HACKNOTES™
“HackNotes Windows Security Portable Reference distills into a small form factor
the encyclopedic information in the original Hacking Exposed: Windows 2000.”
—Joel Scambray, coauthor of Hacking Exposed 4th Edition, Hacking Exposed Windows 2000, and Hacking Exposed Web Applications;
Senior Director of Security, Microsoft’s MSN
“HackNotes Windows Security Portable Reference takes a ‘Just the Facts,
Ma’am’ approach to securing your Windows infrastructure. It checks the overly
long exposition at the door, focusing on specific areas of attack and defense.
If you’re more concerned with securing systems than speed-reading thousand-page tech manuals, stash this one in your laptop case now.”
—Chip Andrews, www.sqlsecurity.com, Black Hat Speaker, and
coauthor of SQL Server Security
“No plan, no matter how well-conceived, survives contact with the enemy.
That’s why Michael O’Dea’s HackNotes Windows Security Portable Reference
is a must-have for today’s over-burdened, always-on-the-move security
professional. Keep this one in your hip pocket. It will help you prevent your
enemies from gaining the initiative.”
—Dan Verton, author of Black Ice: The Invisible Threat of Cyber-Terrorism and award-winning senior writer for Computerworld
“HackNotes Windows Security Portable Reference covers very interesting
and pertinent topics, especially ones such as common ports and services,
NetBIOS name table definitions, and other very specific areas that are essential
to understand if one is to genuinely comprehend how Windows systems are
attacked. Author Michael O’Dea covers not only well-known but also more
obscure (but nevertheless potentially dangerous) attacks. Above all else, he
writes in a very clear, well-organized, and concise style—a style that very few
technical books can match.”
—Dr. Eugene Schultz, Ph.D., CISSP, CISM, Principal Computer Systems
Engineer, University of California-Berkeley, Prominent SANS speaker

About the Author
Michael O’Dea is Project Manager of Product Services for the security firm
Foundstone, Inc. Michael has been immersed in information technology for
over 10 years, working with technologies such as enterprise data encryption,
virus defense, firewalls, and proxy service solutions on a variety of UNIX and
Windows platforms. Currently, Michael develops custom integration solutions
for the Foundstone Enterprise vulnerability management product line. Prior to
joining Foundstone, Michael worked as a senior analyst supporting Internet
security for Disney Worldwide Services, Inc., the data services arm of the Walt
Disney Company, and as a consultant for Network Associates, Inc. Michael has
contributed to many security publications, including Hacking Exposed: Fourth
Edition and Special Ops: Internal Network Security.
About the Technical Editor
Arne Vidström is an IT Security Research Scientist at the Swedish Defence
Research Agency. Prior to that he was a Computer Security Engineer at the
telecom operator Telia, doing penetration testing, source code security reviews,
security configuration testing, and creation of security configuration checklists.
Arne holds a University Diploma in Electronic Engineering and a B.Sc. in
Mathematics from the University of Karlstad. In his spare time he runs the Windows
security web site ntsecurity.nu, where he publishes his own freeware security
tools and vulnerability discoveries.
2100 Powell Street, 10th Floor
Emeryville, California 94608
U.S.A.
To arrange bulk purchase discounts for sales promotions, premiums, or
fund-raisers, please contact McGraw-Hill/Osborne at the above address. For
information on translations or book distributors outside the U.S.A., please see the
International Contact Information page immediately following the index of this book.

HackNotes™ Windows® Security Portable Reference
Copyright © 2003 by The McGraw-Hill Companies. All rights reserved. Printed
in the United States of America. Except as permitted under the Copyright Act of
1976, no part of this publication may be reproduced or distributed in any form
or by any means, or stored in a database or retrieval system, without the prior
written permission of publisher, with the exception that the program listings
may be entered, stored, and executed in a computer system, but they may not be
reproduced for publication.
Illustrators
Kathleen Edwards, Dick Schwartz, Lyssa Wald
Series Design
Dick Schwartz, Peter F. Hancik
Cover Series Design
Dodie Shoemaker

