Microsoft Windows XP Networking Inside Out


5: Advanced Networking

Part 5: Advanced Networking

Examining Windows Security History

Chapter 20

Microsoft Windows was originally developed as a stand-alone desktop computing environment based on MS-DOS. As such, Windows was not originally intended to function in a modern network environment; in fact, when Windows first began to gain market share, the Internet itself was barely known outside academic circles.

As Windows evolved, it eventually became able to participate in LANs, via third-party components as well as later Microsoft enhancements. Later, the Internet became more and more commonplace in both home and corporate networks, and Windows’ ability to connect to the Internet improved with every release of both the consumer and business-oriented versions of Windows.

Because the inclusion of, and later focus on, network and Internet functionality was a gradual process, Windows’ security features grew gradually as well.

In addition, Microsoft’s focus has always been on developing products that provide the maximum number of features for users. Part of this focus has traditionally resulted in Windows (and other notable Microsoft products, including Office) being installed with nearly every enhancement and feature enabled and disabling options that would increase security but decrease ease of use or limit functionality.

As Windows clients have become more and more prevalent across the Internet, this policy has become more controversial. The existence of these features, along with Windows’ traditional focus as a stand-alone operating system, has led to numerous security vulnerabilities, many of which have been exploited on large numbers of computers.

Originally, Microsoft’s policy was to continue to provide as much easy-to-use functionality as possible and to suggest that individuals running in networked environments simply disable what they didn’t need. Unfortunately, many Windows users either didn’t understand that everything was enabled in a default product installation or didn’t pay enough attention to the security vulnerabilities of some of those features; thus, they continued to be left vulnerable to many types of security exploits. To compound this problem, as security holes were discovered in Microsoft’s products, its recommendations for configuring or patching the computer to block the threats were commonly unnoticed or ignored by many users and system administrators.

With Microsoft Windows 98, Microsoft introduced Windows Update, a Web-based tool that makes it even easier for Windows users to update their operating system. At first, remembering to regularly visit this site required vigilance on the part of the user, but Microsoft eventually released components that allowed users to automatically receive notifications when critical patches became available and even to have these patches downloaded and installed automatically.

For more information about using Windows Update to patch Windows XP installations, see “Keeping Software Up to Date,” page 573.

558


Chapter 20: Maintaining Network Security

Unfortunately, the fact remained that many installations of Windows operating systems connected to the Internet remained highly insecure. In addition, the fundamental design of many Microsoft products, as well as that of many features included with Windows, led to a large number of security flaws.

In 2002, Microsoft attempted to address these issues at every level of the company with its Trustworthy Computing Initiative. Triggered by a memo sent to all company employees by Microsoft Chairman and Chief Security Architect Bill Gates, Microsoft’s Trustworthy Computing Initiative is an attempt to improve both the security and reliability of the company’s products as well as Microsoft’s public image. The Trustworthy Computing Initiative includes a number of extremely important steps:

Sending all Microsoft programmers to security training classes to help eliminate the introduction of low-level security vulnerabilities during the development process.

Freezing all new product feature development until top-down security reviews, designed to discover and document security vulnerabilities, are completed and software patches for those vulnerabilities released.

A focus on security as a critical feature of all new product development.

An end to the practice of automatically enabling features that could potentially expose users to security risks. Those features would have to be explicitly enabled by the end user.

The first major product release to benefit from Microsoft’s Trustworthy Computing Initiative was Windows XP. Windows XP was in the latter stages of testing when the Trustworthy Computing Initiative began; however, Microsoft had already committed to making Windows XP the most secure operating system the company has ever released.

This determination shows in a number of areas. For example, Windows XP Professional includes Internet Information Services (IIS), but for the first time, IIS is not enabled by default during installation of the operating system. Additionally, Windows XP includes built-in support for automating Windows Update as well as the ability to automatically report application and system errors to Microsoft for analysis. Windows XP also includes Internet Connection Firewall (ICF), and security has been improved in both Microsoft Outlook Express and Microsoft Internet Explorer.

No operating system, however, can remain completely secure without vigilant attention from users and system administrators, and adherence to secure practices. You’ll learn all about these practices in this chapter. The next section analyzes the types of security threats that Windows XP users face.


Understanding Security Threats


There are two major categories of security threats that Windows XP users need to protect themselves from:

Network-initiated threats in which remote hackers attempt to take advantage of security flaws in software installed on network systems across WANs such as the Internet

Local threats initiated by software running on local client computers

The line between these types of threats is often blurred; for instance, some Internet worms are triggered by being executed on a local e-mail application such as Microsoft Outlook Express, but can also attempt to exploit remote computers over a computer’s network connection. Another example is remote Web content that takes advantage of flaws in Microsoft Internet Explorer to attack a user’s computer. However, these two categories are still useful when trying to understand the types of threats Windows XP users need to address.

Understanding Network-initiated Threats

The public image of security attacks centers on those initiated across remote networks, such as dial-up connections or the Internet. Although these attacks are far less melodramatic than those depicted in movies such as WarGames (MGM, 1983), they remain a significant risk to any computer connected to a large network.

Individual hackers can launch attacks across a network with a number of different goals in mind. They might want to gain control of a remote system to access sensitive information, to deface or damage data located on the system, or simply to use the system as a staging ground for other attacks. They might also want to disable the computer or the network to which it’s connected.

Denial of Service Attacks

Attacks that disable a computer or the network to which it’s connected are referred to as denial-of-service (DoS) attacks. DoS attacks are designed to prevent normal network functionality on a computer or a group of computers. Individuals can launch DoS attacks in several ways, for example:

Attackers can transmit specially crafted network packets to a target system. These packets, which do not meet the required standards of the network or application protocol running on the destination system, cause applications or services (or even the entire operating system) on the target machine to close or crash. Perhaps the most famous example of this type of attack is the Ping of Death, where an Internet Control Message Protocol (ICMP) ping packet is sent with a gigantic packet size. Many IP stacks on several operating systems share a bug that causes the computer to crash when this packet is received.

Attackers can flood a computer with so much traffic that it has no CPU time left for normal tasks, effectively making it unable to perform any other tasks. Some systems or services can even crash due to this overload. If properly executed, a traffic overload can flood the target computer’s entire network.

Attackers can transmit the packets required to initiate a connection to a protocol or application without completing the connection. This consumes a limited resource on the target system, and if repeated enough times, can slow the computer to a halt.

DoS attacks launched against individual computers were once a popular form of network attack. However, many of the flaws in the IP protocol (as well as in other application protocols) that left computers vulnerable to simple DoS attacks (such as those launched by one originator against one target) have been fixed. Additionally, network administrators are familiar with normal DoS attack signatures and can easily block traffic from individual computers or networks launching an attack.

Today, DoS attacks are more commonly launched by multiple computers located across the Internet in what is called a distributed denial-of-service (DDoS) attack. To maximize the effect of such an attack, hackers take over computers across the Internet (using techniques that will be discussed later in this chapter), and then use all of these hacked computers to launch DoS attacks on a target computer or network. Because the traffic comes from multiple sources, it can quickly overload a network’s routers and computers; for the same reason, blocking the attack can be extremely difficult.

Exploiting Insecure Resources

Disrupting target computers and networks is not the only potential goal of a hacker, however. A hacker might want to gain control of a target computer for other purposes. This section discusses how a hacker can gain control of a computer by exploiting vulnerabilities in services on target systems.

These exploits typically begin with a hacker probing a system to determine its vulnerabilities. This probing usually takes the form of a port scan in which the hacker’s computer attempts to connect to ports on the target computer to build a list of IP ports that are listening for connections. This can either be done by sweeping all numerical IP ports or through a more targeted scan of certain well-known IP ports used by applications known to be vulnerable to attack.


Once the port scan is complete, the hacker can use the list of available ports on the target computer to determine which attacks to launch. Often, simply knowing which ports are listening (such as port 80, the common HTTP port used by Web servers) tells the hacker something about what programs are running on the target computer. These ports can also be probed in more detail by connecting to them manually to see what responses are returned from the target computer. These responses can be used to identify the services and the operating system more specifically. For instance, in the case of a Web server, a manual connection to the HTTP port normally returns the name and version number of the Web server as well as the underlying operating system. With this information, the hacker can then refine his or her attack on the system and perhaps attempt to take advantage of known vulnerabilities in the specific Web server or search for other commonly used services on the target operating system.

What, then, are the vulnerabilities that can be exploited? There are many different kinds in many different types of software; however, most fall into one of the following categories.

Buffer overruns. Most operating systems (as well as network services that run on them) are written in some derivative of the C or C++ programming language, or even assembly language. These languages are used because of their high levels of performance, which is critical for both operating systems and network services that are intended to handle heavy loads. However, these languages can require programmers to manually manage buffers of memory for many tasks including the input and output of data. Many (if not most) programmers using these languages simply place input data directly into these buffers without performing more than perfunctory checks for the validity of the data including its length and contents. This practice leaves these applications extremely vulnerable to being hijacked by a malicious user. For instance, if input gathered by an IP application is not checked for length, a hacker can perform a buffer overrun attack, in which a large amount of data is transmitted to a vulnerable IP application, thus overrunning (exceeding the size of) its input buffer. If the buffer is sufficiently overrun with machine instructions of the hacker’s choosing, the target computer can be induced to run those instructions, thereby hijacking the system’s normal processing. These machine instructions can perform any task on the target system that the target application has rights to perform. For applications such as IIS, which runs by default with System-level permissions, such an attack can be truly disastrous. The hacker can gain complete control over the target computer.
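As an added illustration (not code from the book), here is the unchecked copy the paragraph describes beside a version that performs the length and content checks it says are usually skipped; the buffer size, field names and sample inputs are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define FIELD_MAX 16   /* fixed-size input buffer, constructed for the demo */

/* The defective pattern the text describes: input from the network is copied
   into a fixed buffer with no length check, so a request longer than the
   buffer writes past its end. Kept only for contrast; it is called below with
   a well-formed input to show why the bug goes unnoticed in ordinary testing. */
void copy_field_unchecked(char *field, const char *input)
{
    strcpy(field, input);   /* writes strlen(input) + 1 bytes, whatever the size */
}

/* The checks the text says are usually skipped: length first, then content.
   Returns 0 if 'input' may be stored in a buffer of 'field_size' bytes,
   -1 if it would not fit (terminator included), -2 if it carries bytes that a
   text field should never contain. */
int validate_field(const char *input, size_t field_size)
{
    size_t len = strlen(input);
    if (len + 1 > field_size)
        return -1;
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)input[i]))
            return -2;
    return 0;
}

/* Hardened copy: validate, then copy a known number of bytes. */
int copy_field_checked(char *field, size_t field_size, const char *input)
{
    int rc = validate_field(input, field_size);
    if (rc != 0)
        return rc;
    memcpy(field, input, strlen(input) + 1);   /* terminator included */
    return 0;
}

/* Simulated request handler. Returns 1 if the request was accepted, 0 if it
   was rejected: an oversized user name is now an error, not a hijacked stack. */
int handle_login_request(const char *username)
{
    char field[FIELD_MAX];
    int rc = copy_field_checked(field, sizeof field, username);
    if (rc != 0) {
        fprintf(stderr, "rejected user name (code %d)\n", rc);
        return 0;
    }
    printf("accepted user '%s'\n", field);
    return 1;
}

/* Reports whether the unchecked copy would overrun a buffer of 'field_size'
   bytes for this input. Computed rather than executed, so nothing is overrun. */
int unchecked_copy_would_overrun(const char *input, size_t field_size)
{
    return strlen(input) + 1 > field_size;
}

int main(void)
{
    /* Constructed inputs: a normal name, a 32-byte name, and one that smuggles
       a control character. */
    const char *normal = "alice";
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    const char *binary = "bob\x01";
    char field[FIELD_MAX];

    copy_field_unchecked(field, normal);   /* looks fine for well-formed input */
    printf("unchecked copy stored '%s'\n", field);
    printf("unchecked copy of the 32-byte name would overrun: %d\n",
           unchecked_copy_would_overrun(oversized, sizeof field));
    handle_login_request(normal);
    handle_login_request(oversized);
    handle_login_request(binary);
    return 0;
}
```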

Unsecured network services. Many network services were developed with little or no concern for security. A number of these services predate the modern Internet environment with its constant security threats, whereas others were intended to rely on other security features (such as firewalls) provided by the network administrator. When installed and configured by default, these protocols provide no security whatsoever or have security settings turned down or disabled completely. One example of such a protocol is Simple Network Management Protocol (SNMP). SNMP provides the capability to both query and manage a vast array of configuration settings on network devices such as computers and routers, and it does not provide a facility for logon authorization. It simply specifies community names, so any computer in a specified community can perform SNMP tasks on other systems in that community. SNMP traffic can be blocked by host name or IP, but this feature is also disabled by default. Also, many devices and applications, such as residential gateways, network-enabled printers, and even Microsoft SQL Server 2000, provide default administrator accounts with standard or blank passwords that provide full control over those devices or programs.

Insecure network protocols. Many common Internet applications in their default configurations transmit all data across the network as clear text, meaning that no encryption is used to protect the data from being intercepted and read by an unauthorized third party. One example of such a protocol is Telnet. When making a Telnet connection, all data, including your user name and password, is transmitted in the clear. HTTP, the communications protocol used by Web browsers and Web servers, also transmits all information in the clear by default, although an encrypted version of the protocol, Secure Hypertext Transfer Protocol (HTTPS) is available. Clear-text information can be intercepted in a number of ways. Because most modern networks use a shared broadcast medium for communication, a hacker normally only needs to take over some kind of device on that network, install an application known as a packet sniffer to listen to all traffic on the network, and then scavenge for user name and password pairs. In fact, in a worst-case scenario, that same hacker might be able to scavenge even more critical information, such as credit card numbers, personal identification data, or proprietary company data.

Brute-force attacks. Brute-force attacks use the automation power of computers to attack secure systems, either by trying all possible combinations of a logon password or by attempting to perform cryptographic analysis on protected network traffic. These techniques require extreme computational power and are unlikely to work on properly encrypted data and secure systems. For example, decrypting a data packet that has been protected with 128-bit encryption could take a standard desktop PC literally millions of years of constant computation. However, flaws in encryption mechanisms or system logon routines can be relatively easily exposed using these brute-force techniques.


Caution: Even well-crafted encryption mechanisms are not sufficient to protect network traffic from interception and eavesdropping. If the communication channel between two systems is not properly authenticated, an attacker could perform a man-in-the-middle attack, in which the attacker poses as the remote communication partner for an encrypted data exchange to both the client and server. This enables the attacker to negotiate encryption channels with both partners and watch all the traffic being exchanged between them. For this reason, secure protocols such as HTTPS rely on signed certificates that are verified by a trusted third party (such as Thawte or VeriSign) to represent the identity of the remote communication partner.

These are only samples of the types of network attacks that can be initiated by a remote attacker. It should be clear that protecting a computer against these attacks is critical. However, only protecting against network-initiated attacks is not enough to truly ensure the security of your Windows XP computer.

Understanding Local Security Threats

Using the term local to refer to the threats categorized in this section can be misleading. For the most part, these threats do not have their true origin on the local computer. Computer viruses normally arrive on the local computer via an infected disk or file, and most often, the file is downloaded over the Internet. However, because these threats primarily do their damage by running software on the end user’s computer, the designation of local remains apt.

Local security threats also tend to rely on design flaws and vulnerabilities in operating system software and applications, but they equally tend to rely on how people use their computers. This section examines the different types of local threats that Windows XP users face.

Viruses

Perhaps the most commonly known form of malicious software is the computer virus. Computer viruses are named after their biological equivalent because, like the viruses that make humans and animals sick, they take advantage of their hosts to propagate from target to target and cause damage.

Computer viruses are transmitted from system to system via mechanisms built into the operating systems or applications that they infect. Although many viruses are harmless, developed as exercises in software development by their authors, many others carry destructive payloads designed to alter or destroy user data or operating system installations (or in some rare cases, computer hardware).


There are several types of viruses, for example:

Executable viruses. Executable viruses alter an application’s executable files with their own machine instructions, causing their payload to be loaded into memory the next time the user launches the program.

Boot sector viruses. Boot sector viruses install instructions onto the boot sector of a floppy disk or hard disk. These instructions can then load the virus’s payload into memory when the system next starts up.

Macro viruses. Macro viruses take advantage of the macro scripting facilities built into popular productivity applications such as Microsoft Office. In earlier versions of these applications, macros were automatically triggered when the files were loaded into the applications, causing the payload contained within the macro scripts to be executed. More recent versions, such as Microsoft Office XP, require explicit user permission to enable macros, but if the user chooses to enable the macros and the macros contain viruses, the viruses will still be executed and do their damage.

In each case, once the payload is executed, it can have its desired effect. Some viruses simply patch copies of themselves onto other applications or files (or disks, in the case of boot sector viruses). Others alter or delete files, damage the target operating system, or alter a hardware device’s firmware to render it unusable.

Because of the expansion of scripting facilities into e-mail applications such as Microsoft Outlook and Outlook Express, macro viruses have expanded beyond the initial annoyance of a periodic infected Microsoft Word document. Infected e-mail messages can automatically send copies of themselves from the infected user’s computer to the user’s address book contacts, thus propagating across the Internet like wildfire. Viruses that propagate from computer to computer without any form of user intervention are more properly referred to as worms because of their ability to crawl across the network from computer to computer.

Trojan Horses


Unlike a virus, which patches itself onto an innocent program to spread its payload, a Trojan horse is an application that claims to provide a set of features, but instead contains a payload that performs more insidious tasks behind the user’s back, much like the mythical gift to the defenders of Troy that contained warriors who took over the city from within its walls. Trojan horse applications can perform a number of different tasks, from using the target computer to illicitly store files to acting as spyware, software that quietly gathers data about how the target computer is configured, what software is installed, and even what Web sites the target user visits on the Internet. Even worse, many Trojan horse applications install back doors that allow hackers to easily take control of the target computer to use it for such purposes as DDoS attacks (see “Denial of Service Attacks,” page 560).


Active Web Content


Web browsers, like Internet Explorer, include a number of features, such as JavaScript, Java run-time environments, and ActiveX, that allow Web sites to include executable scripts and code to enhance Web-based applications. Unfortunately, many of these features have security vulnerabilities that allow hackers to develop Web sites that can take control of, damage, or install spyware on computers that visit them.

Web sites can also use cookies as spyware. Cookies can be installed by remote Web sites, and then later detected by other Web sites, allowing any Web site to track which sites a user has visited.

Of course, applications downloaded from a Web site can also be a threat because they can be Trojan horse programs or be infected with viruses.

Protecting Windows XP from Security Threats

With all these potential risks to the security and privacy of computer users, it’s clear that a multilayered approach is required to protect the computer and the data stored on it from both local and network threats. The following sections begin by explaining how to protect the computer at its Internet connection, and then work back progressively to explain how to protect the computer itself.

Using a Firewall for Protection from Network-initiated Threats

In “Introducing Firewalls,” page 117, the importance of firewalls was discussed as well as some of the options available via software and hardware to provide firewall protection at the Internet connection.

In these days of almost constant remote scanning for vulnerable Internet hosts, protecting your network with either a software or hardware firewall solution is crucial. Firewalls provide this protection using a number of methods including one or more of those discussed in the following sections.

Port Management

Firewalls commonly use a number of different schemes to manage IP ports. The firewall either works with the local computer accessing the Internet, or in the case of a large network, the firewall might function on a server that sits between the Internet and clients.

In both situations, port management features all focus on the same issue—ports that are open enable hackers to access applications or services over the port and possibly gain entry to the computer. For this reason, firewalls often use an open/close policy with TCP and UDP ports. All ports are closed at all times. When a user requests information from the Internet, the firewall opens the necessary port to receive that information (such as TCP port 80 to receive a Web page). Once the information is received, the port is closed. Because ports do not remain open for long periods of time, a hacker has a difficult time finding an IP port on the computer that he or she can access.

Network Address Translation (NAT)

NAT is often used in firewall solutions, especially in hardware-based residential gateways. NAT translates the local network’s entire range of internal client IP addresses into a single external IP address in a different subnet, which is then used for Internet access. Any attacks launched against the external IP address will simply be ignored by the residential gateway’s network router, which cannot be affected by many types of attacks that can affect computers, and the attacks will not be able to pass through the residential gateway and reach the computers, where they could do damage.

Tables

Some firewalls, known as stateful firewalls, use tables to track outbound data requests against inbound data transmissions that arrive at the firewall. For example, if a user makes a request for the URL www.microsoft.com, the firewall table records the request. When data arrives back from www.microsoft.com at the firewall, the firewall checks its table to see if data was requested from that URL. When an entry is found in the table, the data is allowed in and forwarded to the specific computer or network that initiated the request. On the other hand, any outside data that has not been explicitly requested by an internal computer is not allowed to pass through the firewall.
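An added example, not from the book, that models the open/close port policy from “Port Management” and the request table from this section as one small stateful table in C; it also shows the resource exhaustion mentioned under “Denial of Service Attacks” when entries are never released. The addresses, ports and table size are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 32   /* deliberately small: the table is a finite resource */
#define IP_LEN 16        /* dotted-quad IPv4 text plus terminator */
enum { PROTO_TCP = 6, PROTO_UDP = 17 };

/* One tracked connection: the 5-tuple recorded when an inside host sends
   the first packet of a request. */
struct conn {
    int in_use, proto, local_port, remote_port;
    char local_ip[IP_LEN], remote_ip[IP_LEN];
};
struct state_table { struct conn e[MAX_ENTRIES]; };
struct state_table demo_table;   /* zero-initialised: no connections tracked yet */
static int matches(const struct conn *c, int proto, const char *lip, int lport,
                   const char *rip, int rport)
{
    return c->in_use && c->proto == proto && c->local_port == lport &&
           c->remote_port == rport && !strcmp(c->local_ip, lip) && !strcmp(c->remote_ip, rip);
}

/* Inside host opens a connection: record it so the reply can be recognised.
   Returns 0, or -1 (fail closed) when the table is full. Filling it is the exhaustion
   the text's half-open-connection attack aims at, so real firewalls expire idle entries. */
int fw_outbound(struct state_table *t, int proto, const char *lip, int lport,
                const char *rip, int rport)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        struct conn *c = &t->e[i];
        if (c->in_use) continue;
        c->in_use = 1; c->proto = proto; c->local_port = lport; c->remote_port = rport;
        snprintf(c->local_ip, IP_LEN, "%s", lip);
        snprintf(c->remote_ip, IP_LEN, "%s", rip);
        return 0;
    }
    return -1;
}

/* Packet arriving from the Internet: forward (1) only if it reverses a recorded
   connection; anything unsolicited, e.g. a probe for listening ports, is dropped (0). */
int fw_inbound(const struct state_table *t, int proto, const char *rip, int rport,
               const char *lip, int lport)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (matches(&t->e[i], proto, lip, lport, rip, rport)) return 1;
    return 0;
}

/* Connection finished (FIN/RST seen, or idle timeout): remove the entry so the
   port is closed again. Returns 1 if an entry was removed, 0 if none matched. */
int fw_close(struct state_table *t, int proto, const char *lip, int lport,
             const char *rip, int rport)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (matches(&t->e[i], proto, lip, lport, rip, rport)) {
            t->e[i].in_use = 0;
            return 1;
        }
    return 0;
}

/* Fills a fresh table with connections that never close and returns what the
   next legitimate request gets (-1: refused). */
int table_exhaustion_demo(void)
{
    struct state_table t;
    memset(&t, 0, sizeof t);
    for (int p = 0; p < MAX_ENTRIES; p++)
        fw_outbound(&t, PROTO_TCP, "192.168.0.5", 2000 + p, "198.51.100.7", 80);
    return fw_outbound(&t, PROTO_TCP, "192.168.0.5", 1025, "203.0.113.10", 80);
}

int main(void)
{
    const char *client = "192.168.0.5", *web = "203.0.113.10";   /* constructed */
    printf("unsolicited: %d\n", fw_inbound(&demo_table, PROTO_TCP, web, 80, client, 1025));
    fw_outbound(&demo_table, PROTO_TCP, client, 1025, web, 80);  /* page requested */
    printf("reply: %d\n", fw_inbound(&demo_table, PROTO_TCP, web, 80, client, 1025));
    fw_close(&demo_table, PROTO_TCP, client, 1025, web, 80);     /* page received */
    printf("after close: %d\n", fw_inbound(&demo_table, PROTO_TCP, web, 80, client, 1025));
    printf("table full: %d\n", table_exhaustion_demo());
    return 0;
}
```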

Rules

A number of firewall products use a rules-based approach. Rules can get complicated and confusing, but they are effective. Microsoft ISA Server and a number of third-party software products use rules that administrators create. The rules determine the kinds of TCP/IP traffic that are allowed into the network by defining which Web sites and IP addresses are allowed or not allowed. Rules enable you to create a configuration that works best for your environment and allow you to override default rules settings for particular users. For example, trusted sites can be granted extra access privileges, and troublesome sites (or unknown sites) can be shut out entirely.

Intrusion Detection

Some higher-end software applications, including ISA Server, and some dedicated intrusion-detection hardware devices can detect an attack from the Internet by watching inbound connections for the common signatures of IP-based network attacks. When an attack is detected, the intrusion-detection system can either close the port through which the attack is being initiated, stop all Internet traffic, notify an administrator, or perform
