Windows Security: Recent Threats and Responses (and whatever else comes up :-). Bob Mahoney, MIT Network Security Team. Information Systems Fall Forum, October 8, 2002.

Presentation transcript:

Slide 1: Windows Security: Recent Threats and Responses (and whatever else comes up :-)
Information Systems Fall Forum, October 8, 2002. Bob Mahoney, MIT Network Security Team.

Slide 2: Who are we?
- 2 full-time IS staff
- Various IS staff who contribute occasional time upon request (begging works wonders)
- 6 student staff who give 1-10 hrs/week
- 2 voucher employees, hrs/week total
- 12 departmental computing staff, mostly focused on local incidents
- We had the equivalent of 4.6 FTE over the Summer (something like “Full Staff”)

Slide 3: Team Operations
- Scanning for known vulnerabilities and indications of compromise
- Advising users of vulnerable machines what steps to take
- Detecting and removing compromised hosts
- Advising IS and the community about security issues
- Acting as POC for outside complaints about security events at MIT

Slide 4: Rules of Engagement
- Any host that is known to be compromised is administratively removed from the network, and remains disconnected until investigation and/or recovery is complete.
- The system contact for a host that exhibits a known vulnerability is contacted and advised on steps to be taken to resolve the vulnerability. A date is given at this point after which unpatched systems will be disconnected.

Slide 5: RoE & Windows
Due to the virulence of recent Windows worms, and the wide publicity of the problem, response policies are firmer:
- Any Windows system that is vulnerable to a known IIS exploit will be disabled upon detection.
- Any Windows system with a missing or inadequate Administrator password will be disabled upon detection.

Slide 6: Contact Procedures
- All security-related mail is sent to the current Moira contact for the machine.
- This contact info can be updated by users at:
- In non-urgent scenarios, advisories are sent without a deadline.
- Depending upon urgency, various response deadlines are set.

Slide 7: What are we seeing?
- More clueful attackers, generally targeting Windows machines.
- Cracking passwords, rather than guessing/stealing them.
- Attackers being much more stealthy.
- Attackers operating somewhat more ‘manually’, as opposed to using dumber, wider scan/attack probes.
- Attackers keeping track of machines that they have probed, presumably for later misuse.

Slide 8: How much of this goes on?
- 1895 security cases in the last 90 days (65% Windows, down from 78% last month)
- 264 cases currently open
- 212 cases were due to Windows worm activity
- 285 machines were disabled in the last 90 days
- 85 are currently disabled as of this morning (7 for non-security issues)
- 57 of those were “Pubstro” warez sites

Slide 9: What Can You Do?
- Apply all security updates ASAP.
- Make sure ALL machines in your area have correct contact information.
- Make sure all machines in your area have STRONG passwords.
- Review all machines for appropriate file-sharing configuration.

Slide 10: How to make this less painful
- Don’t move compromised machines
- Don’t use “slush” addresses
- Don’t use hubs/repeaters/switches
- Don’t take shortcuts
- Don’t run services you don’t need
- Use your vendor’s “Update Service”
- Subscribe to the security-fyi and netusers lists
- Backups, Backups, Backups!

Slide 11: Less painful, continued…
- Please reply-all to the mail we send you
- Don’t call the Help Desk because you have received mail from us
- We do not have a number where you can call us
- Don’t run IIS (Really)
- Look out for specialized machines with embedded Windows
- Please don’t cry. We’re already a little depressed.

Slide 12: Final thoughts on Pain…
- We know your system is important to you
- We aren’t doing this to be annoying
- We cannot send someone out to help you recover (but can refer you to paid consultants)
- Plan ahead: how much work would it take for you to recover your critical systems RIGHT NOW?

Slide 13: Mailing Lists
- = (public) Notification of maintenance events, CERT
- = (public) Local security news, and threat
- = Working list for security team. Questions or problems go
- Mail to “-request” to join public lists

Slide 14: Cracking passwords, and how to make it harder
Jon Hunt, Software Release Team and Security Team. October 8, 2002.

Slide 15: Cracking Passwords
- Active vs. Passive: both use
  – Guess (user name, machine name, blank, “test”, “help”, “student”, “password”)
  – Dictionary (high-powered guessing)
  – Brute Force (try everything)
- Tools
  – GetAcct
  – Null Sessions with SecDump
  – L0pht Crack
  – Scripts
- Italics = specific hacker (white or black hat) tool

Slide 16: Active Password Attack
- Hacker will try to get account information
  – GetAcct or NULL Sessions
  – If that fails, tries standard accounts: Administrator, Guest, Backup, Test, IIS…
- Repeatedly attempts to log on to the computer remotely using a script and a series of passwords

Slide 17: GetAcct & SecDump
- GetAcct
  – Enumerates all user information (except password) on NT 4 & 2000 out of the box: groups, last logon, real name, password last changed, and much more
  – We do NOT know how to lock down NT 4 to stop it
  – Enter the machine name and the number of accounts you want the info for
- NULL Sessions & DumpSec
  – Similar thing, more configurable, harder to use
  – Log in as a blank user:
    C:\>net use \\machine\ipc$ /user:"" *


Slide 19: If you have auditing set up, you will see something like this (screenshot)


Slide 21: Passive Password Attack
- Sniff clear-text and hashed passwords
- Dump the SAM database (pwdump)
- Crack the passwords using L0pht Crack or other tools
- Grab from the Remote Registry (requires admin rights)

Slide 22: L0pht Crack
- 560,000 dictionary words in a minute
  – Unlimited dictionaries available on the web: slang, scifi, names, places, mythology, yiddish, kjb, Shakespeare, common_passwds, Chinese and many more
- Brute force on a Pentium III 800 MHz
  – A-Z, 0-9 in 13 hours
  – A-Z, 0-9 and in 5 days
  – A-Z, 0-9 and in 48
- Full version only costs $350; free 15-day trial
- Built-in sniffer for LM & NTLM hashed passwords


Slide 24: What can you do?
- Use and require strong passwords
  – MiXeD cAse
  – Special<>characters! (in the middle is better)
  – The longer the better; over 14 characters is much harder (only works for Win2K and later)
  – Change them about every 42 days
  – Automatically lock accounts for 30 minutes after repeated failed attempts
- Enable auditing and check the logs
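An added PowerShell example (not from the slides) that puts the brute-force figures of slide 22 and the "over 14 characters" advice of slide 24 into numbers. It relies on a fact the slides do not spell out: LM hashing uppercases the password, pads it to 14 bytes and hashes each 7-byte half separately, so a cracker searches two 36^7 spaces rather than one 36^14 space; the guess rate is back-calculated from the slide's 13-hour figure and is an assumption about that one machine.

```powershell
# Added example: worst-case brute-force time for LM vs NT hashes, calibrated
# from slide 22 ("A-Z, 0-9 in 13 hours" on a Pentium III 800 MHz).
# LM: password uppercased, padded to 14 bytes, each 7-byte half hashed on its
# own, so at most two 36^7 searches (A-Z,0-9). NT: one hash over the whole
# string, so every extra character multiplies the work. Passwords longer than
# 14 characters (Win2K and later) have no LM hash stored at all.

function Get-Keyspace {
    param([int]$Length, [int]$Charset)
    [bigint]::Pow([bigint]$Charset, $Length)
}

function Format-Duration {
    param([double]$Seconds)
    if ($Seconds -lt 172800)   { return ('{0:N1} hours' -f ($Seconds / 3600)) }
    if ($Seconds -lt 31557600) { return ('{0:N1} days' -f ($Seconds / 86400)) }
    '{0:N0} years' -f ($Seconds / 31557600)
}

# Assumption: the slide's 13 hours is one LM half (36^7 candidates) exhausted.
$lmHalf = Get-Keyspace -Length 7 -Charset 36
$rate   = [double]$lmHalf / (13 * 3600)            # guesses per second on that machine
'Implied guess rate: {0:N0} per second' -f $rate

# Same A-Z,0-9 password, stored as LM vs NT, for several lengths.
foreach ($len in 7, 8, 14, 15) {
    $ntWork = Get-Keyspace -Length $len -Charset 36
    $halves = if ($len -le 7) { 1 } else { 2 }     # <=7 chars leaves the 2nd half a known constant
    $lm = if ($len -le 14) { Format-Duration ([double]($halves * $lmHalf) / $rate) } else { 'no LM hash stored' }
    'Length {0,2}: LM {1,-18} NT {2}' -f $len, $lm, (Format-Duration ([double]$ntWork / $rate))
}
```

At the implied rate the LM hash of any password up to 14 characters falls in about a day, while the NT hash of the same 14-character string is out of reach; that gap is why slides 25 and 28 tell you to stop storing LM hashes and require NTLMv2.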

Slide 25: What else can you do?
- Use NTFS instead of FAT
- Apply patches
  – Windows Update: all critical updates *
  – Application vendors release patches too
- Disable stuff you do not need
  – NULL Sessions
  – LM Hashes (require NTLMv2 if possible)
- Do NOT connect from Win95/98/ME
* Wait for IS’s recommendation for Service Packs

Slide 26: What further can you do?
- Run anti-virus software and keep it up to date
- Do NOT open attachments from people you are not expecting to receive them from
- Have a BACKUP SOLUTION!!!
- Use your backup solution
- Check that your backup solution is working
  – We have seen hackers delete client data to make room for warez

Slide 27: What are we (IS) doing to help?
- Working on Security Templates
  – Make it easier to apply policies
  – Have a first pass for Windows 2000 and XP that is currently in review
- Working on guidelines:
- Scanning MITnet for basic vulnerabilities and compromises and informing the machine contact (update your machine contact info)

Slide 28: Should I be testing my users’ passwords?
- It depends, but probably not
- More useful to set up a good policy
  – Require strong passwords
  – Set passwords to expire (e.g. 42 days)
  – Disable NULL Sessions
  – Require NTLMv2 (disable LANMAN and NTLM)
  – Run regularly updated virus scans
  – Lock out accounts after repeated failed attempts
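An added PowerShell audit (not from the slides or from MIT IS) that checks a host against the policy items of slides 25 and 28: it exports the effective local security policy with secedit and reads the LSA registry values that govern NULL sessions and LM/NTLM. The 42-day age, 30-minute lockout and NTLMv2-only level come from the slides; the 8-character minimum length is my assumption, since the slides say only "strong".

```powershell
# Added example: audit local account policy and LSA settings against the
# recommendations on slides 25 and 28. Run from an elevated prompt.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Collect "Key = Value" lines from the exported policy ([System Access] section).
$policy = @{}
Get-Content $inf | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}

# RestrictAnonymous (1 blocks SAM/share enumeration, 2 blocks NULL sessions outright),
# NoLMHash (1 stops storing LM hashes), LmCompatibilityLevel (5 = NTLMv2 only).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Each check: label, observed value, predicate that means "compliant".
$checks = @(
    @{ Name = 'Minimum password length >= 8 (assumed)'; Value = $policy.MinimumPasswordLength; Ok = { param($v) [int]$v -ge 8 } }
    @{ Name = 'Password complexity enabled';            Value = $policy.PasswordComplexity;    Ok = { param($v) [int]$v -eq 1 } }
    @{ Name = 'Maximum password age <= 42 days';        Value = $policy.MaximumPasswordAge;    Ok = { param($v) [int]$v -gt 0 -and [int]$v -le 42 } }
    @{ Name = 'Lockout after repeated failures';        Value = $policy.LockoutBadCount;       Ok = { param($v) [int]$v -gt 0 } }
    @{ Name = 'Lockout duration >= 30 minutes';         Value = $policy.LockoutDuration;       Ok = { param($v) [int]$v -ge 30 -or [int]$v -eq -1 } }
    @{ Name = 'NULL session enumeration restricted';    Value = $lsa.RestrictAnonymous;        Ok = { param($v) [int]$v -ge 1 } }
    @{ Name = 'LM hash storage disabled';               Value = $lsa.NoLMHash;                 Ok = { param($v) [int]$v -eq 1 } }
    @{ Name = 'NTLMv2 only (LmCompatibilityLevel 5)';   Value = $lsa.LmCompatibilityLevel;     Ok = { param($v) [int]$v -ge 5 } }
)

foreach ($c in $checks) {
    # A missing value means the default applies, which is never the hardened setting here.
    $observed = if ($null -eq $c.Value) { '(not set)' } else { $c.Value }
    $status   = if ($null -ne $c.Value -and (& $c.Ok $c.Value)) { 'PASS' } else { 'FAIL' }
    '{0,-44} {1,-10} {2}' -f $c.Name, $observed, $status
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

secedit omits LockoutDuration from the export when LockoutBadCount is 0, so that row reports "(not set)" until a lockout threshold exists.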