Great Circle Associates Firewalls
(June 1996)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: RE: NT Backoffice "Catapult" firewall certified?
From: Russ <Russ . Cooper @ RC . Toronto . on . ca>
Date: Sun, 30 Jun 1996 20:25:47 -0400
To: "'johnb @ aztec . co . za'" <johnb @ aztec . co . za>
Cc: "'Firewalls'" <firewalls @ GreatCircle . COM>

Sorry, but there are so many inaccuracies in this message it makes my head 
spin.

NT 3.51 comes with the Guest account disabled. The Guest account has 
limited access to the system, although all NT systems are installed with 
very lax security out of the box. It should be blatantly obvious to anyone 
that if you are trying to use NT in a secure environment, then some effort 
is going to be required to secure it.

Read/Write access to the registry is, first of all, restricted to members 
of the domain which the NT box is installed in. If you enabled the Guest 
account, then yes, it would have access to a sub-section of the registry on 
the NT box, but it certainly does not permit you read/write access to the 
Security Access Manager (the user/password encrypted database). If fact, 
no-one, not even the Administrator, has read/write access to the SAM. The 
Administrator can gain access to the SAM, but it must do so by first taking 
ownership, then granting permission. Both of these actions are recorded in 
the Event Log.

	"However, even if guest has a passowrd, any other user on that NT box 
could edit the registry."

Editing the registry is a very broad and sweeping term that can either have 
no security implications or tremendous security implications. By default, 
any user can add information into the registry about their application. 
Since application information is stored in a common sub-section of the 
registry, its possible that one application could write to the keys of 
another application, thereby installing a Trojan. This Trojan, however, is 
limited to installable applications, and does not include things such as 
the logon process.

	"There are a few things one can do to sorta secure NT, but there are so 
many, one starts to think the only way to make NT secure is to disconnect 
it from the network... or put it behind its own firewall (which stiill 
makes it vunerable to people who have access to it...)"

So, there are a few things, but those few things are so many its difficult 
to understand?? Come on, there are a number of things you do to secure NT, 
its not rocket science, its like any other environment, you have to learn 
that environment.

	"Global Internet (Gi.net) have a firewall, and a TNT package for NT, which 
can secure NT from tcp/ip networks, but merely by making it a wrapper, 
which basically acts like a tcpwrapper under unix, which only allows access 
to it to hosts which are specified."

Just to clarify, the firewall is not merely a wrapper, its a fully 
NT-specifically coded version of Gauntlet.

	"I unfortuneatly have not had the time to evaluate these packages 
extensively, or any of the competing packages, for that matter..."

And you could have added that you haven't had much time to understand NT 
security either. Certainly you don't think that spending three weeks on the 
NTSecurity list qualifies you as an NT Security (or NT InSecurity) expert??

I've been securing Windows NT for almost 5 years now, and while there are 
some environments which I admit are almost impossible to properly secure 
(access to NT through WinDD, Citrix, or some other terminal-emulation-like 
server-based environment...thanks to Pete Da Silva) today, the vast 
majority of NT installations can be *reasonably* secured with the tools 
that come with NT itself. There are a number of tools which can improve 
NT's security environment, as they do in Unix environments. SecureID, 
eNTrust, TNT, and other authentication mechanisms are just one example.

	"Because NT has even more security holes than Irix *duck*, I wont list 
them here,"

Its interesting that you should say this. Bill Stout put a very good list 
together, but a number of those issues can be addressed if you can accept 
the inconvenience it adds to the environment (as is often the case with any 
environment you are trying to *completely* secure). I would suggest that 
you are merely echoing someone else's claims, and not stating anything that 
you have personal knowledge of.

There are some *holes* in NT. The biggest one that I am personally aware of 
is the fact that you can attempt to change the Administrator's password as 
many times as you want without the account ever locking you out. Since its 
not currently possible to limit the number of unsuccessful login attempts 
to the Administrator account, there is no way to prevent this hack. Of 
course this is a brute force attack, but since its possible to do this from 
across a network, it represents the most significant flaw in NT's security 
model that I am aware of.

NT 4.0 addresses some problems, and will probably address more by the time 
its released. Currently, however, NT 4.0 has not yet addressed the issue of 
locking out the Administrator account. There is, however, a basic packet 
filter which allows you to shut down specific ports on your machine. It 
does not, however, allow you to specify IP addresses or NT Machine names to 
selectively allow connections through closed ports. Since Catapult can be 
run together with other NT Server applications, its possible that it might 
make a very logical addition to any NT Server that is meant to be secure 
(it will depend on its cost, and its ability).

The Kane Security Analyst, well-known in the Novell environment, have 
completed their NT product which can provide a pretty comprehensive 
analysis of your NT environment. It's not intended to show every potential 
security risk, as no program could, but it does a very good job of showing 
and documenting issues which need to be considered.

Its important to point out that some of the NT Firewall products do not 
rely on NT's Security Reference Monitor (or NT's security mechanisms) to 
provide their security. Depending on how the Firewall has been implemented, 
it may, for example, use drivers to intercept packets prior to those 
packets entering NT's networking components. By doing so, they are better 
able to control how those packets interact with NT, in some cases, 
eliminating access to NT core components in order to verify what the packet 
can do. Most also disable various NT services which pose security risks to 
the Firewall. These two actions could be considered similar to stripping 
down an OS in order to harden it. Some people have previously said that 
hardening NT was not possible, but most of these Firewall products have 
shown that it is.

Cheers,
Russ



Indexed By Date Previous: Re: NT Backoffice "Catapult" firewall certified?
From: Michael Dillon <michael @ memra . com>
Next: Re: FW: Web server updates and secure ac
From: Ng Pheng Siong <ngps @ pacific . net . sg>
Indexed By Thread Previous: Re: NT Backoffice "Catapult" firewall certified?
From: Michael Dillon <michael @ memra . com>
Next: source routing and Ascend P50
From: Full Name Field <wall @ readybox . com>

Google
 
Search Internet Search www.greatcircle.com