My Notes to Myself and Others... : Security

Hyper-V security guide

Erik Rozman — Sat, 04 Apr 2009 16:20:31 GMT

This Solution Accelerator provides instructions and recommendations to help strengthen the security of computers running the Hyper-V role on Windows Server® 2008. It covers three core topics: hardening Hyper-V, delegating virtual machine management, and protecting virtual machines.

Download

Let the Panic begin?! (or maybe not…) [MS08-067]

Erik Rozman — Fri, 24 Oct 2008 09:04:25 GMT

Yesterday, Microsoft has released an out of band patch (in other words, not through
the standard cycle of releases,which means it’s really important and there is no time
to wait for the next cycle) for all Windows version. Such a release, obviously causes
concerns (as does everything that is not routine).

The patch is intended for all Windows versions, and it is supposed to plug a hole in
the Server service (specifically RPC) that might allow an attacker to run arbitrary code
under the system account (it also seems that the vulnerability is wormable).
Enter PANIC!!! (or maybe not)

First reason to lower the panic levels is that when stating that an attacker can do something we have to ask ourselves
whether the attacker is an anonymous attacker or an authenticated one (he difference
is obvious and major). In this case, older Windows version (2000, XP, 2003) are
vulnerable to an anonymous attack (thus the patch is critical).
Windows 2008 and Vista are only affected if the attacker is authenticated.

Second, security is a layered art. The vulnerability can only affect systems that do not
have firewalls that protect them. This statement sounds like a double edged sword:
on one hand you will obviously not have a firewall block the ports on a system that is
acting as a server(simply sharing a folder/printer),on the other hand how many personal computers that do not have
some type of firewall protection do you think are on the Internet today (a lot, but a lot
less since the days of Blaster).

Third reason to lower the panic levels is the fact that you are reading this. If your level
of awareness is high enough to pursue information on the subject it means that you
are security conscious and that you are protecting your computers and will apply
the patch. Security conscience has significantly grown which means that systems may
be hit, yet the damage (effect) will be significantly lower.

If you managed to bear with me, it’s time to go and patch:
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

http://www.kb.cert.org/vuls/id/827267

DEP and ASLR in Vista circumvented?

Erik Rozman — Sat, 09 Aug 2008 09:19:34 GMT

Two researchers claim to have found a way to circumvent both Data Execution
Protection (DEP) and Address Space Layout Randomization (ASLR). These techniques
are meant to protect the way information is stored in RAM, ASLR is relatively new
and it randomizes the way that DLLs are loaded on startup dealing a sever blow
to anyone that would try to estimate which space in RAM a worm would need to overwrite
during a buffer overflow attack.

The researchers (Mark Dowd of IBM Internet Security Systems (ISS) and Alexander
Sotirov, of VMware Inc.) will discuss the weaknesses they have found at the Black hat
briefings in Las Vegas.

Book Review – Administering Windows Vista Security ,The Big Surprises

Erik Rozman — Fri, 08 Aug 2008 20:46:24 GMT

Haven’t managed to go through a book from cover to back in a long time. Well,
the draught has been broken. I picked up “Administering Windows Vista Security
The big surprises” (known henceforth as ‘the book’) and just finished reading it
cover to back. Summing it up:One of the better technical books I read in a long time.

The book covers security issues related to Windows Vista with the correct balance of
theory and practice, while the authors (Mark Minasi, Byron Hynes and Jennifer Allen)
do a great job of keeping you interested.

The book covers the following topics (and a few additional topics):

UAC
File and Registry Virtualization
Mandatory Integrity Control (wrote about this a while back)
BitLocker (Part 1,Part 2,Part 3[I hope])

Pros

A relatively short and to the point book (255 pages)
Focused on the topic (ok,I said that already,but I was so happy to read book
that cuts down on the fluff that I had to mention it twice)
Well written,easy to read
Correct balance between theory and practice

Cons

Written a long time ago (how about a second edition?)
A few technical inaccuracies (due to the usage of pre-RTM software)

http://www.minasi.com/vistsecbook/

http://www.amazon.com/Administering-Vista-Security-Big-Surprises/dp/0470108320/sr=11-1/qid=1168300170

Doomsday DNS flaw!!! (or is it?)

