KEMBAR78
Microsoft Operating System Vulnerabilities | PPT
IT
Uploaded byInformation Technology
PPT, PDF1,434 views

Microsoft Operating System Vulnerabilities

This document discusses tools and techniques for assessing and hardening Microsoft systems against common vulnerabilities. It describes Microsoft tools like the Microsoft Baseline Security Analyzer (MBSA) that can identify vulnerabilities in Windows systems. It also outlines vulnerabilities in various Microsoft services and protocols like SMB, IIS, and SQL Server. The document concludes with best practices for securing Microsoft systems like regular patching, antivirus software, logging and monitoring, and disabling unused services.

Education◦
Downloaded 66 times
Hands-On Ethical Hacking and Network Defense Chapter 8 Microsoft Operating System Vulnerabilities
Objectives Tools to assess Microsoft system vulnerabilities Describe the vulnerabilities of Microsoft operating systems and services Techniques to harden Microsoft systems against common vulnerabilities Best practices for securing Microsoft systems
Tools to Identify Vulnerabilities on Microsoft Systems Many tools are available for this task Using more than one tool is advisable Using several tools help you pinpoint problems more accurately
Built-in Microsoft Tools Microsoft Baseline Security Analyzer (MBSA) Winfingerprint HFNetChk
Microsoft Baseline Security Analyzer (MBSA) Effective tool that checks for Patches Security updates Configuration errors Blank or weak passwords Others MBSA supports remote scanning Associated product must be installed on scanned computer
MBSA Results
 
