Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.
Auditing a Windows 2000 Advanced Server
SANS GSNA
VERSION 3.2
PRACTICAL ASSIGNMENT
William Hillis
GSNA Monterey
July 6-11, 2004
Submission Date 12 March 2005
ASSIGNMENT OPTION 1
© SANS Institute 2000 - 2005
Author retains full rights.
TABLE OF CONTENTS
1. PART 1 – RESEARCH IN AUDIT, MEASUREMENT PRACTICE, AND CONTROL
1.1 ABSTRACT ............................................................ 3
1.2 DESCRIPTION OF THE SYSTEM ........................................... 3
1.3 RISK TO THE ARCHITECTURE IN REVIEW .................................. 7
1.4 CURRENT STATE OF PRACTICE ........................................... 8
2. PART 2 – AUDIT PLAN
2.1 WINDOWS 2000 ADVANCED SERVER AUDIT CHECKLIST ........................ 9
3. ASSIGNMENT 3 – CONDUCT THE AUDIT
3.1 CONDUCT THE AUDIT .................................................. 11
4. ASSIGNMENT 4 – REPORTING
4.1 TRANSMITTAL LETTER ................................................. 40
4.2 EXECUTIVE SUMMARY .................................................. 41
4.3 AUDIT REPORT ....................................................... 42
5. REFERENCES .......................................................... 45
Auditing a Windows 2000 Advanced Server
GSNA Assignment
© SANS Institute 2000 - 2005
Page 2 of 45
Author retains full rights.
1. RESEARCH IN AUDIT, MEASUREMENT PRACTICE AND CONTROL
1.1 ABSTRACT
The objective of this audit is to perform a basic security assessment of a Windows 2000 Server. This review will include sections on operating system configuration, network configuration, and general wireless security. This server provides access to network and application services on the AUDITNET network, as well as serving as an intrusion detection system.
1.2 DESCRIPTION OF THE SYSTEM
The system being audited is a Windows 2000 Advanced Server running on a Hewlett Packard (HP) Pavilion 6630. The system has been upgraded to the following specifications:
Component                 Specification
Processor                 500 MHz
Memory                    192 MB
Hard drive                1 30 GB HDD
Network interface card    2 10/100
The server provides the following functionality:
• Web services
• FTP services
• Email
• RDP (Remote Desktop), and an
• Intrusion Detection system
System resources are accessed by a local area network (LAN); in addition, the system also services internet users. Applications on the system include Macromedia Dreamweaver, Microsoft Money, and the VNC Client. These applications are used to manage web pages, finances, and LAN workstations when the administrator is off-site.
The server is located behind a cable/DSL wireless router and uses a private address. Access to the server is controlled using the port forwarding feature built into the router. The port forwarding settings will be identified during the audit. The Windows 2000 Server is connected to the internet as outlined in the network diagram below. Additional configuration and application settings may be identified and addressed during the audit.
NETWORK INFORMATION
Figure 1
The figure shown is a network diagram of the audited network. A hub has been placed between the ISP-supplied cable modem and the wireless router used to share the internet connection.
Figure 2
The image shown is of the wired network equipment and systems from the network diagram above.
Figure 3
The image shown is the network equipment responsible for routing and switching network traffic. The device on top is the NETGEAR 10/100 hub used as a tap for the IDS system. The device in the middle is the cable modem that is rented and maintained by Comcast. The device on the bottom is a NETGEAR MR314 Wireless router.
Figure 4
The NETGEAR Wireless router shown has four 10/100 Ethernet ports for local area network (LAN) systems and one wide area network (WAN) port for connection to the cable or DSL connection. Currently, only 3 of the LAN ports are being utilized. One port is connected to a hub; one port is connected to a Windows 2000 workstation; another to the 2000 Server at the bottom left of the network diagram above.
Figure 5
The following image shows the two network interfaces that are installed in this system. There is no keyboard, mouse or monitor attached to this system, so all administration access is performed through the Terminal Services application.
The system is kept in a temperature-controlled environment at 74 degrees Fahrenheit.
1.3 RISKS TO THE ARCHITECTURE IN REVIEW
The tables below illustrate the most significant risks to the Windows 2000 Server being audited:
System Threats
Threat: Weak passwords could lead to system compromise and loss of information including bank and credit card account numbers and passwords.
Threat level: High
Threat: Incorrect configuration of applications could lead to a web defacement.
Threat level: Medium
Threat: Wireless network could be a point of entry into the network and may be unencrypted, exposing network traffic.
Threat level: High
Threat: Incorrect configuration of network interfaces could increase internet exposure and system compromise.
Threat level: Low
Threat: Vulnerabilities in Internet Explorer could lead to system compromise or compromise user information.
Threat level: Low
Information Assets
Asset: Financial Information in Microsoft Money
Importance: Very High
Threat: Microsoft Money is used to track company finances. MS Money has the ability to store passwords, in which case it would not require a user to enter a password to access the information stored within the application or its files.
Asset: Webpage files
Importance: Medium
Threat: If compromised, web pages could be altered to deliver an alternate message, damaging company reputation.
Asset: Internet data
Importance: High
Threat: The wireless network traffic could be captured and analyzed in an attempt to gain access to sensitive information.
Major Vulnerabilities
Vulnerability: Weak passwords
Exposure: High
Potential Impact: Weak passwords could result in the audited system being compromised as well as other systems on the network.
Vulnerability: Operating System not current
Exposure: High
Potential Impact: Systems not kept up to date could result in compromise.
Vulnerability: Router configuration
Exposure: High
Potential Impact: The server may have been set up in the DMZ, increasing the risk of compromise.
1.4 CURRENT STATE OF PRACTICE
Current state of practice links
The Windows 2000 Advanced Server operating system was released for use on March 31, 2000. Over the past five years many books, articles, and opinions have been published detailing ideas on how best to secure this platform. There is no magic solution that is best for all installations. Multiple resources were reviewed during the preparation of this audit. Links have been included below pertaining to general information regarding Windows 2000 Advanced Server, application settings, and auditing tools.
1. NSA guide to securing IIS 5
http://www.nsa.gov/snac/os/win2k/iis_5.pdf
This document is important in that it describes steps that can be taken to improve the reliability and security of IIS, the application responsible for providing web services on many systems worldwide, including the system in this audit.
2. Securing Terminal Services
http://www.nsa.gov/snac/os/win2k/w2k_terminal_serv.pdf
This document gives applicable suggestions on configuring a terminal server in application server mode.
3. Microsoft’s guidelines for securing Windows 2000
http://www.microsoft.com/technet/Security/topics/issues/w2kccscg/w2kscgc3.mspx
This document details configuration options and gives some suggestions for configuring a Windows 2000 Server.
4. Configuring Snort on a Windows system
http://www.engagesecurity.com/docs/idscenter/
This document details the installation of the IDScenter application for Windows, which also installs the Snort IDS system.
5. MSDN article about the “localSystem” account type
http://msdn.microsoft.com/library/default.asp?url=/library/enus/dllproc/base/localsystem_account.asp
6. WinTasks Utility Pro
Utility for identifying applications running on a Windows system
http://www.liutilities.com/
7. DumpSec
Utility for gathering a variety of system information about applications and user accounts.
http://www.systemtools.com/somarsoft/
8. Peer to Peer IPSec
http://www.microsoft.com/technet/community/columns/cableguy/cg0501.mspx
2. AUDIT PLAN
2.1 WINDOWS 2000 ADVANCED SERVER AUDIT CHECKLIST
AUDIT CHECK LIST (the WP REF in brackets gives the work paper page where each item is addressed)
I. PHYSICAL SECURITY
A. Identify the location of the system being audited and verify that the location is secure. [WP REF: Page 11]
B. Verify that employees and vendors with physical access have a business case for access. [WP REF: Page 11]
II. OS SECURITY
A. Identify the operating system of the audited system to verify that it is still supported by its vendor. [WP REF: Page 11]
B. Determine if the system has the current operating system patches or those required by applicable security policies. [WP REF: Pages 12-23]
C. Identify the applications that are running on the system; verify that there are no rogue processes. Discuss any discrepancies with the system administrator. [WP REF: Pages 23-24]
D. Identify user accounts on the audited system
1. Determine if account names seem reasonable [WP REF: Page 25]
2. Determine if passwords are changed regularly [WP REF: Page 25]
3. Determine if users have more rights than required to do their job [WP REF: Page 26]
III. NETWORK SECURITY
A. Determine if the interface configuration has been appropriately configured as per the “stealth host” documentation on the Engage Security website. (See state of practice links.) In the registry check the following under this entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
1. Verify that the “IPAutoconfigurationEnabled” setting is set to 0 [WP REF: Page 27]
2. Verify that “EnableDHCP” is set to 0 [WP REF: Page 27]
3. Verify that “IPAddress” is set to the following hex values, “30 00 00 00 30 00 2E 00 30 00 2E 00 30 00 00 00 00 00” [WP REF: Page 27]
4. Determine if the settings resulted in an interface having a 0.0.0.0 IP address [WP REF: Page 28]
B. Determine if adequate steps have been taken to prevent unauthorized access to the audited system from wireless users. [WP REF: Page 28]
1. Determine if access to the wireless network has been restricted by MAC address [WP REF: Page 28]
2. Determine if any authentication is required for access to the network [WP REF: Page 28]
3. Determine if any sort of encryption is used to protect network traffic [WP REF: Page 29]
4. Determine if the password on the router is frequently changed. [WP REF: Page 30]
5. Determine if the firmware on the router is up to date. [WP REF: Page 30]
6. Determine if steps should be taken to keep wireless coverage from bleeding over into surrounding streets. [WP REF: Page 30]
C. Determine what ports are reachable from the internet and if these ports are configured as intended.
1. Use NMAP to determine what ports are available from the internet. [WP REF: Page 31]
2. Identify what applications are using internet accessible ports and document their version. Determine if these applications are trojans. [WP REF: Page 32]
3. Use the Retina application to identify weaknesses that may be exploitable on those ports. [WP REF: Pages 33-38]
D. Verify that the IDS system is functioning as designed and that the alerts are analyzed.
1. Look at alerts generated by the IDS system to verify that it is analyzing network traffic. [WP REF: Page 39]
2. Verify that alerts are analyzed and appropriate actions are taken against those who violate company policies. [WP REF: Page 39]
IV. Reporting
A. Transmittal Letter [WP REF: Page 40]
B. Executive Summary [WP REF: Page 41]
C. Audit Report & Management Responses [WP REF: Page 42]
D. References [WP REF: Page 45]
3. CONDUCT THE AUDIT
3.I PHYSICAL SECURITY
A. Identify the location of the system being audited and verify that the location is secure.
The system is physically located in a home office on the second floor in a typical residential neighborhood. Access to the facility is controlled using a lock and key. Keys kept onsite for administrative use are inventoried weekly, and only active employees have keys. Keys are issued and collected as part of the termination / out-processing process.
B. Verify that employees and vendors with physical access have a business case for access.
Vendors are not issued keys to the facility and are always escorted.
3.II OS SECURITY
A. Identify the operating system of the audited system to verify that it is still supported by its vendor
To identify the OS system type and service pack level:
1. Right click on the My Computer icon
2. Left click on Properties
Figure 6
The system is a Windows 2000 Advanced Server, Service Pack 5 build 5.00.2195. This operating system is supported until June 30 2005, with security updates available until 2010.
B. Determine if the system has the current operating system patches or those required by applicable security policies.
The Microsoft Baseline Security Analyzer (MBSA) tool was used to collect general system information about patches, user accounts and installed Microsoft applications. The MBSA tool can be downloaded using this link <http://www.microsoft.com/technet/security/tools/mbsahome.mspx>
The results from the Microsoft Baseline tool are below. Auditor notes and explanations pertaining to issues noted can be found under the results.
Computer name: WORKGROUP\AUDITNET-system
IP address:
Security report name: WORKGROUP - AUDITNET (12/17/2004 10:34 AM)
Scan date: 12/17/2004 10:34 AM
Scanned with MBSA version: 1.2.4013.0
Security update database version: 2004.12.14.0
Office update database version: 11.0.0.7209
Security assessment: Severe Risk (One or more critical checks failed.)
Security Update Scan Results (Score. Issue: Result)
1. MSXML Security Updates: 1 products are using a service pack not at the latest version or have other warnings.
2. Windows Security Updates: 6 security updates could not be confirmed.
3. Microsoft VM Security Updates: No critical security updates are missing.
4. Office Updates: No critical security updates are missing.
5. IIS Security Updates: No critical security updates are missing.
6. Windows Media Player Security Updates: No critical security updates are missing.
7. MDAC Security Updates: No critical security updates are missing.
Windows Scan Results
Vulnerabilities
8. Local Account Password Test: Some user accounts (2 of 10) have blank or simple passwords, or could not be analyzed.
9. Restrict Anonymous: Computer is running with RestrictAnonymous = 0. This level prevents basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.
10. Password Expiration: Some user accounts (4 of 10) have non-expiring passwords.
11. Windows Firewall: Windows Firewall is not installed or configured properly, or is not available on this version of Windows.
12. Automatic Updates: Updates are automatically downloaded and installed on this computer.
13. File System: All hard drives (1) are using the NTFS file system.
14. Autologon: Autologon is not configured on this computer.
15. Guest Account: The Guest account is disabled on this computer.
16. Administrators: No more than 2 Administrators were found on this computer.
Additional System Information
17. Auditing: Enable auditing for specific events like logon/logoff. Be sure to monitor your event log to watch for unauthorized access.
18. Services: Some potentially unnecessary services are installed.
19. Shares: 4 share(s) are present on your computer.
20. Windows Version: Computer is running Windows 2000 or greater.
Internet Information Services (IIS) Scan Results
Vulnerabilities
21. IIS Lockdown Tool: The IIS Lockdown tool has not been run on the machine.
22. Sample Applications: Some IIS sample applications are installed.
23. Parent Paths: Parent paths are enabled in some web sites and/or virtual directories.
24. MSADC and Scripts Virtual Directories: MSADC virtual directory was found under one or more web sites. Scripts virtual directory was found under one or more web sites.
25. IISAdmin Virtual Directory: IISADMPWD virtual directory is not present.
Additional System Information
26. Domain Controller Test: IIS is not running on a domain controller.
27. IIS Logging Enabled: Some web or FTP sites are not using the recommended logging options.
SQL Server Scan Results
28. SQL Server/MSDE Status: SQL Server and/or MSDE is not installed on this computer.
Desktop Application Scan Results
Vulnerabilities
29. IE Zones: Internet Explorer zones do not have secure settings for some users.
30. Macro Security: No Microsoft Office products are installed.
3.II.B.2.1 MSXML SECURITY UPDATE 2.6
MSXML Security Update 2.6 was one of the Microsoft patches released in 2002. More information about this security update can be found by researching MS02-008. For this patch to be critical, a user would have to visit a website capable of exploiting this vulnerability, which could result in information stored locally on the system being compromised.
3.II.B.2.2 SECURITY UPDATES
Figure 7
Microsoft ID Number   Application                              Microsoft determined risk level   Auditor determined system risk
MS02-064              Operating System                         Low                               Low
MS03-008              Windows script engine for jscript (IE)   Critical                          Low
MS03-030              Direct X – (IE)                          Critical                          Low
MS04-016              Direct Play (games)                      Moderate                          Low
MS04-028              Multiple (JPEG vul)                      Critical                          Low
MS05-009              MSN messenger, media player              critical                          No L
All of the exploits outlined above require additional software installation, user execution, or require a user to browse to a webpage with malicious code. Since this server is not for browsing the internet, these updates are not critical to the system but should be installed.
3.II.B.2.2 SECURITY UPDATES (CONT)
The qfecheck.exe application was used to validate the results provided by the MBSA application.
Figure 8
Results from the qfecheck.exe application to verify the installation of hot-fixes
Installations of the hot-fixes were not found using the qfecheck.exe application. Each security update can be researched individually using the MS0x numbers following the blue asterisk. Links have been provided in the table above on page 17. In some of the cases above, patches should be downloaded; others require a system setting change or registry entry. The information regarding installation and system settings is outlined in the Microsoft notes.
3.II.B.2.8 LOCAL ACCOUNT PASSWORD TEST
Figure 9
The MBSA tool found two accounts that had weak passwords. The snort account was created by the administrator with the intention of setting the account rights to user level and using it to run the snort application. Setting account privileges to user helps maintain system integrity and keeps system damage to a minimum in the event the system becomes compromised through the snort application. This configuration was never implemented and the snort account is not being used. The guest account is the other instance of a weak password; however, the account is disabled.
3.II.B.2.9 RESTRICT ANONYMOUS
The MBSA tool found that the Restrict Anonymous registry setting was not configured. If not set to restrict anonymous users, it may be possible for an attacker to obtain system information using various network based methods. Once an attacker is able to obtain a user account name, a brute force password attack may be all that is needed to gain access to the system.
Figure 10
Restrict anonymous registry setting information.
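The registry checks in checklist item III.A (the "stealth host" interface settings) and the RestrictAnonymous finding above can both be repeated offline against a registry export (.reg file) taken from the server. The script below is an added example, not part of the paper and not a SANS or Microsoft tool; the registry paths are the standard Windows 2000 locations named on the page, while the export text, the interface names in braces and the value settings are constructed for illustration (the IPAddress bytes are the UTF-16LE encoding of 0.0.0.0 plus the REG_MULTI_SZ terminator).

```python
import re

# Constructed sample export (not taken from the audited system). The first
# interface is configured as a "stealth host"; the second still uses DHCP and
# autoconfiguration, and RestrictAnonymous is left at 0 as MBSA reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IDS-TAP-NIC}]
"EnableDHCP"=dword:00000000
"IPAutoconfigurationEnabled"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{LAN-NIC}]
"EnableDHCP"=dword:00000001
"IPAutoconfigurationEnabled"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,\
  00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"""

INTERFACES_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                  r"\Tcpip\Parameters\Interfaces")
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"


def parse_reg(text):
    """Return {key_path: {value_name: value}} from a .reg export.
    dword values become int; hex(7) (REG_MULTI_SZ: UTF-16LE strings separated
    by NUL and terminated by a double NUL) becomes a list of strings; anything
    else is kept as a plain string."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        while line.endswith("\\"):  # regedit wraps long hex data with a trailing backslash
            line = line[:-1] + next(lines, "").strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if not m or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[6:], 16)
        elif raw.startswith("hex(7):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            keys[current][name] = [s for s in data.decode("utf-16-le").split("\0") if s]
        else:
            keys[current][name] = raw.strip('"')
    return keys


def check_stealth_interface(values):
    """Checklist III.A.1-4: autoconfiguration off, DHCP off, static address 0.0.0.0."""
    findings = []
    if values.get("IPAutoconfigurationEnabled", 1) != 0:
        findings.append("IPAutoconfigurationEnabled is not 0")
    if values.get("EnableDHCP", 1) != 0:
        findings.append("EnableDHCP is not 0")
    if values.get("IPAddress") != ["0.0.0.0"]:
        findings.append(f"IPAddress is not 0.0.0.0: {values.get('IPAddress')!r}")
    return findings


def check_restrict_anonymous(values):
    """Finding 3.II.B.2.9: MBSA recommends RestrictAnonymous = 2 on this system."""
    level = values.get("RestrictAnonymous", 0)  # an absent value behaves like 0
    return [] if level == 2 else [f"RestrictAnonymous is {level}, MBSA recommends 2"]


def audit_export(text):
    """Run both checks over an export; returns {subject: [findings]}, empty list = pass."""
    keys = parse_reg(text)
    report = {}
    for path, values in keys.items():
        if path.startswith(INTERFACES_KEY + "\\"):
            report[path.rsplit("\\", 1)[1]] = check_stealth_interface(values)
    report["RestrictAnonymous"] = check_restrict_anonymous(keys.get(LSA_KEY, {}))
    return report


if __name__ == "__main__":
    for subject, findings in audit_export(SAMPLE_REG).items():
        print(subject, "PASS" if not findings else "; ".join(findings))
```

On a live Windows 2000 host the same input is produced with regedit's export of the two keys, so the check never needs to run on the server itself.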
3.II.B.2.10 PASSWORD EXPIRATION
The user accounts marked with a yellow X in Figure 11 have passwords that do not expire. Account password policies will be reviewed in another section and will not be detailed here.
Figure 11
3.II.B.2.11 AUDITING
User logins and logoff actions are not recorded by the system. This limits the amount of information collected by the system and also makes identifying who made changes to the system difficult.
Figure 12
<http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/enus/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/enus/sag_seconceptsimpaudbp.asp>
3.II.B.2.12 SERVICES
The MBSA tool has flagged multiple services as being potentially unnecessary. Unnecessary services may provide hackers and viruses an entry point into your system. In this case, all of these applications were known to be on the system prior to the audit and are being used.
Figure 13
3.II.B.21 IIS LOCKDOWN TOOL
The MBSA tool detected that the IIS Lockdown tool has not been run on the system. This tool will remove sample applications; not running it increases the system's risk of compromise.
<http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb3047eb-9a61fd755d23cdec&DisplayLang=en>
Figure 14
3.II.B.2.23 SAMPLE APPLICATIONS
The MBSA tool found that sample applications bundled with the web server installation process are still installed. These components or applications are not typically necessary for normal functionality and should be disabled.
Figure 15
3.II.B.2.24 PARENT PATHS
The MBSA scanner found that parent paths were enabled on the web server. This allows applications or scripts in subdirectories to execute applications or scripts in parent directories. If this functionality is not required, it should be disabled. Here is a link to the Microsoft webpage with information regarding this issue.
<http://www.microsoft.com/resources/documentation/appctr/2000/all/proddocs/enus/accrsc_iisdpp.mspx>
Figure 16
3.II.B.2.27 LOGGING
ull
rig
ht
s.
Internal Audit verified that the public website and ftp sites were logging to the
C:\WINNT\system32\LogFiles directory.
3.II.B.2.29 IE SECURITY SETTINGS
5,
A
ut
ho
rr
eta
ins
f
Internal Audit discussed the roll of this system with the system administrator in depth.
It was determined that Internet Explorer is only used by the system administrator for
verifying updates on the Windows update website. The ability to restrict applications is
Key
= AF19
2F94
998D application
FDB5 DE3D
06E4 A169mode.
4E46 System
notfingerprint
possible when
the FA27
terminal
services
is F8B5
in administration
administrators would be able to better control the capabilities of this server if it were in
application mode.
00
3.II.C APPLICATIONS
te
©
SA
NS
In
sti
tu
• Identify the applications that are running on the system.
• Verify that there are no rogue processes.
• Discuss any discrepancies with the system administrator.
Using the WinTasksPro utility from liutilities in combination with the DumpSec application, Internal Audit was able to identify all of the applications and services running on the system at the time of the audit. A summary of results from the DumpSec application was exported into an Excel spreadsheet and is listed below for review.
Figure 17
Figure 18
No rogue applications, trojans, or spyware were discovered during the audit. All of the applications running were legitimate and identifiable.
3.II.D USER ACCOUNTS
3.II.D.1 ACCOUNT NAMES
Using the Somarsoft DumpSec application, user accounts were exported into a text file, and then into an Excel spreadsheet for review. The accounts highlighted in yellow are of interest.
Figure 19
Account                  Notes from system administrator
Administrator            No notes
ASPNET                   No notes
Burchts                  Not needed
Crackhead                Not needed
Guest                    No notes
Hilliwt                  No notes
IUSR_AUDITNET-5N345H     No notes
IWAM_AUDITNET-5N345H     No notes
Snort                    Not needed
TsinternetUser           No notes
Auditor Notes: three of the accounts are flagged "Pass does not expire".
3.II.D.2 PASSWORD POLICY
Using the DumpSec application, Internal Audit was able to easily determine the system's configured password policy. There is not a formal written policy, so the system's configured policy was used as a baseline. The system is configured to require the password to be changed every 42 days. There is no required password length, passwords can be reused, and passwords can be changed multiple times.
Information about creating good passwords can be found here on Microsoft's web page:
<http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/enus/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/enus/dsscc_aut_xbby.asp>
Figure 20
2/18/2005 3:31 PM - Somarsoft DumpSec (formerly DumpAcl) - \\GOHILLIS5N345H (local)
Policies
Account Policies
Min password len: 0 chars
Max password age: 42 days
Min password age: 0 days
Password history: 0 passwords
Do not force logoff when logon hours expire
No account lockout
Audit Policies
All auditing disabled
CrashOnAuditFail=False
3.II.D.3 USER RIGHTS
The DumpSec application was used to identify account permissions for user accounts. There is only one administrator account, but its password has not changed in months and is in violation of the system policy of 42 days.
The accounts of interest have been highlighted in yellow. As noted above, three should be removed per the administrator. Account hilliwt should be required to conform to the password policy. Accounts do not appear to have unneeded system rights, like a user having administrative rights.
Figure 21
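The two DumpSec checks above (policy baseline and account password age) can be automated over the tool's text export. The following Python is an added example, not part of the audit paper: it parses the Figure 20 policy block, compares it with a baseline whose 42-day maximum age comes from the audited system and whose other thresholds are assumed, and flags enabled accounts whose passwords never expire, are older than 42 days, or that the administrator marked as not needed. The account rows and their dates are constructed sample data.

```python
"""Audit DumpSec-style exports against the audited system's password policy.
Added example, not part of the audit paper. POLICY_TEXT is the "Account
Policies" block as DumpSec reported it (Figure 20); the account rows are
constructed sample data modelled on the paper's account table."""
import re
from dataclasses import dataclass
from datetime import date

POLICY_TEXT = """\
Account Policies
Min password len: 0 chars
Max password age: 42 days
Min password age: 0 days
Password history: 0 passwords
Do not force logoff when logon hours expire
No account lockout
Audit Policies
All auditing disabled
CrashOnAuditFail=False
"""
AUDIT_DATE = date(2005, 2, 18)   # date of the DumpSec report in the paper

# Baseline: max_age is the system's own configured 42 days (the paper's
# implied policy); the other thresholds are assumed values.
BASELINE = {"min_len": 8, "max_age": 42, "min_age": 1, "history": 5,
            "lockout": True, "auditing": True}

def parse_policy(text: str) -> dict:
    """Pull numeric settings and on/off flags out of a DumpSec policy block."""
    def num(label: str) -> int:
        m = re.search(rf"{re.escape(label)}:\s*(\d+)", text)
        if m is None:
            raise ValueError(f"policy field not found: {label}")
        return int(m.group(1))
    return {
        "min_len": num("Min password len"),
        "max_age": num("Max password age"),
        "min_age": num("Min password age"),
        "history": num("Password history"),
        "lockout": "No account lockout" not in text,
        "auditing": "All auditing disabled" not in text,
    }

def policy_findings(policy: dict, baseline: dict = BASELINE) -> list[str]:
    """One finding per setting that is weaker than the baseline."""
    weaker = {
        "min_len": policy["min_len"] < baseline["min_len"],
        "max_age": policy["max_age"] > baseline["max_age"],
        "min_age": policy["min_age"] < baseline["min_age"],
        "history": policy["history"] < baseline["history"],
        "lockout": baseline["lockout"] and not policy["lockout"],
        "auditing": baseline["auditing"] and not policy["auditing"],
    }
    return [f"{k}: configured {policy[k]!r}, baseline {baseline[k]!r}"
            for k, bad in weaker.items() if bad]

@dataclass(frozen=True)
class Account:
    name: str
    pwd_never_expires: bool       # DumpSec "Pass does not expire" flag
    last_pwd_change: date
    disabled: bool = False
    admin_note: str = "No notes"  # system administrator's comment

# Constructed rows: names from the paper, dates and flags invented.
ACCOUNTS = [
    Account("Administrator", True, date(2004, 9, 1)),
    Account("Hilliwt", True, date(2005, 2, 1)),
    Account("Burchts", False, date(2005, 1, 20), admin_note="Not needed"),
    Account("Crackhead", False, date(2004, 11, 5), disabled=True, admin_note="Not needed"),
    Account("Snort", False, date(2004, 12, 1), admin_note="Not needed"),
]

def account_findings(accounts, max_age_days: int, today: date = AUDIT_DATE) -> list[str]:
    """Flag enabled accounts that escape or violate the max-age policy, and
    enabled accounts the administrator says are no longer needed."""
    findings = []
    for a in accounts:
        if a.disabled:
            continue                 # a disabled account is not a live exposure
        if a.pwd_never_expires:
            findings.append(f"{a.name}: password set to never expire")
        if (today - a.last_pwd_change).days > max_age_days:
            findings.append(f"{a.name}: password older than {max_age_days} days")
        if a.admin_note == "Not needed":
            findings.append(f"{a.name}: not needed per administrator but still enabled")
    return findings

if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    for f in policy_findings(policy) + account_findings(ACCOUNTS, policy["max_age"]):
        print(f)
```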
3.III NETWORK SECURITY
3.III.A INTERFACE CONFIGURATION
Determine if the interface configuration has been appropriately configured.
1. Documentation for creating a stealthy host was obtained from Engage Security. A link can be found in the state of practice links.
Figure 22
2. Determine if the interface configuration has been appropriately configured as per the "stealth host" documentation on the Engage Security website. (See state of practice links.)
In the registry, check the following under this entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Figure 23
3. Screen shots taken from the registry editor to verify configuration.
   1. Verify that the "IPAutoconfigurationEnabled" setting is set to 0.
   2. Verify that "EnableDHCP" is set to 0.
   3. Verify that "IPAddress" is set to the following hex values: "30 00 00 00 30 00 2E 00 30 00 2E 00 30 00 00 00 00 00".
Figure 24
4. Determine if the settings resulted in an interface having a 0.0.0.0 IP address.
The first interface has a 0.0.0.0 IP address. This address can not be reached from inside or outside of the AUDITNET network.
Figure 25
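The registry checks in steps 1 to 3 compare two DWORD values and one REG_MULTI_SZ value with expected data; the Python below, an added example that is not from the paper, performs the same comparison offline. It decodes the IPAddress hex quoted in step 3 (UTF-16-LE text, which decodes to the two strings "0" and "0.0.0"), accepts values in the (data, type) shape the standard winreg module returns, and reports every deviation. Reading the live key is left out, so the two sample interfaces are constructed.

```python
"""Check a Tcpip interface key against the stealth-host checklist values.
Added example, not from the paper. Values are passed in as a dict in the
(data, type) shape that winreg.QueryValueEx returns, so the logic has no
Windows dependency; reading the live HKLM\\SYSTEM\\CurrentControlSet\\
Services\\Tcpip\\Parameters\\Interfaces subkey is left to the caller."""

REG_DWORD = 4       # same numeric values as winreg.REG_DWORD
REG_MULTI_SZ = 7    # and winreg.REG_MULTI_SZ

# IPAddress bytes exactly as printed in the checklist (step 3).
EXPECTED_IPADDRESS_HEX = "30 00 00 00 30 00 2E 00 30 00 2E 00 30 00 00 00 00 00"

def decode_multi_sz(raw: bytes) -> list[str]:
    """REG_MULTI_SZ is UTF-16-LE text: each string ends in NUL, the list in a second NUL."""
    text = raw.decode("utf-16-le").rstrip("\x00")
    return text.split("\x00") if text else []

def encode_multi_sz(strings) -> bytes:
    """Inverse of decode_multi_sz (handy for building expected values)."""
    return "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"

# What the checklist requires of each value: (registry type, expected data).
# The hex above decodes to the two strings "0" and "0.0.0".
EXPECTED = {
    "IPAutoconfigurationEnabled": (REG_DWORD, 0),
    "EnableDHCP": (REG_DWORD, 0),
    "IPAddress": (REG_MULTI_SZ, decode_multi_sz(bytes.fromhex(EXPECTED_IPADDRESS_HEX))),
}

def normalize(data, vtype):
    """Accept REG_MULTI_SZ either as winreg's list of str or as the raw bytes
    seen in regedit's binary view."""
    if vtype == REG_MULTI_SZ and isinstance(data, (bytes, bytearray)):
        return decode_multi_sz(bytes(data))
    return data

def audit_interface(values: dict) -> list[str]:
    """One message per checklist item the interface fails; [] means compliant."""
    problems = []
    for name, (want_type, want) in EXPECTED.items():
        if name not in values:
            problems.append(f"{name}: value missing")
            continue
        data, vtype = values[name]
        if vtype != want_type:
            problems.append(f"{name}: registry type {vtype}, expected {want_type}")
            continue
        got = normalize(data, vtype)
        if got != want:
            problems.append(f"{name}: {got!r}, expected {want!r}")
    return problems

# Constructed samples. STEALTH_IFACE carries the checklist bytes verbatim;
# DHCP_IFACE is a typical DHCP client and fails every check.
STEALTH_IFACE = {
    "IPAutoconfigurationEnabled": (0, REG_DWORD),
    "EnableDHCP": (0, REG_DWORD),
    "IPAddress": (bytes.fromhex(EXPECTED_IPADDRESS_HEX), REG_MULTI_SZ),
}
DHCP_IFACE = {
    "IPAutoconfigurationEnabled": (1, REG_DWORD),
    "EnableDHCP": (1, REG_DWORD),
    "IPAddress": (["0.0.0.0"], REG_MULTI_SZ),
}

if __name__ == "__main__":
    for label, iface in (("stealth", STEALTH_IFACE), ("dhcp", DHCP_IFACE)):
        print(label, audit_interface(iface) or "compliant")
```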
3.III.B WIRELESS NETWORK CONFIGURATION
Figure 26
1. Determine if access to the wireless network has been restricted by MAC address.
2. Determine if any other authentication is required for access to the network.
The router does not support any type of authentication other than requiring a WEP key; see next step.
3. Determine if any sort of encryption is used to protect network traffic.
WEP is enabled. See red arrow. The configured WEP key has been obfuscated.
WEP is not as secure as other technologies like VPN. WEP can be broken using AirSnort, found at this link: <http://airsnort.shmoo.com/>
Figure 27
To verify that traffic is encrypted, the WildPackets AiroPeek application was used with a
Cisco 350 wireless card. Traffic was sent through Internal Audit’s Proxim / Orinoco Gold
card with MAC address ending with 40BB. This can be seen in the far left column of the
application in the screen shot below.
The red circle is showing traffic on the network from LAN users being WEP encrypted.
<http://www.wildpackets.com/products/airopeek>
Figure 28
4. ROUTER PASSWORD POLICY
The default password is used, and can be found in the documentation on the manufacturer's website. Link to PDF:
<ftp://downloads.netgear.com/files/mr314_ref_guide_326.zip>
5. FIRMWARE
Router software is at its current version (Version 3.29).
Figure 29
6. WIFI COVERAGE
Using an HP iPAQ 5555, an Orinoco Gold wireless card, and the WiFiFoFum application, Internal Audit was able to determine that wireless coverage does extend on to neighboring streets, using a method sometimes called war-driving.
From this particular location on the street, there were four other wireless networks available. Two of those wireless networks do not have WEP enabled and are likely "open". This means that anyone can associate with and use the access point for an internet or network connection. With other networks in the area being "open", this reduces the risk that the AUDITNET network will be accessed by a casual WiFi seeker. Moving the access point may further reduce the risk of curb side hacking.
Figure 30
3.III.C NMAP APPLICATION
1. PORT AVAILABILITY
NMAP results from an off-site scan using the default options of a SYN scan, which gave the same results as other types of scans like SYN FIN and SYN ACK.
As you can see, there are 6 "open" ports in this router configuration screen that coincide with what was seen using the NMAP application. From a network compliance and policy standpoint, the system is in compliance if the router configuration is to be recognized as an implied policy.
Figure 31
Figure 32
Application                                        Port                                                     Version
Lotus Notes                                        25                                                       6.0.2 CF2
IIS 5 Web server                                   80                                                       5.0
IIS 5 FTP                                          99 (anonymous), 100 (password protected, IP restricted)  5.0
Lotus Notes, password protected, encrypted         1352                                                     6.0.2 CF2
Terminal Services, high encryption, in admin mode  3389                                                     5.0
Lotus Notes (web server for web email)             8080                                                     6.0.2 CF2
3.III.C.2 RETINA SECURITY SCAN (FOLLOWING PAGE)
Retina - Network Security Scanner
Network Vulnerability Assessment & Remediation Management
Thursday, December 23, 2004
NETWORK ANALYSIS RESULTS
Report Summary
Scanner Name: Retina                  Machines Scanned: 1
Scanner Version: 5.0.17.1107          Vulnerabilities Total: 2
Scan Start Date: 12/23/2004           High Risk Vulnerabilities: 2
Scan Start Time: 5:20:31 PM           Medium Risk Vulnerabilities: 0
Scan Duration: 0h 0m 20s              Low Risk Vulnerabilities: 0
Scan Name: Windows top 20             Information only Audits: 0
Scan Status: Completed
Credential Used: ---
[Charts: Top 5 Most Vulnerable Hosts; % of Vulnerabilities By Risk; Avg. of Vulnerabilities By Risk; Num. of Vulnerabilities By Risk]
TOP 20 VULNERABILITIES
The following is an overview of the top 20 vulnerabilities on your network.
Rank  Vulnerability Name  Count
1.    Null Session        1
2.    LM Hash             1
TOP 20 OPEN PORTS
The following is an overview of the top 20 open ports on your network.
Rank  Port Number  Count  Description
1.    TCP:7        1      ECHO - Echo
2.    TCP:9        1      DISCARD - Discard
3.    TCP:13       1      DAYTIME - Daytime
4.    TCP:17       1      QOTD - Quote of the Day
5.    TCP:19       1      CHARGEN - Character Generator
6.    TCP:26       1
7.    TCP:42       1      NAMESERVER / WINS - Host Name Server
8.    TCP:80       1      WWW-HTTP - World Wide Web HTTP (Hyper Text Transfer Protocol)
9.    TCP:99       1      METAGRAM - Metagram Relay
10.   TCP:100      1      NEWACCT - [unauthorized use]
11.   TCP:135      1      RPC-LOCATOR - RPC (Remote Procedure Call) Location Service
12.   TCP:139      1      NETBIOS-SSN - NETBIOS Session Service
13.   TCP:443      1      HTTPS - HTTPS (Hyper Text Transfer Protocol Secure) - SSL (Secure Socket Layer)
14.   TCP:445      1      MICROSOFT-DS - Microsoft-DS
15.   TCP:1025     1      LISTEN - listen
16.   TCP:1031     1      IAD2 - BBN IAD
17.   TCP:1034     1
18.   TCP:1035     1
19.   TCP:1037     1
20.   TCP:1038     1
TOP 20 RUNNING SERVICES
The following is an overview of the top 20 running services on your network.
Rank  Name               Count  Description
1.    Browser            1      Maintains an up-to-date list of computers on your network and supplied the list to requesting programs.
2.    EventLog           1      Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer.
3.    IIS                1
4.    LanmanServer       1      Provides RPC support and file, print, and named pipe sharing.
5.    LanmanWorkstation  1      Provides network connections and communications.
6.    LicenseService     1
7.    Messenger          1      Sends and receives messages transmitted by administrators or by the Alerter service.
8.    Netlogon           1      Supports pass-through authentication of account logon events for computers in a domain.
9.    RPCLOCATOR         1      Manages the RPC name service database.
10.   RpcSs              1      Provides the endpoint mapper and other miscellaneous RPC services.
11.   Scheduler          1
12.   SMTPSVC            1      Simple Mail Transport Service
13.   Spooler            1      Loads files to memory for later printing.
TOP 20 OPERATING SYSTEMS
The following is an overview of the top 20 operating systems on your network.
Rank  Operating System Name         Count
1.    Windows 2000, Service Pack 4  1

TOP 20 USER ACCOUNTS
The following is an overview of the top 20 user accounts on your network.
Rank  Account Name          Count
1.    Administrator         1
2.    ASPNET                1
3.    burchts               1
4.    Crackhead             1
5.    Guest                 1
6.    Hilliwt               1
7.    IUSR_GOHILLIS-5N345H  1
8.    IWAM_GOHILLIS-5N345H  1
9.    Snort                 1
10.   TsInternetUser        1
TOP 20 NETWORK SHARES
The following is an overview of the top 20 network shares on your network.
Rank  Share Name  Count
1.    ADMIN$      1
2.    C$          1
3.    CertConfig  1
4.    CertEnroll  1
5.    D           1
6.    IPC$        1
3.III.C.2 RETINA SECURITY SCAN (AUDITOR SUMMARY)
The Retina top 20 scan revealed that there were 2 vulnerabilities.
Vulnerability
1. Null Sessions    Requires access to ports 139 and 445 to exploit. Microsoft Article and instructions.
2. LM Hash          Is a form of password storage, in this case on a 2000 server. It is enabled by default for backward compatibility with systems older than 2000. This network has no need for compatibility with systems older than 2000, so it can be safely disabled. Microsoft Article and instructions.
Notes
The Lotus Notes application had been stopped during the time system information was being collected for this audit. If this application had been running during the scan, additional ports would have been seen on the scan results, including 1352 and 8080. Microsoft's SMTP server on port 25 had been enabled for testing purposes before the audit.
3.III.D INTRUSION DETECTION
1. Look at alerts generated by the IDS system; verify that the system is analyzing network traffic.
Intrusion attempts were recorded by the intrusion detection system. The alert dates reveal that the system had logged alerts the same day that this control was checked. The system administrator stated that the events were checked daily.
Figure 32
IDS NOTES: The intrusion detection system (IDS) is a Snort IDS version 2.3.0. Events are logged into a MySQL database (V4.017) which is accessed using the ACID front end utility.
2. Verify alerts are analyzed and escalated when appropriate.
Below is an email sent to [email protected]; they handle and are to be notified for network security issues regarding net block 218.237.186.0-218.237.187.255. No response was received regarding this incident.
From: AUDITNET Admin <[email protected]>
Date: Thu, 3 Feb 2005 13:05:43 -0600
Subject: Code red?
To: [email protected]
One of your systems may be infected with virus. Please review system configuration and activity for the system using IP 218.237.187.235 on 1/29/2005, at 15:29:36 CDT to determine proper steps for administrative action.
Thank you,
IT administrator
See IDS logs below
#0-(3-16558),[snort] WEB-IIS cmd.exe access 1/29/2005, 15:29:36,,218.237.187.235:3759, AUDITNET-system:80, TCP
#1-(3-16559),[snort] WEB-IIS cmd.exe access 1/29/2005, 15:29:36,,218.237.187.235:3762,69.137. AUDITNET-system:80, TCP
#2-(3-16560),[snort] (http_inspect) DOUBLE DECODING,,ATTACK 1/29/2005, 15:29:36,,218.237.187.235:3762 AUDITNET-system:80, TCP
#3-(3-16561),[snort] WEB-IIS cmd.exe access 1/29/2005, 15:29:37,,218.237.187.235:3765, AUDITNET-system:80, TCP
#4-(3-16562),[snort] (http_inspect) DOUBLE DECODING,,ATTACK
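The escalation in step 2 was assembled by hand from the ACID export. As an added example (not part of the paper), the Python below parses alert lines in the same format, groups them by source address, checks which sources fall inside the abuse contact's net block 218.237.186.0-218.237.187.255, and produces the summary an abuse desk needs. The alert lines are constructed copies modelled on the quoted ones (the cut-off fifth entry is completed with invented port and time values), plus one invented unrelated alert from the documentation range 192.0.2.0/24.

```python
"""Triage ACID/Snort alert exports and build the abuse-desk notification.
Added example, not from the paper. ALERT_LINES are constructed in the format
of the IDS log quoted in the report ("#id-(sid-cid),[snort] signature date,
time,,src:port, dst:port, proto"); the first five mirror the quoted entries,
the last is an invented unrelated alert from the TEST-NET range."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

ALERT_LINES = [
    "#0-(3-16558),[snort] WEB-IIS cmd.exe access 1/29/2005, 15:29:36,,218.237.187.235:3759, AUDITNET-system:80, TCP",
    "#1-(3-16559),[snort] WEB-IIS cmd.exe access 1/29/2005, 15:29:36,,218.237.187.235:3762, AUDITNET-system:80, TCP",
    "#2-(3-16560),[snort] (http_inspect) DOUBLE DECODING ATTACK 1/29/2005, 15:29:36,,218.237.187.235:3762, AUDITNET-system:80, TCP",
    "#3-(3-16561),[snort] WEB-IIS cmd.exe access 1/29/2005, 15:29:37,,218.237.187.235:3765, AUDITNET-system:80, TCP",
    "#4-(3-16562),[snort] (http_inspect) DOUBLE DECODING ATTACK 1/29/2005, 15:29:37,,218.237.187.235:3765, AUDITNET-system:80, TCP",
    "#5-(3-16570),[snort] ICMP PING NMAP 1/29/2005, 16:02:10,,192.0.2.10:0, AUDITNET-system:0, ICMP",
]

ALERT_RE = re.compile(
    r"^#(?P<n>\d+)-\((?P<sid>\d+)-(?P<cid>\d+)\),\[snort\] (?P<sig>.+?) "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}),\s*(?P<time>\d{2}:\d{2}:\d{2}),,"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+),\s*"
    r"(?P<dst>[^:\s]+):(?P<dport>\d+),\s*(?P<proto>TCP|UDP|ICMP)$")

# Net block the abuse contact is responsible for, as stated in the report.
ABUSE_RANGE = ("218.237.186.0", "218.237.187.255")

def parse_alert(line: str) -> dict:
    """Split one ACID export line into fields; raises on anything unexpected."""
    m = ALERT_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised alert line: {line!r}")
    d = m.groupdict()
    d["when"] = datetime.strptime(f"{d['date']} {d['time']}", "%m/%d/%Y %H:%M:%S")
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def in_range(ip: str, first: str, last: str) -> bool:
    """True if ip lies inside the inclusive address range first..last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lo <= ipaddress.ip_address(ip) <= hi

def summarize_by_source(alerts) -> dict:
    """Group alerts by source IP: count, signature tally, first/last seen, targets."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["src"], {"count": 0, "signatures": Counter(),
                                          "first": a["when"], "last": a["when"],
                                          "targets": set()})
        s["count"] += 1
        s["signatures"][a["sig"]] += 1
        s["first"], s["last"] = min(s["first"], a["when"]), max(s["last"], a["when"])
        s["targets"].add(f"{a['dst']}:{a['dport']}/{a['proto']}")
    return summary

def sources_to_escalate(summary: dict, first: str, last: str) -> list[str]:
    """Sources inside the contact's net block, busiest first."""
    return sorted((ip for ip in summary if in_range(ip, first, last)),
                  key=lambda ip: -summary[ip]["count"])

def escalation_report(src: str, s: dict) -> str:
    """Plain-text body for the abuse contact: what was seen, against what, when."""
    lines = [f"Source {src}: {s['count']} alert(s) between "
             f"{s['first']:%Y-%m-%d %H:%M:%S} and {s['last']:%Y-%m-%d %H:%M:%S} (sensor local time)",
             "Targets: " + ", ".join(sorted(s["targets"]))]
    lines += [f"  {n} x {sig}" for sig, n in s["signatures"].most_common()]
    return "\n".join(lines)

if __name__ == "__main__":
    summary = summarize_by_source(parse_alert(l) for l in ALERT_LINES)
    for ip in sources_to_escalate(summary, *ABUSE_RANGE):
        print(escalation_report(ip, summary[ip]), end="\n\n")
```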
4. REPORTING
4.1 TRANSMITTAL LETTER
March 9, 2005
Sans Grader
[email protected]
ins
f
Dear Grader:
Enclosed is the internal audit report for the AUDITNET system. The outcomes of the audit are summarized on page 41 of this report. Management responses indicated concurrence with the recommendations and are incorporated into the report to facilitate your review. An overview of planned and implemented actions is presented below:
OS SECURITY
• Will periodically review all user accounts, ensuring that they comply with established system password policies.
• We will change account settings on all accounts to require password changes every 42 days, and enable account event logging.
• Non-critical patches will be installed on the audited system after being tested on standby servers. The system will be self audited monthly and updated accordingly.
NETWORK SECURITY
• Will allow only approved wireless network cards on the network.
• Will disable unnecessary legacy password compatibility to increase system security.
• Will configure current and future systems in a way to ensure secure communication when possible.
4.2 EXECUTIVE SUMMARY
The Office of Internal Audit has completed a review of the AUDITNET system. The
purpose of the review was to:
ins
f
• Determine whether access management practices provided assurance that system
access is appropriately restricted;
• Verify that system management practices are effective and that the system is kept
up-to-date;
• Verify that network security practices ensure that network communications are
secure.
Our review indicates that the system is physically secure, supported by Microsoft, not
infected with malicious software, and is monitored by an intrusion detection system.
However, improvements can be made in the areas of OS security, and network security.
OS SECURITY
• Will periodically review all user accounts, ensuring that they comply with established system password policies.
• Will configure account settings on all accounts to require and enforce password changes every 42 days.
• Non-critical patches will be installed on the audited system after being tested on standby servers. The system will be self audited monthly and updated accordingly.
NETWORK SECURITY
• Will allow only approved wireless cards on the network.
• Will configure current and future systems in a way to ensure secure communication when possible.
• Will disable unnecessary legacy password compatibility to increase system security.
• Will enforce password policies on supporting network equipment.
4.3 AUDIT REPORT
OS SECURITY
Issue: Three user accounts are configured not to require password changes and are in violation of the implied forty-two-day system password policy.
Implications: Accounts that may become compromised will remain accessible until the password is changed, possibly resulting in the loss of information or intellectual property.
Recommendations: System administrators should regularly verify that accounts conform to system policies.
Cost: $0

Issue: Three accounts on the system are not required; only one of those accounts is disabled.
Implications: Former administrators have continued access to the system and may be able to delete, manipulate, or steal company information.
Recommendations: System administrators should routinely verify each user's need for continued system access and remove accounts that are no longer needed.
Cost: $0

Issue: Account auditing is not enabled.
Implications: User actions can not be easily tracked, and may result in malicious actions going undetected.
Recommendations: System administrators should enable the logging of events like logon and logoff.
Cost: $0

Issue: All hot fixes were not installed on the audited system.
Implications: The system could become compromised if used to browse websites with malicious code.
Recommendations: System support personnel should install updates and use the MBSA tool to regularly conduct self audits in order to maintain a secure system.
Cost: $0

Management Response
We are in agreement with your comments and recommendations.
We will remove the non-essential accounts from the system and verify monthly that stale accounts are removed.
We will change account settings on all accounts to require password changes every forty two days, and to log events like logon and logoff.
Non critical patches will be installed on the audited system after being tested on standby servers. The system will be self audited monthly and updated accordingly.
NETWORK SECURITY
Issue: There is no policy requiring MAC address filtering on wireless routers.
Implications: Any wireless card can attempt to gain wireless network access by guessing the encryption key.
Recommendations: Network security should enable the wireless router's MAC filter and periodically verify that wireless access is still required by those who have been authorized.
Cost: $0

Issue: WEP is the only form of access control and data security used on the wireless network.
Implications: User information and accounting information may be intercepted or compromised by
Recommendations: Wireless users should use secure protocols when communicating with other systems.
Cost: $0

Issue: LM hashes are used for backwards compatibility.
Implications: Passwords can be discovered using brute force methods, resulting in a system and information compromise.
Recommendations: System engineers should disable the storage of LM hashes in current and future system installations if not required.
Cost: $0

Issue: There is no policy in place requiring the regular change of passwords on network routers.
Implications: An unauthorized user could gain access to the device, possibly causing a network outage.
Recommendations: Passwords on network equipment should be changed regularly.
Cost: $0
Management Response
We are in agreement with your comments and recommendations.
We will enable MAC filtering within 30 business days, and periodically contact the managers of the employee who was assigned the wireless card and verify their need for continued wireless access. If wireless access is not required, they will be moved to the wired network.
We encourage our employees to use secure protocols like SSH and VPN technologies. We are currently working to enable peer to peer IPSec tunnels to help ensure that our data stays secure. We expect to have our IPSec solution implemented within 90 days.
We have already started configuring our systems to comply with Microsoft’s
recommendation of disabling LM hashes. We expect the project to be completed within
30 days.
We will change our password on current and future wireless devices every 42 days, matching our desktop and server password standards. In the event a more stringent server and workstation password policy is implemented, network equipment that supports passwords will comply with those standards.
5. REFERENCES
These resources were consulted during the audit of the AUDITNET system, a Windows 2000 Advanced Server:
1. Vanderbilt Internal Audit. Vanderbilt University Internal Audit Staff Manual. 11
March 2005
2. Walker, William E. “Guide to the Secure Configuration and Administration of
Microsoft Internet Information Services 5.0” NSA website. 1 January 2005
<http://www.nsa.gov/snac/os/win2k/iis_5.pdf>
3. DiMaria, Vincent, Barnes, James, Birdsong, Jerry, and Merenyi, Kathryn. "Guide to securing Microsoft Windows 2000 Terminal Services" NSA Website. 2 January 2005 <http://www.nsa.gov/snac/os/win2k/w2k_terminal_serv.pdf>
4. Microsoft TechNet, "Microsoft Windows 2000 Security Configuration Guide" Microsoft TechNet 10 March 2005 <http://www.microsoft.com/technet/Security/topics/issues/w2kccscg/w2kscgc3.mspx>
5. Microsoft lifecycle Dates,
<http://support.microsoft.com/default.aspx?scid=fh;%5Bln%5D;LifeWin>
6. Kistler, Ueli. “Snort IDScenter 1.1 manual” Engage Security 10 March 2005
<http://www.engagesecurity.com/docs/idscenter/>
7. MSDN, “LocalSystem Account” MSDN Website 10 March 2005
<http://msdn.microsoft.com/library/default.asp?url=/library/enus/dllproc/base/localsystem_account.asp>
8. Davies, Joseph. “Exploring Peer-to-Peer IPSec in Windows 2000” Microsoft
TechNet 10 March 2005
<http://www.microsoft.com/technet/community/columns/cableguy/cg0501.mspx>
9. Snort download page. 9 March 2005
<http://www.snort.org/dl/binaries/win32/>
10. SANS Institute. Track 7 – Auditing Networks, Perimeters & Systems. Volume 7.5. SANS Press, 2004
11. AspectoSoftware. Home page. 11 March 2005 <http://www.aspecto-software.com/WiFiFoFum/>