Erik Rozman — Sat, 26 Jul 2008 15:47:51 GMT

The last few days(actually almost a month now) have been very exciting in the relatively
“boring” world of DNS. In that world nothing much changes…DNS has been around for
quite a while now and it has always helped us translate friendly names into long and daunting
numbers (IP addresses).

It did so in a reliable and predicable manner. Yet that soothing effect of predictability seems
to have gotten it into trouble. According to security researcher Dan Kaminsky, a vulnerability
exists in the NDS implementation itself (affecting all vendors) that allows cache poisoning
(in other words, an incorrect IP address will be inserted into a DNS servers cache for a well
known website [e.g. your bank]).

Dan turned over the details to multiple vendors and worked with them to patch their systems.
He also decided to keep the details of this vulnerability confidential until his session at the Black
Hat security conference in Las Vegas (this seems to have failed, the details have leaked to the
Internet and discussion around his request to keep it quiet rages on).
In addition to that it seems that now there is an actual working exploit out there…

I won’t go into too much technical detail regarding this vulnerability (partly due to the fact that
I am not fully familiar with it), yet it seems that it has to do with the predictability of the
queries and replies being exchanged between servers and clients and servers.

Microsoft has release a patch for this vulnerability at:

http://support.microsoft.com/kb/953230

http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx

Note that the patch changes the behavior of DNS server(specifically which ports they use), and
this may confuse some firewall software.

CERT have published an article at:

http://www.kb.cert.org/vuls/id/800113

Perception is everything or who is more secure: Microsoft or Apple

Erik Rozman — Sat, 29 Mar 2008 07:46:21 GMT

Continuing my Microsoft fanboy weekend- In an article called: Microsoft vs. Apple: Who
patches zero-days faster? (by Computeworld) the writer describes a research done by
the Swiss Federal Institute of Technology. The research looked at how many times in the past
six years did the two vendors (Microsoft and Apple) have a patch ready for a zero day
vulnerability.

In other words they tried to designate (using statistics) which of the two companies is
better to react when a vulnerability is discovered. Well the result was/is surprising to many
as it turns out that according to the results Apple lags in patching.

An additional interesting fact is that the research found 658 vulnerabilities in Microsoft products
and 738 in Apple products...

So as usual: perception is everything.

MacBook Air Hacked in 2 minutes...

Erik Rozman — Fri, 28 Mar 2008 10:46:54 GMT

Ok,so as a Microsoft fanboy it is my turn to gloat. Vista Ultimate still stands strong
after the 2nd day of the PWN 2 OWN contest. Basically the contest provides three
laptops that have Windows Vista Ultimate, OSX 10.5.2 and Ubuntu.

The hacker receives a prize of 10k and the laptop he hacks...

After the first day(only network attacks were allowed) all three systems were still standing
on the 2nd day contestants were allowed to instruct organizers to work on the
systems...Charlie Miller (responsible for the first iPhone hack) pointed one of the organizers
to a website-and that was it (2 minutes).

Ok,so I am not really happy about this but it's still fun to see that after all the bashing
Vista is still standing!

Mandatory Integrity Control (What,how and why do we care?)

Erik Rozman — Sat, 19 Jan 2008 15:10:03 GMT

The theory

Mandatory Integrity Control (MIC) is an additional layer of security built into Vista and
Windows 2008. This particular layer helps Windows protect itself from harmful intentional and unintentional
changes to important objects. Among the objects protected we can find files, directories, registry
key, printers, and actually any object that has a security descriptor.

The beauty of MIC is that it has been there in the background all along protecting you, yet you never knew
it existed. You might have actually encountered it by trying to change a file that is protected by it, and even
though you had the permission you couldn't...

