[Dshield] Windoze Questions...SAMBA + Windows AD Question

Al Reust areust at comcast.net
Wed Feb 25 04:42:38 GMT 2004


Hello Laurie

I saw this morning before taking the wife for surgery. She is fine and I 
have a bit of time to give some kind of "value" answer. Integrated

At 10:10 AM 2/24/2004 +1000, you wrote:
>Hello Al and List,
>
>----- Original Message -----
>From: "Al Reust" <areust at comcast.net>
>To: "General DShield Discussion List" <list at dshield.org>
>Sent: Friday, February 20, 2004 1:35 PM
>Subject: Re: [Dshield] Windoze Questions...SAMBA + Windows AD Question
>
>
> > Laurie and the list
> >

<Snipped>

>Earlier on last week I sent an email to the CBL Administration Manager
>stating that 'I cannot guarantee the security of the internal network while
>XP/2000 boxes are connected to the network, until a patch is released for
>the latest exploit'. I then removed server access to all Win 2000 boxes, but
>have been overruled on blocking network access for the one XP box (that has
>not been made available for maintenance for over 6 months despite numerous
>requests (another overrule)). I have also been overruled on shutting down
>the server and firewall during the day, disconnecting them from the network,
>and re-setting passwords in the safest environment, whenever I notice the
>Server HDD lights and the cable modem lights going crazy, with nobody
>accessing them. Last Friday I tried to access the Win2000 IDS box (after a
>safe reset of the Samba server root password, and safe password reset on the
>Win2000 box/IDS) but received the message 'The Administrator has blocked
>access to this computer'. I know that the person who uses the XP box is
>incapable of administering the network. I am now on a win 98 box with
>msasn1.dll removed.

Part One:

Now as you have led the horse to water, the job becomes to "make" it 
drink. CEOs, Presidents etc. need to see how it affects the Bottom Line! 
Your tact may not be fully understood. Thus you have to translate the co$t 
of five minutes of time.

One tack would be to print the Security Bulletin and take it with a printed 
copy of the problem (it is in black and white) that they need to resolve. 
The problem states there already is one exploit in the wild that can cause 
a Denial of Service, and explain that this means the person will be sitting 
there in the middle of Critical Correspondence/Business Proposal and 
his/her computer will reboot for no explained reason. As the File is "open" 
then there may be a chance that many hours of work will be lost, 
"unrecoverable." The reason it will be lost is because an individual 
decided that they are more important than spending the five minutes 
required to apply a patch that would prevent Lost Income. So someone really 
has to decide what is the value.

* Is the Individual that resists spending a few minutes to prevent disaster 
doing the company more harm or good?
* What happens when that critical file has a Price/Value attached with a 
value of say $500,000.00 anyone's dollars?
* What is then the value of five minutes of time to prevent the loss?
* Realistically, can the Business afford to lose that or any amount of 
money because of a person that refused to protect the Business?
* What is the true value of an employee that thinks more of themselves and 
being inconvenienced for a few minutes, than protecting the Business they 
work for?

Obviously they are Not a Team Player! Should they try another Team?

Simple "creative" math sez that if the lack of 5 minutes cost $500,000,000 
times 6 (to make a Full Hour) or the loss equals $3,000,000.00/hour. If the 
Machine is down! Then You continue to Lose Money! Who can afford to lose 3 
Million an hour?

It has been cited by many sources with varying Dollar values that Slammer, 
Blaster etc caused lost profits of 36+ Billion Dollars in 2003. Does the 
CBL Administration want to be included in the Lost Profits for 2004 with no 
recoup?

Obviously you need to tailor something like this to your particular 
"business model," realistically applying common sense and letting them know 
the Lo$t Dollar value of some moron (even the Boss) resisting what is 
important. Make the boss decide what the Dollar Value of the 5 minutes 
actually is. It can also be tailored to, if the XP box has to be rebuilt 
from the ground up, how many weeks will he pay that non-productive person to 
totally (if they can) recover what business was lost...  That is truly Lost 
Profit!

Part Two:

Depending on what you set in Local Policy for Accounts: the default "Account 
lockout duration." Unplug the network cable and wait. The default is 
roughly thirty "very long" minutes. While I am not too paranoid, I lock out 
after three failed attempts and, last but not least, the counter resets after 
five minutes.  What this means is that on the 4th failed attempt the 30 minute 
counter is in effect. If the person keeps banging at the administrator 
account the 30 minute timer is running, and after 5 more minutes if another 
attempt happens then the 30 minute counter is reset to count down again 
(starting at 30 minutes). Or, while the machine is under constant attack it 
will hold the administrator account locked; even though the cracker could 
hit the correct password, it will be ignored.

The problem lies in that as this is an IDS you have to put up with the 
"abuse" while ports 135 and 445 are open. The only good thing is that 
if it does lock you out, it also locks further attempts at brute forcing the 
Administrator password. Auditing will tell you so. Now as you stated below 
"everything is behind the firewall" and if 135~139 and 445 are blocked 
externally, then your break-in attempts are internal. Your discussion about 
apparent lack of concern made someone a little unhappy. You could have the 
"disgruntled employee."

For safety reasons, I have "my" working administrator account besides the 
original administrator account. That gives me two avenues to attempt to get 
back in before the timer runs down.

My policy is to go remove the "waving flag" {Built-in account for 
administering the computer/domain} and then rename the account (thus the 
SID is preserved). Because this is not a public box, I add about 30+ extra 
users with the same naming convention as my normal users. For example, 
from my batch file:

net user ArtouroS C$#r3Bne69 /add
net user AtremusB D7932@rd68 /add
net user ArthurB  Eb3eRe3r6 /add
etc...

It also adds complexity, that should someone break a password, they will be 
prompted to change it on logging in for the first time. Because they have never 
logged in it would be a tattletale to see one of those user names in 
"Documents and Settings" as the profile is created. But they are only 
"Users." No I did not force NTLM V2 by making it 14+ characters. So yes it 
is vulnerable to LMHash V1. I would love to see what dictionary they use 
to crack those passwords. LOL.
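An added example, not Al's batch file and not anything from the list: the Part Two steps (lockout policy, renaming the built-in administrator, decoy accounts) as one PowerShell script for current Windows, plus the check Al relies on (a profile folder for a decoy, and lockout events in the audit log). It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), an elevated prompt, and a stand-alone (non-domain) box; the admin name 'ArtemisW' and the decoy list are made-up values, the decoy names just reuse Al's three.

```powershell
#Requires -RunAsAdministrator
# Added example (not Al's batch file). Current Windows, LocalAccounts module,
# run elevated on a stand-alone box. $adminName and $decoys are made-up values.

# --- 1. Lockout policy: the values Al describes ------------------------------
# 3 bad attempts lock the account, the lock lasts 30 minutes, and the
# bad-attempt counter resets 5 minutes after the last failure.
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:5 | Out-Null

# --- 2. Rename the built-in Administrator (the SID is preserved) -------------
# Find it by its well-known RID 500 rather than by name, so the step is safe
# to re-run after a rename. The description is the "waving flag".
$adminName    = 'ArtemisW'
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtinAdmin.Name -ne $adminName) {
    Rename-LocalUser -Name $builtinAdmin.Name -NewName $adminName
}
Set-LocalUser -Name $adminName -Description 'Local user'

# --- 3. Decoy accounts named like real users ----------------------------------
function New-RandomPassword {
    param([int]$Length = 20)
    # 15 or more characters: Windows stores no LM hash for such a password,
    # so the LM weakness Al mentions does not apply to the decoys.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)   # rejection sampling: no modulo bias
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

$decoys = @('ArtouroS', 'AtremusB', 'ArthurB')
foreach ($name in $decoys) {
    if (Get-LocalUser -Name $name -ErrorAction SilentlyContinue) { continue }
    $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    New-LocalUser -Name $name -Password $secret -Description 'Local user' | Out-Null
    # S-1-5-32-545 is BUILTIN\Users: plain "Users", nothing more.
    Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $name
    # Nobody legitimate ever logs on as a decoy, so force a password change at
    # first logon: a cracked password cannot be used quietly.
    net user $name /logonpasswordchg:yes | Out-Null
}

# --- 4. The tattletale check --------------------------------------------------
function Test-DecoyActivity {
    param([string[]]$Names, [int]$Days = 7)
    foreach ($n in $Names) {
        # A profile folder only appears after a successful interactive logon
        # (C:\Users today; "Documents and Settings" on 2000/XP).
        $profilePath = Join-Path $env:SystemDrive "Users\$n"
        if (Test-Path $profilePath) {
            Write-Warning "decoy $n has a profile at $profilePath - someone logged on as it"
        }
        $u = Get-LocalUser -Name $n -ErrorAction SilentlyContinue
        if ($u -and $u.LastLogon) { Write-Warning "decoy $n last logged on $($u.LastLogon)" }
    }
    # Security log: 4740 = account locked out, 4625 = failed logon on current
    # Windows (644 and 529 on Windows 2000). Logon auditing must be enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4625;
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Event'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}

Test-DecoyActivity -Names $decoys
```

The decoy passwords are generated and thrown away on purpose: nobody should ever log on with them, so a profile folder, a LastLogon value, or a 4740 against one of those names is exactly the tattletale Al describes, and the lockout policy means a guesser is frozen out for 30 minutes at a time while that evidence accumulates in the Security log.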


> >
> > >All machines are patched/updated daily/as required, but it looks like the
> > >main target was the firewall console.
> >
> > Stupid question, is the Win2K Pro in a "DMZ" or the "Internal" network?
> > What you have stated is that it is visible to the outside world, thus
> > attacked. That would also bring up questions about how much more is
>visible
>  <snipped>



>Everything is on an internal network, separated from the firewall by a high
>speed switch, which is then connected to several hubs then the PC's, nothing
>is outside the firewall boundary.
>
>  <snipped>
>Regards,
>
>Laurie
>