NT Security - Frequently Asked Questions version 0.41


NT Security - Frequently Asked Questions version 0.41

0.0 Information related to this FAQ

The official home for this FAQ is currently The Royal Institute of Technology, http://www.it.kth.se/~rom/ntsec.html

It will probably move to Incolumitas future WWW-server, whenever we feel that there is a web server that is secure enough and we got the time to set it up.

0.1 Legaleeze

First off, unfortunately, I must include this goobedygook.
  • This text is not an endorsement for any product.
  • Nor is it a cookbook to be used by crackers to gain access to Windows NT systems. The text tries to shed some light at security related issues and problems with Windows NT. Microsoft, and more especially, their technical writers and sales forces, often leave out several key words and key information when describing Windows NT.
  • The document is mainly a collection of pointers to other information already available, if you know where to look.
  • I am in no way affiliated with Microsoft
  • All trademarks, etc. are honored. Microsoft probably is the biggest holder of trademarks in this document. To keep them happy and their lawyers unhappy, I'll include extra blurb for them here. Microsoft is the keeper of the following trademarks, amongst others, e.g. product names:
  • All included material are copyrighted by their respective owners/copyright holders.

    This compilation is copyrighted material. Copyright © 1996, 1997 Robert Malmgren. You are hereby granted a permission to use the material for non-commercial purposes as long as you keep this copyright message, not pretend that you wrote the material and give me and/or the other contributors proper credits.


    0.2 Conventions used in this document

  • Links to all kind of protected pages where you have to be a member of some exclusive club of any sort, such as the Microsoft MSDN Online, is denoted with three dollar signs. Example: $$$: Exclusive Members Only


    0.3 Current version and updating information

    The current version number of the FAQ is 0.41 The FAQ was last updated 29th of October 1997.

    Please submit contributions and requests for updates to the current maintainers (ntsec@incolumitas.se) of the FAQ.


    0.4 Changes

    Version 0.41, Oct 29, 1997 Changes to Version 0.40, Oct 9, 1997 Version 0.39, Feb 19, 1997 Version 0.38, Feb 16, 1997 Version 0.37, Jan 24, 1997 Version 0.36, Jan 11, 1997 Version 0.35, Jan 4, 1997 Version 0.34, 1997-Jan-01 Version 0.33, 1996-Dec-24 Version 0.32, 1996-Nov-09 Version 0.31, 1996-Nov-08 Version 0.30, 1996-Nov-07 Version 0.29, 1996-Nov-07

    0.5 Credits


    1.0 Definitions and general security issues

    1.1 Orange book, red book and C2 security

    The so called orange book is part of the DoD "rainbow" series of books. The official name is Department of Defense Trusted Computer System Evaluation Criteria. There is another book, a red one, which is a "interpretation" of the Orange Book. The NCSC has published a number of different interpretations of the TCSEC. These interpretations clarify Orange Book requirements with respect to specific system components. The formal name of the red book is the NCSC's Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria. It is an interpretation of Orange Book security requirements as they would be applied to the networking component of a secure system. The Red Book does not change the original requirements, it simply describes how a network system should operate in order to meet Orange Book requirements for a C2 secure system.

    Microsoft had a certain version of Windows NT, with a specific configuration, on a specific hardware platform evaluated by NSA. The outcome was that that specific setup is considered C2 compliant and the NSA guys from the National Computer Security Center, NCSC, also wrote a report entitled the NSA?s Final Evaluation Report on Microsoft. Inc.: Windows NT Workstation and Server Version 3.5 with U.S. Service Pack 3. National Computer Security Center, 23 June 1995.

    The people at National Computer Security Center have an online description of the Microsoft NT evaluation, (http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html) including information on what type of hardware was used during the test. They have an general page on evaluation ,http://www.radium.ncsc.mil/tpep, and a frequently asked question, FAQ, area (http://www.radium.ncsc.mil/tpep/process/faq.html).

    The evaluation was just according to the orange book, not the red book. Microsoft has since them continued the evaluation process to also match the red book (i.e. networking parts) criterias, but this is not yet finalized.

    To have a C2 compliant setup, you must amongst other things have

    In practice, it also means that you have to That leaves you a not so usable client-server system. There is a tool that come with the resource kit called c2config that you might use to harden your system to a C2 level. You might also want to see Microsoft's web page entitled What is C2 Evaluation? Microsoft Sets the Record Straight (http://www.microsoft.com/syspro/technet/boes/winnt/nt351/c2bltn.htm).

    There is an on-line html version (http://www.pinsight.com:80/~royg/security/dod/rainbow.html) available of the rainbow series books that you might want to check out. Microsoft has a blurb that describes the characteristics of a secure system - C2 and beyond (http://www.microsoft.com/ntserver/c2char.htm).

    There is a paper on a new information technology security standard called common criteria (http://csrc.ncsl.nist.gov/nistpubs/cc) that is available on-line. It is a proposed ISO-standard.


    1.2 Crypto

    Cryptography is one of the foundations for much of the new computer security mechanisms. It provides protection from interception of clear text data including: passwords, network packets, and storage (DASD and RAM). Crypto techniques are also used for checksums, integrity control, etc.

    The following links might be useful to read up on crypto issues:


    1.3 Where do I get generic security information?

    You might want to check out some places on the net and subscribe to some mailing lists.

    Check out the following web pages:

    Recommended mailing lists Check out the Security Mailing lists FAQ for more information on what lists that is available.


    2.0 Questions and answers on NT security

    2.0.1 How do I contact Microsoft on security issues?

    Microsoft have a mail alias which everyone can use to send questions, alerts, bug reports, etc. According to Microsoft, members from development teams participate on an internal mail exploder. The mail address is secure@microsoft.com Get their PGP-keys here (http://www.microsoft.com/security/pgpkeys.txt). For information on PGP, see the PGP-section in this FAQ.

