<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/"><channel><title>Secure OS</title><link>http://cyberforge.com/weblog/aniltj/category/2.aspx</link><description>Secure OS</description><managingEditor>Anil John</managingEditor><dc:language>en-US</dc:language><generator>.Text Version 0.95.2004.102</generator><item><dc:creator>Anil John</dc:creator><title>This blog is moving! - New location http://www.aniltj.com/blog</title><link>http://cyberforge.com/weblog/aniltj/archive/2005/05/09/995.aspx</link><pubDate>Mon, 09 May 2005 18:03:00 GMT</pubDate><guid>http://cyberforge.com/weblog/aniltj/archive/2005/05/09/995.aspx</guid><description>&lt;P&gt;This blog is moving!&lt;/P&gt;
&lt;P&gt;New location &lt;A href="http://www.aniltj.com/blog"&gt;http://www.aniltj.com/blog&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;RSS Feed @ &lt;A href="http://www.aniltj.com/blog/SyndicationService.asmx/GetRss"&gt;http://www.aniltj.com/blog/SyndicationService.asmx/GetRss&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;img src ="http://cyberforge.com/weblog/aniltj/aggbug/995.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>Anil John</dc:creator><title>Whew!!</title><link>http://cyberforge.com/weblog/aniltj/archive/2004/12/20/804.aspx</link><pubDate>Mon, 20 Dec 2004 22:30:00 GMT</pubDate><guid>http://cyberforge.com/weblog/aniltj/archive/2004/12/20/804.aspx</guid><description>&lt;p&gt;When I wrote about &lt;a href="http://cyberforge.com/weblog/aniltj/archive/2004/11/14/750.aspx"&gt;Reliability and Security in a home network environment&lt;/a&gt; earlier, I never realized that I would have to put it to the test so soon!&lt;/p&gt; &lt;p&gt;About a week ago, my SBS 2003 server started hootin' and hollerin' at me. It turned out that&amp;nbsp;the&amp;nbsp;200GB hard drive&amp;nbsp;that held all of my data was the culprit. I rebooted the machine, came into the drive diagnostics and found out that the new drive that held all of my data had just given up the ghost!&amp;nbsp; But since that drive was configured in a RAID 1 (Mirrored) configuration I had a bit of a reprieve. I broke the array, took the defective drive out of the drive caddy and rebooted.&amp;nbsp;&amp;nbsp;Everything just came&amp;nbsp;up just fine!&amp;nbsp; Sweet!&lt;/p&gt; &lt;p&gt;I immediately increased the frequency of my backups to my external USB drive&amp;nbsp;to daily instead of weekly and called the drive manufacturer to request a replacement.&amp;nbsp;I got the replacement drive today, loaded it into the drive caddy, brought up the RAID controller console, and asked it to rebuild my RAID 1 array. It took more than 2 hours, but I just got notified that the drive array rebuild was complete and that my RAID 1 array was functioning properly.&amp;nbsp; My paranoia.. ah.. excuse me.... My disaster recovery and contingency plan just got validated big time! 
:-)&lt;/p&gt;&lt;img src ="http://cyberforge.com/weblog/aniltj/aggbug/804.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>Anil John</dc:creator><title>Microsoft Security Resource Guide - November 2004</title><link>http://cyberforge.com/weblog/aniltj/archive/2004/11/25/764.aspx</link><pubDate>Thu, 25 Nov 2004 11:06:00 GMT</pubDate><guid>http://cyberforge.com/weblog/aniltj/archive/2004/11/25/764.aspx</guid><description>&lt;p&gt;&lt;a href="http://msmvps.com/secure/archive/2004/11/24/20647.aspx"&gt;Jerry Bryant [MS] has an excellent post&lt;/a&gt; with links to Security resources that are provided by Microsoft. I am copying this here so that I do not have to go looking for them later:&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Tools&lt;/strong&gt;&lt;/p&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/mbsa"&gt;Microsoft Baseline Security Analyzer (MBSA)&lt;/a&gt;&lt;br /&gt; Use this tool to identify common security misconfigurations and missing security updates. MBSA runs on the Windows Server&amp;trade; 2003, Windows&amp;reg; 2000, and Windows XP operating systems and will scan for vulnerabilities in multiple products and technologies, including Microsoft Internet Information Services (IIS) and SQL Server&amp;trade;.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/wus"&gt;Software Update Services (SUS) / Windows Update Services (WUS)&lt;/a&gt;&lt;br /&gt; Quickly and reliably deploy the latest security updates, and service packs with Software Update Services. 
