Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights

This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission. Interested in learning more? Check out the list of upcoming events offering "Auditing & Monitoring Networks, Perimeters & Systems (Audit 507)" at http://www.giac.org/registration/gsna

Auditing a Windows 2000 Advanced Server
SANS GSNA PRACTICAL ASSIGNMENT
VERSION 3.2
ASSIGNMENT OPTION 1

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

William Hillis
GSNA Monterey, July 6-11, 2004
Submission Date: 12 March 2005

© SANS Institute 2000 - 2005 Author retains full rights.

TABLE OF CONTENTS

1. PART 1 – RESEARCH IN AUDIT, MEASUREMENT PRACTICE, AND CONTROL
   1.1 ABSTRACT ............................................................ 3
   1.2 DESCRIPTION OF THE SYSTEM ........................................... 3
   1.3 RISK TO THE ARCHITECTURE IN REVIEW .................................. 7
   1.4 CURRENT STATE OF PRACTICE ........................................... 8
2. PART 2 – AUDIT PLAN
   2.1 WINDOWS 2000 ADVANCED SERVER AUDIT CHECKLIST ........................ 9
3. ASSIGNMENT 3 – CONDUCT THE AUDIT
   3.1 CONDUCT THE AUDIT .................................................. 11
4. ASSIGNMENT 4 – REPORTING
   4.1 TRANSMITTAL LETTER ................................................. 40
   4.2 EXECUTIVE SUMMARY .................................................. 41
   4.3 AUDIT REPORT ....................................................... 42
5. REFERENCES ............................................................. 45

1. RESEARCH IN AUDIT, MEASUREMENT PRACTICE AND CONTROL

1.1 ABSTRACT

The objective of this audit is to perform a basic security assessment of a Windows 2000 Server. This review will include sections on operating system configuration, network configuration, and general wireless security. This server provides access to network and application services on the AUDITNET network, as well as serving as an intrusion detection system.

1.2 DESCRIPTION OF THE SYSTEM

The system being audited is a Windows 2000 Advanced Server running on a Hewlett Packard (HP) Pavilion 6630. The system has been upgraded to the following specifications:

Component              | Specification
Processor              | 500 MHz
Memory                 | 192 MB
Hard drive             | 1 30 GB HDD
Network interface card | 2 10/100

The server provides the following functionality:
• Web services
• FTP services
• Email
• RDP (Remote Desktop), and an
• Intrusion Detection system

System resources are accessed by a local area network (LAN); in addition, the system also services internet users.
Applications on the system include Macromedia Dreamweaver, Microsoft Money, and the VNC client. These applications are used to manage web pages, finances, and LAN workstations when the administrator is off-site.

The server is located behind a cable/DSL wireless router and uses a private address. Access to the server is controlled using the port forwarding feature built into the router. The port forwarding settings will be identified during the audit. The Windows 2000 Server is connected to the internet as outlined in the network diagram below. Additional configuration and application settings may be identified and addressed during the audit.

NETWORK INFORMATION

Figure 1. The figure shown is a network diagram of the audited network. A hub has been placed between the ISP-supplied cable modem and the wireless router used to share the internet connection.

Figure 2. The image shown is of the wired network equipment and systems from the network diagram above.

The image shown is the network equipment responsible for routing and switching network traffic. The device on top is the NETGEAR 10/100 hub used as a tap for the IDS system. The device in the middle is the cable modem that is rented and maintained by Comcast. The device on the bottom is a NETGEAR MR314 wireless router.
Figure 3.

Figure 4. The NETGEAR wireless router shown has four 10/100 Ethernet ports for local area network (LAN) systems and one wide area network (WAN) port for connection to the cable or DSL connection. Currently, only 3 of the LAN ports are being utilized. One port is connected to a hub; one port is connected to a Windows 2000 workstation; another to the 2000 Server at the bottom left of the network diagram above.

Figure 5. The following image shows the two network interfaces that are installed in this system. There is no keyboard, mouse or monitor attached to this system, so all administration access is performed through the Terminal Services application. The system is kept in a temperature-controlled environment at 74 degrees Fahrenheit.

1.3 RISKS TO THE ARCHITECTURE IN REVIEW

The tables below illustrate the most significant risks to the Windows 2000 Server being audited:

System Threats
Threat level | Threat
High   | Weak passwords could lead to system compromise and loss of information, including bank and credit card account numbers and passwords.
Medium | Incorrect configuration of applications could lead to a web defacement.
High   | The wireless network could be a point of entry into the network and may be unencrypted, exposing network traffic.
Low    | Incorrect configuration of network interfaces could increase internet exposure and system compromise.
Low    | Vulnerabilities in Internet Explorer could lead to system compromise or compromise user information.

Information Assets
Importance | Asset                                    | Threat
Very High  | Financial information in Microsoft Money | Microsoft Money is used to track company finances. MS Money has the ability to store passwords, in which case it would not require a user to enter a password to access the information stored within the application or its files.
Medium     | Webpage files                            | If compromised, web pages could be altered to deliver an alternate message, damaging company reputation.
High       | Internet data                            | The wireless network traffic could be captured and analyzed in an attempt to gain access to sensitive information.

Vulnerabilities
Major Vulnerabilities        | Exposure | Potential Impact
Weak passwords               | High     | Weak passwords could result in the audited system being compromised, as well as other systems on the network.
Operating system not current | High     | Systems not kept up to date could result in compromise.
Router configuration         | High     | The server may have been set up in the DMZ, increasing the risk of compromise.

1.4 CURRENT STATE OF PRACTICE

Current state of practice links

The Windows 2000 Advanced Server operating system was released for use on March 31, 2000. Over the past five years many books, articles, and opinions have been published detailing ideas on how best to secure this platform. There is no magic solution that is best for all installations. Multiple resources were reviewed during the preparation of this audit.
Links have been included below pertaining to general information regarding Windows 2000 Advanced Server, application settings, and auditing tools.

1. NSA guide to securing IIS 5. This document is important in that it describes steps that can be taken to improve the reliability and security of IIS, the application responsible for providing web services on many systems worldwide, including the system in this audit. http://www.nsa.gov/snac/os/win2k/iis_5.pdf

2. Securing Terminal Services. http://www.nsa.gov/snac/os/win2k/w2k_terminal_serv.pdf This document gives applicable suggestions on configuring a terminal server in application server mode.

3. Microsoft's guidelines for securing Windows 2000. http://www.microsoft.com/technet/Security/topics/issues/w2kccscg/w2kscgc3.mspx This document details configuration options and gives some suggestions for configuring a Windows 2000 Server.

4. Configuring Snort on a Windows system. http://www.engagesecurity.com/docs/idscenter/ This document details the installation of the IDScenter application for Windows, which also installs the Snort IDS system.

5. MSDN article about the "LocalSystem" account type. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/localsystem_account.asp

6. WinTasks Pro utility for identifying applications running on a Windows system. http://www.liutilities.com/

7. DumpSec utility for gathering a variety of system information about applications and user accounts. http://www.systemtools.com/somarsoft/

8. Peer to Peer IPSec. http://www.microsoft.com/technet/community/columns/cableguy/cg0501.mspx

2.
AUDIT PLAN

2.1 WINDOWS 2000 ADVANCED SERVER AUDIT CHECKLIST

AUDIT CHECK LIST (work paper references are given as page numbers)

I. PHYSICAL SECURITY
   A. Identify the location of the system being audited and verify that the location is secure. (Page 11)
   B. Verify that employees and vendors with physical access have a business case for access. (Page 11)

II. OS SECURITY
   A. Identify the operating system of the audited system to verify that it is still supported by its vendor. (Page 11)
   B. Determine if the system has the current operating system patches or those required by applicable security policies. (Pages 12-23)
   C. Identify the applications that are running on the system; verify that there are no rogue processes. Discuss any discrepancies with the system administrator. (Pages 23-24)
   D. Identify user accounts on the audited system.
      1. Determine if account names seem reasonable. (Page 25)
      2. Determine if passwords are changed regularly. (Page 25)
      3. Determine if users have more rights than required to do their job. (Page 26)

III. NETWORK SECURITY
   A. Determine if the interface configuration has been appropriately configured as per the "stealth host" documentation on the Engage Security website (see state of practice links). In the registry, check the following under this entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces:
      1. Verify that the "IPAutoconfigurationEnabled" setting is set to 0. (Page 27)
      2. Verify that "EnableDHCP" is set to 0. (Page 27)
      3. Verify that "IPAddress" is set to the following hex values: "30 00 00 00 30 00 2E 00 30 00 2E 00 30 00 00 00 00 00". (Page 27)
      4. Determine if the settings resulted in an interface having a 0.0.0.0 IP address. (Page 28)
   B. Determine if adequate steps have been taken to prevent unauthorized access to the audited system from wireless users.
      1. Determine if access to the wireless network has been restricted by MAC address. (Page 28)
      2. Determine if any authentication is required for access to the network. (Page 28)
      3. Determine if any sort of encryption is used to protect network traffic. (Page 29)
      4. Determine if the password on the router is frequently changed. (Page 30)
      5. Determine if the firmware on the router is up to date. (Page 30)
      6. Determine what steps should be taken to keep wireless coverage from bleeding over into surrounding streets. (Page 30)
   C. Determine what ports are reachable from the internet and if these ports are configured as intended.
      1. Use NMAP to determine what ports are available from the internet. (Page 31)
      2. Identify what applications are using internet-accessible ports and document their version. Determine if these applications are trojans. (Page 32)
      3. Use the Retina application to identify weaknesses that may be exploitable on those ports. (Pages 33-38)
   D. Verify that the IDS system is functioning as designed and that the alerts are analyzed.
      1. Look at alerts generated by the IDS system to verify that it is analyzing network traffic. (Page 39)
      2. Verify that alerts are analyzed and appropriate actions are taken against those who violate company policies. (Page 39)

IV. REPORTING
   A. Transmittal Letter (Page 40)
   B. Executive Summary (Page 41)
   C. Audit Report & Management Responses (Page 42)
   D. References (Page 45)

3.
CONDUCT THE AUDIT

3.I PHYSICAL SECURITY

A. Identify the location of the system being audited and verify that the location is secure.
The system is physically located in a home office on the second floor in a typical residential neighborhood. Access to the facility is controlled using a lock and key.

B. Verify that employees and vendors with physical access have a business case for access.
Keys are kept onsite for administrative use and are inventoried weekly, and only active employees have keys. Keys are issued and collected as part of the termination / out-processing process. Vendors are not issued keys to the facility and are always escorted.

3.II OS SECURITY

A. Identify the operating system of the audited system to verify that it is still supported by its vendor.
To identify the OS system type and service pack level:
1. Right-click on the My Computer icon.
2. Left-click on Properties.

Figure 6.

The system is a Windows 2000 Advanced Server, Service Pack 5, build 5.00.2195. This operating system is supported until June 30, 2005, with security updates available until 2010.

B. Determine if the system has the current operating system patches or those required by applicable security policies.
The Microsoft Baseline Security Analyzer (MBSA) tool was used to collect general system information about patches, user accounts and installed Microsoft applications. The MBSA tool can be downloaded using this link: <http://www.microsoft.com/technet/security/tools/mbsahome.mspx>

The results from the Microsoft Baseline tool are below. Auditor notes and explanations pertaining to issues noted can be found under the results.

Computer name: WORKGROUP\AUDITNET-system
IP address:
Security report name: WORKGROUP - AUDITNET (12/17/2004 10:34 AM)
Scan date: 12/17/2004 10:34 AM
Scanned with MBSA version: 1.2.4013.0
Security update database version: 2004.12.14.0
Office update database version: 11.0.0.7209
Security assessment: Severe Risk (One or more critical checks failed.)

Security Update Scan Results
Score | Issue                                 | Result
1     | MSXML Security Updates                | 1 products are using a service pack not at the latest version or have other warnings.
2     | Windows Security Updates              | 6 security updates could not be confirmed.
3     | Microsoft VM Security Updates         | No critical security updates are missing.
4     | Office Updates                        | No critical security updates are missing.
5     | IIS Security Updates                  | No critical security updates are missing.
6     | Windows Media Player Security Updates | No critical security updates are missing.
7     | MDAC Security Updates                 | No critical security updates are missing.

Windows Scan Results
Vulnerabilities
Score | Issue                       | Result
8     | Local Account Password Test | Some user accounts (2 of 10) have blank or simple passwords, or could not be analyzed.
9     | Restrict Anonymous          | Computer is running with RestrictAnonymous = 0. This level prevents basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.
10    | Password Expiration         | Some user accounts (4 of 10) have non-expiring passwords.
11    | Windows Firewall            | Windows Firewall is not installed or configured properly, or is not available on this version of Windows.
12    | Automatic Updates           | Updates are automatically downloaded and installed on this computer.
13    | File System                 | All hard drives (1) are using the NTFS file system.
14    | Autologon                   | Autologon is not configured on this computer.
15    | Guest Account               | The Guest account is disabled on this computer.
16    | Administrators              | No more than 2 Administrators were found on this computer.

Additional System Information
Score | Issue           | Result
17    | Auditing        | Enable auditing for specific events like logon/logoff. Be sure to monitor your event log to watch for unauthorized access.
18    | Services        | Some potentially unnecessary services are installed.
19    | Shares          | 4 share(s) are present on your computer.
20    | Windows Version | Computer is running Windows 2000 or greater.

Internet Information Services (IIS) Scan Results
Vulnerabilities
Score | Issue                                 | Result
21    | IIS Lockdown Tool                     | The IIS Lockdown tool has not been run on the machine.
22    | Sample Applications                   | Some IIS sample applications are installed.
23    | Parent Paths                          | Parent paths are enabled in some web sites and/or virtual directories.
24    | MSADC and Scripts Virtual Directories | MSADC virtual directory was found under one or more web sites. Scripts virtual directory was found under one or more web sites.
25    | IISAdmin Virtual Directory            | IISADMPWD virtual directory is not present.

Additional System Information
Score | Issue                  | Result
26    | Domain Controller Test | IIS is not running on a domain controller.
27    | IIS Logging Enabled    | Some web or FTP sites are not using the recommended logging options.

SQL Server Scan Results
Score | Issue                  | Result
28    | SQL Server/MSDE Status | SQL Server and/or MSDE is not installed on this computer.

Desktop Application Scan Results
Vulnerabilities
Score | Issue          | Result
29    | IE Zones       | Internet Explorer zones do not have secure settings for some users.
30    | Macro Security | No Microsoft Office products are installed.

3.II.B.2.1 MSXML SECURITY UPDATE 2.6

MSXML Security Update 2.6 was one of the Microsoft patches released in 2002. More information about this security update can be found by researching MS02-008. For this patch to be critical, a user would have to visit a website capable of exploiting this vulnerability, which could result in information stored locally on the system being compromised.
3.II.B.2.2 SECURITY UPDATES

Figure 7.

Microsoft ID Number | Application                             | Microsoft determined risk level | Auditor determined system risk
MS02-064            | Operating System                        | Low                             | Low
MS03-008            | Windows script engine for JScript (IE)  | Critical                        | Low
MS03-030            | DirectX (IE)                            | Critical                        | Low
MS04-016            | DirectPlay (games)                      | Moderate                        | Low
MS04-028            | Multiple (JPEG vulnerability)           | Critical                        | Low
MS05-009            | MSN Messenger, Media Player             | Critical                        | No L

All of the exploits outlined above require additional software installation, user execution, or require a user to browse to a webpage with malicious code. Since this server is not used for browsing the internet, these updates are not critical to the system but should be installed.

3.II.B.2.2 SECURITY UPDATES (CONT)

The qfecheck.exe application was used to validate the results provided by the MBSA application.

Figure 8. Results from the qfecheck.exe application to verify the installation of hot-fixes.

Installations of the hot-fixes were not found using the qfecheck.exe application. Each security update can be researched individually using the Microsoft bulletin (MS) numbers following the blue asterisk. Links have been provided in the table above on page 17. In some of the cases above, patches should be downloaded; others require a system setting change or registry entry.
The information regarding installation and system settings is outlined in the Microsoft notes.

3.II.B.2.8 LOCAL ACCOUNT PASSWORD TEST

Figure 9.

The MBSA tool found two accounts that had weak passwords. The snort account was created by the administrator with the intention of setting the account rights to user level and using it to run the Snort application. Setting account privileges to user helps maintain system integrity and keeps system damage to a minimum in the event the system becomes compromised through the Snort application. This configuration was never implemented and the snort account is not being used. The Guest account is the other instance of a weak password; however, the account is disabled.

3.II.B.2.9 RESTRICT ANONYMOUS

The MBSA tool found that the RestrictAnonymous registry setting was not configured. If not set to restrict anonymous users, it may be possible for an attacker to obtain system information using various network-based methods. Once an attacker is able to obtain a user account name, a brute force password attack may be all that is needed to gain access to the system.

Figure 10. Restrict anonymous registry setting information.
3.II.B.2.10 PASSWORD EXPIRATION

The user accounts marked with a yellow X in Figure 11 have passwords that do not expire. Account password policies will be reviewed in another section and will not be detailed here.

Figure 11.

3.II.B.2.11 AUDITING

User logon and logoff actions are not recorded by the system. This limits the amount of information collected by the system and also makes it difficult to identify who made changes to the system.

Figure 12. <http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/sag_seconceptsimpaudbp.asp>

3.II.B.2.12 SERVICES

The MBSA tool has flagged multiple services as being potentially unnecessary. Unnecessary services may provide hackers and viruses an entry point into your system. In this case, all of these applications were known to be on the system prior to the audit and are being used.

Figure 13.

3.II.B.2.21 IIS LOCKDOWN TOOL

The MBSA tool detected that the IIS Lockdown tool has not been run on the system. This tool removes sample applications; leaving them in place increases the system's risk of compromise. <http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&DisplayLang=en>

Figure 14.

3.II.B.2.23 SAMPLE APPLICATIONS

The MBSA tool found that sample applications bundled with the web server installation process are still installed. These components or applications are not typically necessary for normal functionality and should be disabled.

Figure 15.

3.II.B.2.24 PARENT PATHS

The MBSA scanner found that parent paths were enabled on the web server. This allows applications or scripts in subdirectories to execute applications or scripts in parent directories. If this functionality is not required, it should be disabled. Here is a link to the Microsoft webpage with information regarding this issue: <http://www.microsoft.com/resources/documentation/appctr/2000/all/proddocs/en-us/accrsc_iisdpp.mspx>

Figure 16.

3.II.B.2.27 LOGGING

Internal Audit verified that the public website and FTP sites were logging to the C:\WINNT\system32\LogFiles directory.

3.II.B.2.29 IE SECURITY SETTINGS

Internal Audit discussed the role of this system with the system administrator in depth. It was determined that Internet Explorer is only used by the system administrator for verifying updates on the Windows Update website. Restricting applications is not possible when Terminal Services is in administration mode. System administrators would be able to better control the capabilities of this server if it were in application mode.

3.II.C APPLICATIONS

• Identify the applications that are running on the system.
• Verify that there are no rogue processes.
• Discuss any discrepancies with the system administrator.

Using the WinTasks Pro utility from LIUtilities in combination with the DumpSec application, Internal Audit was able to identify all of the applications and services running on the system at the time of the audit. A summary of results from the DumpSec application was exported into an Excel spreadsheet and is listed below for review.

Figure 17.

Figure 18.

No rogue applications, trojans, or spyware were discovered during the audit. All of the applications running were legitimate and identifiable.

3.II.D USER ACCOUNTS

3.II.D.1 ACCOUNT NAMES

Using the Somarsoft DumpSec application, user accounts were exported into a text file, and then into an Excel spreadsheet for review. The accounts highlighted in yellow are of interest.
Figure 19

Account                  Auditor notes            Notes from system administrator
Administrator                                     No notes
ASPNET                                            No notes
Burchts                                           Not needed
Crackhead                                         Not needed
Guest                                             No notes
Hilliwt                                           No notes
IUSR_AUDITNET-5N345H                              No notes
IWAM_AUDITNET-5N345H                              No notes
Snort                                             Not needed
TsInternetUser                                    No notes

In the auditor notes column, three of the accounts above are marked "Pass does not expire".

3.II.D.2 PASSWORD POLICY

Using the DumpSec application, Internal Audit was able to easily determine the system's configured password policy. There is no formal written policy, so the system's configured policy was used as the baseline. The system is configured to require the password to be changed every 42 days. There is no required password length, passwords can be reused, and a password can be changed multiple times in succession.

Figure 20

2/18/2005 3:31 PM - Somarsoft DumpSec (formerly DumpAcl) - \\GOHILLIS5N345H (local)
Policies
Account Policies
  Min password len: 0 chars
  Max password age: 42 days
  Min password age: 0 days
  Password history: 0 passwords
  Do not force logoff when logon hours expire
  No account lockout
Audit Policies
  All auditing disabled
  CrashOnAuditFail=False

Information about creating good passwords can be found on Microsoft's web page: <http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/enus/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/enus/dsscc_aut_xbby.asp>

3.III.D.3 USER RIGHTS

The DumpSec application was used to identify account permissions for user accounts.
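The checks in 3.II.D.1 through 3.II.D.3 (policy settings from the DumpSec "Policies" report, accounts that never expire or are no longer needed, and an administrator password older than the 42-day maximum) can be automated against a saved DumpSec report. The following is an added example, not code from the paper: the DumpSec text is a constructed sample in the shape of Figure 20, and the account ages and flags in ACCOUNTS are constructed values, not the audited system's data.

```python
"""Added example: evaluate a Somarsoft DumpSec policy report and an account
list against the baseline the audit uses (the system's own 42-day policy)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the DumpSec output shown in Figure 20.
DUMPSEC_POLICY = """\
2/18/2005 3:31 PM - Somarsoft DumpSec (formerly DumpAcl) - \\\\GOHILLIS5N345H (local)
Policies
Account Policies
  Min password len: 0 chars
  Max password age: 42 days
  Min password age: 0 days
  Password history: 0 passwords
  Do not force logoff when logon hours expire
  No account lockout
Audit Policies
  All auditing disabled
  CrashOnAuditFail=False
"""

# Constructed account records: (name, password never expires, days since the
# password was last set, still required per the administrator).  Only the
# names follow the paper; the other fields are sample values.
ACCOUNTS = [
    ("Administrator", False, 180, True),
    ("ASPNET", True, 400, True),
    ("Burchts", False, 30, False),
    ("Crackhead", False, 30, False),
    ("Hilliwt", True, 90, True),
    ("Snort", True, 120, False),
]


@dataclass
class Policy:
    min_len: int = 0
    max_age: int = 0
    min_age: int = 0
    history: int = 0
    lockout: bool = True   # flipped to False when DumpSec prints "No account lockout"
    auditing: bool = True  # flipped to False on "All auditing disabled"


# "Setting name: <number> <unit>" lines in the Account Policies block
_SETTING = re.compile(r"(\w[\w ]*?):\s*(\d+)")


def parse_policy(text):
    """Build a Policy from the DumpSec report text."""
    p = Policy()
    for line in text.splitlines():
        line = line.strip()
        m = _SETTING.match(line)
        if m:
            key, val = m.group(1), int(m.group(2))
            if key == "Min password len":
                p.min_len = val
            elif key == "Max password age":
                p.max_age = val
            elif key == "Min password age":
                p.min_age = val
            elif key == "Password history":
                p.history = val
        elif line == "No account lockout":
            p.lockout = False
        elif line == "All auditing disabled":
            p.auditing = False
    return p


def policy_findings(p):
    """Weak settings, in the order the audit reports them."""
    f = []
    if p.min_len == 0:
        f.append("No minimum password length is enforced")
    if p.history == 0:
        f.append("Password history is 0: passwords can be reused")
    if p.min_age == 0:
        f.append("Minimum password age is 0: a password can be changed repeatedly")
    if not p.lockout:
        f.append("No account lockout is configured")
    if not p.auditing:
        f.append("All auditing is disabled: logon and logoff events are not recorded")
    return f


def account_findings(accounts, p):
    """Per-account findings against the policy's maximum password age."""
    f = []
    for name, never_expires, age_days, required in accounts:
        if not required:
            f.append(f"{name}: not needed per the system administrator; remove or disable")
        if never_expires:
            f.append(f"{name}: password set not to expire, violating the {p.max_age}-day policy")
        elif age_days > p.max_age:
            f.append(f"{name}: password is {age_days} days old, exceeding the {p.max_age}-day maximum")
    return f


if __name__ == "__main__":
    policy = parse_policy(DUMPSEC_POLICY)
    for finding in policy_findings(policy) + account_findings(ACCOUNTS, policy):
        print(finding)
```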
There is only one administrator account, but its password has not been changed in months and is in violation of the system policy of 42 days.

The accounts of interest have been highlighted in yellow. As noted above, three should be removed per the administrator. Account hilliwt should be required to conform to the password policy. Accounts do not appear to have unneeded system rights, such as a user having administrative rights.

Figure 21

3.III NETWORK SECURITY

3.III.A INTERFACE CONFIGURATION

1. Determine if the interface configuration has been appropriately configured.

Documentation for creating a stealthy host was obtained from Engage Security. A link can be found in the state of practice links.

Figure 22

2. Determine if the interface configuration has been appropriately configured as per the "stealth host" documentation on the Engage Security website (see state of practice links).

Figure 23

3. In the registry, check the following under this entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces:

   1. Verify that the "IPAutoconfigurationEnabled" setting is set to 0.
   2. Verify that "EnableDHCP" is set to 0.
   3. Verify that "IPAddress" is set to the following hex values: "30 00 00 00 30 00 2E 00 30 00 2E 00 30 00 00 00 00 00".

Screen shots were taken from the registry editor to verify the configuration.

Figure 24

4. Determine if the settings resulted in an interface having a 0.0.0.0 IP address.
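The three registry checks in step 3 and the 0.0.0.0 outcome in step 4 can be verified from a regedit export of the Interfaces key instead of by reading screen shots. This is an added example, not the paper's procedure: the .reg text is constructed, the interface GUIDs are placeholders, and it assumes the registry's REG_MULTI_SZ layout (UTF-16LE strings, each NUL-terminated, with a final empty string), which is what regedit's hex(7) form contains.

```python
"""Added example: check Tcpip\\Parameters\\Interfaces values from a regedit
export against the 'stealth host' settings (no DHCP, no APIPA, 0.0.0.0)."""
import re

# Constructed regedit export.  Interface 1 follows the stealth-host settings;
# interface 2 still has DHCP and automatic private addressing enabled.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-0000-0000-0000-000000000001}]
"EnableDHCP"=dword:00000000
"IPAutoconfigurationEnabled"=dword:00000000
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"SubnetMask"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-0000-0000-0000-000000000002}]
"EnableDHCP"=dword:00000001
"IPAutoconfigurationEnabled"=dword:00000001
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00
"""

IFACE_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|hex\(7\):.*)$')


def decode_value(data):
    """Decode the two regedit data forms used here: dword:XXXXXXXX and hex(7)."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    raw = bytes(int(b, 16) for b in data[len("hex(7):"):].split(",") if b)
    # REG_MULTI_SZ: UTF-16LE, NUL after each string, extra NUL ends the list
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def parse_reg(text):
    """Return {key path: {value name: decoded data}} for a regedit export."""
    # regedit wraps long hex values with a trailing backslash; join them first
    joined = re.sub(r"\\\r?\n\s*", "", text)
    keys, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name, data = m.groups()
            keys[current][name] = decode_value(data)
    return keys


def stealth_findings(keys):
    """Map each interface GUID to the list of settings that deviate from the
    stealth-host configuration; an empty list means the interface complies."""
    results = {}
    for path, values in keys.items():
        if not path.startswith(IFACE_ROOT + "\\"):
            continue
        guid = path.rsplit("\\", 1)[1]
        problems = []
        # Both flags are treated as enabled when the value is absent, which is
        # the Windows default behaviour for these settings.
        if values.get("IPAutoconfigurationEnabled", 1) != 0:
            problems.append("IPAutoconfigurationEnabled is not 0 (APIPA may assign an address)")
        if values.get("EnableDHCP", 1) != 0:
            problems.append("EnableDHCP is not 0 (DHCP may assign an address)")
        if values.get("IPAddress") != ["0.0.0.0"]:
            problems.append(f"IPAddress is {values.get('IPAddress')}, expected ['0.0.0.0']")
        results[guid] = problems
    return results


if __name__ == "__main__":
    for guid, problems in stealth_findings(parse_reg(REG_EXPORT)).items():
        print(guid, "OK" if not problems else "; ".join(problems))
```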
The first interface has a 0.0.0.0 IP address. This address cannot be reached from inside or outside the AUDITNET network.

Figure 25

3.III.B WIRELESS NETWORK CONFIGURATION

Figure 26

1. Determine if access to the wireless network has been restricted by MAC address.

2. Determine if any authentication other than requiring a WEP key is required for access to the network.

The router does not support any type of authentication other than requiring a WEP key; see the next step.

3. Determine if any sort of encryption is used to protect network traffic.

WEP is enabled (see red arrow). The configured WEP key has been obfuscated.

WEP is not as secure as other technologies such as a VPN. WEP can be broken using AirSnort, found at this link: http://airsnort.shmoo.com/

Figure 27

To verify that traffic is encrypted, the WildPackets AiroPeek application was used with a Cisco 350 wireless card. Traffic was sent through Internal Audit's Proxim / Orinoco Gold card, whose MAC address ends in 40BB. This can be seen in the far left column of the application in the screen shot below.

The red circle shows traffic on the network from LAN users being WEP encrypted.

< http://www.wildpackets.com/products/airopeek >

Figure 28

4. ROUTER PASSWORD POLICY

The default password is used, and can be found in the documentation on the manufacturer's website. Link to PDF: <ftp://downloads.netgear.com/files/mr314_ref_guide_326.zip>

5. FIRMWARE

Router software is at its current version (Version 3.29).

Figure 29

6. WIFI COVERAGE

Using an HP iPAQ 5555, an Orinoco Gold wireless card, and the WiFiFoFum application, Internal Audit was able to determine that wireless coverage extends onto neighboring streets, using a method sometimes called war-driving.

Figure 30

From this particular location on the street, there were four other wireless networks available. Two of those wireless networks do not have WEP enabled and are likely "open", meaning that anyone can associate with and use the access point for an internet or network connection. With other networks in the area being "open", the risk that the AUDITNET network will be accessed by a casual WiFi seeker is reduced. Moving the access point may further reduce the risk of curbside hacking.

3.III.C NMAP APPLICATION

1. PORT AVAILABILITY

NMAP results from an off-site scan using the default options (a SYN scan), which gave the same results as other scan types such as SYN FIN and SYN ACK.

As you can see, there are 6 "open" ports in this router configuration screen, which coincide with what was seen using the NMAP application. From a network compliance and policy standpoint, the system is in compliance if the router configuration is recognized as an implied policy.
Figure 31

Figure 32

Application                              Port                                                      Version
Lotus Notes                              25                                                        6.0.2 CF2
IIS 5 web server                         80                                                        5.0
IIS 5 FTP                                99 (anonymous), 100 (password protected, IP restricted)   5.0
Lotus Notes                              1352, password protected, encrypted                       6.0.2 CF2
Terminal Services                        3389, high encryption, in admin mode                      5.0
Lotus Notes (web server for web email)   8080                                                      6.0.2 CF2

3.III.C.2 RETINA SECURITY SCAN (FOLLOWING PAGE)

Retina - Network Security Scanner
Network Vulnerability Assessment & Remediation Management
Thursday, December 23, 2004

NETWORK ANALYSIS RESULTS

Report Summary
Scanner Name: Retina
Scanner Version: 5.0.17.1107
Scan Start Date: 12/23/2004
Scan Start Time: 5:20:31 PM
Scan Duration: 0h 0m 20s
Scan Name: Windows top 20
Scan Status: Completed
Credential Used: ---
Machines Scanned: 1
Vulnerabilities Total: 2
High Risk Vulnerabilities: 2
Medium Risk Vulnerabilities: 0
Low Risk Vulnerabilities: 0
Information only Audits: 0

[Charts: Top 5 Most Vulnerable Hosts; Num. of Vulnerabilities By Risk; % of Vulnerabilities By Risk; Avg. of Vulnerabilities By Risk]
TOP 20 VULNERABILITIES

The following is an overview of the top 20 vulnerabilities on your network.

Rank   Vulnerability Name   Count
1.     Null Session         1
2.     LM Hash              1

[Chart: Top 20 Vulnerabilities]

TOP 20 OPEN PORTS

The following is an overview of the top 20 open ports on your network.

Rank   Port       Description                                                                        Count
1.     TCP:7      ECHO - Echo                                                                        1
2.     TCP:9      DISCARD - Discard                                                                  1
3.     TCP:13     DAYTIME - Daytime                                                                  1
4.     TCP:17     QOTD - Quote of the Day                                                            1
5.     TCP:19     CHARGEN - Character Generator                                                      1
6.     TCP:26                                                                                        1
7.     TCP:42     NAMESERVER / WINS - Host Name Server                                               1
8.     TCP:80     WWW-HTTP - World Wide Web HTTP (Hyper Text Transfer Protocol)                      1
9.     TCP:99     METAGRAM - Metagram Relay                                                          1
10.    TCP:100    NEWACCT - [unauthorized use]                                                       1
11.    TCP:135    RPC-LOCATOR - RPC (Remote Procedure Call) Location Service                         1
12.    TCP:139    NETBIOS-SSN - NETBIOS Session Service                                              1
13.    TCP:443    HTTPS - HTTPS (Hyper Text Transfer Protocol Secure) - SSL (Secure Socket Layer)    1
14.    TCP:445    MICROSOFT-DS - Microsoft-DS                                                        1
15.    TCP:1025   LISTEN - listen                                                                    1
16.    TCP:1031   IAD2 - BBN IAD                                                                     1
17.    TCP:1034                                                                                      1
18.    TCP:1035                                                                                      1
19.    TCP:1037                                                                                      1
20.    TCP:1038                                                                                      1

[Chart: Top 20 Open Ports]
TOP 20 RUNNING SERVICES

The following is an overview of the top 20 running services on your network.

Rank   Name                Description                                                                                              Count
1.     Browser             Maintains an up-to-date list of computers on your network and supplied the list to requesting programs.  1
2.     Event Log           Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer.  1
3.     IIS                                                                                                                          1
4.     LanmanServer        Provides RPC support and file, print, and named pipe sharing.                                            1
5.     LanmanWorkstation   Provides network connections and communications.                                                         1
6.     LicenseService                                                                                                               1
7.     Messenger           Sends and receives messages transmitted by administrators or by the Alerter service.                     1
8.     Netlogon            Supports pass-through authentication of account logon events for computers in a domain.                 1
9.     RPCLOCATOR          Manages the RPC name service database.                                                                   1
10.    RpcSs               Provides the endpoint mapper and other miscellaneous RPC services.                                       1
11.    Scheduler                                                                                                                    1
12.    SMTPSVC             Simple Mail Transport Service                                                                            1
13.    Spooler             Loads files to memory for later printing.                                                                1

[Chart: Top 20 Running Services]

TOP 20 OPERATING SYSTEMS

The following is an overview of the top 20 operating systems on your network.

Rank   Operating System Name            Count
1.     Windows 2000, Service Pack 4     1
TOP 20 USER ACCOUNTS

The following is an overview of the top 20 user accounts on your network.

Rank   Account Name             Count
1.     Administrator            1
2.     ASPNET                   1
3.     burchts                  1
4.     Crackhead                1
5.     Guest                    1
6.     Hilliwt                  1
7.     IUSR_GOHILLIS-5N345H     1
8.     IWAM_GOHILLIS-5N345H     1
9.     Snort                    1
10.    TsInternetUser           1

TOP 20 NETWORK SHARES

The following is an overview of the top 20 network shares on your network.

Rank   Share Name    Count
1.     ADMIN$        1
2.     C$            1
3.     CertConfig    1
4.     CertEnroll    1
5.     D             1
6.     IPC$          1

3.III.C.2 RETINA SECURITY SCAN (AUDITOR SUMMARY)

The Retina top 20 scan revealed that there were 2 vulnerabilities.

Vulnerability       Notes
1. Null Sessions    Requires access to ports 139 and 445 to exploit. Microsoft article and instructions.
2. LM Hash          A form of password storage, in this case on a Windows 2000 server. It is enabled by default for backward compatibility with systems older than Windows 2000. This network has no need for compatibility with systems older than 2000, so it can be safely disabled. Microsoft article and instructions.

The Lotus Notes application had been stopped during the time system information was being collected for this audit.
If this application had been running during the scan, additional ports would have been seen in the scan results, including 1352 and 8080. Microsoft's SMTP server port 25 had been enabled for testing purposes before the audit.

3.III.D INTRUSION DETECTION

1. Look at alerts generated by the IDS system; verify that the system is analyzing network traffic.

Intrusion attempts were recorded by the intrusion detection system. The alert dates reveal that the system had logged alerts the same day that this control was checked. The system administrator stated that the events are checked daily.

Figure 32

IDS NOTES: The intrusion detection system (IDS) is Snort IDS version 2.3.0. Events are logged into a MySQL database (V4.017) which is accessed using the ACID front-end utility.

2. Verify alerts are analyzed and escalated when appropriate.

Below is an email sent to [email protected]; they handle, and are to be notified of, network security issues regarding net block 218.237.186.0-218.237.187.255. No response was received regarding this incident.

From: AUDITNET Admin <[email protected]>
Date: Thu, 3 Feb 2005 13:05:43 -0600
Subject: Code red?
To: [email protected]

One of your systems may be infected with a virus. Please review the system configuration and activity for the system using IP 218.237.187.235 on 1/29/2005 at 15:29:36 CDT to determine proper steps for administrative action.

Thank you,
IT administrator

See IDS logs below:

#0-(3-16558),[snort] WEB-IIS cmd.exe access 1/29/2005, 15:29:36,,218.237.187.235:3759, AUDITNET-system:80, TCP
#1-(3-16559),[snort] WEB-IIS cmd.exe access 1/29/2005, 15:29:36,,218.237.187.235:3762,69.137. AUDITNET-system:80, TCP
#2-(3-16560),[snort] (http_inspect) DOUBLE DECODING,,ATTACK 1/29/2005, 15:29:36,,218.237.187.235:3762 AUDITNET-system:80, TCP
#3-(3-16561),[snort] WEB-IIS cmd.exe access 1/29/2005, 15:29:37,,218.237.187.235:3765, AUDITNET-system:80, TCP
#4-(3-16562),[snort] (http_inspect) DOUBLE DECODING,,ATTACK

4. REPORTING

4.1 TRANSMITTAL LETTER

March 9, 2005

Sans Grader
[email protected]

Dear Grader:

Enclosed is the internal audit report for the AUDITNET system. The outcomes of the audit are summarized on page 41 of this report. Management responses indicated concurrence with the recommendations and are incorporated into the report to facilitate your review. An overview of planned and implemented actions is presented below:

OS SECURITY

• Will periodically review all user accounts, ensuring that they comply with established system password policies.
• We will change account settings on all accounts to require password changes every 42 days, and enable account event logging.
• Non-critical patches will be installed on the audited system after being tested on standby servers. The system will be self-audited monthly and updated accordingly.

NETWORK SECURITY

• Will allow only approved wireless network cards on the network.
• Will disable unnecessary legacy password compatibility to increase system security.
• Will configure current and future systems in a way to ensure secure communication when possible.
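Returning to the escalation check in section 3.III.D above: the alert export from ACID can be summarised per source address and matched to the abuse contact responsible for its net block before an email like the one quoted is sent. This is an added example and not the paper's or the Snort/ACID projects' code; the alert lines are constructed in the shape the paper shows (with RFC 5737 documentation addresses as the destination and second source), and the contact table maps the net block the paper names, 218.237.186.0-218.237.187.255, written as 218.237.186.0/23, to a placeholder address.

```python
"""Added example: group ACID/Snort alert lines by source, look up the abuse
contact for the source's net block, and draft the notification text."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed alert export in the ACID format the paper quotes:
# "#<n>-(<sid>-<cid>),[snort] <signature> <date>, <time>,,<src>:<sport>, <dst>:<dport>, <proto>"
ALERTS = """\
#0-(3-16558),[snort] WEB-IIS cmd.exe access 1/29/2005, 15:29:36,,218.237.187.235:3759, 192.0.2.10:80, TCP
#1-(3-16559),[snort] WEB-IIS cmd.exe access 1/29/2005, 15:29:36,,218.237.187.235:3762, 192.0.2.10:80, TCP
#2-(3-16560),[snort] (http_inspect) DOUBLE DECODING ATTACK 1/29/2005, 15:29:36,,218.237.187.235:3762, 192.0.2.10:80, TCP
#3-(3-16561),[snort] WEB-IIS cmd.exe access 1/29/2005, 15:29:37,,218.237.187.235:3765, 192.0.2.10:80, TCP
#4-(3-16562),[snort] ICMP PING NMAP 1/29/2005, 16:02:11,,203.0.113.7:0, 192.0.2.10:0, ICMP
"""

# Constructed escalation table: net block -> abuse contact (placeholder addresses).
ABUSE_CONTACTS = {
    ipaddress.ip_network("218.237.186.0/23"): "abuse@example-isp.invalid",
    ipaddress.ip_network("203.0.113.0/24"): "abuse@example-net.invalid",
}

ALERT_RE = re.compile(
    r"^#(?P<n>\d+)-\((?P<sid>\d+)-(?P<cid>\d+)\),\[snort\] (?P<sig>.+?) "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}), (?P<time>\d{2}:\d{2}:\d{2}),,"
    r"(?P<src>[\d.]+):(?P<sport>\d+), (?P<dst>[\d.]+):(?P<dport>\d+), (?P<proto>\w+)$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        events.append({"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                       "sig": m["sig"], "when": when})
    return events


def abuse_contact(ip):
    """Contact for the first net block containing ip, or None if none is on file."""
    addr = ipaddress.ip_address(ip)
    for net, contact in ABUSE_CONTACTS.items():
        if addr in net:
            return contact
    return None


def escalation_summary(events):
    """Per source IP: alert count, distinct signatures, time window, and contact."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    summary = {}
    for src, evs in by_src.items():
        times = sorted(e["when"] for e in evs)
        summary[src] = {
            "count": len(evs),
            "signatures": sorted({e["sig"] for e in evs}),
            "first": times[0],
            "last": times[-1],
            "contact": abuse_contact(src),
        }
    return summary


def draft_report(src, s):
    """Notification text in the style of the email quoted in 3.III.D."""
    lines = [f"To: {s['contact'] or '<no abuse contact on file>'}",
             f"Subject: Suspicious web traffic from {src}", "",
             f"Between {s['first']} and {s['last']} our IDS recorded {s['count']} alert(s) from {src}:"]
    lines += [f"  - {sig}" for sig in s["signatures"]]
    lines.append("Please review the system configuration and activity for that host.")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, s in escalation_summary(parse_alerts(ALERTS)).items():
        print(draft_report(src, s), end="\n\n")
```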
4.2 EXECUTIVE SUMMARY

The Office of Internal Audit has completed a review of the AUDITNET system. The purpose of the review was to:

• Determine whether access management practices provide assurance that system access is appropriately restricted;
• Verify that system management practices are effective and that the system is kept up to date;
• Verify that network security practices ensure that network communications are secure.

Our review indicates that the system is physically secure, supported by Microsoft, not infected with malicious software, and monitored by an intrusion detection system. However, improvements can be made in the areas of OS security and network security.

OS SECURITY

• Will periodically review all user accounts, ensuring that they comply with established system password policies.
• Will configure account settings on all accounts to require and enforce password changes every 42 days.
• Non-critical patches will be installed on the audited system after being tested on standby servers. The system will be self-audited monthly and updated accordingly.

NETWORK SECURITY

• Will allow only approved wireless cards on the network.
• Will configure current and future systems in a way to ensure secure communication when possible.
• Will disable unnecessary legacy password compatibility to increase system security.
• Will enforce password policies on supporting network equipment.

4.3 AUDIT REPORT

OS SECURITY

Issue: Three user accounts are configured not to require password changes and are in violation of the implied forty-two day system password policy.
Implication: Accounts that may become compromised will remain accessible until the password is changed, possibly resulting in the loss of information or intellectual property.
Recommendation: System administrators should regularly verify that accounts conform to system policies.
Cost: $0

Issue: Three accounts on the system are not required; only one of those accounts is disabled.
Implication: Former users have continued access to the system and may be able to delete, manipulate, or steal company information.
Recommendation: System administrators should routinely verify each user's need for continued system access and remove accounts that are no longer needed.
Cost: $0

Issue: Account auditing is not enabled.
Implication: User actions cannot be easily tracked, and malicious actions may go undetected.
Recommendation: System administrators should enable the logging of events like logon and logoff.
Cost: $0

Issue: Not all hot fixes were installed on the audited system.
Implication: The system could become compromised if used to browse websites with malicious code.
Recommendation: System support personnel should install updates and use the MBSA tool to regularly conduct self audits in order to maintain a secure system.
Cost: $0

Management Response

We are in agreement with your comments and recommendations. We will remove the non-essential accounts from the system and verify monthly that stale accounts are removed. We will change account settings on all accounts to require password changes every forty-two days, and to log events like logon and logoff. Non-critical patches will be installed on the audited system after being tested on standby servers. The system will be self-audited monthly and updated accordingly.
NETWORK SECURITY

Issue: There is no policy requiring MAC address filtering on wireless routers.
Implication: Any wireless card can attempt to gain wireless network access by guessing the encryption key.
Recommendation: Network security should enable the wireless router's MAC filter and periodically verify that wireless access is still required by those who have been authorized.
Cost: $0

Issue: WEP is the only form of access control and data security used on the wireless network.
Implication: User information and accounting information may be intercepted or compromised.
Recommendation: Wireless users should use secure protocols when communicating with other systems.
Cost: $0

Issue: LM hashes are used for backwards compatibility.
Implication: Passwords can be discovered using brute force methods, resulting in a system and information compromise.
Recommendation: System engineers should disable the storage of LM hashes in current and future system installations if not required.
Cost: $0

Issue: There is no policy in place requiring the regular change of passwords on network routers.
Implication: An unauthorized user could gain access to the device, possibly causing a network outage.
Recommendation: Passwords on network equipment should be changed regularly.
Cost: $0

Management Response

We are in agreement with your comments and recommendations.

We will enable MAC filtering within 30 business days, and periodically contact the managers of the employee who was assigned the wireless card and verify their need for continued wireless access.
If wireless access is not required, they will be moved to the wired network.

We encourage our employees to use secure protocols like SSH and VPN technologies. We are currently working to enable peer-to-peer IPSec tunnels to help ensure that our data stays secure. We expect to have our IPSec solution implemented within 90 days.

We have already started configuring our systems to comply with Microsoft's recommendation of disabling LM hashes. We expect the project to be completed within 30 days.

We will change our password on current and future wireless devices every 42 days, matching our desktop and server password standards. In the event a more stringent server and workstation password policy is implemented, network equipment that supports passwords will comply with those standards.

5. REFERENCES

These resources were consulted during the audit of the AUDITNET system, a Windows 2000 Advanced Server:

1. Vanderbilt Internal Audit. Vanderbilt University Internal Audit Staff Manual. 11 March 2005.

2. Walker, William E. "Guide to the Secure Configuration and Administration of Microsoft Internet Information Services 5.0." NSA website. 1 January 2005. <http://www.nsa.gov/snac/os/win2k/iis_5.pdf>

3. DiMaria, Vincent, Barnes, James, Birdsong, Jerry, and Merenyi, Kathryn. "Guide to Securing Microsoft Windows 2000 Terminal Services." NSA website. 2 January 2005. <http://www.nsa.gov/snac/os/win2k/w2k_terminal_serv.pdf>

4. Microsoft TechNet. "Microsoft Windows 2000 Security Configuration Guide." Microsoft TechNet. 10 March 2005. <http://www.microsoft.com/technet/Security/topics/issues/w2kccscg/w2kscgc3.mspx>

5. Microsoft Lifecycle Dates. <http://support.microsoft.com/default.aspx?scid=fh;%5Bln%5D;LifeWin>

6. Kistler, Ueli. "Snort IDScenter 1.1 manual." Engage Security. 10 March 2005. <http://www.engagesecurity.com/docs/idscenter/>

7. MSDN. "LocalSystem Account." MSDN website. 10 March 2005. <http://msdn.microsoft.com/library/default.asp?url=/library/enus/dllproc/base/localsystem_account.asp>

8. Davies, Joseph. "Exploring Peer-to-Peer IPSec in Windows 2000." Microsoft TechNet. 10 March 2005. <http://www.microsoft.com/technet/community/columns/cableguy/cg0501.mspx>

9. Snort download page. 9 March 2005. <http://www.snort.org/dl/binaries/win32/>

10. SANS Institute. Track 7 – Auditing Networks, Perimeters & Systems. Volume 7.5. SANS Press, 2004.

11. AspectoSoftware. Home page. 11 March 2005. <http://www.aspecto-software.com/WiFiFoFum/>