    2.1 Security model

    2.1.1 Where do I get patches, or, what is a Service Pack or a Hot Fix?

    Microsoft have an on-line database, called the software library, with program fixes for both the NT operating system as well as applications. In Microsoft lingo a patch or program fix is called service pack (SP). There are a number of service packs out, both for different versions of Windows NT as well as applications such as SNA server.

    Service packs are cumulative. This means that SP2 contains all of SP1 as well as the fixes introduced in SP2. Service packs often update a great amount of code by replacing major DLLs. Since most large applications (such as back office and development components) bring their own versions of "system" DLLs, service packs has to be applied after each and every "system update", where the term "system update" is not clearly defined. Any action that replaces any component updated by a service pack or hotfix has to be followed by applying latest SP and all hotfixes. Remember that adding hardware often install new software, which may have to be updated by SP and/or hotfix.

    Hot fixes are intermediate fixes released between service packs and are not considered fully regression tested, and as such not recommended by Microsoft to be applied unless one really need the feature they provide. Lately, a bunch of security problems have been solved by means of releasing hot fixes.

    Another thing on the subject is language or locale. If you are running a non US version of NT, you will not be able to apply all of the hotfixes. Some of them are not language dependent, while others refuse to install on anything else but a US version. If you have the option to do so, run US version of NT at least on your servers. By doing so, you will have the option of installing a hot fix dealing with a security problem immediately when it's released and not have to wait for the next SP to appear. Not to mention that you'd have to wait for the next SP to be ported to your language, which of course may take a while, the time depending on what language you are using.

    If you cannot, or do not want to, download software like this from the net, you can contact your local Microsoft representant and ask them about the service pack you need.

    Visit Microsofts library of service packs or go directly to their FTP server.


    2.1.2 What is impersonation?

    Impersonation is the ability of a thread to execute in a security context other than from that of the process that owns the thread. This enables a server to act on behalf of a client to access its own objects.

    For more information, see


    2.1.3 What is a SID (Security ID)?

    SID stands for Security Identifier and is an internal value used to uniquely identify a user or a group.

    A SID contain

    For more information, see

    2.1.4 What are privileges (user rights)?

    A privilege is used to control access to a service or object more strictly than is normal with discretionary access control.

    For more information, see


    2.1.5 What is an ACE (Access Control Entry)?

    Access-Control Entries that is used to build Access-Control Lists (ACLs).

    Each ACE contains the following information:

    For more information, see

    2.1.6 What is an ACL (Access Control List)?

    An ACL is a list of ACEs.

    For more information, see


    2.1.7 What is SRM (Security Reference Monitor)?

    The Security Reference Monitor is the kernel mode component that does the actual access validation, as well as audit generation.

    2.1.8 What is LSA (Local Security Authority)?

    LSA stands for Local Security Authority. This is an internal subsystem (as opposed to an environmental ditto, such as Win32) within Windows NT that "generates access tokens [...], manages the local security policy, and provides interactive user authentication services" (from "Windows NT resource guide", ISBN 1-55615-653-7).

    2.1.9 What is SAM (Security Account Manager)?

    SAM stands for Security Account Manager and is the one who maintains the security database, stored in the registry under HKLM\SAM. It serves the Local Security Authority (LSA) with SIDs. The SAM maintains the user account database.

    2.1.10 What is a secure channel?

    There is some confusion on this point when you consult the Microsoft sources on the subject. Ever since MS discovered the Internet, a secure channel is any point-to-point network connection established between a client and a server that "provides privacy, integrity, and authentication" (see $$$: Microsoft Internet Security Framework: Answers to Frequently Asked Questions ).

    "Before Internet", a secure channel was (and still is) the magic connection between WNT computers in a domain. This kind of channel is used for transportation of sensitive data, such as user credentials during a domain logon and replication of the account database between DCs.

    The secure channel is established as soon as the domain member machine is booted and is based on a shared secret that is used as the key for encrypting the data that travels through the channel. Each domain member has a machine account defined in the domain SAM database that is created when the machine joins the domain. The password of this account is used as the shared secret for encryption of the channel. The member machine stores it in the registry, where it can be retrieved using the lsadump program by Paul Ashton <paul@argo.demon.co.uk>.

    A problem with this is that the initial password (on a WS account) is poorly chosen (unicode(machine-name)). This means that anybody that can listen in to the network at the time of a domain join will be able to calculate the session key used to encrypt the channel, and by this can get hold of the user credentials of anybody doing a network logon from that particular machine. The password is changed as soon as the machine is rebooted after joining the domain and then periodically changed every 7:th day, but the new password is communicated through -- guess what -- the now not so secure channel, so as long as the listener keeps his ear on the wire, he will have the session key. No known solution, but the algorithm for encrypting the new password is not published (yet).

    More on the subject of secure channels:


    2.1.11 How does the logon process work?

    See

    2.1.12 What is an access token?

    Each process has an associated access token which is used by the system to verify whether the process should be granted access to a particular object or not. The access token consists of a user SID, a list of group SIDs representing the groups the user belongs to, and a list of user rights (privileges) the user is blessed with.

    2.1.13 What about passwords?

    See 2.14

    2.2 Host security

    In general, any computer that is not physically secured is not fully secured. If anyone is able to get access to the machine, it is possible to boot it from a diskette, CD-ROM or just steal the hard disk and use it in another computer.

    2.2.1 Are there any NT based viruses, or can NT be susceptible for other viruses?

    Symantec has a nice web page called Understanding Virus Behavior in the Windows NT Environment. (http://www.symantec.com/avcenter/reference/vbnt.html)

    Some types of viruses, such as those written in a high-level language such as Java, MS Word scripting language, Excel macros, etc, will be able to perform some tricks on a NT machine as well.

    According to DR Solomon, the MS Word based concept virus spread widely in part because several companies, including Microsoft, have shipped CD-ROMs containing the virus.

