Cris wrote:
>NT 3.5 w/ sp3 is the only currently certified release of NT at the C2
>level.
>NT is only C2 certified with NO networking at all.
As part of Microsoft's Resource Kit (or Pack, I don't remember) for NT 3.51
comes a little program called "C2 Security Manager". It allows you to
configure the local machine for C2 compliance. Besides some checks that
aren't required by C2, it looks for the following:
- Only NTFS must be installed.
- No other operating system must be available (i.e., no multiple-boot
configs).
- The boot loader must be set to 0 seconds delay.
- The OS/2 subsystem must be deleted.
- The POSIX subsystem must be deleted.
- The log must be set for manual deletion of old events.
- The system must halt on an audit failure.
- Users must log on in order to shut down the computer.
- The minimum password length must be six characters.
- The "Guest" account must be disabled.
- No networking services must be installed on the system.
I find this program very interesting, not only because of its claim that C2
does not require hiding the last user's name during the log-on sequence (is
that really true?), but also because it is a good indicator of just how badly
NT is configured for security out of the box.
Don't get me wrong. Conceptually it is a very good OS with regard to
security. But the way it installs itself... All the time and money that
Microsoft shelled out for designing a secure OS is lost, because the
default access permissions are set in a way that enables anyone with a bit
of Win32 API knowledge to compromise a host (in front of a firewall, that
is, not behind :-) .
Let me back this up with a few examples:
Most parts of the registry are world-readable and some hives are even
world-writable. One of the writable hives is the hive for the default
profile, used when the administrator did not create a specific user profile
for a user (profiles contain information on the location of the home
directory, or the Program Manager groups of a user, preferences, anything).
If you put an NT box on the Internet this alone makes you completely
vulnerable: anyone who wants to execute code on that machine only needs to
connect to your registry remotely (possible with the standard NT 3.5
REGEDT32.EXE or Win95's REGEDIT.EXE) and modify the startup group of the
default user profile. The next time someone without a profile logs on, your
code is executed. Combine this with an upload facility (e.g., FTP) and you
may have guests soon (easiest way out for all of the WWW people using NT:
disable the NetBEUI to UDP/TCP binding and use NetBEUI over NetBios or
EtherTalk locally).
All the services run in the system account by default, including the
scheduler, which in turn is used by the at command. Were you ever
interested in what the SAM hive contains? All you (or, for that matter, any
user) have to do is run the "at" command to start an instance of
regedt32.exe in a minute from now (at 12:01 regedt32.exe). Voila. Now you
can change whatever you want. (I think the "at" loophole was removed from
UN*X in 1846).
There are more flaws, all of them accessible to the average Joe, and there
are some loopholes for the more experienced (especially now with user32
and gdi in the kernel !). But after all, this is Firewalls@GreatCircle.com
and I don't want to be a bore. It is also much too nice out right now to
continue this mail. I will go to Central Park now (aaah, sweet freelance
life),
-Martin
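An added example, not part of Martin's post and not Microsoft's C2 Security Manager: a read-only PowerShell audit that checks the items on the C2 checklist quoted in the post on a current Windows host, and then tests the registry loophole he describes (whether the default profile hive is writable by everyone). The registry locations used (the Session Manager SubSystems key for OS/2 and POSIX, the classic EventLog Retention values, Lsa\CrashOnAuditFail, Winlogon\ShutdownWithoutLogon) and the use of HKU\.DEFAULT for the default profile hive are this script's assumptions about where the NT-lineage settings live; "no networking services" is approximated by two services because the post does not say what the original tool tested. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): read-only audit of the C2 Security
# Manager checklist items the post lists, plus the world-writable default-profile
# hive it describes, on a current Windows host. Run from an elevated prompt.
# The registry locations below are this script's assumptions about where the
# NT-lineage settings live; "no networking services" is approximated by two
# services, since the post does not give the original tool's exact test.

$results = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Only NTFS: every fixed disk (DriveType 3) must be NTFS.
$disks   = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3')
$nonNtfs = @($disks | Where-Object { $_.FileSystem -ne 'NTFS' })
Add-Check 'Only NTFS volumes' ($nonNtfs.Count -eq 0) (($disks | ForEach-Object { "$($_.DeviceID) $($_.FileSystem)" }) -join ', ')

# No multi-boot and zero boot delay: parse bcdedit (needs elevation; braces must be quoted in PowerShell).
$active  = @(bcdedit /enum 2>$null)                 # boot manager + entries in its display order
$osCount = @($active | Where-Object { $_ -match '^identifier\s' }).Count - 1   # minus {bootmgr}
Add-Check 'Single boot entry' ($osCount -eq 1) "$osCount OS entries (negative = bcdedit unreadable)"
$timeout = $null
foreach ($line in @(bcdedit /enum '{bootmgr}' 2>$null)) {
    if ($line -match '^timeout\s+(\d+)') { $timeout = [int]$Matches[1] }
}
Add-Check 'Boot loader delay 0 s' ($timeout -eq 0) "timeout=$timeout"

# OS/2 and POSIX subsystems removed: Session Manager no longer lists them (assumed location).
$ss = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
foreach ($sub in 'Os2', 'Posix') {
    $v = Get-RegValue $ss $sub
    Add-Check "$sub subsystem removed" ($null -eq $v) "$sub=$v"
}

# Logs set to manual clearing: classic EventLog Retention = 0xFFFFFFFF, which a REG_DWORD reads back as -1.
foreach ($log in 'Application', 'Security', 'System') {
    $ret = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log" 'Retention'
    Add-Check "$log log cleared manually" ($ret -eq -1) "Retention=$ret"
}

# Halt on audit failure: Lsa\CrashOnAuditFail = 1.
$caf = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'CrashOnAuditFail'
Add-Check 'Halt on audit failure' ($caf -eq 1) "CrashOnAuditFail=$caf"

# Users must log on to shut down: Winlogon\ShutdownWithoutLogon = "0" (REG_SZ).
$swl = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'ShutdownWithoutLogon'
Add-Check 'Logon required to shut down' ([string]$swl -eq '0') "ShutdownWithoutLogon=$swl"

# Minimum password length >= 6: parse the local policy from "net accounts" (English output assumed).
$minLen = $null
foreach ($line in @(net accounts 2>$null)) {
    if ($line -match 'Minimum password length:\s+(\d+)') { $minLen = [int]$Matches[1] }
}
Add-Check 'Minimum password length >= 6' ($null -ne $minLen -and $minLen -ge 6) "min length=$minLen"

# Guest disabled.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Add-Check 'Guest account disabled' ($null -eq $guest -or -not $guest.Enabled) "Guest present=$($null -ne $guest)"

# "No networking services": approximated by the file-server and remote-registry services being stopped.
foreach ($svc in 'LanmanServer', 'RemoteRegistry') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $running = ($null -ne $s -and $s.Status -eq 'Running')
    Add-Check "$svc stopped" (-not $running) "status=$(if ($s) { $s.Status } else { 'absent' })"
}

# The post's registry loophole: can Everyone/Users write to the default profile hive?
# HKU\.DEFAULT is assumed here to be that hive; any SetValue/CreateSubKey allow ACE counts as writable.
$writeBits = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey)
$acl = Get-Acl -Path 'Registry::HKEY_USERS\.DEFAULT'
$worldWriters = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$' -and
    (([int]$_.RegistryRights -band $writeBits) -ne 0)
})
Add-Check 'Default profile hive not world-writable' ($worldWriters.Count -eq 0) (($worldWriters | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; ')

$results | Format-Table -AutoSize
```

Each row reports Pass/Fail with the raw value it was derived from, so a failing "Single boot entry" or "Boot loader delay" line with a negative or empty detail means bcdedit could not be read (not elevated) rather than a misconfiguration. The last check is the one that matters for the scenario in the post: on a box where it fails, anyone with registry access (local, or remote if RemoteRegistry is running) can plant a value under the default profile that runs at the next profile-less logon.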