Published byDinah Benson Modified over 9 years ago
Slide 1: Safeguarding your Business Assets through Understanding of the Win32 API
Slide 2: Introduction
David J. Goldman
– CSA, Velosecure LLC
– Managing the Windows Security Practice of PricewaterhouseCoopers' Global Risk Management Solutions
– david.goldman@us.pwcglobal.com
– 212-596-5682
Slide 3: Introduction
Todd M Feinman
– Candidate for MBA at Harvard Business School, 2002
– CEO, Velosecure LLC
– Manager within PricewaterhouseCoopers' Global Risk Management Solutions
– security@feinman.net
– 212-596-7299
Slide 4: Objective
– Explain some of the vulnerabilities inherent to the Win32 API
– Talk through some examples of how these could affect real companies
– Discuss how to protect against such security breaches
Slide 5: Windows Management
– User: users, groups, account policy…
– Resource: file, directory, service permissions…
– System: services, registry, hotfixes…
– Network: shares, trusts, remote access…
– Auditing: audit policy, event logs, directory auditing…
Slide 6: Security Assertions
– Confidentiality: sensitive information will not be read by unauthorized individuals
– Integrity: reliable information will not be modified by unauthorized individuals
– Availability: information will be accessible by authorized individuals in a timely manner
Slide 7: A Malicious Plan of Attack
– Can I connect with NULL?
– Yes? Procure any and all information: connect to shares, get a username, guess a password, run brute force attacks…
– Can I connect with Guest or User access?
– Yes? Get service information, registry access, exploit daemons: connect to the service control manager, HKLM, FTP or web…
Slide 8: Case 1: Enterprise-Wide Employee Directory
Background:
– Pharmaceuticals company
– 60,000 employees' information defined within a directory
– Two dozen domains
Concerns:
– Primary: Availability
– Secondary: Confidentiality and Integrity
Why:
– Numerous directors and managers require access
– Complex hierarchical corporate authority
Slide 9: Primary Assessment
To ensure that:
– All domain controllers are available for authentication (not using a random sample)
– Users can search the directory for information about each other, including office number and email address
– No one is trying to compromise the availability of the servers
– Printers are accessible by doctors and researchers
Slide 10: User Security Methodology
– List all users and their properties: NetUserEnum, NetUserGetInfo
– List all groups, their properties, and members: NetGroupEnum, NetGroupGetInfo, NetGroupGetUsers; NetLocalGroupEnum, NetLocalGroupGetMembers
Slide 11: Resource Security Methodology
– List all printers and their properties
– Retrieve the permissions for each printer: EnumPrinters, GetNamedSecurityInfo
Slide 12: System Security Methodology
– Retrieve the network information: NetWkstaGetInfo, NetWkstaTransportEnum
– Determine its domain membership: LsaQueryInformationPolicy
– Retrieve OS level and other Windows information: NetServerGetInfo
Slide 13: Network Security Methodology
Enumerate the trusts between domains:
– Trusting: NetUserEnum(FILTER_INTERDOMAIN_TRUST_ACCOUNT), NetUserGetInfo
– Trusted: LsaEnumerateTrustedDomains
Slide 15: Auditing Security Methodology
– Event log settings: registry data under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security
– Event log data: ReadEventLog (event IDs 529, 539, 531, 517, 612)
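The slide reads the Security log for the five event IDs and leaves it at that; the detector below, an added example that is not part of the presentation, shows what a reviewer does with them. It assumes the log has been exported as CSV with the columns time, event_id, user and source (the sample rows are constructed), reports every lockout, disabled-account logon, log clear and audit-policy change, and raises a finding for an account once its bad-password events reach a threshold.

```python
from collections import Counter
import csv
import io

# Security log event IDs named on the slide (NT4/2000 numbering).
EVENT_NAMES = {
    529: "logon failure: unknown user name or bad password",
    539: "account locked out",
    531: "logon attempt on a disabled account",
    517: "audit log cleared",
    612: "audit policy changed",
}

# Constructed sample export (not real log data); the column layout is assumed.
SAMPLE_LOG = """time,event_id,user,source
2001-05-01 09:00:01,529,jsmith,WKS-01
2001-05-01 09:00:03,529,jsmith,WKS-01
2001-05-01 09:00:05,529,jsmith,WKS-01
2001-05-01 09:00:07,529,jsmith,WKS-01
2001-05-01 09:00:09,529,jsmith,WKS-01
2001-05-01 09:00:10,539,jsmith,WKS-01
2001-05-01 09:15:00,531,contractor1,WKS-07
2001-05-01 11:30:00,612,Administrator,DC-01
2001-05-01 11:31:00,517,Administrator,DC-01
2001-05-01 12:00:00,528,mjones,WKS-02
"""

def analyse(log_text, failure_threshold=5):
    """Return (event_id, user, source, description) findings.

    Lockouts, disabled-account logons, log clears and policy changes are
    reported one for one; bad-password events (529) are counted per account
    and reported only when they reach failure_threshold, which is the
    'brute force does not go undetected' check from the case studies.
    """
    failures = Counter()
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        event_id = int(row["event_id"])
        if event_id == 529:
            failures[row["user"]] += 1
        elif event_id in EVENT_NAMES:
            findings.append((event_id, row["user"], row["source"], EVENT_NAMES[event_id]))
    for user, count in failures.items():
        if count >= failure_threshold:
            findings.append((529, user, None, f"{count} failed logons (possible brute force)"))
    return findings
```

A 517 shortly after a 612 from the same source, as in the sample, is worth a second look on its own: clearing the log right after changing the audit policy is the pattern an auditor least wants to see.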
Slide 16: Null Credentials
Calls that answered with null credentials in this case:
– NetUserEnum, NetUserGetInfo
– NetGroupEnum, NetGroupGetInfo, NetGroupGetUsers
– NetLocalGroupEnum, NetLocalGroupGetMembers
– NetWkstaGetInfo (not in NT4), NetWkstaTransportEnum
– NetServerGetInfo
Slide 17: Case 2: Data Warehouse Security
Background:
– Yellow Pages publishing company
– 100,000 customers' account information and data
– Over 100 file servers nationally
Concerns:
– Primary: Confidentiality
– Secondary: Integrity and Availability
Why:
– Customers' advertisements are a competitive advantage
– Need for authorized direct modification of data 24x7
Slide 18: Primary Assessment
To ensure that:
– File server directory access controls are appropriate (using a random sample)
– Agents can update only their authorized companies' data, and only authorized projects within such companies
– Unauthorized reading of other companies' information is prohibited
– Raw data files are not accessible by anyone but programs
Slide 19: User Security Methodology
– Enumerate each individual's user rights and access privileges: LsaEnumerateAccountsWithUserRight
Slide 20: Resource Security Methodology
– Retrieve the permissions for directories
– Retrieve the permissions for file executables that run as a service (LocalSystem)
– Retrieve the permissions for services
– APIs: GetNamedSecurityInfo, GetAce, LookupAccountSid
Slide 21: System Security Methodology
– Enumerate scheduled jobs (backups): NetScheduleJobEnum
Slide 22: Network Security Methodology
– Retrieve the list of shares: NetShareEnum
– Check permissions on shares
– Check permissions on directories that are shared
– APIs: GetNamedSecurityInfo, GetAce, LookupAccountSid
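Slides 20 and 22 both come down to the same review step: pull a DACL with GetNamedSecurityInfo, walk it with GetAce and LookupAccountSid, and decide whether each ACE is appropriate for customer data. The script below is an added example, not the presenters' code, and performs that decision offline on the string form of a security descriptor (SDDL, as ConvertSecurityDescriptorToStringSecurityDescriptor emits it); it flags allow ACEs that give broad principals write or full control. The share names and descriptors are constructed.

```python
import re

# Well-known SID aliases that stand for broad principals (subset of the SDDL table).
BROAD_PRINCIPALS = {"WD": "Everyone", "BG": "Guests", "AN": "Anonymous", "AU": "Authenticated Users"}
# Two-letter SDDL rights tokens that carry a write or control right.
WRITE_TOKENS = {"FA", "FW", "GA", "GW", "WD", "WO", "SD", "DC"}
# Access-mask bits checked when the rights field is a hex mask instead of tokens.
GENERIC_WRITE, GENERIC_ALL = 0x40000000, 0x10000000
FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0002, 0x0004
DELETE, WRITE_DAC, WRITE_OWNER = 0x00010000, 0x00040000, 0x00080000
WRITE_MASK = (GENERIC_WRITE | GENERIC_ALL | FILE_WRITE_DATA | FILE_APPEND_DATA
              | DELETE | WRITE_DAC | WRITE_OWNER)

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return (ace_type, rights, sid) for each ACE in the D: section only."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in ACE_RE.findall(m.group(1) if m else ""):
        parts = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        aces.append((parts[0], parts[2], parts[5]))
    return aces

def grants_write(rights):
    """True if an SDDL rights field (token string or hex mask) includes a write right."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & WRITE_MASK != 0
    return any(rights[i:i + 2] in WRITE_TOKENS for i in range(0, len(rights), 2))

def audit(path, sddl):
    """Return findings for allow ACEs that let a broad principal write to path."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type == "A" and sid in BROAD_PRINCIPALS and grants_write(rights):
            findings.append(f"{path}: {BROAD_PRINCIPALS[sid]} may write ({rights})")
    return findings

# Constructed sample descriptors (not real exports): the first share grants
# Everyone full control, the second gives Authenticated Users read only.
SAMPLE = {
    r"\\FS01\CustData": "O:BAG:DUD:(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)",
    r"\\FS01\Reports": "O:BAG:DUD:(A;OICI;FR;;;AU)(A;OICI;0x1301bf;;;BU)(A;OICI;FA;;;BA)",
}

def audit_all(descriptors=SAMPLE):
    return [f for path, sddl in descriptors.items() for f in audit(path, sddl)]
```

Share permissions and NTFS permissions on the shared directory are separate descriptors; run the check on both, since the effective access is the more restrictive of the two.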
Slide 23: Auditing Security Methodology
– Retrieve directory auditing lists (SACLs): GetNamedSecurityInfo, GetAce, LookupAccountSid
Slide 24: Null Credentials
– NetShareEnum
Slide 25: Case 3: Securities Trading
Background:
– Company trading securities on the Internet
– Multiple vendor network segments plus Internet customers
– Entry points on dozens of servers
Concerns:
– Primary: Integrity
– Secondary: Confidentiality and Availability
Why:
– Transactions must be accurate, timely, and complete
– Non-repudiation
Slide 26: Primary Assessment
To ensure that:
– No one can modify the data on machines used for trading securities
– Services cannot be exploited to compromise the domain or local machine
– A brute force attack will not succeed or go undetected
Slide 27: User Security Methodology
– Identify the parameters used for the password restrictions and account lockout: NetUserModalsGet
– Grab the password hashes and perform a strength assessment: samdump
Slide 28: Resource Security Methodology
– Retrieve the information for each drive and ensure NTFS is in use: GetVolInfo
Slide 29: System Security Methodology
– Enumerate registry values and permissions: RegConnectRegistry, RegOpenKeyEx, RegQueryInfoKey, RegEnumKey, RegEnumValue; RegGetKeySecurity, GetSecurityDescriptorDacl
– Enumerate services and device drivers: EnumServicesStatus, QueryServiceStatus, QueryServiceConfig
Slide 30: Network Security Methodology
– Check if the built-in administrator can be locked out remotely: LsaOpenPolicy, LsaQueryInformationPolicy, SamConnect, SamOpenDomain, SamQueryInformationDomain
– Assess dial-in settings: RasAdminPortEnum, RasAdminPortGetInfo
Slide 31: Auditing Security Methodology
– Retrieve audit policy information: LsaOpenPolicy, LsaQueryInformationPolicy
Slide 32: Null Credentials
– NetUserModalsGet