    Windows NT machines can be affected by other types of viruses if you use, for example, dual boot to run some other type of operating system on the same hardware, e.g. OS/2, UNIX or other version of Windows. When using a coexisting, bootable operating system, if you have a virus in effect that destroy the boot sector or something like that, your NT partition will probably be destroyed as well.

    Mikko Hermanni Hyppönen <Mikko.Hypponen@DataFellows.com> pointed out that

    Since Windows NT machines are used as file servers for other systems, such as MS-DOS, Windows 3.X and other clients, there are a number of NT-based anti-virus programs. Some of them are Windows NT is susceptible of application based macro viruses. A well-known example of this is word based macro viruses.

    For more information,


    2.2.2 How do I get my computer C2-level secure, or, what is c2config?

    On the CD-ROM that is included in the NT Resource Kit, there is a program called c2config that can be used for tighten the security of a NT based computer.

    Be aware, that c2config will not work well on systems with localized environment, e.g. a german NT that uses ACLs in german, not in english.

    See also Microsoft's web page entitled What is C2 Evaluation? Microsoft Sets the Record Straight (http://www.microsoft.com/syspro/technet/boes/winnt/nt351/c2bltn.htm).


    2.2.3 Are there any known problems with the screen saver / screen lock program?

    Yes. In version 3.5 and 3.51, if the administrator decide to kick a user off, then the admin has a small time window to see the content of the users current screen and desktop.

    See article Q130932 in the Knowledge Base.

    Another problem is that a tool from the Resource kit might be (miss-)used to deactivate the screen saver on a remote computer. See article Q142018 on shutdown.exe in the Knowledge Base.


    2.2.4 How can I secure my client computers against my users?

    One way to make it harder for the local user to do any harm to the system is to have a local PC without any hard disk or floppy disk. To boot, the system will need to talk to a boot server over the network.

    Check out Dan Shearer's document on remote boot (ftp://lux.levels.unisa.edu.au/pub/doc/RemoteBoot.txt)

    In the case that you do have a hard disk, mandatory profiles is a way of restricting the users access to the computer. A couple of things pointed out by David LeBlanc in a posting to the NT Security mailing list:


    2.2.5 Can my page file hold sensitive data?

    It can. Memory pages are swapped or paged to disk when an application needs physical memory. Even though the page file (see Control Panel->System->Performance->Virtual Memory) is not accessible while the system is running, it can be accessed by, for example, booting another OS.

    There is a registry key that can be created so that the memory manager clears the page file when the system goes down:

    Note that the clearing of the page file only is done when the system is brought down in a controlled fashion. If the machine is just switched off or brought down in any other brute way, of course no clearing will be performed.


    2.3 File system

    As shipped from Microsoft, most versions of NT I've ever encountered have had very weird access control list settings on the system files and directories. A lot of files and directories have had "Everyone" with "full control" capabilities. This is true for both NT 3.51 and 4.0.

    One way to examine which files that have strange permissions are to use SomarSoft's DumpACL program.

    David LeBlanc <dleblanc@iss.net> has written a text on file permission:

    Examples of things that might break when one tighten file permission security includes Microsoft has an article with IDQ153094 (http://www.microsoft.com/kb/articles/q153/0/94/htm) that describes what to do if you secure some files and change some ACLs that you should not. Fixing Microsofts broken file system permission setup might hang your system real bad and make it un-bootable. Read the article before actually changing your system.

    Microsoft has a salesblurb on NTFS that describes it from a security perspective. (http://www.microsoft.com/ntserver/ntfs_mb.htm)


    2.3.1 I Just installed a service pack. Why is my file permissions changed?

    There are some known instances where service packs have reset permission to the state the permissions where on the first installation.

    For examples, see Knowledge Base articles Q108103


    2.3.2 Why can users without permissions delete files?

    There is a known problem in 3.5, 3.51 and 4.0 versions of NT that users might be able to delete files without permission. Check out Knowledge Base article Q142017 on the subject


    2.3.3 Is it possible to read or write data on a NTFS disk from another OS?

    Yes. There are at least two different OSes that is capable of this, MS-DOS and Linux.

    It is possible to use the NTFSDOS.exe program from MS-DOS to read information of a NTFS formatted disk.


    2.4 Registry

    As shipped from Microsoft, most versions of NT have very weird access control list settings on the system registry keys. Some registry keys have had permissions that let everyone access and change them over the network.

    Dan Shearer <itudps@lux.levels.unisa.edu.au> wrote in message <"ydd1N.0.UA4.0BSJo"@suburbia> dated Sat, 28 Sept 1996 14:05:28 +0930

    This is true for NT 3.51.

    David LeBlanc <dleblanc@iss.net> has written some text on the registry

    Microsoft has an article in the Knowledge Base, article Q153183 titled How to Restrict Access to NT Registry from a Remote Computer that gives some information on how to fix this very severe security problem.

    Playing around with permissions on objects in the registry might damage the system. Check out the article Q139342 Incorrect Permission in Registry Cause Unpredictable Results from the Knowledge Base.

    Some applications still uses old .INI-type files for initialization, especially ports of old Windows 3 and MS-DOS programs. Those programs might have vulnerabilities in such way that the file protection are wrong and by that let someone read sensitive data, such as password, or change data.

    See also


    2.4.1 Why does the HKEY_LOCAL_MACHINE key drop its settings?

    The HKEY_LOCAL_MACHINE key is recreated by the system each time the system is booted. This have the effect that changes in the ACLs for this key does not persist over a reboot.

    2.4.2 Is the registry accessible over the network?

    It depends on the version and role of the computer.

    In NT 3.51, the registry is remotely accessible by default.

    In NT 4.0, the ACL on the registry key HKLM\CurrentcontrolSet\Control\SecurePipeServers\winreg (DWORD:1) defines who can access the registry remotely. On a NT server, this key exists with permissions set to Administrators:Full Control, but on a workstation there is no such key. The workstation do look for it though, so just create it and set its permissions if this is an issue.


