If your job includes security, the Security Configuration Editor in SP4 can truly make things much easier. In this new column, an NT security expert tells what the new release can do for you.

Inside Service Pack 4

If your job includes security, the Security Configuration Editor in SP4 can truly make things much easier. In this new column, an NT security expert tells what the new release can do for you.

What’s the best server? Right—the one that’s up 24 x 7 x 365. Attention to security is one way to keep it there. As administrators, managers, integrators, developers, and trainers we’re responsible for making others aware of security issues. We don’t want to be among the 75 percent of companies that a 1997 Computer Security Institute study lists as having lost money to computer crimes. We don’t want our computer systems to be harmed by attacks this year.

That’s why MCP Magazine and I would like to welcome you to “Security Advisor,” a monthly column that explores security as it applies to your enterprise. You probably already lock your doors at night; we’ll show you how to lock your network. In coming months, we plan to look at many different aspects of security, from conducting a security audit to the special concerns and techniques of ensuring security on BackOffice products. This month, we’ll examine the increased security offered by Service Pack 4 for Windows NT 4.0.

An Awareness of Security

A lot has changed since Service Pack 3 for Windows NT 4.0 was introduced in May 1997. At that time, there were fewer NT boxes in large organizations, and fewer of us were focused on security issues. The network philosophy seemed to be, “If it ain’t broke, don’t fix it.”

With earlier releases of NT, Microsoft often appeared to be on the defensive, denying security issues while preparing fixes for only the most notable ones. With the growing acceptance of NT, that’s changed. Today, Microsoft has a Web site—www.microsoft.com/security—dedicated to security issues. When a new NT problem is reported, the company appears to move into action, rapidly verifying or reassuring, explaining, offering a hot fix, and making recommendations. You can even sign up for Microsoft security bulletins, delivered by e-mail.

While only a few of the 300 bug fixes in SP4 actually address security issues, what you will find in it is the Security Configuration Editor (SCE). Designed to be a part of NT 5.0, the SCE integrates security implementation and analysis on NT, thereby addressing a fundamental weakness of the OS. [This article is based on a beta version of SP 4.—Ed.]

Snap-in Security

I used to wonder why my students complained about the lack of NT security. They’d pose a problem and I’d answer with instructions on how to use NTFS, how to set up rights and permissions, and how to turn on auditing. Simple, from a classroom stance—and if you’re in a small domain. But more and more of my students were coming from companies implementing huge enterprises with dozens of NT servers and hundreds of NT workstations. They didn’t want to hear, “First enable file and object auditing in User Manager for Domains, then visit folders and files in Windows Explorer to turn on auditing for files and folder, then use Printers to turn on auditing for printers, then edit the NT Registry, then...” They wanted—demanded, even—something more central and less time-consuming and confusing. Some bought third-party solutions. Others just didn’t implement any security beyond logon.

The Security Configuration Editor is a Microsoft Management Console snap-in utility that lets you centrally administer security features across a Windows NT domain. It doesn’t replace the current set of utilities for adding users, establishing object permissions, and auditing; although you can do all of these tasks in the new editor, you can still use other utilities as well. SCE simplifies the implementation of security features and provides an analysis component that detects variations from the policy set. Security configuration is made in the large and implemented in the background. Analysis provides information about the compliance to policy.

Install Service Pack 4 Right the First Time
To download a copy of Service Pack 4, go to www.microsoft.com/ntserver/default.asp, click on Downloads, and select Service Pack 4.

Before Installing Service Pack 4

1. Update system Emergency Repair Disk using rdisk /s.

2. Perform a full backup including the registry.

3. Disable nonessential third-party drivers and services not required to boot the system.

4. Contact OEMs for updated drivers.

5. Install Internet Explorer 4.01 or register Protected Storage by issuing the command stores—install command.

6. Visit www.systemsoft.com for information if you’re running SystemSoft’s Cardwizard for Windows NT (support for PCMCIA) or PowerProfiler for Windows NT (support for Advanced Power Management). Your system may fail to boot if you don’t follow the specific procedures outlined at this site. Microsoft recommends that you remove . advanced power management settings, programs, utilities; make sure they’re not being used before installing the service pack.

The Actual Installation

1. Navigate to the folder containing the Service Pack file.
2. Change to the folder \I386 or \ALPHA (depending on your CPU).
3. Type UPDATE.
4. Follow the instructions.

If, while installing Service Pack 4, a Web page opens in your browser, do the following:

1. Click Windows NT Service Pack.
2. Click Install Service Pack.
3. When asked if you wish to open or save file Spsetup.bat to disk, select Open.
4. Follow the instructions on screen.

If you change or add new software or hardware components after installing Service Pack 4, you must reinstall the service pack.

