October 01, 1997 12:00 AM

Security Beyond Service Packs

Windows IT Pro
InstantDoc ID #475
Become a hacker's worst nightmare: proactively protect your NT network

In the past, some users considered Windows NT to be bulletproof because no one had publicly revealed any of the various ways to break NT's security. But let's face the facts: NT isn't even close to being bulletproof--nor is any other commercial mainstream operating system.

Hackers are discovering security holes in NT at an alarming rate. Since March alone, they've found more than 20 new holes in NT or an associated application. And you can expect this rate to climb because former UNIX-only hackers are now turning their attention and expertise to NT. As one notable hacker recently said, "NT is sexy and attractive to hack."

More Than One Way to Protect Your OS
One way to protect NT against hacker attacks is to load the latest Service Pack (SP) and the associated hotfixes as Microsoft releases them. However, this solution will work only if you can load the current SP without breaking NT. SP2 is a perfect example of how an SP might render NT useless in one fell swoop, turning a seemingly harmless upgrade into an adventure in recovery. (For an illustration, see Mark Minasi, "Recovering from a Network Disaster," March 1997.)

In addition, SPs and associated hotfixes aren't always timely and effective. For example, to combat an attack called GetAdmin, Microsoft developed a post-SP3 hotfix, but by the time Microsoft released it, hackers had devised a new way to perform the same exploit. So Microsoft released an updated hotfix the following week. The second hotfix stopped the GetAdmin attack, but it didn't prevent a similar attack from crashing an NT system. (For more information about Microsoft's reaction to security holes, see "Microsoft Needs a Different Approach to Security Risks.")

So what if you can't load the latest SP or hotfixes or you want to intensify security? If you study the nature of a given exploit, you can discern ways to protect your NT network without relying on Microsoft to deliver a patch. But protecting your network without a vendor's help requires basic knowledge of TCP/IP and NT architecture and operation. So if you're unfamiliar with how TCP/IP traffic works, what packets look like, and how NT handles security, you need to learn about TCP/IP and NT first.

Avoid Dangerous Attacks
As I mentioned, hackers have exploited more than 20 security holes in NT and associated applications since March. I'll go over some of the more dangerous attacks and how to prevent them without the use of SPs and hotfixes. To give you an idea of just how fast new problems are surfacing, I'll include (in parentheses) the month the risk was revealed to the public and the NT systems affected. Some security risks reside in applications and not the NT OS. These application-based risks are NT security risks because they pose an inherent danger to overall network security.

Bandwidth hogging with chargen (July; NT 4.0 Server and Workstation)
A hacker can launch a bandwidth-hogging attack by sending User Datagram Protocol (UDP) packets to the subnet broadcast address (X.X.X.255) using chargen port 19. In most cases, the hacker also falsifies the source IP address. Once the hacker launches the attack, every NT machine on the network responds to the broadcast, which creates a flood of UDP packets that eat up network bandwidth. The more NT systems you have on the network, the worse the packet flood becomes.

Preventing this attack is easy: Disable the chargen service. You use the chargen service only to generate a steady output of characters for testing purposes, so disabling it doesn't affect network performance.

To stop the chargen service, disable the Simple TCP/IP Service in the Control Panel, under Services. This step not only disables the chargen service, but also the echo, daytime, discard, and quote-of-the-day services--any of which hackers could use for the bandwidth-hogging attack. Although none of these services is required for proper network operation, you might find a particular service useful. For example, you might want the echo service operational if your network monitors occasionally test the echo port when they cannot get a response to a ping. You can run one or more services while turning the others off by adjusting the Registry entries found in the subtree HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTcp\Parameters. To disable a particular service, change the established value of both the EnableTcpXXXX and EnableUdpXXXX parameters (where XXXX is the service name) from 0x1 to 0x0.
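The two sides of the chargen problem, written up as an added example rather than anything from the article: a detector that flags the pattern described above (UDP datagrams aimed at the subnet broadcast address on a Simple TCP/IP port, from a source that often isn't even on the subnet), and a generator for the Registry change that turns the services off selectively. The packet summaries are constructed. The value names EnableTcpChargen, EnableUdpEcho, and so on follow the article's EnableTcpXXXX/EnableUdpXXXX pattern; the exact spelling of each service suffix is an assumption, so check it against your own Registry before importing the output.

```python
"""Chargen bandwidth-hogging attack: a detector for the broadcast pattern the
article describes, plus a generator for the SimpTcp registry change that
disables the Simple TCP/IP services. Added example; not the article's code."""

from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# Simple TCP/IP services and their UDP/TCP ports. The registry value suffixes
# (EnableTcpChargen, EnableUdpEcho, ...) follow the article's EnableTcpXXXX /
# EnableUdpXXXX pattern; the spelling of each suffix is an assumption here.
SIMPLE_TCP_SERVICES = {7: "Echo", 9: "Discard", 13: "Daytime", 17: "Qotd", 19: "Chargen"}
SIMPTCP_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTcp\Parameters"

# Constructed packet summaries: (src_ip, dst_ip, proto, dst_port, length).
SAMPLE_PACKETS = [
    ("10.1.1.5", "10.1.1.7", "UDP", 53, 80),            # ordinary DNS query
    ("192.0.2.9", "10.1.1.255", "UDP", 19, 60),         # off-subnet source -> broadcast, chargen
    ("192.0.2.9", "10.1.1.255", "UDP", 19, 60),
    ("192.0.2.9", "10.1.1.255", "UDP", 19, 60),
    ("10.1.1.20", "10.1.1.21", "TCP", 80, 500),         # ordinary web traffic
    ("10.1.1.30", "10.1.1.255", "UDP", 7, 60),          # one echo broadcast: below threshold
]


def chargen_broadcast_alerts(packets, local_net, threshold=3):
    """Flag sources that send >= threshold UDP datagrams to the subnet broadcast
    address on a Simple TCP/IP port. A source address that is not inside the
    local subnet yet targets its broadcast address is almost certainly spoofed."""
    net = IPv4Network(local_net)
    bcast = str(net.broadcast_address)
    counts = Counter()
    for src, dst, proto, dport, _length in packets:
        if proto == "UDP" and dst == bcast and dport in SIMPLE_TCP_SERVICES:
            counts[(src, dport)] += 1
    alerts = []
    for (src, dport), n in sorted(counts.items()):
        if n >= threshold:
            alerts.append({
                "src": src,
                "service": SIMPLE_TCP_SERVICES[dport],
                "count": n,
                "spoofed": IPv4Address(src) not in net,
            })
    return alerts


def simptcp_reg(keep=()):
    """Return REGEDIT4 text that sets EnableTcp*/EnableUdp* to 0x0 for every
    Simple TCP/IP service except those named in `keep`, which stay at 0x1.
    Import with regedit and restart the Simple TCP/IP Services service."""
    kept = {name.lower() for name in keep}
    lines = ["REGEDIT4", "", f"[{SIMPTCP_KEY}]"]
    for _port, name in sorted(SIMPLE_TCP_SERVICES.items()):
        flag = 1 if name.lower() in kept else 0
        for proto in ("Tcp", "Udp"):
            lines.append(f'"Enable{proto}{name}"=dword:{flag:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for alert in chargen_broadcast_alerts(SAMPLE_PACKETS, "10.1.1.0/24"):
        print("ALERT", alert)
    print(simptcp_reg(keep=["Echo"]))
```

Running the script flags 192.0.2.9 as a spoofed source sending three chargen broadcasts and prints a .reg file that keeps only echo enabled, which matches the monitoring case the article mentions. The threshold is deliberately low because a handful of UDP datagrams to the broadcast address on port 19 has no legitimate use.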

Gaining administrator access with GetAdmin (July; NT 4.0 Server and Workstation)
A Russian programmer discovered and revealed the GetAdmin attack. It is one of the most important discoveries in NT security breaches because it is the most commonly used attack against Windows OSs. The attack comes in the form of a program that, when run, adds any user to the Administrators group.

According to Microsoft, a hacker needs direct access to the NT system's keyboard and console to launch the GetAdmin attack. But if a particular NT system is running a Web or Telnet server, a hacker can use a remote Web browser or Telnet client to launch the attack.

You need a combination of tactics to prevent the GetAdmin attack. Start by protecting access to the local console. First, adjust the User Rights so that only trusted network administrators can log on to the local console. Second, never assign a user the right to debug a process unless absolutely necessary.

To prevent a remote GetAdmin attack, don't let users place unknown or untested programs in a Web server's /scripts directory. If you can't analyze and compile the source code, don't use the program. Furthermore, providing Telnet access to an NT system is extremely risky, so don't permit access.
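The console-side advice above comes down to two user rights: who may log on locally and who may debug a process. The following added example (not the article's code) audits an exported rights assignment for principals other than Administrators holding either right. It assumes the [Privilege Rights] layout written by the later `secedit /export` tool, with principals listed as *SID or plain account names, and the well-known SIDs S-1-5-32-544 (Administrators) and S-1-5-32-545 (Users); the sample export is constructed.

```python
"""Audit who can satisfy the two local pre-conditions the article names for a
GetAdmin attack: the right to log on at the console and the right to debug a
process. Added example; not the article's code. Assumes the [Privilege Rights]
layout written by `secedit /export` (a later Security Configuration Editor
tool), with principals given as *SID or as plain account names."""

ADMINISTRATORS_SID = "*S-1-5-32-544"   # well-known Builtin\Administrators
USERS_SID = "*S-1-5-32-545"            # well-known Builtin\Users

# Rights the article says to restrict: "log on locally" and "debug programs".
GETADMIN_RIGHTS = ("SeInteractiveLogonRight", "SeDebugPrivilege")

# Constructed sample export.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,HelpDesk
SeDebugPrivilege = *S-1-5-32-544,DevUser1
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def getadmin_exposure(rights, trusted=(ADMINISTRATORS_SID,)):
    """List (right, principal) pairs where a principal outside `trusted` holds one
    of the two rights GetAdmin needs; an empty list means the article's advice is met."""
    trusted = set(trusted)
    return [(right, principal)
            for right in GETADMIN_RIGHTS
            for principal in rights.get(right, [])
            if principal not in trusted]


if __name__ == "__main__":
    for right, who in getadmin_exposure(parse_privilege_rights(SAMPLE_EXPORT)):
        print(f"{right}: {who} should not hold this right")
```

On the constructed export the audit reports that Users and HelpDesk can log on locally and that DevUser1 holds the debug right; the `trusted` parameter lets you whitelist the few administrators who genuinely need console access, while a debug right held by anyone outside Administrators should stay flagged.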

Fragmenting with POD 2 (June; NT 3.51 and 4.0 Server and Workstation)
The Ping of Death (POD) 2 attack is a variation of the previously discovered POD 1 attack. Both versions involve sending Internet Control Message Protocol (ICMP) packets to an NT system. These packets fragment, causing the NT system to lock up. Whereas POD 1 sent one 64KB ICMP packet, POD 2 sends a barrage of 64KB ICMP packets. The barrage of packets causes Win95 and NT systems to lock up cold without warning.

Preventing this attack involves blocking all inbound ICMP traffic on your routers to bordering untrusted networks. If you use Remote Access Service (RAS) instead of a router, install the newer Routing and Remote Access (RRAS--formerly Steelhead) software. With RRAS, you can establish a packet filter that permits access to only the necessary ports, such as those used by Web and mail servers.
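What makes a POD datagram recognisable is that its final fragment lands past the 65,535-byte maximum an IPv4 datagram may claim, and POD 2 simply sends many of them. The added example below (not the article's code) computes the implied reassembled length per datagram from fragment records, flags oversized ones, counts the barrage per source, and models the border policy the paragraph recommends: drop inbound ICMP from untrusted networks and admit only listed service ports. Fragment records are constructed; offsets are in 8-byte units as in the IP header, and payload lengths exclude the 20-byte IP header.

```python
"""Ping of Death detection over IP fragment records, plus a model of the border
filter the article recommends. Added example; not the article's code. The
fragment records are constructed; offsets are in 8-byte units as in the IPv4
header, and payload_len excludes the 20-byte IP header."""

from collections import Counter, defaultdict

MAX_IP_DATAGRAM = 65535   # the largest length an IPv4 datagram may claim

# (src_ip, dst_ip, ip_id, frag_offset_units, more_fragments, payload_len)
SAMPLE_FRAGMENTS = [
    # benign 1500-byte ICMP echo split across an Ethernet MTU: 1480 + 20 = 1500
    ("10.1.1.5", "10.1.1.7", 0x1001, 0, True, 1480),
    ("10.1.1.5", "10.1.1.7", 0x1001, 185, False, 20),
    # three datagrams whose final fragment lands past 65535: 8189*8 + 40 = 65552
    ("198.51.100.4", "10.1.1.7", 0x2001, 0, True, 1480),
    ("198.51.100.4", "10.1.1.7", 0x2001, 8189, False, 40),
    ("198.51.100.4", "10.1.1.7", 0x2002, 8189, False, 40),
    ("198.51.100.4", "10.1.1.7", 0x2003, 8189, False, 40),
]


def reassembled_sizes(fragments):
    """Map (src, dst, ip_id) to the datagram length the fragments imply, taking the
    furthest-reaching fragment since the last one need not arrive last."""
    end = defaultdict(int)
    for src, dst, ip_id, offset, _mf, plen in fragments:
        key = (src, dst, ip_id)
        end[key] = max(end[key], offset * 8 + plen)
    return dict(end)


def oversized_datagrams(fragments):
    """Datagram keys whose implied length exceeds what IPv4 allows: the POD signature."""
    return [key for key, size in reassembled_sizes(fragments).items()
            if size > MAX_IP_DATAGRAM]


def pod_barrage_sources(fragments, threshold=2):
    """Sources sending at least `threshold` oversized datagrams (POD 2 sends a barrage)."""
    counts = Counter(src for src, _dst, _id in oversized_datagrams(fragments))
    return {src: n for src, n in counts.items() if n >= threshold}


def border_filter_drops(proto, dst_port=None, allowed_tcp_ports=(25, 80)):
    """Model of the article's border policy for traffic from an untrusted network:
    drop all inbound ICMP, permit only the listed TCP service ports."""
    if proto == "ICMP":
        return True
    if proto == "TCP":
        return dst_port not in allowed_tcp_ports
    return True   # anything else (e.g. UDP) is not on the permitted list


if __name__ == "__main__":
    print("oversized:", oversized_datagrams(SAMPLE_FRAGMENTS))
    print("barrage sources:", pod_barrage_sources(SAMPLE_FRAGMENTS))
    print("ICMP from outside dropped:", border_filter_drops("ICMP"))
```

The benign two-fragment ping reassembles to exactly 1,500 bytes and is ignored, while the three datagrams from 198.51.100.4 each imply 65,552 bytes and the source is reported as a barrage. Because the check works on fragment headers alone, it can run on a monitor at the border before any host tries to reassemble the datagram, which is where the article's router or RRAS filter also sits.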


Comments
  • David Wilson
    Aug 14, 2001

    I was pleased -- after several long searches through documents that *should* have provided answers -- to find a succinct, clear answer on how chargen is disabled, what it does, why you want it disabled, etc.

    Too often the security scanning software points out weaknesses, but provides only vague indications of how one plugs the holes. This helped immensely.

    There should be more clearly defined instruction sets on topics such as this; printer SNMP security is a big problem, as well as information on ports, who and what uses each, and how they can be protected.

    Thanks

  • Pete Szczepankiewicz
    Aug 10, 1999

    After reading Mark Joseph Edwards' "Security Beyond Service Packs," October 1997, I felt compelled to write. I hope the article helps other Windows NT Administrators in some way.
    We performed an experiment on security aspects of NT 4.0. We looked for countermeasures to attacks on NT 4.0 Workstation from the Internet, to make sure a hacker could not gain access to the local keyboard. The results were surprising.
    We used NT on a home PC dialing in to an Internet Service Provider (ISP). Not only did we log on without a name or password, but we gained access to every file on the hard disk. We used the NBTSTAT command to locate the NT box and logged on without a name or password with the IPC$ share. We used RedButton to find the administrator name and log on. Also, we were able to use the current logon name listed from the first NBTSTAT probing. We used the GetAdmin utility to gain Administrator access remotely. With that status, we were able not only to erase the audit log but to successfully obscure specific security events during the attack. We downloaded the rest of the accounts and passwords and cracked them locally.
    We can secure the NT Workstation from this attack by removing the server service and disabling NetBIOS. This tactic effectively shuts off Common Internet File System (CIFS), which is basically Server Message Blocks (SMBs) over the Internet.
    Incidentally, we used the NT scheduler’s AT command to run GetAdmin remotely. A hacker could then wait until somebody onsite performed a logoff/logon to grant Administrator access. I figure you can expect a logoff/logon at least once a month. In addition to the Web and telnet server, tally up the AT service as another vulnerability and something that you need to remove if it’s not required.
    Our most surprising observation was that Service Pack (SP) 3 stopped none of the attacks, except for denying the Everyone group read rights to the Registry. You have to configure SP3 to defend against the rest of these attacks. Our findings support the claim that Microsoft needs a different approach to security risks. I like NT, but I need to know the vulnerabilities so that I can tailor the software to meet my requirements.

    --Pete Szczepankiewicz