This new site now has the latest info on WUS.&lt;/li&gt; &lt;li&gt;&lt;a href="http://windowsupdate.microsoft.com/"&gt;Windows Update&lt;/a&gt;&lt;br /&gt; Scans your computer and provides a selection of updates tailored for your operating system, software, and hardware.&lt;/li&gt; &lt;li&gt;&lt;a href="http://office.microsoft.com/productupdates/"&gt;Microsoft Office Product Updates&lt;/a&gt;&lt;br /&gt; Scans and updates Microsoft Office products.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/tools/locktool.mspx"&gt;IIS Web Server Lockdown Wizard&lt;/a&gt;&lt;br /&gt; Reduces the attack surface of Internet Information Services (IIS) and includes URLScan to provide multiple layers of protection against attackers.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/tools/urlscan.mspx"&gt;UrlScan Security Tool&lt;/a&gt;&lt;br /&gt; Helps prevent potentially harmful HTTP requests from reaching IIS Web servers.&lt;/li&gt;&lt;/ul&gt; &lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Removal Tools:&lt;/div&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://support.microsoft.com/?kbid=836528"&gt;Mydoom, Zindos and Doomjuice worms&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=e70a0d8b-fe98-493f-ad76-bf673a38b4cf&amp;amp;displaylang=en"&gt;Blaster Removal Tool for Windows XP and 2000&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://support.microsoft.com/?kbid=841720"&gt;Sasser (A-F) Worm Removal Tool&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://support.microsoft.com/?kbid=886988"&gt;MS04-028 Enterprise Scanning Tool&lt;/a&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/li&gt;&lt;/ul&gt; &lt;div&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; Other Tools:&lt;/div&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/tools/default.mspx"&gt;http://www.microsoft.com/technet/security/tools/default.mspx&lt;/a&gt;&lt;/li&gt; 
&lt;li&gt;&lt;a href="http://www.securityguidance.com"&gt;Security Risk Self-Assessment for Midsize Organizations&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;div&gt;&lt;strong&gt;Updating&lt;/strong&gt;&lt;/div&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/topics/patch/patchmanagement.mspx"&gt;Understanding Update Management: Microsoft&amp;rsquo;s Software Update Strategy&lt;/a&gt;&lt;br /&gt; Updated white paper talks about the need for strong update management process.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/topics/patch/default.mspx"&gt;Other Update Management info in the TechNet Topics Page&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;div&gt;&lt;strong&gt;Isolation and Resiliency&lt;/strong&gt;&lt;/div&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/winxpsp2"&gt;Listing of resources for the IT Pro to evaluate and deploy XP SP2&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/nap"&gt;Network Access Protection&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/isaserver/evaluation/whitepapers/default.asp"&gt;Internet Security and Acceleration (ISA) Server 2004 whitepapers updated&lt;/a&gt;&lt;br /&gt; Read about secure remote Outlook access in the Unique Protection for Microsoft Exchange Server whitepaper, a very viable business scenario with ISA Server&lt;/li&gt;&lt;/ul&gt; &lt;div&gt;&lt;strong&gt;Engineering Excellence&lt;/strong&gt;&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;/div&gt; &lt;ul&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/mscorp/twc/security/default.mspx"&gt;Trustworthy Computing: Security&lt;/a&gt;&lt;/li&gt; &lt;li&gt;Whitepapers on Security Enhancements:&lt;br /&gt; Describes the Trustworthy Computing initiative as applied to the Windows Server, Office 2003 and Exchange Server 2003 development processes respectively.&lt;br /&gt; &lt;a href="http://www.microsoft.com/windowsserver2003/techinfo/overview/secinnovation.mspx"&gt;Windows 