 
MBSA Versions 2.x for Win 2000 or later & Office XP or later 1.2.1 if you have older products After installing, MBSA can Scan the local machine Scan other computers remotely Be scanned remotely over the Internet
HFNetChk HFNetChk is part of MBSA Available separately from Shavlik Technologies Can be used to control the scanning more precisely, from the command line
Winfingerprint Administrative tool It can be used to scan network resources Exploits Windows null sessions Detects NetBIOS shares Disk information and services Null sessions
Winfingerprint Can find OS detection Service packs and hotfixes Running Services See Proj X6 for Details
Microsoft OS Vulnerabilities Microsoft integrates many of its products into a single package Such as Internet Explorer and Windows OS This creates many useful features It also creates vulnerabilities Security testers should search for vulnerabilities on The OS they are testing Any application running on the server
CVE (Common Vulnerabilities and Exposures ) A list of standardized names for vulnerabilities Makes it easier to share information about them cve.mitre.org (link Ch 8c) Demonstration: Search
Remote Procedure Call (RPC) RPC is an interprocess communication mechanism Allows a program running on one host to run code on a remote host Examples of worms that exploited RPC MSBlast (LovSAN, Blaster) Nachi Use MBSA to detect if a computer is vulnerable to an RPC-related issue
NetBIOS Software loaded into memory Enables a computer program to interact with a network resource or other device NetBIOS is not a protocol NetBIOS is an interface to a network protocol It’s sometimes called a session-layer protocol, or a protocol suite (Links Ch 8d, 8e, 8f)
NetBEUI NetBIOS Extended User Interface Fast, efficient network protocol Allows NetBIOS packets to be transmitted over TCP/IP NBT is NetBIOS over TCP
NetBIOS (continued) Newer Microsoft OSs do not need NetBIOS to share resources NetBIOS is used for backward compatibility You can turn off NetBIOS for Windows 2000 and later (links Ch 8g & 8h)
Server Message Block (SMB) Used by Windows 95, 98 and NT to share files Usually runs on top of NetBIOS, NetBEUI or TCP/IP Hacking tools L0phtcrack’s SMB Packet Capture utility SMBRelay Ettercap (see Project 23, Links Ch 8r & 8s)
Demonstration: ettercap
Common Internet File System (CIFS) CIFS replaced SMB for Windows 2000, XP, and Windows 2003 Server SMB is still used for backward compatibility CIFS is a remote file system protocol Enables computers to share network resources over the Internet
Common Internet File System (CIFS) (continued) Enhancements over SMB Resource locking (if 2 people use the same thing at once) Support for fault tolerance Capability to run more efficiently over dial-up Support for anonymous and authenticated access
Common Internet File System (CIFS) (continued) Server security methods Share-level security A password assigned to a shared resource User-level security An access control list assigned to a shared resource Users must be on the list to gain access Passwords are stored in an encrypted form on the server But CIFS is still vulnerable (see link Ch 8n) Don’t let NetBIOS traffic past the firewall
Understanding Samba Open-source implementation of CIFS Created in 1992 Samba allows sharing resources over multiple OSs Samba accessing Microsoft shares can make a network susceptible to attack Samba is used to “trick” Microsoft services into believing the *NIX resources are Microsoft resources
Samba is Built into Ubuntu Click Places, Connect to Server Windows shares are marked with SMB
Closing SMB Ports Best way to protect a network from SMB attacks Routers should filter out ports 137 to 139 445
Default Installations Windows 9x, NT, and 2000 all start out with many services running and ports open They are very insecure until you lock them down Win XP, 2003, and Vista are much more secure by default Services are blocked until you open them
Passwords and Authentication A comprehensive password policy is critical Change password regularly Require passwords length of at least six characters Require complex passwords Never write a password down or store it online or on the local system Do not reveal a password over the phone
Passwords and Authentication Configure domain controllers Enforce password age, length and complexity Account lockout threshold Account lockout duration Start, Run, GPEDIT.MSC
IIS (Internet Information Services) IIS 5 and earlier installs with critical security vulnerabilities Run IIS Lockdown Wizard (link Ch 8p) IIS 6.0 installs with a “secure by default” posture Configure only services that are needed Windows 2000 ships with IIS installed by default Running MBSA can detect IIS running on your network
IIS Buffer Overflows
SQL Server SQL vulnerabilities exploits areas The SA account with a blank password SQL Server Agent Buffer overflow Extended stored procedures Default SQL port 1433 Vulnerabilities related to SQL Server 7.0 and SQL Server 2000
The SA Account The SA account is the master account, with full rights SQL Server 6.5 and 7 installations do not require setting a password for this account SQL Server 2000 supports mixed-mode authentication SA account is created with a blank password SA account cannot be disabled
SQL Server Agent Service mainly responsible for Replication Running scheduled jobs Restarting the SQL service Authorized but unprivileged user can create scheduled jobs to be run by the agent
Buffer Overflow Database Consistency Checker in SQL Server 2000 Contains commands with buffer overflows SQL Server 7 and 2000 have functions that generate text messages They do not check that messages fit in the buffers supplied to hold them Format string vulnerability in the C runtime functions
Extended Stored Procedures Several of the extended stored procedures fail to perform input validation They are susceptible to buffer overruns
Default SQL Port 1443 SQL Server is a Winsock application Communicates over TCP/IP using port 1443 Spida worm Scans for systems listening on TCP port 1443 Once connected, attempts to use the xp_cmdshell Enables and sets a password for the Guest account Changing default port is not an easy task
Best Practices for Hardening Microsoft Systems Penetration tester Finds vulnerabilities Security tester Finds vulnerabilities Gives recommendations for correcting found vulnerabilities
Patching Systems The number-one way to keep your system secure Attacks take advantage of known vulnerabilities Options for small networks Accessing Windows Update manually Automatic Updates This technique does not really ensure that all machines are patched at the same time Does not let you skip patches you don’t want
Patching Systems Some patches cause problems, so they should be tested first Options for patch management for large networks Systems Management Server (SMS) Software Update Service (SUS) Patches are pushed out from the network server after they have been tested
Antivirus Solutions An antivirus solution is essential For small networks Desktop antivirus tool with automatic updates For large networks Corporate-level solution An antivirus tool is almost useless if it is not updated regularly
Enable Logging and Review Logs Regularly Important step for monitoring critical areas Performance Traffic patterns Possible security breaches Logging can have negative impact on performance Review logs regularly for signs of intrusion or other problems Use a log-monitoring tool
Disable Unused or Unneeded Services Disable unneeded services Delete unnecessary applications or scripts Unused applications or services are an invitation for attacks Requires careful planning Close unused ports but maintain functionality
Other Security Best Practices Use a firewall on each machine, and also a firewall protecting the whole LAN from the Internet Delete unused scripts and sample applications Delete default hidden shares Use different names and passwords for public interfaces
Other Security Best Practices Be careful of default permissions For example, new shares are readable by all users in Win XP Use available tools to assess system security Like MBSA, IIS Lockdown Wizard, etc. Disable the Guest account Rename the default Administrator account Enforce a good password policy Educate users about security Keep informed about current threats

