Category: authentication

Agree with Keith Brown’s "do not display last user name" rant

Published on by paranoidmikeLeave a comment

I’m with Keith here [note: in the interests of minimizing duplication, I’ve hacked his post down to the most stinging statements. Go read it yourself if you’re interested in a good discussion of the problem.]

A security countermeasure that isn’t all that

The password that you just entered went into the user name text box of the login dialog. When you hit enter, you attempted to log into your workstation using your password as the user name and a blank password. Because this login failed it’s logged in the Event Log. Guess what’s in there? Yep, it’s your password!
So in the interest of making your machine more secure, it is actually compromised…

… As Schneier constantly reminds us, security is all about tradeoffs. What do you gain by turning on the DontDisplayLastUserName feature? Given that it only takes effect when you’re logged out, not when your workstation is simply locked, not much! There are an awful lot of people who rarely log out of their machines (me included), and rather lock their workstations instead.
… If a countermeasure makes things harder (and more risky) for legitimate users, and doesn’t provide any real impediment for an attacker, it’s a bad tradeoff.
… I’d suggest picking up a copy of Jesper & Steve’s book, which provides really practical advice for securing Windows. It’ll help prevent these sorts of mistakes in the future!

This kind of blind use of security “countermeasures” really bothers me. I used to be a blind follower of security checklists in my early career too, so I can’t say I don’t understand the impulse that drives this sort of behaviour.

Still, I can’t believe that after all these years of people publishing these checklists, and lots of other people using them and seeing the consequences of their use, they still get published and used like this – i.e. ignorant of the consequences.

I get pretty frustrated when I see people take security measures like this and end up shooting themselves in the foot. At best, they’re no further ahead overall. At worst, they’ve taken a giant leap backwards, and made it even *easier* for an attacker to escalate themselves and do some *real* damage to your computing assets.

Damn. I really want this setting to be discarded, just like I want to see the “account lockout” setting retired in favour of a more sophisticated, goal-oriented, actually-accomplishes-what-it-sets-out-to-do countermeasure. I am all in favour of more configurability in a system, to give people more options so they can accomodate special circumstances when required – BUT – when a “special purpose” setting like this actually ends up being used blindly by everyone in unsuitable circumstances, and ends up making things WORSE, well that’s when it’s time to seriously reconsider.

Creating the Saved Password

How often does “DontDisplayLastUserName” actually do something security-useful:

  1. Computer boots up
  2. Computer is Restarted
  3. User logs off

VS. times when it can potentially hurt:

  1. User locks computer
  2. User places computer on Standby (and computer is set to lock on resume)
  3. User places computer in Hibernate mode (and computer is set to lock on resume)
  4. Computer goes into Standby or Hibernate according to Power Management configuration (and computer is set to lock on resume)

I don’t have any statistics to back up the opinion I’m about to assert, so I’ll just have to use my own user behaviour as a model and let you decide how often it happens from there:

  • I rarely power down my computer:
    • perhaps once a week or so because something has leaked too many resources over time (e.g. Virtual Memory, GDI Objects, Handles) and I need to free them up
    • perhaps once every couple of weeks because I’ve installed something that includes a kernel-level driver (display, network) or because I’ve installed an update that replaces an in-use system-level file
  • I almost never log off my computer – why bother? It’s a single-user machine almost all the time:
    • My home desktop is used by my wife or houseguests maybe once a month
    • My work notebook is used almost never by anyone else, and if I let them use it, I’ll usually just fire up a fresh browser instance (or RDP client) and let them borrow it while I’m there – I just don’t let people log on to my work computer – no reason to, that I’ve found
  • I very frequently (e.g. dozen times a day or more) end up with my work notebook locked:
    • anytime I move from the house to the office, I’ll put it in Standby or Hibernate
    • I’ll pull it open for a while on the bus to or from work and then Hibernate when I walk off
    • anytime I go from my office to a meeting (usually 1-3 per day), I’ll S/H while I carry it around
    • anytime I walk away from my notebook, I’ll lock it (Windows-L was a wonderful addition to XP)

Under such circumstances, how often do you think I’d accidentally enter my password in a blanked-out username field? Thankfully, I haven’t had that setting forced on me since I forced it on the domains which I administered in my old job as a sysadmin (i.e. 6+ years ago, before I “saw the light”). So I don’t know how often that’d actually happen now – I have no immediate experience to back it up. But if a smart guy like James gets tripped up by it once in a while, then I’m sure I’m no smarter/more attentive than he is.

Exploiting the Saved Password

OK, so let’s assume that for a significant number of computers configured to not display the last username, the user’s password ends up saved in a Security Event Log entry. That log is only readable by members of BUILTIN\Administrators and any process in the LOCALSYSTEM context on Windows up to and including XP (but can be modified on Windows Server 2003, as per Eric Fitzgerald’s article here).

