RE: Where are Local Passwords stored on Win2K

From: Wilcox, Stephen (StephenWilcox_at_universalcomputersys.com)
Date: 10/23/03

    Date: Thu, 23 Oct 2003 10:21:05 -0500
    To: "dave kleiman" <dave@netmedic.net>, <security-basics@securityfocus.com>

    David,

    Thank you for the information. I will definitely incorporate this into our servers. I will have to read up on #6 & 8, but this is great stuff.

    I was also going to rename the Admin account to something else; this should help in discouraging the attempts, though ENUM can still identify this information. The WEB will not belong to the AD since it is on the DMZ, and rightfully so, because no machine on an external network should be able to have this information in case of compromise.

    I am also looking to incorporate PVLANs out on the DMZ as well. This should reduce the likelihood of having access to multiple servers if one gets compromised. What would be the pros or cons to this setup?

    I have two concerns I'm currently looking at.

    1) Remotely taking over a server, and how to prevent a compromised server from spreading to multiple compromised servers. Some DMZ servers still communicate with internal machines; is there anything else, besides restricting only the particular port to pass through, for extra security?

    2) A rogue/zombie machine on the internal network but not logged into the AD, with the right tools - LDP, ENUM, AirSnare, ethereal,... How long would it take to gather valuable information? I know not long, because once I am on the local network I can get DC information - name, domain, root domain... right off the top, MAC addresses of PCs around, local admin accounts of the PCs.

    I could restrict access on a MAC but this is a management nightmare.. and MACs can be spoofed.

    My company wants to incorporate wireless.. so how to make it hard to hack? I am working on tightening up any possible holes and loose security prior to the installation.

    Thanks in advance,

    Stephen Wilcox

    -----Original Message-----
    From: dave kleiman [mailto:dave@netmedic.net]
    Sent: Tuesday, October 21, 2003 1:13 AM
    To: Wilcox, Stephen; security-basics@securityfocus.com
    Subject: RE: Where are Local Passwords stored on Win2K

    Stephen,

    Nobody can tell you what could or could not be obtained if your web server
    was compromised without a lot more information.

    But you could decrease the likelihood of someone cracking the password file
    by:

    1. Making sure that they and the DC are not storing the LM hash of the
    password:
    MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash\bar=4,0 For 2000
    machine\system\currentcontrolset\control\lsa\nolmhash=4,1 For XP and 2003
    Sorry none for NT :(
    After you make this change and reboot the system, you must re-apply all the
    passwords; until you do, the LM hash still exists.

    2. Force the "uncrackable" characters in all non-standard users passwords.
    (Admin, Backup Operators, etc..)
    See http://www.securityfocus.com/archive/88/312263 for details.

    3. Set your authentication level up to:
    machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5
    Forcing the systems to only use NTLMv2 and refusing all others.

    4. Enable forced logoff, protection mode, restrict anonymous and remove
    cached logon.

    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
    MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
    MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
    machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,0

    5. Restrict Null Session Access over named pipes:
    MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes=7,""
    MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\NullSessionShares=7,""
    Unless there are some you need??

    6. Force SMB signing:
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
    You may want to read a little on this if you have pre 2000 systems.

    7. Enable Idle force logoff and protection mode
    MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
    MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
    machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15
    MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0

    8. Require secure channel integrity checking:

    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1

    Or if you feel like it Force Kerberos authentication.

    Hope this helps,

    _____________________
    Dave Kleiman
    secure@netmedic.net
    www.SecurityBreachResponse.com

    "High achievement always takes place in the framework of high expectation."
    Jack Kinder

    -----Original Message-----
    From: Wilcox, Stephen [mailto:StephenWilcox@universalcomputersys.com]
    Sent: Monday, October 20, 2003 16:40
    To: security-basics@securityfocus.com
    Subject: Where are Local Passwords stored on Win2K

    Hello, I'm looking for some information. Walking through security
    compromises within our network. Let me explain, I have two web servers in
    a cluster on the DMZ. They talk to a SQL cluster on the internal network.
    These two SQL servers are not a member of the AD.

    My boss wants to know the good, bad, and ugly for making them members of
    the AD.

    If someone compromised a WEB server, would they be able to find the local
    cached passwords that are stored on the box and decrypt them? Then login
    to the web server with the AD account, and use a tool like LDP to gather
    AD DC information, and all PCs and usernames.

    Where would I locate the cached stored password to see if the risk is too
    great to allow?

    I know PWDUMP3 will get the SAM but I'm looking for the location of the
    stored cached password.

    I also know if the local admin password is compromised then a key logger
    can be installed to gather the information anyway, but I need the other
    information for my report.

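The registry list in Dave's reply uses secedit security-template notation (`type,value`, where 4 = REG_DWORD, 1 = REG_SZ and 7 = REG_MULTI_SZ). As an added example, not code from either poster, here is a read-only PowerShell audit that reports which of those values on the local machine differ from the recommended ones; it assumes the XP/2003 DWORD form of NoLMHash (on Windows 2000 NoLMHash is a subkey, which this script does not check).

```powershell
# Added example (not from the thread): read-only audit of the local machine
# against the registry values Dave listed. "4,1" in the mail is the
# security-template convention <REG type>,<value>: 4=REG_DWORD, 1=REG_SZ,
# 7=REG_MULTI_SZ. Nothing here writes to the registry.
$Lsa  = 'SYSTEM\CurrentControlSet\Control\Lsa'
$Srv  = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$Wks  = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Nlog = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Checks = @(
    @{ Path=$Lsa;  Name='NoLMHash';                Want=1;  Why='do not store LM hash (XP/2003 DWORD form)' },
    @{ Path=$Lsa;  Name='LmCompatibilityLevel';    Want=5;  Why='NTLMv2 only, refuse LM/NTLM' },
    @{ Path=$Lsa;  Name='RestrictAnonymous';       Want=2;  Why='no anonymous enumeration' },
    @{ Path='SYSTEM\CurrentControlSet\Control\Session Manager'; Name='ProtectionMode'; Want=1; Why='harden default system-object permissions' },
    @{ Path='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='CachedLogonsCount'; Want='0'; Why='no cached domain logons (REG_SZ)' },
    @{ Path=$Srv;  Name='EnableForcedLogOff';      Want=1;  Why='forced logoff when logon hours expire' },
    @{ Path=$Srv;  Name='AutoDisconnect';          Want=15; Why='idle disconnect after 15 min' },
    @{ Path=$Srv;  Name='NullSessionPipes';        Want=''; Why='no null-session pipes' },
    @{ Path=$Srv;  Name='NullSessionShares';       Want=''; Why='no null-session shares' },
    @{ Path=$Srv;  Name='EnableSecuritySignature'; Want=1;  Why='server SMB signing enabled' },
    @{ Path=$Srv;  Name='RequireSecuritySignature';Want=1;  Why='server SMB signing required' },
    @{ Path=$Wks;  Name='EnableSecuritySignature'; Want=1;  Why='client SMB signing enabled' },
    @{ Path=$Wks;  Name='EnablePlainTextPassword'; Want=0;  Why='never send plaintext SMB passwords' },
    @{ Path=$Nlog; Name='SignSecureChannel';       Want=1;  Why='sign DC secure channel' },
    @{ Path=$Nlog; Name='SealSecureChannel';       Want=1;  Why='seal DC secure channel' },
    @{ Path=$Nlog; Name='RequireSignOrSeal';       Want=1;  Why='refuse unsigned/unsealed channel' }
)
$drift = 0
foreach ($c in $Checks) {
    $item = Get-ItemProperty -Path "HKLM:\$($c.Path)" -Name $c.Name -ErrorAction SilentlyContinue
    # A missing value means Windows falls back to its built-in (weaker) default.
    $actual = if ($null -eq $item) { '<missing>' } else { $item.$($c.Name) -join ';' }
    $ok = ("$actual" -eq "$($c.Want)")
    if (-not $ok) { $drift++ }
    '{0} HKLM\{1}\{2} = {3} (want "{4}") : {5}' -f $(if ($ok) {'OK   '} else {'DRIFT'}),
        $c.Path, $c.Name, $actual, $c.Want, $c.Why
}
"$drift of $($Checks.Count) settings differ from the recommended values."
```

Run it in an elevated PowerShell on the web server itself; a DRIFT line for a value reported as `<missing>` means the setting has never been configured and the OS default applies.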

