If an NT host has Simple Network Management Protocol (SNMP) installed, anyone who knows the community name can obtain the same information that is available through the previously mentioned techniques. The community name defaults to the well-known name public. Anyone who can connect to the SNMP UDP port and guesses the community name can obtain usernames, group names, password policies, machine roles, services that are running, and other information to plan an attack. The Microsoft SNMP implementation does not provide a mechanism for disabling set requests, so denial-of-service attacks can occur if an attacker determines the community name. In some cases, settable values can facilitate domainwide attacks.

Gaining Access
Many successful penetrations of NT systems occur because of weak passwords. Subtle trust relationships, such as using privileged domain accounts to run services, let attackers penetrate far into NT networks. Thus, an attacker who cracks one password on a local account can gain access to the network.

A common attack scenario starts with information gathering, as I described previously. Servers are the primary targets of attacks, because management software that uses domain accounts is often installed on servers. However, domain workstations can also be easy targets. Based on the information gathered, an attacker identifies servers with weak passwords and lockout policies. The attacker then uses anonymous connections, and the other techniques I discussed, to identify privileged accounts (e.g., members of the Administrator or Server Operator groups, accounts with backup privileges) on the server. Attackers then use simple password guessing, and they often find a local Administrator account with a simple password or no password. Attackers query the SCM for installed services, especially services running under domain accounts. If a service is running under a domain account, the account password is stored in plain text in the Registry. A short program that calls the LsaRetrievePrivateData() API extracts the password from the Registry. Depending on the account's privileges, the attacker can use the account to access the PDC. An alternative is to look in the Registry for cached password hashes of domain users who recently accessed the server.

Systems administrators often create local accounts with one username and password on many machines. A user who logs on locally to one machine can access remote resources without supplying a username and password, regardless of whether the machines are in the same domain, a trusted domain, or an untrusted domain. If an attacker compromises one local account, the attacker can access every other machine on which the account exists with the same password, even without knowing the password. This situation commonly occurs with NT local Administrator accounts.

Many variations of these attack methodologies exist. An attacker who can log on at the console can turn unprivileged NT accounts into local administrator accounts. Also, attackers can use publicly available utilities to subvert an NT system that is bootable from a 3.5" disk or CD-ROM. Users with local administrator privileges can obtain password hashes for domain users who access the host over the network.

Reducing Your Risk
Most NT break-ins occur through password cracking, remote Registry access by anonymous or unprivileged users, or insecure Common Gateway Interface (CGI) or Active Server Pages (ASP) programs on Web servers. The following tips will help you protect your NT hosts and network against various types of attacks.

Microsoft is patching security vulnerabilities as it discovers them. Thus, you need to stay up to date with hotfixes and service packs.

Enforce strong passwords: Use passfilt.dll or a custom password filter, the account lockout feature, password aging, and a minimum password length of eight characters. In the security account database, NT stores two versions of a user's password hashes: the LANMAN and NT versions. NT encrypts (hashes) the LANMAN version in a way that lets an attacker use a password-cracking tool such as L0phtCrack to recover the 8th through the 13th characters of the password. Your password policy needs to specify using punctuation and extended characters, with at least one of these characters beyond the 7th character of the password. Brute-force password cracking of such passwords is difficult. Attackers can determine the values of most of these policy parameters remotely. In high-security environments, supplement logon passwords with token-based authentication systems such as SafeWord or SecurID.
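The following is an added example, not code from the article: a small Python password filter that applies the policy stated above (at least eight characters, punctuation or extended characters, at least one of them beyond the 7th character) and explains each rejection in terms of the LANMAN preprocessing that motivates it. The splitting into two 7-character halves, the uppercasing, and the 14-character limit are properties of the LANMAN hash itself; the function and message names are this example's own. A custom passfilt-style DLL would implement the same decision natively; this script is for checking candidate policies and passwords offline.

```python
import string

MIN_LENGTH = 8   # article's minimum password length
LM_HALF = 7      # LANMAN hashes two independent 7-character halves
LM_MAX = 14      # LANMAN ignores every character past the 14th


def is_special(ch: str) -> bool:
    """Punctuation or an extended (non-ASCII) character, as the policy requires."""
    return ch in string.punctuation or ord(ch) > 127


def lm_halves(password: str) -> tuple[str, str]:
    """Mimic LANMAN preprocessing: uppercase, truncate to 14, split after 7.

    Each half is hashed on its own, so an attacker cracks them independently;
    a password of 7 characters or fewer leaves the second half empty.
    """
    upper = password.upper()[:LM_MAX]
    return upper[:LM_HALF], upper[LM_HALF:]


def half_classes(half: str) -> set[str]:
    """Character classes present in one LANMAN half (case is lost by uppercasing)."""
    classes = set()
    for ch in half:
        if ch.isdigit():
            classes.add("digit")
        elif is_special(ch):
            classes.add("special")
        elif ch.isalpha():
            classes.add("letter")
    return classes


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(is_special(c) for c in password):
        problems.append("no punctuation or extended character")

    first, second = lm_halves(password)
    if not second:
        problems.append(
            "second LANMAN half is empty: only the first 7 characters are hashed"
        )
    elif "special" not in half_classes(second):
        # Characters 8 through 14 are letters/digits only, which is exactly the
        # part of the password the article says L0phtCrack recovers first.
        problems.append(
            "no punctuation or extended character beyond position 7 "
            f"(second LANMAN half {second!r} is letters/digits only)"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["Password1", "Pa$word", "Pa$sword12", "Pa$sword!2"]:
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that `Pa$sword12` fails even though it is ten characters and contains a `$`: the special character sits in the first half, so the second half (`ORD12`) is an easy, independent target. Moving the special character past position 7 (`Pa$sword!2`) is what satisfies the policy.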

Run only the services necessary to provide the intended functionality for a server or workstation. Disabling the Server, Alerter, and Messenger services helps prevent remote attacks. If you enable the Server service, enable the restrictions on the Anonymous account and limit remote access to the Registry to administrators only. (For more information about restricting the Anonymous account, see the Microsoft Support Online article "Restricting Information Available to Anonymous Logon Users," at http://support.microsoft.com/support/kb/articles/q143/4/74.asp.)