    2.4.3 Are there any especially interesting keys to watch?

    The following keys are well suited for planting a back door in one way or another. Always ensure the ACLs on these are ok. To keep track of changes or tries to change them, one can set up auditing on the keys as well. See 2.10.5 Auditing .

    Please note that this is not an extensive list. There are more of these, and there is no way of knowing when new ones appear. Any suggestions of things that would fit here is gladly accepted. Contact the current maintainer of this FAQ.


    2.5 User security

    Users are susceptible to a number of attacks, such as dictionary password guessing. In Windows NT, one way to protect against those types of attacks is to set the number of failed logins before disabling the account temporary or until the system manager manually enables it again.

    For more info regarding passwords in Windows NT, see 2.14 Passwords.

    David LeBlanc <dleblanc@iss.net> wrote in a mail


    2.5.1 Administrator account

    Microsoft recommends that you changes the name of the administrator account so that outsiders cannot guess the name.

    This is of course just one of the things you can do. But unlike what some Microsoft employees believe, security does not stop there. Just changing name of administrator is to trying to protect yourself by the lowest level of security there is, security by obscurity .

    It is possible to obtain the new name of the administrator by using the command

    when the administrator is logged in on the console.

    2.5.2 Guest account

    As shipped, some older versions of Windows NT had a guest account that was easily used by outsiders. Newer versions of NT have their guest account closed as shipped from Microsoft. Anyway, you should check out your guest account and disable it as much as possible.

    Some people remove the guest account from their system, but unfortunately, Microsoft ship some product that relies upon the usage of that account. For example, if you use Microsoft Internet Studio in combination with Microsoft SQL or Microsoft Access running on another computer than the one running Internet Studio.


    2.6 Network security

    For some background information on Internet and Internet security, see

    2.6.1 Is NT susceptible to SYN flood attacks?

    Yes. To my knowledge, all IP based systems are possible victims for the attack.

    According to the article in phrack magazine, volume 48, (http://www.fc.net/phrach/files/p48/p48-13.html) NT have a queue size of 6 outstanding SYN packets. The article will serve as good reading if you want to understand the details of the problem.

    Check out


    2.6.2 Is it possible to use packet filters on an NT machine?

    NT 4 comes with built-in support for packet filtering. It is a simple but still usable filtering function that the administrator can configure to just let some IP packets reach the actual applications running on the system.

    You find configuration panel for the filtering function on "Control Panel->Network->TCP/IP->Services->Advanced->Security"

    Be aware that this simple filtering mechanism is not a substitute for a real firewall since it cannot do advanced stuff like protection against ip-spoofing, etc.


    2.6.3 What ports must I enable to let NBT (NetBios over TCP/IP) through my firewall

    First of all, you should really, really reconsider if this is such a good idea to let NBT traffic through your firewall. Especially if the firewall is between your internal network and Internet.

    The problem with NBT is that at once you open it up through the firewall, people will have potential access to all NetBios services, not just a selection of them, such as printing.

    The following is a list of the ports used by NBT.

    For more information, see RFC 1001, RFC 1002 and the list of IANA assigned port numbers


    2.6.4 What is Authenticode?

    Authenticode is a way to ensure users that code they download from the net has not been tampered with and gives the code an etched in ID of the software publisher. Microsoft is pushing this as a new way of getting better security into software distribution over the net.

    For more information, see Microsoft's FAQ on Authenticode


    2.6.5 What should I think about when using SNMP?

    In other SNMP-enabled machines you can configure both an write and a read community name. On a Windows NT system you can only set one. Not having a community name does not disable the service, as one might expect. According to David LeBlanc, <dleblanc@iss.net>:

    2.6.6 Is there any known problems with SNA?

    Check out item 2.8.8 on Microsoft's SNA


    2.6.7 What servers have TCP ports opened on my NT system? Or: Is netstat broken?

    Normally, the netstat program should report information on the status of the networking connections, routing information, etc. With the option -A or -a, it should list all TCP and UDP available connections and servers that are accepting connection. On Windows NT, even though the documentation states otherwise, this is not the case.

    There are no simple way to check what services that are running with TCP ports opened to accept connections. Currently the only way to get some information about this is to use a port scanner program and test through each TCP port on the NT machine. This is not a fool proof way of dealing with the problem.

    This is a serious problem if you plan to have NT based computers in the firewall environment. You cannot easily hardened them to become bastion hosts, since you are not confident what types of network services that might be reachable from the outside.

    It is a confirmed bug in Windows NT 3.5, 3.51 and 4.0. I do not expect Microsoft to fix it soon enough.

    Update:
    netstat.exe is fixed as of NT4 SP3, but it still shows some strange behavior. For example, on a moderately loaded machine, you can find numerous duplicates of open connections. Why is that?

    For more information see


    2.6.8 What are giant packets? Or, is Windows NT susceptible to the PING attack?

    There are mixed reports whether or not NT is vulnerable to this attack. By using ping to send a large packet to certain systems, they might hang or crash.

    Windows NT 3.51 seem to be vulnerable to this attack. A knowledge base article, Q132470, describes symptoms in Windows NT 3.51, and also include a pointer to a patch for this problem

    Check out Mike Bremford's Ping o' Death web page (http://www.sophist.demon.co.uk/ping) for more information on what systems are vulnerable and how.

    Update: The PoD site has moved to http://prospect.epresence.com/ping, which doesn't seem to exist in the DNS for the moment.

    There is a PoD II, which utilizes a bug in the way Microsofts IP-stack assembles fragmented IP packets.