The MIC layer is a barrier placed before your permissions are checked. Essentially this new road block checks
your privilege level against the object that you are trying to change. If your privilege level is equal or higher you are
allowed to make the change. On the other hand if your privilege is lower you cannot change the object even
though you may have the permission to.

Vista defines four integrity levels in order of precedence from low to high (the Untrusted and Trusted Installer are out
of scope here):

Low - Used by Internet Explorer 7 to enforce Protected Mode:
Medium - Used for standard users (assumed if no other level is set):
High - Used for administrative actions (CMD with Run as administrator):
System - Used by the system

Note that what happens is that each privilege level is represented by a different group SID.

Privilege levels are inherited, meaning that the privilege level of the creator is inherited by the object
that is created. If a user opens Notepad the users privilege level is attached to the process and the
file created by the process and so on...

A quick example

Ok, lets try something practical.
In the following example I will create a new file using an elevated CMD.exe ,view the integrity level by using ICACLS and then
I will try to delete the same file using a standard CMD.EXE...lets see what happens:

Note that CMD was started as an administrator and the file has been created with a privilege level of high (last line
of ICACLS output. The users privilege level is also high (see the WOAMI output and he belong to the Administrators
group).

Note that the second instance of CMD is not run as and administrator. The file is still there, still with a high level of privilege,
the user has permissions (ICACLS and WHOAMI output) yet he can not delete the file.
The reason is that the current privilege of the user is medium (note the output of WHOAMI).

Now to top it off-something odd(or actually normal,depends on how you look at it...). If you attempt to delete the file
from an Explorer window you will receive the following message:

Once acknowledged (by pressing Continue) the file will be deleted-what happened here?

Well by choosing to continue you elevated the Explorer processes level to High- thus you can delete the file...

Conclusion

Based on the above example you can see that MIC is an additional layer of security implanted into Vista. Vista
assigns the level of integrity a specific object belongs too, it's not configurable and the only way that a user
can elevate his own level of integrity is by interacting with the system an explicitly acknowledging an action(such as
the deletion of the file in our example). A very important point to understand about MIC is that it protects files
from being tampered with,not their privacy. In other words only ACLS will protect the file from being read.

Now I really love to contradict myself (at least I do it in different paragraphs...),there is a way to manipulate
files and even protect it's contents by using MIC but it's not a way I would recommend. On the other hand it's
still good to know and as Mark Minasi mentions what happens if a malware actually creates a file with the privilege
level of System -no one will be able to delete it?!?

Mark has created a tool called CHML.EXE that is a bit more versatile then ICACLS and it allows you to set privilege
levels.
For additional information on CHML look at:
http://www.minasi.com/vista/chml.htm

Temporary e-mail address

Erik Rozman — Sat, 13 Oct 2007 12:10:11 GMT

Anonymity is a commodity that most of us have lost in this age. At times though, you may
still attempt to seek anonymity so you can avoid being hit by a barrage of junk or due to the
fact that you do not trust a specific website(that requires you to register using a valid e-mail address)
that you wish to use (oxymoron,but curiosity did kill the cat-who can blame him?!).

For such cases I have found the following service:10 Minute Mail.

You will be provided with an address for 10 minutes and a web interface to manage received messages.

Note that you can prolong the validity period but I didn't find a way to save or forward messages(only read and
reply).

Technorati Tags: Security

iPhone runs everything as root?

Erik Rozman — Wed, 03 Oct 2007 07:21:17 GMT

This might be somewhat old but it still strikes me as odd. It seems that every process
on the iPhone runs as root, which basically means that if one process is breached it will
have full access to the whole system.

When looking at this situation, on one hand you might be confident that your software
has no security flaw, thus you have nothing to worry about or you have made a mistake.

A process/user should not run with higher privileges then the ones he really needs, even
administrators should be limited- if they need to use their admin privileges it should be
done in a controlled environment both technically and mentally (be afraid...very afraid...ok,
not afraid but aware of the fact that you can wipe out your companies information).