More Related Content

PPTX
System hacking
byCAS
 
PDF
Vulnerability Management
byasherad
 
PPTX
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
PPTX
Tools and methods used in cybercrime
bypatelripal99
 
PPTX
Network security - Defense in Depth
byDilum Bandara
 
PPTX
Introduction To Vulnerability Assessment & Penetration Testing
byRaghav Bisht
 
PDF
VULNERABILITY ( CYBER SECURITY )
byKashyap Mandaliya
 
PPTX
Cyber Security 101: Training, awareness, strategies for small to medium sized...
byStephen Cobb
 
System hacking
byCAS
 
Vulnerability Management
byasherad
 
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
Tools and methods used in cybercrime
bypatelripal99
 
Network security - Defense in Depth
byDilum Bandara
 
Introduction To Vulnerability Assessment & Penetration Testing
byRaghav Bisht
 
VULNERABILITY ( CYBER SECURITY )
byKashyap Mandaliya
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
byStephen Cobb
 

What's hot

PPT
Software Security (Vulnerabilities) And Physical Security
byNicholas Davis
 
PPTX
Identity and Access Management Introduction
byAidy Tificate
 
PPTX
seguridad de los sistemas operativos
byCarlos Guerrero
 
PPTX
Footprinting and reconnaissance
byNishaYadav177
 
PPTX
Phases of penetration testing
byAbdul Rahman
 
PDF
Wi-fi Hacking
byPaul Gillingwater, MBA
 
PDF
Security Awareness Training
byDaniel P Wallace
 
PPTX
Password Cracking
bySina Manavi
 
PDF
Threat Modelling
byn|u - The Open Security Community
 
PPTX
Vulnerability assessment & Penetration testing Basics
byMohammed Adam
 
PPTX
Security Awareness Training.pptx
byMohammedYaseen638128
 
PPTX
Types of Cyber Attacks
byRubal Sagwal
 
PPTX
Hyphenet Security Awareness Training
byJen Ruhman
 
PPT
Thick client application security assessment
bySanjay Kumar (Seeking options outside India)
 
PPTX
Threat Hunting with Splunk
bySplunk
 
PPTX
Denial of Service Attack
byDhrumil Panchal
 
PPTX
Malware and it's types
byAakash Baloch
 
PPT
Intrusion Detection Systems and Intrusion Prevention Systems
byCleverence Kombe
 
PDF
Access Control Presentation
byWajahat Rajab
 
PPT
Network Security
byRaymond Jose
 
Software Security (Vulnerabilities) And Physical Security
byNicholas Davis
 
Identity and Access Management Introduction
byAidy Tificate
 
seguridad de los sistemas operativos
byCarlos Guerrero
 
Footprinting and reconnaissance
byNishaYadav177
 
Phases of penetration testing
byAbdul Rahman
 
Wi-fi Hacking
byPaul Gillingwater, MBA
 
Security Awareness Training
byDaniel P Wallace
 
Password Cracking
bySina Manavi
 
Threat Modelling
byn|u - The Open Security Community
 
Vulnerability assessment & Penetration testing Basics
byMohammed Adam
 
Security Awareness Training.pptx
byMohammedYaseen638128
 
Types of Cyber Attacks
byRubal Sagwal
 
Hyphenet Security Awareness Training
byJen Ruhman
 
Thick client application security assessment
bySanjay Kumar (Seeking options outside India)
 
Threat Hunting with Splunk
bySplunk
 
Denial of Service Attack
byDhrumil Panchal
 
Malware and it's types
byAakash Baloch
 
Intrusion Detection Systems and Intrusion Prevention Systems
byCleverence Kombe
 
Access Control Presentation
byWajahat Rajab
 
Network Security
byRaymond Jose
 

Viewers also liked

PPT
Ch10 Conducting Audits
byInformation Technology
 
PPT
Ch03 Protecting Systems
byInformation Technology
 
PPT
Ch09 Performing Vulnerability Assessments
byInformation Technology
 
PPT
Ch04 Network Vulnerabilities and Attacks
byInformation Technology
 
PPT
Ch13 Business Continuity Planning and Procedures
byInformation Technology
 
PPT
Ch05 Network Defenses
byInformation Technology
 
PPT
Ch01 Introduction to Security
byInformation Technology
 
PPT
Ch14 Policies and Legislation
byInformation Technology
 
PPTX
Web303
byInformation Technology
 
PPT
Ch02 System Threats and Risks
byInformation Technology
 
PPT
Ch12 Cryptographic Protocols and Public Key Infrastructure
byInformation Technology
 
