Systems Engineering and RDBMS

Archive for the ‘Security’ Category

Microsoft Admits to New DNS Security Flaw

Posted by decipherinfosys on April 17, 2007

Microsoft published a security advisory (935964) last week warning of a newly discovered vulnerability in the DNS Server Service. The company has not released any fix or patch information, indicating that a patch may be rolled out on the next scheduled date, which is the second Tuesday of every month (in this case May 8).

The affected products are:

  • Windows 2000 Server SP4
  • Windows 2003 Server SP1
  • Windows 2003 Server SP2

*Windows XP SP2 is not affected.

Details are still sketchy, but initial reports indicate that the vulnerability is a stack-based buffer overrun in the DNS Server’s Remote Procedure Call (RPC) interface. A successful exploit could allow an attacker to run malicious code in the security context of the Domain Name System (DNS) Server Service, which runs as Local SYSTEM.

Microsoft has suggested some preventative measures that can be taken:

  1. Block unsolicited inbound traffic on ports 1024-5000 using IPsec or a firewall.
  2. Implement advanced TCP/IP filtering options on the network interfaces of the DNS server.
  3. Disable the DNS remote management over RPC feature, which is done by editing the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

Note: Always take a backup of your existing registry settings prior to making any changes.

– Once you have navigated to the key, select Edit -> New -> DWORD Value

– Double-click on the newly created value and change the data to the number 4

– Close the registry and restart the DNS service.

Additional information regarding this vulnerability can be found at Microsoft: http://www.microsoft.com/technet/security/advisory/935964.mspx


Posted in Security, Windows

What is Microsoft Forefront?

Posted by decipherinfosys on February 27, 2007

Microsoft Forefront is a complete line of business security products that encompasses security for all aspects of an organization’s infrastructure. The goal of Forefront is to bundle security features into one comprehensive package that provides ease of use through central administration. Forefront can be integrated with existing third-party security solutions.

Most organizations today have security measures in place for their information technology infrastructure, including anti-virus, firewalls, intrusion detection, spam filters, etc. Unfortunately, administration of these measures is often dispersed, and can even be the responsibility of completely different groups. So, this essentially means that an organization’s security is only as effective as how well these different groups interact. Ensuring that various security solutions are administered effectively can be a headache in even the smallest of organizations, and with Forefront, Microsoft hopes to ease this pain.

Forefront is divided up into 3 realms: Server Security, Client Security, and what Microsoft calls Edge Security. Server Security includes protection for Exchange and SharePoint, Client Security provides malware protection for laptops and desktop PCs, and Edge Security revolves around Microsoft’s Internet Security and Acceleration (ISA) Server, which provides network security along with VPN capabilities for remote client access. The Forefront product line breaks down as follows:

  • Client Security
  • Forefront Security for Exchange Server
  • Forefront Security for SharePoint
  • Forefront Security for Office Communications Server
  • Internet Security and Acceleration (ISA) Server 2006
  • Intelligent Application Gateway (IAG) 2007

Trial versions of the Client, Server, and Edge Security solutions can be downloaded separately directly from the Microsoft Forefront homepage: http://www.microsoft.com/forefront/default.mspx

Is a bundled security solution like Forefront too good to be true? Perhaps. Past experience has shown most administrators that separate, dedicated security solutions are much better at what they do than a solution that offers multiple security functionality. However, if one looks more closely at the Forefront solution, one realizes that it is comprised of many components that have previously been available as separate standalone solutions. Microsoft’s attempt to combine these components under one administrative umbrella would certainly be a welcome improvement.

Posted in Security, Windows

Securing Web Applications

Posted by decipherinfosys on February 1, 2007

It used to be that an organization’s network-layer infrastructure was the target of most exploits and attacks. Due to the growing popularity of web and web services applications, however, organizations are faced with a whole new realm that requires protection. These complex and often highly exposed web-based solutions have become an essential part of any e-Business infrastructure. The importance of security for these solutions is obvious, but how can it be done effectively?

Common Attacks

Buffer Overflow – This is an input validation attack that overflows a buffer with excessive data. If a buffer overflow attack is successful, a cracker can gain privileges on a system identical to those of the application that runs on that system. Two well-known examples of this type of attack are Code Red and Nimda.

SQL Injection – This is also an input validation attack, in which SQL commands are sent to a web application. These commands are then relayed to the application’s database. Once a cracker has established access to sensitive information in your database, the potential damage can be excessive.

Cross-Site Scripting – This is an attack where an end-user accidentally, and unknowingly, executes malicious code created by a cracker to gain elevated privileges to a secure web application. Successful cross-site scripting attacks often result in the identity theft of the end-user, and often the end-user is unaware of the theft for a long period of time.
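The SQL injection and cross-site scripting cases above, as an added example that is not part of the original post. It uses an in-memory SQLite table with constructed sample users, and shows the string-concatenated query beside its parameterized form and unescaped output beside HTML-escaped output; the function names and data are this example's own.

```python
# Added example (not from the original post): the two input-validation attacks
# described above, shown in Python against an in-memory SQLite database.
import html
import sqlite3


def _demo_db():
    # Constructed sample data: a tiny users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # The flaw the post describes: user input is concatenated into the SQL
    # string, so the input can change the meaning of the query.
    query = (
        "SELECT username, role FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    # Hardened form: placeholders keep the input as data, never as SQL syntax,
    # so the same input simply fails to match any row.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def render_greeting_vulnerable(display_name):
    # Unescaped output: a name containing markup becomes markup in the page.
    return "<p>Welcome, %s</p>" % display_name


def render_greeting(display_name):
    # Output encoding for the cross-site scripting case: characters that have
    # meaning in HTML are escaped before the value is placed in the page.
    return "<p>Welcome, %s</p>" % html.escape(display_name, quote=True)


if __name__ == "__main__":
    conn = _demo_db()
    tautology = "' OR '1'='1"            # classic textbook injection string
    print(login_vulnerable(conn, tautology, tautology))     # every row
    print(login_parameterized(conn, tautology, tautology))  # no rows
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting("<script>alert(1)</script>"))
```

The parameterized query is the fix for the database side; the escaped rendering is the fix for the browser side. Both are needed, because the two attacks enter through the same input fields but are exploited at different layers.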

Protect the Infrastructure and Users

Total security requires protection of all aspects of an application’s infrastructure, including operating systems, databases, as well as the application itself. Unfortunately, security requirements are often not comprehensively defined. For instance, some organizations implement one firewall and a few intrusion detection devices on their network and think they are safe. That is about as far from the truth as one can get. Each individual machine, every email, and any other piece of the application infrastructure needs to have some kind of security measures assigned to it. Also, one of the most important yet often the most overlooked item is the human factor. An organization’s users must be educated to be security-aware each and every day. Users need to understand how important their knowledge is to the organization.

Deploy Web Application Firewalls

As previously stated, many organizations feel secure after implementing a few intrusion detection systems throughout their network. A network IDS solution is very limited in the protection it can offer, which is basically inspecting IP packets for proper configuration and validating that the headers contain the appropriate information. These devices are incapable of analyzing the HTML data payload, and it is this capability that would be necessary to effectively defend web applications from being compromised. To properly secure a web-based application an organization should implement what are known as web application firewalls. Unlike IDS systems, which work at the network layer, web firewalls operate at the application layer. These firewalls have the ability to take apart the HTML data payload and inspect the actual HTTP communication involving client requests and application responses. This protects the actual web application from falling victim to things like malicious scripts being embedded within the HTML code, something that a network-layer IDS or firewall has no prayer of detecting.
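To show what "inspecting the payload" means in practice, here is an added example that is not part of the original post: a small application-layer inspector that parses a raw HTTP request, URL-decodes the query string and form body, and checks the decoded parameter values against a few signatures. The request strings, parameter names and signature list are constructed for this example; a packet-level view would see only percent-encoded bytes, which is why the decoding step matters.

```python
# Added example (not from the original post): application-layer request
# inspection of the kind a web application firewall performs.
import re
from urllib.parse import parse_qs, urlsplit

# Constructed signature set; a real product carries far more and tunes them.
SUSPICIOUS = {
    "html_script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "sql_tautology": re.compile(r"'\s*or\s+'[^']*'\s*=\s*'", re.IGNORECASE),
    "sql_comment": re.compile(r"(--|/\*)"),
}


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_parameters(method, target, headers, body):
    """Collect decoded parameters from the query string and a form-encoded body."""
    params = {}
    for key, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    content_type = headers.get("content-type", "")
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params


def inspect_request(raw):
    """Return (parameter, signature) pairs for every decoded value that matches."""
    method, target, headers, body = parse_http_request(raw)
    findings = []
    for name, values in extract_parameters(method, target, headers, body).items():
        for value in values:
            for label, pattern in SUSPICIOUS.items():
                if pattern.search(value):
                    findings.append((name, label))
    return findings


# Constructed sample requests (no real host).
SAMPLE_POST = (
    "POST /search HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 48\r\n"
    "\r\n"
    "q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&page=1"
)
SAMPLE_GET_SQLI = (
    "GET /item?id=1'%20OR%20'1'%3D'1 HTTP/1.1\r\n"
    "Host: shop.example\r\n\r\n"
)
SAMPLE_BENIGN = (
    "GET /search?q=red+shoes&page=2 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: constructed-sample\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("post", SAMPLE_POST), ("get", SAMPLE_GET_SQLI), ("benign", SAMPLE_BENIGN)):
        print(label, inspect_request(raw))
```

Signature matching on decoded values is only the first layer of what a web application firewall does (real products also normalize encodings such as double URL-encoding and UTF-8 variants, track sessions, and learn the application's expected parameters), but it already catches what the packet headers alone never could.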

Protect the SSL

It is ironic that, considering its secure and protective intentions, the Secure Sockets Layer (SSL) has become a tool for crackers to avoid detection. SSL is the ubiquitous security mechanism for e-Commerce web sites, and its widespread use and acceptance only complicates the security issue even more. These days the most novice cracker has the ability to establish an SSL session with a web application, and this secure session provides the cracker a tunnel through which to launch attacks against the application. These attacks will not only go completely unnoticed, but since the traffic is encrypted, the malicious SSL traffic will be forwarded by firewalls and IDS systems with no questions asked. Analyzing SSL traffic for security purposes is only possible if the data is decrypted.

Hide the Application’s Information

Many malicious attacks are customized to exploit known security vulnerabilities in operating systems and applications. An attacker’s life is made much easier if it is possible to gather information about an organization’s application infrastructure prior to launching the attack. This allows the attacker to target specific assets of the organization, which keeps the footprint of the attack as small as possible, thereby reducing the chances of the attack being detected.

There are steps that can be taken to minimize or “hide” a web application’s information. The more pieces of the puzzle that remain a mystery to the cracker the better: 

  • Remove as many server response headers as possible. This will make it more difficult to determine the type of web server being used.
  • Encrypt as much information as possible, for example cookies and URLs.
  • Remove HTML comments. I know, I know, this goes completely against what developers have always been told – to document as much as possible. However, many comments in application code can be dead giveaways about the application, and even worse, may contain sensitive information such as database connection details. Keep comments to a minimum within the HTML, and keep the details in a separate document.
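The first and third items in the list above, as an added example that is not part of the original post: one function drops the response headers that identify the server product, one strips HTML comments from a page, and one flags comments that look like they carry connection details. The header list, the leak keywords and the sample page are constructed for this example.

```python
# Added example (not from the original post): reduce what a web application
# reveals about itself in its response headers and HTML comments.
import re

# Constructed list of headers that fingerprint the server or framework.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)

# Constructed keyword list for spotting comments that leak configuration.
LEAK_HINT = re.compile(r"(password|pwd=|connection string|server=|user id=)", re.IGNORECASE)


def strip_fingerprint_headers(headers):
    """Return a copy of the response headers without the product-identifying ones."""
    return {name: value for name, value in headers.items()
            if name.lower() not in FINGERPRINT_HEADERS}


def strip_html_comments(body):
    """Remove every HTML comment from a page body."""
    return HTML_COMMENT.sub("", body)


def find_comment_leaks(body):
    """Return the comments whose text suggests connection details or credentials."""
    return [match.group(0).strip() for match in HTML_COMMENT.finditer(body)
            if LEAK_HINT.search(match.group(0))]


# Constructed sample page with a careless developer comment (placeholder values).
SAMPLE_BODY = (
    "<html><head><title>Orders</title></head>\n"
    "<!-- TODO move to config: Server=db01;User Id=app;Password=PLACEHOLDER -->\n"
    "<body><!-- nav start --><div id=\"nav\">menu</div><!-- nav end -->\n"
    "<p>Order list</p></body></html>\n"
)

if __name__ == "__main__":
    sample_headers = {"Server": "Apache/2.2", "Content-Type": "text/html", "X-Powered-By": "PHP/5.2"}
    print(strip_fingerprint_headers(sample_headers))
    for leak in find_comment_leaks(SAMPLE_BODY):
        print("leaking comment:", leak)
    print(strip_html_comments(SAMPLE_BODY))
```

Run the comment stripper at build or template time rather than blindly on live responses: a regex cannot tell a real comment from `<!--` inside a script string, and pages that rely on Internet Explorer conditional comments (`<!--[if IE]>`) would break. The leak finder is the safer thing to run against a deployed site, since it only reports.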

These are just some of a number of things administrators, developers, and end-users can do to protect their organization’s data. E-Commerce applications and web services are becoming increasingly complex, and organizations are becoming so dependent on the technologies that a single failure within the infrastructure could spell disaster. It is essential for companies to remain informed of the latest threats and security solutions, and they should be willing to make the necessary investments to implement a comprehensive, multi-layered, security solution.

Posted in Security

DNS Poisoning

Posted by decipherinfosys on January 19, 2007

What is DNS Poisoning? 

DNS poisoning, also known as DNS cache poisoning, is when a DNS server receives false update information the server believes to be correct. The server or cache is altered so that hostnames resolve to an incorrect IP address.

The end result of this poisoning is that a browser’s requests for a legitimate website are redirected to one or many malicious websites. These fake websites often ‘spoof’ the original site in look and feel, which causes the user to believe they are on the legitimate webpage. Unfortunately, the user has actually been redirected to a site whose only purpose is to cause problems, either by uploading spyware to the user’s machine, or by collecting personal information that the user enters on the fake website. For example, if a user performs online banking, and is redirected to a malicious site that looks like the login page of the actual bank, the user will naturally try to log in. These keystrokes are recorded on the other end, and the hackers running the malicious website instantly have someone’s username and password to secure financial information.

Preventing DNS Poisoning 

Windows 2000 SP3 and higher, as well as Windows 2003 have measures built in to prevent poisoning.

On Windows servers running DNS you can verify that DNS poisoning protection is enabled from the DNS console. After opening the console select a server from the list. Right-click on it, select Properties, Advanced tab, and make sure that the “Secure Cache Against Pollution” check box is selected. This DNS cache protection is enabled by default. With this feature enabled, the DNS server validates that the DNS responses it receives were from valid sources.

Another way to verify your Windows server is protected against poisoning is to look at the registry in the following location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

The value name is ‘SecureResponses’. On the more recent versions of Windows mentioned above, this value should not even exist. It can either be deleted, or its data can be set to 1. Windows servers prior to 2000 SP3 need to have this value, and its data should be set to 1 as well.

Note: Please remember to always back up your registry before making any changes!
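Both this post and the April 2007 post on advisory 935964 point at the same registry key, so here is one added example (not from either post) that audits both settings at once: ‘SecureResponses’ as described above (absent or 1 means the cache is protected; 0 means it is not), and the remote-RPC-management workaround from the first post. That post does not name the DWORD it creates; the name used here, ‘RpcProtocol’ with data 4, is taken from the Microsoft advisory the post links to, not from the post itself. The assessment is a pure function on a dictionary of values, so it can be run against values copied from any server; the live read uses Python’s standard `winreg` module and only works on a Windows host.

```python
# Added example (not from the original posts): audit the two DNS server DWORD
# values discussed on this page under the Parameters key.
DNS_PARAMETERS_KEY = r"System\CurrentControlSet\Services\DNS\Parameters"


def assess_dns_parameters(values):
    """Evaluate a dict of value-name -> DWORD data (missing names simply absent).

    Returns {value_name: (status, explanation)}.
    """
    result = {}

    # SecureResponses: per the post, on Windows 2000 SP3+ and 2003 the value
    # should be absent or 1; 0 disables "Secure Cache Against Pollution".
    # (Servers older than 2000 SP3 need the value present and set to 1.)
    secure = values.get("SecureResponses")
    if secure is None or secure == 1:
        result["SecureResponses"] = ("ok", "absent or 1: cache protected against pollution")
    else:
        result["SecureResponses"] = ("weak", "data %r: secure cache against pollution is off" % secure)

    # RpcProtocol: name and data 4 taken from Microsoft advisory 935964 (the
    # workaround that disables DNS remote management over RPC); any other
    # state leaves the RPC management interface reachable.
    rpc = values.get("RpcProtocol")
    if rpc == 4:
        result["RpcProtocol"] = ("ok", "4: remote management over RPC disabled")
    else:
        shown = "absent" if rpc is None else repr(rpc)
        result["RpcProtocol"] = ("exposed", "%s: DNS RPC management interface reachable" % shown)
    return result


def read_dns_parameters(names=("SecureResponses", "RpcProtocol")):
    """Read the named DWORDs from the live registry (Windows DNS servers only)."""
    import winreg  # standard library, present only on Windows builds of Python
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DNS_PARAMETERS_KEY) as key:
        for name in names:
            try:
                data, _kind = winreg.QueryValueEx(key, name)
                values[name] = data
            except FileNotFoundError:
                pass  # value not present; assess_dns_parameters handles absence
    return values


if __name__ == "__main__":
    try:
        live = read_dns_parameters()
    except (ImportError, OSError):
        # Not a Windows DNS server: fall back to a constructed sample.
        live = {"SecureResponses": 0}
    for name, (status, detail) in assess_dns_parameters(live).items():
        print("%-16s %-8s %s" % (name, status, detail))
```

Back up the key before changing anything, as the post says; this script only reads.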

Another preventive measure includes DNSSEC, which is a secure version of DNS that uses digital signatures signed with a trusted certificate to verify the authenticity of DNS data. DNSSEC is rarely used, so the majority of DNS records are not secured against spoofing.

Using the secure version of HTTP, HTTPS, can also be leveraged to mitigate the risk of web browsers reaching spoofed websites. HTTPS allows users to check whether or not the web server’s certificate is valid and belongs to the website’s true owner.

Finally, and most importantly, the best method to ensure that your servers and workstations are protected from malicious attacks, such as DNS poisoning, is to keep them up to date with the latest patches and hotfixes.

Posted in Security