This book was composed with Corel VENTURA™ Publisher.
Information has been obtained by McGraw-Hill/Osborne from sources believed to be reliable. However,
because of the possibility of human or mechanical error by our sources, McGraw-Hill/Osborne, or others,
McGraw-Hill/Osborne does not guarantee the accuracy, adequacy, or completeness of any information and is
not responsible for any errors or omissions or the results obtained from the use of such information.
Contents
Acknowledgments ix
HackNotes: The Series xi
Introduction xiii
Reference Center
Hacking Fundamentals: Concepts RC2
ICMP Message Types RC5
Common Ports and Services RC7
Common NetBIOS Name Table Definitions RC12
Windows Security Fundamentals: Concepts RC13
Windows Default User Accounts RC14
Windows Authentication Methods RC15
Common Security Identifiers (SIDs) RC16
Windows NT File System Permissions RC17
Useful Character Encodings RC18
Testing for Internet Information Services ISAPI Applications RC21
Security Related Group Policy Settings RC22
Useful Tools RC26
Quick Command Lines RC28
WinPcap / libpcap Filter Reference RC29
nslookup Command Reference RC30
Microsoft Management Console RC31
Online References RC32
Part I
Hacking Fundamentals
■ 1 Footprinting: Knowing Where to Look 3
Footprinting Explained 4
Footprinting Using DNS 4
Footprinting Using Public Network Information 10
Summary 12
■ 2 Scanning: Skulking About 13
Scanning Explained 14
How Port Scanning Works 14
Port Scanning Utilities 21
Summary 30
■ 3 Enumeration: Social Engineering, Network Style 31
Enumeration Overview 32
DNS Enumeration (TCP/53, UDP/53) 35
NetBIOS over TCP/IP Helpers (UDP/137, UDP 138, TCP/139, and TCP/445) 37
Summary 48
■ 4 Packet Sniffing: The Ultimate Authority 49
The View from the Wire 50
Windows Packet Sniffing 50
Summary 57
■ 5 Fundamentals of Windows Security 59
Components of the Windows Security Model 60
Security Operators: Users and User Contexts 60
Authentication 66
Windows Security Providers 69
Active Directory and Domains 70
Summary 71
Part II
Windows 2000 and 2003 Server Hacking Techniques & Defenses
■ 6 Probing Common Windows Services 75
Most Commonly Attacked Windows Services 76
Server Message Block Revisited 76
Probing Microsoft SQL Server 89
Microsoft Terminal Services / Remote Desktop (TCP 3389) 93
Summary 96
■ 7 Hacking Internet Information Services 97
Working with HTTP Services 98
Simple HTTP Requests 98
Speaking HTTP 99
Delivering Advanced Exploits 100
Introducing the Doors 102
The Big Nasties: Command Execution 102
A Kinder, Gentler Attack 115
Summary 117
Part III
Windows Hardening
■ 8 Understanding Windows Default Services 121
Windows Services Revealed 122
The Top Three Offenders 122
Internet Information Services/ World Wide Web Publishing Service 122
Terminal Services 123
Microsoft SQL Server / SQL Server Resolution Service 123
The Rest of the Field 123
Summary 134
■ 9 Hardening Local User Permissions 135
Windows Access Control Facilities 136
File System Permissions 136
Local Security Settings 146
Summary 154
■ 10 Domain Security with Group Policies 155
Group Policy Overview 156
Group Policy Application 157
Working with Group Policies 157
Working with Group Policies in Active Directory 163
Editing Default Domain Policies 164
Controlling Who Is Affected by Group Policies 165
Using the Group Policy Management Console 166
Summary 168
■ 11 Patch and Update Management 169
History of Windows Operating System Updates 170
Automatic or Manual? 171
How to Update Windows Manually 172
Manual Updates in Disconnected Environments 173
Windows Update: What’s in a Name? 173
How to Update Windows Automatically 174
Verifying Patch Levels: The Baseline Security Analyzer 177
Summary 179
Part IV
Windows Security Tools
■ 12 IP Security Policies 183
IP Security Overview 184
Working with IPSec Policies 185
Default Policies: Quick and Easy 186
Advanced IPSec Policies 191
Troubleshooting Notes 197
Summary 197
■ 13 Encrypting File System 199
How EFS Works 200
Public Key Cryptography and EFS 200
User Encryption Certificates 201
Implementing EFS 202
Adding Data Recovery Agents 203
Configuring Auto-Enroll User Certificates 205
Setting Up Certificate Server 206
Using Encrypting File System 209
Summary 212
■ 14 Securing IIS 5.0 213
Simplifying Security 214
The IIS Lockdown Tool 215
How the IIS Lockdown Tool Works 217
URLScan ISAPI Filter Application 218
Disabling URLScan 220
IIS Metabase Editor 221
Summary 222
■ 15 Windows 2003 Security Advancements 223
What’s New in Windows 2003 224
Internet Information Services 6.0 224
More Default Security 227
Improved Security Facilities 232
Summary 233
■ Index 235
Acknowledgments
There are many individuals who must be credited for this book. First and foremost, the author wishes to thank his family and friends for their continued support and encouragement, without which this book could never have been published.