For additional information take a look at the following post on the Metaspolit blog and the
following message on Neophasis Archives (Full Disclosure).

Verify the strength of your password

Erik Rozman — Sun, 09 Sep 2007 17:41:36 GMT

Ever wondered if your password is strong enough?

Well if you did you can use either or both of the following sites to verify
the strength of your password:

http://www.geekwisdom.com/dyn/passwdmeter

https://www.microsoft.com/protect/yourself/password/checker.mspx

Testing RPC over HTTP through ISA Server 2006

Erik Rozman — Fri, 17 Aug 2007 10:10:42 GMT

The ISA server team has posted a guide on the subject (in three parts). The guide
covers most aspects of the subject including troubleshooting.

Part 1

Part 2

Part 3

A look at User Account Control (UAC)

Erik Rozman — Thu, 02 Aug 2007 23:00:31 GMT

Overview

UAC (also called Admin Approval Mode) is a new feature introduced with Windows Vista. The main goal of this
feature is to protect the operating system from malicious or accidental damage. This goal is achieved by
requesting consent from the user when an administrative action is attempted (installing an application, opening
computer management,etc.)

UAC has been introduced as the eternal battle between security and functionality rages on. While on one hand we
would like to allow our users to have full access to their systems (which essentially are their tools of trade), on the
other hand we are well aware that allowing unlimited access will without any doubt lead to unintentional/intentional
damage to the local system and far worse to the whole network(virus/worm/adaware infection).

On the same note, an additional issue we must deal with are administrative users. The majority of system admins will use
their privileged accounts for daily tasks. If such an account is compromised by malicious software it is literally unstoppable.
Several options were introduced to limit the access of administrative accounts without hampering their ability to manage a
system. One such example is 'Run as'. A system administrator can use a standard account for standard tasks, and use a
privileged account to invoke administrative tools (by using 'Run as'). Note that when using this feature a different account
is used to invoke a process and a different token (more about these later) is attached to that process (until the process
is stopped).

In my opinion, unless enforced by company policy, most system administrators kept on using privileged accounts as
they saw the need of using 'Run as' as a nuisance(invoking a different account,entering the user name again and then
the password, too much finger travel). Most system administrators, found the benefit in using 'Run as' when
standard users had to be awarded elevated permissions to perform a task (in other words when it didn't affect them...).

Enter UAC. UAC steps in and attempts to provide a type of a compromise between functionality and security by providing an
environment in which using an "elevated account" is less of a nuisance and not much of a choice...
Every time a standard user or an administrative user attempts to execute a command that requires elevated
privileges(not to be confused with permissions) he or she are queried if they are sure that they want to proceed (the exact
form of the query will be discussed later in this article).

So, how does(did) it work?

Privileges and permissions are different things:

Privileges/User rights -can be defined as broad abilities that apply to a system as a whole. Changing
the time on a system is a privilege/user right,backing up a system is a privilege/user right.
Permissions -what a user(process by proxy) can do to a specific object (be it a file or a printer, or an object in
Active Directory).

When a user logs on to the system he is authenticated(user/password), then a token is built for him by the system. The token,
will include the users privileges and Security Identifiers (SIDs). A token is very similar to a security pass.
[A SID is a unique string that uniquely (obviously) identifies security principals (user accounts,groups)]
A users token is attached to every process that the user initiates. The first process the user initiates in Vista is explorer.exe
which in turn initiates all process, which inherit the token from it.
When a user attempts to perform an administrative task,such as change the time, his token is examined-if he "owns" the privilege,
he will succeed- otherwise he will fail.
A similar process is undertaken when trying to access an object-each object has an Access Control List(ACL) that has Access Control
Entries (ACE). Each ACE defines a specific SID and wether this SID is allowed or denied a specific action. When the user attempts
to take a specific action on an object his token is examined and his SIDs are compared to the ones on the ACL,if there is a match
then the action defined is examined and according to it the user will either succeed or fail. If no match is found,the user will fail.
[the process is very similar to a private club,each member has a card(token) and the bouncer has the list(ACL) of who is allowed to enter]
A users token is created during the log-on process,thus if he is added to a new group for it to be reflected in his token, he has
to logoff and on again so a new token can be created for him.

