Null Sessions in Windows NT/2000 (reproduced article)

Reposted by xiaoxiao, 2021-03-06

Release Date: 2002-03-28

Abstract:

Date: 2002-03-11

Author: Joe Finamore

Overview

Riddle: "When is NULL not null?"

Answer: "When it is a null session."

A null session is a session established with a server without any credentials. This article discusses null sessions under NT 4.0 and Windows 2000: how they are used, the weaknesses they introduce, and how to control and eliminate those weaknesses.

Lanman sessions in NT 4.0

Before we discuss null sessions, we need to know what a session is. There is a very good discussion of NTLM authentication at:

http://www.microsoft.com/msj/defaultframe.asp?page=/msj/0299/security/security0299.htm&nav=/msj/0299/newnav.htm

Windows NT 4.0 uses a challenge/response protocol to negotiate a session with a remote machine. The session is a secure channel through which the machines participating in it can exchange information. The sequence of events is as follows:

1) The session requester (the client) sends a packet to the session receiver (the server) asking for a secure channel to be established.

2) The server generates a random 64-bit number (the challenge) and sends it back to the client.

3) The client takes the 64-bit number generated by the server, encrypts it with the password hash of the account it is trying to establish the session with, and returns the result to the server (the response).

4) The server hands the response to the Local Security Authority (LSA), which verifies the requester's identity against the account database. If the requester's account is a local account on the server, it is verified locally; if it is a domain account, the response is passed to a domain controller for verification. When the response to the challenge is correct, an access token is built for the client's session, and the client uses that access token to reach resources on the server until the negotiated session is terminated.

Lanman sessions under Windows 2000 - Kerberos authentication

Windows 2000 uses Kerberos to build a session "ticket". The RFC for Kerberos V5 can be found at:

http://www.ietf.org/rfc/rfc1510.txt

The sequence of events is as follows:

1) The client sends a request to the KDC (Key Distribution Center) for a TGT (Ticket Granting Ticket). The request includes pre-authentication data encrypted with a key derived from the user's password; this pre-authentication data contains a timestamp, so that an intercepted TGT request cannot simply be replayed. The KDC runs on a domain controller and is what issues the tickets.

2) The KDC retrieves the user's password hash from its database and uses it to decrypt the pre-authentication data. If the decryption yields a timestamp close to the current time, the process continues.

3) The KDC generates a TGT which contains, among other things, a session key encrypted with the user's password hash, together with the security identifiers (SIDs) that identify the user and the user's groups.

4) The client decrypts the session key with the key derived from the user's password.

5) The client uses the TGT to obtain a ticket for the server whose resources it wants to reach; the client is now authenticated and a session is established.

A ticket produced in this way contains the following information unencrypted:

the name of the Windows 2000 domain (realm) that issued the ticket

the name of the principal the ticket was issued for

The ticket also contains the following information, encrypted:

the ticket "flags"

the session encryption key

the domain name of the account that requested the ticket

the principal name of the user who requested the ticket

the session start time

the session end time: tickets have a limited lifetime, after which they expire

the address of the client machine

authorization data describing the access the client is entitled to

What is a null session?

Now that we understand what a session is, an authenticated connection that grants access to resources, we can lift the veil on null sessions. A null session is a session established with a server in which no user authentication is performed. In other words, it is anonymous access to the server: no username or password is supplied when the session is built. The access token ("authorization data" on Windows 2000) contains the SID S-1-5-7, the "ANONYMOUS LOGON" user, and the token carries the following groups:

EVERYONE

NETWORK

Subject to the restrictions imposed by security policy, this grants access to everything that is accessible to those two groups.

How to create a null session

From a user's point of view, a session with a server is established when the user logs on or otherwise needs to reach resources on that server. For example, a user named "bob" wants to reach some files on a share named "DATA" on the server named "Datastore". He has not yet authenticated, so he issues the command:

net use * \\datastore\data * /user:bob

He is prompted for his password, the relevant authentication exchange takes place and, assuming he is authenticated, an "access token" or "ticket" is produced that lets him connect to the share he wants.

On the other hand, if null sessions are allowed and the "DATA" share is configured as a "null session share", he only needs to type:

net use * \\datastore\data "" /user:""

This connects Bob to the "DATA" share as an anonymous user, with no username or password required ... a hacker's dream!

A null session can also be built programmatically through the Win32 API. An example is given at:

http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=exploit&id=494

Null sessions can also be used to connect to "null session named pipes" if the server is configured to allow them. A "pipe" is a facility that lets a process communicate with other processes, on the same system or on different systems. A null session is usually established to a share, and that includes system shares such as \\servername\IPC$. IPC$ is a special hidden share that permits communication between two processes on the same system (inter-process communication); the IPC$ share is an interface to the server process on the machine, and it is also associated with a named pipe so that it can be reached remotely.
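As an added example (not part of the original article), the following PowerShell function exercises the null session described above against a host you are authorised to test: it connects to \\server\IPC$ with an empty user name and password exactly as the net use command does, asks for the server's browse list while the anonymous token is in place, and then deletes the session. The server name is a parameter; "datastore" in the usage line is the article's placeholder, not a real host, and the NS_TARGET environment variable is a helper of this example.

```powershell
# Added example: probe a server for a null session and report what the
# anonymous token can see. Not from the original article.
function Test-NullSession {
    param([Parameter(Mandatory)][string]$Server)

    $result = [ordered]@{ Server = $Server; NullSession = $false; Shares = @(); Detail = '' }

    # The stop-parsing token (--%) hands the rest of the line to cmd.exe verbatim,
    # so the empty-string arguments reach net.exe exactly as typed at a prompt.
    # %NS_TARGET% is expanded by cmd; it is just a carrier for $Server.
    $env:NS_TARGET = $Server
    $out = cmd.exe --% /c net use \\%NS_TARGET%\IPC$ "" /user:"" 2>&1
    if ($LASTEXITCODE -ne 0) {
        # RestrictAnonymous=2, a firewall, or a refused anonymous logon lands here
        $result.Detail = ($out | Out-String).Trim()
        Remove-Item Env:\NS_TARGET
        return [pscustomobject]$result
    }
    $result.NullSession = $true

    # With the anonymous token in place, ask for the browse list.
    # RestrictAnonymous=1 accepts the IPC$ connection but refuses this step.
    $view = cmd.exe --% /c net view \\%NS_TARGET% 2>&1
    if ($LASTEXITCODE -eq 0) {
        # Share lines look like:  DATA         Disk           Project files
        $result.Shares = @($view | ForEach-Object {
            if ($_ -match '^(\S+)\s+(Disk|Print|IPC)\b') { $Matches[1] }
        })
    } else {
        $result.Detail = 'IPC$ accepted the null session, but share enumeration was refused'
    }

    # Always tear the anonymous session down again.
    cmd.exe --% /c net use \\%NS_TARGET%\IPC$ /delete /y >nul 2>&1
    Remove-Item Env:\NS_TARGET
    return [pscustomobject]$result
}

# Usage (placeholder host from the article):
# Test-NullSession -Server datastore
```

A result with NullSession set and an empty share list tells you the server is at the "restricted" level described later in the article; a populated share list means the server is handing its browse list to anyone.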

Why have null sessions at all?

The logical question is: "Why does Microsoft support null sessions?" When NT and Windows 2000 security is discussed, isn't more authentication always safer?

In general, "yes": null sessions tend to undermine the security structure of the underlying operating system. However, there are compelling reasons for including them in Microsoft networking. The original purpose of null sessions was to allow unauthenticated machines to obtain a browse list from a server. Remember that NT and Windows 2000 group machines into "domains", and a domain is a collection of machines that share a security boundary, that is, they share the same user and machine account database, including the passwords used to connect to one another. A user password normally authenticates a user within the domain; a machine password normally maintains the secure channel between the machine and the domain controller. In both cases the password establishes a measure of trust between the machine or user and the domain controller.

If all communication stayed within the domain, null sessions would be unnecessary and there would be no problem. However, it is often necessary to reach outside the domain to perform the following tasks:

obtain a browse list from a server in a different domain

authenticate users from a different domain

This is partly addressed by the concept of trust relationships between domains. A trust relationship is an agreement between two different domains in which one domain agrees to trust the security integrity of the other, so that credentials are allowed to flow between the two domains. A password is negotiated when the trust is established; basically, the trust relationship is an authentication mechanism between two domains.

The problem is that trust relationships do not solve every connectivity problem on a site. Consider first the process of establishing a trust. If "Domain1" wants to build a trust with "Domain2", it needs to contact the PDC of that domain to negotiate the password for the secure channel. To do so, it must enumerate the machines in the other domain and determine the name of the "Domain2" PDC. There are many ways to resolve names (and then addresses), including WINS, DNS, LMHOSTS, AD (Active Directory) and so on. A null session makes this process easier, because it lets a machine with very little prior knowledge enumerate the machines and resources in a domain directly, without authenticating.

There are other scenarios that benefit from null sessions. Consider an administrator on a multi-domain site where, for some reason, there is no trust relationship between some of the domains. In the course of the administrator's work it is often necessary to reach resources in all of the domains, and null sessions make it easier to enumerate users, machines and resources.

Another situation that requires null sessions is the use of the "#INCLUDE" tag in an lmhosts file: the share that holds the included file must be set up as a null session share. An article on this point can be found at:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q121281

This is an older article, originally published in 1994 but updated on 8/8/2001, and it is worth a comment: much of the Lanman material in the lmhosts.sam template of NT 4.0 was retained in Windows 2000.

It should also be mentioned that a number of vendors advocate the use of null sessions in their software. An interesting article on this is:

http://www.dcs.ed.ac.uk/home/archives/bugtraq/msg00784.html

The article describes a vendor's installation process that creates a null session share on the server in order to do its work. That is dangerous for the server, and the administrator may not even realise it has happened.

The last place null sessions are useful is a service running under the local "System" account that needs to reach resources on another machine; this is only possible if those resources are accessible over a null session. The Microsoft article on this is:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q124184

For this problem Microsoft does not recommend opening up null sessions; instead they recommend running the service under a dedicated user account.

What are the weaknesses of null sessions?

Now that we have a better understanding of sessions in general, and null sessions in particular, what weaknesses do they expose? There are several reasons for concern. As we know, an access control list (ACL), a list of access control entries (ACEs), controls access to a resource in an NT or Windows 2000 domain. An ACE names a user or group by SID and enumerates the permissions that user or group is allowed or denied.

The problem is authorization granted to the built-in group "Everyone". Under NT, "Everyone" means literally everyone: if the "Everyone" group is granted access to a resource through an ACE, anyone can reach that resource, and if the path to the resource, such as a pipe or share, is also open to "Everyone", the resource is available anonymously to anyone.

So what does that include? If you look at an out-of-the-box NT 4.0 installation, you will notice that a great many things are accessible to "Everyone", in particular the root of the system disk (usually C:\). A notable folder that is open to "Everyone" is the one holding the repair information:

%SystemRoot%\repair (usually "c:\winnt\repair")

A few of the more sensitive files there, such as "sam._", have more restrictive security, but most of the files are readable. If, for some reason, a share's parent folder is reachable and the share is a null session share, these files are easy pickings for any anonymous intruder. You will also notice that many areas of the registry are readable by "Everyone", which makes it possible to connect to a server's IPC$ share, run the registry editor (regedt32.exe), and view or even change some registry values ... anonymously.

Another weak point exposed through null sessions is the list of user accounts in the domain. Why is this a problem? Because it removes half of the barrier an intruder faces when attacking a domain account: to log on as someone else you need two parts:

username

password

Once the username is known, it is only a matter of guessing or cracking the password. If the domain's renamed administrator account (you did rename the administrator account, didn't you?) is exposed this way, the weakness reaches its peak: the intruder only needs to make a null session and then enumerate users looking for the one whose relative identifier (RID) is 500. Example code that does exactly this can be found at:

http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=exploit&id=494

This weakness was an important part of the well-known "Red Button" attack, which was addressed in NT 4.0 SP3.

Enumerating the machines or resources in a domain also makes breaking into the domain easier. If an anonymous user can obtain the names of the machines in the domain and then list the shares on those machines, it becomes a simple matter to try each resource in turn until one is found that is open to "Everyone". By default the root of the system disk is open to "Everyone", and the default share-level security applied to a newly created share grants "Full Control" to "Everyone"; the problem is obvious.

How to protect against attacks?

The best defence is to disallow null sessions wherever possible. An assessment of the exposure is a good start. The "DumpSec" tool lists the shares on a system along with the security settings on each; it also reports registry permissions and performs other useful security audit tasks. DumpSec can be obtained from:

http://www.systemtools.com/somarsoft/

There are a couple of relevant registry keys:

HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous

"HKLM" refers to the hive "HKEY_LOCAL_MACHINE". If this value is set to "1", anonymous connections are restricted: an anonymous user can still connect to the IPC$ share, but what the connection can do is limited; a value of "1" prevents anonymous users from enumerating SAM accounts and shares. Windows 2000 adds the value "2", which blocks all anonymous access unless it is explicitly granted.

Other keys to check:

HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares

and:

HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes

These are MULTI_SZ (multi-string) registry values that list the shares and pipes open to null sessions. If you do not want null sessions, confirm that no shares or pipes are listed. To make unauthorised changes to these keys harder, confirm that only "System" and "Administrators" have access to them.
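As an added example that is not from the original article, the following PowerShell reads the three registry values just named (they still exist on current Windows versions), reports the settings that leave null sessions open, and, in a separate function that needs administrative rights, writes the restrictive settings the text recommends: RestrictAnonymous=2 and empty NullSessionShares and NullSessionPipes lists. The function names are this example's own.

```powershell
# Added example: audit, and optionally harden, the null session registry
# settings discussed in the article. Not part of the original text.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-NullSessionPolicy {
    # A missing RestrictAnonymous value behaves like 0 (no restriction)
    $ra     = Get-ItemProperty -Path $LsaKey    -Name RestrictAnonymous -ErrorAction SilentlyContinue
    $shares = Get-ItemProperty -Path $ServerKey -Name NullSessionShares -ErrorAction SilentlyContinue
    $pipes  = Get-ItemProperty -Path $ServerKey -Name NullSessionPipes  -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RestrictAnonymous = if ($ra) { [int]$ra.RestrictAnonymous } else { 0 }
        # MULTI_SZ comes back as string[]; drop empty entries
        NullSessionShares = @($shares.NullSessionShares | Where-Object { $_ })
        NullSessionPipes  = @($pipes.NullSessionPipes   | Where-Object { $_ })
    }
}

function Test-NullSessionPolicy {
    param($Policy = (Get-NullSessionPolicy))
    $findings = @()
    switch ($Policy.RestrictAnonymous) {
        0 { $findings += 'RestrictAnonymous=0: anonymous callers may enumerate SAM accounts and shares' }
        1 { $findings += 'RestrictAnonymous=1: IPC$ still accepts null sessions; only enumeration is blocked' }
    }
    if ($Policy.NullSessionShares.Count) {
        $findings += 'Shares open to null sessions: ' + ($Policy.NullSessionShares -join ', ')
    }
    if ($Policy.NullSessionPipes.Count) {
        $findings += 'Pipes open to null sessions: ' + ($Policy.NullSessionPipes -join ', ')
    }
    return $findings   # an empty array means there is nothing to report
}

function Set-NullSessionPolicyHardened {
    # Requires administrative rights. Restart the Server service (or reboot)
    # for the new values to take effect.
    Set-ItemProperty -Path $LsaKey    -Name RestrictAnonymous -Value 2 -Type DWord
    Set-ItemProperty -Path $ServerKey -Name NullSessionShares -Value ([string[]]@()) -Type MultiString
    Set-ItemProperty -Path $ServerKey -Name NullSessionPipes  -Value ([string[]]@()) -Type MultiString
}

Test-NullSessionPolicy
```

Run the audit functions first and review the output before calling the hardening function: as the article explains, cross-domain browse lists and trust set-up rely on null sessions, so RestrictAnonymous=2 on a domain controller needs to be tested in a lab before it is rolled out.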

On Windows 2000 the security policy is set through the relevant MMC (Microsoft Management Console) snap-in. On a domain controller (DC), use the "Domain Security Policy" snap-in from the "Administrative Tools" menu; on a non-DC, use the "Local Security Policy" snap-in. There you will find the entry:

"Additional restrictions for anonymous connections"

with three possible values:

"None. Rely on default permissions"

"Do not allow enumeration of SAM accounts and shares"

"No access without explicit anonymous permissions"

The last value is the most secure, and it is equivalent to the value "2" in the registry value:

HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous

As discussed above, be aware of the "effective setting": policy applied at other levels (domain policy overriding local policy, for example) can change the effective setting. Another sensible step is to limit remote access to the registry. In Windows 2000 and later only Administrators and Backup Operators have the right to reach the registry over the network by default, and that is a good idea. Check the remote registry access setting on your servers by confirming the security permissions on the following registry key:

HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg

When a user attempts to connect to the registry of a remote computer, the "Server" service on the target machine checks the (winreg) key above. If the key does not exist, any user is allowed to connect to the target's registry. If the key is present, the ACL on the key is checked, and if the ACL grants the user read or write access, the user can connect. Once a user is allowed to connect remotely, the ACLs on the individual keys take effect. For example, if a given key grants "Read" access to "Everyone", an anonymous null session that has been allowed to reach the registry gets "Read" access to that key, which is not a good idea! It is worrying and dangerous, so remove "Everyone" from all registry keys and allow remote access to the registry only to specific accounts and groups. Several values under the "winreg" key also apply; on NT 4.0 these are:

HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\Machine

HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\Users

Both values are MULTI_SZ; under Windows 2000 the "Users" value is absent by default. These values list which registry keys are open to remote access by machines and by users respectively, and they override the security on the "winreg" key. Machines may need such access for services such as directory replication and print spooling. Two articles cover the details of remote registry access:

http://support.microsoft.com/directory/article.asp?id=kb;EN-US;Q186433

http://support.microsoft.com/directory/article.asp?id=kb;EN-US;Q153183
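As an added example (mine, not the article's), the following PowerShell applies the three checks just described to the local machine: whether the winreg key exists at all, whether its ACL grants anything to a principal that an anonymous caller belongs to, and whether AllowedPaths\Machine or AllowedPaths\Users lists keys that bypass the winreg ACL. The function name is this example's own.

```powershell
# Added example: report how exposed the remote registry is to an anonymous
# caller, following the rules given in the article. Not from the original.
function Get-RemoteRegistryExposure {
    $winreg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $findings = @()

    if (-not (Test-Path -Path $winreg)) {
        # Per the article: with no winreg key, the Server service lets any caller in
        return @('winreg key is missing: any connected user, null sessions included, may open the remote registry')
    }

    # Principals a null session token carries; an Allow ACE for any of them is a finding
    $anonymousGroups = @('Everyone', 'NT AUTHORITY\NETWORK', 'NT AUTHORITY\ANONYMOUS LOGON')
    $acl = Get-Acl -Path $winreg
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -in $anonymousGroups) {
            $findings += "winreg grants $($ace.RegistryRights) to $($ace.IdentityReference.Value)"
        }
    }

    # AllowedPaths\Machine and \Users open the listed keys regardless of the winreg ACL
    $allowed = Get-ItemProperty -Path (Join-Path $winreg 'AllowedPaths') -ErrorAction SilentlyContinue
    foreach ($name in 'Machine', 'Users') {
        $paths = @($allowed.$name | Where-Object { $_ })
        if ($paths.Count) {
            $findings += "AllowedPaths\$name bypasses the winreg ACL for: " + ($paths -join '; ')
        }
    }
    return $findings   # empty means nothing anonymous-facing was found
}

Get-RemoteRegistryExposure
```

Entries reported under AllowedPaths are not necessarily wrong (the article notes that replication and print spooling need some of them); the point of listing them is that each one is reachable by any caller the Server service lets connect, so each must be justified.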

It is also a good idea, after installing software on a server, to confirm that the installation process has not opened any null session shares or pipes. In fact, testing on a test machine before installing on a "real" server is always a good idea, particularly if the server is placed in a DMZ or on an external LAN. Anonymous access to a device on a public network or in a perimeter zone would be a heavy loss.

Remember too that the security token of a null session carries the two built-in groups "Everyone" and "Network". You can locate specific files on a volume and protect them by changing their permissions; of course, the volume must be NTFS. Unless you genuinely need null session access to a resource, replace the "Everyone" group with the built-in group "Authenticated Users". XCACLS or third-party access control software can do this, but the operation must be carried out carefully, especially on subfolders. When using XCACLS, be sure to use the "/E" option so that the ACLs are edited rather than replaced. Wherever an "Everyone" entry is found, remove it while adding the same permissions for the "Authenticated Users" group. Also, every time you create a share, remove the "Everyone" group from the share's ACL and substitute "Authenticated Users" or the appropriate users or groups.
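As an added example that is not part of the original article, here is a PowerShell equivalent of the XCACLS procedure above: it walks a folder and, for every explicit ACE that names Everyone (S-1-1-0), adds an identical entry for Authenticated Users (S-1-5-11) and then removes the Everyone entry. The ACL is edited in place, never replaced, which is what the "/E" option guards in XCACLS. The function name and the -ReportOnly switch are this example's own; the path in the usage line is the article's repair folder, used as a placeholder.

```powershell
# Added example: swap Everyone for Authenticated Users on explicit ACEs while
# preserving rights, inheritance and allow/deny type. Not from the original.
function Convert-EveryoneToAuthenticatedUsers {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse,
        [switch]$ReportOnly    # list affected paths without writing any ACL
    )
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

    $targets = @(Get-Item -LiteralPath $Path -Force)
    if ($Recurse) { $targets += Get-ChildItem -LiteralPath $Path -Recurse -Force }

    $changed = @()
    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Inherited entries are corrected by editing the parent; touch explicit ones only
        $hits = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Translate($sidType).Value -eq 'S-1-1-0'
        })
        if (-not $hits.Count) { continue }

        foreach ($ace in $hits) {
            # Same rights, inheritance flags and Allow/Deny type, different principal
            $clone = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $authUsers, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.AddAccessRule($clone)          # edit (XCACLS /E), do not replace
            $acl.RemoveAccessRuleSpecific($ace)
        }
        if (-not $ReportOnly) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
        $changed += $item.FullName
    }
    return $changed   # paths that carried an explicit Everyone entry
}

# Usage (placeholder path): preview first, then apply
# Convert-EveryoneToAuthenticatedUsers -Path 'C:\winnt\repair' -Recurse -ReportOnly
# Convert-EveryoneToAuthenticatedUsers -Path 'C:\winnt\repair' -Recurse
```

Because a Deny ACE for Everyone is cloned as a Deny for Authenticated Users, the function never loosens access; run it with -ReportOnly first on any tree where Everyone entries may exist for a reason.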

A final step is to set the policy for the user right:

"Access this computer from the network"

If the "Everyone" group holds this right, remove it, and make sure the users and groups that genuinely need the right are granted it instead. Under NT 4.0 this is done through "User Manager" on a non-DC machine, or "User Manager for Domains" on a domain controller. Under Windows 2000 it is changed under "User Rights Assignment" in the corresponding MMC security policy snap-in.
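As an added example (not from the original article), the following PowerShell exports the local security policy with secedit, reads who holds SeNetworkLogonRight (the internal name of "Access this computer from the network"), and reports whether Everyone (S-1-1-0) is among them. It needs administrative rights and reports only the local policy; the function names are this example's own.

```powershell
# Added example: check whether Everyone holds "Access this computer from the
# network". Not part of the original article.
function Get-NetworkLogonRightHolders {
    $inf = Join-Path $env:TEMP ('rights_{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        # The exported line looks like:
        #   SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-11
        $line = Get-Content -Path $inf -Encoding Unicode |
                Where-Object { $_ -match '^SeNetworkLogonRight\s*=' } |
                Select-Object -First 1
        if (-not $line) { return @() }
        $holders = ($line -split '=', 2)[1] -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') } |   # SIDs carry a leading *
                   Where-Object { $_ }
        return @($holders)
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-NetworkLogonRight {
    $holders = Get-NetworkLogonRightHolders
    # Resolve SIDs to names for the report; keep the raw value if lookup fails
    $names = foreach ($h in $holders) {
        if ($h -like 'S-1-*') {
            try { (New-Object System.Security.Principal.SecurityIdentifier $h).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $h }
        } else { $h }
    }
    if ($holders -contains 'S-1-1-0' -or $names -contains 'Everyone') {
        "Everyone holds 'Access this computer from the network'; replace it with Authenticated Users or the groups that need it. Holders: $($names -join ', ')"
    } else {
        "Everyone does not hold the right. Holders: $($names -join ', ')"
    }
}

Test-NetworkLogonRight
```

On a domain member the effective holders may come from domain Group Policy rather than the local policy this export reads, so check the effective setting as the article advises.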

Conclusion

Null sessions were created to facilitate communication within the platform, particularly at the service level. However, null sessions can also expose information to anonymous users in ways that endanger system security. If at all possible, eliminate null sessions from your systems entirely; if that is not possible for other reasons, take every precaution to ensure that the only information exposed is the information you intend to expose. Otherwise, null sessions provide a convenient entry point into your systems that can lead to compromise.

Please credit the original source when reposting: https://www.9cbs.com/read-67647.html