Server 2003&lt;/a&gt;&lt;br /&gt; &lt;a href="http://www.microsoft.com/technet/prodtechnol/office/office2003/deploy/secdesn.mspx"&gt;Office 2003&lt;/a&gt;&lt;br /&gt; &lt;a href="http://www.microsoft.com/exchange/evaluation/Security_e2k3.asp"&gt;Exchange Server 2003&lt;/a&gt;&lt;/li&gt; &lt;li&gt;Get the Facts:&lt;br /&gt; &lt;a href="http://www.microsoft.com/getthefacts"&gt;Windows and Linux&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/sql/evaluation/compare/databasesecurity.asp"&gt;SQL&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;div&gt;&lt;strong&gt;Guidance and Training&lt;/strong&gt;&lt;/div&gt; &lt;div&gt;&amp;nbsp;&lt;/div&gt; &lt;ul&gt; &lt;li&gt;Security Guidance Centers on Microsoft.com&lt;br /&gt; &lt;a href="http://www.microsoft.com/security/guidance/worldwide/default.mspx"&gt;Worldwide&lt;/a&gt;&lt;br /&gt; &lt;a href="http://www.microsoft.com/security/guidance"&gt;US&lt;/a&gt;&lt;br /&gt; Prescriptive guidance to help provide defence-in-depth security.&lt;/li&gt; &lt;li&gt;&lt;a href="https://www.microsoftelearning.com/security/"&gt;E-Learning Security Training&lt;/a&gt;&lt;br /&gt; E-Learning self-paced clinics - 4 Developer and 8 ITPro modules&lt;br /&gt; Now available in French, German, Spanish and Japanese&lt;br /&gt; &lt;a href="https://www.microsoftelearning.com/xpsp2"&gt;XP SP2&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/security/guidance/order/default.mspx"&gt;Security Guidance Kit CD (now shipping in US and Canada)&lt;/a&gt;&lt;br /&gt; CD-ROM with tools, templates, and how-to guides&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA"&gt;Microsoft IT Security Showcase&lt;/a&gt;&lt;br /&gt; An insider view into Microsoft's process of deploying, and managing its own enterprise solutions.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/secnews/default.mspx"&gt;Security Newsletter&lt;/a&gt;&lt;br /&gt; Register for our free monthly 
e-mail newsletter that's packed with security news, guidance, updates, and community resources to help you protect your network.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/seminar/events/security.mspx"&gt;Security Program Guide: Events and Training Information&lt;/a&gt;&lt;br /&gt; Events, webcasts and training available for both IT Professionals and Developers.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/seminar/securitysummit/presentations/default.mspx"&gt;US Security Summit Keynote and Training Content&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/bulletin/notify.mspx"&gt;Security Notifications via e-mail&lt;/a&gt;&lt;br /&gt; Sign up today to get e-mail alerts when an important security bulletin or virus alert has been released.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/bulletin/secrss.aspx"&gt;Security Update RSS Feed&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/current.aspx"&gt;Security Bulletin Search Page&lt;/a&gt;&lt;br /&gt; Search on product, technology or KB article&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/security/bulletin/summary.mspx"&gt;Security Bulletin Webcast&lt;/a&gt;&lt;br /&gt; Join Microsoft experts on the day after bulletin announcements to get the latest information and have the opportunity to ask questions.&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/security/antivirus/authenticate_mail.asp"&gt;How to Tell If a Microsoft Security-Related Message Is Genuine&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/mspress/books/5957.asp"&gt;Writing Secure Code, 2nd edition&lt;/a&gt;&lt;br /&gt; Best practices for writing secure code and stopping malicious hackers.&lt;/li&gt; &lt;li&gt;&lt;a href="http://msdn.microsoft.com/library/en-us/dnnetsec/html/openhack.asp"&gt;Building and Configuring More Secure Web Sites&lt;/a&gt;&lt;br /&gt; Best Practices used 
at OpenHack.&lt;/li&gt; &lt;li&gt;Recent Security Guidance Center additions:&lt;br /&gt; &lt;a href="http://www.microsoft.com/technet/security/prodtech/winclnt/secwinxp/default.mspx"&gt;Windows XP Guide, includes SP2&lt;/a&gt;&lt;br /&gt; &lt;a href="http://go.microsoft.com/fwlink/?LinkId=30794"&gt;New Security Risk Management Guide&lt;/a&gt;&lt;br /&gt; &lt;a href="http://go.microsoft.com/fwlink/?linkid=32048"&gt;Windows NT 4.0 and Windows 98 Threat Mitigation Guide&lt;/a&gt;&lt;br /&gt; &lt;a href="http://go.microsoft.com/fwlink/?LinkId=14841"&gt;Microsoft Identity and Access Management Series&lt;/a&gt;&lt;br /&gt; &lt;a href="http://www.microsoft.com/technet/security/guidance/avdind_0.mspx"&gt;Antivirus