Uninstalling Service Pack 4

1. Open Control Panel.
2. Click on Add/Remove Programs.
3. Select Service Pack 4.
4. Click the Add/Remove button.

Note: samsrv.dll and winlogon.exe aren’t overwritten. Service Pack 4 changes the Security Account Manager Database, and older versions will no longer recognize the structure. If you reapply earlier service packs after uninstalling Service Pack 4, answer “no” to the “Confirm File Replace” dialog boxes for these two files. Otherwise, you won’t be able to log onto the system.

Roberta Bragg, MCSE, MCT

Installing SCE

Installation of SCE is straightforward. After installing Service Pack 4, follow these steps.

1. Run the Microsoft Management Console. (Click Start | Run and type “mmc”, then press Enter.)
2. From the Console menu, click Add/Remove Snap-Ins.
3. Click Add.
4. Select Security Configuration Editor.
5. Click OK.

Security Configuration Areas are subdivisions of system-wide security configurations. Table 1 shows the currently defined areas.

Table 1. Security Configuration Areas  
Security area Interface items Function
System Security Policy Password Policy, Lockout Policy, Audit Policy, User Rights Assignment, Security Options Set access policy, password policy, overall object security, audit settings.
Rights and Privileges User Groups
Not present in early beta.
Local and Domain security policy attributes.
Restricted Groups Restricted Groups Assign group memberships, privileges, and rights.
System Services System Service Group membership for sensitive groups such as administrators, power users, print operators, server operators, and domain administrators.
System Registry Registry Configure services including TCP/IP, NetBIOS, file sharing, and printing.
System Store File System Set Access Control Lists on Registry Keys.
Directory Objects
Not present in early beta.
Directory Objects Set security for file volumes and directory trees. Active Directory (with NT 5.0)

SCE was developed to support additional elements. Because configuration information is stored in a standard .INF file format, it can easily be modified by those who understand this format. For instance, software vendors who write services can extend the “system services” component to include their own. Security can thus be configured on an ISV’s service, and the ISV can be sure that any analysis performed will included its own service.

A Simple Interface

The SCE’s Explorer-like user interface is simple to navigate (see Figure 1).

Figure 1. The Security Configuration Editor. The left pane holds configuration and inspection folders; the right pane shows objects to be kept secure or actual attributes of an object’s security configuration.

The left pane includes top-level folders for Configuration/Inspection Templates and Last Configuration/Inspection.

You can expand these folders to show greater detail on each template and security area. The right pane exposes the objects , and when you view an analysis, it also exposes departures from the security policy.

Context menus are available to perform configuration assignment; security analysis; and for identification of and making changes to objects, rights, privileges, and services.

The SCE includes sample templates for defining your security policy. You can modify the existing templates or, as I’ve mentioned, define your own (through the .INF files). You can make Security Configuration Area settings on your domain by selecting a template in the tree view under “Configuration /Inspection Templates” and then right-clicking on the template and selecting “Assign Configuration” from the context menu.

When you’ve selected and assigned a template, its security configuration becomes the security configuration for the local machines as well as for some parts of the domain (system services and restricted groups). For example, members of the Administrators group who aren’t identified in the policy are removed from the Administrators group and logged to the configuration log.

Changing template configurations to get the policy that is right for you is as simple as pointing and clicking. Double-clicking on an object exposes dialog boxes that allow you to view and edit the current configuration. Most boxes appear to be exact replicas of the more familiar tools such as “Add Users and Groups” or easily discernable variations like “Maximum Password Age.” If you’re already familiar with current configuration tools, you’ll have no trouble with SCE’s interface.

Security Analysis

To analyze security, right-click on the Last Configuration/ Inspection and Click Perform Analysis. A pop-up window tracks your progress. When the analysis is complete, you can view the results in both a log (see Figure 2) and by traversing the “Last Configuration/Analysis” branch.

Figure 2. A fragment of the text log for an analysis of user rights.

Another nice feature that SCE provides is an Analysis Viewer that shows each template recommendation next to current settings. It also highlights problem areas with different fonts and colors. You can correct problems in the view by changing the recommended settings. If you do correct problems in this way and then select the “reconfiguration” option, the correction will be made to the object. The Analysis Viewer is more than a way to “view” problems. Problems can be fixed without leaving the viewer.

Not All Is Perfect…

Hold on, though. SCE isn’t necessarily the final solution. Imagine this scenario. Administrator A gets tired of repeated demands from User1 for more permission on the system, so she makes User1 a member of the Administrators group. Administrator B, who is the Auditor, runs a security analysis and discovers that this unknown Administrator, User1, exists. Administrator B removes this administrator from the Administrators group and makes a note to chastise Administrator A. Meanwhile User1 can’t install the latest whiz-bang utility and hollers at Administrator A, who puts him back in the Administrators group. You can only imagine the NT Administrator privilege war that would develop as each Administrator tries to gain control. The bottom line: If authority is distributed, maybe you shouldn’t install SCE.

