
Kalford
Seems To Be An Rtfm Problem.
Premium,MVM
join:2001-03-20
Ontario
kudos:1

Logged out machines Vulnerable???

A thought came over me the other day (it's true I do have them) and I checked it out.

On a windows peer to peer network if you are logged out with sharing your system can still be accessed from others on the network. Also that your system can still be pinged would imply that ports are still open.

My question is this, does this also apply to NT/2000 networks?

Also if you are WIN9x or ME on your home system and simply log off, would this open your system up to hackers as your firewall would be down but your connection could still be live?

Thoughts, testings or experiences anyone?

(edit note: whoops, typo, I think I need Atomica)

--
There are many beautiful things you will find when you shut your mouth and open up your mind

[text was edited by author 2001-04-19 19:59:32]



Brauckmiller

join:2001-01-21
Shirley, MA

On all Windows boxes, TCP/IP has to be up before you login. How else would you login unless IP is running? The only time this would even be an issue is if you had an always on connection. If you do, you should be running a firewall. ZoneAlarm's TrueVector service starts up just after TCP/IP does. The amount of time your system is unprotected is very short. Any good firewall will run as a service and not as an app. This way, you can log off and your system will still be protected.

Yes, this applies to NT/2000 networks as well. The server does not require anyone to be logged in locally for it to authenticate users. Would be a pretty weak security model if they required an administrator to be logged in before the server would authenticate people.

Hope that helps.

Craig



QuantumX
I Know You're Here

join:2000-11-16
Thunder Bay, ON
reply to Kalford

You're right, Kalford. The vulnerability does exist. Something like BlackIce Defender or Tiny Firewall runs as a service on NT/2K systems, so there would be some protection with them when you're logged out.
--
The Microsoft Vacuum Cleaner!! The only MS product that doesn't suck.



Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5
reply to Brauckmiller

said by Brauckmiller:
On all Windows boxes, TCP/IP has to be up before you login
This is not true: it's entirely possible to run a peer-to-peer network using NETBEUI or some other protocol, and use TCP/IP only for the internet. If WINS is not bound to the TCP/IP protocol, there is no way to "login" that way.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / steve@unixwiz.net


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1
reply to Kalford

On NT/2k, the attacker would have to try to crack a user account to get into the filesystem of a logged off machine. However, it's been demonstrated that a lot of users use weak passwords, and that anything short of around an 8 character strong password is fairly easy for a skilled cracker to break. First, before anything else, go to user manager, drop down permissions, and remove everyone from "log in over the network." Leave it blank, if you don't have a LAN; otherwise, click on "show users" and grant that permission by user name, not group, to the authorized users.

Also, I strongly suggest using the directory permissions and registry permissions as additional security. You paid for the feature, after all... it's very possible for a cracker to use the notorious "guest" account (disable it unless you use it for something!!!) to exploit the default "everyone/full control" permissions on the filesystem. I've added "network/no access" to my most personal files, and I've walked the tree, and changed "everyone/full control" to "authenticated users/full control" on virtually everything. I've also done much the same with some of the registry trees. This is all a subject for a book, though, and beyond the scope of a reasonably sized post on this board!

Finally, there are endless possibilities for attacks other than cracking into the filesystem (again, material for a book in itself). A trojan running as a service (yikes!) can run at the permission level of the user who "installed" it (great argument, by the way, for the old Unix chestnut, "never surf root(administrator)"). Null sessions provide a vulnerability to a cracker who knows how to exploit them. The list grows every day. It is absolutely essential to have a firewall component, like ZA(?) or Tiny, that runs as a device or service, on an NT box that often sits online but logged off. Of course, with PPPoE, you may want to disconnect when you log off, too... but that's just not possible on a static IP connection.

Use a router, and set ports 135-139 as blocked at the router, as another good way of maintaining security. My own router blocks DCOM (135) and NetBios (137-139), as well as network printing (515 - not necessary for everyone, but I have one of those nifty networked printers, that has its own NIC and runs 24/7, waiting for jobs from the network... this just keeps some jerk script kiddy from doing something cuddly cute, like sending his entire portfolio of porno art to my printer while I'm out - it's been known to happen.) I also have a router filter for 1027, which is, far as I can tell, used by the scheduler service. It shows up as "possible IRC???" on most port scanners... and a cracker who connected on it thinking he was getting that would be thrilled to DEATH to find himself connected to a cron service on a remote machine!!

Another step I've taken is to set that dummy DMZ host at the router. That diverts attention from the network, and blackholes attempts "into the bitbucket" when they come in.

I've also created a few of my own little diversions, mainly geared towards ensuring that anyone who tries to fingerprint my OS by port usage and TCP/IP configuration will get confusing results. There are just sooo many things worth considering... how do we secure ourselves, but keep a rational balance between our paranoia and usability/convenience? Quite a task...

Sorry for the scatter gun approach, but I just started thinking aloud, and decided to share my thoughts... VERY incompletely, granted... still, I hope they help you think out your own plan... best single bit of "quick and easy" advice? "firewall." That and, if it worries you a great deal, either disconnect the network or shut down the machine when you go away. However, with nominal security consciousness, leaving a logged off NT/2k machine should be a lot safer than a logged off 9x machine, and a LOT safer than a logged ON NT box... of course... I do it quite often, actually. Just to be a little surer, in the event someone does get past the router and finds a backdoor through the firewall...
--
Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill
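The "walk the tree and swap everyone/full control for authenticated users/full control" step gwion describes above, written up as an added PowerShell example (not code from the thread; gwion did this by hand in the NT GUI). It only reports by default and rewrites ACEs only when run with -Fix; it assumes a current Windows with PowerShell 5 or later and a user allowed to read and change the ACLs under the chosen root.

```powershell
# Added example: audit (and optionally fix) explicit ACEs that grant
# "Everyone" Full Control, replacing each with the same rights for
# "Authenticated Users". Inherited ACEs are skipped; fix them at their source.
param(
    [Parameter(Mandatory)] [string] $Root,   # directory tree to walk
    [switch] $Fix                            # without -Fix, report only
)

# Well-known SIDs so the check does not depend on the display language.
$everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # Everyone
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'  # Authenticated Users
$full      = [System.Security.AccessControl.FileSystemRights]::FullControl

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName } catch { continue }

    $bad = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone) -and
        (($_.FileSystemRights -band $full) -eq $full)
    })
    if ($bad.Count -eq 0) { continue }

    Write-Output ("Everyone/Full Control on: " + $item.FullName)
    if ($Fix) {
        foreach ($ace in $bad) {
            # Keep the original inheritance/propagation so subfolders behave as before.
            $acl.RemoveAccessRule($ace) | Out-Null
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $authUsers, $full, $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
        Write-Output ("  replaced with Authenticated Users/Full Control")
    }
}
```

Run it once without -Fix and review the list before changing anything; a share or application directory that genuinely needs Everyone access will otherwise lose it.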



Kalford
Seems To Be An Rtfm Problem.
Premium,MVM
join:2001-03-20
Ontario
kudos:1

Excellent and useful info Gwion, thanks... I printed this one off for future reference.

Sjfriedl thanks for confirming what I believed to be correct about unbinding Netbios from TCP/IP (part of the reason I was worried about TCP/IP still running after logoff).

I am still a bit leery of what WIN9x OS's run as true services, so I will run some tests of my own to see.
(I just gotta try things for myself, hearing about it just isn't the same)

Note: I am not running an NT network as of yet (haven't even used NT workstation for 2 years). I plan on migrating up from a Win9x peer-peer within the next year or two (this year's budget is gone already), so I just inundate everyone here with questions, so that I am up to speed by the time I am ready to switch over.
--
There are many beautiful things you will find when you shut your mouth and open up your mind



gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1
reply to Kalford

Running a service is only really meaningful with a system like NT or 2k. With 9x, real security is so near nonexistent that a service is just as vulnerable as any other process. All a cracker needs to do on 9x... uh... no, I'm not that silly... but no, they aren't "true services" or "daemons" in a 9x model. 9x is an exercise in inverted security, designed to be user friendly (read: wide open), and has an easily cracked security mechanism and no concept of permissions or audit whatsoever...
--
Man will occasionally stumble over the truth, but most times he will pick himself up and carry on. - Sir Winston Churchill