
NT Security and integrity

#1 munna (Thread Starter), 07 March 2002, 02:48 PM

Does anybody know the name of some software that can stop people on the network using key loggers and other hacking tools?
It is to be used on NT Server 4.0.

I run a network full of little kids (the eldest being 18-year-olds!!.. female and male!!)...

#2 Jeff Wiltshire, 07 March 2002, 02:55 PM

[Edited by Jeff Wiltshire - 3/7/2002 8:54:43 PM]

#3 ChristianR, 07 March 2002, 02:56 PM

We use a product called Ranger.

#4 stevem2k, 07 March 2002, 03:15 PM

This works

http://www.heavyhitter.com/osb/itemdetails.cfm/id/2



SteveM

#5 Jeff Wiltshire, 07 March 2002, 03:18 PM

If only....

#6 munna (Thread Starter), 07 March 2002, 03:50 PM

Jeff... will e-mail you tomorrow.

I have something called LANfile check.

I will see if it works.

#7 JackClark, 07 March 2002, 07:45 PM

Not much defence against a hardware keystroke logger. If I can access the keyboard port on your machine I can get your password.

#8 David_Wallis, 07 March 2002, 09:31 PM

Use strong encryption on the SAM for a start... run the utility mshfnetchk.exe and ensure that you are hotfixed properly... remove applications from the DCs that don't need to be there... IIS...
Don't bother securing floppy drives... remove them... Remove the COM ports... or disable them in the BIOS, as you can get in via them.. Run the Network Monitor agent only where absolutely necessary.

I had the following info on L0phtCrack... (ensure you are on SP4>) I would hope you are, otherwise it's pointless anyway... Be careful if you use Windows 95 / 98 clients.

L0phtCrack has a built-in SMB session network sniffer. The sniffer allows an individual to collect LANMAN challenge/response pairs without needing administrator rights.

Windows NT supports two types of challenge/response authentications, LanManager (LM) challenge/response, and Windows NT challenge/response. LM is the weaker of the two challenge/response methods.

Apply a registry parameter to the following registry key which must be configured on both the Windows NT server and workstation:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
Value: LMCompatibilityLevel
Value Type: REG_DWORD
Valid Range: 0,1,2

Default: 0

The valid range parameters specify the type of authentication to be used as follows:

Level 0 Send LanManager and Windows NT authentication (default).

Level 1 Send Windows NT authentication and LM authentication only if the server requests it.

Level 2 Never send LM authentication.
If the range on Windows NT is level 2, the NT client cannot connect to servers that support only LanManager authentication, such as Windows 95 and Windows for Workgroups. NOTE: If the last password change came from a Windows for Workgroups or MS-DOS LanManager 2.x or earlier client, the data needed for Windows NT authentication will not be available on the domain controller. Therefore, a client selecting level 2 will not be able to connect to Windows NT-based servers.

also Pagefile.sys

Windows NT uses PAGEFILE.SYS when swapping pages of memory to disk. This file contains clear text data from applications and system processes. When Windows NT is operating, PAGEFILE.SYS is opened only by Windows NT. However, when Windows NT is powered off, the system can be booted by another operating system (in a dual-boot environment), by a bootable floppy diskette, or even from a multiple-boot hard disk partition. This is a concern as utilities such as NTFSDOS are available that allow an individual to read or download information found on an NTFS partition, including PAGEFILE.SYS. Also, in an environment running under Novell NetWare this problem is of even greater concern. NetWare writes user names and passwords to this file in plain text.

Windows NT can be instructed to fill all inactive memory pages in the page file with zeros. No data will be left in the file when it is no longer in use by Windows NT. The memory pages that are active by Windows NT (may be used by the system) processes will not be overwritten. Note that this method will only work if the Windows NT system was shut down properly. Also, ensure your server is properly physically secure. The key is as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\MemoryManagement
Value: ClearPageFileAtShutdown
Type: REG_DWORD
Data: 1 (0 to disable)

And there's more...

David
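
Added example, not part of the thread or any poster's code: a small Python audit that reads a regedit export (REGEDIT4 text format) and reports whether the two values described in post #8 are set. The function names, the sample export, and the choice of level 2 as the target are assumptions for illustration; the post writes the second key without spaces, while a real export prints it as `Session Manager\Memory Management`, so keys are compared with spaces removed.

```python
import re
# Targets taken from the post. Keys are compared case-insensitively with spaces
# removed: a real export prints "Session Manager\Memory Management".
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "LMCompatibilityLevel", 2, "LM responses can still be sent"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\MemoryManagement",
     "ClearPageFileAtShutdown", 1, "pagefile is not zeroed at shutdown"),
]

def norm(s):
    return s.replace(" ", "").lower()

def parse_reg(text):
    """Parse REGEDIT4 export text into {(key, value_name): int} for DWORD values."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = norm(m.group(1))
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and key:
            values[(key, norm(m.group(1)))] = int(m.group(2), 16)
    return values

def audit(text):
    """Return findings; an empty list means both settings match the targets."""
    findings, values = [], parse_reg(text)
    for key, name, want, risk in CHECKS:
        got = values.get((norm(key), norm(name)))
        if got is None:  # value absent, so the default (0) applies
            findings.append(f"{name}: not set, {risk}")
        elif got != want:
            findings.append(f"{name}: {got}, expected {want}, {risk}")
    return findings

# Constructed sample export (not from a real machine).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"PagingFiles"=hex(7):43,3a,5c,00
'''
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Where Windows 95 or Windows for Workgroups machines still need to connect, level 2 will lock them out as the post notes, so change the target in `CHECKS` before using the audit there.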

#9 David_Wallis, 07 March 2002, 09:43 PM

I meant to also say don't underestimate little kids.. I was a bast@rd at 15... and could hack into school networks and did...

David

#10 Ga22ar, 08 March 2002, 06:36 AM

Simple,..

If they have physical access to the machine(s) you're f##cked..

No amount of auditing/monitoring/sniffers/IDS is going to safeguard any machine if it is within the public domain..

Your only hope is to somehow hide the system unit and practice good security rules - i.e. never log on interactively to these machines with an admin account, screw down the reg, prevent any caching of profiles or credentials etc etc..

There used to be a good joke that the only way NT could be C2 classified is if it was not connected to a network and it was switched off.... funny how humour reflects reality sometimes..

cheerio

#11 akshay67, 08 March 2002, 10:28 AM

First step is to harden these machines and set ACLs on critical files (e.g. cmd.exe). Hardening scripts are available from all over the net - I put my own one together as you don't want to compromise too much functionality.

Secondly, give these kids accounts with restricted access rights - i.e. they shouldn't really need to install software etc.

And remember... security is a process, so you may need to create an awareness plan - e.g. get these students to follow policies and any breach will lead to the cane or whatever.

#12 munna (Thread Starter), 08 March 2002, 03:03 PM

Wow... what a response... the last time security was breached was using a key logger!!.. that was before my time.
Mr Wallis, I was supposed to mail you today.. but got caught up in traffic!! (of the network kind!!)
Will be in contact on Monday..

Cheers chaps

#13 munna (Thread Starter), 08 March 2002, 03:06 PM

The servers are going to be in a secure room during the Easter hols.
At the moment they are sitting in a classroom!! (The most secure environment ever!)

I will start doing what has been said...

#14 akshay67, 08 March 2002, 03:44 PM

Are they accessible over a network?

'Cos someone may be able to access them remotely. If I were you, I'd take them off any link to external networks.

#15 ChristianR, 09 March 2002, 06:53 PM

As already mentioned, I would recommend a product called Ranger - very good and highly recommended.

#16 Ga22ar, 10 March 2002, 10:10 AM

Get hold of the NSA docs on System security, will indicate what is best practice and will also indicate what should be locked down by acl/reg/services etc etc..

Weighty reading but worth it..

cheerio

#17 munna (Thread Starter), 11 March 2002, 12:27 PM

ChristianR..where is this Ranger website?