Along with ease of implementation and administration in NT, there’s definitely a need for policy control and maintenance. In environments where authority is distributed, SCE shouldn’t be installed—or contentious issues should be excluded from analysis (unless you’ve already resolved them).

Security-Related Bug Fixes in Service Pack 4
Fixes in Service Pack 4 correct the security-related problems outlined below. For additional information on a specific fix, check out Knowledge Base articles available from Microsoft’s TechNet site (www.technet.microsoft.com) or on the Knowledge Base CD that’s part of a TechNet subscription.

Q129457 Restrict Anonymous
Service Pack 3 introduced the capability to control anonymous access to system information. If Service Pack 3 is installed and RestrictAnonymous is enabled, anonymous connections can obtain the password policy.

Q142047 Access Violation DNS
A modified DNS query has the AnswerCount field greater than 0. This means that the data from the question should be present, but it isn’t. As a result, an access violation occurs and stops the DNS service.

Q143478 Out of Band Data
Senders set the URGENT bit flag in the TCP header to an incorrect size. The flag indicates where urgent data ends and normal data begins. If no normal data follows this pointer, Windows NT may crash. The OOB data attack (as it has been called) was addressed in Service Pack 3; however, this updated fix handles variations of the original attack.

Q143484 Large IIS Request
Microsoft Internet Information Server 2.0 and 3.0 service stops if it receives a request (URL or header) of four to eight kilobytes of data from a browser.

Q146945 and Q171777 GetAdmin
A normal user can be granted administrative rights if this program is run from the PDC or workstation.

Q154460 Denial of Service-Simple TCP/IP
If simple TCP/IP services is installed, a flood of UDP datagrams sent to the subnet broadcast address port 19 (chargen-character generator) generates a response to each broadcast. The result is a flood of UDP datagrams, increased bandwidth utilization, and decreased performance.

Q165005 Land Attack
SYN packets with the same source and destination address are sent to a host. These packets look like they were sent by the host to itself. The host will slow down temporarily while it tries to respond to itself.

Q167629 DNS Predictable Query
Cache pollution (saving the incorrect IP of a query in the DNS cache) is accomplished by knowledge of the series of IDs used in recursive queries. The attacker spoofs responses to DNS queries, filling up the cache with incorrect responses, for example, responding that microsoft.com is IP

Q169461 Malicious Telnet Attack
A flood of characters is directed at the DNS service port, causing DNS to stop. This interrupts name resolution services. It’s caused by a telnet session.

Q173059 Security Events Not Logged During Audit
User and Group Management events should be logged if audit policies are set. Some event IDs (for example, Event ID 640: General Database Change—a change made to the SAM database, Event ID 629: User Account Disabled) weren’t recorded.

Q174551 TCP/IP Advanced Security
The Advanced Security option of TCP/IP properties on the RAS server clears automatically after RAS clients dial into the Windows NT RAS server. Thus, advanced security options aren’t in effect.

Q179129 Modified TearDrop
Service Pack 3 provided a solution to the TearDrop Attack. A modified version of the TearDrop attack sends IP fragments that, when reassembled, form an invalid datagram. The second packet overwrites data in the UDP header. The datagram is incomplete. Kernel memory is allocated and, if enough invalid datagrams are received, the system may crash.

Q180963 Denial of Service
An incorrectly formulated Server Message Block (SMB) logon request can cause memory corruption, OS hang, or restart. The logon request at fault here has the incorrect data size indicated.

Q182918 Account Lockout
An account is locked out at the domain controller if a user’s incorrect password attempt reaches the Bad Logon Attempts limit. If the workstation has enabled auditing, an account lockout event is generated at the workstation but not at the domain controller. This fix will generate an audit event at the domain controller that handled the logon request.

Roberta Bragg

The Master at Managing Security

Is Service Pack 4 really a Security Pack 4? In some ways, yes. It has many elements that you can use to improve Windows NT 4.0 security. Can is the key word here. Bug fixes, security editors, and analyzers won’t work if you don’t know how to use them. Will Service Pack 4 solve all your problems? Nope. Will it create some new ones? No doubt. Do I recommend installing it? You bet! It takes the pain out of downloading, understanding, and applying numerous hot fixes, and it has created an answer to one of my most compelling annoyances: managing security in NT. SCE centralizes many of the more meddlesome aspects of security maintenance and shows promise of more to come.

comments powered by Disqus
Most   Popular