Download presentation
Presentation is loading. Please wait.
Published byAubrey Fitzgerald Modified over 9 years ago
2
Windows NT Based Web Security COSC 573 By:Ying Li
3
Basic Concepts of Windows NT AdvantagesAdvantages –User-friendly graphic front end –Point-and-click configuration –Excellent software development tools DisadvantagesDisadvantages –Relative newcomer to the Internet –A variety of security problems
4
Basic Concepts of Windows NT Windows NT Server vs. NT WorkstationWindows NT Server vs. NT Workstation –Windows NT Server: More expensiveMore expensive has complete functionalityhas complete functionality can coordinate the activities of other machines, provide remote access services, run Windows name resolution, and host the Internet Information Servercan coordinate the activities of other machines, provide remote access services, run Windows name resolution, and host the Internet Information Server
5
–Windows NT Workstation a water-down version of the Server producta water-down version of the Server product with most of the server functions disabledwith most of the server functions disabled –Microsoft Internet Information Server runs only on NT Server –However, Web servers from other vendors run with the Workstation version of operating system, as well From the point of view of system security, the main difference between the two flavors is that NT Workstation comes with an undesirably permissive configuration, while NT Server is stricter. Basic Concepts of Windows NT (cont’)
6
Windows NT Security Risks In theory, the Windows NT system of access control lists, domains, and trust relationships provides a high level of security. In practice, many NT server on the Internet are not secure. How can this be?
7
Widespread Misconfiguration Problems An out-of-the-box Windows NT Workstation installation is not secure.An out-of-the-box Windows NT Workstation installation is not secure. –Most of the system’s files and directories are read/write by Everyone, which means that any local user can tamper with the system to his heart’s content. –Because of the strange properties of the built-in Everyone group, there are a variety of ways for unidentified Internet users to view and /or alter the system, as well.
8
Widespread Misconfiguration Problems (Cont’) Windows NT Server, in contrast, has a more reasonable set of default permissions when first installed.Windows NT Server, in contrast, has a more reasonable set of default permissions when first installed. However, it still contains gaps in its configuration that allow for unwanted mischief.However, it still contains gaps in its configuration that allow for unwanted mischief. In practice, many Windows NT Servers are not installed from scratch but are upgraded from previous versions of Windows NT or from Windows 95. In such cases, the access control lists are probably at their least restrictive setting.In practice, many Windows NT Servers are not installed from scratch but are upgraded from previous versions of Windows NT or from Windows 95. In such cases, the access control lists are probably at their least restrictive setting.
9
Widespread Misconfiguration Problems (Cont’) An Additional problem for Windows NT:An Additional problem for Windows NT: Windows NT actually supports two different file systems: FAT and NTFS. Only NTFS provides access control lists. Machines that use an FAT file system have no file protection.
10
Vulnerability to NetBIOS Attacks Concept: Windows NT uses a family of networking protocols, known collectively as “NetBIOS,” to provide Windows file sharing, network printing, and remote system administrationConcept: Windows NT uses a family of networking protocols, known collectively as “NetBIOS,” to provide Windows file sharing, network printing, and remote system administration NetBIOS is network-independent. However, NetBIOS was designed with a local area network in mind, not large networks like the Internet.NetBIOS is network-independent. However, NetBIOS was designed with a local area network in mind, not large networks like the Internet. For this reason, it has certain vulnerabilities.For this reason, it has certain vulnerabilities.
11
NetBIOS Vulnerability Information leakageInformation leakage –NetBIOS will advertise information about a system’s shared volumes, workgroup name, domain name and machine name without requiring the remote machine or user to authenticate Client-Controlled fallback to weaker authenticationClient-Controlled fallback to weaker authentication –In order to be compatible with less-capable operating systems, such as Windows for Workgroups, and Windows 95, NetBIOS will fall back to weaker authentication when a remote client requests it. Anonymous log-inAnonymous log-in –NetBIOS allows a limited form of anonymous, unauthenticated log-in. Designed to allow machines on the local area network to exchange information about themselves, this loophole has been used by would-be intruders to gain access to sensitive parts of the system, such as the registry.
