Ms. Talida works as a marketing executive in a mid-size biscuit manufacturing company which has several brands targeting middle-income customers. Her job responsibilities include market research and the development of new strategies to increase the market share of the product. Presently she is working on a case study to revamp a brand; the same assignment has also been given to another colleague, and both have to submit separate reports on the project. After receiving this assignment from management, she noticed that whenever she returns from lunch, some files are displayed in “My Recent Files” on her Windows® 2000 Professional™ workstation which she does not remember opening.
Growing suspicious, she decided to change the password on her computer; she changed it and wrote it down on a small Post-it note which she stuck under her desk to remember it. Two days after changing the password she again suspected that someone had used her computer, as she was facing the same problem she had faced two days earlier.
Since her company is a small organization, not many controls are deployed on the network. She decided to share her observation with Bob, the network administrator, who is always short on hands and resources due to a tight budget. Bob listens to her concern, and the first question he asks Talida is: have you written your password down anywhere to remember it? To which she replies yes. Bob asks Talida to remove the Post-it and destroy it, and asks her to change the password to a complex one with alphanumeric and special characters. Talida realizes her mistake but says that she will be bugging him again and again to change her password in case she forgets it. Bob smiles, understands the problem she will be facing, and counsels her on how to set a complex password which she can remember easily. He asks what her favorite song is. Talida replies “in to the sky”. Bob says she can use a password combination like “Int05hesk&”. Since these keys are right above the letters they replace, she will have no problem typing it, and she can use any song or movie name she likes best as her password combination without forgetting it. Talida understands what Bob said and leaves his room to change her password.
After Talida leaves, Bob realizes that he has not implemented any password policy, owing to his busy schedule with the core servers he has to look after to ensure the smooth running of the company’s IT operations. He immediately decides to work on it and starts noting down the things he should do right away to improve desktop security and to convince his management to implement these controls.
First he decided to work on the password policy, implementing strict password controls on the network. He noted that all passwords on the domain should be complex passwords with alphanumeric and special characters. A password should not be repeated by the user for at least 3 times, and every password should have a minimum of 8 characters, to avoid intrusion and make it as difficult as possible for an intruder who wants to crack it. Then he noted that all user accounts should be locked after 3 bad attempts for a minimum of 20 minutes, and that one password cannot be reused for at least 24 times by the user. Then he noted that no machine should display the user name once it is locked; the user has to give both user name and password to log in and start working. This eliminates the possibility of anybody noting down the user name, which could be used in any type of password attack. One major factor in desktop password security which Bob had overlooked was the Administrator account and the Guest account; he wanted to disable all local Administrator and Guest accounts on the network. The Guest account is disabled by default, but the Administrator account never disables, never locks out, and has full reign over that workstation. These passwords are often left unchanged for the life of a computer. In addition, there may be service accounts with elevated privileges that never have their password changed either. Administrator or privileged accounts with passwords that never change are prime targets for an intruder, and make it easy to gain an initial foothold into a computer, company workgroup, or domain.
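The password controls Bob lists above (complexity, minimum length, password history and account lockout) are easy to state but easy to get subtly wrong, so here is a small model of them as an added example; it is not code from the article or from any Windows component. The thresholds (8-character minimum, 24 remembered passwords, lockout after 3 bad attempts for 20 minutes) are the ones the text gives; the function names, the in-memory account store and the sample timestamps are this example's own assumptions.

```python
"""Added example (not part of the article): a small model of the desktop
password controls Bob lists, so the rules can be checked against sample
values. The numbers (8-character minimum, 24 remembered passwords, lockout
after 3 bad attempts for 20 minutes) are the ones stated in the text;
the function names and the in-memory account store are this example's own."""
import hashlib
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 8                           # minimum password length
HISTORY_SIZE = 24                        # previous passwords that may not be reused
LOCKOUT_THRESHOLD = 3                    # bad attempts before the account locks
LOCKOUT_DURATION = timedelta(minutes=20)


def _digest(password: str) -> str:
    # Demonstration only: a real credential store uses a salted, slow password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def complexity_errors(candidate: str, history: List[str]) -> List[str]:
    """Return every policy violation for a candidate; an empty list means it is
    acceptable. `history` holds digests of earlier passwords, oldest first."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        errors.append("no letters")
    if not any(c.isdigit() for c in candidate):
        errors.append("no digits")
    if not any(c in string.punctuation for c in candidate):
        errors.append("no special characters")
    if _digest(candidate) in history[-HISTORY_SIZE:]:
        errors.append(f"reused within the last {HISTORY_SIZE} passwords")
    return errors


@dataclass
class Account:
    name: str
    digest: str
    history: List[str] = field(default_factory=list)   # digests, oldest first
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def create_account(name: str, password: str) -> Account:
    errors = complexity_errors(password, [])
    if errors:
        raise ValueError("; ".join(errors))
    digest = _digest(password)
    return Account(name=name, digest=digest, history=[digest])


def change_password(account: Account, new_password: str) -> List[str]:
    """Apply the new password if it passes policy; return the violations otherwise."""
    errors = complexity_errors(new_password, account.history)
    if errors:
        return errors
    account.digest = _digest(new_password)
    account.history = (account.history + [account.digest])[-HISTORY_SIZE:]
    return []


def attempt_logon(account: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'success' or 'failure', applying the lockout rule."""
    if account.locked_until is not None and now < account.locked_until:
        return "locked"                  # still inside the 20-minute lockout window
    if _digest(password) == account.digest:
        account.failed_attempts = 0
        account.locked_until = None
        return "success"
    account.failed_attempts += 1
    if account.failed_attempts >= LOCKOUT_THRESHOLD:
        account.locked_until = now + LOCKOUT_DURATION
        account.failed_attempts = 0      # counter restarts once the lockout expires
    return "failure"


def lockout_sequence() -> List[str]:
    """Walk one account through three bad attempts, an attempt during the
    lockout, and a correct logon after it expires; returns each outcome."""
    account = create_account("talida", "Int05hesk&")
    start = datetime(2003, 4, 14, 12, 30)      # constructed timestamp
    steps = [("wrong-1!", 0), ("wrong-2!", 1), ("wrong-3!", 2),
             ("Int05hesk&", 10), ("Int05hesk&", 25)]
    return [attempt_logon(account, pw, start + timedelta(minutes=m)) for pw, m in steps]


if __name__ == "__main__":
    print(complexity_errors("biscuits", []))   # ['no digits', 'no special characters']
    print(lockout_sequence())                   # ['failure', 'failure', 'failure', 'locked', 'success']
```

Note that the lockout is timed from the third failure, so the correct password is refused at +10 minutes and accepted at +25; a real implementation also needs the "reset counter after N minutes" setting that Windows pairs with the lockout threshold, which this model omits.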
Then he thought of enabling auditing on the network so he could start logging activity. The “Audit Policy” determines what sort of system events the computer tracks or records, allowing administrators to determine what has actually happened over time. The events may be used to track actions that an application performed, or actions that a user performed. They may also indicate attempts by unauthorized users to penetrate a computer from the user console or over the network. There are a number of security-related events that should be recorded, but Bob was not recording any event on the network. To check on the controls available to him, he clicked the Start button, navigated to Settings and then Control Panel, double-clicked “Administrative Tools”, and then double-clicked “Local Security Policy”. In the left pane, expanding Local Policies and clicking Audit Policy shows the settings; to make changes, double-click one of the settings in the right pane, check or uncheck the appropriate boxes, and click OK to save. The settings take effect when the Local Security Policy editor is closed. The controls available to him were:
Audit Account Logon Events: Success and Failure. Auditing account logon events tracks successful and failed logon attempts from the local console, the network, or batch or service accounts using domain logon credentials. If a user attempts to log on and fails, the only way to know is to have this auditing enabled and to periodically check the local machine’s Security Event Log.
Audit Account Management: Success and Failure. In order to track successful and failed attempts to create new users or groups, rename users or groups, enable or disable users, or change account passwords, enable auditing for Account Management events.
Audit Directory Service Access: Not Defined. No auditing of Directory Service Access is required on Windows 2000 Professional, because Directory Service Access can only be audited on Windows 2000 (or later) domain controllers.
Audit Logon Events: Success and Failure. Auditing logon events tracks successful and failed logon attempts from the local console, the network, or batch or service accounts using local machine logon credentials. If a user attempts to log on and fails, the only way to know is to have this auditing enabled and to periodically check the local machine’s Security Event Log.
Audit Object Access: Failure (minimum). It is possible to track when specific users access specific files. In order to track a user’s access to files, go to that file or folder, edit the security properties for that object, and enable auditing for specific users on that object. Also enable Audit Object Access for success or failure here; each access that matches the audit settings will then produce an event in the Security Event Log. Enabling this option in the audit policy does not produce events by itself unless objects and users are actively being audited.
Audit Policy Change: Failure (minimum). If policy changes are audited, changes to User Rights, Audit Policies, or Trust Policies will produce events in the Security Event Log.
Audit Privilege Use: Failure (minimum). Auditing privilege use enables auditing for any operation that requires a user account to make use of extra privileges it has already been assigned. If this is enabled, events will be generated in the Security Event Log if a user or process attempts to bypass traverse checking, debug programs, create a token object, replace a process-level token, or generate security audits. It will also generate events if a user or account attempts to back up or restore files or directories using the Backup or Restore user right, but only if the security option to audit backups and restores is enabled. Privilege use occurs in all user accounts on a regular basis; if success and failure events are both audited, there will be a great many events in the event log reflecting such use. This is normal, and sorting through these events is part of the cost of detailed auditing.
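Enabling the logon, account-management and policy-change audits above only helps if someone periodically reads the Security Event Log, as the text says. The following triage script is an added example, not code from the article or from Windows: it parses a few constructed records in a simplified comma-separated layout (date,time,event_id,category,user,workstation, not a real Event Viewer export), counts failed logons per account, flags an account whose run of consecutive failures ends in a success on the same workstation, and lists the account and policy changes. The event IDs are the classic Windows 2000 Security log IDs (528 successful logon, 529 logon failure with unknown user name or bad password, 612 audit policy changed, 624 user account created, 642 user account changed); the function names and the threshold of three failures are this example's own.

```python
"""Added example (not part of the article): a small triage script over the
kinds of records the audit settings above produce. The log lines below are
constructed for this example in a simplified comma-separated layout
(date,time,event_id,category,user,workstation), not a real Event Viewer
export. The event IDs are the classic Windows 2000 Security log IDs:
528 successful logon, 529 logon failure (unknown user name or bad
password), 612 audit policy changed, 624 user account created,
642 user account changed. Function names are this example's own."""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List, Tuple

SUCCESS_LOGON = 528
FAILED_LOGON = 529
WATCHED = {612: "audit policy changed",
           624: "user account created",
           642: "user account changed"}
FAILURE_THRESHOLD = 3   # mirrors the lockout threshold in Bob's password policy

# Constructed sample records (not real log data).
SAMPLE_LOG = """\
2003-04-14,12:31:05,529,Logon/Logoff,talida,MKT-PC07
2003-04-14,12:31:19,529,Logon/Logoff,talida,MKT-PC07
2003-04-14,12:31:40,529,Logon/Logoff,talida,MKT-PC07
2003-04-14,12:31:58,528,Logon/Logoff,talida,MKT-PC07
2003-04-14,13:02:11,528,Logon/Logoff,talida,MKT-PC07
2003-04-14,15:45:02,624,Account Management,bob,SRV-DC01
2003-04-14,15:46:30,612,Policy Change,bob,SRV-DC01
2003-04-14,17:10:44,529,Logon/Logoff,Administrator,MKT-PC07
"""


def parse_events(text: str) -> List[Dict]:
    """Parse the simplified CSV layout into one dictionary per event."""
    events = []
    for date, time, event_id, category, user, host in csv.reader(StringIO(text)):
        events.append({"when": f"{date} {time}", "id": int(event_id),
                       "category": category, "user": user.lower(), "host": host})
    return events


def failed_logons_by_user(events: List[Dict]) -> Counter:
    """How many 529 (failed logon) records each account produced."""
    return Counter(e["user"] for e in events if e["id"] == FAILED_LOGON)


def failure_then_success(events: List[Dict],
                         threshold: int = FAILURE_THRESHOLD) -> List[Tuple[str, str, str]]:
    """Accounts that logged on successfully right after `threshold` or more
    consecutive failures on the same workstation. A typo gives one or two
    failures; a run this long ending in success deserves a closer look."""
    streak: Dict[Tuple[str, str], int] = Counter()   # consecutive failures per (user, host)
    hits = []
    for e in events:
        key = (e["user"], e["host"])
        if e["id"] == FAILED_LOGON:
            streak[key] += 1
        elif e["id"] == SUCCESS_LOGON:
            if streak[key] >= threshold:
                hits.append((e["user"], e["host"], e["when"]))
            streak[key] = 0
    return hits


def privileged_changes(events: List[Dict]) -> List[str]:
    """Readable lines for account-management and audit-policy-change events."""
    return [f'{e["when"]} {WATCHED[e["id"]]} by {e["user"]} on {e["host"]}'
            for e in events if e["id"] in WATCHED]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(dict(failed_logons_by_user(evts)))
    print(failure_then_success(evts))
    print("\n".join(privileged_changes(evts)))
```

The sample deliberately includes a failed logon against the Administrator account, which the text notes never locks out; with only Failure auditing on that account, a counter like `failed_logons_by_user` is the one place such attempts become visible.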
After noting some user-level security measures, he decided to work a little more on very easy controls he could deploy on the network to improve desktop security. He decided to get rid of all NULL sessions. NULL sessions take advantage of “features” in the SMB (Server Message Block) protocol that exist primarily for trust relationships. A NULL session is established with a Windows host by logging on with a NULL user name and password. Such NULL connections allow the following information to be gathered from the host:
· List of users and groups
· List of machines
· List of shares
· User and host SIDs (Security Identifiers)
NULL sessions exist in Windows networking to allow:
· Trusted domains to enumerate resources
· Computers outside the domain to authenticate and enumerate users
· The SYSTEM account to authenticate and enumerate resources
The NULL session vulnerability is fairly widespread; for the most part, if the appropriate ports are accessible, a NULL session is possible.