
15 minute security primers:

Windows Network Workstation Security

Johnny Long
http://johnny.ihackstuff.com
The BIG Disclaimer
λ This presentation is based on the
SecurityFocus Checklist by Scott Granneman
entitled “A Home User's Security Checklist for
Windows”
λ Download:
http://www.securityfocus.com/columnists/220
λ Scott did the work. I’m here to spread the
word, keep it simple and show how it can be
abused.
λ Basic Windows security is possible, and it only
takes 15 minutes.
The little disclaimer
λ It’s hard to account for all versions of
Windows here, so I use Windows XP
Professional for the examples.
λ This presentation is for entry-level
users.
λ For most examples I will show an attack
followed by the appropriate fix.
λ In some cases I will just show a fix.
Problem: Administrative Access
λ Although it’s simpler, do not use the
Administrator account (or an
equivalent) for every-day work.
λ It’s too easy for an attacker to abuse
your machine and, unless you know what
you’re doing, too easy to mess
things up!
Fix: Restrict Admin Access
λ Do not run Windows as Administrator.
λ Create a user account for every-day
use. Reserve the Administrator role for
system maintenance.
Problem: Accounts without passwords

λ Surprisingly enough, many users have
accounts without passwords.
λ Most users are aware that passwords
are a good thing, but do you keep track
of all user accounts on your machine?
Problem: Accounts with bad
passwords…
“Control Panel” -> “User Accounts”
brings up the User Account Manager.
This is a standard user account with
no password! All accounts should have
strong passwords.
Attack! Accounts without passwords
An attacker can use simple commands to
browse your machine without a
password...
Attack! Accounts without passwords
The THC-Hydra tool from
http://www.thc.org
has many uses….
Attack! Accounts without
passwords….
…including the
discovery of user
accounts with no
password!
Attack! Dictionary Attack…
In order to pound a
password, an attacker
will create a basic
password file….
Attack! Dictionary Attack!
THC-Hydra can eventually find a
password, even one that is not as
simple as this one….
Fix: Good, Strong Passwords
λ All accounts on your machine should
have strong passwords.
λ Unless you know what you’re doing,
every account should have a password
λ Strong Passwords:
λ Never appear in any dictionary
λ Contain upper and lower case characters,
numbers and special characters
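An added example (my code, not Johnny Long’s deck and not THC-Hydra) of why the two rules above belong together: a dictionary attack does not try bare words, it tries each word plus the mangling rules crackers apply (capitalisation, leet substitutions, common suffixes). The checker therefore tests a password against the expanded list, not just the wordlist. The base wordlist, mangling rules and the “victim” password are all constructed for this example.

```python
"""Added example (not from the deck or THC-Hydra): expand a small wordlist
the way a dictionary attack does, run the attack against a stand-in login
function, and check a password against the deck's rules (never in any
dictionary; upper, lower, digits and specials) using that expanded list.
The wordlist, mangling rules and target password are constructed here;
real attackers use lists of millions of entries plus far more rules.
"""
import string

# Constructed base wordlist (a real one is far larger).
BASE_WORDS = ["password", "secret", "letmein", "johnny", "windows"]

# Mangling rules of the kind crackers apply to every base word.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
SUFFIXES = ["", "1", "123", "!", "1!", "2004"]


def mangle(word):
    """Yield the variants a dictionary attack would try for one base word."""
    seen = set()
    for core in (word, word.capitalize(), word.upper(),
                 word.translate(LEET), word.capitalize().translate(LEET)):
        for suffix in SUFFIXES:
            cand = core + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def build_attack_list(base_words=BASE_WORDS):
    """Expand the base wordlist into the full candidate set an attacker tries."""
    candidates = []
    for word in base_words:
        candidates.extend(mangle(word))
    return candidates


def dictionary_attack(guess_fn, candidates):
    """Try each candidate against guess_fn (stands in for a network login).
    Returns (password, attempts) on success, (None, attempts) on failure."""
    for attempts, cand in enumerate(candidates, start=1):
        if guess_fn(cand):
            return cand, attempts
    return None, len(candidates)


def check_strength(password, base_words=BASE_WORDS, min_len=10):
    """Apply the deck's rules. Returns a list of failures (empty == strong)."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    classes = [
        ("lower case", set(string.ascii_lowercase)),
        ("upper case", set(string.ascii_uppercase)),
        ("digit", set(string.digits)),
        ("special", set(string.punctuation)),
    ]
    for name, chars in classes:
        if not chars & set(password):
            problems.append("no " + name + " character")
    # "Never appears in any dictionary" must cover the mangled variants too:
    # "P@ssw0rd1!" satisfies every character-class rule and still falls to
    # the attack above within a few dozen guesses.
    if password.lower() in base_words or password in set(build_attack_list(base_words)):
        problems.append("derived from a dictionary word")
    return problems


if __name__ == "__main__":
    victim = "P@ssw0rd1!"   # constructed target password
    found, tries = dictionary_attack(lambda p: p == victim, build_attack_list())
    print("cracked %r after %d guesses" % (found, tries))
    for pw in (victim, "correct horse battery", "Tq7%vLm2#zR"):
        print("%-25r %s" % (pw, check_strength(pw) or "OK"))
```

The guess function here compares strings locally; against a real host each guess is a network login attempt, which is exactly what THC-Hydra automates and what a login log or an account lockout policy would show.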
Problem: Cleartext Passwords
λ Sometimes, even a strong password is
not enough protection.
λ Passwords that travel the network
under cover of weak or zero encryption
can be captured and reused.
Attack! Cleartext Passwords
Using a pilfered password…
the attacker connects to your
computer with your password...
then connects to your
C: drive....
Attack! Cleartext Passwords

…and rifles through
your personal stuff!!!
Fix: Only use encrypted
authentication
λ If you are unsure about the protection
of your passwords over the network, it’s
best to err on the side of caution.
λ Understand the risks of your
transactions…
Problem: Anyone can Connect
to your computer
λ Even with strong passwords, attackers
can still access services on your
machine if they
λ obtain your password
λ exploit a vulnerability on your machine
λ exploit third-party software
Attack! Pings
Without a firewall,
anyone can send a
PING or an “are you
there” message to your
computer.
Attack! Port scan
Port scanners can show
what services your
computer is running
Attack! Windows Popups
Various open ports on
your machine (like 138,
NETBIOS DGM) can be
used by attackers to
send you annoying or
dangerous popup
messages like these.
Fix: Windows Firewall
λ Windows has a built-in firewall that has
a minimum of features, but is better
than nothing
Fix: Windows Firewall
Start Menu -->
Settings -->
Network Connections…
Right-Click your Internet
Adapter and choose
“Properties”
Fix: Windows Firewall
Click the Advanced tab to find
the option for “Internet
Connection Firewall”.
Checking this box turns on
your firewall.
Turning off the firewall
(unchecking this box)
produces a warning message.
Fix: Windows Firewall
From the Advanced Tab,
click “Settings”
The Services Tab allows
you to select which
services to allow through
the firewall. Checked
services are allowed
through. Only check
services if you know
what you’re doing…
Fix: Windows Firewall
From the Advanced Tab,
click “Settings”
The Security Logging tab
allows for various
logging options. By
default, nothing is
logged! Select “log
dropped”, “log
successful” or both to
enable logging.
Fix: Windows Firewall
A “dropped packets” log
might look like this
This report shows information including the date,
packet type, and the IP address that sent it.
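Reading the log by eye works for a handful of lines; an added example (my code, not from the deck) of summarising it instead. The firewall log is W3C-style: comment lines starting with `#`, a `#Fields:` line naming the columns, then one space-separated record per packet. Reading the column names from `#Fields:` keeps the parser working for both the XP Internet Connection Firewall format (version 1.0, no `path` column) and the SP2 Windows Firewall format (version 1.5). The sample log is constructed; the addresses and times are made up.

```python
"""Added example (not from the deck): parse a Windows Firewall /
Internet Connection Firewall "pfirewall.log" and summarise dropped packets
per source address and destination port, flagging sources that probed
several ports (the port-scan pattern from the slides).
SAMPLE_LOG is constructed for this example.
"""
from collections import Counter

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2004-08-25 20:11:02 DROP TCP 10.0.0.9 10.0.0.5 3211 135 48 S 1190235322 0 65535 - - - RECEIVE
2004-08-25 20:11:02 DROP TCP 10.0.0.9 10.0.0.5 3212 139 48 S 1190235323 0 65535 - - - RECEIVE
2004-08-25 20:11:02 DROP TCP 10.0.0.9 10.0.0.5 3213 445 48 S 1190235324 0 65535 - - - RECEIVE
2004-08-25 20:11:03 DROP UDP 10.0.0.9 10.0.0.5 1032 138 244 - - - - - - - RECEIVE
2004-08-25 20:11:05 DROP ICMP 10.0.0.9 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
2004-08-25 20:12:40 OPEN TCP 10.0.0.5 10.0.0.20 1045 80 - - - - - - - - -
2004-08-25 20:13:07 DROP TCP 192.0.2.77 10.0.0.5 4321 1433 48 S 2231881 0 16384 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Return a list of dicts, one per record, keyed by the '#Fields:' names."""
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record before #Fields header: %r" % line)
        values = line.split()
        if len(values) != len(fields):
            # Malformed line (truncated write, manual edit): skip, don't crash.
            continue
        records.append(dict(zip(fields, values)))
    return records


def summarize_drops(records, scan_threshold=3):
    """Count dropped packets per source and per (protocol, dst-port), and
    list sources that hit at least scan_threshold distinct ports."""
    drops = [r for r in records if r["action"] == "DROP"]
    by_src = Counter(r["src-ip"] for r in drops)
    by_port = Counter((r["protocol"], r["dst-port"]) for r in drops)
    ports_per_src = {}
    for r in drops:
        ports_per_src.setdefault(r["src-ip"], set()).add((r["protocol"], r["dst-port"]))
    scanners = sorted(ip for ip, ports in ports_per_src.items()
                      if len(ports) >= scan_threshold)
    return {"by_src": by_src, "by_port": by_port, "scanners": scanners}


if __name__ == "__main__":
    summary = summarize_drops(parse_firewall_log(SAMPLE_LOG))
    for ip, n in summary["by_src"].most_common():
        print("%-15s %d dropped" % (ip, n))
    for (proto, port), n in summary["by_port"].most_common():
        print("%-5s %-5s %d" % (proto, port, n))
    print("possible port scans from:", ", ".join(summary["scanners"]))
```

On a real machine, read the file named on the Security Logging tab (`C:\WINDOWS\pfirewall.log` by default) instead of `SAMPLE_LOG`; the 135/139/445 hits from one source in the same second are the SMB/RPC probes a port scanner or a worm leaves behind.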
Fix: Windows Firewall
From the Advanced Tab,
click “Settings”
The “ICMP” tab blocks ICMP
messages by default. Although
ICMP (the protocol that handles
PING) is fairly benign, it can be
used by accomplished hackers
to gather info about your
computer. Keep these options
unchecked.
Fix: Test your Internet
Exposure
The “Shields Up” online
test allows you to
scan your machine for
vulnerabilities from the
Internet.
Problem: Out of Date
Software
λ Older software has more publicly
known security holes than newer
versions of that software.
λ The easiest way to stay on top of the
latest security fixes is Windows Update
Attack! Spoofing Windows
Update
λ It is possible for an accomplished attacker to
insert a bogus update into your system.
λ Ultra-paranoids should install updates
manually via
http://windowsupdate.microsoft.com
λ In addition, downloaded packages should be
manually verified before installation.
Fix: Windows Update
One way to get into
Windows Update
Settings is via right-
clicking on
“My Computer”, selecting
“Properties” and
selecting the
“Automatic Updates”
Tab.
Fix: Windows Update
Another way is
from Start -->
“Help and
Support Center”
click
“Windows
Update”
Fix: Windows Update
λ Never follow update instructions sent
via email.
λ This technique is called “phishing” and
opens the door for malicious users
Fix: Application updates
λ Always keep on top of updates for
applications you install.
λ Keep a list of apps you install and the
website for that product.
λ For example, visit
http://office.microsoft.com/officeupdate
for updates to MS Office products.
Problem: Malicious code
λ Regardless of your protection from the
network, viruses and other types of
malicious code can cause disruption or
affect the security of your computer.
Fix: Anti-Virus Programs
λ An anti-virus program should be installed
λ The software should be set to:
λ automatically scan the computer at least once a
day
λ automatically scan email messages
λ allow scanning of Instant Messaging downloads
λ automatically update virus signatures via the web
Problem: Malicious Email
λ Email is often used to propagate
malicious code
λ Depending on the configuration of your
email reader, malicious code can enter
your system without even being read
λ “Web bugs” can track your location and
your activities
Attack: Fake Email scams…
Malicious users
can pose as
respected web
sites via email. Is
this real? How can
you know?
If you trust the
site, go to the
website by typing
the URL in your
browser.
Fix: Email reader configuration
λ Turn off the preview pane
λ Always know who an email is from before you
open it
λ Disable JavaScript
λ HTML-based email is nice, but JavaScript in an
email message can be very dangerous
λ Go offline
λ Email tracking (web bugs) does not work in offline
mode.
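An added example (my code, not from the deck or from Scott’s checklist) of the two things a reader can check in an HTML message before trusting it: the “fake email scam” slide above, where the link text names the real site but the link goes elsewhere, and the web bugs mentioned here, which are tiny remote images fetched from a tracking server when the message is rendered. The message is constructed; it uses the reserved `.example` domains and a documentation IP address.

```python
"""Added example (not from the deck): scan an HTML email for
(1) links whose visible text names one host while the href points to
another, and (2) web bugs: remote images sized 1x1 (or 0 pixels).
SAMPLE_EMAIL is constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
<html><body>
<p>Dear customer, please confirm your account at
<a href="http://203.0.113.9/login">https://www.bank.example/login</a>
within 24 hours.</p>
<p>Thanks, <a href="https://www.bank.example/help">Support</a></p>
<img src="http://tracker.adserver.example/open.gif?id=1234" width="1" height="1">
<img src="https://www.bank.example/logo.png" width="120" height="40">
</body></html>
"""


def host_of(text):
    """Host named by a URL or bare domain in link text; None if there is none."""
    text = text.strip()
    if "://" not in text:
        if "." not in text or " " in text:
            return None
        text = "http://" + text
    return urlparse(text).hostname


class MessageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.suspicious_links = []   # (visible text, real href)
        self.web_bugs = []           # remote image URLs sized 1x1 or 0
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
            self._text = []
        elif tag == "img":
            src = a.get("src") or ""
            w, h = a.get("width", ""), a.get("height", "")
            remote = src.startswith(("http://", "https://"))
            if remote and (w in ("0", "1") or h in ("0", "1")):
                self.web_bugs.append(src)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text)
            shown, real = host_of(text), urlparse(self._href).hostname
            # Only a link whose text *claims* a host can lie about it.
            if shown and real and shown.lower() != real.lower():
                self.suspicious_links.append((text.strip(), self._href))
            self._href = None


def scan_message(html):
    """Return the suspicious links and web bugs found in one HTML message."""
    scanner = MessageScanner()
    scanner.feed(html)
    scanner.close()
    return {"suspicious_links": scanner.suspicious_links,
            "web_bugs": scanner.web_bugs}


if __name__ == "__main__":
    result = scan_message(SAMPLE_EMAIL)
    for text, href in result["suspicious_links"]:
        print("link text says %r but goes to %s" % (text, href))
    for src in result["web_bugs"]:
        print("web bug:", src)
```

The link check only fires when the visible text itself names a host; a link labelled “Support” can point anywhere and still be legitimate, which is why the slide’s advice to type the URL yourself is the safer habit.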
Fix: Email safety
λ Never open attachments that are
programs
λ Only open attachments that you are
expecting
λ Always scan attachments for viruses,
even if you think your virus scanner is
doing it automatically.
Fix: Email safety
λ Never reply to spam, even to be
“removed” from their mailing list
λ Remember that secure web sites will
never request you to change your
password, enter your PIN, or answer
other sensitive questions via email
Problem: Browser Security
λ There are many different ways an
attacker can deliver malicious code via
your web browser.
λ Configure your web browser safely.
λ Scott wrote a terrific article entitled
“Securing Privacy“ available from
http://www.securityfocus.com/infocus/1585
Fix: Browser Security Tests
λ The Browser Security Test
λ http://bcheck.scanit.be/bcheck/
λ PC Flank’s Tests
λ http://www.pcflank.com/about.htm
λ Jason Levine’s Toolbox
λ http://www.jasons-toolbox.com/BrowserSecurity/
Problem: Spyware
λ Spyware is software designed to track
Internet users.
λ This invasion of privacy can also be
disruptive and subversive to your online
activities.
Fix: Anti-Spyware Programs
λ You should install and run an
anti-spyware program.
λ You should keep up with updates,
automatically if the program allows it.
λ http://www.anti-spyware-review.toptenreviews.com/
lists reviews of the most popular anti-
spyware programs.
Closing
λ Be sure to download Scott’s complete
checklist for all the details.
λ http://www.securityfocus.com/columnists/220
λ This presentation can be downloaded
from my website
λ http://johnny.ihackstuff.com
