Now some reader may be thinking: ďThose
are just the patron access machines - my staff workstations and file servers are still safe because they are behind locked doors.Ē Let me share my little horror story about network privilege escalation:
First local frat boy Steven becomes a local admin on a workstation using a boot disk. He then copies off the SAM and SYSTEM files for later cracking with Cain or L0phtcrack. Many folks use the same local admin passwords, allowing Steven to attack other boxes from across the network using the cracked credentials. He then installs a key catcher like WS Keylogger, or maybe something like Fake Gina on the box. Later on, one of the support staff with admin privileges to the file servers and most of the workstations on campus logs in to do some work and in the process has his user name and password saved for later retrieval by Steven. Now Steven has access to most of the boxes on the network.
How does one fight against this problem? Using NTFS helps, but it is not an absolute solution as any Linux boot CD can be used to copy off the files. Putting passwords on the BIOS and setting it to only boot from the hard drive can help, but if you are going to do that you have to go all the way and physically lock the case. Otherwise the attacker can just open up the case and pull the battery or reset the right jumper to get in. Generally the physical locking of the station causes as many problems for the support staff that have to image the system (using Ghost or a similar tool) as it causes for the attacker, but if you donít plan to nuke and rebuild the machine often then locking the case can be a very good idea. To keep attackers from easily cracking your SAM files you can disable the storage of LM hashes. Another thing to keep in mind is that if you use a password longer than fourteen characters no LM hash will be stored for it. NT hashes can also be cracked of course, but LM hashes are much more vulnerable because they are single case and broken into two easily cracked seven byte chunks. Up to date anti-virus software and regular scans for common key loggers is another good idea. Also setting up regular password expirations can help to mitigate the effects of key loggers and password cracking.
How many times have you seen someone use a dictionary word as a local Administrator password? If an attacker can gain admin on a workstation using a boot disk, or just copy off the SAM and SYSTEM files from the hard disk, itís trivial to crack dictionary passwords using the tools mentioned before, even if LM hash storage is turned off. Samdump2 and John the Ripper can be run from a single boot CD to perform the crack. Attackers can use tools like Brutus or THC-Hydra from across the network to try to crack accounts, but this much slower then a local attack.
Ensure that password policies do not allow easy-to-guess passwords and that someone is watching the event logs for signs of a brute force attack. Forced password changes for the support staff may be a good idea in some cases, but frequent password changes will cause some staff to write their password down and leave it where someone malicious could find it (a post-it note on the monitor is popular). Also avoid using Social Security Numbers as default passwords. Social Security information goes across too many desks at a university to be considered secure. Even work-study students may have access to databases of Social Security Numbers, and such information regularly makes it to recycle containers unshredded. The same thing goes for other personal information thatís easy to find or guess.
Turn off File Sharing and Unneeded Services