Security Basics mailing list archives

RE: Where are Local Passwords stored on Win2K

From: "Wilcox, Stephen" <StephenWilcox () universalcomputersys com>
Date: Thu, 23 Oct 2003 10:21:05 -0500
David,

Thanks you for the information.  I will defiantly incorporate this into our servers.  I will have to read up on #6 & 8, 
but this is great stuff.  

I was also going to rename the Admin account to something else, this should help in discouraging the attempts, though 
ENUM can still identify this information.  The WEB will not belong to the AD since it is on the DMZ, and rightfully so 
because no machine on a external network should be able have this information in case of compromise.  

I also looking the incorporate pvlans out on the DMZ as well.  This should restrict the likely hood of have access to 
multiple server if one is to get compromised.  What would be the pros or cons to this setup?



I have two concerns, I'm currently looking at.

1) Remotely taking over a server and how to prevent a compromised server for spreading to multiple compromised servers. 
 Some DMZ server still communicate with internal machines,  is there anything else besides retraction only the 
particular port to pass through for extra security?

2) A rouge/zombie machine on the internal network but not logged into the AD, with the right tools - LDP, ENUM, 
AirSnare,  ethereal,...  How long it would take to gather valuable information.  I know not long, because once I have 
on the local network I can get DC information - name, domain, root domain... right of the top, MAC addresses pc around, 
local admin accounts of the pc.  

I could restrict access on a mac but this is a management nightmare.. and mac can be spoofed.

MY company wants to incorporate wireless.. so how to make it hard to hack.  I am working on tighten up any possible 
holes and loose security prior to the installation.

Thanks in advance,

Stephen Wilcox


-----Original Message-----
From: dave kleiman [mailto:dave () netmedic net]
Sent: Tuesday, October 21, 2003 1:13 AM
To: Wilcox, Stephen; security-basics () securityfocus com
Subject: RE: Where are Local Passwords stored on Win2K 


Steven,

Nobody can tell you what could or could not be obtained if your web server
was compromised without a lot more information.

But you could decrease the likelihood of someone cracking the password file
by.

1.  Making sure that they and the DC are not storing the LM hash of the
password:
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash\bar=4,0   For 2000
machine\system\currentcontrolset\control\lsa\nolmhash=4,1   For XP and 2003
Sorry none for NT :(
After you make this change and reboot the system, You must re-apply all the
passwords, until you do the LM hash still exists.

2.  Force the "uncrackable" characters in all non-standard users passwords.
(Admin, Backup Operators, etc..)
See http://www.securityfocus.com/archive/88/312263 for details.

3.  Set your authentication level up to:
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5
Forcing the systems to only use NTLMv2 and refusing all others.

4.  Enable forced logoff, protection mode, restrict anonymous and remove
cached logon.

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForc
edLogOff=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
machine\software\microsoft\windows
nt\currentversion\winlogon\cachedlogonscount=1,0

5.  Restrict Null Session Access over named pipes:
MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\NullSessio
nPipes=7,""
MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\NullSessio
nShares=7,""
Unless there are some you need??

6.  Force SMB signing:
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecu
ritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSec
uritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\Enabl
eSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\Requi
reSecuritySignature=4,0
You mat want to read a little on this if you have pre 2000 systems.

7.  Enable Idle force logoff and protection mode
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForc
edLogOff=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\autodiscon
nect=4,15
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\Enabl
ePlainTextPassword=4,0

7.  Require secure channel integrity checking:

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChan
nel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChan
nel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrS
eal=4,1



Or if you feel like it Force Kerberos authentication.


Hope this helps,


 
_____________________
Dave Kleiman
secure () netmedic net
www.SecurityBreachResponse.com

"High achievement always takes place in the framework of high expectation."
Jack Kinder

 
-----Original Message-----
From: Wilcox, Stephen [mailto:StephenWilcox () universalcomputersys com] 
Sent: Monday, October 20, 2003 16:40
To: security-basics () securityfocus com
Subject: Where are Local Passwords stored on Win2K 


Hello, I'm looking for some information.  Walking through security =
compromises within our network.  Let me explain, I have two web server = in
a cluster on the DMZ.  they talk to a SQL cluster on the internal = network.
These two SQL server are not a member of the AD. =20

My boss want to know the good, bad, and ugly for making them members of =
the AD.

If someone compromised a WEB server, would they be able to find the = local
cached passwords that are stored on the box and decrypt them?  = Then login
to the web server with the AD account, and use a tool like = LDP to gather
AD DC information, and all pc's and usernames.

Where would I locate the cached stored password to see if the risk is = too
great to allow.

I know PWDUMP3 will get the SAM but I'm looking for the location of the =
stored cached password.

I also know if the local admin password is compromised then a key logger =
can be installed to gather the information anyway, but need the other =
information for my report.



----------------------------------------
The information transmitted in this message is intended only for the person or entity to whom it is addressed and may 
contain confidential and/or privileged material.  Any review, retransmission, dissemination or other use of, or taking 
of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. 
 If you received this in error, please contact the sender and destroy any copies of this document.

---------------------------------------------------------------------------
Visual & Easy-to-use are not words that you think of when talking about
network analyzers. Are you sick of the three window text decodes? Download ClearSight Network's Analyzer and see a new 
network analysis tool that
makes the complex - easy
http://www.securityfocus.com/sponsor/ClearSightNetworks_security-basics_031021
----------------------------------------------------------------------------
Current thread:

Where are Local Passwords stored on Win2K Wilcox, Stephen (Oct 20)
- RE: Where are Local Passwords stored on Win2K dave kleiman (Oct 21)
- <Possible follow-ups>
- RE: Where are Local Passwords stored on Win2K Meidinger Chris (Oct 23)
- RE: Where are Local Passwords stored on Win2K Wilcox, Stephen (Oct 23)