    See $$$: Q154174 - Invalid ICMP Datagram Fragments Hang Windows NT, Windows95

    There is a fix for this, both NT4 and NT3.51, released in July 1997:


    2.6.9 What about the denial-of-service problem with RPC

    There exists a problem with the RPC on port 135. This can be misused to launch a denial-of-service attack against a NT system. The example below, which uses the SAMBA package, illustrates how this can be done

    Microsoft have issued a fix for this problem ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/RPC-fix.

    This fix is included in SP3.


    2.6.11 Chargen flooding?

    The "Simple TCP/IP Services" service is susceptible to a denial of service attack. See $$$: Q154460.

    Microsoft has released a fix for this: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/simptcp-fix.


    2.6.12 WINS denial of service?

    The WINS server is susceptible to a denial of service attack. See $$$: Q155701.

    Microsoft has released a fix for this: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/winsupd-fix.


    2.6.13 Dynamic Host Configuration Protocol, DHCP

    Security problems with DHCP include, but is not limited to One of the big limitations with DHCP has been the inability to log and keep a historical track of which machine has leased which IP-address in the past. In SP3 Microsoft is said to have added this possibility. (Note: Not verified by FAQ maintainer.)

    2.6.14 How do I enumerate all listening named pipes?

    Beats me. Any clue? Mail ntsec@incolumitas.se

    Same goes for RPC servers.


    2.6.15 What is the OOB (Out of Band) attack?

    The "OOB attack" is a denial of service attack that utilizes a bug in Microsofts implementation of its IP-stack. Source code for a program called Winnuke that does this was posted to BugTraq in May 1997 by _eci <myst@LIGHT-HOUSE.NET>.

    See

    There is a fix for this called icmp-fix, see 2.6.8 What are giant packets? Or, is Windows NT susceptible to the PING attack?


    2.6.16 How does NT deal with fragmented IP packets?

    Prior to NT4 SP3, not too good.

    Due to a bug in Microsofts IP implementation, one can fool the stack to reassemble fragmented packets in such ways that it is possible to send arbitrary data to an arbitrary port even when the target machine is protected by a firewall. There are firewalls that prevent this by handling all reassembling before forwarding the complete packet to the target host. It is probably wise to check up your firewall and/or apply SP3 if not done already.

    Visit Thomas Lopatic's <thomas@dataprotect.com> page A New Fragmentation Attack (http://www.dataprotect.com/ntfrag/).


    2.7 File sharing security

    For more information see

    2.7.1 What is CIFS?

    CIFS stand for Common Internet File System and is a specification for a file sharing protocol. It is based on the Server Message Block protocol, SMB.

    There is a mailing list where the designers from Microsoft and the designers of SAMBA and other network file systems discuss CIFS. Check it out on 'listserv@msn.com'. Send the command subscribe CIFS yourname to subscribe. The mailing list is archived at http://microsoft.ease.lsoft.com/archives/cifs.html

    For more information see


    2.7.2 Is it possible to turn off the default sharing?

    NT by default makes a share for each hard disk or partition. One have to manually disable this behavior.

    Patrik Carlsson <patrik@netman.se> gives a solution for the problem in a mail to NT-security mailing list:

    Another way is to create the registry key AutoShareServer or AutoShareWks, depending on the machine role, as a REG_DWORD under HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters and set it to 0. Restart the Server service.

    Note that this does not prevent IPC$ to be shared! A safer bet is to stop and disable the Server service altogether if that is an option.

    (Note: I have verified this a while ago, but cannot reproduce it on my current installation. Please report any better luck to ntsec@incolumitas.se. BTW, try to search MS for the string "C$", on the web or the MSDN Library CD.)

    There is a KB article touching the subject: $$$: Q156365 - Hidden Shares Are No Longer Available After Using System Policy


    2.7.3 Are there any known bugs for File sharing?

    Yes. Some good security enhancements, include

    See *Hobbit*'s excellent paper (http://www.avian.org/avian/papers/cifs.txt) on the Common Internet File System, CIFS, and its security problems.


    2.7.4 What is a NULL session?

    A NULL session connection, also known as Anonymous Logon, is a way of letting a not logged on user to retrieve information such as user names and shares over the network. It is used by applications such as explorer.exe to enumerate shares on remote servers. The sad part is that it lets non-authorized users to do more than that. Particularly interesting is remote registry access, where the NULL session user has the same permissions as built-in group Everyone.

    With SP3 for NT4.0 or a fix for NT3.51, a system administrator can restrict the NULL session access, see $$$: Q143474. With this fix, a new well-known SID is defined, named "Authenticated Users", which is Everyone except NULL session connected users. Replacing Everyone in all ACLs on the machine with this Authenticated User would be a good thing. To do this in a controlled fashion, one can use cacls.exe for the file system, but have to rely on some third party product for the registry ACLs. Using explorer.exe/winfile.exe or regedt32.exe will most certainly break the system. The cause for this is that these tools replace the ACL instead of editing it.


    2.8 Application and subsystem security

    2.8.1 Web server security

    There are a number of problems with web servers. Bugs in the server, stupid CGI scripts, erroneous configurations, strange other services (e.g. data base connections) are just a few things that might be used to damage your security.

    You might want to look at the WWW Security FAQ to get some general security information on WWW.

    If you install an Windows NT machine as a web server or a firewall, you should tighten up the security on that box more that you should do to ordinary machines on your internal network since a machine accessible from the Internet are more vulnerable and more likely to be attacked. Securing the machine gives you a bastion host. Some of the things you should do include

    Internet Information Server

    Check out Andy Baron's bug reports on earlier versions of the Internet Information Server. Microsoft also has some information on this bug as well as suggestions to workaround in Knowledge Base article Q148188.

    Microsoft has some information on known vulnerabilities in IIS available in Knowledge Base

    Another bug has been found in IIS servers that will hang or kill the web server. Sending the HTTP command "GET ../.." will hang a IIS version 2.0 server on NT 4. There are conflicting rumors whether this will work on NT 3.51 or not.