How does(now) it work

In Windows Vista there are two types of users, standard users and administrator accounts. Every user that is created and logs on
to a Vista system is classified as one or the other. The distinction is important due to the fact that the token creation process has
changed. Each user still gets a token,yet:

Standard user -Receives one token that identifies the user to the system
Administrator accounts -Receives two tokens,one that represents the user as a standard user and one that holds all of the elevated
privileges that the user has.

To facilitate the usage of two tokens a new service called 'Application Information' has been added to Vista. This service is responsible
to identify the attempted usage of an administrative privilege and to act upon it based on the policies configured.

Implementation and Experience

UAC is enabled by default.
When Vista is installed, the first user that is created is defined as an administrator account (with UAC enabled). The built-in Administrator
account is disabled (by default). If the Vista installation is an upgrade from XP, and the installation determines that the only administrative
account is the built-in administrator it will leave it enabled with UAC enabled.
You should also note, that the local built-in administrator account can not be used to log on to the system in Safe Mode. Only exception
is in the case of a non-domain joined system that has no other administrative accounts configured on it. If the system is joined to a domain
there are no exceptions(local built-in administrator can not be used to log-on),if there is no other administrative account to be used, and
no cached credentials, Safe Mode with Networking has to be used to enable logon.

When an administrator account attempts an administrative task the system will ask for consent. It does so by taking a "dark screenshot"
and imposing above it a window that asks for consent. Now this "dark screenshot",except being very dramatic is actually a safe environment
that only Windows processes can access. It is possible for malware to imitate the visual appearance of this environment, yet it has to be
already installed on the system(in other words you are already in a bad place).

fig.1 Consent Window

By the way, the visual structure of the prompt will vary:
Red background and red shield icon: The application is from a blocked publisher or is blocked by Group Policy.

Blue/green background: The application is a Windows Vista administrative application, such as a control panel.

Gray background and gold shield icon: The application is Authenticode signed and trusted by the local computer.

Yellow background and red shield icon: The application is unsigned or signed but not yet trusted by the local computer.
In addition to that the details button will provide the exact name of the executable trying to run. Personally,I would also
like to see the name of the process that invoked the command.

When a standard user attempts to run a task that is of administrative nature he will be prompted to enter the credentials
of an administrator account.

fig.2 Credentials Window

The third visual cue is a small shield being placed next to menu options that warrant for administrative privileges.

Configuring UAC

UAC can be configured by using the Local Security Policy or by using GPO(Group Policy Object). There are nine settings:

fig.3 UAC settings (local Security Policy)

In my opinion the two major settings that control the behavior of this feature are:

Behavior of the elevation prompt for administrators in Admin Approval Mode:
- Elevate without prompting
- Prompt for credentials
- Prompt for consent (Default)
Behavior of the elevation prompt for standard users:
- Automatically deny elevation request for users
- Prompt for credentials (Default)

An additional location that can be used to turn off UAC can be found on the 'User Accounts' applet in 'Control Panel'. As you can see
in figure 4 the option is "prefixed" by a shield meaning that is a protected action.

Fig. 4 Turn UAC off

Conclusion

Considering UAC and past attempts to do something similar, leads me to the conclusion that UAC is a an upgraded 'Run as'. What
I mean to say is that when analyzing how this works we can see that UAC saves the hassle of having to enter credentials for system
administrators by allowing them to use one account with two tokens.
UAC provides safety,it might prevent mistakes done by system administrators and it might prevent the installation/execution
of unwanted software by providing the user with a "second chance".