In the field of information security, no individual can stand alone; rather, it is by working in teams that the best solutions are discovered. As such, the author wishes to thank all of his colleagues throughout the years whose ideas and mentorship have helped shape the content of this book, including the Foundstone crew (in no particular order)—Steve Andrés, Brian Kenyon, John Bock, Dave Cole, Stuart McClure, Robin Keir, Mike Barry, Joe Wu, Chris Moore, Erik Birkholz, Marshall Beddoe, and a host of others who have challenged and educated the author on countless occasions.

Special thanks to Arne Vidström, whose superb contributions in technical editing were integral to ensuring the accuracy and completeness of this publication. Last and certainly not least, the McGraw-Hill/Osborne editing staff, including Jane Brownlow for enduring a never-ending stream of questions, Athena Honore for keeping the project on schedule, and Andrea Bouchard and Jennifer Malnick for their extensive editing contributions, and for making it appear as though the author writes well.
HACKNOTES: THE SERIES
McGraw-Hill/Osborne has created a brand-new series of portable reference books for security professionals. These are quick-study books kept to an acceptable number of pages and meant to be a truly portable reference.

The goals of the HackNotes series are:

■ To provide quality condensed security reference information that is easy to access and use.

■ To educate you in how to protect your network or system by showing you how hackers and criminals leverage known methods to break into systems, and best practices in order to defend against hack attacks.

■ To get someone new to the security topics covered in each book up to speed quickly, and to provide a concise single source of knowledge. To do this, you may find yourself needing and referring to this book time and time again.

These books are designed so that they can easily be carried with you or toted in your computer bag without much added weight and without attracting unwanted attention while you are using them. They make use of charts, tables, and bulleted lists as much as possible and only use screen shots if they are integral to getting across the point of the topic. Most importantly, so that these handy portable references don’t burden you with unnecessary verbiage to wade through during your busy day, we have kept the writing clear, concise, and to the point.
Whether you are new to the information security field and need useful
starting points and essential facts without having to search through 400+ pages, or
whether you are a seasoned professional who knows the value of using a
handbook as a peripheral brain that contains a wealth of useful lists, tables, and specific
details for a fast confirmation, or as a handy reference to a somewhat unfamiliar
security topic, the HackNotes series will help get you where you want to go.
Key Series Elements and Icons
Every attempt was made to organize and present this book as logically as
possible. A compact form was used and page tabs were put in to mark primary
heading topics. Since the Reference Center contains information and tables you’ll
want to access quickly and easily, it has been strategically placed on blue pages
directly in the center of the book, for your convenience.
Visual Cues
The icons used throughout this book make it very easy to navigate. Every
hacking technique or attack is highlighted with a special sword icon.
This Icon Represents a Hacking Technique or Attack
Get detailed information on the various techniques and tactics used by hackers
to break into vulnerable systems.
Every hacking technique or attack is also countered with a defensive
measure when possible, which also has its own special shield icon.
This Icon Represents Defense Steps to Counter Hacking
Techniques and Attacks
Get concise details on how to defend against the presented hacking technique
or attack.
There are other special elements used in the HackNotes design containing
little nuggets of information that are set off from general text so they catch your

Commands and Code Listings
Throughout the book, user input for commands has been highlighted as bold,
for example:
[bash]# whoami
root