PPT
Ch08 Authentication
byInformation Technology
 
PPT
Ch11 Basic Cryptography
byInformation Technology
 
PPT
Ch06 Wireless Network Security
byInformation Technology
 
PPT
Ch07 Access Control Fundamentals
byInformation Technology
 
PPTX
Introduction to Graphics
byprimeteacher32
 
PPTX
Python programming lab2
byprofbnk
 
PDF
OSCON 2008: Porting to Python 3.0
byguest4d09
 
PPT
Apache Web Server Setup 3
byInformation Technology
 
ODP
Python 3000
byBob Chao
 
Ch10 Conducting Audits
byInformation Technology
 
Ch03 Protecting Systems
byInformation Technology
 
Ch09 Performing Vulnerability Assessments
byInformation Technology
 
Ch04 Network Vulnerabilities and Attacks
byInformation Technology
 
Ch13 Business Continuity Planning and Procedures
byInformation Technology
 
Ch05 Network Defenses
byInformation Technology
 
Ch01 Introduction to Security
byInformation Technology
 
Ch14 Policies and Legislation
byInformation Technology
 
Web303
byInformation Technology
 
Ch02 System Threats and Risks
byInformation Technology
 
Ch12 Cryptographic Protocols and Public Key Infrastructure
byInformation Technology
 
Ch08 Authentication
byInformation Technology
 
Ch11 Basic Cryptography
byInformation Technology
 
Ch06 Wireless Network Security
byInformation Technology
 
Ch07 Access Control Fundamentals
byInformation Technology
 
Introduction to Graphics
byprimeteacher32
 
Python programming lab2
byprofbnk
 
OSCON 2008: Porting to Python 3.0
byguest4d09
 
Apache Web Server Setup 3
byInformation Technology
 
Python 3000
byBob Chao
 

Similar to Microsoft Operating System Vulnerabilities

PPTX
Ethical hacking chapter 8 - Windows Vulnerabilities - Eric Vanderburg
byEric Vanderburg
 
PDF
CNIT 123 8: Desktop and Server OS Vulnerabilities
bySam Bowne
 
PDF
CNIT 123 Ch 8: OS Vulnerabilities
bySam Bowne
 
PDF
CNIT 123: 8: Desktop and Server OS Vulnerabilites
bySam Bowne
 
PDF
Ch 8: Desktop and Server OS Vulnerabilites
bySam Bowne
 
PPT
0828 Windows Server 2008 新安全功能探討
byTimothy Chen
 
PDF
INE_Assessment_Methodologies_Vulnerability_Assessment_Course_File.pdf
byanshulnautiyal2006
 
PDF
5 howtomitigate
byricharddxd
 
PPT
Securing Windows web servers
byInformation Technology
 
PPTX
Threat Modeling - Writing Secure Code
byCaleb Jenkins
 
PDF
Tips to Remediate your Vulnerability Management Program
byBeyondTrust
 
PPT
W982 05092004
bySumit Tambe
 
PPTX
Microsoft Platform Security Briefing
bytechnext1
 
PPT
Operating system security (a brief)
bycnokia
 
PPT
Windows network security
byInformation Technology
 
PPT
The Top 10/20 Internet Security Vulnerabilities – A Primer
byamiable_indian
 
PDF
Host Based Security Best Practices
bywebhostingguy
 
PDF
Packet capture and network traffic analysis
byCARMEN ALCIVAR
 
PPT
Information Security Lesson 4 - Baselines - Eric Vanderburg
byEric Vanderburg
 
PPTX
Operating system security
byRamesh Ogania
 
Ethical hacking chapter 8 - Windows Vulnerabilities - Eric Vanderburg
byEric Vanderburg
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
bySam Bowne
 
CNIT 123 Ch 8: OS Vulnerabilities
bySam Bowne
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
bySam Bowne
 
