Over numerous Windows configuration review engagements that we have performed for our clients, we observed a common pattern in the configuration weaknesses that are worth highlighting here.
The 5 common misconfigurations we observed are as follows:
- Insufficient Log sizes
- Unnecessary Services
- Weak Communication Settings (LANMAN)
- Weak Password Protection
- Weak TCP/IP Configuration
In the remaining of this post we further discuss each of the observed weaknesses.
Insufficient Log Sizes
Log sizes are normally left at the default size. Though this doesn’t pose a security risk to the server, the risk of this misconfiguration becomes apparent when a compromise occurs and incident response and forensics happens.
With default log sizes and logging configurations, potentially useful information could be missed or overwritten due to insufficient space, making it harder to determine the scale of compromise.
Unnecessary Services
Windows by default has services running that are not needed or relevant to the type of server that is being configured. A good example of this is the telephony or smart card services that most servers won’t need. Unnecessary services enabled increase the attack surface of the server. If there isn’t a known vulnerability in the service at the time of deployment, it doesn’t mean that one can’t be found. Also attackers can use the service for identification purposes. An example of this is the Shylock malware that installed if it found that the smartcard service was running.
Weak Communication Settings (LANMAN)
Settings that typically fall under this configuration issue can result in compromise due to man in the middle attacks or loose permissions. These settings typically include: servers and clients digitally signed communication, allowing anonymous users to enumerate SAM accounts and shares, and allowing anonymous access to shares and named pipes. If anyone can access the shares or named pipes there typically is information stored that can be useful to gain access to either that system or another system. These settings can be found in the Group Policy Object (GPO) in the following tree:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
An example of this is administrative scripts that are run on machines which include passwords to other machines or services on those machines.
Weak Password Protection
Settings such as “require domain controller to login” or “unlock workstations and cache passwords” when left as the insecure defaults open up the server or workstation to more avenues of attack. When these settings are left as default, a server that cannot contact the domain controller to verify the password of the user and it will then check its cache. If the password hash matches the hash of the cached password the user is allowed to access the server with the permissions that they had at the time of that cache. These settings can be found in the Group Policy Object (GPO) in the following tree:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
Weak TCP/IP Configuration
One of the settings seen commonly left as enabled is “MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes”. When enabled, this setting allows a remote device to update the default gateway of the host by sending an ICMP redirect message. This message can be easily forged with Scapy and trick the server into setting a malicious IP as the gateway to perform man in the middle attacks on IP addresses that are not in that subnet. These settings can be found in the Group Policy Object (GPO) in the following tree:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
The policy settings identified in this post represent areas that are commonly missed when hardening Windows servers, based on trends seen by Security Compass consultants. These settings may seem not as important as others such as the seDebugPrivilege or AutoPlay but they strength the system and aid in the protection of the system from some targeted attack vectors.
About The Guest Blogger:
Stephen Hallis a consultant at Security Compass with extensive knowledge in pen testing, vulnerability assessment and mobile application security. Stephen graduated with honors from a three year Computer Systems Technology with Co-op(CTYC) program receiving CCNA Security, CCNA, MCSA.