    Microsoft recommend that you upgrade your IIS server to version 3.0 or the latest available version.

    IIS version 2.0 and 3.0 is vulnerable of a denial of service attack using a "CGI request from a browser that contains between 4 and 8 kilobytes of data in the URL" (cited from Q143484 - IIS Services Stop with Large Client Requests).

    A fix can be found at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/iis-fix/.

    Netscape

    People have found bugs in Netscape's Communications server on NT as well. Check out this e-mail to the www-security mailing list.

    One should definitely be aware of CERTs advisory CA-96.11 that describes the problem with having a perl interpreter accessible over the net.

    There is some work going on to get a better situation for people who want to use perl on NT-machines running webs. Check out Softshore's web page on PERL for NT.

    Microsoft have some on-line articles on security and web servers. There is articles on


    2.8.2 Frontpage

    There are an article on the Bug Net Alert that describes some security problems in Frontpage.

    There are some texts on Microsoft's web server on Frontpage security


    2.8.3 FTP server security

    There is known problems with the FTP server that ships with Windows NT. There is another FTP server that comes with the Internet Information Server, IIS, that is supposedly more secure.

    As stated elsewhere in this document, logging is not turned on by default. To turn on logging of the FTP server, there are a number of registry key parameters that can be changed. They are located under the following key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FtpSvc\Parameters

    Some of the parameters are LogAnonymous, LogFileAccess, LogNonAnonymous.

    See Microsoft's articles on how to turn on


    2.8.4 Internet Explorer

    Some of the security issues on MSIE:

    For more information on Internet Explorer see Microsofts web page "Microsoft Internet Explorer Security Information" (http://www.microsoft.com/security/ieprod.htm).


    2.8.5 Rollback.exe

    On the NT 4.0 CD-ROM there are a utility called rollback.exe that will corrupt your system if run. It is not intended for end-users, but someone slipped and the tool is now out on many users systems.

    Without any sign of warning, rollback.exe will remove all system registry entries, which in turn will leave the system in a state where there are not easy way to recover. One have to grab the emergency repair disk and do a restore from the latest backup.

    For more information see


    2.8.6 Shutdown.exe

    There are a bug in the utility shutdown.exe that are part of the NT Resource Kit. That bug disables the screen saver on a remote machine.

    It is confirmed to be a problem on 3.51 systems.

    For more information see


    2.8.7 Exchange

    There is some information both on Microsoft's web and FTP server as well on some other sites

    2.8.8 Microsoft SNA

    When installing the complete SNA package, you will get at least three more services, AFTP, NVAlert and NVRunCmd. Make sure that you have disabled these services if you want to run a more secure setup.

    2.8.9 cc:Mail

    According to a posting to Bugtraq by Carl Byington <carl@five-ten-sg.com >, default installation of cc:Mail version 8 with an smtp link has some problems:

    2.8.10 NT Spooler Service

    According to a posting to NTBugTraq by Ondøej Holas <OHolas@EXCH.DIGI-TRADE.CZ>, the Spooler Service shipping with Windows NT is susceptible to a denial of service attack:

    2.8.11 ODBC Security

    There are several security issues related to ODBC usage Any call with indirections, such as calls to ODBC data sources, are possible to intercept by attaching to pre-made hooks. By tracing ODBC connections, which is a completely legitime thing to do during software development, you can get access to sensitive data, such as user name for the connected database. For more information, see


    2.9 RAS security

    There are a number of things to do to get better security on remote connections To turn on auditing for RAS, use the regedit utility to set the key

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters\Logging

    to 1, then restart RAS.

    Microsoft have a generic RAS FAQ entitled Windows NT Remote Access Services - Common Questions and Answers.


    2.10 Logging and auditing

    By default, all auditing in Windows NT is turned off. You have to manually turn on auditing on whatever object you want audited. First off, you should have a policy for Then you should configure the auditing. You should also remember that it is hard to have a good use of auditing (or any use at all), if you don't have good tools and a good suite of policies on how to handle the logs.

    You have to remember that cranking up auditing might give you performance degradation. The trick is to find the balance between how much to log without getting problem.

    Remember that Windows NT saves the logs locally on disk. If someone can take control over the machine, it is quite likely that the logs might be manipulated as well. A better solution might be to send away the logs to one or more protected, centralized log-servers.

    For more information see, Microsofts paper called Auditing, or the Other Side of Security


    2.10.1 Is there a syslog function in NT?

    No, not out of the box. If you want to have centralized logging for both UNIX and NT machines you can check out Larry Kahn's syslogutils. To get access to it, you have to send an email to an autoresponder, access@kahn.drcoffsite.com, which mail you back information on how to access his FTP server.

    Another syslog server is a program called SL4NT by Franz Krainer.

    Also, see the section 3.4 Logging products.


    2.10.2 Can I move the logs to another partition?

    Yes. There is a note on this in the Knowledge Base.

    2.10.3 Can I grant access to someone to view or change the logfiles?

    Yes you can, but there is an error on the manual on how to do it. Check out Knowledge Base article Q142615 to see why the "Manage auditing and security log" privilege does not work as documented.

    2.10.5 Why doesn't all user right enabling actions show up in the log?

    Even though auditing of enabled user rights is turned on in the Policy->Auditing dialog in User Manager (for Domains), there is a bunch of user rights that are not logged. One example, which can cause a lot of confusion, is the Backup and Restore user rights. The cause for these to be excluded is that it would generate too much log entries if enabled. A new log entry would be written for each backed up or restored file. Why is that? Couldn't the backup program just take the backup right once and for all and then backup all of the files, then discard the right?

    See Securing Windows NT Installation (http://www.microsoft.com/ntserver/info/secure_NT_con.htm#a23) for a full list of privileges excluded from auditing and ways of turning auditing on for these.


    2.11 Crypto

    2.11.1 What is CryptoAPI

    CryptoAPI is a set of encryption APIs that allow developers to develop applications that work securely over non-secure networks, such as the Internet.