Ch 8: Desktop and Server OS Vulnerabilites
bySam Bowne
 
0828 Windows Server 2008 新安全功能探討
byTimothy Chen
 
INE_Assessment_Methodologies_Vulnerability_Assessment_Course_File.pdf
byanshulnautiyal2006
 
5 howtomitigate
byricharddxd
 
Securing Windows web servers
byInformation Technology
 
Threat Modeling - Writing Secure Code
byCaleb Jenkins
 
Tips to Remediate your Vulnerability Management Program
byBeyondTrust
 
W982 05092004
bySumit Tambe
 
Microsoft Platform Security Briefing
bytechnext1
 
Operating system security (a brief)
bycnokia
 
Windows network security
byInformation Technology
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
byamiable_indian
 
Host Based Security Best Practices
bywebhostingguy
 
Packet capture and network traffic analysis
byCARMEN ALCIVAR
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
byEric Vanderburg
 
Operating system security
byRamesh Ogania
 

More from Information Technology

PDF
Sql Server Security Best Practices
byInformation Technology
 
PPT
SAN
byInformation Technology
 
PPT
SAN Review
byInformation Technology
 
PPT
SQL 2005 Disk IO Performance
byInformation Technology
 
PPT
RAID Review
byInformation Technology
 
PPT
Review of SQL
byInformation Technology
 
PPT
Sql 2005 high availability
byInformation Technology
 
PPT
IIS 7: The Administrator’s Guide
byInformation Technology
 
PPT
MOSS 2007 Deployment Fundamentals -Part2
byInformation Technology
 
PPT
MOSS 2007 Deployment Fundamentals -Part1
byInformation Technology
 
PPT
Clustering and High Availability
byInformation Technology
 
PDF
F5 beyond load balancer (nov 2009)
byInformation Technology
 
PPT
WSS 3.0 & SharePoint 2007
byInformation Technology
 
PPT
SharePoint Topology
byInformation Technology
 
PDF
Sharepoint Deployments
byInformation Technology
 
PPT
Microsoft Clustering
byInformation Technology
 
PDF
Scalable Internet Servers and Load Balancing
byInformation Technology
 
PPT
Web Hacking
byInformation Technology
 
PPT
Migration from ASP to ASP.NET
byInformation Technology
 
PPT
Internet Traffic Monitoring and Analysis
byInformation Technology
 
Sql Server Security Best Practices
byInformation Technology
 
SAN
byInformation Technology
 
SAN Review
byInformation Technology
 
SQL 2005 Disk IO Performance
byInformation Technology
 
RAID Review
byInformation Technology
 
Review of SQL
byInformation Technology
 
Sql 2005 high availability
byInformation Technology
 
IIS 7: The Administrator’s Guide
byInformation Technology
 
MOSS 2007 Deployment Fundamentals -Part2
byInformation Technology
 
MOSS 2007 Deployment Fundamentals -Part1
byInformation Technology
 
Clustering and High Availability
byInformation Technology
 
F5 beyond load balancer (nov 2009)
byInformation Technology
 
WSS 3.0 & SharePoint 2007
byInformation Technology
 
SharePoint Topology
byInformation Technology
 
Sharepoint Deployments
byInformation Technology
 
Microsoft Clustering
byInformation Technology
 
Scalable Internet Servers and Load Balancing
byInformation Technology
 
Web Hacking
byInformation Technology
 
Migration from ASP to ASP.NET
byInformation Technology
 
Internet Traffic Monitoring and Analysis
byInformation Technology
 

Recently uploaded

PPTX
ILA 2025 Prague CLS Presentation of Leadership journal
byjohanalvehus
 
PPTX
English Home Language & First Additional Language P2 Preparation.pptx
byMasingita Maswanganye
 
PPTX
🧪“Blood Chemistry Tests in Pharmacy Practice: Clinical Laboratory Guide for P...
byBanny S.V
 
PDF
Umlando kaMufi. IsiZulu Ulimi Lwebele...
byNokwandaNzuza2
 
PDF
Learning English by Project Based Learning: How to Make Foreign Friends
bysilvianalevana
 
PDF
The Minority Caucus in Parliament has called on government to take immediate ...
bynservice241
 
PPTX
Common problems or challenges faced by Indian adolescents
byDr. Harpal Kaur
 
PDF
1.1 Historical background & development of Profession of Pharmacy.pdf
byMr. SAKHARE R. S.
 
