24
   4.3 Trust Relationships ........ 25
   4.4 Shares ........ 26
   4.5 Server Message Block (SMB) ........ 26
   4.6 Common Internet File System (CIFS) ........ 28
   4.7 Remote Access Service (RAS) ........ 30
       4.7.1 Remote Client Requirements ........ 30
       4.7.2 Wide Area Network Connectivity ........ 30
       4.7.3 Telephone Application Programming Interface (TAPI) ........ 31
       4.7.4 Remote Access Protocols ........ 31
5. Security Features ........ 34
   5.1 Subjects and Objects ........ 34
   5.2 Access Control Lists (ACLs) ........ 34
   5.3 User Logon and Authentication ........ 35
   5.4 Network Logon ........ 38
       5.4.1 Netlogon ........ 38
       5.4.2 Pass-through Logon ........ 39
       5.4.3 Remote Logon ........ 39
   5.5 User Rights and Account Policies ........ 40
   5.6 Port Filtering ........ 42
   5.7 Security Features in RAS ........ 42
       5.7.1 Authentication ........ 42
       5.7.2 Callback ........ 42
       5.7.3 Default Deny ........ 43
       5.7.4 Access Restrictions ........ 43
       5.7.5 PPTP Filtering ........ 43
   5.8 Auditing ........ 43
6. Utility Programs ........ 46
   6.1 Different Types of Utility Programs ........ 46
       6.1.1 Security Analysis Programs ........ 46
       6.1.2 Information Retrieval Programs ........ 46
       6.1.3 Maintenance Programs ........ 47
   6.2 The Source Code Problem ........ 47
7. Vulnerabilities ........ 48
   7.1 Methodology ........ 48
   7.2 Experimental System ........ 48
   7.3 Known Security Problems ........ 48
       7.3.1 Installation Problems ........ 48
       7.3.2 Collisions in MD4 ........ 49
       7.3.3 Parameter Checks in System Calls ........ 49
       7.3.4 Undocumented System Variables and Functions ........ 49
       7.3.5 Plain-text Passwords over the Network ........ 50
       7.3.6 Non-NTFS File Systems ........ 50
       7.3.7 System Initialization ........ 50
   7.4 Suggested Attacks ........ 50
       7.4.1 Weaknesses in SMB and Challenge/Response ........ 51
       7.4.2 Weaknesses in SMB Signing ........ 52
   7.5 Availability Attacks ........ 53

Details: PDF, 97 pages, English.