    CryptoAPI is shipped with NT version 4 and the Internet Explorer 3.0. Version 2.0 of CryptoAPI comes with SP3 for NT4.

    To get more information on the CryptoAPI, see


    2.11.2 Is strong cryptography available outside the U.S.?

    Yes, of course. There is Eric Young's various crypto implementations at ftp://ftp.psy.uq.oz.au/pub/Crypto/ . An RC4 implementation called arcfour can be found in the SSH distribution.

    As pointed out by Paul Ashton in a posting to the NT Security list, you can even use the same functions that Microsoft them self uses:

    Looking at the functions exported by advapi32.dll, you will notice that SystemFunction032() is accompanied with 32 more functions named like that, SystemFunction001 through SystemFunction033. Known today is that they include code for the following:

    2.12 E-mail security

    See also

    2.13 Security related patches

    It's always great fun to read the README.TXT's for the service packs. They reveal problems that you weren't aware of directly, but can serve as a clue to other problems you have encountered.


    2.13.1 Security enhancements in SP3 for NT 4

    See Windows NT 4.0 Service Pack 3 Security Enhancements (http://www.microsoft.com/ntserver/info/secenhance.htm) and depending on your current browser/proxy location on the globe <sigh>.

    Includes things like:


    2.14 Passwords

    For starters, do read Alan Ramsbottom's <acr@als.co.uk> excellent NT Cryptographic Password Attacks & Defences FAQ (http://www.ntbugtraq.com/samfaq.htm).

    Note that passwords are stored in the registry in two formats, the NT way (MD4) and the old LANman way (three DES encryptions of magic constant using different parts of the password). These are password equivalents in the sense that they are the only thing that is needed for a successfull authentication. This means that you don't have to crack them (using dictionary or brute force) to use them for authentication.

    Also, note that the SAM database is backed up to an ordinary file %SystemRoot%\repair\sam._ whenever a repair disk is created with the rdisk.exe program.


    2.14.1 Where is the password that I configure a service to start with stored?

    From a posting by Paul Ashton <paul@argo.demon.co.uk> on NTBugtraq:

    The lsadump program by Paul Ashton can be used to retrieve the plaintext service password.


    2.14.2 How do I enforce strong passwords?

    See $$$: Q151082 - HOWTO: Password Change Filtering & Notification in Windows NT .

    3.0 NT based security tools and products

    3.1 Tools for checking and tightening NT security

    To secure a system, one good idea is to use automatic tools that checks the system for misconfigurations, vulnerabilities, break-ins, etc.


    3.1.1 KSA

    Intrusion Detection Inc. have a product called Kane Security Analyst that checks your Windows NT system for vulnerabilities.


    3.1.2 OmniGuard

    Axent has a series of tools called OmniGuard that includes single sign on, intruder detection, access control, etc.


    3.1.3 SomarSoft's DumpACL, DumpEvt and DumpReq

    Somarsoft have a suit of tools for dumping information from NTs databases and logs.


    3.1.4 Andy Baron's Password Cracker

    ScanNT is a dictionary based password cracker that check your NT machine for weak passwords.

    A demo version is available from the URL above.


    3.1.5 ISS

    Internet Security Systems, ISS, have a suite of tools for network security testings that are available on the NT platform.


    3.1.6 TCP/IP Portscan

    There is a shareware program called NTPortscan that scans the net for open TCP ports.


    3.1.7 The NetBIOS Auditing Tool

    Secure Networks Inc. has released a tool called NetBIOS Auditing Tool that will check file shares, password integrity, extract information, etc, from a remote host.

    The tool is free of charge and released with source code and distributed under the GNU public license.

    Check out Secure Networks' NAT web page (http://www.secnet.com/ntinfo/ntaudit.html) or download the


    3.2 NT based firewalls

    For details and descriptions on how, what and why on firewalls, check out Marcus's firewalls FAQ.

    The National Computer Security Association has certified a number of firewalls for all types of platforms. Check out their web page that lists those firewalls and give detailed information on each product.

    For a more complete listing of firewall products, visit Cathy Fulmer's firewalls product list.


    3.2.1 Raptor Eagle

    Raptor has a version of it's Eagle firewall available for the Windows NT platform.

    Click here to get their product information.


    3.2.2 Firewall-1

    Checkpoint Software has a version of it's Firewall-1 firewall available for the Windows NT platform.


    3.2.3 The Catapult Microsoft proxy server

    The Catapult is a proxy program, which is somewhat different from a pure firewall.

    For more information on Catapult, check out


    3.2.4 Digital Altavista Firewall for Windows NT

    Digital Equipment Corp. has a version of it's Altavista firewall for Windows NT.

    They also have


    3.2.5 TIS Gauntlet Firewall for Windows NT

    In December 1996 Trusted Information Systems, TIS, released their well known Gauntlet firewall for Windows NT. It runs on WNT 4.0 Advanced Server.

    For more information


    3.3 Secure network sessions


    3.3.1 Secure Shell, SSH

    SSH is a software package originally developed by a finish student named Tatu Ylönen to secure network communication between different hosts.

    There are currently a beta version out for an windows client.

    You can find more information on SSH on Datafellows web server.There is a SSH homepage and a SSH FAQ.


    3.3.2 Kerberos 4 client

    Kerberos gives you secure authentication and an encrypted network session.

    To run Kerberos, you have to have at least one Kerberos server available to hold the kerberos tickets. For more information on Kerberos, consult the Kerberos FAQ.

    There is a Kerberos v. 4 client, currently in beta, available for Windows NT. You can check it out on this ftp server. Unfortunately, there are only UNIX Kerberos server sides available here


    3.3.3 SecurID

    SecurID is a token based one-time password system that gives you a secure authentication. There is Windows NT and Windows NT RAS clients available from the vendor, Security Dynamics

    Security Dynamics have a some security resources on-line, such as FAQs,white papers, etc

    Be aware that there have been alot of controversy lately since a posting of a white paper describing some weaknesses of the product.