12
Securing a Windows NT Web Server 1Apply all service patches 2Fix the file system permissions 3Fix the registry access permissions 4Remove or disable all extraneous network services 5Add the minimum number of user accounts necessary to maintain the server 6Install the server software and adjust file and directory permissions to restrict unnecessary access 7Remove or disable unnecessary Web server features, CGI scripts, and extensions 8Monitor system and server log files
13
Apply All Service Packs and Updates Microsoft releases operating system patches called “service packs” at regular intervalsMicrosoft releases operating system patches called “service packs” at regular intervals These service packs contain patches for known security holes in the operating system, as well as other bug fixes and feature enhancementsThese service packs contain patches for known security holes in the operating system, as well as other bug fixes and feature enhancements Back up your system if it has any valuable data on itBack up your system if it has any valuable data on it
14
Fix the File System and Registry Permissions After applying operating system patches, the next step is to check and adjust the file system and registry permissionsAfter applying operating system patches, the next step is to check and adjust the file system and registry permissions To get the benefit of file system permissions, you must have formatted Windows NT disk partition as NTFSTo get the benefit of file system permissions, you must have formatted Windows NT disk partition as NTFS For fixing the file system, you should log into the system as Administrator and use the Properties -> Security -> Permissions window to change the access control listsFor fixing the file system, you should log into the system as Administrator and use the Properties -> Security -> Permissions window to change the access control lists For fixing the registry, like the file system, the keys and values of the Windows registry are protected by access control listsFor fixing the registry, like the file system, the keys and values of the Windows registry are protected by access control lists
15
An Example DirectoryC:\WINNT\PROFILES\DEFAULT_USERDirectoryC:\WINNT\PROFILES\DEFAULT_USERC:\WINNT\PROFILES\ALL_USERS OwnerAdministrator Change contents tooFiles and subdirectories AdministratorsFull control SYSTEMFull control Users Read Rationale: These two directories contain common preferences shared by all users. Users can view the defaults but not change them
16
User Rights Policies The Windows NT User Manager program establishes certain global user rights. Some of the rights on a default installation are inappropriate for Web server machines; others are simply accident prone. To change these rights, select Policies-> User Rights… in the User Manager program to bring up the User Rights PolicyThe Windows NT User Manager program establishes certain global user rights. Some of the rights on a default installation are inappropriate for Web server machines; others are simply accident prone. To change these rights, select Policies-> User Rights… in the User Manager program to bring up the User Rights Policy
17
Install Web Server Software If the software isn’t already preinstalled, go ahead and install it by running whatever install program the vendor provides.If the software isn’t already preinstalled, go ahead and install it by running whatever install program the vendor provides. The main task at this point is to tune the directory permissions so that authorized users can make changes to the Web tree without having to become full administrator to do soThe main task at this point is to tune the directory permissions so that authorized users can make changes to the Web tree without having to become full administrator to do so
18
Turn off Unnecessary Features Microsoft IIS and other servers support a few optional features that potentially can be used by unscrupulous individuals to gain information about your system. Unless you really need these features, you should turn them off.Microsoft IIS and other servers support a few optional features that potentially can be used by unscrupulous individuals to gain information about your system. Unless you really need these features, you should turn them off. –Directory Browsing –Read-Access to the Scripts Directory –Execute-Access to Non-Scripts Directories –Active Server Pages
19
Monitor the Web Server and Event Logs Both the Web server and Windows NT itself are capable of performing extensive logging. Although the Web server logs are turned on by default, NT event logging (“auditing”) is turned off. It is recommended to enable it.Both the Web server and Windows NT itself are capable of performing extensive logging. Although the Web server logs are turned on by default, NT event logging (“auditing”) is turned off. It is recommended to enable it.
20
Create a Backup System A recent and complete system-wide backup is essential for recovering from a break-inA recent and complete system-wide backup is essential for recovering from a break-in Even if your system isn’t broken into, a backup will allow you to recover from disasters, ranging from hard disk crash to the accidental deletion of an essential fileEven if your system isn’t broken into, a backup will allow you to recover from disasters, ranging from hard disk crash to the accidental deletion of an essential file
21
?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.