Windows Security FAQ

?:            How do I protect my Windows computer?

That's a question that lots of software companies would like to sell their products around. There are many aspects to protecting your computer. First, make sure you are following good security practices, like those documented in Securing a Windows 2000 Server and Securing a Windows NT Server. To be vigilant, you also need to monitor the event logs and IIS logs, have an intrusion detection product (like Tripwire) in place, and regularly ask the security office (or an outside security firm) to run security scans. The document Intro to Securing Your Windows Files may help you get oriented with Windows security concepts. Keep your computer up to date with the latest service packs and hotfixes. You may also want to consider running a personal firewall product on your computer. These products allow you to closely monitor all network activity on your computer and disallow certain types of network activity. ZoneAlarm is a free personal firewall which has won many awards for its friendly interface and effectiveness.

Finally, the best thing you can do is to be educated about security risks and exercise care when using your computer. Most intrusions happen because the user doesn't realize when they are placing themselves at risk. All of the above precautions can be neutralized if you don't exercise caution. For example, there is a common trojan horse which is designed to turn off all your security software (and it knows about most of the software), then allows a remote user to do nasty things. But the trojan horse is powerless until you download it in some seemingly harmless package (maybe a game). Because it neutralizes your security software, you'd never know it was there until it was too late. So be careful!

?:            How do you know what patches have been installed?

All hotfixes that have been installed register themselves in the system registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates. Microsoft also has an executable called Qfecheck.exe (Windows 2000 only) which will check this for you; you can find out more about it at http://support.microsoft.com/support/kb/articles/Q282/7/84.ASP. Our site has a list of all recent patches. After the Code Red outbreak, Microsoft released a new patch scanning tool called HFNetChk.
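
As an added example (not code from the original FAQ), the PowerShell script below walks the registry location named above and lists every hotfix registered there. On current Windows versions that key is normally absent and Get-HotFix is the supported inventory, so the script reports both sources; the Description, InstalledBy and InstalledDate value names are assumed to be what the legacy installers wrote and are treated as optional.

```powershell
# Added example, not code from the FAQ. Lists hotfixes registered under the
# legacy key HKLM\SOFTWARE\Microsoft\Updates (product\service-pack\Qnnnnnn subkeys)
# and, where available, the supported inventory returned by Get-HotFix.

function Get-LegacyHotfixRegistration {
    param([string]$Root = 'HKLM:\SOFTWARE\Microsoft\Updates')

    if (-not (Test-Path -Path $Root)) {
        Write-Warning "$Root is not present; this system does not use the legacy registration"
        return @()
    }

    # Hotfix subkeys are named after the KB article (Qnnnnnn or KBnnnnnn style).
    Get-ChildItem -Path $Root -Recurse |
        Where-Object { $_.PSChildName -match '^(Q|KB)\d+' } |
        ForEach-Object {
            $values = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                # Product and service-pack level are the parent key names.
                Product     = ($_.Name -replace '^.*\\Updates\\', '') -replace '\\(Q|KB)\d+.*$', ''
                Hotfix      = $_.PSChildName
                # Assumed value names written by legacy installers; may be empty.
                Description = $values.Description
                InstalledBy = $values.InstalledBy
                InstalledOn = $values.InstalledDate
            }
        }
}

function Get-InstalledHotfixReport {
    # Get-HotFix reads Win32_QuickFixEngineering, the supported inventory today.
    $modern = Get-HotFix | ForEach-Object {
        [pscustomobject]@{
            Product     = 'Win32_QuickFixEngineering'
            Hotfix      = $_.HotFixID
            Description = $_.Description
            InstalledBy = $_.InstalledBy
            InstalledOn = $_.InstalledOn
        }
    }
    # Merge both sources; an ID present in both is reported once.
    @($modern) + @(Get-LegacyHotfixRegistration) | Sort-Object Hotfix -Unique
}

Get-InstalledHotfixReport | Format-Table -AutoSize
```

Compare the output against the patch list on our site to spot hotfixes that are missing rather than merely confirm the ones that are present.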

There are software packages that provide centralized monitoring of groups of computers for missing hotfixes and service packs, and distribution of the fixes. St. Bernard Software has one such product.

?:            What sites and/or email lists should users subscribe to for the best resources?

The Microsoft Security alert list is a must. You can get all the Microsoft security alerts (and Stanford Windows alerts) by subscribing to windows-security@lists.stanford.edu. Alternatively, you can browse the security alerts at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp or on our site, which summarizes all the security alerts that come out, at http://windows.stanford.edu/news.shtml.

I'd also recommend both the CERT list and ntbugtraq. Ntbugtraq is for more serious folks who don't mind wading through a lot of stuff though.

?:            Are there tools to scan a machine (or a network) for particular exploitable vulnerabilities?

Microsoft has an area with security checklists and tools at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/tools.asp.

One type of software is called intrusion detection. An example would be Tripwire. Tripwire records a known profile of your system, and then actively compares the system against this profile. Personal firewalls also perform a type of intrusion detection, but also prevent unauthorized access. Many vulnerability scan software packages also incorporate intrusion detection.

The type of software you ask about, vulnerability scan software, analyzes a computer to see if there are any known exploits or vulnerabilities. There are many such software suites with varying levels of "completeness" which you can run for yourself. Some are free, but the most complete and useful are commercial. I've listed the best tools according to a popular security magazine poll.

Commercial Vulnerability Scanners:

Free Vulnerability Scanners:

Commercial Intrusion Detection:

Free Intrusion Detection:

?:            How do you know what exploit you've been affected with? If your machine has been compromised, how do you locate the backdoors?

Unless you have intrusion detection software, knowing that you've been compromised can be fairly difficult. Something out of the ordinary has to catch your attention: odd events in your event log, unknown processes running in Task Manager, suspicious entries in your registry, or unknown executables on your computer. At a minimum, you should monitor your event logs periodically, especially the security log, and follow up on anything that looks suspicious. Getting good data in your security event log requires that you configure your system for auditing. http://windows.stanford.edu/docs/security2000.html#audit and http://windows.stanford.edu/docs/security.html#audit describe how to do this for Windows 2000 and Windows NT computers respectively.
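
As an added example (not code from the original FAQ), the PowerShell script below pulls the security log entries that most often are the "something out of the ordinary" described above, so they can be reviewed periodically. The event IDs are the Windows NT/2000 values paired with the equivalents current Windows versions write; the failed-logon threshold is an assumed starting value to be tuned to the host.

```powershell
# Added example, not code from the FAQ. Summarises Security log events worth
# following up. Requires auditing to be enabled and an administrative session.

$SuspiciousEvents = @(
    @{ Name = 'Failed logon';                Legacy = 529; Modern = 4625 },
    @{ Name = 'User account created';        Legacy = 624; Modern = 4720 },
    @{ Name = 'Audit policy changed';        Legacy = 612; Modern = 4719 },
    @{ Name = 'Audit log cleared';           Legacy = 517; Modern = 1102 },
    @{ Name = 'Member added to local group'; Legacy = 636; Modern = 4732 }
)

function Get-SecurityLogTriage {
    param(
        [int]$Hours = 24,
        [int]$FailedLogonThreshold = 10   # assumed; tune to the host's normal baseline
    )
    $ids   = $SuspiciousEvents | ForEach-Object { $_.Legacy; $_.Modern }
    $since = (Get-Date).AddHours(-$Hours)
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches or when run without admin rights.
        # An empty Security log usually means auditing was never configured, as the FAQ warns.
        Write-Warning "No matching Security events (auditing enabled? running as administrator?): $_"
        return @()
    }
    $events | Group-Object Id | ForEach-Object {
        $id   = [int]$_.Name
        $kind = $SuspiciousEvents | Where-Object { $_.Legacy -eq $id -or $_.Modern -eq $id }
        $sorted = $_.Group | Sort-Object TimeCreated
        # A burst of failed logons is the classic password-guessing signature;
        # every other event type in the table is rare enough to warrant a look on its own.
        $isFailedLogon = $id -in 529, 4625
        [pscustomobject]@{
            EventId  = $id
            Meaning  = $kind.Name
            Count    = $_.Count
            First    = $sorted[0].TimeCreated
            Last     = $sorted[-1].TimeCreated
            FollowUp = if ($isFailedLogon) { $_.Count -ge $FailedLogonThreshold } else { $true }
        }
    }
}

Get-SecurityLogTriage -Hours 24 | Sort-Object Count -Descending | Format-Table -AutoSize
```

On current Windows versions, auditpol /get /category:* shows which audit categories are actually switched on before you rely on the log.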

Self-education is key to being familiar with what is normal and suspicious. You can help educate yourself by keeping apprised of the Windows security alerts on the windows-security@lists.stanford.edu mailing list, and reading the documents on this website. If you are unsure of something that looks suspicious, ask either the folks at the security office or the Windows Systems group.

The presence of the following files may indicate that someone has compromised your computer. There may be a legitimate reason for these files, but be aware that these are commonly known executables used for exploits. This list is not intended to be comprehensive.

misc.exe, meminfo.exe, ntalert.exe, sysloged.exe, tapi.exe, 20.exe, 21.exe, 25.exe, 80.exe, 139.exe, 1433.exe, 1520.exe, 26405.exe, i.exe, lomscan.exe, mslom.exe, lsaprivs.exe, pwdump.exe, serv.exe, smmsniff.exe, umgr32.exe, bo2kgui.exe, editor.exe, libupdate.exe.
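
As an added example (not code from the original FAQ), the PowerShell script below sweeps the local fixed drives for the file names listed above and records what it finds. It deletes nothing, because a legitimate program may use one of these names and intruder files should be preserved for the security office; the CSV path and the drive selection are assumptions.

```powershell
# Added example, not code from the FAQ. Finds files matching the FAQ's list of
# executables commonly used in compromises and records them for follow-up.

$KnownExploitFileNames = @(
    'misc.exe', 'meminfo.exe', 'ntalert.exe', 'sysloged.exe', 'tapi.exe', '20.exe',
    '21.exe', '25.exe', '80.exe', '139.exe', '1433.exe', '1520.exe', '26405.exe',
    'i.exe', 'lomscan.exe', 'mslom.exe', 'lsaprivs.exe', 'pwdump.exe', 'serv.exe',
    'smmsniff.exe', 'umgr32.exe', 'bo2kgui.exe', 'editor.exe', 'libupdate.exe'
)

function Find-KnownExploitFiles {
    param(
        # Default: every local filesystem drive with data on it. Pass folders to narrow the sweep.
        [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem |
                            Where-Object { $_.Used -gt 0 } | ForEach-Object { $_.Root }),
        [string[]]$Names = $KnownExploitFileNames
    )
    foreach ($root in $Roots) {
        # -Force includes hidden files; folders we cannot read are skipped rather than fatal.
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name } |    # -contains is case-insensitive
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeBytes = $_.Length
                    Created   = $_.CreationTime
                    Modified  = $_.LastWriteTime
                    # The hash lets the security office compare the file against known tool samples.
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                }
            }
    }
}

$findings = Find-KnownExploitFiles
$findings | Format-Table -AutoSize
# Keep a record for the security office instead of touching the files themselves.
$findings | Export-Csv -Path (Join-Path $env:TEMP 'suspect-files.csv') -NoTypeInformation
```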

Once you've determined that your computer has been compromised, you should contact the security office immediately. They are experts, and can assist you. Depending on what alerted you to the compromise, try to educate yourself on the exploit by searching the web. The ISS X-Force vulnerability database for Windows may be of assistance in this. It's important not to destroy files that the intruder may have left behind, because they may help the security office.

?:            Does Microsoft have any security support services?

Yes. Send email to secure@microsoft.com for more information.

?:            What is a SID?

?:            What is an ACL or access-control list?

?:            What is an ACE or access-control entry?

?:            What is the LSA? What does it do?

The LSA is the Local Security Authority. This subsystem manages user authentication and security policy. Contrary to the name, the LSA can interact with domain authentication services on behalf of the user.

?:            What is the SAM?

The SAM is the Security Account Manager; the name is also used to refer to the database of security principals that the SAM maintains. This security database is stored in the registry under HKLM\SAM, and it helps the LSA by translating a username into a SID.

Possible other questions:

2.1.1 Where do I get patches, or, what is a Service Pack?

2.1.2 What is impersonation?

2.1.4 What are privileges (user rights)?

2.1.10 What is a secure channel?

2.1.11 How does the logon process work?

2.1.12 What is an access token?

2.1.13 What about passwords?

2.2 Host security

2.2.1 Are there any NT based viruses, or can NT be susceptible to other viruses?

2.2.2 How do I get my computer C2-level secure, or, what is c2config?

2.2.3 Are there any known problems with the screen saver / screen lock program?

2.2.4 How can I secure my client computers against my users?

2.2.5 Can my pagefile hold sensitive data?

2.3 File System

2.3.1 I just installed a service pack. Why are my file permissions changed?

2.3.2 Why can users without permissions delete files?

2.3.3 Is it possible to read data on an NTFS disk from another OS?

2.4 Registry

2.4.1 Why does the HKEY_LOCAL_MACHINE key drop its settings?

2.4.2 Is the registry accessible over the network?

2.4.3 Are there any especially interesting keys to watch?

2.5 User security

2.5.1 Administrator account

2.5.2 Guest account

2.6 Network security

2.6.1 Is NT susceptible to SYN flood attacks?

2.6.2 Is it possible to use packet filters on an NT machine?

2.6.3 What ports must I enable to let NBT (NetBios over TCP/IP) through my firewall?

2.6.4 What is Authenticode?

2.6.5 What should I think about when using SNMP?

2.6.6 Are there any known problems with SNA?

2.6.7 What servers have TCP ports opened on my NT system? Or: Is netstat broken?

2.6.8 What are giant packets? Or, is Windows NT susceptible to the PING attack?

2.6.9 What about the denial-of-service problem with RPC?

2.6.11 Chargen flooding?

2.6.12 WINS denial of service?

2.6.13 Dynamic Host Configuration Protocol, DHCP

2.6.14 How do I enumerate all listening named pipes?

2.6.15 What is the OOB (Out of Band) attack?

2.6.16 How does NT deal with fragmented IP packets?

2.7 File sharing security

2.7.1 What is CIFS?

2.7.2 Is it possible to turn off the default sharing?

2.7.3 Are there any known bugs for File sharing?

2.7.4 What is a NULL session?

2.8 Application and subsystem security

2.8.1 Web server security

2.8.2 Frontpage

2.8.3 FTP server security

2.8.4 Internet Explorer

2.8.5 Rollback

2.8.6 Shutdown.exe

2.8.7 Exchange

2.8.8 Microsoft SNA

2.8.9 cc:Mail

2.8.10 NT Spooler Service

2.8.11 ODBC Security

Last modified by barkills at 8/23/2001 2:36 PM

©2000 Trustees of the Leland Stanford Junior University