Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


July 1997

NT Security Scares?



SCARE NUMBER THREE:  RedButton
RedButton is a program that a firm wrote to demonstrate a security hole in NT. (The firm's main line of business is, surprise, NT security consulting.) RedButton connects to an NT machine over TCP port 139, the NetBIOS session service, and reports the name of the built-in Administrator account. That name is worth knowing to an attacker because, by default, the built-in Administrator account is the one account that never locks out after repeated bad passwords, so an attacker who knows its name can keep guessing indefinitely.

Releasing such a program without an antidote raises the question of whether doing so is ethical, but what can you do about it? Again, use PASSPROP from the NT Resource Kit with its /ADMINLOCKOUT switch so that the built-in Administrator account locks out after repeated bad passwords, just like other accounts. (The lockout applies to network logons; Administrator can still log on interactively at the console, so you cannot lock yourself out of your own domain controller.)

Advice: Use PASSPROP, give the built-in Administrator account a very long password, or, preferably, do both. And filter TCP port 139 at your router or firewall so that outsiders cannot reach the NetBIOS session service at all. (For another view of RedButton, see Mark Joseph Edwards, "RedButton Reveals Bugs in NT," page 48.)

SCARE NUMBER FOUR:  The RPC/Telnet Bug
NT systems talk to one another via an inter-process communication mechanism called remote procedure calls (RPCs). When one NT machine wants to talk to another, it first contacts the other machine's RPC endpoint mapper, which listens on TCP port 135, and then establishes an RPC connection. The RPC/Telnet bug abuses that listener and slows the victim system drastically.

Use Telnet to attach to port 135 on an NT machine. For example, if the machine's IP address is 199.34.57.7, open a command line and type

telnet 199.34.57.7 135

The Telnet screen will appear, looking like a standard dumb terminal interface. Type a few random characters, and close the Telnet window. Within a minute or two, the victim NT machine (199.34.57.7, in this case) will devote 98 percent of its CPU power to the RPCSS.EXE (Remote Procedure Call SubSystem) routine. This activity will, of course, slow anything else running on the victim machine.

When you connected to port 135 and typed some characters, you started the session setup process for the RPC system. When you dropped the connection, the RPC system wasn't smart enough to recognize the interruption, and it ran around in circles trying to finish setting up a session that no longer existed. This bug doesn't kill a system, but it does slow it, and you have to reboot to reset it. Microsoft has a hotfix for this NT problem at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP2/RPC-fix.

Advice: Get the hotfix. (Service Pack 3, SP3, which came out just as I finished writing this article, includes the fix.) And filter TCP port 135 at your router or firewall; nothing outside your network has a legitimate reason to reach the RPC endpoint mapper.
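The advice for scares three and four comes down to one control: TCP ports 135 and 139 must not be reachable from outside. The script below is an added example, not code from the original article, for checking that from an outside vantage point. It tells a filtered port (no answer: the router or firewall is dropping the packet) apart from a merely closed one (the host sends a reset, so nothing is filtering and the service simply isn't listening right now). The target host (defaulting to 127.0.0.1 for a dry run), the 2-second timeout and the two-entry port table are assumptions.

```python
"""Check that TCP 135 (RPC endpoint mapper) and 139 (NetBIOS session service)
are filtered from an untrusted vantage point.

Added example, not code from the original article.  Assumptions: the target
host is given on the command line (default 127.0.0.1 for a dry run), the
timeout is 2 s, and only the two ports the article names are checked.
"""
import socket
import sys

# The two services the article says to block at the router or firewall.
PORTS_TO_FILTER = {
    135: "RPC endpoint mapper (RPCSS)",
    139: "NetBIOS session service (what RedButton talks to)",
}


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port as seen from this machine.

    open       - handshake completed: the service is reachable.
    closed     - host replied with RST: reachable, nothing is filtering,
                 the service merely is not listening right now.
    filtered   - no reply before the timeout (or no route): a packet
                 filter is dropping the SYN, which is the desired state.
    unresolved - the host name did not resolve; nothing can be concluded.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # timeout, host/network unreachable, ...
        return "filtered"


def probe_host(host: str, ports=PORTS_TO_FILTER, timeout: float = 2.0) -> dict:
    """Map each port to its probe_port() state."""
    return {port: probe_port(host, port, timeout) for port in ports}


def exposed_ports(results: dict) -> list:
    """Ports where the filter is missing.  'closed' counts as exposed: the
    SYN got through, so the service is reachable the moment it starts."""
    return sorted(p for p, state in results.items() if state in ("open", "closed"))


def main(argv):
    host = argv[1] if len(argv) > 1 else "127.0.0.1"
    results = probe_host(host)
    for port, state in sorted(results.items()):
        print(f"{host}:{port:<4} {state:<10} {PORTS_TO_FILTER[port]}")
    bad = exposed_ports(results)
    print("OK: both ports filtered" if not bad else f"NOT filtered: {bad}")
    return 0 if not bad else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine on the far side of the router or firewall; run from inside the network, both ports will show as open or closed, which is exactly the point of the advice: the filter only protects you against outsiders. The check uses plain TCP connects, so it cannot distinguish a dropped SYN from a very slow host; rerun with a longer timeout before concluding that a port is filtered.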

SCARE NUMBER FIVE:  The Password Cracker
Another security consulting firm wrote a program advertised as an NT password cracker, a program that, according to some accounts, can crack the Security Accounts Manager (SAM) database on an NT machine and dump all the passwords. (For more information on this scare, see Mark Joseph Edwards, "NT Passwords Compromised?" June 1997.) This boogeyman was largely bad journalism.

You see, NT never stores the password itself, and what it does store is doubly protected. When you give a password to a new account, or change the password on an existing account, NT runs the password through a one-way hash function and keeps only the result, the one-way function (OWF) password; the SAM then encrypts that stored hash a second time before writing it to disk. (For more information on how NT handles passwords, see "Windows NT Logons," June 1997.)

What's an OWF? A password is just a series of bits, so you can think of it as nothing more than a very large binary number, one you can run through a mathematical function. Many math functions are as easy to undo as to do: halving a number is as easy as doubling it. Others are not: squaring a number is much easier than taking its square root, and multiplying two large prime numbers is far simpler than taking the product and trying to figure out what its prime factors were. A one-way function is designed to be easy to compute and infeasible to invert.

So suppose my password is "swordfish." Suppose also that the bad guys get my OWF password, the result of running "swordfish" through the OWF. What can they do with it? They know the OWF (Microsoft has documented it), and they know its output, the OWF password. What they want is the input that produced it. So they mount a dictionary attack: they write a program that takes every word in the English language, runs it through the OWF, and compares the result with the stolen OWF password. When the values match, they have found the original word, "swordfish," and they know my password. Unless, of course, the password isn't an English word. In that case they have to try every possible combination of characters from zero to 14 characters long, and we're back to septillions of operations. Hmmm. Assume that a computer can do a billion operations per second. (Hey, trust me, I've heard that Merced will be really fast.) Septillions of operations (ten to the 25th, recall) would take that machine ten to the 16th seconds, which is roughly 300 million years. By then, I suspect I will have changed my password once or twice. Doesn't sound like much of a security hole to me.

But wait, this situation gets even better. To obtain the SAM data this program needs, you must be logged on to the domain controller with an Administrator account. When last I checked, administrators could change passwords. Any administrator crooked enough to run this program is also crooked enough to simply change a password or modify an object's permissions (taking ownership of any object is a built-in administrative right).

Advice: Be sure to change your passwords at least once every few hundred million years. And don't hire crooked administrators.
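To make the dictionary-versus-brute-force argument of the preceding paragraphs concrete, here is an added example, not code from the original article, that computes an NT OWF password and runs the dictionary attack the text describes against it. What is taken from NT's documented design: the NT OWF is MD4 of the password encoded as UTF-16LE, with no salt. MD4 is implemented inline from RFC 1320 so the script runs without OpenSSL's legacy provider; the wordlist, the password "swordfish", the alphabet size and the guessing rate are constructed for the example.

```python
"""NT one-way function (OWF) password and a dictionary attack against it.

Added example, not code from the original article.  Taken from NT's
documented design: NT OWF = MD4(UTF-16LE(password)), unsalted.  MD4 is
implemented inline (RFC 1320).  Wordlist, sample password and rate are
constructed.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320), 16 bytes."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                      # a single 1 bit, then zero padding
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)     # message length in bits, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (round function, additive constant, shift schedule, word order)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate the roles for the next step
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_owf(password: str) -> bytes:
    """The NT OWF password: MD4 over the UTF-16LE encoding.  No salt, so
    equal passwords always give equal OWF values, on any account, any machine."""
    return md4(password.encode("utf-16le"))


def dictionary_attack(owf: bytes, wordlist):
    """Hash each candidate and compare; return the matching word or None."""
    for word in wordlist:
        if nt_owf(word) == owf:
            return word
    return None


def brute_force_years(alphabet_size: int, max_len: int, guesses_per_second: float) -> float:
    """Years needed to try every string of length 0..max_len at the given rate."""
    total = sum(alphabet_size ** n for n in range(max_len + 1))
    return total / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    stolen = nt_owf("swordfish")                     # what the attacker got from the SAM
    words = ["password", "letmein", "trustno1", "swordfish", "quartz"]   # constructed wordlist
    print("NT OWF of 'password':", nt_owf("password").hex())
    print("dictionary attack recovers:", dictionary_attack(stolen, words))
    print(f"exhaustive search, 95 chars x 14, 1e9/s: {brute_force_years(95, 14, 1e9):.1e} years")
```

Two things the code makes visible that the article's arithmetic does not, neither of them stated on the page. First, the OWF has no salt, so one pass over the wordlist tests every hash the attacker captured at once, not one account at a time. Second, brute_force_years() bounds the work only for the NT hash; NT also keeps a LAN Manager hash of the same password, computed over two independent seven-character, uppercased halves, and that is the hash the cracking program in question goes after. Two searches of roughly 69^7 candidates each take hours, not eons, at the assumed rate, which is why a long password with mixed case and non-dictionary characters, rather than the hundred-million-year figure, is the real protection.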

And More Advice
My best advice is to stop worrying and watch the passwords. Never enable the Guest account. Take special pains with the built-in Administrator account (either run PASSPROP or give Administrator a very long, random password), make all users change their passwords regularly, avoid Telnet and RSH servers (they carry passwords across the network in cleartext), and isolate the FTP and HTTP servers and lock down their files with file and directory permissions. And be wary of people who want to panic you about NT security and then charge you money to repair the problems.

SP3 provides solutions to several of the problems I discussed here. Windows NT Magazine news editor Mark Joseph Edwards dubbed SP3 "Security Pack 3," and he's right. Install it today.




Reader Comments
I read Mark Minasi's July article, "NT Security Scares?" and want to thank him for bringing sanity to the NT security issue. I am an MCSE and currently travel around the country presenting NT seminars. Informal polling indicates that 75 percent of networks connected to the Internet do not have a firewall. I can already hear the "Chicken Little" hackers screaming, "The sky is falling." Before we all join the chorus, consider the obvious. If the gaping holes in NT security were truly threatening to most networks, it would be the administrators, not the hackers, screaming for solutions. Most IS professionals I meet are looking for ways to stuff 12 hours of work into an 8-hour day. Minasi's recommendations provide realistic security and give administrators time to focus on productivity.
--Stephen Brown MCSE, MCT

Stephen Brown August 13, 1999






Windows IT Pro is a Division of Penton Media Inc.
© 2009 Penton Media, Inc.