Defense-in-Depth&lt;/a&gt;&lt;br /&gt; &lt;a href="http://www.microsoft.com/technet/security/guidance/peap_0.mspx"&gt;Securing Wireless LANs with PEAP and Passwords&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx"&gt;Small Business Guidance&lt;/a&gt;&lt;br /&gt; Guidance specifically for the smaller business&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx"&gt;Configuring Windows XP 802.11 Wireless Networks for the Home / Small Business&lt;/a&gt;&lt;/li&gt; &lt;li&gt;Consumer Information:&lt;br /&gt; &lt;a href="http://www.microsoft.com/security/protect"&gt;http://www.microsoft.com/security/protect&lt;/a&gt;&lt;br /&gt; &lt;a href="http://www.microsoft.com/athome/security/default.mspx"&gt;http://www.microsoft.com/athome/security/default.mspx&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://www.microsoft.com/security/home/secnews/current.asp"&gt;Newsletter for home users&lt;/a&gt;&lt;/li&gt; &lt;li&gt;&lt;a href="http://register.microsoft.com/subscription/subscribeme.asp?id=166"&gt;Security bulletin notifications for home users&lt;/a&gt;&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;img src ="http://cyberforge.com/weblog/aniltj/aggbug/764.aspx" 
width = "1" height = "1" /&gt;</description></item><item><dc:creator>Anil John</dc:creator><title>Browsing the Web and Reading E-mail Safely as an Administrator</title><link>http://cyberforge.com/weblog/aniltj/archive/2004/11/19/758.aspx</link><pubDate>Fri, 19 Nov 2004 21:41:00 GMT</pubDate><guid>http://cyberforge.com/weblog/aniltj/archive/2004/11/19/758.aspx</guid><description>&lt;p&gt;&lt;!--StartFragment --&gt;Michael Howard discusses how you can run as an administrator and access Internet data safely by dropping unnecessary administrative privileges when using any tool to access the Internet.&lt;/p&gt; &lt;p&gt;He has created an application called &lt;em&gt;DropMyRights&lt;/em&gt; to help users who must run as an administrator run applications in a much-safer context&amp;mdash;that of a non-administrator. It does this by taking the current user's token, removing various privileges and SIDs from the token, and then using that token to start another process, such as Internet Explorer or Outlook. This tool works just as well with Mozilla's Firefox, Eudora, or Lotus Notes e-mail.&lt;/p&gt; &lt;p&gt;&lt;a href="http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp"&gt;Check out the article...&lt;/a&gt;&lt;/p&gt;&lt;img src ="http://cyberforge.com/weblog/aniltj/aggbug/758.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>Anil John</dc:creator><title>Reliability and Security in a Home Network Environment...</title><link>http://cyberforge.com/weblog/aniltj/archive/2004/11/14/750.aspx</link><pubDate>Sun, 14 Nov 2004 21:40:00 GMT</pubDate><guid>http://cyberforge.com/weblog/aniltj/archive/2004/11/14/750.aspx</guid><description>&lt;P&gt;Like most computer savvy folks these days, the amount of digital "stuff" in my house is growing rather rapidly. That includes:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;MP3 music files that I've ripped from my CDs 
&lt;LI&gt;Photos from my digital camera 
&lt;LI&gt;Videos that I've taken 
&lt;LI&gt;Documents and Papers 
&lt;LI&gt;Source Code stored in my CM system 
&lt;LI&gt;Virtual Machine Images 
&lt;LI&gt;and more...&lt;/LI&gt;&lt;/UL&gt;
&lt;DIV&gt;Needless to say I have multiple computers in the house that&amp;nbsp;are connected via both&amp;nbsp;wired and wireless networks.&amp;nbsp; Currently I am running a Windows 2000 Domain in the house, as my server class machine, which is a bit old, is not one I have upgraded to Windows 2003. All my&amp;nbsp;Windows 2003 machines are Virtual Machines :-)&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;Recently, I've bitten the bullet and am in the process of&amp;nbsp;standing up a server class machine that can run Windows 2003 at home.&amp;nbsp; My requirements are that:&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;OL&gt;
&lt;LI&gt;I need a redundant and reliable file storage for my network. A lot of the content that I have on the network is simply things I cannot afford to lose. 