    3.3.4 S/KEY

    Bellcore's S/Key User Authentication System with One-Time Passwords are available both as a client program and should be available as a server program for Windows NT by the time you read this. S/key are available for a number of UNIX platforms, Windows 3.11, 95, NT 3.51 and 4.0.

    Check out


    3.4 Logging and auditing tools and products

    3.4.1 seNTry

    The product SeNTry is used for centralized event log viewing and management. This product is not to be confused with Soft Winters disk encryption tool named SENTRY 2020 .

    Check it out on http://www.pss.ch/SENTRY.htm

    See 2.10.1 for information on different tools to get the syslog


    3.4.2 EventSLog

    EventSLog from Adiscon, Inc extracts entries from the NT event log and sends them to a syslog server using the syslog protocol.

    See http://www.adiscon.com/tools/evntslog/default.htm .


    3.5 File encryption and electronic mail

    3.5.1 Pretty Good Privacy, PGP

    There are a number of good PGP resources out on the net. The list below is just a short selection A program called PgpEudra to integrate the Eudora mail handling program with PGP.


    3.5.2 MIMEsweeper

    There is a product called MIMEsweeper from Integralis that checks e-mail for viruses. Integralis have both a product description page and a FAQ on MIMEsweeper available on the net.

    3.5.3 SENTRY 2020 (former Shade) disk/file encryption

    Soft Winter Corporation, located in Israel, does have a product for disk encryption on Windows NT.

    Check out the product on http://www.softwinter.com/


    3.6 Other types of security products


    3.6.1 CA-UniCenter


    3.6.2 Steel-belt RADIUS server for Windows NT

    Funk Software have developed a Radius server for Windows NT and NetWare.

    For more information see the Steel-Belted Radius for Windows NT Data Sheet


    4.0 Where can I find on-line information on NT security

    4.1 Mailing lists

    4.1.1 NT Security Mailing list

    There is a NT security mailing list maintained by the good folks at ISS. You subscribe to it by sending a mail to majordomo@iss.net with the body containing the string "subscribe ntsecurity your email".

    The mailing list have some traffic and on-going discussion, and some people might prefer to subscribe to the digest version instead to reduce their incoming mail. The digest is available by sending mail to the same address but with the text "subscribe ntsecurity-digest your email".

    The mailing list is archived with a web interface at http://www.iss.net/lists. It is also available for anonymous FTP from ftp://ftp.iss.net/pub/lists/ntsecurity-digest.archive.


    4.1.2 NTBugTraq

    The NTBugTraq is the Windows NT counterpart of the BugTraq mailing list that is mainly for UNIX related bugs with impact on security. It was started by Russ Cooper <Russ.Cooper@rc.on.ca> in the end of January, 1997. It is a moderated list.

    Subscribe by sending a mail to listserv@listserv.ntbugtraq.com. For help with this, have a look at http://www.ntbugtraq.com/ntbugfaq.htm

    The NTBugtraq archives are at http://listserv.ntbugtraq.com/archives/ntbugtraq.html


    4.2 Web pages and white papers

    4.2.1 Microsoft

    Microsoft has some information on-line. It might be contained in the Knowledge Base archive, it might be in product white papers. Lately, Microsoft has been moving a lot of information inside some sort of protected area, called MSDN Online . To register as a member, which for now is free, you unfortunately have to enable JavaScript and/or Java in your WEB browser. Once registered you can disable Java, but a lot of things are depending on JavaScript, such as the find button at $$$: http://support.microsoft.com/support/. You should be able to follow the links in this FAQ without enabling either of the two, but for the links denoted with $$$ , such as the one above, you have to be registered as a MSDN Online member. A selection of interesting information from www.microsoft.com

    4.2.2 NT Research

    There is a good white paper available from NT Research


    4.2.4 SomarSoft

    Frank Ramos at SomarSoft have both some information and some tools available on-line. There are demo versions of the tools for downloading.


    4.2.5 OMNA

    Andy Baron has some nice information on-line at his site. Some of the information is related to Microsoft's web server IIS


    4.2.6 ISS Vulnerability database

    Internet Security Systems, ISS (http://www.iss.net), have a NT specific area (http://www.iss.net/vd/vuln/nt) in their vulnerability database.


    4.2.8 NT Shop's NT Security pages

    At NT Shop they have a collection of NT related security information such as exploits and white papers on security issues and concerns.

    Visit the NT Security web pages (http://www.ntshop.com/security)


    4.3 What books on NT security are available?

    Microsoft Press have a book entitled "Microsoft NT 3.5 Guidelines for Security, Audit, and Control." ISBN 1-55615-814-9.

    Trusted Systems have a book entitled "Windows NT Security" (http://www.trustedsystems.com/NTBook.html)

    Tom Sheldon (tsheldon@msn.com) has written a book entitled "The Windows NT Security Handbook". It is scheduled for publication in October, 1996.

    Charlie Rutstein (Charlie_Rutstein@notes.pw.com) has an upcoming book on NT Security. Click here (http://ourworld.compuserve.com/homepages/cbr/toc.html) to see a table of content of the book.

    Mark Joseph Edwards, Peter Cardin and Andy Baron has written a book entitled "Windows NT Internet Security". "Windows NT Security Handbook - Everything you need to know to protect your network". Unfortunately, in our opinion, it does not live up to its claim to provide all knowledge you need. It have shortcomings in several areas, such as details in file system security.

    Another problem is the rapid development in the software area. Microsoft have released a number of new products and technologies and renamed some major and several minor subsystems.


    5.0 Widely known exploits, security holes and their counter measures


    Copyright © 1996, 1997 Robert Malmgren. All rights reserved.