PPTX
How can education build trust in a polarised world_Jonathan James_OECD .pptx
byEduSkills OECD
 
PPTX
Classification and Applied Aspects of Joints.pptx
byMathew Joseph
 
PPTX
Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NISO Training ...
byNational Information Standards Organization (NISO)
 
PPTX
DBP - BITA Introduction Slides Oct 202526
byGreat Files
 
PPTX
Capital Budgeting - Risk Analysis Using Payback Period Method
bySundar B N
 
PDF
Total Quality Management : A presentation by a third year student.
byMbalenhle Ndlovu
 
PPTX
How to Create a Manifest File in Odoo 18
byCeline George
 
PDF
Who Owns the Narrative? Data, Disinformation, and the Missing Voice of Academia
byIsmail Fahmi
 
PDF
History of Department of AIHC and Archaeology_BHU
byBanaras Hindu University
 
PPTX
Basics for Conducting Bibliometric Analysis - Dr Ahsan Riaz
bySystematic Reviews Network (SRN)
 
PPTX
Capitol Webinar October 2025 Dr. Jha.pptx
byCapitolTechU
 
DOCX
PRESS STATEMENT - Response to Minority_ Press Ready.docx
bynservice241
 
ILA 2025 Prague CLS Presentation of Leadership journal
byjohanalvehus
 
English Home Language & First Additional Language P2 Preparation.pptx
byMasingita Maswanganye
 
🧪“Blood Chemistry Tests in Pharmacy Practice: Clinical Laboratory Guide for P...
byBanny S.V
 
Umlando kaMufi. IsiZulu Ulimi Lwebele...
byNokwandaNzuza2
 
Learning English by Project Based Learning: How to Make Foreign Friends
bysilvianalevana
 
The Minority Caucus in Parliament has called on government to take immediate ...
bynservice241
 
Common problems or challenges faced by Indian adolescents
byDr. Harpal Kaur
 
1.1 Historical background & development of Profession of Pharmacy.pdf
byMr. SAKHARE R. S.
 
How can education build trust in a polarised world_Jonathan James_OECD .pptx
byEduSkills OECD
 
Classification and Applied Aspects of Joints.pptx
byMathew Joseph
 
Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NISO Training ...
byNational Information Standards Organization (NISO)
 
DBP - BITA Introduction Slides Oct 202526
byGreat Files
 
Capital Budgeting - Risk Analysis Using Payback Period Method
bySundar B N
 
Total Quality Management : A presentation by a third year student.
byMbalenhle Ndlovu
 
How to Create a Manifest File in Odoo 18
byCeline George
 
Who Owns the Narrative? Data, Disinformation, and the Missing Voice of Academia
byIsmail Fahmi
 
History of Department of AIHC and Archaeology_BHU
byBanaras Hindu University
 
Basics for Conducting Bibliometric Analysis - Dr Ahsan Riaz
bySystematic Reviews Network (SRN)
 
Capitol Webinar October 2025 Dr. Jha.pptx
byCapitolTechU
 
PRESS STATEMENT - Response to Minority_ Press Ready.docx
bynservice241
 
In this document
Powered by AI

Introduction to Microsoft OS vulnerabilities and objectives to secure systems.

Overview of tools for identifying vulnerabilities, including MBSA, HFNetChk, and Winfingerprint.

Discussion on vulnerabilities from integration of Microsoft products and RPC issues.

Explains NetBIOS, its necessity, and associated security challenges like SMB.

Introduces CIFS over SMB, its enhancements, and security measures for network resources.

Discussion on Samba's role in sharing resources across OS and its vulnerabilities.

Advice on securing SMB, including port filtering and password policies.

Overview of IIS vulnerabilities and the importance of running secured configurations.

Identification of vulnerabilities in SQL Server, focusing on common weaknesses and best practices.

Best practices for system hardening, including regular patching, antivirus solutions, and service management.

