SBS 2008 security ideas

2010.09.01

When Cougar (also known as SBS 2008) was presented, one of the major advantages was increased security. From those days to now – about 2 years of experience in deploying and managing it – I can verify that it is, as usual, bullshit not correct.

Why?

Let's see a few major features:

1. Password complexity for users: Just imagine office users who have been using passwords like “1234”, and then someone tells you:

“…users must create strong passwords to meet the following minimum requirements:

  • Passwords cannot contain the user’s account name or parts of the user’s full name that exceed two consecutive characters.
  • Passwords must be at least six characters in length.
  • Passwords must contain characters from three of the following four categories:
    • English uppercase characters (A through Z).
    • English lowercase characters (a through z).
    • Base 10 digits (0 through 9).
    • Non-alphabetic characters (for example, !, $, #, %).”

“Oh, really? Take this piece of shit out of our office, and close the door from the other side” – standard reaction. Really, google “password complexity SBS 2008” – the first 10 results are how to disable it. Usual result – disabled, also password length 0 and no history at all.

2. OWA is enabled by default for each SBS user. Well – please have a look at my Outlook, Exchange global address book, tasks etc.

3. RWW – requires opening the following ports directly to the server:

  • Routers on Windows SBS 2008 must be configured to forward Internet traffic to TCP ports 80, 443, 987, and 3389

Well, why are we back in the year 2000, opening 3389 directly to the server? Also – they say RDP now requires a certificate to connect to office computers. None of the SBS 2008 setups I have seen uses an external cert; everyone uses self-signed. But that's not the point – it can be passed in 4 clicks from any Internet computer, actually. So – another dumb protection feature?

4. SBS server was press-released as “focused on creating integrated, affordable server solutions that are optimized to meet the needs of companies with limited IT resources” – in simple words – for companies with an outsourced sysadmin or some home-grown kid who knows computers just enough to complete the SBS wizards. So – actually, no one cares about security at all – limited IT resources, remember? Basically – a weak platform prepared for intrusion :) No security, no logging, no pros to review it on a regular basis. An evil mind's dream, actually.

As a result? Find a company with SBS, scan\detect\get the mail domain, enumerate users and simply brute it up. Get a valid password, use RWW to connect to a PC, infect it and get creds for the server. 0wned. It was simple in 2003, it's the same simplicity in 2008, actually. Why upgrade?

There are some more ideas, but actually not for public disclosure right now. I am still a sysadmin part of the time, no need for extra hours :)

p.s. For information only, not for malicious purposes. Protection comes from knowledge, so know your enemy and the ways it will use.
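A check for the first point above – whether the domain is still at the SBS defaults or has been “fixed” to length 0 and no history – as an added example; this is my own script, not code from the original post. It assumes it runs on the SBS server itself (so the secedit export reflects the effective domain policy) with English-language tool output, and the baseline numbers are my own choice, not from the page.

```powershell
# Added example (not from the original post): report whether the domain account policy
# has been weakened the way the post describes (complexity off, minimum length 0,
# no history). Assumes English output from net.exe and that it runs on the SBS server.
function Get-DomainAccountPolicy {
    # "net accounts /domain" prints "Label:   value" lines; turn them into a hashtable.
    $policy = @{}
    foreach ($line in (& net.exe accounts /domain)) {
        if ($line -match '^(?<name>[^:]+?):\s+(?<value>.+)$') {
            $policy[$matches['name'].Trim()] = $matches['value'].Trim()
        }
    }
    # Complexity is not shown by net.exe; read it from a security template export instead.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $hit = Get-Content $inf | Select-String '^\s*PasswordComplexity\s*=\s*(\d)'
    $policy['PasswordComplexity'] = if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'unknown' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordPolicy {
    # Baseline values are my own assumptions; adjust to your corporate policy.
    param([hashtable]$Policy, [int]$MinLength = 8, [int]$MinHistory = 5, [int]$MaxAgeDays = 90)
    $findings = @()
    $len = $Policy['Minimum password length']
    if ($len -eq 'None' -or [int]$len -lt $MinLength) {
        $findings += "minimum password length is '$len', want >= $MinLength"
    }
    $hist = $Policy['Length of password history maintained']
    if ($hist -eq 'None' -or [int]$hist -lt $MinHistory) {
        $findings += "password history is '$hist', want >= $MinHistory"
    }
    $age = $Policy['Maximum password age (days)']
    if ($age -eq 'Unlimited' -or [int]$age -gt $MaxAgeDays) {
        $findings += "maximum password age is '$age', want <= $MaxAgeDays"
    }
    if ($Policy['PasswordComplexity'] -ne '1') {
        $findings += "complexity requirement is off (PasswordComplexity = $($Policy['PasswordComplexity']))"
    }
    return $findings
}

$findings = Test-PasswordPolicy -Policy (Get-DomainAccountPolicy)
if ($findings.Count -eq 0) { 'Password policy meets the baseline.' }
else { $findings | ForEach-Object { "WEAK: $_" } }
```

Run it from an elevated PowerShell on the server; every “WEAK:” line is one of the “10 first google results” having been applied.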

SBS 2008 – how to use an Exchange Smart Host with an external mail hoster

2010.09.01

A few new clients, SBS 2008 as the central server.
Once there was a problem sending mail to users of the same Internet domain outside the SBS (2003) – the error was something like:

#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##

New workaround:
Exchange Management Console – Organization Configuration – Hub Transport – Accepted Domains – Windows SBS External Domain
Instead of Authoritative Domain choose Internal Relay Domain.
(As an authoritative domain Exchange assumes it holds every mailbox of that domain and rejects unknown recipients with 5.1.1; as an internal relay domain it delivers the mailboxes it has and hands unknown recipients to the send connector, i.e. the smart host.)
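The same change done from the Exchange Management Shell, with a before/after check, as an added example (my script, not from the original post). It assumes the accepted domain is named “Windows SBS External Domain” as in the console path above; adjust the name if the SBS wizard named it differently in your installation.

```powershell
# Added example (not from the original post): switch the SBS external accepted domain
# from Authoritative to InternalRelay and show the send connectors that will carry
# the relayed mail. Assumes the accepted-domain name from the page.
$name = 'Windows SBS External Domain'

$before = Get-AcceptedDomain -Identity $name
"Before: {0} -> {1} ({2})" -f $before.Name, $before.DomainName, $before.DomainType

# Internal relay: Exchange delivers to the mailboxes it has and relays recipients it
# does not know to the smart host instead of bouncing them with 5.1.1.
if ($before.DomainType -ne 'InternalRelay') {
    Set-AcceptedDomain -Identity $name -DomainType InternalRelay
}

# The send connector for this address space must point at the hoster's smart host;
# list the connectors so the operator can confirm SmartHosts and the address space.
Get-SendConnector | Select-Object Name, AddressSpaces, SmartHosts, DNSRoutingEnabled

$after = Get-AcceptedDomain -Identity $name
"After:  {0} ({1})" -f $after.DomainName, $after.DomainType
```

If the connector listing shows DNSRoutingEnabled set to True for the domain's address space, mail for unknown recipients will loop back to your own MX instead of reaching the hoster; the connector has to use the smart host.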

BackupExec 12.x (at least) – Backup-to-Disk Folders – change path without recreating

2010.08.31

Well, kind of a dumb task, but there is no way to change the path of BACKUP-TO-DISK FOLDERS in Devices (NAS name changed, all data present in a different place, etc.). Recommended action – delete and recreate. But – it will cause problems with old backups, and anyway – lots of dumb work.
But – it's all about data now. So, here is the solution:
1. SQL Server Management Studio – Connect – Server\BKUPEXEC
2. Disable all Backup Exec services first, except SQL
3. Go to Databases – BEDB – Tables – dbo.BackupToDiskFolders – Open Table
4. Correct the path in FolderPath to the right one, then save
5. Start all Backup Exec services.
Done.
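The same FolderPath fix as a script, so the change is previewed and applied in one transaction instead of being hand-edited in Management Studio; this is an added example of mine, not Symantec's or the post's code. It assumes the instance Server\BKUPEXEC, database BEDB and table dbo.BackupToDiskFolders named above; the old and new UNC paths are placeholders.

```powershell
# Added example (not from the original post): rewrite the FolderPath prefix in
# BEDB.dbo.BackupToDiskFolders. Stop the Backup Exec services (except SQL) first,
# as the post says, and keep a copy of BEDB. Without -Apply only the preview runs.
param(
    [string]$Instance = '.\BKUPEXEC',
    [string]$OldPath  = '\\OLDNAS\backups',   # placeholder
    [string]$NewPath  = '\\NEWNAS\backups',   # placeholder
    [switch]$Apply
)

$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList `
    "Server=$Instance;Database=BEDB;Integrated Security=SSPI"
$conn.Open()
$tx = $conn.BeginTransaction()
try {
    # Preview which rows would change. Parameterised so a path with quotes cannot break the query.
    $select = $conn.CreateCommand()
    $select.Transaction = $tx
    $select.CommandText = "SELECT FolderPath FROM dbo.BackupToDiskFolders WHERE FolderPath LIKE @old + '%'"
    [void]$select.Parameters.AddWithValue('@old', $OldPath)
    $reader = $select.ExecuteReader()
    while ($reader.Read()) {
        $p = $reader.GetString(0)
        "{0}  ->  {1}" -f $p, ($NewPath + $p.Substring($OldPath.Length))
    }
    $reader.Close()

    if ($Apply) {
        # Replace only the leading part of the path; subfolders under it are kept.
        $update = $conn.CreateCommand()
        $update.Transaction = $tx
        $update.CommandText = @"
UPDATE dbo.BackupToDiskFolders
SET FolderPath = @new + SUBSTRING(FolderPath, LEN(@old) + 1, LEN(FolderPath))
WHERE FolderPath LIKE @old + '%'
"@
        [void]$update.Parameters.AddWithValue('@old', $OldPath)
        [void]$update.Parameters.AddWithValue('@new', $NewPath)
        $n = $update.ExecuteNonQuery()
        $tx.Commit()
        "Updated $n row(s)."
    } else {
        $tx.Rollback()
        'Preview only; re-run with -Apply to write the change.'
    }
} catch {
    $tx.Rollback()
    throw
} finally {
    $conn.Close()
}
```

Run once without -Apply and compare the printed pairs with the real folders on the new NAS before writing anything; the transaction is rolled back on any error, so a typo in the path leaves BEDB untouched.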

“Microsoft Exchange Server 2010 Unleashed” (Rand H. Morimoto and others, SAMS 2010)

2010.08.29

Look at this book here.

A good book for Exchange pros, definitely worth reading.

PART IV: “Securing an Exchange Server 2010 Environment”
The authors recommend addressing Exchange Server security as two components:
- Server level – protecting data physically stored on the server itself
- Transport level – protecting data passing through the server (mail flow etc.)
Statements:
“Viruses have existed in the computer world long before the first email message was sent.” p321 – is it true?
Major security improvement in Exchange 2010 according to the authors: administrative roles in Exchange 2010 are separated from high Active Directory permissions.

Hardening Exchange (2010 especially):
1. Implement physical security:
- Locked server room doors, closed server case, possibly removed USB ports.
- Disable booting from CD\USB\network in the BIOS as part of the boot plan.
- Password-protect BIOS changes.
2. Correct user policy – only admins are able to log on locally.
3. Audit – configure audit policies, perform audit logging and review the logs!
4. Keep a minimum of services enabled – disable all unneeded Exchange services to narrow the attack surface.
5. Use file system capabilities to protect data stored on the server (NTFS permissions, encryption etc.).
6. Use MBSA to analyse the server frequently!
7. Implement NIST and NSA standards and best practices [link?]
8. Use the Security Configuration Wizard (SCW) on Server 2008 to improve security (use the templates for Exchange Server 2010 available from the website).
9. Patch and update in time and regularly!
10. Establish and enforce a corporate security policy, including an email policy (personal usage, expectation of privacy, monitoring, prohibited content and data confidentiality, email retention and point of contact).

Administrative templates can be used for server hardening:
1. Administrator and operator users should not have mailboxes – since most evil arrives via mail and executes with the rights of the authenticated user, this prevents the evil code from getting administrator rights by default.
2. Grant permissions to groups, not users – prevents user mess and permission errors in a heavily loaded environment.
3. Use a strong password policy.
4. Require authentication and encryption for all incoming\outgoing connections.
5. Use global policies.

In addition:
1. Configure only authenticated personnel to be able to send mail messages to large distribution lists inside the organisation (message delivery restrictions).
2. Use email disclaimers for enforcing legal policies.
3. Use the integrated Exchange 2010 features for increasing security: antispam\antiphishing capabilities, URL\link replacement in mails, Email Postmark tech (Exch 2010 & Office 2k7 and up), connection filtering, IMF as a content filter, regular antispam updates, all the “exclusive” Microsoft reputation services: IP, Sender etc.
4. Use blacklists of third-party organisations.
5. Protect from viruses (both stored and flowing data), use AV software, Forefront server.

Protecting the transport level of the Exchange server:
1. Encrypt communications with the Exchange server: both client\server and server\server communications (TLS\SSL, PKI, S\MIME).
2. Secure SMTP connectors (both sending and receiving).
3. Set message delivery limits to prevent a DoS situation.
4. Separately secure NICs for internal and external connections (on the Edge Transport server role) – for external it is recommended to open only port 25; for internal – 25\TCP (SMTP), 50389\TCP and 50636\UDP (LDAP communication), 3389\TCP (for RDP).
5. For the Edge Transport server role on a stand-alone server: make sure the default “Administrator” account is disabled and use another account with a non-standard username and a complex password.
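Item 4 as Windows Firewall rules on the Edge Transport box, as an added example (my own, not from the book). It assumes two NICs, 203.0.113.10 external and 10.0.0.10 internal (documentation and private ranges used as placeholders), Hub Transport servers in 10.0.0.0/24, and an admin host at 10.0.0.5; the rule names are mine. One caveat: the list above says 50636\UDP, but the EdgeSync secure LDAP listener on 50636 is TCP, so the rule below opens TCP.

```powershell
# Added example (not from the book or the post): inbound firewall policy for an
# Edge Transport server with separate external and internal NICs. All addresses
# are placeholders; replace them with the real interface and hub addresses.
$external = '203.0.113.10'
$internal = '10.0.0.10'
$hubNet   = '10.0.0.0/24'
$adminPc  = '10.0.0.5'

# Default: drop everything inbound that no rule allows, on every profile.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# External interface: SMTP only, from anywhere.
netsh advfirewall firewall add rule name=EdgeSMTPExternal dir=in action=allow `
    protocol=TCP localport=25 localip=$external

# Internal interface: SMTP and EdgeSync LDAP from the hub network only.
netsh advfirewall firewall add rule name=EdgeSMTPInternal dir=in action=allow `
    protocol=TCP localport=25 localip=$internal remoteip=$hubNet
netsh advfirewall firewall add rule name=EdgeSyncLDAP dir=in action=allow `
    protocol=TCP localport=50389,50636 localip=$internal remoteip=$hubNet

# RDP on the internal interface, and only from the management host.
netsh advfirewall firewall add rule name=EdgeRDPInternal dir=in action=allow `
    protocol=TCP localport=3389 localip=$internal remoteip=$adminPc

# Show what is now open so the result can be reviewed against the list above.
netsh advfirewall firewall show rule name=all dir=in | Select-String 'Rule Name|LocalIP|LocalPort|RemoteIP'
```

Apply it from a console session or over the internal interface, since the blockinbound default takes effect before the RDP rule is added.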

One of the major recommendations is: “Although it is possible to manually secure the server, the SCW automates the process and applies Microsoft recommended best practices to lock the server down by utilizing a role-based metaphor to determine what services are needed on a particular server.” (p364)

“Group Policy: Fundamentals, Security, and the Managed Desktop” (Jeremy Moskowitz, Sybex 2010)

2010.08.24

You can look at the book here

Actually, the book is about GP, by a guy with a good sense of humour for an IT guy :) But it can be used for our purposes – hardening, security and anti-forensics. Definitely recommended for GP geeks, nice “before-bed” reading for Windows sysadmins.

To picture the style of the book: “Imagine what happens when a bunch of GPOs are inadvertently deleted. Let’s just say that the users are suddenly happy because they can do stuff they couldn’t normally do, and you’re not happy because now they’re happy. Ironic, isn’t it?” (p135)

GP – hardening by Jeremy Moskowitz.
In Windows systems GP is an important part of daily corporate enforcement, including security etc. But a few points should be pointed out to security admins:
1. GP updates itself on a regular but not-so-frequent basis (once every 90-120 minutes for an incremental review of policies, and once about every 16 hours) (p166)
2. Each GP update can be overruled by a direct registry change for a long enough time period (up to 16 hours). For example, the refresh time period for security settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval
3. The list of applied GPs, their structure and content can be viewed with the Resultant Set of Policy console: rsop.msc
4. A slow network link causes the less-important parts of GP processing to be skipped. What is a slow link?
- Speed up to 500 Kbps for Windows 2k\XP\2k3, detected via the ICMP protocol – pinging the DC.
- Vista and W7 use the Network Location Awareness 2 (NLA2) mechanism to detect speed (p169 for more details).

What to do to prevent a malicious user cheating with GP:
1. Do not give your users local Administrator rights – it prevents them from modifying the registry, changing FW settings etc., or at least will require privilege escalation.
2. Use GP itself to enforce some changes.
Under User Configuration – Policies – Administrative Templates – System – Group Policy:
- Group Policy refresh interval for users – change it according to the speed of your LAN to decrease the refresh time
- Group Policy slow link detection – apply your criteria to
Under Computer Configuration – Policies – Administrative Templates – System – Group Policy:
- Disallow Interactive Users from Generating Resultant Set of Policy Data – change to Enabled, to prevent rsop.msc being used as a point for gathering GP info.

Computer settings, the preferred location:   HKLM\Software\Policies
Computer settings, an alternative location:    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
User settings, the preferred location:    HKCU\Software\Policies
User settings, an alternative location:    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
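A script that reads the settings discussed above straight from the registry of the machine being checked, as an added example (mine, not from the book or the post). Only the GPExtensions path with MaxNoGPOListChangesInterval comes from the page; the other value names (GroupPolicyRefreshTime, GroupPolicyRefreshTimeOffset, DenyRsopToInteractiveUser) are what I understand the policies to write, so treat them as assumptions and confirm against rsop.msc or “gpresult /v”. Both policy locations listed above (preferred and alternative) are checked.

```powershell
# Added example (not from the book or the post): audit the GP refresh and RSoP
# settings on the local machine. Value names other than MaxNoGPOListChangesInterval
# are assumptions; verify them against rsop.msc on your own system.
function Get-PolicyValue {
    param([string]$Hive, [string]$Name)   # $Hive is 'HKLM' or 'HKCU'
    # Preferred location first, then the alternative one, as listed on the page.
    $locations = @(
        "$($Hive):\Software\Policies\Microsoft\Windows\System",
        "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    )
    foreach ($path in $locations) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($item -ne $null) { return @{ Value = $item.$Name; Path = $path } }
    }
    return $null
}

# Point 2 above: the security CSE re-apply interval (default 960 minutes = 16 hours).
$gpExt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$max = (Get-ItemProperty -Path $gpExt -Name MaxNoGPOListChangesInterval -ErrorAction SilentlyContinue).MaxNoGPOListChangesInterval
"MaxNoGPOListChangesInterval : {0}" -f $(if ($max -eq $null) { 'not set (default 960 min)' } else { "$max min" })

# Refresh interval and RSoP lockdown, for computer (HKLM) and user (HKCU) scope.
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($name in 'GroupPolicyRefreshTime', 'GroupPolicyRefreshTimeOffset', 'DenyRsopToInteractiveUser') {
        $r = Get-PolicyValue -Hive $hive -Name $name
        if ($r -eq $null) { "{0} {1,-30}: not set (default)" -f $hive, $name }
        else { "{0} {1,-30}: {2}  ({3})" -f $hive, $name, $r.Value, $r.Path }
    }
}

# Point 1 above: anyone in the local Administrators group can rewrite these keys,
# so list that group in the same report.
net localgroup Administrators
```

A DenyRsopToInteractiveUser of 1 in either hive is what the “Disallow Interactive Users from Generating Resultant Set of Policy Data” setting above looks like from the registry side; a value that is set but differs from what the GPO specifies is the overruled-by-registry case from point 2, and survives until the next forced refresh.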

“The Rootkit Arsenal” (Reverend Bill Blunden,2009)

2010.08.24

You can look at it here

In my opinion, one of the books you should read if you want to be a security professional working with the Dark Side of the Force. At least to understand the way of thinking :) The notes I made – just to review one small chapter that I am currently interested in – Anti-Forensics:

Just for start:

P 494:
“Sometimes the goal is to make forensic analysis prohibitively expensive; which is to say that raising the bar high enough can do the trick. After all, the analysts of the real world are often constrained by budgets and billable hours.”

Anti-forensic tactics:
- Data destruction;
- Data hiding
- Data transformation
- Data contraception
- Data fabrication
- File system attacks

Questions to review on anti-forensics:
- How to change the policy of XP\Vista\7 to prevent as much logging as possible (events, services, debug, crashes etc.)

Tools recommended by the author: logger.exe – from the MS Debugging Tools set – logs all API calls

Good (relatively) news for those who have something to hide – from Vista and up, when a new file is written to a cluster, all slack (empty space after the physical end of the file) is rewritten with zeroes. It sucks if you save your data there to hide it, and is good if you prefer your data wiped as many times as possible.

Interesting idea about rooting managers' and high-rank staff devices as a point for hidden activity and a vault for data:
1. usually a less-experienced, but “high-ego” user
2. Administrative rights on the PC
3. Lots of default-config devices around (smartphones\PDAs\etc.)
4. Limited access to the machine for network staff
5. Less-strict policies
Well – heaven for an intruder :)

I am back!

2010.08.24

Wow… It was a long trip :) Lots of pics, lots of experience, gigs of photos and many new books reviewed :) Going to update the blog soon :)

SBS 2003 to 2008 migration without exchange

2010.08.09

Well, it's complicated.
Sometimes, somehow, SBS 2003 was installed without Exchange support. Anyway, to migrate it to SBS 2008, you'll have to:
1. Perform all preparations for the Exchange installation (domain\forest level, SMTP\NNTP services up etc.)
2. Install Exchange on the source server (Add\Remove Programs – Windows Small Business Server – Exchange install)
3. Apply Exchange SP2 on the fresh installation of Exchange, and then make sure the server is healthy
4. Use the SBS 2003 BPA and fix all Exchange-related issues
5. Then – BACK your server UP! – Use imaging software – the Acronis trial, for example. It will save a lot of your health.
6. Run the Preparation tool

Linux console – minicom

2010.08.04

Just for me, and others, a review of how to manage devices via the console port from Linux:
You'll need: minicom – a Linux application
From Red Hat: 

]#yum install minicom
From Debian-based systems:

]$sudo apt-get install minicom

After it is installed – as root run

]#minicom -s

Then configure the device – go to Serial port setup and for the COM port enter /dev/ttyS0 (or whatever your COM is, use dmesg)

Then choose the proper config and in the main screen choose Save setup as dfl

After this – the terminal window is available. Connect the cable, if it's still not connected, and start up the device. Have fun

*. Using dmesg:

]$dmesg | grep ttyS

See what ports are available. Usually it's /dev/ttyS0 (for a 1-COM-port PC\laptop)

SBS 2008, Windows 7 and maybe more – Backup to network share

2010.07.26

There is no ntbackup in Windows Server 2008, SBS 2008 and Win7 systems. RIP. Only a strange backup feature. But – as always – some CLI programmer did his work pretty well.
Use the wbadmin.exe tool to create scripts (.bat files are OK).
Google for more info; as a point to start: – MS

Example:

C:\Windows\System32\wbadmin.exe start backup -include:c:,d: -backupTarget:\\192.168.0.5\backups\server\Monday -quiet
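The command above wrapped in a scheduled-task-friendly script, as an added example (my own, not from the original post). It picks a per-weekday target folder, checks the wbadmin exit code and logs the result; the share \\192.168.0.5\backups\server is from the page, while the log path and the event ID are placeholders. The weekday rotation matters because wbadmin keeps only the most recent backup at a network share location, so a single target folder holds exactly one copy.

```powershell
# Added example (not from the original post): run wbadmin against a per-weekday
# folder under the share from the page, log the exit code and raise an event on failure.
$shareRoot = '\\192.168.0.5\backups\server'
$log       = 'C:\BackupLogs\wbadmin.log'          # placeholder
$target    = Join-Path $shareRoot (Get-Date).DayOfWeek   # e.g. ...\server\Monday

# Make sure the log directory and this weekday's target folder exist.
if (-not (Test-Path (Split-Path $log))) { New-Item -ItemType Directory -Path (Split-Path $log) | Out-Null }
if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }

$start = Get-Date
"{0:s} starting backup of C:,D: to {1}" -f $start, $target | Out-File $log -Append

# Same volumes and -quiet as the post's command; all output goes to the log.
& "$env:SystemRoot\System32\wbadmin.exe" start backup "-include:C:,D:" "-backupTarget:$target" -quiet 2>&1 |
    Out-File $log -Append
$rc = $LASTEXITCODE

"{0:s} wbadmin exit code {1} after {2:N0} s" -f (Get-Date), $rc, ((Get-Date) - $start).TotalSeconds |
    Out-File $log -Append

# Non-zero exit = failed backup; write an Application-log event so monitoring sees it
# instead of a silently failing .bat file. Event ID 900 is a placeholder.
if ($rc -ne 0) {
    eventcreate /T ERROR /ID 900 /L APPLICATION /SO WbadminScript /D "Backup to $target failed with code $rc" | Out-Null
    exit $rc
}
```

Schedule it with a domain account that has write access to the share, and alert on the event it raises; a backup job that nobody notices failing is the “no logging, no pros to review it” situation from the SBS post above.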
