RE: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start

From: Nero, Nick (Nick.Nero_at_disney.com)
Date: 09/17/03

    Date: Wed, 17 Sep 2003 16:32:10 -0400
    To: "Damon McMahon" <inst_karma@hotmail.com>, <security-basics@securityfocus.com>, <ses@straightliners.de>


    About your point on resetting the local admin password... Try
    Syskey. When enabled in mode 3 you can store the system encryption key
    on a removable floppy (or even a USB Jumpdrive mounted to A:). This
    means that without this device/disk on bootup, there is NO chance of
    decrypting/resetting the admin password without a lengthy brute-force
    attack - I believe it uses RC4 at 128-bit and the password is a minimum
    of 15 characters with the UTF-8 character set. This should make for
    something like a 1 year CPU-time brute-force attack. Furthermore, the
    local data can be secured with Encrypting File System, which on XP SP1
    and Win2k3 is 256-bit AES. When coupled with roaming profiles (for the
    EFS cert storage), this means that a system with Syskey enabled in mode
    3 and encrypted data could not be compromised even with an incredible
    amount of unrestricted physical access (and remember, if someone has
    unrestricted physical access to your box, it ain't your box anymore);
    their only option is an equally incredible length of time and CPU cycles
    dedicated to a brute-force attack of either the SAM database or the
    encrypted file system.

    Sadly most Windows admins are not fully aware of all the security tools
    at their disposal and therefore dismiss the security of the platform.

    Check out this page:
    http://www.infosecwriters.com/projects/osscan/results.php Although it
    doesn't show OSX, it does show that based on a default install Win2k3
    stands up extremely well to Solaris and the other OSes.

    I have to agree with the previous statement that judging a default
    install is pretty stupid. Although, I am pretty sure that a huge
    portion of MS's security woes are that the average Joe installs a box
    and then just lets it go, no box that has any real exposure to anyone
    should be left at default. It is an interesting argument, but I think
    it is semantics.

    Nick Nero
    CISSP
    The Walt Disney Company

    -----Original Message-----
    From: Damon McMahon [mailto:inst_karma@hotmail.com]
    Sent: Tuesday, September 16, 2003 6:51 PM
    To: security-basics@securityfocus.com
    Subject: Re: Windows Server 2003 - Not secure from my test but OSX from
    Mac is secure from the start

    I think you miss the point, somewhat.

    Not wanting to turn this into a flame war [feel free to reject,
    moderator :)]:

    On Monday, Sep 15, 2003, Sebastian Schneider <ses@straightliners.de>
    wrote:

    > Secure and security are completely different things. As far as I
    > remember, there are several flaws in the software shipped with MacOS
    > X. I guess you might remember the last three security updates. If not,
    > try running the Software Update panel.

    Nowhere near the number of Windows 2000/XP/Server 2003.

    > The concealment of ports is not really meaningful, since security is
    > more than about if port scans succeed or fail.

    I disagree. Concealment of (i.e. packet filtering based on) ports is an
    effective way of prohibiting - or at least restricting - remote access
    to vulnerable applications. If Windows hosts concealed ports 135 and
    445 the Blaster worm would have been a blip on the radar.

    Sure, layer 3/4 packet filtering is not the be-all-and-end-all, but the
    comparison of netstat/nmap/etc output on a MacOSX host compared with a
    Windows 2000/XP host is telling [I haven't seen it on a Server 2003
    host, but I'm led to believe it's almost as bad].

    I also believe that the Internet Connection Firewall on Windows
    XP/Server 2003 is _off_ by default, whereas the opposite is true of
    MacOSX. I may stand corrected on this...

    > I guess, there will be some more flaws within that operating system.

    Yes, as there are in Windows (several root-level RPC flaws discovered in
    several weeks). So the point is, knowing the probability of such flaws,
    how do we proactively minimise the risk? Layer 3/4 packet filtering goes
    some way towards this.

    > By the way, when having physical access to an Apple running MacOS X
    > everything's so easy. All you need is to insert the MacOS X setup CD
    > and welcome to wonderland. Even booting into single-user mode is often
    > helpful. Thanks to Apple.

    There are so many tools out there that can reset the Administrator
    account with console access to Windows that _no_ Windows machine is safe
    if it is not physically secure.

    For anyone interested, it is quite simple to prevent access to the
    MacOSX file system through alternate boot disk or single user mode boot
    without a firmware password - something similar to the BIOS password on
    a WinTel (a little more user friendly, however).

    Sure, MacOSX security is not perfect, but on the
    security<->functionality scale it certainly sits closer to the
    'security' end... whether this is at the expense of functionality is a
    subjective judgement, I guess.

    ------------------------------------------------------------------------

    ---
    Captus Networks
    Are you prepared for the next Sobig & Blaster? 
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Precisely Define and Implement Network Security
     - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW -  FREE
    Vulnerability Assessment Toolkit
    http://www.captusnetworks.com/ads/42.htm
