Modern Vulnerabilities in Microsoft Applications
In this section, I enumerate security weaknesses in some
very commonly used Microsoft applications. Microsoft Internet Explorer
(Microsoft's Web browser, also known as MSIE), Microsoft Exchange Server (a
mail administration package), and Internet Information Server (IIS) are
three key networking applications.
Microsoft Internet Explorer
Microsoft Internet Explorer has several serious
vulnerabilities; some of them are covered briefly here. Those
vulnerabilities that are classified as either critical or severe can result
in system compromise, and are therefore of great interest to system
administrators.
The Active Setup Download Vulnerability
Microsoft Internet Explorer Version: 4.x, 5.x
Impact: Malicious Webmasters can download a .CAB file to
any disk on your box.
Class: Severe
Fix for MSIE 4.x and 5.01: http://www.microsoft.com/windows/ie/download/critical/patch8.htm
Fix for MSIE 5.5: http://www.microsoft.com/windows/ie/download/critical/patch11.htm
Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-042.asp
Credit: Unknown
A malicious Web site can download a .CAB file to any disk
on your box and then use the .CAB file to overwrite files, including system
files. This could render your machine inoperable and create a denial of
service on your box.
The Cached Web Credentials Vulnerability
Microsoft Internet Explorer Version: 4.x and 5.x prior to
version 5.5
Impact: Malicious intruders can obtain your
user ID and password to a Web site.
Class: Moderate to Severe
Fix: http://www.microsoft.com/windows/ie/download/critical/q273868.htm
Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-076.asp
Credit: ACROS Security
When you use Basic authentication to authenticate to a
secured Web page, MSIE caches your user ID and password. MSIE does this to
minimize the number of times you must authenticate to the same site.
Although MSIE should only pass your cached credentials to secured pages on
the site, it will also send them to the site's nonsecured pages. If an
attacker has control of your box's network communications when you log on
to a secured site, the attacker can spoof a request for a nonsecured page
and then collect your credentials.
The IE Script Vulnerability
Microsoft Internet Explorer Version: 4.01 SP2 and higher,
when Microsoft Access 97 or Microsoft Access 2000 is present on the machine
Impact: Permits an attacker to run code of his choice on
your box, potentially allowing the attacker to take full control of it.
Class: Extremely Severe
Fix: http://www.microsoft.com/windows/ie/download/critical/patch11.htm
or set an Administrator password for Microsoft Access
Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-049.asp
Credit: Georgi Guninski
This vulnerability enables an attacker to embed malicious
VB code into Microsoft Access via Internet Explorer. Simply visiting a
malicious Web site or previewing an e-mail that contains malicious code can
compromise your box.
The Microsoft Internet Explorer GetObject() File Disclosure Vulnerability
Microsoft Internet Explorer Version: 5.x
Impact: If you visit a malicious Web site or read a mail
message with Active Scripting enabled, MSIE might
disclose files on your box.
Class: Moderate to Severe
Fix: Until Microsoft releases a patch to fix this problem,
you should disable Active Scripting in Internet Explorer in any zone with
untrusted hosts. If you run any other products that respect Internet
Explorer security zones, you should configure them to run VBScript in
trusted zones only. In addition, Microsoft recommends configuring Outlook
using the guidelines found at: http://www.microsoft.com/office/outlook/downloads/security.htm
Additional Info: http://www.kb.cert.org/vuls/id/800893
Credit: Georgi Guninski
Microsoft designed IE to prevent programs on Web sites
from reading files on your box without authorization. Microsoft also
designed Outlook and Outlook Express to prevent programs embedded in mail
messages from reading files on your box without authorization.
Unfortunately, a flaw in the behavior of the GetObject call in VBScript permits access to files
despite the fact that VBScript doesn't include file I/O or direct access to
the underlying operating system. This flaw lets a malicious VBScript
forward the contents of a document through electronic mail or back to
the Web site.
The Office HTML Script Vulnerability
Microsoft Internet Explorer Version: 4.01 SP2 or higher when Microsoft Excel 2000, Microsoft PowerPoint
2000, or Microsoft PowerPoint 97 are present on the machine
Impact: Permits an attacker to run code of his or her
choice on a victim's box, potentially allowing the
attacker to take full control of that box.
Class: Extremely Severe
Fix for Microsoft Excel 2000 and PowerPoint 2000: http://officeupdate.microsoft.com/2000/downloaddetails/Addinsec.htm
Fix for Microsoft PowerPoint 97: http://officeupdate.microsoft.com/downloaddetails/PPt97sec.htm
Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-049.asp
Credit: Unknown
This vulnerability enables a script that is stored either
on a malicious Web operator's site or in an HTML e-mail message to save an
Excel 2000, PowerPoint 2000, or PowerPoint 97 file to a victim's box. The
attacker can code this file to launch automatically. If this file
successfully launches, it could cause a macro or Visual Basic for
Applications (VBA) code to run that will potentially allow the attacker to
take full control of that box.
The SSL Certificate Validation Vulnerability
Microsoft Internet Explorer Version: 4.x, 5.0, and 5.01
Note: MSIE 5.01 Service
Pack 1 and MSIE 5.5 are not affected.
Impact: Two flaws exist in MSIE that can allow a malicious
Web site to pose as a legitimate Web site. The attacker can trick users into
disclosing information (such as credit card numbers or personal data) intended
for a legitimate Web site.
Class: Moderate
Fix: http://www.microsoft.com/windows/ie/download/critical/patch11.htm
or upgrade to MSIE 5.5.
Additional Info: http://www.microsoft.com/technet/security/bulletin/ms00-039.asp
Credit: ACROS Penetration Team, Slovenia
When a connection to a secure server is made through
either a frame or an image on a Web site, MSIE only verifies that the
server's Secure Sockets Layer (SSL) certificate was issued by a trusted
root, and does not verify either the server name or the expiration date of
the certificate. When you make a secure connection via any other means,
MSIE performs the expected validation. If a user establishes a new SSL
session with the same server during the same MSIE session, MSIE does not
revalidate the certificate.
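The two checks MSIE skipped for framed and image-loaded SSL connections, server name and expiration date, as an added example that is not from the book. It works on a certificate in the dict form Python's ssl.SSLSocket.getpeercert() returns; the sample certificate, its names and its dates are constructed, and trusted-root verification is assumed to have been done separately.

```python
import ssl

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output. The names
# and dates are made up for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "*.pay.example.test")),
    "notBefore": "Jan  1 00:00:00 2001 GMT",
    "notAfter": "Dec 31 23:59:59 2001 GMT",
}


def epoch(cert_time):
    """Convert a certificate timestamp string to seconds since the epoch."""
    return ssl.cert_time_to_seconds(cert_time)


def dns_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries, falling
    back to the subject commonName only when no SAN is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(cert, hostname):
    """Server-name check. A wildcard covers exactly one label, so
    *.pay.example.test matches a.pay.example.test but not a.b.pay.example.test."""
    host = hostname.lower().rstrip(".")
    for name in dns_names(cert):
        name = name.lower()
        if name.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == name[2:]:
                return True
        elif host == name:
            return True
    return False


def within_validity(cert, now):
    """Expiration check: notBefore <= now <= notAfter (seconds since the epoch)."""
    return epoch(cert["notBefore"]) <= now <= epoch(cert["notAfter"])


def validate(cert, hostname, now):
    """Return the list of failures; an empty list means the certificate passes
    both checks. Trust-chain verification is assumed to have happened already
    (the one step MSIE did perform for framed connections)."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("server name %r not covered by %r" % (hostname, dns_names(cert)))
    if not within_validity(cert, now):
        problems.append("outside validity period")
    return problems


if __name__ == "__main__":
    print(validate(SAMPLE_CERT, "shop.example.test", epoch("Jun  1 00:00:00 2001 GMT")))
    print(validate(SAMPLE_CERT, "evil.example.test", epoch("Jan  1 00:00:00 2002 GMT")))
```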
The Unauthorized Cookie Access Vulnerability
Microsoft Internet Explorer Version: 4.x, 5.0, and 5.01
Note: MSIE 5.01 Service
Pack 1 and MSIE 5.5 are not affected.
Impact: This vulnerability can allow a malicious Webmaster
to obtain personal information from a user's box.
Class: Moderate
Fix: http://www.microsoft.com/windows/ie/download/critical/patch11.htm
Additional Info: http://www.microsoft.com/technet/security/bulletin/FQ00-033.asp#B.
Credit: Unknown
A malicious Web site operator could entice a user to click
a link on the operator's site that would allow the
operator to read, change, or add a cookie to that user's box.
Microsoft Exchange Server
The following sections list important vulnerabilities
in Microsoft Exchange Server 2000 and Exchange Server 5.x.
Microsoft Exchange Encapsulated SMTP Address Vulnerability
Microsoft Exchange Server Version: 5.5
Impact: Intruder can perform mail relaying.
Class: Moderate—Denial of Service
Fix: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/imc-fix/
Additional Info: http://www.microsoft.com/technet/security/bulletin/fq99-027.asp
Credit: Laurent Frinking of Quark Deutschland GmbH
This vulnerability could enable an intruder to get around
the antirelaying features of an Internet-connected Exchange server. Because
encapsulated Simple Mail Transfer Protocol (SMTP) addresses are not subject
to the same antirelaying protections as nonencapsulated SMTP addresses, an
intruder can cause a server to forward an encapsulated SMTP address from
the attacker to any e-mail address he or she wants—as though the server
were the sender of the e-mail.
Microsoft Exchange Malformed Bind Request Vulnerability
Microsoft Exchange Server Version: 5.5
Impact: An intruder can cause denial of service attacks or
can run code on the
server.
Class: Severe—Denial of Service
Fix for X86-based Exchange: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/DIR-fix/PSP2DIRI.EXE
Fix for Alpha-based Exchange: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostSP2/DIR-fix/PSP2DIRA.EXE
Additional Info: http://www.microsoft.com/technet/security/bulletin/ms99-009.asp
Credit: ISS X-Force
The Bind function has an unchecked buffer that poses two threats to
operation. An attacker could send a malformed Bind request that crashes
the Exchange Directory service, or a carefully constructed Bind request
whose purpose is to cause arbitrary code to execute on the server using a
classic buffer overrun technique.
Microsoft Exchange Malformed MIME Header Vulnerability
Microsoft Exchange Server Version: 5.5
Impact: A malicious user can cause an Exchange Server to
fail.
Class: Severe—Denial of Service
Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25443
or Exchange 5.5 SP4
Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-082.asp
Credit: Art Savelev
The Exchange Server normally checks for invalid values in
the MIME header fields. However, the Exchange service will fail if a particular type of invalid value is present in certain
MIME header fields. You can restore normal operations by restarting the
Exchange Server and then deleting the offending mail. The offending mail
will be at the front end of the queue after you restart the Exchange
service.
Microsoft Exchange NNTP Denial-of-Service Vulnerability
Microsoft Exchange Server Versions: 5.0 and 5.5
Impact: An attacker can cause the Server
Information Store to choke.
Class: Medium—Denial of Service
Fix: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Post-SP2-STORE/Exchg5.0/Post-SP2-STORE/
or install SP1 or later
Additional Info: http://www.microsoft.com/technet/security/bulletin/ms98-007.asp
Credit: Internet Security Systems, Inc.'s X-Force team
When an attacker sends a series of malformed data, an application error
can cause the Server Information Store to fail. Users are then unable to
connect to their folders on the Exchange Server.
Microsoft Exchange SMTP Denial of Service Vulnerability
Microsoft Exchange Server Versions: 5.0 and 5.5
Impact: An attacker can cause the
Internet Mail Service to choke.
Class: Medium—Denial of Service
Fix: ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/post-sp2-ims/
or install SP1 or later
Additional Info: http://www.microsoft.com/technet/security/bulletin/ms98-007.asp
Credit: Internet Security Systems, Inc.'s X-Force team
When an attacker issues a series of incorrect data, an
application error can result in the Internet Mail Service failing.
Microsoft Exchange Error Message Vulnerability
Microsoft Exchange Server Versions: 5.0 and 5.5
Impact: An intruder might be able to
recover encrypted data from your network.
Class: Moderate to Severe
Fix: Download the latest version of Schannel.dll. See the following URL
for information on where to obtain the latest version: http://support.microsoft.com/support/kb/articles/q148/4/27.asp
Additional Info: http://www.microsoft.com/technet/security/bulletin/ms98-002.asp
Credit: Daniel Bleichenbacher
An intruder, running a sniffer on your network, might be
able to observe an SSL-encrypted session, interrogate the server involved
in that session, recover the session key used in that
session, and then recover the encrypted data from that session.
Microsoft Exchange User Account Vulnerability
Microsoft Exchange Server Version: 2000
Impact: An intruder can remotely log on to an Exchange
2000 Server and possibly onto other servers in the
affected Exchange Server's network.
Class: Moderate to Severe
Fix: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25866
Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-088.asp
Credit: Unknown
A malicious user can log on to Exchange by using an
account with a known username (EUSR_EXSTOREEVENT) and a password that
Exchange creates during the setup process. Normally this account has only
local user rights, meaning that the account is neither a privileged account
nor can it gain access to Exchange 2000 data. However, when you install Exchange
2000 on a domain controller, the system automatically gives Domain User
privileges to the account, and so it can gain access to other resources on
the affected domain. Microsoft recommends that you disable or delete this
account after the setup process has completed.
IIS (Internet Information Server)
IIS is a very popular Internet server package and like
most server packages, it has vulnerabilities. IIS is covered here in detail. However, please note that the list of
vulnerabilities discussed is not exhaustive. Other vulnerabilities of
lesser severity exist.
The IIS Cross-Site Scripting Vulnerabilities
IIS Version: 4.0 and 5.0
Impact: An attacker can run code on your machine
masquerading as a third-party Web site.
Class: Severe
Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25534
Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25533
Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-060.asp
Credit: Peter Grundl of Defcom
When a malicious user runs code masquerading as a
third-party Web site, that code can take any action on your box that the
third-party Web site is permitted to take. If you designate that Web site
as a trusted site, the attacker's code could take advantage of the
increased privileges. The attacker can make the code persistent, so that if
you return to that Web site in the future, the code will begin to run again.
The IIS Malformed Web Form Submission Vulnerability
IIS Version: 4.0 and 5.0
Impact: An attacker can prevent a Web server from
providing service.
Class: Severe—Denial of Service
Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26704
Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26277
Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-100.asp
Credit: eEye Digital Security
FrontPage Server Extensions ship with IIS 4.0 and IIS 5.0
and provide browse-time support functions. A vulnerability exists in some
of these functions that allows an attacker to levy a malformed form
submission to an IIS server that would cause the IIS service to fail. In
IIS 4.0, you have to restart the service manually. In IIS 5.0, the IIS
service will restart by itself.
The IIS New Variant of File Fragment Reading via .HTR Vulnerability
IIS Version: 4.0 and 5.0
Impact: An attacker can read fragments of files from a Web
server.
Class: Moderate
Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27492
Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=27491
Additional Info: http://www.microsoft.com/technet/security/bulletin/MS01-004.asp
Credit: Unknown
An attacker can cause a requested file to be processed by
the .HTR ISAPI extension in such a way as to cause fragments of server-side
files, such as .ASP files, to be sent to the attacker.
The IIS Session ID Cookie Marking Vulnerability
IIS Version: 4.0 and 5.0
Impact: A malicious user can hijack another user's secure
Web session.
Class: Critical
Fix for IIS 4.0 x86 platforms: http://www.microsoft.com/ntserver/nts/downloads/critical/q274149
Fix for IIS 4.0 Alpha platforms: Available from Microsoft
Product Support Services
Fix for IIS 5.0: http://www.microsoft.com/Windows2000/downloads/critical/q274149
Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-080.asp
Credit: ACROS Security and Ron Sires and C. Conrad Cady of
Healinx
IIS uses the same Session ID for both secure and nonsecure
pages on the same Web site. What this means to you is that when you
initiate a session with a secure Web page, the Session ID cookie is
protected by SSL. If you subsequently visit a nonsecure page on the same
site, that same Session ID cookie is exchanged, only this time in
plaintext. If a malicious user has control over the communications channel
of your box, she could then read the plaintext Session ID cookie and use it
to take any action on the secure page that you can.
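The weak cookie setting beside the corrected one, as an added example that is not from the book. A Set-Cookie header without the Secure attribute is returned on every request to the host, plaintext HTTP included; the checker below parses such headers and reports which cookies a browser would send to a non-SSL page. The headers are constructed, and the cookie name only follows the ASP session-cookie prefix by assumption.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed headers. The cookie name follows the ASP session-cookie prefix
# (an assumption for the example); the value is a placeholder.
WEAK_HEADER = "ASPSESSIONIDEXAMPLE=PLACEHOLDERSESSIONVALUE; path=/"
FIXED_HEADER = "ASPSESSIONIDEXAMPLE=PLACEHOLDERSESSIONVALUE; path=/; Secure"


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into a name -> Morsel mapping."""
    jar = SimpleCookie()
    jar.load(header)
    return jar


def unsecured_cookies(header):
    """Names of cookies in the header that lack the Secure attribute."""
    return [name for name, morsel in parse_set_cookie(header).items()
            if not morsel["secure"]]


def cookies_sent_over(header, url):
    """Map each cookie to whether a browser would attach it to a request for
    url. Only the Secure/scheme interaction is modelled; path and domain
    scoping are assumed to match, as in the bulletin's same-site scenario."""
    https = urlsplit(url).scheme.lower() == "https"
    return {name: (https or not morsel["secure"])
            for name, morsel in parse_set_cookie(header).items()}


def session_exposed(header, pages):
    """True if any cookie from the header would travel in plaintext to any of
    the given pages, i.e. someone watching the wire could recover the session ID."""
    for url in pages:
        if urlsplit(url).scheme.lower() == "https":
            continue
        if any(cookies_sent_over(header, url).values()):
            return True
    return False


if __name__ == "__main__":
    pages = ["https://shop.example.test/checkout.asp",
             "http://shop.example.test/index.asp"]
    for label, header in (("weak", WEAK_HEADER), ("fixed", FIXED_HEADER)):
        print(label, "missing Secure:", unsecured_cookies(header),
              "exposed:", session_exposed(header, pages))
```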
The IIS Web Server File Request Parsing Vulnerability
IIS Version: 4.0 and 5.0
Impact: Remote users can run operating system commands on
a Web server.
Class: Critical
Fix for IIS 4.0: http://www.microsoft.com/ntserver/nts/downloads/critical/q277873
Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25547
Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-086.asp
Credit: NSFocus
An attacker can execute operating system commands that
would enable her to take any action that any interactively logged-on user
could take. This would enable her to add, delete, or change files on the
server; modify Web pages; reformat the hard drive; run existing code on the
server; or upload code onto the server and then run it.
The Invalid URL Vulnerability
IIS Version: 4.0
Impact: Attacker can cause IIS service to fail.
Class: Severe—Denial of Service
Fix for NT 4.0 Workstation, Server and Server Enterprise
Editions: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24403
Credit: Peter Grundl of VIGILANTe
An attacker can send an invalid URL to the server which,
through a sequence of events, could result in an invalid memory request
that would cause the IIS service to fail. Microsoft
engineers believe that the underlying problem actually exists within
Windows NT 4.0 itself.
The Myriad Escaped Characters Vulnerability
IIS Version: 4.0 and 5.0
Impact: An attacker can slow an IIS server's response or
prevent it from providing service.
Class: Medium to Severe—Denial of Service
Fix for IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20292
Fix for IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20286
Credit: Vanja Hrustic of the Relay Group
By sending a malformed URL with an extremely large number
of escape characters, an attacker can consume large quantities of CPU time
and thus slow down or prevent the IIS server from providing service for a
period of time.
The Web Server Folder Traversal Vulnerability
IIS Version: 4.0 and 5.0
Impact: An attacker can take destructive actions against a
Web server.
Class: Critical
Fix: http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
Additional Info: http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
Credit: Rain Forest Puppy
An attacker can change or delete files or Web pages, run
existing code on the Web server, upload new code and run it, format the
hard disk, or take any number of other destructive
actions.
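A log sweep for the two request patterns described in the Myriad Escaped Characters and Web Server Folder Traversal entries above, as an added example that is not from the book: it flags requests whose URL carries an unusually large number of percent-escapes and requests whose decoded path contains a ".." segment. The log lines are constructed in W3C extended format, the field order and the escape threshold are assumptions, and the sample traversal probes only read a harmless file.

```python
import re
from urllib.parse import unquote

ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")
ESCAPE_THRESHOLD = 100  # assumption: tune against your own normal traffic

# Constructed log: a flood of 300 escapes in one path, two traversal probes
# (plain and double-encoded), and two ordinary requests for contrast.
FLOOD_STEM = "/" + "%41" * 300
SAMPLE_LOG = (
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2001-03-01 10:00:01 10.0.0.5 GET /default.htm - 200\n"
    "2001-03-01 10:00:02 10.0.0.5 GET /search.asp q=%41%42 200\n"
    "2001-03-01 10:00:03 10.0.0.7 GET /scripts/..%2f..%2fwinnt/win.ini - 200\n"
    "2001-03-01 10:00:04 10.0.0.7 GET /scripts/%252e%252e/winnt/win.ini - 404\n"
    "2001-03-01 10:00:05 10.0.0.9 GET " + FLOOD_STEM + " - 500\n"
)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def escape_count(stem, query):
    """Number of %XX escapes across path and query ('-' means no query)."""
    url = stem if query in ("", "-") else stem + "?" + query
    return len(ESCAPE_RE.findall(url))


def has_traversal(stem):
    """True if the decoded path contains a '..' segment. Decoding twice catches
    double-encoded dots; backslashes are treated as separators as IIS does."""
    decoded = unquote(unquote(stem)).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def sweep(text, threshold=ESCAPE_THRESHOLD):
    """Return (reason, client_ip, stem) for each suspicious request."""
    hits = []
    for rec in parse_w3c(text):
        stem, query = rec["cs-uri-stem"], rec.get("cs-uri-query", "-")
        if has_traversal(stem):
            hits.append(("traversal", rec["c-ip"], stem))
        if escape_count(stem, query) >= threshold:
            hits.append(("escape-flood", rec["c-ip"], stem))
    return hits


if __name__ == "__main__":
    for reason, ip, stem in sweep(SAMPLE_LOG):
        print(reason, ip, stem[:60])
```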
Tools
After you establish your Windows NT 4.0 or Windows 2000
server, you can obtain several indispensable tools that will help you keep
it secure. No Windows NT 4.0 or Windows 2000 administrator should be caught
without these tools.
Administrator Assistant Tool Kit
Administrator Assistant Tool Kit is an application
suite that contains utilities to streamline system administration on
Windows NT boxes.
Aelita Software
3978 North Hampton Drive
Powell, OH 43065
800-263-0036
Windows Version: Windows NT 4.0 or Windows NT 3.51
Email: Services@aelita.com
URL: http://www.aelita.net/products/AdminAssist.htm
Administrator's Pak
The Administrator's Pak includes a
variety of tools for recovering crashed Windows 2000 and Windows NT 4.0
systems. This bundle includes the NT Locksmith, NTRecover, Remote Recover,
and NTFSDOS Pro tools, just to name a few. The Administrator's Pak bundle
is a great value for tools that will help with recovering your Windows 2000
and Windows NT boxes.
Winternals Software LP
3101 Bee Caves Road, Suite 150
Austin, TX 78746
512-330-9130
Windows Version: Windows 2000 or Windows NT 4.0
Email: info@winternals.com
URL: http://www.winternals.com/
AntiSniff 1.021
AntiSniff 1.021 is a proactive security monitoring tool that searches for computers that are in promiscuous
mode. This product helps administrators and security teams detect who is
watching traffic at their site.
Security Software Technologies, Inc.
Windows Version: Windows NT 4.0 or Windows 9x. SST expects
to release the Windows 2000 version soon.
Email: sst@securitysoftwaretech.com
URL: http://www.securitysoftwaretech.com/antisniff/index.html/
FileAdmin
FileAdmin is an advanced tool for manipulating
file permissions on large Windows NT-based networks. This utility can save
you many hours of work.
Aelita Software
3978 North Hampton Drive
Powell, OH 43065
800-263-0036
Windows Version: Windows NT 4.0 or Windows NT 3.51
Email: Services@aelita.com
URL: http://www.aelita.net/products/FileAdmin.htm
Kane Security Analyst 5.0
Kane Security Analyst provides real-time intrusion
detection for Windows NT 4.0 and Windows 2000. This utility monitors and
reports security violations and is very configurable. It assesses six
critical security areas: access control, data confidentiality, data
integrity, password strength, system monitoring, and user account
restrictions.
Intrusion.com, Inc.—USA
1101 East Arapaho Rd, Suite 100
Richardson, TX 75081
888-637-7770
Windows Version: Windows 2000, Windows NT, or Windows 9x
Email: info@intrusion.com
URL: http://www.intrusion.com/Products/analystnt.shtml
L0phtCrack 3.0
L0phtCrack is a tool that audits Windows 2000 and Windows NT passwords. L0phtCrack is a powerful tool
that really needs to be part of every administrator's toolkit. You can
display various information about the password tests, including how long it
took to crack each password, the cracked passwords, and encrypted password
hashes.
Security Software Technologies, Inc.
Windows Version: Windows 2000 or Windows NT 4.0
Email: sst@securitysoftwaretech.com
URL: http://www.securitysoftwaretech.com/l0phtcrack/
LANguard Internet Access Control
Internet Access Control not only enables you to monitor and control Internet usage on your network, it
also monitors network traffic to detect break-ins from outside your
network. With Internet Access Control, you use keywords to block access to
unwanted sites (such as IRC). You can also use keywords to block searches
for objectionable material at search engine sites without blocking the
entire search engine. With the network monitor, you can watch for
suspicious incoming traffic to a specific server that shouldn't be
accessible to outside traffic.
GFI Fax & Voice USA
105 Towerview Court
Cary, NC 27513
888-2GFIFAX
Windows Version: Windows 2000 or Windows NT 4.0
Email: sales@gfi.com
URL: http://www.gfi.com/
LANguard Security Reporter
Security Reporter collects data about your Windows NT 4.0 or Windows 2000 network, such as user
rights, users having administrative rights, and resource permissions, among
others. This information is stored in a central database. You use the
information in this database to generate reports that help you to identify
and fix potential security problems.
GFI Fax & Voice USA
105 Towerview Court
Cary, NC 27513
888-2GFIFAX
Windows Version: Windows 2000 or Windows NT 4.0
Email: sales@gfi.com
URL: http://www.gfi.com/
NT Crack
NT Crack is a tool that audits Windows
NT passwords. This is the functional equivalent of Crack for UNIX.
Secure Networks, Inc.
Suite 330, 1201 5th Street S.W.
Calgary, Alberta Canada T2R-0Y6
Windows Version: Windows NT (all versions)
URL: http://www.system7.org/archive/Nt-Hacking/windows.html
NT Locksmith
NT Locksmith will access a Windows NT box without a password. It is a recovery utility that allows
you to set a new admin password.
Winternals Software LP
3101 Bee Caves Road, Suite 150
Austin, TX 78746
512-330-9130
Windows Version: Windows 2000 or Windows NT 4.0
Email: info@winternals.com
URL: http://www.winternals.com/
NTFSDOS Pro
NTFSDOS Pro allows you to copy and rename permissions on Windows 2000 and Windows NT 4.0 from a DOS
diskette. This is a great tool to keep around for emergencies (for example,
when you lose that Administrator password).
Winternals Software LP
3101 Bee Caves Road, Suite 150
Austin, TX 78746
512-330-9130
Windows Version: Windows 2000 or Windows NT 4.0
Email: info@winternals.com
URL: http://www.winternals.com/
NTHandle
NTHandle identifies open processes in Windows NT and thus allows you to keep an eye on your users.
NT Internals—Mark Russinovich
Windows Version: Windows 9x/Me, Windows NT 4.0, Windows
2000, or Whistler Beta 1
Email: mark@sysinternals.com
URL: http://www.sysinternals.com
NTRecover
NTRecover is a salvage program. It allows you to access dead Windows NT drives via serial lines—now is
that cool or what? NTRecover uses a serial cable to access files and
volumes on a dead NT box. You use the serial cable connection to make the
disks on the dead box seem as though they are mounted on your own system.
Winternals Software LP
3101 Bee Caves Road, Suite 150
Austin, TX 78746
512-330-9130
Windows Version: Windows 2000 or Windows NT 4.0
Email: info@winternals.com
URL: http://www.winternals.com/
PC Firewall ASaP
PC Firewall ASaP is a bi-directional packet filter suite for Windows 9x/Me and Windows NT 4.0 clients.
myCIO.com (Network Associates, Inc.)
3965 Freedom Circle
Santa Clara, CA 95054
877-796-9246
Windows Version: Windows 9x/Me or Windows NT 4.0
Email: support@mycio.com
URL: http://www.mycio.com/
RedButton
RedButton is a tool for testing
remote vulnerabilities of a publicly accessible Registry. Download
Rbutton.zip.
Midwestern Commerce, Inc.
1601 West Fifth Avenue, Suite 207
Columbus, OH 43212
Windows Version: Windows NT (all versions)
URL: http://www.system7.org/archive/Nt-Hacking/windows.html
RegAdmin
RegAdmin is an advanced tool for manipulating Registry entries on large networks, which is a big timesaver.
Aelita Software
3978 North Hampton Drive
Powell, OH 43065
800-263-0036
Windows Version: Windows NT 4.0 or Windows NT 3.51
Email: Services@box.omna.com
URL: http://www.aelita.net/products/RegAdmin.htm
Remote Recover
Remote Recover acts in the same way as NTRecover.
The difference is that it treats remote drives as though they were locally
installed. It allows you to access and modify drives on unbootable or new
boxes using the network and a bootable floppy.
Winternals Software LP
3101 Bee Caves Road, Suite 150
Austin, TX 78746
512-330-9130
Windows Version: Windows 2000 or Windows NT 4.0
Email: info@winternals.com
URL: http://www.winternals.com/
ScanNT Plus
ScanNT Plus is a dictionary password attack utility. Test your NT passwords.
Midwestern Commerce, Inc. (Ntsecurity.com)
1601 West Fifth Avenue, Suite 207
Columbus, OH 43212
Windows Version: Windows NT 4.0
Email: Services@box.omna.com
URL: http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles/info.html?b=pcm&fcode=000H36
Sniffer Basic
Sniffer Basic (formerly named NetXRay Analyzer) is a powerful protocol analyzer (sniffer) and network
monitoring tool for Windows NT. It is probably the most comprehensive NT
sniffer available.
Sniffer Technologies
3965 Freedom Circle
Santa Clara, CA 95054
800-SNIFFER
Windows Version: Windows NT (all versions) or Windows 98
Note: Sniffer
Technologies released Sniffer Pro 4.5 for laptop platforms in January,
2001. This version includes support for Windows 2000.
Email: bcahillane@nai.com
URL: http://www.sniffer.com/products/sniffer-basic/default.asp?A=2
Somarsoft DumpSec
Somarsoft DumpSec dumps permissions for the
Windows NT file system and the Registry, including shares and printers. It
offers a bird's-eye view of permissions, which are normally hard to gather
on large networks.
SystemTools LLP
P.O. Box 1209
La Vernia, TX 78121
877-797-8665
Windows Version: Windows NT (all versions)
Email: sales@systemtools.com
URL: http://www.somarsoft.com/
Somarsoft DumpEvt
Somarsoft DumpEvt dumps Event Log information for importation into a database for analysis.
SystemTools LLP
P.O. Box 1209
La Vernia, TX 78121
877-797-8665
Windows Version: Windows 2000 or Windows NT (all versions)
Email: sales@systemtools.com
URL: http://www.somarsoft.com/
Somarsoft DumpReg
Somarsoft DumpReg dumps Registry information for analysis. It also allows incisive searching and
matching of keys.
SystemTools LLP
P.O. Box 1209
La Vernia, TX 78121
877-797-8665
Windows Version: Windows NT (all versions) or Windows 98
Email: info@somarsoft.com
URL: http://www.somarsoft.com/
Virtuosity
Virtuosity is a wide-scale management and Windows NT rollout tool. (Good for heavy-duty rollouts.)
Raxco, Ltd.
Orchard House
Narborough Wood Park
Enderby, Leicester, UK LE9 5XT
+44 (0)116 239-5888
Windows Version: Windows NT 4.0 or Windows NT 3.51
URL: http://www.domainmigration.com/fp_virtuosity.html
Access Control Software
The following section introduces several good packages for adding access control
to Windows 2000, Windows NT, and Windows 9x/Me.
Cetus StormWindow
Cetus Software, Inc.
P.O. Box 1450
Marshfield, MA 02050
781-834-4411
Windows Version: Windows 2000, Windows NT 4.0 or Windows
9x/Me
Email: cetussoft@aol.com
URL: http://www.cetussoft.com/
Cetus StormWindow allows you to incisively hide and
protect almost anything within the system environment, including the following:
· Links and folders
· Drives and directories
· Networked devices and printers
In all, Cetus StormWindow offers very comprehensive access
control. (This product will also intercept most alternate boot requests,
such as warm boots, Ctrl+Alt+Delete, and function keys.)
Clasp2000
Clasp2000
4 Grand Banks Circle
Marlton, NJ 08053
FAX: 810-821-6250
Windows Version: Windows 2000 or Windows 9x
Email: service@claspnow.com
URL: http://www.cyberenet.net/~ryan/
Clasp2000 offers strong password protection, disables
access to Windows 95 and Windows 98, and intercepts warm boot
Ctrl+Alt+Delete sequences.
ConfigSafe Complete Recovery v4 by imagine LAN, Inc.
imagine LAN, Inc.
74 Northeastern Blvd. Suite 12
Nashua, NH 03062
800-372-9776
Windows Version: Windows 2000, Windows NT 4.0 or Windows
9x/Me
Email: feedback@imagelan.com
URL: http://www.configsafe.com
ConfigSafe Complete Recovery v4 records changes and
updates made to the Registry, system files, drivers, directory structures,
DLL files, and system hardware. You can instantly restore a system to a
previously working configuration with
ConfigSafe.
DECROS Security Card by DECROS, Ltd.
DECROS, Ltd.
J. S. Baara 40
370 01 Ceske Budejovice Czech Republic
420-38-731 2808
Windows Version: Windows 2000, Windows NT 4.0 or Windows
9x/Me
Email: info@decros.cz
URL: http://www.decros.com/security_division/p_list_hw.htm
DECROS Security Card provides C2-level access control
using physical security in the form of a card key. Without that card, no
one will gain access to the system.
Desktop Surveillance Enterprise and Personal Editions
Omniquad, Ltd.
Hanovia House
28/29 Eastman Road
London W3 7YG, UK
+44 (0) 181 743 8093
Windows Version: Windows NT 4.0 or Windows 9x
Email: support@omniquad.com
URL: http://www.omniquad.com/
Desktop Surveillance is a full-fledged investigation and
access control utility. (This product has strong logging and audit capabilities.)
HDD-Protect 2.5c
Gottfried Siehs
Tiergartenstrasse 99
A-6020 Innsbruck, Austria / Europe
Windows Version: Windows 98 or Windows 95
Email: g.siehs@tirol.com
URL: http://www.geocities.com/SiliconValley/Lakes/8753/
HDD-Protect has hardware-level access control and actually
restricts access to the hard disk drive.
Omniquad Detective 2.1
Hanovia House
28/29 Eastman Road
London W3 7YG, UK
+44 (0) 181 743 8093
Windows Version: Windows NT 4.0 or Windows 9x
Email: support@omniquad.com
URL: http://www.omniquad.com/
The Detective is a simple but powerful tool for monitoring
system processes. Omniquad Detective enables you to monitor computer usage,
reconstruct activities that have occurred on a workstation or server,
identify intruders who try to cover their tracks, perform content analysis,
and define user search patterns. In all, this very comprehensive tool is
tailor-made to catch someone in the act, and is probably suitable for
investigating computer-assisted crime in the workplace.
Secure4U 5.0
Sandbox Security AG
Lilienthalstr. 1
82178 Puchheim
Germany
+49 (0) 89 800 70 0
Windows Version: Windows 2000, Windows NT 4.0 or Windows 9x/Me
Email: sales@SandboxSecurity.com
URL: http://www.sandboxsecurity.com/main.htm
Secure4U provides powerful filtering and access control.
It specifically targets ActiveX, Java, and other embedded plug-ins and
scripting languages, preventing them from flowing into your network.
StopLock Suite by Conclusive Logic, Inc.
Conclusive Logic, Inc.
800 W. El Camino Real
Suite 180
Mountain View, CA 94040 USA
650-943-2359
Windows Version: Windows 2000, Windows NT 4.0 or Windows 9x
Email: info@conclusive.com
URL: http://www.conclusive.com/
StopLock provides access control. The package also
includes boot control, auditing functionality, and logging tools.
TrueFace
eTrue, Inc.
144 Turnpike Rd.
Suite 100
Southboro, MA 01772
508-303-9901
Windows Version: Windows 32-bit platforms
URL: http://www.miros.com/solutions/face.htm
TrueFace is a face recognition program. The software
recognizes only those faces that are registered in its face database. The
machine actually looks at you to determine whether you are an authorized
user. The company claims that the technology on which TrueFace is based is
neural net technology.
Windows Task-Lock by Posum LLC
Posum LLC
P.O. Box 21015
Huntsville, AL 35824
256-895-9857
Windows Version: Windows 2000, Windows NT 4.0, or Windows 9x/Me
Email: support@posum.com
URL: http://posum.com/
Windows Task-Lock 6.0 provides a simple, inexpensive, and
effective way to password-protect specified applications no matter how you
(or someone else) execute them. It is easy to configure and requires little
or no modification to your current system configuration. Optional sound
events, stealth mode, and password timeout are also included.
WP WinSafe
PBNSoft
Windows Version: Windows NT or Windows 9x
Email: info@pnbsoft.com
URL: http://www.pbnsoft.com/
WinSafe, a promising utility, allows you to encrypt your
files using strong cryptographic algorithms such as Blowfish and CAST. With
WinSafe you can choose from among 28 different algorithms. Other tools
included with this package are File Wiping and Merge Files. File Wiping
overwrites deleted files with random data as many times as you specify.
Merge Files enables you to merge two files so that you can hide one file
inside another.
Caution
The documentation suggests that using the Windows Policy
Editor to set the real-mode DOS settings could potentially conflict with
WinSafe.
SafeGuard Easy
Utimaco Safeware, Inc.
2 Chestnut Place
Suite 310
22 Elm Street
Worcester, MA 01608 USA
508-799-4333
Windows Version: Windows 2000, Windows NT 4.0, Windows 9x, or MS-DOS
Email: info.us@utimaco.de
URL: http://www.utimaco.de/newpage/indexmain.html
SafeGuard Easy offers hard disk drive encryption,
protection against booting from a floppy, password aging, and password
authentication for Windows operating systems. SafeGuard supports several
strong encryption algorithms, including both DES and International Data
Encryption Algorithm (IDEA). The SafeGuard line of products includes
SafeGuard VPN, SafeGuard LAN Crypt, and SafeGuard Personal FireWall. Of
special interest is that these products can be installed over a network
(thereby obviating the need to make separate installations).
Secure Shell
F-Secure, Inc.
5007 Lincoln Avenue, Suite 310
Lisle, IL 60532 USA
630-810-8901
Windows Version: Windows 2000, Windows NT 4.0, Windows 9x, or Windows 3.x
Email: Chicago@F-secure.com
URL: http://www.f-secure.com/products/network_security/
Secure Shell (SSH) provides safe, encrypted communication
over the Internet or other untrusted networks. SSH is an excellent
replacement for Telnet or rlogin. SSH uses IDEA and Rivest-Shamir-Adleman
(RSA) encryption and is therefore extremely secure. It is reported that the
keys are discarded and new keys are made once an hour. SSH completely
eliminates the possibility of third parties capturing your communication
(for example, passwords that might otherwise be passed in clear text). SSH
sessions cannot be overtaken or hijacked, nor can they be sniffed. The only
real drawback is that for you to use SSH, the other end must also be using
it. Although you might think such encrypted communication would be
dreadfully slow, it isn't.
Good Online Sources of Information
This section contains many good Windows resource
links. Most are dynamic and house material that is routinely updated.
The Windows NT Security FAQ
If you are new to Windows NT security, the Windows NT Security Frequently Asked Questions document
is an absolute must. I would wager that better than half of the questions
you have about NT security are answered in this document.
http://www.it.kth.se/~rom/ntsec.html
NTBugTraq
NTBugTraq is an excellent resource
provided by Russ Cooper of RC Consulting. The site includes a database of Windows
NT vulnerabilities, plus the archived and searchable versions of the
NTBugTraq mailing list.
http://www.ntbugtraq.com
NTSECURITY.COM for Windows 2000 and Windows NT
This site is hosted by the Aelita Software
Group, a division of Midwestern Commerce, Inc., a well-known development firm
that designs security applications for Windows 2000 and Windows NT, among
other things.
http://www.ntsecurity.com/default.htm
Expert Answers for Windows 2000, Windows NT, and Windows 9x/Me
This is a forum in which advanced Windows 2000, Windows NT, and Windows 9x/Me issues are discussed. It is
a good place to find possible solutions to very
obscure and configuration-specific problems. Regulars post clear, concise
questions and answers along the lines of "I have a PPRO II w/ NT 4.0
and IIS 3 running MS Exchange 5.0, with SP3 for NT and SP1 for Exchange.
So, why is my mail server dying?"
http://community.zdnet.com/cgi-bin/podium/show?ROOT=331&MSG=331&T=index
Windows IT Security (Formerly NTSecurity.net)
The Windows IT Security site, hosted by Windows 2000 Magazine, is full
of information about the latest in security. You can subscribe to
discussion lists about advanced vulnerabilities in the Windows 2000 and
Windows NT operating systems. You can find it at the following URL:
http://www.ntsecurity.net/
"An Introduction to the Windows 2000 Public Key Infrastructure"
"An Introduction to the Windows 2000 Public Key
Infrastructure" is an article written by Microsoft Press. It presents
an introduction to one of Windows 2000's new security features, PKI.
http://www.microsoft.com/WINDOWS2000/library/howitworks/security/pkiintro.asp
Windows 2000 Magazine Online
I know what you're thinking—that commercial
magazines are probably not very good sources for security information. I am
happy to report that this site is an exception. Some very valuable articles
and editorials about Windows 2000 and Windows NT 4.0 appear here.
http://www.winntmag.com/
Securing Windows NT Installation
Securing Windows NT Installation
is an incredibly detailed document from Microsoft on
establishing a secure Windows NT server. You can find it at this site:
http://www.microsoft.com/ntserver/security/exec/overview/Secure_NTInstall.asp
Checklist for Upgrading to Windows 2000 Server
Microsoft lists the steps necessary to
upgrade to Windows 2000. They include how to check whether your hardware
and software is compatible with Windows 2000 and how to choose a file
system. You can find it here:
http://www.microsoft.com/TechNet/win2000/srvchk.asp
The University of Texas at Austin Computation Center NT Archive
This site contains a wide (and
sometimes eclectic) range of tools and fixes for Windows NT. (A good
example is a fully-functional Curses library for use on NT.)
ftp://microlib.cc.utexas.edu:/microlib/nt/
Books on Windows 2000 and Windows NT Security
The following titles are assorted treatments
on Windows 2000 and NT security.
Securing Windows NT/2000 Servers for the Internet. Stefan Norberg, Deborah Russell. O'Reilly & Associates. 1-56592-768-0. 2000.
Windows 2000 Security. Roberta Bragg. New Riders Publishing. 0-73570-991-2. 2000.
Windows 2000 Security: Little Black Book. Ian McLean. The Coriolis Group. 1-57610-387-0. 2000.
Configuring Windows 2000 Server Security. Thomas W. Shinder and D. Lynn White. Syngress Media, Inc. 1-92899-402-4. 1999.
Microsoft Windows 2000 Security Technical Reference. Internet Security Systems, Inc. Microsoft Press. 0-73560-858-X. 2000.
Microsoft Windows 2000 Security Handbook. Jeff Schmidt. Que. 0-78971-999-1. 2000.
Microsoft Windows NT 4.0 Security, Audit, and Control (Microsoft Technical Reference). James G. Jumes. Microsoft Press. 1-57231-818-X. 1998.
NT 4 Network Security. Matthew Strebe. Sybex. 0-78212-425-9. 1999.
Windows NT/2000 Network Security (Circle Series). E. Eugene Schultz. New Riders Publishing. 1-57870-253-4. 2000.
Windows 2000 Security Handbook. Phillip Cox. McGraw-Hill Professional Publishing. 0-07212-433-4. 2000.
Windows NT Server Security Guide (Prentice Hall Series on Microsoft Technologies). Marcus Goncalves. Prentice Hall Computer Books. 0-13679-903-5. 1998.
Windows NT Security Handbook. Thomas Sheldon. Osborne McGraw-Hill. 0-07882-240-8. 1996.