So what’s the big deal? On systems where both (a) physical access is unavailable (e.g. servers) and (b) all patches have been been applied, the risk of a random attacker who doesn’t already have an Admin-level account of getting an admin-level account is usually pretty small (let’s hope – okay, this is probably asking too much, but let’s just assume for the moment, okay?).

However, on systems where either (a) or (b) is FALSE (e.g. (a) on a desktop or especially notebook computer – physically accessible to many classes of attacker; e.g. (b) on a computer where root-level exploits have not been patched), I caution you strongly that “Do not display last user name” may end up giving an attacker a means to retrieve the user’s logon password IN CLEARTEXT and be able to access any resources to which that user account has been granted access.

EFS/RMS Alert!

If you are using a Windows logon-based encryption technology (e.g. EFS, RMS), then you should be doing everything in your power to make it difficult for a physical attacker to discover or guess the user’s logon password – right?!? So my advice: along with all the other things that I’ve recommended in the past (and continue to recommend), I strongly urge you to NEVER set the “Interactive logon: Do not display last user name” setting on any client PC (desktop, notebook aka Windows 2000, Windows XP) where you believe Windows logon password-based encryption is being used.

Note: I am NOT trying to steer you away from these technologies. What I AM attempting to do is to (a) illustrate one cogent, real-world example of why this “Do not display last user name” setting can be more harm than good to your overall security posture, and (b) emphasize yet another way that attackers could be “assisted” in attacking EFS- or RMS-protected data – and what you can to do prevent that.

So there.

[category: general security]

Database "intrusion detection" appliance – nice thinking, hope to see more like this

Published on by paranoidmikeLeave a comment

http://www.computerworld.com/securitytopics/security/story/0,10801,105429,00.html

I am very much interested in anything that helps an organization get a handle on the kinds of “attacks” this device is intended to detect.

My first reaction when I read “The current version of the Symantec appliance does not actually block suspicious queries — it simply monitors and reports on what the database is up to — but that feature is being considered for a future version…” was – Wow, doesn’t that make this a pretty useless piece of tech then?

However, when I think back on all the customers with whom I’ve worked, I’ve found that most of them are happy enough to be able to detect unauthorized behaviour. Sure, if preventative controls cost no more (time, effort, resources, usability) than the equivalent detective control, they’d be happy to use that instead. However, most of us have had enough experience with “prevention is the only path to security” approaches to understand that preventative security can only guarantee that it’ll block some form of intended usage, and that (as Schneier so often points out) the bad guys will always find some other way to accomplish their goals, if they’re determined enough.

Such as: if you block unauthorized use through a database “intrusion prevention” appliance, the bad guys will then try other attack vectors such as:

  • escalating the privilege of an account that doesn’t start with sufficient privilege
  • finding an account that does have sufficient privilege and breaking its password
  • finding an alternate path to the database that doesn’t go through the database IP appliance
  • cracking the appliance (sure, of course it’s impregnable, but…)
  • DoS’ing the appliance (say if nothing else worked, and they’re just frustrated enough to want to do *some* harm)

Bottom line: I like the thinking that went into Symantec’s database security appliance, and I hope to see more creative ideas like this in the future. As the article said, “…enterprise users are becoming increasingly focused on data security and regulation compliance.” [emphasis mine]

Encrypting files on the server – WTF???

Published on by paranoidmike1 Comment

I can’t tell you how irritated I get when I read yet another recommendation from some well-meaning security expert that says you should use EFS to encrypt files on a Windows SERVER. I have little or no problem with EFS on a Windows CLIENT (though if you’re not using domain accounts, or you don’t use SYSKEY [shudder], you’re only keeping your files safe from grandma, not your kids), but I have to wonder how many people understand how decryption keys are protected (and by what) when they recommend using EFS on a server.

SQL Database (mdf) encryption example
Let’s take a simple case: you want to protect your SQL database files from remote attackers, so naturally you think “I’ll encrypt the data using EFS – cheap, free and easy – and then remote attackers won’t be able to access the data.” Yes, in one sense that is quite true – if a remote attacker were to try to copy the files on disk – e.g. from a buffer overflow exploit that gave them remote LocalSystem access – then NTFS would return an Access Denied error.