&lt;LI&gt;I want to lock down my wireless network. 
&lt;LI&gt;ASP.NET Development environment. 
&lt;LI&gt;I am seriously getting into collaboration via Windows SharePoint Services. So I am looking to make sure that I have an environment that I can play a bit with it.. A personal goal, at least for the home, is to have a shared calendar for the family.&lt;/LI&gt;&lt;/OL&gt;
&lt;DIV&gt;(1) Starting out with the basics, I picked up a Dell server on sale. The only thing I upgraded was to bump up the memory and add a second network card to it. Redundant and reliable for me means that the storage in my machine needs to be configured either as a RAID 1 or RAID 5. For various reasons, I chose RAID 1. So, I also&amp;nbsp;picked up a HighPoint RocketRaid IDE controller and two 200GB hard disks.&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;I am also picking up an&amp;nbsp;external USB hard disk to which I intend to back up my RAID array on a weekly basis. I will be keeping this at work;&amp;nbsp;a poor man's version of off-site backup. This way, at most I am not losing more than a week of data if something untoward happens to my entire home system.&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;(2) I love my Tivo but when it comes to security, it has some issues. My Tivo is set up with the Home Media Option such that I can play all of my MP3s, which are stored on my W2K server, via my Home Theater system. In addition, I can display all of my photos, again stored on my W2K box, on my TV. The Tivo is connected to my home network via a USB Wireless adapter and goes out over the network for program updates etc.&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;The issue I have is that the highest level of encryption Tivo supports is 128 WEP. It does not support WPA at all!&amp;nbsp; This has limited my ability to upgrade the security of my Wireless network. So, I've gotten irritated enough that I am pulling wires to my Tivo to convert it from wireless to a hard line. Once this is done, my plan is to implement 802.11x authentication with certificates and lock down the network.. Now, if you ask me if I REALLY need to do this, the answer would be, probably not.. But I can, so I will :-)&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;(3) (4) Now this is the interesting part, I could install Windows 2003 with WSS and get *some* of the functionality that I want (ASP.NET/Collaboration). But why bother?&amp;nbsp; There is a solution out there that will give me all of the components that I am looking for (Windows 2003, WSS, Exchange, SQL2K)&amp;nbsp;supposedly integrated rather well and designed to run on a single box.&amp;nbsp;Windows Small Business Server 2003.&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;From what I've seen of and heard about this product, it seems to be ideal for what I am looking for within the house.&amp;nbsp; I am thinking that if I install SUS on top of the standard SBS 2003 install, I&amp;nbsp;would also get the ability to update and patch the machines on my network as well.&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;The only decision I have not made as of yet, is where to put the SBS server on the network.&amp;nbsp; I am currently connected to the Internet via a cable modem, which in turn is coming into a Wireless router with hard line ports.&amp;nbsp; The router has NAT capabilities and has a built in simplistic firewall that has done the job for me so far. But SBS 2003 premium comes with ISA server and I have 2 NICs in the box, so I could hook it up to be Internet facing.&amp;nbsp; Or I could simply hook up the SBS machine to the internal network behind the Router.&amp;nbsp; I'll have to think a bit more about it..&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;One resource that I am finding extremely helpful is "Windows Small Business Server 2003 Administrator's Companion" by Charlie Russel, Sharon Crawford and Jason Gerend.&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;</description></item><item><dc:creator>Anil John</dc:creator><title>Security focused Issues - TechNet Magazine &amp; MSDN Magazine</title><link>http://cyberforge.com/weblog/aniltj/archive/2004/10/30/741.aspx</link><pubDate>Sat, 30 Oct 2004 22:26:00 GMT</pubDate><guid>http://cyberforge.com/weblog/aniltj/archive/2004/10/30/741.aspx</guid><description>&lt;p&gt;The premier issue of TechNet Magazine is out and it is focused on Security. Sections include:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Hacking: Fight Back&lt;/li&gt; &lt;li&gt;Cross-Platform Security&lt;/li&gt; &lt;li&gt;Security: Beyond the Basics&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;a href="http://www.microsoft.com/technet/technetmag/"&gt;Check out the full issue, which is available for free online&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Of course, the current issue of MSDN Magazine is also focused on security. Topics include Attack Surface minimization, App Lockdown, Crypto and more. 
