**************************************************************************
Info: Windows NT Security Issues
Source: http://www.somar.com/
**************************************************************************
Lax registry permissions
NT installs by default with Everyone given write access to much of the
major problem because the registry on any machine running NT, both servers
and workstations, can be accessed remotely using Registry Editor. So a
user running on some workstation can modify the registry on any server or
Since the registry is similar to a file system, the obvious solution is
either to stop sharing the registry or else set registry permissions
currently. As far as setting permissions, this is possible in theory but
impractical because of the complexity of the registry. It is doubtful that
anyone besides Microsoft can give guidance as to exactly which registry keys
can be made read-only for ordinary users and which must be writeable by
ordinary users. It is not acceptable to set permissions on the
HKEY_LOCAL_MACHINE root key and let those permissions be propagated to all
explicitly say so.
keys and then write a program to scan the audit log looking for changes
made by other than the administrator, but this seems a poor way to run a
auditing the changes and punishing users who changed files they weren't
begin with if you don't want the user changing the file or registry key.
Consider various scenarios. A malicious user changes a few registry entries
that it is obvious what has happened. The problems are not reproducible at
other sites and the sysadmin feels like a fool. If logging is enabled, the
but in reality, most sysadmins will just reinstall NT. The user might then
the conclusion that NT needs reinstallation every few months to keep things
another user's account (the other user stepped out of the room without
locking their workstation, or they wrote their password down in a notebook
and the malicious user found it, etc, etc). In this case, even if the
the real culprit.
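As an added example (not part of the Somar page), the following PowerShell scan does for the registry what the text says is impractical by hand: it walks a hive and reports every key on which a broad group holds rights that let it change the key, so the keys that actually need to be writeable by ordinary users can be found from evidence instead of guesswork. The group names, the starting hive and the set of rights counted as "write" are assumptions made here; it needs PowerShell 5 or later (for -Depth) and should be run from an elevated prompt. On NT 4.0 and later, the ACL on HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg decides who may open the registry remotely, which is the "stop sharing the registry" option mentioned above.

```powershell
# Added example, not code from the Somar page. Find registry keys that broad
# groups can modify. Assumptions: the group list, the rights treated as
# "write", and the starting key are choices made here.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Find-WritableKeys {
    # Emits one record per (key, principal) where a broad group holds a write right.
    param(
        [string]$Root = 'HKLM:\SOFTWARE',
        [int]$MaxDepth = 4            # keeps the walk bounded; raise it for a full audit
    )
    $keys = [System.Collections.Generic.List[object]]::new()
    $keys.Add((Get-Item -LiteralPath $Root))
    # keys we are not allowed to open are skipped rather than aborting the scan
    foreach ($k in Get-ChildItem -LiteralPath $Root -Recurse -Depth $MaxDepth -ErrorAction SilentlyContinue) {
        $keys.Add($k)
    }
    foreach ($key in $keys) {
        try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band [int]$WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited   # $false means the ACE was set on this key itself
            }
        }
    }
}

# Run it and show the result; the pattern is the same for HKLM:\SYSTEM.
Find-WritableKeys -Root 'HKLM:\SOFTWARE' -MaxDepth 4 | Format-Table -AutoSize
```

Keys reported with Inherited = False are the ones some installer or administrator opened up explicitly; those reported as inherited come from a parent and are the case the text warns about, where tightening the parent silently changes every child that does not explicitly say otherwise.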
into it.
impractical to examine the permissions on each file using file manager.
Somar DumpAcl produces a report of permissions which groups files and
from those of the root. If all files and directories have the same
One of the common ways for files to get "wrong" permissions is due to
moving a file. Copying a file causes the file to inherit permissions from
the directory into which the file is copied. Moving a file preserves
existing permissions on the file. So, a user might create a file in a
temporary directory whose initial permissions give Everyone full control.
This user then decides to add some data to the file that they don't want
other users to change. So they move the file to a directory where only they
file and then deleted the original, the file would have the same
to spot files with "wrong" permissions.
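The copy-versus-move difference and a scan for files that carry permissions their directory would not have given them, as an added PowerShell example (not from the Somar page, and not how DumpAcl itself works). The scratch and private directories under %TEMP%, and the use of well-known SIDs for Everyone (S-1-1-0) and Administrators (S-1-5-32-544), are assumptions made here, and the move is a same-volume move, which is a rename and keeps the file's ACL. It goes slightly beyond the text: besides files moved in from elsewhere, it reports files with explicit (non-inherited) entries and files whose inheritance has been switched off, since all three leave a file with permissions that differ from its directory.

```powershell
# Added example, not code from the Somar page. Part 1 reproduces copy vs.
# move on a scratch tree; part 2 scans a tree for files whose permissions
# do not match what their directory would hand down. Assumptions: paths
# under %TEMP%, well-known SIDs S-1-1-0 (Everyone) and S-1-5-32-544
# (Administrators), and a same-volume move (a rename, which keeps the ACL).

function Test-StaleInheritance {
    # Returns inherited ACEs on $File whose principal has no matching
    # inheritable ACE on the parent directory. A file moved in from another
    # directory keeps its old ACEs, still flagged "inherited", so they land here.
    param([string]$File)
    $fileAcl   = Get-Acl -LiteralPath $File
    $parentAcl = Get-Acl -LiteralPath (Split-Path -LiteralPath $File -Parent)
    $inheritable = @{}
    foreach ($ace in $parentAcl.Access) {
        if ($ace.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ObjectInherit) {
            $inheritable["$($ace.IdentityReference.Value)|$($ace.AccessControlType)"] = $true
        }
    }
    foreach ($ace in $fileAcl.Access) {
        if (-not $ace.IsInherited) { continue }
        $who  = $ace.IdentityReference.Value
        $type = $ace.AccessControlType
        # a CREATOR OWNER entry on the directory turns into an entry for the file's owner
        $viaCreatorOwner = ($who -eq $fileAcl.Owner) -and $inheritable.ContainsKey("CREATOR OWNER|$type")
        if (-not $inheritable.ContainsKey("$who|$type") -and -not $viaCreatorOwner) { $ace }
    }
}

function Find-WrongPermissions {
    # One record per file that (a) blocks inheritance, (b) has explicit ACEs,
    # or (c) carries inherited ACEs its current directory would not grant.
    param([string]$Root)
    foreach ($f in Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue) {
        $acl      = Get-Acl -LiteralPath $f.FullName
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        $stale    = @(Test-StaleInheritance -File $f.FullName)
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0 -or $stale.Count -gt 0) {
            [pscustomobject]@{
                File      = $f.FullName
                Protected = $acl.AreAccessRulesProtected
                Explicit  = @($explicit | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
                Stale     = @($stale    | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            }
        }
    }
}

# --- Part 1: the scenario from the text, on a throwaway tree under %TEMP% ---
$base    = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
$scratch = (New-Item -ItemType Directory -Path (Join-Path $base 'scratch')).FullName
$private = (New-Item -ItemType Directory -Path (Join-Path $base 'private')).FullName
$me      = "$env:USERDOMAIN\$env:USERNAME"
icacls $scratch /inheritance:r /grant "*S-1-1-0:(OI)(CI)F" "*S-1-5-32-544:(OI)(CI)F" | Out-Null
icacls $private /inheritance:r /grant "${me}:(OI)(CI)F" "*S-1-5-32-544:(OI)(CI)F" | Out-Null

Set-Content -LiteralPath (Join-Path $scratch 'moved.txt')  -Value 'private notes'
Set-Content -LiteralPath (Join-Path $scratch 'copied.txt') -Value 'private notes'
Move-Item -LiteralPath (Join-Path $scratch 'moved.txt')  -Destination $private   # keeps Everyone:F
Copy-Item -LiteralPath (Join-Path $scratch 'copied.txt') -Destination $private   # gets $private's ACL

# --- Part 2: the scan; only moved.txt is reported, with Stale = Everyone:FullControl ---
Find-WrongPermissions -Root $private | Format-List
Remove-Item -LiteralPath $base -Recurse -Force
```

Point Find-WrongPermissions at a user's home or a shared data directory to get the same "files whose permissions differ from their directory" view the text describes; anything it returns is worth a look, and a file whose Stale column names a group the directory does not grant is exactly the moved-file case.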
Remote procedure calls
NT programs use remote procedure calls (RPCs) to allow various system
the local computer where the program is executing). For example, the
ability to modify the registry on remote computers is implemented using
There are mechanisms in NT for the RPC server to learn the username of the
RPC client and then to limit the functions it will perform based on that
username. However, as shown too many times in this document, there is a big
many capabilities to the Everyone account or whatever, then there is a
there is really no telling how many security holes there are in this area.
Securing a shared workstation
Many users have asked how to secure a shared workstation so users cannot do
any damage to the machine. For example, a workstation in a computer lab at
a university. As described above, there is no way to secure the registry.
The file system can be secured by setting the entire drive to the following
SYSTEM full control
Administrators full control
Everyone or Users read only
SYSTEM full control
Administrators full control
CREATOR OWNER full control
Everyone or Users add permission only
These settings allow users to create a profile, but prevent them from
the section on Profiles contain sensitive information.
(C:\TEMP or whatever) as follows:
SYSTEM full control
Administrators full control
CREATOR OWNER full control
Everyone or Users add permission only
These settings allow users to use the TEMP directory, but avoid problems
information that were created (and never deleted) by other users. Even if
users remove files with sensitive information from the temporary directory,
there is the issue of permissions being retained when a file is moved
instead of copied (discussed in the section on Permissions set improperly).
So the permissions on the TEMP directory should be set so initial
There are other files and directories to which users of a shared
* Some applications require write access to the application directory
to store data. cc:Mail is an example.
* Many older Windows applications require write access to the
%SYSTEMROOT% directory to store .INI files. Newer 32 bit
applications should use the user registry instead of .INI files.
* DOS graphic programs require write access to
%SYSTEMROOT%\SYSTEM32\CMOS.RAM.
* The builtin NT backup program requires write access to the
%SYSTEMROOT%\SYSTEM32 directory to store temporary files.
The above list is not all-inclusive. You can enable failure auditing on all
files and then examine the audit logs after making the most of the file
can also use the Somar DumpAcl program to dump and print file permissions
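The permission sets listed above and the failure-audit check, as an added PowerShell example (not from the Somar page). It assumes modern tooling (icacls, auditpol and the .NET ACL classes) and uses well-known SIDs instead of names so it is locale independent. The paths in the usage lines are placeholders: on NT 3.x the profile directory was %SYSTEMROOT%\SYSTEM32\CONFIG as the text says, and on a current Windows release the system drive carries additional principals (TrustedInstaller, ALL APPLICATION PACKAGES) that the read-only layout would strip, so try it on a lab volume or a test tree before a real drive. NT's "Add" permission is approximated here as write-data, append and traverse on the directory, with no rights on the files it contains.

```powershell
# Added example, not code from the Somar page. Applies the shared-workstation
# layout from the text and turns on failure auditing for writes. Run elevated.
# Assumptions: well-known SIDs S-1-5-18 SYSTEM, S-1-5-32-544 Administrators,
# S-1-5-32-545 Users, S-1-3-0 CREATOR OWNER; NT "Add" approximated as (WD,AD,X)
# on the directory only; the paths in the usage section are placeholders.
$SYSTEM  = '*S-1-5-18'
$ADMINS  = '*S-1-5-32-544'
$USERS   = '*S-1-5-32-545'
$CREATOR = '*S-1-3-0'

function Set-ReadOnlyTree {
    # SYSTEM and Administrators full control, Users read/execute; children are
    # reset so they inherit this instead of keeping their own explicit entries.
    param([string]$Path)
    icacls $Path /inheritance:r /grant "${SYSTEM}:(OI)(CI)F" "${ADMINS}:(OI)(CI)F" "${USERS}:(OI)(CI)RX"
    Get-ChildItem -LiteralPath $Path -Force | ForEach-Object { icacls $_.FullName /reset /T /C }
}

function Set-AddOnlyDirectory {
    # Users may create entries but not read or change existing ones; CREATOR
    # OWNER (inherit-only) gives each user full control of what they created,
    # which is what the profile and TEMP directories in the text need.
    param([string]$Path)
    icacls $Path /inheritance:r /grant "${SYSTEM}:(OI)(CI)F" "${ADMINS}:(OI)(CI)F" "${CREATOR}:(OI)(CI)(IO)F" "${USERS}:(WD,AD,X)"
}

function Enable-WriteFailureAudit {
    # Log every failed attempt to write, delete or re-permission anything under
    # $Path, so applications that still need write access somewhere show up in
    # the Security log (event 4656, Audit Failure). Needs SeSecurityPrivilege.
    param([string]$Path)
    auditpol /set /subcategory:"File System" /failure:enable | Out-Null
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $rule   = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights,
                  'ContainerInherit, ObjectInherit', 'None', 'Failure')
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-WriteFailures {
    # Summarise which objects users were denied on, to decide what needs write
    # access after all (the cc:Mail / .INI / CMOS.RAM cases in the text).
    # The field names are matched on an English-language event message.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656
                                     Keywords = 0x10000000000000   # Audit Failure
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Object  = [regex]::Match($_.Message, 'Object Name:\s+(.+)').Groups[1].Value.Trim()
                Process = [regex]::Match($_.Message, 'Process Name:\s+(.+)').Groups[1].Value.Trim()
                Account = [regex]::Match($_.Message, 'Account Name:\s+(.+)').Groups[1].Value.Trim()
            }
        } | Group-Object Object, Process | Sort-Object Count -Descending | Select-Object Count, Name
}

# Usage (placeholder paths; try a test tree before a real drive):
Set-ReadOnlyTree         -Path 'D:\Lab'
Set-AddOnlyDirectory     -Path 'D:\Lab\Profiles'
Set-AddOnlyDirectory     -Path 'D:\Lab\TEMP'
Enable-WriteFailureAudit -Path 'D:\Lab'
Get-WriteFailures -Hours 24
```

Run the workstation with the read-only layout for a day, then read Get-WriteFailures: each (object, process) pair that appears is a candidate for the per-application exceptions listed above, and anything that does not appear did not need write access.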
Macro runs when document is opened
A WinWord document can contain a macro which runs when the file is opened.
These macros can perform very powerful operations, including file i/o,
another, unsuspecting user to read a document the first user wrote. This
The macro copies all files from the unsuspecting user's personal
of what happened. The document may take a while to start up, but the
unsuspecting user assumes this is because the document is long. The
malicious user later deletes the WordBasic macro from the document and
notifies the unsuspecting user to replace any copy they made, so that
all potentially incriminating evidence is destroyed.
be very difficult to disassemble it and prove that it was doing something
files, the author could say this was due to a bug in the DLL. If you
you some modified source. When you pointed out that this source could not
be used to build the DLL exactly, the author could reply that the source
a perfectly reasonable explanation. By using a DLL in other words, there is
never any incriminating evidence.
There are other programs besides WinWord which can create files which
contain embedded macros which execute automatically when the file is opened
in the creating application. For example, Microsoft Access and Lotus Ami
others). Also, Postscript files, believe it or not, have file i/o capability.
So if you open a postscript file in an interpreter, it might go out and
modify any files to which you have write access. Also, Windows Help files
(.HLP extension) can call DLLs (typical use is to customize the Help
So, suppose you receive a package containing a .HLP, .EXE and a .DLL file
all together. You want to browse the .HLP file to see what this package is
all about and whether you trust it enough to run the .EXE file. You assume
the .DLL is called by the .EXE only. When you open the .HLP file, the .DLL
is executed and it's too late if you decide the package is untrustworthy.
WinWord and Access both allow the user to hold down the shift key when
opening a document to prevent any macro from running. It is difficult to
therefore known to be safe.
Why authors of programs feel the need to include powerful embedded macro
languages is something I really don't understand. It is possible to
accomplish most of what embedded languages do using DDE or OLE automation.
The advantage is that the end user learns one scripting language
environment and then applies it to different applications, as opposed to
learning a new language for each application. Microsoft has decided to
include VBA in all of their products, which reduces the amount of learning
to some extent. But why, I ask, not just provide good OLE Automation
capabilities so we don't need embedded macro languages at all, but can
instead use a separate Visual Basic program?
users should be allowed to set an option in the application so that they
are prompted before any macros are run (e.g. "this document contains an
embedded macro. Do you want to run this macro?"). There should be no way
for the document to override this option and the option setting should be
absolutely necessary, the application can be designed so that if the user
This is a hoax which alleged that there was a way to write a mail message
Users reading this hoax become frantic that they can no longer read any
mail without endangering their system. Actually, there is an element of
truth to this. If the mail message included an attached Word document, then
your files. These attachments can be sent using SMTP MIME or Microsoft
and other proprietary mail systems.
File sharing issues
The SMB file and print server protocol used by NT is much more resistant to
impersonation and session hijacking than the NFS file sharing protocol used
on Unix. This is significant since NFS is one of the biggest security
a node on the same Ethernet or Token Ring as the client and/or server, then
it would probably be very difficult to perform the impersonation or
the impersonating machine instead of the true destination machine.
transmitted in the clear and so can be easily read by any computer on any
LAN over which the data passes. Remember that if you connect to a remote
network drive over the Internet or other insecure connection, you are
network drive. File manager gives the illusion of the data being local,
breaches.
This risk of eavesdropping does not apply to logon passwords, since these
are never transmitted in the clear over the network; a challenge-response
protocol is used instead. (The captured challenge and response can still be
attacked offline by guessing passwords, so this protects against casual
sniffing rather than against a determined attacker holding a capture of the
exchange.)
SMB protocol data passed over the network was automatically encrypted,
using a key which was randomly chosen for each NetBIOS session. No directly
competing operating systems have this feature and, until some do, it is
unlikely NT will. If you have a need to transmit data over an insecure
network and you want to be protected from eavesdroppers, you will need to
use some sort of encryption. For example, there are router boxes that can
encrypt all TCP data, but not the IP header which is used for routing. Put
one of these routers at two sites and configure with the same key all data
analysis, however. Traffic analysis is a concern, for example, when an
undercover spy wants to send reports back to the home office, or similar
Some users put their userid and password on the command line of the program
manager item, for example for Microsoft Mail. This way they can start mail
by just double-clicking the mail icon, without having to type in their
The local user profile is stored in %SYSTEMROOT%\SYSTEM32\CONFIG and also
on a file server share, if a named, domain-wide user profile has been
assigned for the user. Permissions on these directories should
be like:
SYSTEM full control
Administrators full control
CREATOR OWNER full control
Everyone or Users add permission only
This is how permissions are initially set on %SYSTEMROOT%\SYSTEM32\CONFIG.
Since CREATOR OWNER has full control, each user will have full control of
their own profile. Since Everyone and Users have only add permission, they
in keyboard macros (so the user can use F12 or whatever to initiate the
entire logon sequence). These macros may be stored in the user profile or
a file. If a file, users should be warned to make sure the directory where
this file is stored is not world-readable. This is primarily a concern on
consisting of a mixture of upper and lower case letters and punctuation,
never write it down, and change it often (but not so often you feel the
need to write it down). This is all well-known, but so important that it is
the lowest-tech way to break into a system, but unfortunately also the
most common.
Special shares
NT shares the %SYSTEMROOT%\SYSTEM32\REPL\EXPORT\SCRIPTS directory, so that
users can read their login script during login. Normally, all of the
installed services, such as SNA server or SMS. Use Somar DumpAcl to dump
a list of shares and their permissions. And examine the permissions on the
careful you don't unintentionally completely remove access.
Win32 services default to running under SYSTEM account
Many of the internet Unix breakins occurred when someone discovered a bug
in a TCP/IP service and took advantage of this bug to break into the
input. Obviously, you should try to only run services which do not have
bugs. However, the danger if there is a bug is greatly reduced if the
instead of under the SYSTEM account (which corresponds to the Unix root
account). So, for example, run your SMTP service under an smtpuser account,
and give this account limited privileges, instead of running it under the
SYSTEM account.
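As an added PowerShell example (not from the Somar page), the following lists which services run as SYSTEM, narrows that to the ones actually listening on the network, and shows the reconfiguration recommended above. The service name MySmtp and the account .\smtpuser are placeholders; Get-NetTCPConnection needs Windows 8 / Server 2012 or later; and because several services can share one svchost process, a listening port is attributed to every service in that process.

```powershell
# Added example, not code from the Somar page. Which services run as SYSTEM,
# which of those listen on the network, and how to move one to a dedicated
# account. Assumptions: service name 'MySmtp' and account '.\smtpuser' are
# placeholders; Get-NetTCPConnection needs Windows 8 / Server 2012 or later.

function Get-SystemServices {
    # Every service whose logon account is LocalSystem (the NT equivalent of root).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, State, StartMode, ProcessId, PathName
}

function Get-ListeningSystemServices {
    # The subset that is both running and has a TCP listener: a bug in one of
    # these is reachable from the network and runs with full privilege.
    # Services sharing an svchost process are all listed against its ports.
    $byPid = Get-NetTCPConnection -State Listen | Group-Object OwningProcess -AsHashTable -AsString
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' -and $_.ProcessId -ne 0 } |
        ForEach-Object {
            $conns = $byPid["$($_.ProcessId)"]
            if ($conns) {
                [pscustomobject]@{
                    Service = $_.Name
                    Pid     = $_.ProcessId
                    Ports   = ($conns.LocalPort | Sort-Object -Unique) -join ','
                    Binary  = $_.PathName
                }
            }
        }
}

function Set-ServiceAccount {
    # Re-point a service at a dedicated account. The account needs the
    # "Log on as a service" right (User Manager / Local Security Policy) and
    # NTFS rights only on what the service really touches, nothing else.
    param([string]$Name, [string]$Account, [string]$Password)
    # sc.exe syntax: the space after 'obj=' and 'password=' is required
    sc.exe config $Name obj= $Account password= $Password
    if ($LASTEXITCODE -ne 0) { throw "sc config failed for $Name (exit $LASTEXITCODE)" }
    Restart-Service -Name $Name
}

Get-SystemServices | Format-Table -AutoSize
Get-ListeningSystemServices | Format-Table -AutoSize
# Set-ServiceAccount -Name 'MySmtp' -Account '.\smtpuser' -Password (Read-Host 'smtpuser password')
```

The second listing is the one to work through: every entry is a network-reachable process with SYSTEM privilege, and each one that can run as a restricted account should, so that a bug in it yields that account's access and not the whole machine.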
Viruses
eradicate, provided you never boot with a floppy in the drive, since NT
Data on disk not encrypted
Anyone who has physical access to a machine can read file system data by
either reinstalling NT (the installer can pick the initial Administrator's
and reading raw sectors using a low level disk utility. In both cases, the
user would need access to the floppy drive. On many machines, the floppy
can be disabled via the BIOS. There are two ways to get around a disabled
floppy:
* Resetting the BIOS. Typically this is done by setting a jumper which
causes a slow discharge of the battery needed to preserve the BIOS settings
in CMOS. Discharge might take several hours, or several minutes, depending
on your motherboard. Don't trust manufacturer's specs, since this is not
* Moving the hard drive to another machine and reading it there.
These techniques require opening the computer case, so there should be no
immediately noticed.
There are various products which allow you to do this, with varying degrees
of user-friendliness and transparency. (Any manufacturers who would like me
to list their product and add hypertext links to their Web pages, just drop
me a note).
any file that is stored unencrypted in memory can be written to the paging
file. So software encryption products will not be sufficient in this case.
What you need instead is a disk controller which encrypts data on the fly
as it is transferred between memory and disk. Typically, the user would be
examples of where military grade security is needed is an embassy which
contains secret data on PCs. These PCs might fall into the hands of a
from the fragments of data in the paging file. For most users, such
military grade security is not really necessary.
Backup/Restore user rights allow reading/writing all files
is trivial to write a program in C which takes advantage of the backup right
to read any file in the system. So be careful of who you give the backup
logged in the Audit log. Users who have both backup and restore rights can
of the restore right can be logged. User Manager is used to assign rights
to users and enable auditing of the use of user rights.
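An added PowerShell example (not from the Somar page) that answers the two questions raised above on a current Windows release: who holds the backup and restore rights on this machine, and how to get their use logged. It parses the [Privilege Rights] section that secedit exports; the temporary file path is an assumption made here. The logging part is the later form of what the text describes: the two privileges are only audited when both the "Sensitive Privilege Use" subcategory and the "Audit: Audit the use of Backup and Restore privilege" security option (the FullPrivilegeAuditing value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) are on, and the resulting event volume is large.

```powershell
# Added example, not code from the Somar page. Lists the holders of the
# Backup and Restore privileges and enables auditing of their use. Run
# elevated. Assumption: the temporary file path under %TEMP%.

function Get-PrivilegeHolders {
    # Parses 'SeXxxPrivilege = *SID,*SID,...' lines from a secedit export and
    # resolves each SID to a name. Group membership is not expanded, so check
    # the groups (Backup Operators, Server Operators, ...) separately.
    param([string[]]$Privileges = @('SeBackupPrivilege', 'SeRestorePrivilege'))
    $cfg = Join-Path $env:TEMP ('rights-' + [guid]::NewGuid().ToString('N') + '.inf')
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        foreach ($line in Get-Content -LiteralPath $cfg) {
            if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
                $priv = $Matches[1]; $raw = $Matches[2]
                if ($Privileges -notcontains $priv) { continue }
                $holders = foreach ($entry in ($raw -split ',')) {
                    $id = $entry.Trim()
                    if ($id.StartsWith('*')) {
                        # secedit writes SIDs with a leading '*'
                        try { ([System.Security.Principal.SecurityIdentifier]$id.Substring(1)).Translate([System.Security.Principal.NTAccount]).Value }
                        catch { $id }
                    } else { $id }
                }
                [pscustomobject]@{ Privilege = $priv; Holders = ($holders -join ', ') }
            }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -Force -ErrorAction SilentlyContinue
    }
}

function Enable-BackupPrivilegeAudit {
    # Both switches are needed: the subcategory, and the Lsa value that opts
    # the backup/restore privileges into it (they are excluded by default
    # because every file touched by a backup would otherwise log an event).
    auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable | Out-Null
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'FullPrivilegeAuditing' -Value ([byte[]]@(1)) -Type Binary
}

function Test-OwnBackupRight {
    # Is the current token itself carrying either privilege? whoami lists them
    # even when disabled; a program only has to enable them to use them.
    $priv = whoami /priv
    [pscustomobject]@{
        Backup  = [bool]($priv | Select-String -SimpleMatch 'SeBackupPrivilege')
        Restore = [bool]($priv | Select-String -SimpleMatch 'SeRestorePrivilege')
    }
}

Get-PrivilegeHolders | Format-Table -AutoSize
Test-OwnBackupRight
# Enable-BackupPrivilegeAudit    # uncomment once the Security log has room for the volume
```

Treat every account or group returned by Get-PrivilegeHolders as having read access to every file on the machine (backup) or the ability to replace any file (restore), regardless of the permissions on those files, and keep the list as short as the backup schedule allows.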
Data on backup tapes not encrypted
The NT backup program does not encrypt data on tape. So anyone who has a
tape can read it on another machine on which the user has restore
FTP/Telnet passwords
Microsoft does a good job of warning people about the fact that FTP
to the Internet, it is probably best to allow only anonymous FTP, so that
no one ever attempts to transmit a password to your machine over the
Internet. If you FTP or Telnet from your machine to another machine on the
Internet, the same warning applies: any password you enter or any
FTP service directory
The home directory you specify for the FTP service is only the initial
current directory. Ftp users can change their current directory. So if you
change to any subdirectories under c:\. Normal NTFS permissions will apply,
of course, to whatever account the ftp user is running under. If you don't
configure ftp so that it can only read and/or write to that partition.
Application software issues
The really valuable data on a computer system is what is produced by
applications and stored in file and databases. It is very important to
account and allows unprivileged users to submit requests that give them
access to the entire file system.
Send comments and questions to info@somar.com
All material Copyright © 1995 Somar Software. Last updated 3 June 1995.