  • when you encrypt a file that is to be accessible to a Service (such as the “MS SQL Server” service that mounts the SQL database files), you are in reality required to encrypt the file in the context of the Service account in which the service runs.
  • In this example, you’d have to encrypt in the MSSQLServer service’s account context – and if you’ve been reading your SQL Server security guidance, you’ll already have created a service account and downgraded MSSQLServer from the default LocalSystem service account context.
  • This means that only the service account (e.g. you’ve created a local account named SERVER\SQLServiceAcct) can decrypt the files.
  • What happens when the service starts? The service “logs on” with the SQLServiceAcct (actually the Service Control Manager calls CreateProcessAsUser() or similar API and runs the new process in the context of the user account specified as the Service Account in the service’s configuration).
  • How does the Service Control Manager “authenticate” the service? The service account name is stored in cleartext in the Registry, and the service account password is stored as an LSA Secret elsewhere in the Registry.
  • LSA Secrets are ACL’d so they are not readable by any user except the LocalSystem, and they are further encrypted with the System Key (aka SYSKEY), so that only the LSA process (which has the ability to use the SYSKEY decryption key) could access the LSA Secrets.
  • [AFAIK] The Service Control Manager requests that the LSA decrypt the service account password and pass it to the Service Control Manager for use in the CreateProcessAsUser() API call.
  • Once the MSSQLServer service is running in the correct user context, then the EFS driver in NTFS will decrypt the encrypted database files for the MSSQLServer process, and SQL Server will be able to mount the now-decrypted database files.
  • Any process running in any other user context will not be able to supply the correct RSA private key for EFS to be able to decrypt the files. In our example, if the attacker could remotely run a script in the LocalSystem context that tried to copy the database files,NTFS will return an Access Denied message to the script process that tried to access the encrypted database files.

However, if that same remote attacker were really interested in getting access to that encrypted file, they could quite easily grant themselves access:

  • Anyone with LocalSystem access (or local Administrators membership as well) could grant themselves the SeDebugPrivilege, and then run any number of “hacker” tools that could dump the LSA Secrets from memory into cleartext form.
  • e.g. the family of lsadump*.exe tools attach to the LSASS.EXE process (via the Debug privilege) and dump out all the decrypted LSA Secrets.
  • Once you have the decrypted LSA Secrets, you can quickly find the SQLServiceAcct password, which then gives you the ability to logon as that user account.
  • Once you can authenticate as the SQLServiceAcct user account, you’ll have access to all the RSA decryption keys stored in that user’s profile. Then any attempts to read/copy files encrypted by that user will be automatically decrypted by EFS.

This is an unavoidable consequence of the scenario. Services must be able to start automatically (at least, on all Windows servers for which I’ve had to recommend security measures), which means that the Service Control Manager must be able to read the password from LSA Secrets without user intervention.

[This also usually means that SYSKEY boot passphrases or boot floppies won’t be used, since the use of an “off-system SYSKEY” means the server will never boot without an administrator intervening, which makes remote management a heckuva lot harder. Unless you have some of those fancy Remote Insight boards AND a sysadmin who doesn’t mind getting paged every time the server has to reboot.]

My conclusion: EFS-encrypting files for processes that start without user intervention provides very little protection against remote attackers who can gain LocalSystem or Administrators access to your server. This means *any* Service, whether on a server or a client (e.g. the ol’ ArcServ backup agent that runs on every Windows server and client, and [at least used to] “require” a Domain Admin account as the service account. That’s another hairy security implementation for another day’s rant, lemme tell you…).

[Note: Netscape web server had this same “problem” back in the days when I still administered Netscape-on-Windows. If you had an SSL certificate configured for the site, and you didn’t want to have to stand at the keyboard every time you wanted to start the web server, you’d have to store the private key’s decryption password in a plaintext file on the server. Kinda ruled out any *real* security that you could claim for that private key, but whatever – SSL was just there to encrypt the session key anyway, and very few SSL sessions lasted long enough for the fabled “sniff the SSL session on the wire” attacks anyway.]

SQL Database dump file example
“But wait Mike – what if the MSSQLServer service was always running? Doesn’t SQL have an exclusive lock on all its database files while the service is running?” Yes, absolutely. This brings to mind a couple of different thoughts:

  • how do you make sure the service is always running – prevent it being shut down, or ensure that the server reboots as soon as the service is no longer running?
  • if the files are already exclusively locked, doesn’t that mean the remote attacker won’t be able to read or copy the files off the filesystem? Why bother encrypting if the service *never* doesn’t run?

Also note: the “exclusive lock” principle obviously won’t apply to scheduled database dump files – the files are written once, then unlocked by the scheduled dump process/thread. This should make you think twice/thrice about encrypting the database dump files on disk – the files will be unlocked, waiting on the filesystem for that same LocalSystem/Admin attacker to logon as the dump user context and copy the files at their leisure. [It would also mean that any remote process to read or copy the dump files – e.g. an enterprise backup system running on a central server – would have to be able to decrypt the files remotely. This requires “Trusted for Delegation” configuration for the server where the dump files are held, which is a security headache that warrants careful thought before implementing.]

My best advice for protecting the database dumps from remote attackers?

  • Don’t ever dump to the local filesystem of the server – stream your database backups over the network, either to a remote file share that wouldn’t be accessible to the remote attackers, or directly to a backup device that writes the files to backup media; OR,
  • Minimize the amount of time that the database dumps are stored on a locally-accessible filesystem. Have the files copied off-device as soon as possible, and if possible wipe the free space after you’ve deleted the files (if you’re concerned about the remote attackers undeleting the files).