SCARE NUMBER THREE: RedButton
RedButton is a program that a firm wrote to demonstrate a security hole in
NT. (The firm's main line of business is--surprise--NT security consulting.)
RedButton interrogates an NT machine via TCP port 139 and reports the name of
the built-in Administrator account.
This program raises the question of whether releasing such a program
without an antidote demonstrates good ethics, but what can you do? Again, use
PASSPROP to make the built-in Administrator account lock out, just like other
accounts.
Advice: Use either PASSPROP or a very long password for the
built-in Administrator account. And, filter out TCP port 139 on your router or
firewall. (For another view of RedButton, see Mark Joseph Edwards, "RedButton
Reveals Bugs in NT," page 48.)
SCARE NUMBER FOUR: The RPC/Telnet Bug
NT systems talk to one another via an inter-process communication mechanism
called remote procedure calls (RPCs). When one NT machine tries to talk to
another, it establishes an RPC connection. The RPC/Telnet bug exploits that
connection and slows your system drastically.
Use Telnet to attach to port 135 on an NT machine. For example, if the
machine's IP address is 199.34.57.7, open a command line and type
telnet 199.34.57.7 135
The Telnet screen will appear, looking like a standard dumb terminal
interface. Type a few random characters, and close the Telnet window. Within a
minute or two, the victim NT machine (199.34.57.7, in this case) will devote 98
percent of its CPU power to the RPCSS.EXE (Remote Procedure Call SubSystem)
routine. This activity will, of course, slow anything else running on the victim
machine.
When you established a link to 135 and typed some characters, you started
the session setup process for the RPC system. When you broke the connection, the
RPC system wasn't smart enough to figure out that interruption, and it ran
around in circles trying to finish setting up the session. This bug doesn't kill
a system, but it does slow it. You have to reboot to reset the system. Microsoft
has a hotfix for this NT problem at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/
fixes/usa/NT40/hotfixes-postSP2/RPC-fix.
Advice: Get the hotfix (Service Pack 3--SP3--which came out
as soon as I finished writing this article, includes the fix). And filter out
TCP port 135 on your router or firewall.
SCARE NUMBER FIVE: The Password Cracker
Another security consulting firm wrote a program advertised as an NT
password cracker, a program that according to some accounts, can crack the
Security Accounts Manager (SAM) file on an NT machine and dump all the
passwords. (For more information on this scare, see Mark Joseph Edwards, "NT
Passwords Compromised?" June 1997.) This boogeyman was largely bad
journalism.
You see, passwords in SAM are doubly encrypted. When you give a password to
a new account, or change a password in an existing account, NT does not store
that password. Instead, NT runs the password through a one-way hash function,
producing a one-way function (OWF) password. (For more information on how NT
encrypts passwords, see "Windows NT Logons," June 1997.)
What's an OWF? The password is just a series of bits. So you can think of a
password as nothing more than a very large binary number, and one that you can
run through a mathematical function. Many math functions are as easy to do as to
undo: For example, halving a number is as easy as doubling a number. But other
math functions aren't as simple: For example, squaring a number is much easier
than taking the square root of a number. In another example, multiplying two
large prime numbers to get a product is much simpler than taking the resulting
number and trying to figure out what its prime factors are. OWFs are designed to
be much easier to do than to undo.
So suppose my password is "swordfish." Suppose also that the bad
guys get my OWF password, the result of running "swordfish" through
the OWF. What can they do with it? They know the OWF--Microsoft has documented
it--and so they know the result of the function, the OWF password. They want to
know the original value that led to the OWF result. They now do a dictionary
hack. They write a program that takes every word in the English language, runs
it through the OWF, and compares it to the OWF password. If the values match,
then they've found the original word, "swordfish," that led to the OWF
password. They know my password--unless, of course, the password isn't an
English word. If that's the case, they just have to start testing every possible
combination of characters from zero to 14 characters long, and then we're back
to doing septillions of operations. Hmmm. Assume that a computer can do a
billion operations per second. (Hey, trust me, I've heard that Merced will be
really fast.) Septillions of operations (ten to the 25th, recall) would take
that machine ten to the 16th seconds, or about one billion years. By then, I
suspect I will have changed my password once or twice. Doesn't sound like much
of a security hole to me.
But wait, this situation gets even better. To run this program, you must be
physically logged on to the domain controller using an Administrator account.
When last I checked, administrators could change passwords. Any administrator
crooked enough to run this program is also crooked enough to just change a
password or modify an object's permissions (taking ownership of any object is a
built-in administrative right).
Advice: Be sure to change your passwords at least once every billion years. And don't hire crooked administrators.
And More Advice
My best advice is stop worrying and watch the passwords. Never enable the
Guest account. Take some special pains with the built-in administrative account
(either run PASSPROP or give Administrator some very long, random password),
make all users change their passwords frequently, avoid Telnet and RSH servers,
and isolate the FTP and HTTP servers and lock down their files with file and
directory permissions. And be wary of people who want to panic you about NT
security and then charge you money to repair the problems.
SP3 provides solutions to several of the problems I discussed here. Windows
NT Magazine news editor, Mark Joseph Edwards, dubbed SP3 Security Pack 3, and he's right. Install it today.