&lt;a href="http://msdn.microsoft.com/msdnmag/"&gt;Check it out online as well.&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src ="http://cyberforge.com/weblog/aniltj/aggbug/741.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>Anil John</dc:creator><title>Integrated Windows Authentication on the Internet</title><link>http://cyberforge.com/weblog/aniltj/archive/2004/10/25/705.aspx</link><pubDate>Mon, 25 Oct 2004 22:30:00 GMT</pubDate><guid>http://cyberforge.com/weblog/aniltj/archive/2004/10/25/705.aspx</guid><description>&lt;p&gt;One of my fellow &lt;a href="http://www.cmap-online.org/"&gt;CMAP User Group&lt;/a&gt; Members, Scott McMaster, recently posted a question on our listserve:&lt;/p&gt; &lt;blockquote dir="ltr" style="MARGIN-RIGHT: 0px"&gt; &lt;p&gt;"Like most people, I imagine, I've always considered Windows Authentication for intranet-only scenarios.&amp;nbsp; However, from what little relevant discussion I've been able to find on the subject, it appears that using Windows Authentication to access domain-hosted ASP.NET applications over the Internet using IE5+ is a valid approach as long as IIS is properly configured (i.e. no anonymous access, no basic auth).&amp;nbsp; IE and IIS do NTLM/Kerberos without sending passwords around, and the world is nice and safe."&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;&amp;nbsp;Just to level-set here, this is the web server and browser configuration:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Website is set for only Integrated Windows Authentication&lt;/li&gt; &lt;li&gt;Stand alone client machine on the Internet (Not logged into domain)&lt;/li&gt; &lt;li&gt;Browser is IE 5+&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Now, I am a bit... ah.. 
paranoid when it comes to things like this.&amp;nbsp; Given the fact that if you are on the Internet and are not connected to a domain, you get a login prompt, I went with the assumption that if the login prompt came up and you had to enter your domain credentials, then they were sent as clear text.&amp;nbsp; Well, Scott was persistent and was backed up by our local DCC, &lt;a href="http://blogs.msdn.com/gsnowman"&gt;Geoff Snowman&lt;/a&gt;, who also chimed in that it was valid to use Integrated Windows Authentication on the Internet.&lt;/p&gt; &lt;p&gt;By this time, I was well and truly engaged. &amp;nbsp;In communicating privately with Scott, the resources that we were finding in our searches were simply not that clear on this point ... at least to me :-)&amp;nbsp; So, following my traditional method of when in doubt, ask the experts, I asked the question regarding this scenario on a list that I am on and got a definitive answer from &lt;a href="http://adopenstatic.com/"&gt;Ken Schaefer&lt;/a&gt;, who just so happens to be an IIS MVP.&lt;/p&gt; &lt;p&gt;The short answer, Scott's&amp;nbsp;research proved to be right,&amp;nbsp;my assumptions were&amp;nbsp;wrong, and the world is a safer place :-)&lt;/p&gt; &lt;p&gt;The long answer is as follows (The answers are pretty much a direct quote from Ken. My stuff in bold):&lt;/p&gt; &lt;blockquote dir="ltr" style="MARGIN-RIGHT: 0px"&gt; &lt;p&gt;Integrated Windows Authentication covers two authentication mechanisms - Kerberos and NTLM. 
Neither authentication mechanism allows for plain-text credentials (well, not of the password anyway).&lt;/p&gt; &lt;p&gt;In general:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;Whether the site is in the Intranet security zone determines whether IE attempts to automatically authenticate when prompted by the server.&lt;/li&gt; &lt;li&gt;Whether the site is in the Internet security zone determines whether IE attempts to use Kerberos authentication (Kerberos authentication requires the client machine to be able to contact the KDC to get TGTs etc, and generally this isn't possible in an Internet setting, so IE uses NTLM instead).&lt;/li&gt; &lt;li&gt;Whether your user is logged on to the domain or not, on their workstation, is irrelevant to determining the authentication mechanism used, or how IE sends credentials to the server.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;If the site is placed into the local Intranet security zone -and- Internet Explorer is still in its default configuration (if you go to Tools -&amp;gt; Internet Options -&amp;gt; Security -&amp;gt; Custom settings for Intranet zone, there is an option "automatic logon only in Intranet zone"), then Internet Explorer will attempt to log you on using your current logged on credentials when the web server sends back its 401 response (IE will attempt an anonymous request first no matter what&amp;nbsp;the&amp;nbsp;configuration, then the server will send back a 401, then IE will attempt to auto-logon). 