A subject I have not mentioned here is the issue of application compatibility this is an important subject
since it enable us to use applications that have not been built with UAC in mind.
For that and more on UAC you can visit:

http://technet.microsoft.com/en-us/windowsvista/aa905113.aspx

Known issues with updates MS07-040 & MS07-041

Erik Rozman — Fri, 13 Jul 2007 07:11:00 GMT

Take a look at:

http://support.microsoft.com/kb/931212

http://support.microsoft.com/kb/939373

This has also been mentioned on Donna's Security Flash (which is a great resource for security news/updates).

TCP Header Checksums Displayed as Corrupted (using Network Monitor)

Erik Rozman — Wed, 11 Jul 2007 16:12:00 GMT

OK,so I was troubleshooting and odd issue with an FTP server and one of the things
that caught my attention while using Network Monitor (on a Windows 2000 server)
was that some(actually almost all) of the TCP checksums (originating from the server)
were found to be incorrect.

At first I thought I was having a networking problem,yet someone pointed out the fact
that since the calculation was being offloaded to the NIC Network Monitor may be
calculating the checksums incorrectly.

http://support.microsoft.com/kb/243294

Vista Tip-Administrative CMD

Erik Rozman — Sat, 27 Jan 2007 13:47:00 GMT

Most administrators use the command prompt to run administrative tasks.
The problem is that if you are using Vista, opening the CMD will not allow you to run
commands as an administrator(unclear to me as to why couldn't they simply let the UAC
take care of it).

To solve this you could start the CMD using a shortcut with RUNAS, a better solution
though is creating a shortcut for CMD and setting the check box by the 'Run as administrator'
(Properties>Advanced).

Which process uses a specific port (TCP/UDP)

Erik Rozman — Fri, 05 Jan 2007 13:34:00 GMT

The most common reason for such a question to come up is security.
TCP/UDP ports are virtual windows on the walls that represent your computer.
If a perpetrator would like to gain access to your system he would do such using one
such window.

We might close all those windows (and it is advisable to do so when accessing the
Internet, by using a firewall that blocks direct access to the ports on your system),
yet due to their nature there may be times when you would like to allow access to your
system (hosting a website on your system or simply sharing files among systems).

Another important facet of the issue is that once a system is penetrated by a perpetrator
he might want to call his friends and have a party or in other words a malicious software
might open a port and allow access to others(publish your IP and port on an IRC channel).

Better yet,if you are infected by a virus, it might be using your system to scan for other
systems that might be vulnerable while striving to infect them.

How can we check who exactly is opening windows on our systems?

The best way to do this is to verify which process has opened a specific port.
If the process is familiar you are OK yet if you identify a process which you can not
account for you may be in trouble.

The following methods can be used to match open ports to processes:

Windows XP and higher- use the NETSTAT -O command
Pre XP- Download a neat tool called FPORT from Foundstone (McAffe)

Once you have the output you can simply Google the process names to determine their roles.
If you do this from time to time it possible to track behavioral changes and easily track down
unknown open ports on a system.

Zotob,or worms that you get punished by...

Erik Rozman — Sat, 20 Aug 2005 21:16:00 GMT

Hmmmm...
This one really got me going(on the other hand this shouldn't be a usrprise since it had me
up unttil 3am).

What makes a vulnerability more dangerous/famous then another?
How come there are dozens of vulnerabilities yet you really remmember only some of them
such as Blaster?

The answers may vary:

No high profile exploit was created.
No high profile company was hit.

So what is it this time?

Who said fonts aren't important???

Erik Rozman — Sat, 06 Aug 2005 22:51:00 GMT

You may receive a “Stop 0x000000ab” error message when you log off a Terminal Services session on a Windows Server 2003 SP1-based Terminal Server

http://support.microsoft.com/default.aspx?scid=kb;en-us;901150

You cannot connect to a Telnet server that is running on a Windows Server 2003-based computer

Erik Rozman — Sat, 06 Aug 2005 22:48:00 GMT

Don't really see a major reason for using Telnet,but:

http://support.microsoft.com/default.aspx?scid=kb;en-us;902439