Microsoft Operating System Vulnerabilities

  • 1.
    Hands-On Ethical Hackingand Network Defense Chapter 8 Microsoft Operating System Vulnerabilities
  • 2.
    Objectives Tools toassess Microsoft system vulnerabilities Describe the vulnerabilities of Microsoft operating systems and services Techniques to harden Microsoft systems against common vulnerabilities Best practices for securing Microsoft systems
  • 3.
    Tools to IdentifyVulnerabilities on Microsoft Systems Many tools are available for this task Using more than one tool is advisable Using several tools help you pinpoint problems more accurately
  • 4.
    Built-in Microsoft ToolsMicrosoft Baseline Security Analyzer (MBSA) Winfingerprint HFNetChk
  • 5.
    Microsoft Baseline SecurityAnalyzer (MBSA) Effective tool that checks for Patches Security updates Configuration errors Blank or weak passwords Others MBSA supports remote scanning Associated product must be installed on scanned computer
  • 6.
  • 7.
  • 8.
  • 9.
    MBSA Versions 2.xfor Win 2000 or later & Office XP or later 1.2.1 if you have older products After installing, MBSA can Scan the local machine Scan other computers remotely Be scanned remotely over the Internet
  • 10.
    HFNetChk HFNetChk ispart of MBSA Available separately from Shavlik Technologies Can be used to control the scanning more precisely, from the command line
  • 11.
    Winfingerprint Administrative toolIt can be used to scan network resources Exploits Windows null sessions Detects NetBIOS shares Disk information and services Null sessions
  • 12.
    Winfingerprint Can findOS detection Service packs and hotfixes Running Services See Proj X6 for Details
  • 13.
    Microsoft OS VulnerabilitiesMicrosoft integrates many of its products into a single package Such as Internet Explorer and Windows OS This creates many useful features It also creates vulnerabilities Security testers should search for vulnerabilities on The OS they are testing Any application running on the server
  • 14.
    CVE (Common Vulnerabilitiesand Exposures ) A list of standardized names for vulnerabilities Makes it easier to share information about them cve.mitre.org (link Ch 8c) Demonstration: Search
  • 15.
    Remote Procedure Call(RPC) RPC is an interprocess communication mechanism Allows a program running on one host to run code on a remote host Examples of worms that exploited RPC MSBlast (LovSAN, Blaster) Nachi Use MBSA to detect if a computer is vulnerable to an RPC-related issue
  • 16.
    NetBIOS Software loadedinto memory Enables a computer program to interact with a network resource or other device NetBIOS is not a protocol NetBIOS is an interface to a network protocol It’s sometimes called a session-layer protocol, or a protocol suite (Links Ch 8d, 8e, 8f)
  • 17.
    NetBEUI NetBIOS ExtendedUser Interface Fast, efficient network protocol Allows NetBIOS packets to be transmitted over TCP/IP NBT is NetBIOS over TCP
  • 18.
    NetBIOS (continued) NewerMicrosoft OSs do not need NetBIOS to share resources NetBIOS is used for backward compatibility You can turn off NetBIOS for Windows 2000 and later (links Ch 8g & 8h)
  • 19.
    Server Message Block(SMB) Used by Windows 95, 98 and NT to share files Usually runs on top of NetBIOS, NetBEUI or TCP/IP Hacking tools L0phtcrack’s SMB Packet Capture utility SMBRelay Ettercap (see Project 23, Links Ch 8r & 8s)
  • 20.
  • 21.
    Common Internet FileSystem (CIFS) CIFS replaced SMB for Windows 2000, XP, and Windows 2003 Server SMB is still used for backward compatibility CIFS is a remote file system protocol Enables computers to share network resources over the Internet
  • 22.
    Common Internet FileSystem (CIFS) (continued) Enhancements over SMB Resource locking (if 2 people use the same thing at once) Support for fault tolerance Capability to run more efficiently over dial-up Support for anonymous and authenticated access
  • 23.
    Common Internet FileSystem (CIFS) (continued) Server security methods Share-level security A password assigned to a shared resource User-level security An access control list assigned to a shared resource Users must be on the list to gain access Passwords are stored in an encrypted form on the server But CIFS is still vulnerable (see link Ch 8n) Don’t let NetBIOS traffic past the firewall
  • 24.
    Understanding Samba Open-sourceimplementation of CIFS Created in 1992 Samba allows sharing resources over multiple OSs Samba accessing Microsoft shares can make a network susceptible to attack Samba is used to “trick” Microsoft services into believing the *NIX resources are Microsoft resources
  • 25.
    Samba is Builtinto Ubuntu Click Places, Connect to Server Windows shares are marked with SMB
  • 26.
    Closing SMB PortsBest way to protect a network from SMB attacks Routers should filter out ports 137 to 139 445