If the credentials IE sends automatically are not accepted by the server (the server sends back another 401), then IE will prompt you to supply alternate credentials.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;The important thing to note here is that if the browser is IE, the domain credentials that I enter are NOT sent in cleartext but instead use either NTLM or Kerberos depending on the configuration above.&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Neither NTLM nor Kerberos authentication uses plain text to pass the password.&amp;nbsp; NTLM authentication uses the NTLM hashing algorithm to generate a hash of&amp;nbsp; the password. This is sent across the wire by the client and is compared to the hash of the password stored by the web server (for local accounts) or by the DC (for domain accounts). If the hash matches, then the user is authenticated. (The process is actually a little more complex, otherwise anyone could just sniff a hash and use that). If you want the gory details, check out: &lt;a href="http://davenport.sourceforge.net/ntlm.html"&gt;&lt;u&gt;&lt;font color="#0000ff"&gt;http://davenport.sourceforge.net/ntlm.html&lt;/font&gt;&lt;/u&gt;&lt;/a&gt; (about 40% of the way down the page is a section titled "The NTLM v2 Response" which describes how the hash is constructed when using NTLM v2). Kerberos authentication uses Kerberos tickets.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Excellent! It is a good day when you&amp;nbsp;learn something new. It is a great day when what you have learned can improve your security. 
Thanks Guys!&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src ="http://cyberforge.com/weblog/aniltj/aggbug/705.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>Anil John</dc:creator><title>Password Memorability and Security</title><link>http://cyberforge.com/weblog/aniltj/archive/2004/10/14/689.aspx</link><pubDate>Thu, 14 Oct 2004 19:24:00 GMT</pubDate><guid>http://cyberforge.com/weblog/aniltj/archive/2004/10/14/689.aspx</guid><description>&lt;P&gt;There has been much talk about what is considered a secure password. So it was a true pleasure for me to recently read a fascinating study on this topic that provided some hard numbers to back up the claims.&lt;FONT color=#0000ff&gt;&amp;nbsp;&lt;/FONT&gt; The study was published in the current issue of IEEE Security and Privacy and is titled "Password Memorability and Security: Empirical Results" by Jeff Yan, Alan Blackwell, Ross Anderson and Alasdair Grant.&lt;/P&gt;
&lt;P dir=ltr style="MARGIN-RIGHT: 0px"&gt;First some background. Per the article "Human memory for sequences is temporally limited, with a short term capacity of around seven, plus or minus two items. In addition, when humans do remember a sequence of items, those items be familiar chunks such as words or familiar symbols. Finally, human memory thrives on redundancy-we're much better at remembering information we can encode in multiple ways"&lt;/P&gt;
&lt;P dir=ltr style="MARGIN-RIGHT: 0px"&gt;So what these folks did was have three separate test&amp;nbsp;groups:&lt;/P&gt;
&lt;DIV dir=ltr style="MARGIN-RIGHT: 0px"&gt;
&lt;UL&gt;
&lt;LI&gt;The control group were asked to choose a seven-character password with at least one nonletter 
&lt;LI&gt;Second group chose passwords by closing their eyes and pointing randomly to a grid of numbers and letters 
&lt;LI&gt;The third group was instructed to choose passwords based on mnemonic phrases and given examples of how to go about doing so&lt;BR&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;/DIV&gt;
&lt;P&gt;Then the testers ran the following types of attacks against the passwords:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Dictionary attacks: Simply use different dictionary files to crack the passwords 
&lt;LI&gt;Permutation of words and numbers: For each word from a dictionary file, permute with 0, 1, 2 and 3 digits and also use common number substitutions such as 1 for an I and 5 for S etc. 
