Practical Windows Security - Essay Example

Summary
The essay reveals the definition of security vulnerability and tells that it can be regarded as the preliminary filter that is applicable to various issues. In order to protect the system from security threats, there are certain recommended practices in the Practical Windows Security that need to be followed…


Contents
Introduction to Windows security and vulnerabilities
The use of remote procedure call
CVE-2003-0352
Mitigating Factors
Security solutions
Conclusion
Reference List

Introduction to Windows security and vulnerabilities

A Windows system is prone to security threats once it is used as an internet server. The typical installation of Windows NT/2000, together with other vulnerabilities, makes it an easy target for attackers, and computer networks are damaged on a regular basis as a result. Although network security has improved and strengthened over time, attackers have advanced in step with the new security solutions. The main types of attacks include Denial of Service, Trojan Horse, viruses, worms and Logic Bombs. The first virus that operated on Windows 2000 was detected on 13th January 2000 (Wong 2000). It is known as the Win2000.Install or W2K.Installer virus. Although the virus could not do much damage to the new Windows, it gave attackers the idea of identifying vulnerabilities in Windows and invading systems with improved attacks in the future.

A definition of security vulnerability can be regarded as the preliminary filter that is applicable to various issues. A security vulnerability can be considered as "a flaw in a product that makes it infeasible – even when using the product properly – to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust" (Microsoft 2011). Microsoft publishes security bulletins when a specific security issue fulfills the criteria of this standard definition. However, it does not follow that no action is taken by Microsoft otherwise. For instance, if Microsoft finds a bug that does not constitute a security vulnerability, the security team nevertheless gives it importance and tries to address it.
In this case the Microsoft team does not come up with a patch or publish a security bulletin; rather, the team includes the solution in the product that it is going to release in the future. On the other hand, if a certain issue does meet the criteria of the security vulnerability definition, the security team first tries to establish whether the issue has breached the security policy of the product. When a product is made there is an assortment of instructions that are devised to inform the customer about how the product is to be used, as well as the promises it delivers regarding the security it provides.

What is CVE?

Common Vulnerabilities and Exposures (CVE) brings together a list of common security vulnerabilities and exposures which are publicly accessible. CVE's common identifiers play a role in the exchange of data between security products and provide a baseline index point for analyzing the coverage of various products such as tools and services (CVE 2011). When Microsoft comes out with a patch for a security problem, it aims to fix whatever security vulnerability the problem has exposed. The purpose of the new patches is to protect the customer from security threats. For example, MS03-026 was released on July 16, 2003 to correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. After Microsoft had introduced this bulletin, Microsoft was informed that there were yet more ports available that could be abused for the purpose of this vulnerability. Later on, Microsoft added information regarding these extra ports to the security bulletin; in particular, this was integrated into the Mitigating Factors and the Workaround sections of the bulletin. Later additions were also made, such as MS03-039, with an updated scanning tool which provided further advancements over the patches given in the older version as well as the original scanning tool.
The use of remote procedure call

The Windows operating system makes use of a certain protocol which is referred to as the Remote Procedure Call (RPC). RPC is a protocol that can be used for accessing a program that is present on a remote computer (Reuvid 2004). The advantage of RPC is that it helps to locate the program without the need to understand the underlying network technologies. A low-level transport protocol is required for the operation of RPC and serves to carry the message data between computing programs (Javvin 2011). The RPC protocol originates from the Open Software Foundation (OSF) RPC protocol; however, it differs from its OSF originator because it contains certain extensions provided by Microsoft. The root of the problem lies in the fact that the RPC has a vulnerability that surfaces in the exchange over TCP/IP (Kirda, Jha & Balzarotti 2009). When messages are not communicated in the way required, there is a breakdown of the TCP/IP connection. The lack of effective exchange of messages is due to their erroneous management and use. The characteristic of this vulnerability is that it has an impact on the Distributed Component Object Model (DCOM) interface connection with RPC. The role of DCOM is attributed to the recognition and picking up of RPC-enabled ports. DCOM acts as a protocol that allows various software components to communicate through a direct link with each other. It should be noted that it is the DCOM Activation infrastructure that suffers when the vulnerability is exploited. Elaborating on the role of this interface between RPC and DCOM, the interface plays a crucial role in managing the DCOM object activation requests which servers receive from client machines (Microsoft 2003). MS03-026 is a buffer overrun vulnerability. A buffer overrun attack is commonly used by hackers.
Such attacks are regarded as exploiting poor coding practices in C and C++ code coupled with poor management of string functions. The cause of the vulnerability is as follows: there is no defined input length for pStr and the string copy is not protected or safe. The property of a buffer overrun comes into play at this point. This manifests itself when the string pStr is more than 10 characters; at this point the "buffer (pBuff) starts to bleed into nCount and the method foo. The buffer overrun property exploited would allow for the execution of foo by manipulation of the application input" (Microsoft 2003).

If an attacker finds out about this vulnerability he can use it to his advantage. On the system that he has compromised, the attacker gains the right to run code with Local System privileges (Schnoll 2004). An attacker can gain complete control over a remote computer once he exploits this vulnerability, with the power to take any action on the server that he wants. Such actions include a range of functions that are normally the individual and confidential privileges of the user. For example, if an attacker gains entry into the affected system, he can install programs, modify or delete data, and create new accounts with complete privileges (Microsoft 2003). Moreover, he can edit web pages, reformat hard disks or add new users to the local administrators group. The characteristic of this vulnerability is that the attacker can execute code of his choice. The malformed message sent by the attacker causes the target system to break down, which allows for the execution of the arbitrary code (Microsoft 2003). The vulnerability is able to surface because, under certain conditions, the Windows RPCSS service fails to properly check some message inputs (Symantec 2003).
This provides a loophole for the attacker to exploit. The attacker is able to create a connection in this way, and the malformed message that he sends disturbs the core Distributed Component Object Model (DCOM) process on the remote system; this disturbance causes DCOM to collapse in such a fashion that arbitrary code can be executed. Besides sending a malformed message, there is another way through which the attacker can exploit this vulnerability. The affected component can also be reached by other routes, such as logging onto the system interactively, or by using another application which passes parameters to the vulnerable component, whether locally or remotely. The vulnerability can be used by any attacker who is able to deliver a malformed message to the RPCSS Service of a vulnerable system. The RPCSS Service is present on every Windows system, hence there is scope for exploitation if a connection can be formed. In this regard, Microsoft came up with a patch. The principle of the patch is to provide a solution for the vulnerability by changing DCOM in such a way that it becomes more apt at checking and validating the information that is passed to it (Microsoft 2003).

CVE-2003-0352

In CVE-2003-0352, a buffer overflow can occur in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 (Computing Facilities 2003). The vulnerability was exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms (Security Space 2011). The severity of the vulnerability is regarded as medium (Manzuik, Pfeil, Gold & Gatford 2006). The impact of the exploited vulnerability was given as a CVSS severity (version 2.0 incomplete approximation). The exploitability subscore is equal to 10.0. In such buffer errors, the program tries to load more data than the buffer can contain (National Vulnerability Database 2008).
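The copy defect described in the RPC section (an unbounded copy of pStr into a 10-character pBuff that bleeds into nCount and foo) and the buffer error just described can be laid out in a few lines of C. This is an added illustration, not code from the essay or from Microsoft's bulletin; the struct layout, the names pBuff, nCount and foo (taken from the page's description) and the helpers copy_checked and fields_intact are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout mirroring the page's description: a 10-character
 * buffer (pBuff) immediately followed by a counter (nCount) and a pointer
 * to a method (foo). The names come from the essay; the layout is assumed. */
#define BUFF_SIZE 10

typedef void (*method_fn)(void);

static void foo(void) {
    puts("foo called");   /* stands in for the method the page says becomes reachable */
}

struct request {
    char pBuff[BUFF_SIZE];
    int nCount;
    method_fn foo_ptr;
};

/* The defective pattern: pStr has no defined length and the copy is
 * unbounded, so input longer than 9 characters plus the terminator runs
 * past pBuff into nCount and foo_ptr. Shown for contrast only; it is
 * never called in this program. */
void copy_unchecked(struct request *r, const char *pStr) {
    strcpy(r->pBuff, pStr);
}

/* Hardened form: measure the input first and refuse anything that does
 * not fit, leaving the request untouched when the input is rejected. */
bool copy_checked(struct request *r, const char *pStr) {
    size_t len = strlen(pStr);
    if (len >= BUFF_SIZE)          /* room is needed for the NUL terminator */
        return false;
    memcpy(r->pBuff, pStr, len + 1);
    return true;
}

/* Consistency check a defender can run after any copy: the fields that
 * follow the buffer must still hold the values set before the copy. */
bool fields_intact(const struct request *r, int expected_count) {
    return r->nCount == expected_count && r->foo_ptr == foo;
}

int main(void) {
    struct request r = { "", 7, foo };
    /* constructed sample inputs: 5, 9 and 10 characters */
    const char *inputs[] = { "short", "123456789", "1234567890" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        bool ok = copy_checked(&r, inputs[i]);
        printf("%-12s -> %s, fields intact: %s\n", inputs[i],
               ok ? "accepted" : "rejected", fields_intact(&r, 7) ? "yes" : "no");
    }
    return 0;
}
```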
The W32.Blaster.Worm was known by a number of names, as mentioned above, such as MSblast. The Blaster worm was not identified by Microsoft for a long period of time because it was almost forgotten to be included in the protocol. The vulnerability was considered ever-present in computing systems all over the world: the MSRPC Endpoint Mapper (Scambray & McClure 2007). It was announced by Microsoft that MS03-026 would be an effective patch that would prevent the virus from infecting systems. The Blaster worm was identified as capable of scanning a range of IP addresses for vulnerable points. These vulnerable points included TCP port 135. The actual vulnerability lay in the DCOM interface present within the RPC process (Scambray & McClure 2007). The worm tries to exploit the DCOM RPC vulnerability which was patched by MS03-026 (Seacord 2006). The worm sends exploit code to the system, as discussed above. The exploit code then downloads and executes a file by the name of MSBLAST.EXE from the remote system through TFTP (Trivial File Transfer Protocol) (Schultz 2003). After the worm has run, it is able to create a registry key. One of the main symptoms of the infection is that the system reboots after a few minutes although there has been no input from the user (Tech Republic 2011). After Microsoft published the report regarding the vulnerability, a number of security research groups started working on the concept. Many of them were able to release "proof-of-concept code" using the buffer overflow (Scambray & McClure 2007). In the process, an automated worm was released which was able to infect more than 400,000 systems that were not patched. The worm was referred to as the LOVESAN worm. The worm launched a distributed denial of service (DDoS) attack against the windowsupdate.com domain.
However, by chance, Microsoft was able to counter the issue by merely removing the DNS records for the domain (Scambray & McClure 2007).

Mitigating Factors

In order to exploit the aforementioned vulnerability, there are certain prerequisites that the attacker has to meet. Firstly, the attacker must have access or the capability to send a specially crafted request to ports 135, 139, 445 or 593 (Schperberg 2005); however, the targeted port can be any specifically configured RPC port under the control of the remote machine. In an intranet environment, the ports can readily be accessed. In contrast, the ports on machines that are connected via the Internet are normally not easy to access. This difficulty can be attributed to the presence of a firewall that does not let the attacker reach these ports. It should be noted that where systems are not connected via the Internet, or where access to the ports is not denied, as in an intranet connection, there are no supplementary privileges which the attacker is required to possess (Microsoft 2003).

Security solutions

In order to protect the system from security threats there are certain recommended practices that need to be followed. These recommended practices encompass denying access to all TCP/IP ports which are not in regular use. Moreover, most of the firewalls that are installed, such as the Windows Internet Connection Firewall (ICF), block these ports from being accessed by attackers by default. For this reason Microsoft (2003) has proposed that most systems connected to the Internet should focus on blocking RPC over TCP or UDP. A filter such as DCOM.IPSEC can be used to block the affected ports (Tech Support Guy 2003). RPC should not be deployed over TCP or UDP, particularly when the environment is not favorable, such as over the Internet.
Instead, more advanced and stronger protocols such as HTTP are used to carry RPC in such environments (Microsoft 2003). Besides the solutions mentioned above, there are two other ways that the system user can use to protect against attackers. One of these solutions encompasses using the /GS compile option, which generates a cookie that separates the stack overrun from the return address. The consequence of this is that the stack layout is modified; this is a major factor that contributes to the avoidance of buffer overruns. The second option pertains to the usage of a library. The purpose of this library is to provide an array of buffer overrun functions which play a significant role in detecting buffer overflows (Waddleton 2004). Microsoft (2003) advises that the patch that was released in response to the vulnerability should be put into effect as soon as possible.

Conclusion

Thus, the discussion above leads to the conclusion that it is important to research the vulnerabilities of software. The reason why the Blaster worm and other viruses were able to infect systems was that there was a connection in the interface that could be exploited. With newer versions of the patches being released as research progresses, there is an increased need for users to consistently update their antivirus software in order to protect themselves from security threats.

Reference List

Computing Facilities 2003, Windows RPC/DCOM vulnerability, Carnegie Mellon School of Computer, viewed on 19 January, 2011.
Kirda, E, Jha, S & Balzarotti, D 2009, Recent Advances in Intrusion Detection: 12th International Symposium, RAID 2009, Saint-Malo, France, September 23-25, 2009, Proceedings, Springer.
Manzuik, S, Pfeil, K, Gold, A & Gatford, C 2006, Network Security Assessment: From Vulnerability to Patch, Syngress.
Microsoft 2003, Microsoft Security Bulletin MS03-026, Microsoft, viewed on 19 January, 2011.
National Vulnerability Database 2008, Vulnerability Summary for CVE-2003-0352, National Institute of Standards and Technology, viewed on 19 January, 2011.
Reuvid, J 2004, The Secure Online Business Handbook: e-Commerce, IT Functionality, & Business Continuity, 2nd edn, Kogan Page Publishers.
Scambray, J & McClure, S 2007, Hacking Exposed Windows: Windows Security Secrets & Solutions, 3rd edn, McGraw-Hill Professional.
Schnoll, S 2004, Microsoft Exchange Server 2003 Distilled, Addison-Wesley.
Schperberg, R 2005, Cybercrime: Incident Response and Digital Forensics, ISACA.
Schultz, EE 2003, 'The MSBlaster worm: going from bad to worse', Network Security, vol. 10, pp. 4-8.
Seacord, RC 2006, Secure Coding in C and C++, Pearson Education India.
Security Space 2011, CVE-2003-0352, E-Soft Inc., viewed on 19 January, 2011.
Symantec 2003, Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability, Symantec Corporation, viewed on 19 January, 2011.
Tech Republic 2011, Microsoft Security Update MS03-026 (Windows), CBS Interactive Inc., viewed on 19 January, 2011.
Tech Support Guy 2003, DCOM Vulnerabilities IPSec Mitigation Tools: Sep 10, TechGuy, Inc., viewed on 19 January, 2011.
Waddleton, D 2004, What is a buffer overrun? A Blog for Graymad, viewed on 19 January, 2011.
Wong, W 2000, Windows 2000 virus detected, cnet News, viewed on 19 January, 2011.
Microsoft 2011, Definition of a Security Vulnerability, Microsoft, viewed on 19 January, 2011.
CVE 2011, The Mitre Corporation, viewed on 19 January, 2011.
Javvin 2011, RPC: Remote Procedure Call Protocol, Javvin Technologies Inc., viewed on 19 January, 2011.
Source: https://studentshare.org/information-technology/1747916-msc-computer-system-security-practical-windows-security