  • 27.
    Default Installations Windows9x, NT, and 2000 all start out with many services running and ports open They are very insecure until you lock them down Win XP, 2003, and Vista are much more secure by default Services are blocked until you open them
  • 28.
    Passwords and AuthenticationA comprehensive password policy is critical Change password regularly Require passwords length of at least six characters Require complex passwords Never write a password down or store it online or on the local system Do not reveal a password over the phone
  • 29.
    Passwords and AuthenticationConfigure domain controllers Enforce password age, length and complexity Account lockout threshold Account lockout duration Start, Run, GPEDIT.MSC
  • 30.
    IIS (Internet InformationServices) IIS 5 and earlier installs with critical security vulnerabilities Run IIS Lockdown Wizard (link Ch 8p) IIS 6.0 installs with a “secure by default” posture Configure only services that are needed Windows 2000 ships with IIS installed by default Running MBSA can detect IIS running on your network
  • 31.
  • 32.
    SQL Server SQLvulnerabilities exploits areas The SA account with a blank password SQL Server Agent Buffer overflow Extended stored procedures Default SQL port 1433 Vulnerabilities related to SQL Server 7.0 and SQL Server 2000
  • 33.
    The SA AccountThe SA account is the master account, with full rights SQL Server 6.5 and 7 installations do not require setting a password for this account SQL Server 2000 supports mixed-mode authentication SA account is created with a blank password SA account cannot be disabled
  • 34.
    SQL Server AgentService mainly responsible for Replication Running scheduled jobs Restarting the SQL service Authorized but unprivileged user can create scheduled jobs to be run by the agent
  • 35.
    Buffer Overflow DatabaseConsistency Checker in SQL Server 2000 Contains commands with buffer overflows SQL Server 7 and 2000 have functions that generate text messages They do not check that messages fit in the buffers supplied to hold them Format string vulnerability in the C runtime functions
  • 36.
    Extended Stored ProceduresSeveral of the extended stored procedures fail to perform input validation They are susceptible to buffer overruns
  • 37.
    Default SQL Port1443 SQL Server is a Winsock application Communicates over TCP/IP using port 1443 Spida worm Scans for systems listening on TCP port 1443 Once connected, attempts to use the xp_cmdshell Enables and sets a password for the Guest account Changing default port is not an easy task
  • 38.
    Best Practices forHardening Microsoft Systems Penetration tester Finds vulnerabilities Security tester Finds vulnerabilities Gives recommendations for correcting found vulnerabilities
  • 39.
    Patching Systems Thenumber-one way to keep your system secure Attacks take advantage of known vulnerabilities Options for small networks Accessing Windows Update manually Automatic Updates This technique does not really ensure that all machines are patched at the same time Does not let you skip patches you don’t want
  • 40.
    Patching Systems Somepatches cause problems, so they should be tested first Options for patch management for large networks Systems Management Server (SMS) Software Update Service (SUS) Patches are pushed out from the network server after they have been tested
  • 41.
    Antivirus Solutions Anantivirus solution is essential For small networks Desktop antivirus tool with automatic updates For large networks Corporate-level solution An antivirus tool is almost useless if it is not updated regularly
  • 42.
    Enable Logging andReview Logs Regularly Important step for monitoring critical areas Performance Traffic patterns Possible security breaches Logging can have negative impact on performance Review logs regularly for signs of intrusion or other problems Use a log-monitoring tool
  • 43.
    Disable Unused orUnneeded Services Disable unneeded services Delete unnecessary applications or scripts Unused applications or services are an invitation for attacks Requires careful planning Close unused ports but maintain functionality
  • 44.
    Other Security BestPractices Use a firewall on each machine, and also a firewall protecting the whole LAN from the Internet Delete unused scripts and sample applications Delete default hidden shares Use different names and passwords for public interfaces
  • 45.
    Other Security BestPractices Be careful of default permissions For example, new shares are readable by all users in Win XP Use available tools to assess system security Like MBSA, IIS Lockdown Wizard, etc. Disable the Guest account Rename the default Administrator account Enforce a good password policy Educate users about security Keep informed about current threats