&lt;LI&gt;User information attacks: Exploit user data that is collected from password files such as userid, full name etc 
&lt;LI&gt;They also tried brute force attacks (try all possible combinations of keys) against passwords 6 characters long.&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Pick up and read the article itself for the details and the numbers, but the conclusions are interesting. The permuted dictionary attack was the most successful and the brute force attack successfully cracked all six-character passwords.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;They also confirmed the two folk beliefs that "... users have difficulty remembering random passwords and that passwords based on mnemonic phrases are harder to guess than naively selected passwords." They have also debunked the folk beliefs that "... random passwords are better than passwords based on mnemonic phrases. Each appeared to be as strong as the other" and that "... passwords based on mnemonic phrases are harder to remember than naively selected passwords. In fact, each type is as easy to remember as the other".&lt;/P&gt;
&lt;P&gt;Some of the key take-aways were:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&amp;nbsp;"... security can be significantly improved by educating users to select mnemonic passwords 
&lt;LI&gt;Size of the password matters 
&lt;LI&gt;Entropy per character matters, so instruct users to choose passwords containing numbers and special characters as well as letters."&lt;BR&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;So what does this mean for me?&amp;nbsp; Well from now on, my password selection page is going to have the following (Some of the content is adapted from the directions that were given to the mnemonic group in the test):&lt;/P&gt;
&lt;UL&gt;
&lt;LI style="LIST-STYLE-TYPE: none"&gt;
&lt;P&gt;Choosing a good password is critical to maintaining the security of this system. To construct a good password, create a simple sentence of 8 to 9 words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and special character should be inserted as well.&amp;nbsp; An example is the phrase "It's 12 noon and I am hungry" which can be used to create the password "I's12n&amp;amp;Iah".&amp;nbsp; All passwords will be checked to make sure that the following complexity requirements are met:&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Must be&amp;nbsp;at least 9 characters 
&lt;LI&gt;Must contain at least one&amp;nbsp;lower case letter, one upper case letter, one digit and one special character 
&lt;LI&gt;Valid special characters are -&amp;nbsp;&amp;nbsp; @#'$%^&amp;amp;+=&lt;BR&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;DIV&gt;The key point here is not just to show them the 3 bullet items above but to provide explicit guidance on how a password should be chosen to meet the outlined complexity criteria.&lt;/DIV&gt;
&lt;P&gt;Oh yes, as a bonus here is a regex that will enforce the above complexity requirement:&lt;/P&gt;
&lt;BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"&gt;
&lt;P&gt;^.*(?=.{9,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@#'$%^&amp;amp;+=]).*$&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
</description></item><item><dc:creator>Anil John</dc:creator><title>ASP.NET Vulnerability Mitigation</title><link>http://cyberforge.com/weblog/aniltj/archive/2004/10/07/682.aspx</link><pubDate>Thu, 07 Oct 2004 22:17:00 GMT</pubDate><guid>http://cyberforge.com/weblog/aniltj/archive/2004/10/07/682.aspx</guid><description>&lt;p&gt;In response to the vulnerability in ASP.NET forms authentication that was posted to NTBugtraq, Microsoft has released an HTTP Module and associated installer that "... protects all ASP.NET applications on a Web server against canonicalization problems that are currently known to Microsoft.."&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.microsoft.com/security/incident/aspnet.mspx"&gt;Find more info about it and install&amp;nbsp;NOW!&lt;/a&gt;&lt;/p&gt;</description></item><item><dc:creator>Anil John</dc:creator><title>Making USB Devices Read-Only</title><link>http://cyberforge.com/weblog/aniltj/archive/2004/09/06/644.aspx</link><pubDate>Mon, 06 Sep 2004 17:43:00 GMT</pubDate><guid>http://cyberforge.com/weblog/aniltj/archive/2004/09/06/644.aspx</guid><description>&lt;p&gt;&lt;a href="http://www.minasidownloads.com/nws0409.htm"&gt;A link to this info&lt;/a&gt; (Thanks Susan!) 
came across on one of the lists that I am on:&lt;/p&gt; &lt;blockquote dir="ltr" style="MARGIN-RIGHT: 0px"&gt; &lt;p&gt;USB "thumb drives" drive some security folks crazy because they're so small physically and so big storage-wise; what's to keep people from popping a USB drive into a USB slot, copying corporate data and walking out the door?&amp;nbsp; For the USB-paranoid, SP2 includes an ability to let users read data from a USB drive, but not &lt;i&gt;write&lt;/i&gt; data to that drive.&amp;nbsp; It's a simple Registry change.&amp;nbsp; First, create a whole new key: HKLM\System\CurrentControlSet\Control\StorageDevicePolicies.&amp;nbsp; Then create a REG_DWORD entry in it called WriteProtect.&amp;nbsp; Set it to 1 and you'll be able to read from USB drives but not write to them.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Cool!&lt;/p&gt;</description></item></channel></rss>