Safeguarding your Business Assets through Understanding of the Win32 API


Page 1

Safeguarding your Business Assets through Understanding of the Win32 API

Page 2

Introduction

• David J. Goldman
– CSA, Velosecure LLC
– Managing the Windows Security Practice of PricewaterhouseCoopers’ Global Risk Management Solutions
– [email protected]
– 212-596-5682

Page 3

Introduction

• Todd M Feinman
– Candidate for MBA at Harvard Business School, 2002
– CEO, Velosecure LLC
– Manager within PricewaterhouseCoopers’ Global Risk Management Solutions
– [email protected]
– 212-596-7299

Page 4

Objective

• Explain some of the vulnerabilities inherent to the Win32 API

• Talk through some examples of how these could affect real companies

• Discuss how to protect against such security breaches

Page 5

Windows Management

• User – users, groups, account policy…
• Resource – file, directory, service permissions…
• System – services, registry, hotfixes…
• Network – shares, trusts, remote access…
• Auditing – audit policy, event logs, directory auditing…

Page 6

Security Assertions

• Confidentiality – sensitive information will not be read by unauthorized individuals
• Integrity – reliable information will not be modified by unauthorized individuals
• Availability – information will be accessible by authorized individuals in a timely manner

Page 7

A Malicious Plan of Attack

• Can I connect with NULL credentials? Yes: procure any and all information
– Connect to shares, get a username, guess a password, run brute-force attacks…
• Can I connect with Guest or User access? Yes: get service information and registry access, exploit daemons
– Connect to the service control manager, HKLM, FTP or web…

Page 8

Case 1: Enterprise-Wide Employee Directory

• Background:
– Pharmaceuticals company
– 60,000 employees’ information defined within a directory
– Two dozen domains
• Concerns:
– Primary: Availability
– Secondary: Confidentiality and Integrity
• Why:
– Numerous directors and managers require access
– Complex hierarchical corporate authority

Page 9

Primary Assessment

• To ensure that:
– All domain controllers are available for authentication (not using a random sample)
– Users can search the directory for information about each other, including office number and email address
– No one is trying to compromise the availability of the servers
– Printers are accessible by doctors and researchers

Page 10

User Security Methodology

• List all users and their properties
– NetUserEnum, NetUserGetInfo
• List all groups, their properties, and members
– NetGroupEnum, NetGroupGetInfo, NetGroupGetUsers
– NetLocalGroupEnum, NetLocalGroupGetMembers

Page 11

Resource Security Methodology

• List all printers and their properties
• Retrieve the permissions for each printer
– EnumPrinters, GetNamedSecurityInfo

Page 12

System Security Methodology

• Retrieve the network information
– NetWkstaGetInfo, NetWkstaTransportEnum
• Determine its domain membership
– LsaQueryInformationPolicy
• Retrieve OS level and other Windows information
– NetServerGetInfo

Page 13

Network Security Methodology

• Enumerate the trusts between domains
– Trusting: NetUserEnum(FILTER_INTERDOMAIN_TRUST_ACCOUNT), NetUserGetInfo
– Trusted: LsaEnumerateTrustedDomains


Page 15

Auditing Security Methodology

• Event log settings – registry data
– HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security
• Event log data – ReadEventLog
– 529 logon failure (unknown user name or bad password), 539 account locked out, 531 account disabled, 517 audit log cleared, 612 audit policy changed
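An added example, not code from the slides or from Velosecure: reading the Security log through the OpenEventLog/ReadEventLog API this page names and triaging the five event IDs it lists. The EVENTLOGRECORD parsing and the triage run anywhere; the log read itself is Windows-only. The sample records, the CORP domain, the workstation names and the 5-failures-in-300-seconds rule are constructed for the example. (Vista and later renumbered these events: 529, 531 and 539 all became 4625, 517 became 1102 and 612 became 4719.)

```python
# Added example (not from the slides): triage the Security-log event IDs page 15 lists.
import ctypes
import struct
import sys
from ctypes import POINTER, byref, c_int, c_uint32, c_void_p, c_wchar_p

LOGON_FAILURE = 529            # unknown user name or bad password
ACCOUNT_DISABLED = 531         # logon attempt against a disabled account
ACCOUNT_LOCKED_OUT = 539       # logon attempt against a locked-out account
AUDIT_LOG_CLEARED = 517
AUDIT_POLICY_CHANGED = 612
RECORD_FMT = "<IIIIIIHHHHIIIIII"   # EVENTLOGRECORD fixed part: h[0]=Length h[3]=TimeGenerated h[5]=EventID
HEADER = struct.calcsize(RECORD_FMT)                                  # h[7]=NumStrings h[11]=StringOffset

def triage(records, threshold=5, window=300):
    """records: iterable of (event_number, time_generated, insertion_strings), any order.
    Returns brute-force sources, accounts probed while locked out or disabled, and tamper events."""
    findings = {"brute_force": {}, "locked_out": set(), "disabled": set(), "tampering": []}
    failures = {}
    for num, t, strings in sorted(records, key=lambda r: r[1]):
        user = strings[0] if strings else "?"
        if num == LOGON_FAILURE:
            ws = strings[5] if len(strings) > 5 else "?"      # string 6 of a 529 is the workstation name
            failures.setdefault(ws, []).append(t)
        elif num == ACCOUNT_LOCKED_OUT:
            findings["locked_out"].add(user)
        elif num == ACCOUNT_DISABLED:
            findings["disabled"].add(user)
        elif num in (AUDIT_LOG_CLEARED, AUDIT_POLICY_CHANGED):
            findings["tampering"].append((num, t))
    for ws, times in failures.items():      # sliding window over the time-sorted failures per workstation
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings["brute_force"][ws] = max(findings["brute_force"].get(ws, 0), end - start + 1)
    return findings

def parse_records(raw):
    """Split a ReadEventLog buffer into (event_number, time_generated, strings) tuples."""
    out, off = [], 0
    while off + HEADER <= len(raw):
        h = struct.unpack_from(RECORD_FMT, raw, off)
        length, t, event_id, nstr, soff = h[0], h[3], h[5], h[7], h[11]
        if length < HEADER: break
        strings, pos = [], off + soff
        for _ in range(nstr):                   # NumStrings NUL-terminated UTF-16LE strings at StringOffset
            end = pos
            while end + 1 < len(raw) and raw[end:end + 2] != b"\x00\x00":
                end += 2
            strings.append(raw[pos:end].decode("utf-16-le", "replace"))
            pos = end + 2
        out.append((event_id & 0xFFFF, t, strings))     # the low word is the number the slide quotes
        off += length
    return out

def build_record(num, t, strings):
    """Constructed EVENTLOGRECORD bytes, used only to exercise parse_records offline."""
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    length = HEADER + len(body) + 4                # fixed part, strings, trailing copy of Length
    length += (-length) % 4                        # records are DWORD aligned
    hdr = struct.pack(RECORD_FMT, length, 0x654C664C, 1, t, t, num, 16, len(strings), 0, 0, 0, HEADER, 0, 0, 0, 0)
    rec = hdr + body
    return rec + b"\x00" * (length - 4 - len(rec)) + struct.pack("<I", length)

def read_security_log(server=None, max_records=5000):
    """Newest-first read of the Security log (Windows only; needs the 'Manage auditing and security log' right)."""
    if sys.platform != "win32":
        raise RuntimeError("ReadEventLogW is a Win32 call; run this on Windows")
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    adv.OpenEventLogW.argtypes, adv.OpenEventLogW.restype = [c_wchar_p, c_wchar_p], c_void_p
    adv.ReadEventLogW.argtypes = [c_void_p, c_uint32, c_uint32, c_void_p, c_uint32, POINTER(c_uint32), POINTER(c_uint32)]
    adv.ReadEventLogW.restype = c_int
    adv.CloseEventLog.argtypes = [c_void_p]
    h = adv.OpenEventLogW(server, "Security")
    if not h: raise ctypes.WinError(ctypes.get_last_error())
    buf, got, need = ctypes.create_string_buffer(0x10000), c_uint32(), c_uint32()
    records = []
    try:    # EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ; FALSE (ERROR_HANDLE_EOF) past the oldest record
        while len(records) < max_records and adv.ReadEventLogW(h, 1 | 8, 0, buf, len(buf), byref(got), byref(need)):
            records.extend(parse_records(buf.raw[:got.value]))
    finally:
        adv.CloseEventLog(h)
    return records

# Constructed sample: a guessing run from WKS-042 that ends in a lockout, a probe of a disabled
# service account, one ordinary typo from JDOE-PC, then the log is cleared and the audit policy changed.
SAMPLE = b"".join(
    [build_record(529, 1000 + 10 * i, ["administrator", "CORP", "3", "NtLmSsp", "NTLM", "WKS-042"]) for i in range(6)]
    + [build_record(539, 1070, ["administrator", "CORP", "3", "NtLmSsp", "NTLM", "WKS-042"]),
       build_record(531, 1500, ["svc_backup", "CORP", "3", "NtLmSsp", "NTLM", "WKS-042"]),
       build_record(529, 5000, ["jdoe", "CORP", "2", "User32", "Negotiate", "JDOE-PC"]),
       build_record(517, 1600, []), build_record(612, 1700, [])])
```

On a Windows host, `triage(read_security_log())` does the live run (`read_security_log(r"\\PDC01")` for a remote log, host name assumed); offline, `triage(parse_records(SAMPLE))` reports WKS-042 as a brute-force source, the lockout and disabled-account probes, and the two tamper events. The sliding window is what separates a guessing run from a user mistyping a password a couple of times.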

Page 16

Null Credentials

• NetUserEnum
• NetUserGetInfo
• NetGroupEnum
• NetGroupGetInfo
• NetGroupGetUsers
• NetLocalGroupEnum
• NetLocalGroupGetMembers
• NetWkstaGetInfo (not in NT4)
• NetWkstaTransportEnum
• NetServerGetInfo
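The plan on page 7 opens with the question "can I connect with NULL credentials?", and page 16 lists the calls that answer it. The probe below, an added example that is not code from the slides or from Velosecure, maps IPC$ with an empty user name and password and then tries each enumeration call, reporting which ones the host answers anonymously. It assumes a Windows client (netapi32.dll and mpr.dll) and a reachable target; the default host name \\FILESRV01 and the verdict wording are this example's own.

```python
# Added example (not from the slides): which page-16 calls does a host answer anonymously?
import ctypes
import sys
from ctypes import POINTER, byref, c_uint32, c_void_p, c_wchar_p

NERR_SUCCESS = 0
ERROR_ACCESS_DENIED = 5                   # host refuses anonymous use of this interface
ERROR_BAD_NETPATH = 53
ERROR_SESSION_CREDENTIAL_CONFLICT = 1219  # a session to the host already exists; reuse it
RPC_S_SERVER_UNAVAILABLE = 1722
MAX_PREFERRED_LENGTH = 0xFFFFFFFF
FILTER_NORMAL_ACCOUNT = 0x0002

def verdict(status):
    """Turn the NET_API_STATUS of an anonymous call into a one-word verdict."""
    if status == NERR_SUCCESS:
        return "ALLOWED"
    if status == ERROR_ACCESS_DENIED:
        return "denied"
    if status in (ERROR_BAD_NETPATH, RPC_S_SERVER_UNAVAILABLE):
        return "unreachable"
    return "error %d" % status

def anonymously_readable(results):
    """Names of the APIs that answered the null session, in probe order."""
    return [api for api, status in results.items() if status == NERR_SUCCESS]

class NETRESOURCE(ctypes.Structure):
    _fields_ = [("dwScope", c_uint32), ("dwType", c_uint32), ("dwDisplayType", c_uint32),
                ("dwUsage", c_uint32), ("lpLocalName", c_wchar_p), ("lpRemoteName", c_wchar_p),
                ("lpComment", c_wchar_p), ("lpProvider", c_wchar_p)]

def null_session(server):
    """Map \\\\server\\IPC$ with an empty user name and password: the null session of page 7."""
    mpr = ctypes.WinDLL("mpr")
    mpr.WNetAddConnection2W.argtypes = [POINTER(NETRESOURCE), c_wchar_p, c_wchar_p, c_uint32]
    res = NETRESOURCE(dwType=0, lpRemoteName=server + "\\IPC$")      # RESOURCETYPE_ANY
    status = mpr.WNetAddConnection2W(byref(res), "", "", 0)
    if status not in (NERR_SUCCESS, ERROR_SESSION_CREDENTIAL_CONFLICT):
        raise OSError(status, "WNetAddConnection2W to %s failed" % res.lpRemoteName)
    return status

def probe(server):
    """Call each page-16 API through the null session; return {api: NET_API_STATUS}."""
    if sys.platform != "win32":
        raise RuntimeError("netapi32 and mpr are Win32 DLLs; run this on Windows")
    null_session(server)
    net = ctypes.WinDLL("netapi32")
    net.NetApiBufferFree.argtypes = [c_void_p]
    S, D, PB, PD = c_wchar_p, c_uint32, POINTER(c_void_p), POINTER(c_uint32)
    buf, read, total = c_void_p(), c_uint32(), c_uint32()
    enum_sig = [S, D, PB, D, PD, PD, PD]          # NetGroupEnum/NetShareEnum-style signature
    enum_args = (server, 0, byref(buf), MAX_PREFERRED_LENGTH, byref(read), byref(total), None)
    calls = [
        ("NetUserEnum", [S, D, D, PB, D, PD, PD, PD],
         (server, 0, FILTER_NORMAL_ACCOUNT, byref(buf), MAX_PREFERRED_LENGTH, byref(read), byref(total), None)),
        ("NetGroupEnum", enum_sig, enum_args),
        ("NetLocalGroupEnum", enum_sig, enum_args),
        ("NetShareEnum", enum_sig, (server, 1) + enum_args[2:]),            # page 24's call, level 1
        ("NetWkstaTransportEnum", enum_sig, enum_args),
        ("NetWkstaGetInfo", [S, D, PB], (server, 100, byref(buf))),         # the one page 16 marks "not in NT4"
        ("NetServerGetInfo", [S, D, PB], (server, 101, byref(buf))),
        ("NetUserModalsGet", [S, D, PB], (server, 0, byref(buf))),          # page 32's call
    ]
    results = {}
    for name, argtypes, args in calls:
        fn = getattr(net, name)
        fn.argtypes, fn.restype = argtypes, c_uint32
        buf.value, read.value = None, 0
        results[name] = fn(*args)
        if results[name] == NERR_SUCCESS and buf.value:
            net.NetApiBufferFree(buf)                 # every success hands back a buffer we must free
    return results

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"\\FILESRV01"      # assumed host name
    results = probe(target)
    for api, status in results.items():
        print("%-22s %s" % (api, verdict(status)))
    print("answered anonymously:", anonymously_readable(results))
```

Run it as `python nullprobe.py \\HOST`. A host that restricts anonymous access answers most of these with ERROR_ACCESS_DENIED, which the verdict column shows as "denied"; every "ALLOWED" line is a call an attacker can make before holding a single credential, which is exactly the information page 7's plan starts from.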

Page 17

Case 2: Data Warehouse Security

• Background:
– Yellow Page publishing company
– 100,000 customers’ account information and data
– Over 100 file servers nationally
• Concerns:
– Primary: Confidentiality
– Secondary: Integrity and Availability
• Why:
– Customers’ advertisements are competitive advantage
– Need for authorized direct modification of data 24x7

Page 18

Primary Assessment

• To ensure that:
– File server directory access controls are appropriate (using a random sample)
– Agents can update only their authorized companies’ data and only authorized projects within such companies
– Unauthorized reading of other companies’ information is prohibited
– Raw data files are not accessible by anyone but programs

Page 19

User Security Methodology

• Enumerate each individual’s user rights and access privileges
– LsaEnumerateAccountsWithUserRight

Page 20

Resource Security Methodology

• Retrieve the permissions for directories
• Retrieve the permissions for file executables that run as a service (LocalSystem)
• Retrieve the permissions for services
– GetNamedSecurityInfo, GetAce, LookupAccountSid

Page 21

System Security Methodology

• Enumerate scheduled jobs (backups)
– NetScheduleJobEnum

Page 22

Network Security Methodology

• Retrieve list of shares
– NetShareEnum
• Check permissions on shares
• Check permissions on directories that are shared
– GetNamedSecurityInfo, GetAce, LookupAccountSid

Page 23

Auditing Security Methodology

• Retrieve directory auditing lists (SACLs)
– GetNamedSecurityInfo, GetAce, LookupAccountSid
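Pages 20, 22 and 23 all come down to the same three calls: GetNamedSecurityInfo to fetch a DACL or SACL, GetAce to walk it, LookupAccountSid to name each principal. The script below is an added example, not code from the slides or from Velosecure; it performs that walk on a file or directory (so it applies equally to a shared directory or to a service executable) and then flags ACEs that grant write or control rights to broad groups, and whether the SACL audits write access at all. The "broad principal" list, the sample ACLs and the example paths are this example's assumptions; the Windows part needs advapi32 and, for SACLs, SeSecurityPrivilege.

```python
# Added example (not from the slides): walk a DACL/SACL and flag what a reviewer cares about.
import ctypes
import sys
from ctypes import POINTER, byref, c_uint8, c_uint16, c_uint32, c_void_p, c_wchar_p

SE_FILE_OBJECT = 1
DACL_SECURITY_INFORMATION, SACL_SECURITY_INFORMATION = 0x4, 0x8
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE = 0, 1, 2
SUCCESSFUL_ACCESS_ACE_FLAG, FAILED_ACCESS_ACE_FLAG = 0x40, 0x80
GENERIC_ALL = 0x10000000
# Access-mask bits that let the holder change content, permissions or ownership.
WRITE_BITS = {0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA", 0x10000: "DELETE", 0x40000: "WRITE_DAC",
              0x80000: "WRITE_OWNER", 0x40000000: "GENERIC_WRITE", GENERIC_ALL: "GENERIC_ALL"}
# Principals that should never hold write rights on customer data or service binaries (this example's list).
BROAD = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\ANONYMOUS LOGON"}

def write_rights(mask):
    return [name for bit, name in WRITE_BITS.items() if mask & bit]

def risky_aces(aces, broad=BROAD):
    """Allowed ACEs that give a broad principal a write/control right.
    aces: list of (ace_type, ace_flags, access_mask, principal) as read_aces returns."""
    return [(p, write_rights(m)) for t, _, m, p in aces
            if t == ACCESS_ALLOWED_ACE_TYPE and p in broad and write_rights(m)]

def write_audit_coverage(sacl):
    """(success_audited, failure_audited): does any audit ACE cover write-class access?"""
    audits = [(f, m) for t, f, m, _ in sacl if t == SYSTEM_AUDIT_ACE_TYPE and write_rights(m)]
    return (any(f & SUCCESSFUL_ACCESS_ACE_FLAG for f, _ in audits),
            any(f & FAILED_ACCESS_ACE_FLAG for f, _ in audits))

def _principal(adv, sid):
    """LookupAccountSidW -> "DOMAIN\\name" (or a marker for a SID that no longer resolves)."""
    name, dom = ctypes.create_unicode_buffer(256), ctypes.create_unicode_buffer(256)
    cn, cd, use = c_uint32(256), c_uint32(256), c_uint32()
    if not adv.LookupAccountSidW(None, sid, name, byref(cn), dom, byref(cd), byref(use)):
        return "<unresolved SID>"
    return "%s\\%s" % (dom.value, name.value) if dom.value else name.value

def read_aces(path, sacl=False):
    """GetNamedSecurityInfoW + GetAce + LookupAccountSidW over one file or directory.
    Windows only; the SACL read needs SeSecurityPrivilege (run elevated)."""
    if sys.platform != "win32":
        raise RuntimeError("advapi32 is a Win32 DLL; run this on Windows")
    adv, k32 = ctypes.WinDLL("advapi32", use_last_error=True), ctypes.WinDLL("kernel32")
    PV = POINTER(c_void_p)
    adv.GetNamedSecurityInfoW.argtypes = [c_wchar_p, c_uint32, c_uint32, PV, PV, PV, PV, PV]
    adv.GetNamedSecurityInfoW.restype = c_uint32
    adv.GetAce.argtypes = [c_void_p, c_uint32, PV]
    adv.LookupAccountSidW.argtypes = [c_wchar_p, c_void_p, c_void_p, POINTER(c_uint32),
                                      c_void_p, POINTER(c_uint32), POINTER(c_uint32)]
    k32.LocalFree.argtypes = [c_void_p]
    acl, sd = c_void_p(), c_void_p()
    status = adv.GetNamedSecurityInfoW(path, SE_FILE_OBJECT,
                                       SACL_SECURITY_INFORMATION if sacl else DACL_SECURITY_INFORMATION,
                                       None, None, None if sacl else byref(acl), byref(acl) if sacl else None, byref(sd))
    if status:
        raise OSError(status, "GetNamedSecurityInfoW(%s) failed" % path)
    try:
        if not acl.value:   # a NULL DACL means no protection at all; a missing SACL just means no auditing
            return [] if sacl else [(ACCESS_ALLOWED_ACE_TYPE, 0, GENERIC_ALL, "Everyone")]
        aces = []
        for i in range(ctypes.cast(acl, POINTER(c_uint16))[2]):       # ACL.AceCount is the WORD at byte 4
            ace = c_void_p()
            if not adv.GetAce(acl, i, byref(ace)):
                raise ctypes.WinError(ctypes.get_last_error())
            hdr = ctypes.cast(ace, POINTER(c_uint8))                    # ACE_HEADER: AceType@0, AceFlags@1
            mask = ctypes.cast(ace, POINTER(c_uint32))[1]                # Mask@4, SidStart@8 (basic ACE types)
            aces.append((hdr[0], hdr[1], mask, _principal(adv, ace.value + 8)))
        return aces
    finally:
        k32.LocalFree(sd)    # the descriptor and the ACL it points into are one allocation

# Constructed sample ACLs in the shape read_aces returns: a "Modify" grant to Everyone on a directory
# (0x1301BF), Read & Execute for Users (0x1200A9), and a SACL that audits only failed writes.
SAMPLE_DACL = [(0, 0, 0x1F01FF, "BUILTIN\\Administrators"), (0, 0, 0x1F01FF, "NT AUTHORITY\\SYSTEM"),
               (0, 0, 0x1200A9, "BUILTIN\\Users"), (0, 0, 0x1301BF, "Everyone")]
SAMPLE_SACL = [(2, FAILED_ACCESS_ACE_FLAG, 0x1F01FF, "Everyone")]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None       # e.g. D:\Shares\Ads or a service .exe (assumed)
    dacl = read_aces(target) if target else SAMPLE_DACL
    sacl = read_aces(target, sacl=True) if target else SAMPLE_SACL
    print("risky:", risky_aces(dacl), "write audited (success, failure):", write_audit_coverage(sacl))
```

On the constructed sample the Everyone "Modify" entry is reported with FILE_WRITE_DATA, FILE_APPEND_DATA and DELETE, while the Users read-and-execute entry is not; the SACL is reported as auditing failed writes only. Pointing the script at a service's executable answers page 20's question directly: any broad principal listed there can replace the binary that LocalSystem will run.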

Page 24

Null Credentials

• NetShareEnum

Page 25

Case 3: Securities Trading

• Background:
– Company trading securities on the Internet
– Multiple vendor network segments + Internet customers
– Entry points on dozens of servers
• Concerns:
– Primary: Integrity
– Secondary: Confidentiality and Availability
• Why:
– Transactions must be accurate, timely, and complete
– Non-repudiation

Page 26

Primary Assessment

• To ensure that:
– No one can modify the data on machines used for trading securities
– Services cannot be exploited to compromise the domain or local machine
– A brute-force attack will not succeed or go undetected

Page 27

User Security Methodology

• Identify the parameters used for the password restrictions and account lockout
– NetUserModalsGet
• Grab the password hashes and perform a strength assessment
– samdump
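NetUserModalsGet returns the password and lockout parameters this page refers to, and page 32 notes that it also answers a null session. The script below, an added example rather than the slides' or Velosecure's own code, reads levels 0 and 3 of that call and grades the result. The baseline thresholds are this example's assumption, not a PwC or Microsoft standard, and the sample values are constructed to resemble an unhardened NT-era domain (no minimum length, no history, no lockout).

```python
# Added example (not from the slides): grade NetUserModalsGet output against a baseline.
import ctypes
import sys
from ctypes import POINTER, byref, c_uint32, c_void_p, c_wchar_p

TIMEQ_FOREVER = 0xFFFFFFFF      # "never" in usrmod0_max_passwd_age, force_logoff and lockout_duration
# Baseline thresholds are this example's assumption, not a standard taken from the slides.
BASELINE = {"min_passwd_len": 8, "max_passwd_age": 90 * 86400, "min_passwd_age": 86400,
            "password_hist_len": 6, "lockout_threshold": 10, "lockout_duration": 15 * 60}

class USER_MODALS_INFO_0(ctypes.Structure):       # level 0: password rules (ages in seconds)
    _fields_ = [("min_passwd_len", c_uint32), ("max_passwd_age", c_uint32), ("min_passwd_age", c_uint32),
                ("force_logoff", c_uint32), ("password_hist_len", c_uint32)]

class USER_MODALS_INFO_3(ctypes.Structure):       # level 3: lockout rules (durations in seconds)
    _fields_ = [("lockout_duration", c_uint32), ("lockout_observation_window", c_uint32),
                ("lockout_threshold", c_uint32)]

def get_modals(server):
    """NetUserModalsGet levels 0 and 3 merged into one dict (Windows only).
    Answers a null session where the host allows it, as page 32 notes."""
    if sys.platform != "win32":
        raise RuntimeError("NetUserModalsGet lives in netapi32.dll; run this on Windows")
    net = ctypes.WinDLL("netapi32")
    net.NetUserModalsGet.argtypes = [c_wchar_p, c_uint32, POINTER(c_void_p)]
    net.NetUserModalsGet.restype = c_uint32
    net.NetApiBufferFree.argtypes = [c_void_p]
    out = {}
    for level, kind in ((0, USER_MODALS_INFO_0), (3, USER_MODALS_INFO_3)):
        buf = c_void_p()
        status = net.NetUserModalsGet(server, level, byref(buf))
        if status:
            raise OSError(status, "NetUserModalsGet level %d failed" % level)
        info = ctypes.cast(buf, POINTER(kind)).contents
        out.update((name, getattr(info, name)) for name, _ in kind._fields_)
        net.NetApiBufferFree(buf)
    return out

def assess(m, baseline=BASELINE):
    """(code, message) findings for every setting weaker than the baseline."""
    f = []
    if m["min_passwd_len"] < baseline["min_passwd_len"]:
        f.append(("min_passwd_len", "minimum password length %d (baseline %d)" % (m["min_passwd_len"], baseline["min_passwd_len"])))
    if m["max_passwd_age"] == TIMEQ_FOREVER:
        f.append(("max_passwd_age", "passwords never expire"))
    elif m["max_passwd_age"] > baseline["max_passwd_age"]:
        f.append(("max_passwd_age", "maximum password age %d days" % (m["max_passwd_age"] // 86400)))
    if m["min_passwd_age"] < baseline["min_passwd_age"]:
        f.append(("min_passwd_age", "no minimum password age: users can cycle straight back to an old password"))
    if m["password_hist_len"] < baseline["password_hist_len"]:
        f.append(("password_hist_len", "password history %d (baseline %d)" % (m["password_hist_len"], baseline["password_hist_len"])))
    if m["lockout_threshold"] == 0:
        f.append(("lockout_threshold", "no account lockout: online guessing is unlimited"))
    else:
        if m["lockout_threshold"] > baseline["lockout_threshold"]:
            f.append(("lockout_threshold", "lockout only after %d bad attempts" % m["lockout_threshold"]))
        if m["lockout_duration"] != TIMEQ_FOREVER and m["lockout_duration"] < baseline["lockout_duration"]:
            f.append(("lockout_duration", "lockout clears after %d seconds" % m["lockout_duration"]))
    return f

# Constructed sample resembling an unhardened NT-era domain.
SAMPLE = {"min_passwd_len": 0, "max_passwd_age": 42 * 86400, "min_passwd_age": 0,
          "force_logoff": TIMEQ_FOREVER, "password_hist_len": 0,
          "lockout_duration": 30 * 60, "lockout_observation_window": 30 * 60, "lockout_threshold": 0}

if __name__ == "__main__":
    modals = get_modals(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE    # e.g. \\PDC01 (host name assumed)
    for code, msg in assess(modals):
        print("%-18s %s" % (code, msg))
```

Run as `python modals.py \\PDC01` against a domain controller (name assumed); without an argument it grades the constructed sample, which produces four findings. The lockout finding is the one that matters most for page 26's "brute-force attack will not succeed or go undetected": with a threshold of zero the guessing can run until it works, and the page-15 lockout event (539) never fires.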

Page 28

Resource Security Methodology

• Retrieve the information for each drive and ensure NTFS is in use
– GetVolumeInformation (abbreviated GetVolInfo on the slide)

Page 29

System Security Methodology

• Enumerate registry values and permissions
– RegConnectRegistry, RegOpenKeyEx, RegQueryInfoKey, RegEnumKey, RegEnumValue
– RegGetKeySecurity, GetSecurityDescriptorDacl
• Enumerate services and device drivers
– EnumServicesStatus, QueryServiceStatus, QueryServiceConfig

Page 30

Network Security Methodology

• Check if the built-in Administrator account can be locked out remotely
– LsaOpenPolicy, LsaQueryInformationPolicy
– SamConnect, SamOpenDomain, SamQueryInformationDomain
• Assess dial-in settings
– RasAdminPortEnum, RasAdminPortGetInfo

Page 31

Auditing Security Methodology

• Retrieve audit policy information
– LsaOpenPolicy (written OpenPolicy on the slide), LsaQueryInformationPolicy

Page 32

Null Credentials

• NetUserModalsGet