Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



Local Vulnerabilities

A number of security policy settings can compromise a system. A vulnerability checker, such as SAFESuite, eNTrax, or KSA, needs to plow through the system and find any weaknesses. A vulnerability is not necessarily a hack. For example, if the Administrator password is blank, this is not exactly what you would call a well-known and carefully orchestrated hack. A configuration error such as this is simply poor administration, unless you had set the password yesterday, and today you find that it has been cleared.

NT vulnerability checkers look for NT configuration problems such as the following:

  Guest account enabled, which lets remote users who have no account of their own access some of the resources on your system.
  Guest account has no password, allowing remote users access without requiring a password (at one time this was a default setting on NT).
  Password composition and aging rules.
  Weak passwords that can be broken with a cracker.
  Failed login thresholds.
  Permissions on registry entries (numerous hacks have occurred because registry entries were not adequately controlled with DAC, including the famous HKEY_CLASSES_ROOT key, whose lack of protection in NT 3.51 allowed arbitrary users to control which programs were launched for given file extensions).
  Remote registry access enabled, allowing remote administrators the opportunity to change critical system settings.
  Individual registry settings.
  Improper permissions on system files and directories, such as the NT perfmon utility that can be used to sniff network packets.
  Unknown services that do not ship by default with NT.
  Running services that are vulnerable to attack, such as SMB running on a Web server, which gives remote probers plenty of information useful for cracking attempts (or the Alerter, which might be used by internal hackers to display Trojan Horse screens asking other users for passwords).
  Shares whose access control settings give full access to remote users.
  Whether IP forwarding is enabled, which can be used to facilitate network attacks.

For each of the problems listed, many scenarios exist. David LeBlanc of ISS identified registry key permissions for the Winlogon entry, which allowed Server Operator users to set the initial program for other users. The same flaw allowed operators to change the initial program run when the NT operating system booted. Thus, one could easily obtain a copy of another user's files even though under normal conditions one would not have read permission to those files. Also, Server Operator users could exploit this hole to easily gain Administrator rights. Plenty of other examples demonstrate vulnerabilities ranging from mild to severe.
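
An added example, not code from the book or from SAFESuite, eNTrax or KSA, showing how a few of the configuration items in the list above and the Winlogon key permission problem just described can be checked from a script. It assumes a modern Windows host with PowerShell 5.1 or later (the NT 4 era tools predate PowerShell), run as Administrator; the trusted-principal list and severities are the author's choices, not vendor settings.

```powershell
# Each check emits a finding object (or nothing) so results can be tabulated.
function New-Finding([string]$Check, [string]$Severity, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Severity = $Severity; Detail = $Detail }
}
function Test-GuestAccount {
    # Guest enabled: remote users without an account of their own get a foothold.
    $g = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($g -and $g.Enabled) { New-Finding 'GuestEnabled' 'High' 'Guest account is enabled' }
}
function Test-RemoteRegistry {
    # Remote registry access lets critical settings be changed over the network.
    $s = Get-Service -Name 'RemoteRegistry' -ErrorAction SilentlyContinue
    if ($s -and $s.Status -eq 'Running') { New-Finding 'RemoteRegistry' 'Medium' 'Remote Registry service is running' }
}
function Test-IpForwarding {
    # IP forwarding turns the host into a router that can relay network attacks.
    $k = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $v = (Get-ItemProperty -Path $k -Name 'IPEnableRouter' -ErrorAction SilentlyContinue).IPEnableRouter
    if ($v -eq 1) { New-Finding 'IpForwarding' 'Medium' 'IPEnableRouter is set to 1' }
}
function Test-OpenShares {
    # Shares whose ACL grants Everyone full control.
    Get-SmbShare | Get-SmbShareAccess | Where-Object {
        $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full'
    } | ForEach-Object { New-Finding 'OpenShare' 'High' "Share $($_.Name) grants Everyone Full control" }
}
function Test-WinlogonAcl {
    # The Winlogon key decides which program runs at logon, so any principal
    # outside the trusted set with write rights on it is a finding (the Server
    # Operators case above). CREATOR OWNER is an inherit-only entry for subkeys.
    $trusted = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|NT SERVICE\\TrustedInstaller|CREATOR OWNER)$'
    $acl = Get-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $write = [System.Security.AccessControl.RegistryRights]::SetValue -bor `
             [System.Security.AccessControl.RegistryRights]::WriteKey
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and (($ace.RegistryRights -band $write) -ne 0) -and
            $ace.IdentityReference.Value -notmatch $trusted) {
            New-Finding 'WinlogonAcl' 'High' "$($ace.IdentityReference) can write Winlogon ($($ace.RegistryRights))"
        }
    }
}
# Run every check and list the findings as a report.
$findings = @(Test-GuestAccount; Test-RemoteRegistry; Test-IpForwarding; Test-OpenShares; Test-WinlogonAcl)
$findings | Format-Table -AutoSize
```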

This list represents only a subset of the suite of vulnerabilities a local system can face. Because tracking the security state of these items is nearly impossible without automation, you should invest in one of the NT scanners described in this chapter.

Intrusion Detection Products for NT

In this section are descriptions of some of the leading NT IDSs. Unfortunately, it is impossible to describe all of the IDS offerings for NT today. The selections here were chosen because in many ways they are complementary rather than competitive.

Look for These Features

As in your examination of UNIX IDSs, you need to consider both the features provided by the tools that are important for managing the IDS and the list of attacks detected. You should consider the following systems management factors:

  Is the product client-server? If so, is it heterogeneous so that it works across UNIX and NT systems?
  Does the product provide distributed systems management? For example, if the event log is used, can you configure event logs on all of the target machines from the central console?
  How useful are the reports? Can you create your own reports from the data?
  What is the scalability of the tool? How many target nodes can the tool concurrently analyze?
  What kinds of alerts and countermeasures are possible? Can the IDS disable network connections, kill logins, disable logins, or execute administrator defined programs or scripts?

Because new product releases appear at least every quarter, you should contact the IDS vendors directly for the latest information on tools you are interested in deploying. Naturally, only by running the products in pilot projects will you be able to properly evaluate them.

Centrax

Slightly more than a year old, Centrax (www.centraxcorp.com) is a company formed primarily by experts from the CMDS team formerly with SAIC. Many skilled IDS programmers also have joined the Centrax team. The chief product developed by Centrax is called eNTrax.

eNTrax provides key benefits to an organization including the following:

  Detection of and response to information threats and misuse
  Deterrence of further misuse
  Damage assessment
  Possible prosecution support

eNTrax consists of two main components: a Command Console and a Target Service. The Command Console provides centralized management of the network. Figure 10.1 shows the main eNTrax console. From the console, you can monitor, detect, and respond to security problems on remote systems. At the console an administrator is alerted to potential misuses and attacks. Responses to attacks can be configured in advance, or an administrator can choose a security alert and interactively respond. Today, eNTrax supports remote system shutdown, remotely killing the login session of the offending user, and disabling the login capabilities of a user. The Command Console manages configuration and collection of audit data from target computers. This feature is valuable because it consolidates log files from NT targets onto a common server. You can keep the raw audit data as NT records it or rely on the event database that eNTrax constructs from the data.


Figure 10.1  Command Console for eNTrax.

A target computer is any workstation or server on the network. Each target computer creates audit data as a user performs work such as opening files, copying files, or deleting files. The Target Service, installed on each workstation and server in the network, enables a communications channel between the Command Console and the target.
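
An added example, not eNTrax code, illustrating the console/target split described above: a console-side script that consolidates recent Security-log audit records from each target into one central file and implements two of the responses the text lists (killing a login session and disabling a login). It assumes modern Windows targets (event IDs 4624, 4625 and 4663 are the Vista-and-later equivalents of NT's logon and object-access records), remote Event Log and PowerShell remoting access, and a console account with rights on the targets; the target names and central path are placeholders.

```powershell
# Placeholders: the targets to poll and the central store on the console host.
$Targets      = @('TARGET01', 'TARGET02')
$CentralStore = 'C:\AuditConsolidated\events.csv'

function Get-TargetAudit {
    # Pull the last $Hours of logon and object-access events from each target
    # and append them, tagged with the target name, to the central CSV.
    param([string[]]$ComputerName, [int]$Hours = 1)
    foreach ($t in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $t -ErrorAction Stop -FilterHashtable @{
                LogName   = 'Security'
                Id        = 4624, 4625, 4663
                StartTime = (Get-Date).AddHours(-$Hours)
            } |
            Select-Object @{ n = 'Target'; e = { $t } }, TimeCreated, Id, Message |
            Export-Csv -Path $CentralStore -Append -NoTypeInformation
        } catch {
            # A target that cannot be reached is itself worth flagging at the console.
            Write-Warning "Could not collect audit data from ${t}: $_"
        }
    }
}

function Invoke-KillLoginSession {
    # Response 1: terminate an offending interactive session on a remote target.
    param([string]$ComputerName, [int]$SessionId)
    & logoff.exe $SessionId /server:$ComputerName
}

function Invoke-DisableLogin {
    # Response 2: disable a local account on the target so it can no longer log in.
    param([string]$ComputerName, [string]$UserName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $UserName -ScriptBlock {
        param($u) Disable-LocalUser -Name $u
    }
}

# Collection run; the response functions are invoked by an operator on an alert.
Get-TargetAudit -ComputerName $Targets -Hours 1
```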

