
    [bash]$ grep -i test /tmp/zone_out | wc -l
    96

So we have approximately 96 entries in the zone file that contain the word "test." This should equate to a fair number of actual test systems. These are just a few simple examples. Most intruders will slice and dice this data to zero in on specific system types with known vulnerabilities. There are a few points that you should keep in mind. The aforementioned method only queries one name server at a time. This means that you would have to perform the same tasks for all name servers that are authoritative for the target domain. In addition, we only queried the Acme.net domain. If there were subdomains, we would have to perform the same type of query for each subdomain (for example, greenhouse.Acme.net). Finally, you may receive a message stating that you can't list the domain or that the query was refused. This usually indicates that the server has been configured to disallow zone transfers from unauthorized users, so you will not be able to perform a zone transfer from this server. However, if there are multiple DNS servers, you may be able to find one that still allows zone transfers; a secondary that has been overlooked is a common find.

Chapter 1: Footprinting

Now that we have shown you the manual method, there are plenty of tools that speed the process, including host, Sam Spade, axfr, and dig. The host command comes with many flavors of UNIX. Some simple ways of using host are as follows:

    host -l Acme.net

or

    host -l -v -t any Acme.net
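Slicing and dicing the zone data is usually done with grep, cut and awk, but the same filtering is easy to script. The block below is an added example (not code from the book or from the host tool): it parses the "<name> has address <ip>" lines that host -l prints, pulls out just the addresses, filters hostnames by a keyword such as "test", and groups the hits by /24 so that the subnets holding the interesting systems stand out. The sample output, the acme.net names and the addresses in it are constructed for the demonstration.

```python
"""Slice and dice zone-transfer output offline.

Added example, not from the original text. It parses the
"<name> has address <ip>" lines that `host -l <domain>` prints, lets
you pull out just the IPs, filter hosts by a keyword such as "test",
and group matches by /24. SAMPLE_ZONE_OUTPUT is constructed sample
data; acme.net and its addresses are assumptions, not real hosts.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `host -l acme.net` output (assumption, not real data).
SAMPLE_ZONE_OUTPUT = """\
acme.net name server ns1.acme.net.
acme.net name server ns2.acme.net.
www.acme.net has address 192.168.1.10
mail.acme.net has address 192.168.1.25
test-web1.acme.net has address 192.168.1.50
TESTDB.acme.net has address 192.168.2.15
ns1.acme.net has address 192.168.1.2
ns2.acme.net has address 10.1.1.2
ipv6host.acme.net has IPv6 address 2001:db8::1
"""

# One "<name> has address <ipv4>" line per A record; AAAA lines do not match.
_A_RECORD = re.compile(r"^(?P<name>\S+) has address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_a_records(text):
    """Return (hostname, ip) tuples for every A record line, names lower-cased."""
    records = []
    for line in text.splitlines():
        m = _A_RECORD.match(line.strip())
        if m:
            records.append((m.group("name").rstrip(".").lower(), m.group("ip")))
    return records


def hosts_matching(records, keyword):
    """Case-insensitive substring filter on the hostname, like `grep -i`."""
    kw = keyword.lower()
    return [(name, ip) for name, ip in records if kw in name]


def addresses(records):
    """Just the IPs, deduplicated and in input order, ready for a shell script."""
    seen = []
    for _, ip in records:
        if ip not in seen:
            seen.append(ip)
    return seen


def group_by_subnet(records, prefixlen=24):
    """Map each /prefixlen network to the hostnames that live in it."""
    groups = defaultdict(list)
    for name, ip in records:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(name)
    return dict(groups)


if __name__ == "__main__":
    recs = parse_a_records(SAMPLE_ZONE_OUTPUT)
    print(f"{len(recs)} A records, {len(addresses(recs))} distinct addresses")
    for name, ip in hosts_matching(recs, "test"):
        print(f"test host: {name} -> {ip}")
    for net, names in sorted(group_by_subnet(recs).items()):
        print(f"{net}: {', '.join(names)}")
```

Feed it the saved output of host -l for each authoritative server and each subdomain, then run the same filters over the combined list; the subnet grouping is what tells you which ranges are worth sweeping first.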

If you need just the IP addresses to feed into a shell script, you can cut them out of the host output:

    host -l acme.net | cut -f 4 -d " "

enum's switches include:

    -S: get sharelist
    -P: get password policy information
    -G: get group and member list
    -L: get LSA policy information
    -D: dictionary crack, needs -u and -f
    -d: be detailed, applies to -U and -S
    -c: don't cancel sessions
    -u: specify username to use (default "")
    -p: specify password to use (default "")
    -f: specify dictfile to use (wants -D)

Enum even automates the setup and teardown of null sessions. Of particular note is the password policy enumeration switch, -P, which tells remote attackers whether they can remotely guess user account passwords (using -D, -u, and -f) until they find a weak one. We'll talk some more about enum in the next section on enumerating NT/2000 user accounts.

Chapter 3: Enumeration

NetBIOS Enumeration Countermeasures

Nearly all of the preceding techniques operate over the NetBIOS transports discussed so frequently by this point, so by denying access to TCP and UDP 135 through 139, none of these activities will be successful. The best way to do this is by blocking access to these ports using a router, firewall, or other network gatekeeper. For stand-alone hosts, we discussed how to disable NetBIOS over TCP/IP in the previous section on null sessions, where we also described configuring the RestrictAnonymous Registry key. This will prevent sensitive information from being downloaded over an anonymous connection. RestrictAnonymous will not block net view and nbtstat queries, however. Also, remember that Windows 2000 provides some of this information over SMB on TCP/UDP 445 (without NetBIOS), so that port should be blocked as well.

NT/2000 SNMP Enumeration (Popularity: 8, Simplicity: 9, Impact: 5, Risk Rating: 7.3)

Even if you have tightly secured access to NetBIOS services, your NT/2000 systems may still cough up similar information if they are running the Simple Network Management Protocol (SNMP) agent accessible via default community strings like "public." Enumerating NT users via SNMP is a cakewalk using the NTRK snmputil SNMP browser:

    C:\>snmputil walk 192.168.202.33 public .1.3.6.1.4.1.77.1.2.25
    Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
    Value = OCTET STRING - Guest
    Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114
    Value = OCTET STRING - Administrator
    End of MIB subtree.

Hacking Exposed: Network Security Secrets and Solutions

The last variable in the preceding snmputil syntax, ".1.3.6.1.4.1.77.1.2.25", is the object identifier (OID) that specifies a specific branch of the Microsoft enterprise Management Information Base (MIB), as defined in the SNMP protocol. The MIB is a hierarchical namespace, so walking "up" the tree (that is, using a less-specific number like .1.3.6.1.4.1.77) will dump larger and larger amounts of info. Remembering all those numbers is clunky, so an intruder will use the text string equivalent. The following table lists some segments of the MIB that yield the juicy stuff:

    SNMP MIB (append to .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2)   Enumerated Information
    .server.svSvcTable.svSvcEntry.svSvcName                                             Running services
    .server.svShareTable.svShareEntry.svShareName                                       Share names
    .server.svShareTable.svShareEntry.svSharePath                                       Share paths
    .server.svShareTable.svShareEntry.svShareComment                                    Comments on shares
    .server.svUserTable.svUserEntry.svUserName                                          Usernames
    .domain.domPrimaryDomain                                                            Domain name

Of course, to avoid all this typing, you could just download the excellent graphical SNMP browser called IP Network Browser from http://www.solarwinds.net and see all this information displayed in living color. Figure 3-3 shows IP Network Browser examining a network for SNMP-aware systems.
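One detail the snmputil output shows but does not explain: each svUserName instance is indexed by the user name itself, encoded in the OID as a length followed by one sub-identifier per ASCII byte, so ".5.71.117.101.115.116" is "Guest". The block below is an added example (not code from the book, snmputil or any MIB browser) that decodes and encodes those indices, builds the full instance OID for a row, and parses raw snmputil walk output into names. The numeric column OIDs in COLUMNS are my recollection of the LanMan MIB (lmmib2.mib) and should be checked against the MIB file; the only number taken from the page is the svUserTable prefix .1.3.6.1.4.1.77.1.2.25. The sample walk text is the page's output reflowed.

```python
"""Decode the string indices snmputil shows in LanMan MIB walks.

Added example, not from the original text. LanMan tables keyed by a
name encode that name in the instance OID as <length>.<byte>.<byte>...
The numeric column OIDs below are an assumption recalled from
lmmib2.mib (only .1.3.6.1.4.1.77.1.2.25, svUserTable, appears on the
page); verify them against the MIB before relying on them.
"""
import re

LANMAN = ".1.3.6.1.4.1.77.1"   # enterprises.lanmanager.lanmgr-2 (from the page)

# Symbolic names from the table above -> numeric column OIDs (assumed, see note).
COLUMNS = {
    "server.svSvcTable.svSvcEntry.svSvcName":          LANMAN + ".2.3.1.1",
    "server.svShareTable.svShareEntry.svShareName":    LANMAN + ".2.27.1.1",
    "server.svShareTable.svShareEntry.svSharePath":    LANMAN + ".2.27.1.2",
    "server.svShareTable.svShareEntry.svShareComment": LANMAN + ".2.27.1.3",
    "server.svUserTable.svUserEntry.svUserName":       LANMAN + ".2.25.1.1",
    "domain.domPrimaryDomain":                         LANMAN + ".4.1",
}

# snmputil output from the page, reflowed (used as sample input here).
SAMPLE_WALK = """\
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.5.71.117.101.115.116
Value = OCTET STRING - Guest
Variable = .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserTable.svUserEntry.svUserName.13.65.100.109.105.110.105.115.116.114.97.116.111.114
Value = OCTET STRING - Administrator
End of MIB subtree.
"""


def decode_string_index(suffix):
    """Turn "5.71.117.101.115.116" into "Guest"; reject a length mismatch."""
    parts = [int(p) for p in suffix.strip(".").split(".")]
    length, codes = parts[0], parts[1:]
    if length != len(codes):
        raise ValueError(f"index says {length} bytes but {len(codes)} sub-identifiers follow")
    return bytes(codes).decode("ascii")


def encode_string_index(text):
    """Inverse of decode_string_index: the suffix snmputil would print for a name."""
    data = text.encode("ascii")
    return ".".join(str(b) for b in (len(data), *data))


def instance_oid(column, name):
    """Full numeric OID of one cell, e.g. svUserName for the user "Guest"."""
    return COLUMNS[column] + "." + encode_string_index(name)


# "Variable = <textual oid>.<column>.<len>.<bytes...>"; the column must start with a letter.
_WALK_LINE = re.compile(r"Variable = \S*?\.(?P<col>[A-Za-z]\w*)\.(?P<idx>\d+(?:\.\d+)*)\s*$")


def parse_snmputil_walk(text):
    """Extract (column, decoded index) pairs from snmputil walk output."""
    rows = []
    for line in text.splitlines():
        m = _WALK_LINE.search(line)
        if m:
            rows.append((m.group("col"), decode_string_index(m.group("idx"))))
    return rows


if __name__ == "__main__":
    for col, name in parse_snmputil_walk(SAMPLE_WALK):
        print(f"{col}: {name}  ({instance_oid('server.svUserTable.svUserEntry.svUserName', name)})")
```

The decoder is handy beyond user names: share and service tables use the same index encoding, so the walk of any column in COLUMNS gives you the row keys even when the agent returns only the instance OIDs.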

NT/2000 SNMP Enumeration Countermeasures

The simplest way to prevent such activity is to remove the SNMP agent or to turn off the SNMP service in the Services Control Panel. If shutting off SNMP is not an option, at least ensure that it is properly configured with non-default community names (not "public"), and edit the Registry to permit only approved hosts to use the SNMP community name and to prevent NetBIOS (LanMan MIB) information from being sent. First, open regedt32 and go to HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities. Choose Security

    fping -a
    192.168.1.254 is alive
    192.168.1.227 is alive
    192.168.1.224 is alive
    ...
    192.168.1.3 is alive
    192.168.1.2 is alive
    192.168.1.1 is alive
    192.168.1.190 is alive


The -a option of fping will simply show systems that are alive. We can also combine it with the -d option to resolve hostnames if we choose. We prefer to use the -a option with shell scripts and the -d option when we are interested in targeting systems that have unique hostnames. Other options like -f, read from a file, may interest you when scripting ping sweeps. Type fping -h for a full listing of available options. Another utility that is highlighted throughout this book is nmap from Fyodor (www.insecure.org/nmap). While this utility is discussed in much more detail later in this chapter, it is worth noting that it does offer ping sweep capabilities with the -sP option.

    [tsunami] nmap -sP 192.168.1.0/24
    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Host (192.168.1.0) seems to be a subnet broadcast address (returned 3 extra pings).
    Host (192.168.1.1) appears to be up.
    Host (192.168.1.10) appears to be up.
    Host (192.168.1.11) appears to be up.
    Host (192.168.1.15) appears to be up.
    Host (192.168.1.20) appears to be up.
    Host (192.168.1.50) appears to be up.
    Host (192.168.1.101) appears to be up.
    Host (192.168.1.102) appears to be up.
    Host (192.168.1.255) seems to be a subnet broadcast address (returned 3 extra pings).
    Nmap run completed -- 256 IP addresses (10 hosts up) scanned in 21 seconds

For the Windows inclined, we have found that the freeware product Pinger (see Figure 2-1) from Rhino9 (http://www.nmrc.org/files/snt/) is one of the fastest ping sweep utilities available. Like fping, Pinger sends out multiple ICMP ECHO packets in parallel and simply waits and listens for responses. Also like fping, Pinger allows you to resolve hostnames and save the output to a file. Just as fast as Pinger is the commercial product Ping Sweep from SolarWinds (www.solarwinds.net). Ping Sweep can be blazingly fast because it allows you to specify the delay time between packets sent. By setting this value to 0 or 1, you can scan an entire Class C and resolve hostnames in less than 7 seconds. Be careful with these tools, however; you can easily saturate a slow link such as a 128K ISDN or Frame Relay link (not to mention satellite or IR links). Other Windows ping sweep utilities include WS_Ping ProPack (www.ipswitch.com) and NetScan Tools (www.nwpsw.com). These latter tools will suffice for a small network sweep; however, they are significantly slower than Pinger and Ping Sweep. Keep in mind that while these GUI-based tools provide eye-pleasing output, they limit your ability to script and automate ping sweeps.

Chapter 2: Scanning

Figure 2-1. Pinger from Rhino9 is one of the fastest ping sweep utilities available, and it's free

You may be wondering what happens if ICMP is blocked by the target site. Good question. It is not uncommon to come across a security-conscious site that has blocked ICMP at the border router or firewall. While ICMP may be blocked, there are some additional tools and techniques that can be used to determine if systems are actually alive; however, they are not as accurate or as efficient as a normal ping sweep. When ICMP traffic is blocked, port scanning is the first technique to determine live hosts (port scanning is discussed in great detail later in this chapter). By scanning for common ports on every potential IP address, we can determine which hosts are alive if we can identify open or listening ports on the target system. This technique is time-consuming and is not always conclusive. One tool used for this port scanning technique is nmap. As mentioned previously, nmap does provide the capability to perform ICMP sweeps. However, it offers a more advanced option called TCP ping scan. A TCP ping scan is initiated with the -PT option and a port number such as 80. We use 80 because it is a common port that sites will allow through their border routers to systems on their demilitarized zone (DMZ), or even better, through their main firewall(s). This option sends TCP ACK packets to the target network and waits for RST replies, which indicate that the host is alive. ACK packets are used because they are more likely to get through a non-stateful (packet-filtering) firewall than SYNs; a stateful firewall will drop an ACK that belongs to no connection it has seen.


    [tsunami] nmap -sP -PT80 192.168.1.0/24
    TCP probe port is 80
    Starting nmap V. 2.53
    Host (192.168.1.0) appears to be up.
    Host (192.168.1.1) appears to be up.
    Host shadow (192.168.1.10) appears to be up.
    Host (192.168.1.11) appears to be up.
    Host (192.168.1.15) appears to be up.
    Host (192.168.1.20) appears to be up.
    Host (192.168.1.50) appears to be up.
    Host (192.168.1.101) appears to be up.
    Host (192.168.1.102) appears to be up.
    Host (192.168.1.255) appears to be up.
    Nmap run completed (10 hosts up) scanned in 5 seconds

As you can see, this method is quite effective in determining if systems are alive even if the site blocks ICMP. It is worth trying a few iterations of this type of scan with common ports like SMTP (25), POP (110), AUTH (113), IMAP (143), or other ports that may be unique to the site. Hping from http://www.kyuzz.org/antirez/ is another TCP ping utility with additional TCP functionality beyond nmap. Hping allows the user to control specific options of the TCP packet that may allow it to pass through certain access control devices. By setting the destination port with the -p option, you can circumvent some access control devices similar to the traceroute technique mentioned in Chapter 1. Hping can be used to perform TCP ping sweeps and has the ability to fragment packets, potentially bypassing some access control devices.

    [tsunami] hping 192.168.1.2 -S -p 80 -f
    HPING 192.168.1.2 (eth0 192.168.1.2): S set, 40 data bytes
    60 bytes from 192.168.1.2: flags=SA seq=0 ttl=124 id=17501 win=0 time=46.5
    60 bytes from 192.168.1.2: flags=SA seq=1 ttl=124 id=18013 win=0 time=169.1

In some cases, simple access control devices cannot handle fragmented packets correctly, thus allowing our packets to pass through and determine if the target system is alive. Notice that the TCP SYN (S) flag and the TCP ACK (A) flag are returned whenever a port is open. Hping can easily be integrated into shell scripts by using the -c N packet count option, where N is the number of packets to send before moving on. While this method is not as fast as some of the ICMP ping sweep methods mentioned earlier, it may be necessary, given the configuration of the target network. We discuss hping in more detail in Chapter 11. Our final tool that we will analyze is icmpenum, from Simple Nomad (http://www.nmrc.org/files/sunix/icmpenum-1.1.tgz). This utility is a handy ICMP enumeration tool that will allow you to quickly identify systems that are alive by sending the traditional ICMP ECHO packets, as well as ICMP TIME STAMP REQUEST and ICMP INFO requests. Thus, if ingress ICMP ECHO packets are dropped by a border router or firewall, it may be possible to still identify systems using an alternate ICMP type:


    [shadow] icmpenum -i2 -c 192.168.1.0
    192.168.1.1 is up
    192.168.1.10 is up
    192.168.1.11 is up
    192.168.1.15 is up
    192.168.1.20 is up
    192.168.1.103 is up

In this example, we enumerated the entire 192.168.1.0 class C network using an ICMP TIME STAMP REQUEST. However, the real power of icmpenum is to identify systems using spoofed packets to avoid detection. This technique is possible because icmpenum supports the ability to spoof packets with the -s option and passively listen for responses with the –p switch. To summarize, this step allows us to determine exactly what systems are alive via ICMP or through selective port scans. Out of 255 potential addresses within the class C range, we have determined that several hosts are alive and have now become our targets for subsequent interrogation. Thus, we have significantly reduced our target set, saving testing time and narrowing the focus of our activities.
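The TCP ping technique described above (nmap -PT, hping -S) needs raw sockets. The same host-discovery decision can be made without privileges, as the added example below shows (it is my code, not nmap's or hping's): a plain connect() that comes back with either a completed handshake or "connection refused" proves that a host answered, because a RST only comes from a live stack, while only a timeout or "host unreachable" leaves the question open. The default probe ports are the ones the text suggests trying; the loopback listener is there so the block can demonstrate itself offline, and the CIDR block in the usage line is an assumption.

```python
"""TCP "ping" sweep with unprivileged connect() sockets.

Added example, not code from the text, nmap or hping. A host that
answers connect() with SYN/ACK (port open) or RST (port closed,
surfaced as ECONNREFUSED) is alive; a timeout or "host unreachable"
proves nothing. DEFAULT_PORTS mirrors the ports the text suggests.
"""
import errno
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

DEFAULT_PORTS = (80, 25, 110, 113, 143)

# connect_ex() results that prove the host is up even though the port is closed
_ALIVE_ERRNOS = {errno.ECONNREFUSED, errno.ECONNRESET}


def tcp_probe(host, port, timeout=1.0):
    """"open" (SYN/ACK), "closed" (RST came back, host alive) or "no-answer"."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))     # 0, an errno, or EAGAIN on timeout
    if rc == 0:
        return "open"
    if rc in _ALIVE_ERRNOS:
        return "closed"
    return "no-answer"                      # filtered, unreachable, or timed out


def host_is_alive(host, ports=DEFAULT_PORTS, timeout=1.0):
    """True as soon as one probe port answers with SYN/ACK or RST."""
    return any(tcp_probe(host, p, timeout) in ("open", "closed") for p in ports)


def tcp_ping_sweep(hosts, ports=DEFAULT_PORTS, timeout=1.0, workers=64):
    """Probe hosts in parallel, as fping/nmap do, and return the live ones in input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, host_is_alive(h, ports, timeout)), hosts))
    return [h for h, alive in results if alive]


def expand_cidr(cidr):
    """Usable host addresses of a block, skipping network and broadcast."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


def open_loopback_listener():
    """Listening TCP socket on 127.0.0.1, used for the offline demonstration."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s, s.getsockname()[1]


def unused_loopback_port():
    """A port nothing listens on, so a probe gets RST (connection refused) back."""
    s, port = open_loopback_listener()
    s.close()
    return port


if __name__ == "__main__":
    srv, port = open_loopback_listener()
    print("127.0.0.1:%d -> %s" % (port, tcp_probe("127.0.0.1", port)))
    closed = unused_loopback_port()
    print("127.0.0.1:%d -> %s" % (closed, tcp_probe("127.0.0.1", closed)))
    # assumed target block; replace with your own range
    print("live:", tcp_ping_sweep(expand_cidr("192.168.1.0/29"), timeout=0.5))
    srv.close()
```

Because a refused connection counts as "alive", this sweep finds hosts that a SYN-only scanner would report as having no open ports; conversely, a stateful firewall that silently drops both SYNs and stray ACKs defeats it just as it defeats -PT, which is why several probe ports are tried per host.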

Ping Sweep Countermeasures

While ping sweeps may seem like an annoyance, it is important to detect this activity when it happens. Depending on your security paradigm, you may also want to block ping sweeps. We explore both options next.

Detection

As mentioned, network mapping via ping sweeps is a proven method for performing network reconnaissance before an actual attack ensues. Thus, detecting ping sweep activity is critical to understanding when an attack may occur and by whom. The primary methods for detecting ping sweep attacks are network-based IDS programs such as Network Flight Recorder (NFR) and snort (http://www.snort.org/) or host-based mechanisms. Shown next is the NFR N-Code that can be used to detect network ping sweeps.

    #
    # ICMP/Ping flood detection
    # By Stuart McClure
    #
    # This will detect the use of a ping scanner on your network.
    # You can play with the maxtime and maxcount settings to find
    # your sweet spot.
    #
    ping_schema = library_schema:new( 1, [ "time", "ip", "ip", "ethmac", "ethmac" ], scope() );

    count = 0;
    maxtime = 10;     # Number of seconds
    maxcount = 5;     # Number of ICMP ECHO's or ARP REQUESTS before it's considered a ping scan
    dest = 0;
    source = 0;
    ethsrc = 0;
    ethdst = 0;
    time = 0;

    filter icmp_packets icmp ( )
    {
        if (icmp.type == 0x08)                          # Check for ICMP ECHO packets
        {
            if ((source == ip.src) && (dest != ip.dst))  # Found the dog!
            {
                count = count + 1;
                time = system.time;
            }
            else
                count = 1;
            dest = ip.dest;
            source = ip.src;
            ethsrc = eth.src;
            ethdst = eth.dst;
        }
        on tick = timeout ( sec: maxtime, repeat ) call checkit;
    }

    func checkit
    {
        if (count >= maxcount)
        {
            echo ("Found PING scanner dog! Time: ", time, "\n");
            record system.time, source, dest, eth.src, eth.dst to the_recorder_ping;
            count = 0;
            dest = 0;
        }
        else
        {
            dest = 0;
            count = 0;
        }
        return;
    }

    the_recorder_ping = recorder( "bin/histogram packages/sandbox/pingscan.cfg", "ping_schema" );
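The N-Code keeps a single global source/destination pair, so it resets its count whenever a packet from a different source arrives; two sweepers running at once, or a monitoring host pinging in between, can keep the counter below maxcount. The added example below (my code, not NFR's or the book's) applies the same rule, maxcount distinct ICMP ECHO destinations within maxtime seconds, but with a sliding window kept per source address, and runs it over a constructed list of packet records standing in for a capture.

```python
"""Ping-sweep detection over captured ICMP ECHO requests.

Added example, not from the original text or NFR. A source that sends
ICMP type 8 to maxcount or more distinct destinations inside a
maxtime-second sliding window is flagged. State is kept per source,
so interleaved traffic from other hosts does not reset the count.
SAMPLE_PACKETS is constructed sample data, not a real capture.
"""
from collections import defaultdict, deque

ICMP_ECHO_REQUEST = 8

# Constructed sample: (seconds, src, dst, icmp_type).
# 10.0.0.9 sweeps quickly, 10.0.0.5 is a monitor pinging one box repeatedly,
# 10.0.0.7 sweeps slowly enough that only 4 of its probes share a 10 s window.
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "192.168.1.1", 8),
    (0.1, "10.0.0.9", "192.168.1.1", 8),
    (0.2, "10.0.0.9", "192.168.1.2", 8),
    (0.3, "10.0.0.5", "192.168.1.1", 8),
    (0.4, "10.0.0.9", "192.168.1.3", 8),
    (0.5, "10.0.0.9", "192.168.1.4", 0),    # an echo reply, ignored
    (0.6, "10.0.0.9", "192.168.1.4", 8),
    (0.7, "10.0.0.9", "192.168.1.5", 8),    # 5th distinct destination: alert
    (1.0, "10.0.0.5", "192.168.1.1", 8),
    (2.0, "10.0.0.7", "192.168.1.10", 8),
    (5.0, "10.0.0.7", "192.168.1.11", 8),
    (8.0, "10.0.0.7", "192.168.1.12", 8),
    (11.0, "10.0.0.7", "192.168.1.13", 8),
    (14.0, "10.0.0.7", "192.168.1.14", 8),  # the 2.0 probe has aged out by now
]


class PingSweepDetector:
    """Sliding-window count of distinct ICMP ECHO destinations per source."""

    def __init__(self, maxtime=10.0, maxcount=5):
        self.maxtime = maxtime
        self.maxcount = maxcount
        self._window = defaultdict(deque)   # src -> deque of (time, dst)
        self.alerts = []                    # (time, src, distinct destinations)

    def feed(self, ts, src, dst, icmp_type):
        """Feed one packet; return an alert tuple when the threshold is crossed."""
        if icmp_type != ICMP_ECHO_REQUEST:
            return None
        win = self._window[src]
        win.append((ts, dst))
        while win and ts - win[0][0] > self.maxtime:   # expire old probes
            win.popleft()
        distinct = {d for _, d in win}
        if len(distinct) >= self.maxcount:
            alert = (ts, src, len(distinct))
            self.alerts.append(alert)
            win.clear()                     # reset after alerting, as the N-Code does
            return alert
        return None


def detect_ping_sweeps(packets, maxtime=10.0, maxcount=5):
    """Run the detector over (ts, src, dst, icmp_type) records; return all alerts."""
    det = PingSweepDetector(maxtime, maxcount)
    for ts, src, dst, icmp_type in packets:
        det.feed(ts, src, dst, icmp_type)
    return det.alerts


if __name__ == "__main__":
    for ts, src, n in detect_ping_sweeps(SAMPLE_PACKETS):
        print("Found PING scanner %s at t=%.1f (%d hosts)" % (src, ts, n))
```

Tuning maxtime up catches slow sweeps such as 10.0.0.7's at the cost of more memory per source; a monitor that pings the same hosts forever never trips it because only distinct destinations are counted.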

From a host-based perspective, several UNIX utilities will detect and log such attacks. If you begin to see a pattern of ICMP ECHO packets from a particular system or network, it may indicate that someone is performing network reconnaissance on your site. Pay close attention to this activity, as a full-scale attack may be imminent. Windows host-based ping detection tools are difficult to come by; however, a shareware/freeware product worth looking at is Genius 3.1 from http://www.indiesoft.com/ (there is a review at http://softseek.com/Internet/General/Review_20507_index.html). While Genius does not detect ICMP ECHO (ping) scans to a system, it will detect TCP ping scans to a particular port. The commercial solution to TCP port scanning is BlackICE from Network ICE (www.networkice.com). The product is much more than a TCP ping or port scan detector, but it can be used solely for this purpose. Table 2-1 lists additional ping detection tools that can enhance your monitoring capabilities.

Prevention

While detection of ping sweep activity is critical, a dose of prevention will go even further. We recommend that you carefully evaluate the type of ICMP traffic you allow into your networks or into specific systems. There are many different types of ICMP traffic; ECHO and ECHO_REPLY are only two such types. Most sites do not require all types of ICMP traffic to all systems directly connected to the Internet. While almost any firewall can filter ICMP packets, organizational needs may dictate that the firewall pass some ICMP traffic. If a true need exists, then carefully consider which types of ICMP traffic to pass. A minimalist approach may be to only allow ICMP ECHO-REPLY, HOST UNREACHABLE, and TIME EXCEEDED packets into the DMZ network. In addition, if ICMP traffic can be limited with ACLs to specific IP addresses of your ISP, you are better off. This will allow your ISP to check for connectivity, while making it more difficult to perform ICMP sweeps against systems connected directly to the Internet. While ICMP is a powerful protocol for diagnosing network problems, it is also easily abused. Allowing unrestricted ICMP traffic into your border gateway may allow attackers to mount a denial of service attack (Smurf, for example). Even worse, if attackers actually manage to compromise one of your systems, they may be able to back-door the operating system and covertly tunnel data within an ICMP ECHO packet using a program such as loki. For more information on loki, check out Phrack Magazine, Volume 7, Issue 51, September 01, 1997, article 06 (http://phrack.infonexus.com/search.phtml?view&article=p51-6). Another interesting concept, which was developed by Tom Ptacek and ported to Linux by Mike Schiffman, is pingd. Pingd is a userland daemon that handles all ICMP_ECHO and ICMP_ECHOREPLY traffic at the host level. This feat is accomplished by removing support of ICMP_ECHO processing from the kernel and implementing a userland daemon with a raw ICMP socket to handle these packets. Essentially, it provides an access control mechanism for ping at the system level. Pingd is available for BSD (http://www.enteract.com/~tqbf/goodies.html) as well as Linux (http://www.2600.net/phrack/p52-07.html).

    Program          Resource
    Scanlogd         http://www.openwall.com/scanlogd
    Courtney 1.3     http://packetstorm.securify.com/UNIX/audit/courtney-1.3.tar.Z
    Ippl 1.4.10      http://pltplp.net/ippl/
    Protolog 1.0.8   http://packetstorm.securify.com/UNIX/loggers/protolog-1.0.8.tar.gz

Table 2-1. Some UNIX Host-Based Ping Detection Tools

ICMP Queries (Popularity: 2, Simplicity: 9, Impact: 5, Risk Rating: 5)

Ping sweeps (or ICMP ECHO packets) are only the tip of the iceberg when it comes to ICMP information about a system. You can gather all kinds of valuable information about a system by simply sending an ICMP packet to it. For example, with the UNIX tool icmpquery (http://packetstorm.securify.com/UNIX/scanners/icmpquery.c) or icmpush (http://packetstorm.securify.com/UNIX/scanners/icmpush22.tgz), you can request the time on the system (to see the time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). And you can request the netmask of a particular device with the ICMP type 17 message (ADDRESS MASK REQUEST). The netmask of a network card is important because you can determine all the subnets being used. With knowledge of the subnets, you can orient your attacks to only particular subnets and avoid hitting broadcast addresses, for example. Icmpquery has both a timestamp and address mask request option:

    icmpquery [-B] [-f fromhost] [-d delay] [-T time] targets
    where the query option is one of:
        -t : icmp timestamp request (default)
        -m : icmp address mask request
    The delay is in microseconds to sleep between packets.
    targets is a list of hostnames or addresses
    -T specifies the number of seconds to wait for a host to respond. The default is 5.
    -B specifies 'broadcast' mode. icmpquery will wait for timeout seconds and print all responses.
    If you're on a modem, you may wish to use a larger -d and -T


To use icmpquery to query a router's time, you can run this command:

    [tsunami] icmpquery -t 192.168.1.1
    192.168.1.1  : 11:36:19

To use icmpquery to query a router's netmask, you can run this command:

    [tsunami] icmpquery -m 192.168.1.1
    192.168.1.1  : 0xFFFFFFE0

Not all routers/systems allow an ICMP TIMESTAMP or NETMASK response, so your mileage with icmpquery and icmpush may vary greatly from host to host.
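What icmpquery puts on the wire and how it turns the answer into "11:36:19" or "0xFFFFFFE0" is worth seeing once. The added example below (my code, not icmpquery's or icmpush's) builds the type 13 and type 17 requests with a correct RFC 1071 checksum, decodes a type 14 reply's receive timestamp (milliseconds since midnight UTC) into the clock string icmpquery prints, and converts a type 18 reply's mask into a prefix length (0xFFFFFFE0 is a /27, so the target sits in a 30-host subnet). send_query() needs a raw socket and therefore root, and is only called from __main__; the reply builders exist so the parser can be exercised offline on constructed packets, and the target address is an assumption.

```python
"""Build and decode the ICMP queries icmpquery sends.

Added example, not icmpquery's own code. Types 13/14 carry three
32-bit timestamps (originate, receive, transmit) in ms since midnight
UTC; types 17/18 carry a 32-bit address mask. send_query() needs
CAP_NET_RAW/root and is not exercised offline; the *_reply builders
produce constructed packets for the demonstration.
"""
import socket
import struct
import time

ICMP_TIMESTAMP, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_ADDRESS_MASK, ICMP_ADDRESS_MASK_REPLY = 17, 18


def icmp_checksum(data):
    """One's-complement sum of 16-bit words (RFC 1071); 0 means "verifies"."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, payload=b"", ident=0x1234, seq=1):
    """Header (type, code 0, checksum, id, seq) + payload with the checksum filled in."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def ms_since_midnight_utc():
    t = time.gmtime()
    return ((t.tm_hour * 60 + t.tm_min) * 60 + t.tm_sec) * 1000


def build_timestamp_request(ident=0x1234, seq=1):
    """Type 13: originate = our clock, receive and transmit left zero."""
    return build_icmp(ICMP_TIMESTAMP, struct.pack("!III", ms_since_midnight_utc(), 0, 0), ident, seq)


def build_mask_request(ident=0x1234, seq=1):
    """Type 17: the 4-byte mask field is sent as zero."""
    return build_icmp(ICMP_ADDRESS_MASK, b"\x00" * 4, ident, seq)


def build_timestamp_reply(recv_ms, ident=0x1234, seq=1):
    """Constructed type 14 reply, as a target would answer (for offline use)."""
    return build_icmp(ICMP_TIMESTAMP_REPLY, struct.pack("!III", 0, recv_ms, recv_ms), ident, seq)


def build_mask_reply(mask, ident=0x1234, seq=1):
    """Constructed type 18 reply (for offline use)."""
    return build_icmp(ICMP_ADDRESS_MASK_REPLY, struct.pack("!I", mask), ident, seq)


def ms_to_clock(ms):
    """41779000 -> "11:36:19", the format icmpquery prints."""
    secs = (ms // 1000) % 86400
    return "%02d:%02d:%02d" % (secs // 3600, (secs % 3600) // 60, secs % 60)


def mask_to_prefix(mask):
    """0xFFFFFFE0 -> 27; rejects a non-contiguous mask."""
    ones = bin(mask)[2:].zfill(32).rstrip("0")
    if "0" in ones:
        raise ValueError("non-contiguous mask 0x%08X" % mask)
    return len(ones)


def parse_reply(packet):
    """Decode a type 14 or 18 message (IP header already stripped)."""
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type = packet[0]
    if icmp_type == ICMP_TIMESTAMP_REPLY:
        _orig, recv, _xmit = struct.unpack("!III", packet[8:20])
        return {"type": "timestamp", "time": ms_to_clock(recv)}
    if icmp_type == ICMP_ADDRESS_MASK_REPLY:
        (mask,) = struct.unpack("!I", packet[8:12])
        return {"type": "mask", "mask": "0x%08X" % mask, "prefix": mask_to_prefix(mask)}
    raise ValueError("unexpected ICMP type %d" % icmp_type)


def send_query(target, packet, timeout=5.0):
    """Raw-socket send/receive; requires root. Strips the IP header the kernel returns."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(packet, (target, 0))
        data, _ = s.recvfrom(1024)
    ihl = (data[0] & 0x0F) * 4
    return parse_reply(data[ihl:])


if __name__ == "__main__":
    print(send_query("192.168.1.1", build_timestamp_request()))   # assumed target
    print(send_query("192.168.1.1", build_mask_request()))
```

Note that the timestamp reply only tells you the target's clock relative to UTC midnight; inferring its time zone, as the text suggests, means comparing that with your own clock and accepting that many hosts fill the field with a non-standard value.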

ICMP Query Countermeasures

One of the best prevention methods is to block the ICMP types that give out information at your border routers. At minimum you should restrict TIMESTAMP (ICMP type 13) and ADDRESS MASK (ICMP type 17) request packets from entering your network. If you deploy Cisco routers at your borders, you can restrict them from responding to these ICMP request packets with the following ACLs:

    access-list 101 deny icmp any any 13   ! timestamp request
    access-list 101 deny icmp any any 17   ! address mask request

It is possible to detect this activity with a network-based intrusion detection system (NIDS) such as snort (www.snort.org). Here is a snippet of this type of activity being flagged by snort.

    [**] PING-ICMP Timestamp [**]
    05/29-12:04:40.535502 192.168.1.10 -> 192.168.1.1
    ICMP TTL:255 TOS:0x0 ID:4321
    TIMESTAMP REQUEST

Port Scanning (Popularity: 10, Simplicity: 9, Impact: 9, Risk Rating: 9)

Thus far we have identified systems that are alive by using either ICMP or TCP ping sweeps and have gathered selected ICMP information. Now we are ready to begin port scanning each system. Port scanning is the process of connecting to TCP and UDP ports on the target system to determine what services are running or in a LISTENING state.


Identifying listening ports is critical to determining the type of operating system and applications in use. Active services that are listening may allow an unauthorized user to gain access to systems that are misconfigured or running a version of software known to have security vulnerabilities. Port scanning tools and techniques have evolved significantly over the past few years. We will focus on several popular port scanning tools and techniques that will provide us with a wealth of information. The port scanning techniques that follow differ from those previously mentioned, when we were trying to just identify systems that were alive. For the following steps, we will assume that the systems are alive and we are now trying to determine all the listening ports or potential access points on our target. There are several objectives that we would like to accomplish when port scanning the target system(s). These include but are not limited to the following:

- Identifying both the TCP and UDP services running on the target system
- Identifying the type of operating system of the target system
- Identifying specific applications or versions of a particular service

Scan Types

Before we jump into the requisite port scanning tools, we must discuss the various port scanning techniques available. One of the pioneers of implementing various port scanning techniques is Fyodor. He has incorporated numerous scanning techniques into his nmap tool. Many of the scan types we will be discussing are the direct work of Fyodor himself.

- TCP connect scan. This type of scan connects to the target port and completes a full three-way handshake (SYN, SYN/ACK, and ACK). It is easily detected by the target system, because the connection completes and the service usually logs it. Figure 2-2 provides a diagram of the TCP three-way handshake.

- TCP SYN scan. This technique is called half-open scanning because a full TCP connection is not made. Instead, a SYN packet is sent to the target port. If a SYN/ACK is received from the target port, we can deduce that it is in the LISTENING state. If a RST/ACK is received, it usually indicates that the port is not listening. The scanning system then answers a SYN/ACK with a RST so that a full connection is never established. This technique has the advantage of being stealthier than a full TCP connect, and it may not be logged by the target system (the application never sees the connection, though a firewall or IDS still can).

- TCP FIN scan. This technique sends a FIN packet to the target port. Based on RFC 793 (http://www.ietf.org/rfc/rfc0793.txt), the target system should send back an RST for all closed ports and stay silent for open ones. This technique usually only works on UNIX-based TCP/IP stacks; Windows stacks answer with RST regardless of port state.

- TCP Xmas Tree scan. This technique sends a packet with the FIN, URG, and PUSH flags set to the target port. Based on RFC 793, the target system should send back an RST for all closed ports.

- TCP Null scan. This technique turns off all flags. Based on RFC 793, the target system should send back an RST for all closed ports.

- TCP ACK scan. This technique is used to map out firewall rulesets. It can help determine if the firewall is a simple packet filter allowing only established connections (connections with the ACK bit set) or a stateful firewall performing advanced packet filtering.

- TCP Window scan. This technique may detect open as well as filtered/non-filtered ports on some systems (for example, AIX and FreeBSD) due to an anomaly in the way the TCP window size is reported in RST replies.

- TCP RPC scan. This technique is specific to UNIX systems and is used to detect and identify remote procedure call (RPC) ports and their associated program and version number.

- UDP scan. This technique sends a UDP packet to the target port. If the target responds with an "ICMP port unreachable" message, the port is closed. Conversely, if we don't receive an "ICMP port unreachable" message, we can only deduce that the port is open or that the probe was filtered, since an open UDP service is not obliged to answer an arbitrary datagram. Since UDP is a connectionless protocol, the accuracy of this technique is highly dependent on many factors related to the utilization of network and system resources, including ICMP rate limiting on the target. In addition, UDP scanning is a very slow process if you are trying to scan a device that employs heavy packet filtering. If you plan on doing UDP scans over the Internet, be prepared for unreliable results.

Figure 2-2. A TCP connect requires a three-way handshake: (1) sending a SYN packet, (2) receiving a SYN/ACK packet, and (3) sending an ACK packet

Certain IP implementations have the unfortunate distinction of sending back RSTs for all ports scanned whether or not they are listening. Thus, your results may vary when performing the FIN, Xmas Tree, and Null scans; however, SYN and connect() scans should work against all hosts.
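The scan types above differ only in the flag byte of the first TCP segment and in the rule used to read the reply. The added example below (my code, not nmap's) assembles that segment for each scan type with a checksum over the IPv4 pseudo-header, so the bytes could be handed to a raw socket (root required; nothing is sent here), and classify() applies the RFC 793 behaviour the text describes: SYN/ACK means open, RST means closed (or "unfiltered" for an ACK scan), and for the FIN, Xmas Tree and Null probes silence is reported as "open|filtered" because an open port is required not to answer. The addresses and ports in the usage lines are assumptions.

```python
"""TCP scan types as bytes on the wire, plus the reply rule for each.

Added example, not nmap's code. build_probe() produces the 20-byte
TCP header each scan sends; classify() maps the reply's flags (or
None for no reply) to a port state. Sending needs a raw socket and
is not done here. Addresses used below are assumptions.
"""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

SCAN_FLAGS = {
    "connect": TCP_SYN,                     # same first packet as SYN scan, then the handshake completes
    "syn":     TCP_SYN,
    "fin":     TCP_FIN,
    "xmas":    TCP_FIN | TCP_URG | TCP_PSH,  # 0x29
    "null":    0,
    "ack":     TCP_ACK,
}


def checksum(data):
    """RFC 1071 one's-complement sum; 0 when run over data that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """20-byte TCP header (no options) with the given flags and a valid checksum."""
    data_offset = 5 << 4                                  # 5 words, no options
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, data_offset, flags, window, 0, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def build_probe(scan, src_ip, dst_ip, src_port, dst_port):
    """First packet of the named scan type."""
    return build_tcp_segment(src_ip, dst_ip, src_port, dst_port, SCAN_FLAGS[scan])


def tcp_flags(segment):
    """Flag byte of a raw TCP header (IP header already stripped)."""
    return segment[13]


def verify_tcp_checksum(src_ip, dst_ip, segment):
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def classify(scan, reply_flags):
    """Port state from the scan type and the reply's flag byte (None = nothing came back)."""
    if reply_flags is not None and reply_flags & TCP_RST:
        return "unfiltered" if scan == "ack" else "closed"
    if scan in ("syn", "connect"):
        if reply_flags is not None and (reply_flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK):
            return "open"
        return "filtered"                    # no SYN/ACK and no RST: something dropped the SYN
    if scan in ("fin", "xmas", "null"):
        return "open|filtered"               # RFC 793: an open port must not answer
    if scan == "ack":
        return "filtered"                    # a stateful filter swallowed the stray ACK
    raise ValueError("unknown scan type %r" % scan)


if __name__ == "__main__":
    for scan in SCAN_FLAGS:                  # assumed addresses and ports
        seg = build_probe(scan, "192.168.1.5", "192.168.1.10", 40000, 80)
        print("%-7s flags=0x%02x %s" % (scan, tcp_flags(seg), seg.hex()))
    print(classify("syn", TCP_SYN | TCP_ACK), classify("fin", None), classify("ack", TCP_RST))
```

The "open|filtered" result is the practical reason the FIN, Xmas Tree and Null scans are confirmatory rather than primary: they can only prove a port closed, and on a stack that answers every probe with RST (the case the text warns about) they report everything closed.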


Identifying TCP and UDP Services Running The utility of a good port scanning tool is a critical component of the footprinting process. While there are many port scanners available for both the UNIX and NT environment, we shall limit our discussion to some of the more popular and time-proven port scanners.

Strobe

Strobe is a venerable TCP port scanning utility written by Julian Assange (ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/strobe-1.06.tgz). It has been around for some time and is one of the fastest and most reliable TCP scanners available. Some of strobe's key features include the ability to optimize system and network resources and to scan the target system in an efficient manner. In addition to being efficient, strobe version 1.04 and later will actually grab the associated banner (if available) of each port that they connect to. This may help identify both the operating system and the running service. Banner grabbing is explained in more detail in Chapter 3. Strobe output lists each listening TCP port:

    [tsunami] strobe 192.168.1.10
    strobe 1.03 © 1995 Julian Assange ([email protected]).
    192.168.1.10  echo      7/tcp      Echo [95,JBP]
    192.168.1.10  discard   9/tcp      Discard [94,JBP]
    192.168.1.10  sunrpc    111/tcp    rpcbind SUN RPC
    192.168.1.10  daytime   13/tcp     Daytime [93,JBP]
    192.168.1.10  chargen   19/tcp     ttytst source
    192.168.1.10  ftp       21/tcp     File Transfer [Control] [96,JBP]
    192.168.1.10  exec      512/tcp    remote process execution;
    192.168.1.10  login     513/tcp    remote login a la telnet;
    192.168.1.10  cmd       514/tcp    shell like exec, but automatic
    192.168.1.10  ssh       22/tcp     Secure Shell
    192.168.1.10  telnet    23/tcp     Telnet [112,JBP]
    192.168.1.10  smtp      25/tcp     Simple Mail Transfer [102,JBP]
    192.168.1.10  nfs       2049/tcp   networked file system
    192.168.1.10  lockd     4045/tcp
    192.168.1.10  unknown   32772/tcp  unassigned
    192.168.1.10  unknown   32773/tcp  unassigned
    192.168.1.10  unknown   32778/tcp  unassigned
    192.168.1.10  unknown   32799/tcp  unassigned
    192.168.1.10  unknown   32804/tcp  unassigned

While strobe is highly reliable, it is important to keep in mind some of its limitations. Strobe is a TCP scanner only and does not provide UDP scanning capabilities. Thus, for our earlier scan, we are only looking at half the picture. In addition, strobe only employs TCP connect scanning technology when connecting to each port. While this behavior adds to strobe’s reliability, it also makes port scans easily detectable by the target system. For additional scanning techniques beyond what strobe can provide, we must dig deeper into our toolkit.


udp_scan

Since strobe only covers TCP scanning, we can use udp_scan, originally from SATAN (Security Administrator Tool for Analyzing Networks), written by Dan Farmer and Wietse Venema in 1995. While SATAN is a bit dated, its tools still work quite well. In addition, newer versions of SATAN, now called SAINT, have been released by http://wwdsilx.wwdsi.com. There are many other utilities that perform UDP scans; however, we have found that udp_scan is one of the most reliable UDP scanners available. We should point out that although udp_scan is reliable, it does have a nasty side-effect of triggering a SATAN scan message from major IDS products. Thus, it is not one of the more stealthy tools you could employ. Typically, we will look for all well-known ports below 1024 and specific high-risk ports above 1024.

    [tsunami] udp_scan 192.168.1.1 1-1024
    42:UNKNOWN:
    53:UNKNOWN:
    123:UNKNOWN:
    135:UNKNOWN:
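udp_scan and nc -u both rely on the same kernel behaviour, and it is worth seeing why their results are unreliable. The added example below (my code, not udp_scan's or netcat's) probes a UDP port from a connected datagram socket: a closed port makes the target send ICMP port unreachable, which the kernel hands back as ECONNREFUSED on the next receive, while no error within the timeout means the port is either open and silent or the probe was filtered, so the result is reported as "open|filtered" rather than "open". A retry guards against the rate limit most stacks put on ICMP errors. The loopback listeners exist so the three outcomes can be demonstrated offline; the one-byte payload is constructed.

```python
"""UDP port probing the way udp_scan and nc -u do it.

Added example, not from udp_scan or netcat. Uses a connected UDP
socket so the kernel reports the target's ICMP port unreachable as
ConnectionRefusedError. The listeners below exist for the offline
demonstration; the payload is a constructed one-byte datagram.
"""
import socket
import threading


def udp_probe(host, port, timeout=1.0, retries=2, payload=b"\x00"):
    """"closed" (ICMP unreachable), "open" (a reply arrived) or "open|filtered" (silence)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))            # connect() so ICMP errors are delivered to this socket
        for _ in range(retries):
            try:
                s.send(payload)
                s.recv(1024)
                return "open"              # the service actually answered
            except ConnectionRefusedError:
                return "closed"            # ICMP port unreachable came back
            except socket.timeout:
                continue                   # retry: the ICMP error may have been rate limited
    return "open|filtered"


def udp_scan(host, ports, timeout=1.0):
    """Probe each port in turn; returns {port: state}."""
    return {p: udp_probe(host, p, timeout) for p in ports}


def silent_udp_listener():
    """Bound UDP socket that never answers: looks "open|filtered" to the probe."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def echo_udp_listener():
    """Bound UDP socket with a thread that echoes one datagram: looks "open"."""
    s, port = silent_udp_listener()

    def serve():
        data, peer = s.recvfrom(1024)
        s.sendto(data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return s, port


def unused_udp_port():
    """A port nothing is bound to, so the probe draws ICMP port unreachable."""
    s, port = silent_udp_listener()
    s.close()
    return port


if __name__ == "__main__":
    silent, p_silent = silent_udp_listener()
    echo, p_echo = echo_udp_listener()
    p_closed = unused_udp_port()
    for p, state in udp_scan("127.0.0.1", [p_silent, p_echo, p_closed], timeout=0.3).items():
        print("127.0.0.1:%d/udp %s" % (p, state))
    silent.close()
    echo.close()
```

Against a host behind a filter that drops both the probe and the ICMP error, every port comes back "open|filtered", which is exactly the "unreliable results" the text warns about; a service-specific payload (a DNS query to 53, an NTP request to 123) is the only way to turn that into a definite "open".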

netcat

Another excellent utility is netcat or nc, written by Hobbit ([email protected]). This utility can perform so many tasks that we call it the Swiss army knife in our security toolkit. While we will discuss many of its advanced features throughout the book, nc will provide basic TCP and UDP port scanning capabilities. The –v and –vv options provide verbose and very verbose output, respectively. The –z option provides zero mode I/O and is used for port scanning, and the –w2 option provides a timeout value for each connection. By default, nc will use TCP ports. Therefore, we must specify the –u option for UDP scanning (as in the second example).

[tsunami] nc -v -z -w2 192.168.1.1 1-140
[192.168.1.1] 139 (?) open
[192.168.1.1] 135 (?) open
[192.168.1.1] 110 (pop-3) open
[192.168.1.1] 106 (?) open
[192.168.1.1] 81 (?) open
[192.168.1.1] 80 (http) open
[192.168.1.1] 79 (finger) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 42 (?) open
[192.168.1.1] 25 (smtp) open
[192.168.1.1] 21 (ftp) open

[tsunami] nc -u -v -z -w2 192.168.1.1 1-140
[192.168.1.1] 135 (ntportmap) open
[192.168.1.1] 123 (ntp) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 42 (name) open
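The text makes the defender's point in passing: connect()-style TCP scans such as strobe's or nc -z, and udp_scan's probes, are easy for the target to notice. The following is an added example, not code from the book or from any of the tools it names, that turns that observation into a concrete check. It reads connection-log lines in a constructed "timestamp src dst port proto" shape (an assumed format, not that of any real firewall or IDS) and flags any source that touches many distinct ports on one host within a short window, which is what a connect or UDP probe sweep looks like from the receiving side. The sample log, the addresses and the thresholds are all constructed; note that counting distinct ports rather than connections keeps a busy ordinary client from tripping the rule, and that a slow scan stays under the threshold until the window is widened.

```python
"""Flag port-scan behaviour in connection logs.

Added example with constructed data; the log format is an assumption
made for this example, not the output of any real firewall or IDS.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _lines(start, src, dst, proto, ports, step):
    """Build constructed log lines: one connection per port, `step` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [
        f"{(t0 + timedelta(seconds=i * step)).isoformat()} {src} {dst} {p} {proto}"
        for i, p in enumerate(ports)
    ]


# Constructed sample log, one connection per line: "timestamp src dst port proto".
SAMPLE_LOG = (
    # a fast connect() scan: 13 ports on one host in 13 seconds
    _lines("2001-05-01T10:00:00", "10.0.0.5", "192.168.1.1", "tcp",
           [21, 22, 23, 25, 42, 53, 79, 80, 81, 106, 110, 135, 139], 1)
    # an ordinary client: repeated hits on 80, one on 443
    + _lines("2001-05-01T10:00:05", "10.0.0.9", "192.168.1.1", "tcp", [80], 0)
    + _lines("2001-05-01T10:00:35", "10.0.0.9", "192.168.1.1", "tcp", [80], 0)
    + _lines("2001-05-01T10:01:10", "10.0.0.9", "192.168.1.1", "tcp", [443], 0)
    # a small UDP probe of four well-known ports
    + _lines("2001-05-01T10:02:00", "10.0.0.7", "192.168.1.1", "udp",
             [42, 53, 123, 135], 1)
    # a slow scan: 12 ports, one every 20 seconds (spread over 220 s)
    + _lines("2001-05-01T10:05:00", "10.0.0.8", "192.168.1.1", "tcp",
             [21, 22, 23, 25, 53, 79, 80, 110, 135, 139, 143, 443], 20)
)


def parse_line(line):
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def max_distinct_ports(events, window):
    """Largest number of distinct ports seen within any `window`-long span.

    `events` is a list of (timestamp, port) pairs; a sliding window is run
    over the time-sorted events.
    """
    events = sorted(events)
    start, best = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({port for _, port in events[start:end + 1]}))
    return best


def detect_scans(lines, threshold=10, window=timedelta(seconds=60)):
    """Return (src, dst, proto, ports_in_window) for every source that touched
    at least `threshold` distinct ports on one destination within `window`.

    Distinct ports (not connections) are counted, so a client hammering one
    service does not trip the rule; the window keeps a very slow scan below
    the threshold unless the caller widens it.
    """
    by_pair = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_line(line)
        by_pair[(src, dst, proto)].append((ts, port))
    alerts = []
    for (src, dst, proto), events in by_pair.items():
        n = max_distinct_ports(events, window)
        if n >= threshold:
            alerts.append((src, dst, proto, n))
    return alerts


if __name__ == "__main__":
    for src, dst, proto, n in detect_scans(SAMPLE_LOG):
        print(f"possible {proto} port scan: {src} -> {dst}, {n} ports within 60 s")
```

With the defaults only the fast scanner is reported; lowering the threshold to 4 also surfaces the four-port UDP probe and the slow scanner (which never exceeds four ports in any 60-second span), and widening the window to five minutes reports the slow scanner with all twelve ports.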


Hacking Exposed: Network Security Secrets and Solutions

Network Mapper (nmap)

Now that we have discussed basic port scanning tools, we can move on to the premier port scanning tool available, nmap. Nmap (http://www.insecure.org/nmap) by Fyodor provides basic TCP and UDP scanning capabilities as well as incorporating the aforementioned scanning techniques. Rarely does a tool come along that provides so much utility in one package. Let’s explore some of its most useful features.

[tsunami]# nmap –h
nmap V. 2.53 Usage: nmap [Scan Type(s)] [Options]
Some Common Scan Types ('*' options require root privileges)
  -sT TCP connect() port scan (default)
* -sS TCP SYN stealth port scan (best all-around TCP scan)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p ports to scan. Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended. Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -T <Paranoid

Add Value and enter the following data:
Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 1 (or 2 on Win2000)
3. Exit the Registry Editor and restart the computer for the change to take effect.

On Windows 2000, the fix is slightly easier to implement, thanks to the \Local Policies\Security Options node within the Security Settings MMC snap-in. The Security Options tool provides a graphical interface to the many arcane security-related Registry settings like RestrictAnonymous that needed to be configured manually under NT4.
Even better, these settings can be applied at the Organizational Unit (OU), site, or domain level so they can be inherited by all child objects in Active Directory if applied from a Win 2000 domain controller. This requires the Group Policy snap-in—see Chapter 6 for more information about Group Policy. To limit access to NetBIOS information for unauthenticated users using either Security Options or Group Policy, set the Additional Restrictions For Anonymous Connections policy key to the setting shown in the next illustration, No Access Without Explicit Anonymous Permissions (this is equivalent to setting RestrictAnonymous equal to 2 in the Win 2000 Registry).


Interestingly, setting RestrictAnonymous does not actually block anonymous connections. However, it does prevent most of the information leaks available over the null session, primarily enumeration of user accounts and shares. Under Windows 2000, RestrictAnonymous has a third value. Set it to 2 to restrict all null connections to resources that have explicit anonymous permissions (see preceding illustration). One notable exception to this rule is sid2user (discussed later in the “NT/2000 User and Group Enumeration” section), which still functions even if RestrictAnonymous is enabled. For more information, search for Microsoft’s Knowledge Base Article Q143474 at http://search.support.microsoft.com. For more technical details, read the original thesis on hacking NetBIOS called “CIFS: Common Insecurities Fail Scrutiny” by Hobbit located at http://www.avian.org, or RFCs 1001 and 1002, which describe the NetBIOS over TCP/UDP transport specifications. We will see shortly the sensitivity of the information provided over null sessions. In most situations you do not want this information exposed, especially on a server connected to the Internet. We highly recommend setting RestrictAnonymous. Now that we’ve set the stage, let’s put these tools and techniques to work.

NT/2000 Network Resource Enumeration

The first thing a remote attacker will try on a well-scouted NT/2000 network is to get a sense of what exists on the wire. We first discuss enumeration of NetBIOS resources and then talk about enumeration of TCP/IP services that are commonly offered up by NT/2000 systems.

NetBIOS Enumeration
Popularity: 9
Simplicity: 10
Impact: 7
Risk Rating: 8.6

The tools and techniques for peering along the NetBIOS wire are readily available—most are built into the OS itself! We discuss those first and then move into some third-party tools. We save discussion of countermeasures until the very end, since fixing all of this is rather simple and can be handled in one fell swoop.

Enumerating NT/2000 Domains with net view

The net view command is a great example of a built-in enumeration tool. It is an extraordinarily simple NT/2000 command-line utility that will list domains available on the network and then lay bare all machines in a domain. Here’s how to enumerate domains on the network using net view:

Chapter 3:

Enumeration

C:\>net view /domain
Domain
-------------------------------------------------------------------------------
CORLEONE
BARZINI_DOMAIN
TATAGGLIA_DOMAIN
BRAZZI
The command completed successfully.

The next command will list computers in a particular domain:

C:\>net view /domain:corleone
Server Name            Remark
-------------------------------------------------------------------------------
\\VITO                 Make him an offer he can't refuse
\\MICHAEL              Nothing personal
\\SONNY                Badda bing badda boom
\\FREDO                I'm smart
\\CONNIE               Don't forget the cannoli

Remember that we can use information from ping sweeps (see Chapter 2) to substitute IP addresses for NetBIOS names of individual machines. IP addresses and NetBIOS names are mostly interchangeable (for example, \\192.168.202.5 is equivalent to \\SERVER_NAME). For convenience, attackers will often add the appropriate entries to their %systemroot%\system32\drivers\etc\LMHOSTS file, appended with the #PRE syntax, and then run nbtstat –R at a command line to reload the name table cache. They are then free to use the NetBIOS name in future attacks, and it will be mapped transparently to the IP address specified in LMHOSTS.

Dumping the NetBIOS Name Table with nbtstat and nbtscan

Another great built-in tool is nbtstat, which calls up the NetBIOS Name Table from a remote system. The Name Table contains great information, as seen in the following example:

C:\>nbtstat -A 192.168.202.33
NetBIOS Remote Machine Name Table
Name             Type     Status
---------------------------------------------
SERVR9           UNIQUE   Registered
SERVR9           UNIQUE   Registered
9DOMAN           GROUP    Registered
9DOMAN           GROUP    Registered
SERVR9           UNIQUE   Registered
INet~Services    GROUP    Registered
IS~SERVR9......  UNIQUE   Registered
9DOMAN           UNIQUE   Registered
..__MSBROWSE__.  GROUP    Registered
ADMINISTRATOR    UNIQUE   Registered
MAC Address = 00-A0-CC-57-8C-8A


NetBIOS Code          Resource
--------------------  -------------------------------------------------------
[00]                  Workstation Service
<domain name>[00]     Domain Name
[03]                  Messenger Service (for messages sent to this computer)
<user name>[03]       Messenger Service (for messages sent to this user)
[20]                  Server Service
<domain name>[1D]     Master Browser
<domain name>[1E]     Browser Service Elections
<domain name>[1B]     Domain Master Browser

Table 3-1. Common NetBIOS Service Codes

As illustrated, nbtstat extracts the system name (SERVR9), the domain it’s in (9DOMAN), any logged-on users (ADMINISTRATOR), any services running (INet~Services), and the MAC address. These entities can be identified by their NetBIOS service codes (the two-digit number to the right of the name), which are partially listed in Table 3-1 above. The two main drawbacks to nbtstat are its restriction to operating on a single host at a time and its rather inscrutable output. Both of those issues are addressed by the free tool nbtscan, from Alla Bezroutchko, available at http://www.abb.aha.ru/software/nbtscan.html. Nbtscan will “nbtstat” an entire network with blistering speed and format the output nicely:

D:\Toolbox\nbtscan102>nbtscan 192.168.234.0/24
Doing NBT name scan for adresses from 192.168.234.0/24
IP address       NetBIOS Name  Server    User     MAC address
--------------------------------------------------------------------
192.168.234.36   WORKSTN12     <server>  RSMITH   00-00-86-16-47-d6
192.168.234.110  CORP-DC       <server>  CORP-DC  00-c0-4f-86-80-05
192.168.234.112  WORKSTN15     <server>  ADMIN    00-80-c7-0f-a5-6d
192.168.234.200  SERVR9        <server>  ADMIN    00-a0-cc-57-8c-8a
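The text calls nbtstat's output "inscrutable" and then decodes it by hand with Table 3-1. The following is an added example, not code from the book or from nbtstat or nbtscan, that does the same decoding programmatically so an administrator can audit what one of their own hosts gives away to an anonymous name-table query. It parses an nbtstat -A style table, applies the Table 3-1 codes, and derives the computer name, its domain, the logged-on user names (every <03> entry other than the computer's own), and the server and browser roles; codes that Table 3-1 does not list are reported rather than guessed at. The sample table is constructed: the names follow the chapter's example, but the <xx> suffixes are assumed for this example.

```python
"""Decode an nbtstat -A style name table into what it exposes.

Added example; the service-code meanings are those of Table 3-1, and the
sample table below is constructed (the <xx> suffixes are assumed for the
names shown in the chapter, not copied from a real host).
"""
import re
from dataclasses import dataclass

# Codes listed in Table 3-1; any other suffix is reported as unlisted.
SERVICE_CODES = {
    "00": "Workstation Service (UNIQUE) / Domain Name (GROUP)",
    "03": "Messenger Service (computer name, or a logged-on user)",
    "20": "Server Service",
    "1D": "Master Browser",
    "1E": "Browser Service Elections",
    "1B": "Domain Master Browser",
}

# Constructed sample in nbtstat -A layout; the <xx> codes are assumptions.
SAMPLE_TABLE = """\
       NetBIOS Remote Machine Name Table

           Name               Type         Status
        ---------------------------------------------
        SERVR9         <00>  UNIQUE      Registered
        SERVR9         <20>  UNIQUE      Registered
        9DOMAN         <00>  GROUP       Registered
        9DOMAN         <1E>  GROUP       Registered
        SERVR9         <03>  UNIQUE      Registered
        INet~Services  <1C>  GROUP       Registered
        IS~SERVR9......<00>  UNIQUE      Registered
        9DOMAN         <1D>  UNIQUE      Registered
        ..__MSBROWSE__.<01>  GROUP       Registered
        ADMINISTRATOR  <03>  UNIQUE      Registered

        MAC Address = 00-A0-CC-57-8C-8A
"""

ENTRY_RE = re.compile(
    r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


@dataclass
class NameEntry:
    name: str
    code: str    # two-hex-digit service code, upper case
    kind: str    # UNIQUE or GROUP
    status: str


def parse_name_table(text):
    """Return (entries, mac) parsed from nbtstat -A style output."""
    entries = [NameEntry(n, c.upper(), k, s) for n, c, k, s in ENTRY_RE.findall(text)]
    m = MAC_RE.search(text)
    return entries, (m.group(1) if m else None)


def summarize(entries, mac=None):
    """Turn raw entries into the facts an anonymous caller can learn."""
    # The first <00> UNIQUE name is the computer; <00> GROUP is its domain.
    computer = next((e.name for e in entries if e.code == "00" and e.kind == "UNIQUE"), None)
    domain = next((e.name for e in entries if e.code == "00" and e.kind == "GROUP"), None)
    # <03> is registered for the computer name and for each logged-on user;
    # whatever is left after removing the computer name is a user name.
    users = sorted({e.name for e in entries if e.code == "03" and e.name != computer})
    roles = [SERVICE_CODES[c] for c in ("20", "1D", "1B")
             if any(e.code == c for e in entries)]
    unlisted = sorted({e.code for e in entries if e.code not in SERVICE_CODES})
    return {
        "computer": computer,
        "domain": domain,
        "logged_on_users": users,
        "roles": roles,
        "unlisted_codes": unlisted,
        "mac": mac,
    }


if __name__ == "__main__":
    entries, mac = parse_name_table(SAMPLE_TABLE)
    for key, value in summarize(entries, mac).items():
        print(f"{key:16} {value}")
```

Run against the constructed table this reports SERVR9 in domain 9DOMAN with ADMINISTRATOR logged on, the Server Service and Master Browser roles, and two suffixes (<1C> and <01>) that Table 3-1 does not cover. If a host you administer yields a logged-on user name or a server role this way to an unauthenticated caller, that is the exposure the RestrictAnonymous discussion earlier in the chapter is meant to close.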

Coincidentally, nbtscan is a great way to quickly flush out hosts running Windows on a network. Try running it against your favorite Class C–sized swatch of the Internet, and you’ll see what we mean.

Enumerating NT/2000 Domain Controllers

To dig a little deeper into the NT network structure, we’ll need to use a tool from the NT Resource Kit (NTRK). In the next example, we’ll see how the NTRK tool called nltest identifies the Primary and Backup Domain Controllers (PDC and BDC, the keepers of NT network authentication credentials) in a domain:

C:\> nltest /dclist:corleone
List of DCs in Domain corleone
\\VITO (PDC)
\\MICHAEL
\\SONNY
The command completed successfully

To go even further, we need to first set up a null session. (Remember them? If not, go back to the beginning of this chapter.) Once a null session is set up to one of the machines in the enumerated domain, the nltest /server:<server_name> and /trusted_domains syntax can be used to learn about further NT domains related to the first.

Enumerating NetBIOS Shares with net view and RK Tools

With a null session established, we can also fall back on good ol’ net view to enumerate shares on remote systems:

C:\>net view \\vito
Shared resources at \\192.168.7.45 VITO

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
NETLOGON     Disk             Logon server share
Test         Disk             Public access
The command completed successfully.

Three other good share-enumeration tools from the NTRK are rmtshare, srvcheck, and srvinfo (using the –s switch). Rmtshare generates output similar to net view. Srvcheck displays shares and authorized users, including hidden shares, but it requires privileged access to the remote system to enumerate users and hidden shares. Srvinfo’s –s parameter lists shares along with a lot of other potentially revealing information.

Enumerating NetBIOS Shares with DumpSec (Formerly DumpACL)

One of the best tools for enumerating NT shares (and a whole lot more) is DumpSec (formerly DumpACL), shown in Figure 3-1. It is available free from Somarsoft (http://www.somarsoft.com). Few tools deserve their place in the NT security administrator’s toolbox more than DumpSec—it audits everything from file system permissions to services available on remote systems. Basic user information can be obtained even over an innocuous null connection, and it can be run from the command line, making for easy automation and scripting. In Figure 3-1, we show DumpSec being used to dump share information from a remote computer.

Figure 3-1. DumpSec reveals shares over a null session with the target computer

Scanning for Shares with Legion and NAT Opening null connections and using the preceding tools manually is great for directed attacks, but most hackers will commonly employ a NetBIOS scanner to check entire networks rapidly for exposed shares. One of the more popular ones is called Legion (available on many Internet archives), shown next.


Legion can chew through a Class C IP network and reveal all available shares in its graphical interface. Version 2.1 includes a “brute-force tool” that tries to connect to a given share by using a list of passwords supplied by the user. For more on brute-force cracking of Windows 9x and NT, see Chapters 4 and 5, respectively. Another popular Windows share scanner is the NetBIOS Auditing Tool (NAT), based on code written by Andrew Tridgell (NAT is available through the Hacking Exposed web site, http://www.hackingexposed.com). Neon Surge and Chameleon of the now-defunct Rhino9 Security Team wrote a graphical interface for NAT for the command-line challenged, as shown in Figure 3-2. NAT not only finds shares, but also attempts forced entry using user-defined username and password lists.

Figure 3-2. The NetBIOS Auditing Tool (NAT) with graphical interface and command-line output

Miscellaneous NT/2000 Network Enumeration Tools

A few other NT network information enumerators bear mention here: epdump from Microsoft (epdump can be found at http://www.ntshop.net/security/tools/def.htm), getmac and netdom (from the NTRK), and netviewx by Jesper Lauritsen (see http://www.ibt.ku.dk/jesper/NTtools/). Epdump queries the RPC endpoint mapper and shows services bound to IP addresses and port numbers (albeit in a very crude form). Using a null session, getmac displays the MAC addresses and device names of network interface cards on remote machines. This can yield useful network information to an attacker casing a system with multiple network interfaces. Netdom is more useful, enumerating key information about NT domains on a wire, including domain membership and the identities of Backup Domain Controllers. Netviewx is a similarly powerful tool for listing nodes in a domain and the services they are running. We often use netviewx to probe for the NT Remote Access Service (RAS) to get an idea of the number of dial-in servers that exist on a network, as shown in the following example. The –D syntax specifies the domain to enumerate, while the –T specifies the type of machine or service to look for.

C:\>netviewx -D CORLEONE -T dialin_server
VITO,4,0,500,nt%workstation%server%domain_ctrl%time_source%dialin_server%backup_browser%master_browser," Make him an offer he can't refuse "

The services running on this system are listed between the “%” characters. Netviewx is also a good tool for choosing non-domain controller targets that may be poorly secured.

Winfo from Arne Vidstrom at http://www.ntsecurity.nu extracts user accounts, shares, and interdomain, server, and workstation trust accounts—it’ll even automate the creation of a null session if you want by using the –n switch. Nbtdump from David Litchfield of Cerberus Information Security (http://www.cerberus-infosec.co.uk/toolsn.shtml) creates null sessions, performs share and user account enumeration, and spits the output into a nice HTML report.

The Whole Enumeration Enchilada: enum

It took the Razor team from Bindview to throw just about every NetBIOS enumeration feature into one tool, and then some. They called it enum—fittingly enough for this chapter—and it’s available from http://razor.bindview.com. The following listing of the available command-line switches for this tool demonstrates how comprehensive it is:

D:\Toolbox>enum
usage: enum [switches] [hostname

Properties. From the System Information window we can change our workgroup\domain membership, computer name, and even our product key. We can also access the remote desktop settings, device manager, system restore, and other advanced system settings.

Figure 1.5 System Information

The Start Menu

The Start Menu has undergone another redesign in an effort to provide a better user experience, and we personally think Microsoft hit the target with this change. The menu still utilizes a familiar architecture, but instead of the dropdown menu that


Chapter 1 • Microsoft Vista: An Overview

would often span the entire width of a user’s screen, Vista utilizes a folder-based submenu structure. Clicking Start ip] -U: get userlist -M: get machine list -N: get namelist dump (different from -U


Normal Permissions, and then set them to permit only approved users access. Next, navigate to HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ ExtensionAgents, delete the value that contains the “LANManagerMIB2Agent” string, and then rename the remaining entries to update the sequence. For example, if the deleted value was number 1, then rename 2, 3, and so on, until the sequence begins with 1 and ends with the total number of values in the list. Of course, if you’re using SNMP to manage your network, make sure to block access to TCP and UDP ports 161 (SNMP GET/SET) at all perimeter network access devices. As we will see later in this chapter and others, allowing internal SNMP info to leak onto public networks is a definite no-no. For more information on SNMP in general, search for the latest SNMP RFCs at http://www.rfc-editor.org.

Figure 3-3. SolarWinds’ IP Network Browser expands information available on systems running SNMP agents when provided with the correct community string. The system shown here uses the default string “public”

Win 2000 DNS Zone Transfers
Popularity: 5
Simplicity: 9
Impact: 2
Risk Rating: 5

As we saw in Chapter 1, one of the primary sources of footprinting information is the Domain Name System (DNS), the Internet standard protocol for matching host IP addresses with human-friendly names like amazon.com. Since the Windows 2000 Active Directory namespace is based on DNS, Microsoft has completely upgraded Win 2000’s DNS server implementation to accommodate the needs of AD and vice versa. For clients to locate Win 2000 domain services such as AD and Kerberos, Win 2000 relies on the DNS SRV record (RFC 2052), which allows servers to be located by service type (for example, LDAP, FTP, or WWW) and protocol (for example, TCP). Thus, a simple zone transfer (nslookup, ls –d <domainname>) can enumerate a lot of interesting network information, as shown in the following sample zone transfer run against the domain “labfarce.org” (edited for brevity and line-wrapped for legibility).

D:\Toolbox>nslookup
Default Server: corp-dc.labfarce.org
Address: 192.168.234.110
> ls -d labfarce.org
[[192.168.234.110]]
 labfarce.org.    SOA  corp-dc.labfarce.org admin.
 labfarce.org.    A    192.168.234.110
 labfarce.org.    NS   corp-dc.labfarce.org
 . . .
 _gc._tcp         SRV  priority=0, weight=100, port=3268, corp-dc.labfarce.org
 _kerberos._tcp   SRV  priority=0, weight=100, port=88, corp-dc.labfarce.org
 _kpasswd._tcp    SRV  priority=0, weight=100, port=464, corp-dc.labfarce.org
 _ldap._tcp       SRV  priority=0, weight=100, port=389, corp-dc.labfarce.org

Per RFC 2052, the format for SRV records is

Service.Proto.Name TTL Class SRV Priority Weight Port Target

Some very simple observations an attacker could take from this file would be the location of the domain’s Global Catalog service (_gc._tcp), domain controllers using Kerberos authentication (_kerberos._tcp), LDAP servers (_ldap._tcp), and their associated port numbers (only TCP incarnations are shown here).

Blocking Win 2000 DNS Zone Transfers

Fortunately, Win 2000’s DNS implementation also allows easy restriction of zone transfer, as shown in the following illustration. This screen is available when the Properties option for a forward lookup zone (in this case, labfarce.org) is selected from within the “Computer Management” Microsoft Management Console (MMC) snap-in, under \Services and Applications\DNS\[server_name]\Forward Lookup Zones\[zone_name]

wc –l 96

So we have approximately 96 entries in the zone file that contain the word “test.” This should equate to a fair number of actual test systems. These are just a few simple examples. Most intruders will slice and dice this data to zero-in on specific system types with known vulnerabilities. There are a few points that you should keep in mind. The aforementioned method only queries one name server at a time. This means that you would have to perform the same tasks for all name servers that are authoritative for the target domain. In addition, we only queried the Acme.net domain. If there were subdomains, we would have to perform the same type of query for each subdomain (for example, greenhouse.Acme.net). Finally, you may receive a message stating that you can’t list the domain or that the query was refused. This usually indicates that the server has been configured to disallow zone transfers from unauthorized users. Thus, you will not be able to perform a zone transfer from this server. However, if there are multiple DNS servers, you may be able to find one that will allow zone transfers.

Chapter 1:

Footprinting

Now that we have shown you the manual method, there are plenty of tools that speed the process, including host, Sam Spade, axfr, and dig. The host command comes with many flavors of UNIX. Some simple ways of using host are as follows:

host -l Acme.net

or

host -l -v -t any Acme.net

If you need just the IP addresses to feed into a shell script, you can just cut out the IP addresses from the host command: host -l acme.net tr -s : :
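Both the SRV-record discussion for the Win 2000 zone above and the host -l notes here come down to the same defensive question: if a transfer of your zone succeeds, what exactly did it hand out? The following is an added example, not code from the book or from nslookup or host, that answers it for a listing in the shape of the nslookup "ls -d" output shown earlier. It splits the listing into records, decodes each SRV record into the RFC 2052 fields the text lists (Service and Proto from the owner name; Priority, Weight, Port and Target from the data), collects the A-record addresses the host -l cut-out is after, and counts names containing a substring such as "test", which is the same count the text obtains with wc -l. The listing, domain, host names and addresses are constructed for this example.

```python
"""Audit what an "ls -d" zone listing reveals.

Added example, not code from the book or from nslookup/host. The listing
below is constructed in the shape of the nslookup output shown earlier
(the domain, hosts and addresses are made up).
"""
import re
from collections import Counter

SAMPLE_LISTING = """\
[[192.168.234.110]]
 labfarce.org.          SOA    corp-dc.labfarce.org admin.
 labfarce.org.          A      192.168.234.110
 labfarce.org.          NS     corp-dc.labfarce.org
 corp-dc                A      192.168.234.110
 www                    A      192.168.234.50
 test1                  A      192.168.234.201
 testweb                A      192.168.234.202
 labtest                A      192.168.234.203
 _gc._tcp               SRV    priority=0, weight=100, port=3268, corp-dc.labfarce.org
 _kerberos._tcp         SRV    priority=0, weight=100, port=88, corp-dc.labfarce.org
 _kerberos._udp         SRV    priority=0, weight=100, port=88, corp-dc.labfarce.org
 _kpasswd._tcp          SRV    priority=0, weight=100, port=464, corp-dc.labfarce.org
 _ldap._tcp             SRV    priority=0, weight=100, port=389, corp-dc.labfarce.org
"""

SRV_DATA_RE = re.compile(r"priority=(\d+),\s*weight=(\d+),\s*port=(\d+),\s*(\S+)")


def parse_listing(text):
    """Split each 'name TYPE data' line into a record; skips the [[server]] line."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 3 or parts[0].startswith("[["):
            continue
        name, rtype, data = parts
        records.append({"name": name, "type": rtype.upper(), "data": data})
    return records


def srv_records(records):
    """Decode SRV records into the RFC 2052 fields: Service and Proto come from
    the owner name (_service._proto), Priority/Weight/Port/Target from the data."""
    out = []
    for r in records:
        if r["type"] != "SRV":
            continue
        m = SRV_DATA_RE.search(r["data"])
        labels = r["name"].split(".")
        if not m or len(labels) < 2:
            continue
        out.append({
            "service": labels[0].lstrip("_"),
            "proto": labels[1].lstrip("_"),
            "priority": int(m.group(1)),
            "weight": int(m.group(2)),
            "port": int(m.group(3)),
            "target": m.group(4),
        })
    return out


def host_addresses(records):
    """name -> IPv4 address for every A record (the address list cut out of host -l)."""
    return {r["name"]: r["data"] for r in records if r["type"] == "A"}


def names_containing(records, needle):
    """Names containing a substring, e.g. "test" (the count the text gets with wc -l)."""
    return sorted({r["name"] for r in records if needle.lower() in r["name"].lower()})


def exposure_report(records):
    """Summarize what a successful transfer gave away."""
    srvs = srv_records(records)
    return {
        "hosts": len(host_addresses(records)),
        "services": sorted({(s["service"], s["proto"], s["port"]) for s in srvs}),
        "service_hosts": sorted({s["target"] for s in srvs}),
        "records_by_type": dict(Counter(r["type"] for r in records)),
        "test_hosts": names_containing(records, "test"),
    }


if __name__ == "__main__":
    for key, value in exposure_report(parse_listing(SAMPLE_LISTING)).items():
        print(f"{key:16} {value}")
```

On the constructed listing the report names the Global Catalog, Kerberos (TCP and UDP), kpasswd and LDAP services with their ports, shows that every one of them points at a single host, and lists three "test" hosts; that is the same inventory the text reads off by eye, and running it against your own zone after a transfer attempt is a quick check of whether the restriction described above is in place.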

Microsoft Vista for IT Security Professionals


Author: Anthony Piltzecker



Contents

Foreword
About the CD

Chapter 1 Microsoft Vista: An Overview
  Introduction
  The User Interface
  The Welcome Center
  The Start Menu
  User Accounts
  Internet Explorer 7
  Internet Explorer 7 Features
  RSS Feeds
  Pop-up Blocker
  Phishing Filter
  Summary
  Solutions Fast Track
  Frequently Asked Questions

Chapter 2 Microsoft Vista: The Battle Against Malware Lives On
  Introduction
  Malware Fundamentals
  Viruses, Worms, and Trojan Horses
  Viruses
  Worms
  Trojan Horses
  Spyware and Adware
  Botnets
  Prevention and Response
  Incident Response
  Microsoft Vista and Security
  Windows Service Hardening (WSH)
  Network Access Protection (NAP)
  Improvements in Internet Explorer 7
  Basic Browser Behavior
  Browser Exploits
  Web Spoofing
  Configuring Internet Explorer Securely
  Protected Mode
  ActiveX Opt-In
  Fix My Settings
  Security Status Bar
  Windows Defender
  Setting Internet Zones
  Configuring Privacy
  Advanced Security Settings
  Configuring the Microsoft Phishing Filter
  Windows Security Center
  Configuring a Firewall
  Using Windows Update
  Using the Malicious Software Removal Tool
  Configuring Malware Protection
  Other Security Settings
  User Account Control
  Windows Defender
  Using Windows Defender
  How to Use the Windows Defender Software Explorer
  Using Software Explorer
  Other Related Tools
  Using Microsoft SpyNet
  Summary
  Solutions Fast Track
  Frequently Asked Questions

Chapter 3 Microsoft Vista: Securing User Access
  Introduction
  Access Control Fundamentals
  Limiting Exposure
  Understanding Attacks
  Password Cracking
  Rootkits
  Using Encryption
  Secure Protocols
  Kerberos
  SSH
  Authentication Devices
  Smart Card Authentication
  Biometrics Authentication
  Keeping Workstations Secure
  Improving the Logon Architecture
  Session 0
  User Account Control
  Using User Access Control
  Marking an Application
  Using the Local Security Policy to Configure UAC
  Disabling UAC When Installing Applications
  Changing the Prompt for UAC
  Remote Assistance
  Using Remote Assistance
  Sending an Invitation
  Network Access Protection
  Summary
  Solutions Fast Track
  Frequently Asked Questions

Chapter 4 Microsoft Vista: Trusted Platform Module Services
  Introduction
  Understanding the TPM
  Trusted Platform Features
  Trusted Platform Architecture
  The TCG Trusted Platform
  Your Windows Vista PC
  The Role of the TBS
  Configuring and Managing the TPM on a Stand-Alone System
  Configuring BIOS Settings
  Using the TPM Microsoft Management Console
  Initializing the TPM
  Turning the TPM On
  Turning the TPM Off
  Clearing the TPM
  Changing the Owner Password
  Blocking and Allowing Commands
  Configuring and Managing the TPM in an Enterprise Environment
  Using GPOs and Active Directory
  Preparing Your Pre-Longhorn Domain Controllers
  Preparing Your Longhorn Domain Controllers
  Blocking Commands
  Deploying TPM-Equipped Devices with Scripting
  Your TPM WMI Primer
  Scripting the TPM Deployment
  TPM Applications
  Digital Rights Management
  Microsoft Applications
  Third-Party Applications
  Understanding the Security Implications of the TPM
  Encryption as a Countermeasure
  Can I Really Trust These People?
  The TPM Only Enables Technical Security Controls
  Existing Attacks
  Summary
  Solutions Fast Track
  Frequently Asked Questions

Chapter 5 Microsoft Vista: Data Protection
  Introduction
  USB Devices
  ReadyBoost: Plug In to Speed
  USB Group Policy Settings
  Controlling Device Installation
  A Real-World Scenario of Device Installation
  Controlling Device Use
  Real-World Usage: Our Road Warrior Returns
  Rights Management
  Rights Management Is Bad—No, Good—No, Bad…
  Rights Management Is Doomed to Failure
  Rights Management Can Only Succeed
  Encrypting File System
  A Little Crypto Theory
  Ancient History: What You Should Already Know
  Enabling Encryption on a File or Folder
  Exporting Your EFS Encryption Keys
  Adding Users to EFS-Protected Files
  Creating a Nondefault EFS Policy
  Exporting and Deleting EFS Private Keys
  Recovering EFS-Protected Files
  New EFS Features with Windows Vista
  Whole-Disk Encryption
  It’s Been a While Coming
  Preparing a New Installation of Vista for BitLocker
  Preparing an Upgrade of Vista for BitLocker
  Preparing an Existing Installation of Vista for BitLocker: The Hard Way
  Preparing an Existing Installation of Vista for BitLocker: The Easy Way
  Enabling BitLocker to Protect Your Laptop’s Data in Case of Loss
  Using manage-bde.wsf to Protect Volumes other Than the Boot Volume
  Recovering a BitLocker System after Losing Your Startup Key or PIN
  Removing BitLocker Protection Temporarily to Install a BIOS or System Update
  BitLocker with TPM: What Does It Give You?
  BitLocker with EFS: Does It Make Sense?
  BitLocker for Servers
  Using BitLocker to Decommission a System
  PatchGuard
  What Is PatchGuard?
  Why Only 64-Bit?

431_Vista_TOC.qxd

2/5/07

10:30 AM

Page xvii


    Rights Management Can Only Succeed  211
    Encrypting File System  214
    A Little Crypto Theory  214
    Ancient History: What You Should Already Know  215
    Enabling Encryption on a File or Folder  216
    Exporting Your EFS Encryption Keys  219
    Adding Users to EFS-Protected Files  220
    Creating a Nondefault EFS Policy  220
    Exporting and Deleting EFS Private Keys  223
    Recovering EFS-Protected Files  225
    New EFS Features with Windows Vista  227
    Whole-Disk Encryption  227
    It's Been a While Coming  229
    Preparing a New Installation of Vista for BitLocker  232
    Preparing an Upgrade of Vista for BitLocker  234
    Preparing an Existing Installation of Vista for BitLocker: The Hard Way  234
    Preparing an Existing Installation of Vista for BitLocker: The Easy Way  236
    Enabling BitLocker to Protect Your Laptop's Data in Case of Loss  236
    Using manage-bde.wsf to Protect Volumes other Than the Boot Volume  243
    Recovering a BitLocker System after Losing Your Startup Key or PIN  248
    Removing BitLocker Protection Temporarily to Install a BIOS or System Update  249
    BitLocker with TPM: What Does It Give You?  251
    BitLocker with EFS: Does It Make Sense?  252
    BitLocker for Servers  253
    Using BitLocker to Decommission a System  253
    PatchGuard  254
    What Is PatchGuard?  255
    Why Only 64-Bit?  257
    Why Third-Party Security Companies Don't Want to Use PatchGuard  257


    Summary  260
    Solutions Fast Track  260
    Frequently Asked Questions  263
Chapter 6 Microsoft Vista: Networking Essentials  267
    Introduction  268
    Not Your Father's TCP/IP Stack  268
    Limitations of IPv4  269
    Limited Address Space  269
    Security and Quality of Service  273
    Host and Router Configuration  274
    Introduction to IPv6 and Dual Layer  274
    Increased Address Space  275
    Built-in Security and QoS  276
    Windows Vista Support for IPv6  276
    Understanding the Dual-Layer Architecture  277
    Configuring IPv6 Using the GUI  278
    Configuring IPv6 from the Command Line  281
    Using the Network and Sharing Center  282
    Working with Network Sharing and Discovery  283
    Network Discovery  283
    Working with File and Printer Sharing  286
    Introducing Public Folder Sharing  287
    Password-Protected Sharing  288
    Media Sharing  289
    Working with Network Locations  289
    Using the Network Map  291
    Troubleshooting with the Network Map  292
    Working with the Windows Firewall  295
    Configuring the Windows Firewall  296
    Working with Built-In Firewall Exceptions  299
    Creating Manual Firewall Exceptions  302
    Advanced Configuration of the Windows Firewall  305
    Modifying IPSec Defaults  309
    Creating Connection Security Rules  317
    Creating Firewall Rules  325
    Monitoring the Windows Firewall  338


    Summary  340
    Solutions Fast Track  340
    Frequently Asked Questions  342
Chapter 7 Microsoft Vista: Wireless World  345
    Introduction  346
    What's New with Wireless in Vista?  346
    Native Wireless Architecture  347
    UI Improvements  348
    Wireless Group Policy  350
    Wireless Auto Configuration  350
    WPA2 Support  353
    Integration with NAP When Using 802.1x  353
    EAP Host Infrastructure  354
    Microsoft Vista Network Diagnostics Framework  354
    Command-Line Support  356
    Network Location Awareness and Profiles  358
    Next-Generation TCP/IP Stack  358
    Single Sign-on  358
    Wireless Security  358
    Wireless Ranges  359
    Why We Need Security  360
    The Two Main Security Threats: Access and Privacy  360
    Access  361
    Privacy  368
    WPA and WPA2 Modes  372
    Attacks against WPA  374
    Rogue Access Points  375
    Detecting and Protecting against Rogue Access Points  376
    Security Enhancements Using 802.1x/EAP  378
    EAP  378
    802.1x  379
    Network Group Policy Enhancements  380
    Mixed Security Mode  381
    Allow and Deny Lists for Wireless Networks  381
    Extensibility  382
    Wired LAN Settings  383


    Network Awareness  383
    Error Messages and Troubleshooting Improvements  383
    Configuring Wireless Security in Vista  384
    Configuring Wireless Security Using the Connect to a Network Dialog Box  385
    Configuring Wireless Security from the Command Line  391
    Summary  394
    Solutions Fast Track  394
    Frequently Asked Questions  396
Chapter 8 Microsoft Vista: Windows Mail  399
    Introduction  400
    Comparing Windows Mail with Outlook Express  400
    Database Architecture  402
    Loss Prevention and Identities  405
    Phishing Filter  414
    Scanning from the Start  415
    Working with Filtered Mail  417
    Junk Mail Filter  422
    SmartScreen  422
    Configuring Junk E-Mail Options  423
    Instant Search  429
    Basic Functionality  430
    Searching from within Instant Mail  432
    Summary  437
    Solutions Fast Track  437
    Frequently Asked Questions  439
Chapter 9 Microsoft Vista: Update and Monitoring Services  441
    Introduction  442
    Using Windows Update  444
    Windows Update Settings  445
    Installing Updates Automatically  447
    Choosing Whether to Install Downloaded Updates  448
    Checking for Updates but Choosing Whether to Download and Install Them  449
    Never Checking for Updates  450
    Using Microsoft Update  451


    Installing Microsoft Update  451
    Enabling and Disabling Microsoft Update  452
    Managing Updates  452
    Checking for Updates  452
    Installing Updates  453
    Viewing the Update History  455
    Restoring Hidden Updates  456
    Uninstalling Updates  457
    Scripting Windows Update Settings  460
    Enabling and Scheduling Automatic Updates  461
    Opt-In to Microsoft Update  463
    Using Windows Server Update Services (WSUS) and Vista  463
    Windows Server Update Services 2  464
    WSUS 2 Stand-Alone Installation  466
    WSUS 2 Active Directory Integration  472
    Administering WSUS  473
    Windows Server Update Services 3  481
    WSUS 3 Stand-Alone and Active Directory Installations  481
    WSUS 3 MMC 3.0 Administrative Interface  481
    Using Systems Management Server and Vista  491
    SMS 2003 and Vista  491
    System Center Configuration Manager 2007 Beta 1 and Vista  492
    Using Microsoft Operations Manager and Vista  493
    System Center Operations Manager 2007 RC2  494
    Monitoring Clients and Servers  495
    System Center Essentials 2007 Beta 2  497
    Using Third-Party Tools with Vista  497
    Altiris  498
    Installing the Altiris Client Management Suite  499
    Managing Vista Clients  500
    Software Delivery Methods  504
    Managing Software Updates  505
    Other Third-Party Tools  506
    Summary  507
    Solutions Fast Track  508
    Frequently Asked Questions  510


Chapter 10 Disaster Recovery with Exchange Server 2007  513
    Introduction  514
    Backing Up Exchange 2007 Using Windows 2003 Backup  514
    Backing Up an Exchange 2007 Mailbox Server  514
    Backing Up an Exchange 2007 Hub Transport Server  518
    Backing Up an Exchange 2007 Client Access Server  519
    Backing Up an Exchange 2007 Unified Messaging Server  522
    Backing Up an Exchange 2007 Edge Transport Server  523
    Restoring Exchange 2007 Storage Groups and Databases Using Windows 2003 Backup  523
    Repairing a Corrupt or Damaged Exchange 2007 Database Using Eseutil  527
    Restoring Mailbox Data Using the Recovery Storage Group Feature  533
    Managing Recovery Storage Groups Using the Exchange Troubleshooting Assistant  534
    Managing Recovery Storage Groups Using the Exchange Management Shell  543
    Recovering an Exchange 2007 Server Using the RecoverServer Switch  547
    Restoring and Configuring the Operating System  548
    Installing Exchange 2007 Using the RecoverServer Switch  549
    Recovering an Exchange 2007 Cluster Using the RecoverCMS Switch  551
    Restoring Mailbox Databases Using the Improved Database Portability Feature  552
    Summary  556
    Solutions Fast Track  556
    Frequently Asked Questions  560
Appendix A Microsoft Vista: The International Community  563
    Microsoft vs. The World: What's the Issue?  564
    Microsoft Vista: The EU Fixes  564


    The 2004 Ruling  564
    August 2003: A Preliminary Decision  565
    March 2004: The Ruling  565
    March 2004: The Punishment  569
    The March 2004 Ruling in Practice  570
    Vista  572
    Problems Begin  572
    Threats and a Response  574
    Four Areas of Concern  574
    October 2006: Microsoft's Concessions  576
    Immediate Results of the October Press Conference  578
    Putting Out Fire with Gasoline  579
    Initial Release of the PatchGuard APIs  581
    Microsoft and Japan  581
    The Raid in Tokyo  582
    The JFTC's Recommendation and Microsoft's Response  582
    Microsoft Vista: The Korean Fixes  583
    The Complaint  583
    The KFTC's Decision  584
    Two Versions of XP  584
    Two Versions of Vista  584
    Notes and Sources  585
    Microsoft Vista: The EU Fixes  585
    The March 2004 Ruling  585
    Vista  586
    The October Concessions  587
    Squabbling over Security  587
    Microsoft and Japan  589
    Microsoft Vista: The Korean Fixes  589
    Changes to XP  590
    Vista  590
    Summary  591
Appendix B Microsoft Vista: The EULA  593
    Introduction  594
    Criticism and Change  594


    Benchmark Testing  595
    Rigging the Tests  596
    Virtualization  597
    Virtualization Controls  598
    DRM and Virtualization  600
    Notes and Sources  601
    EULA Overview  601
    Benchmarking  601
    Virtualization  602
    Summary  602
Index  603

431_Vista_Fore.qxd

2/5/07

10:06 AM

Page xxv

Foreword

In 2001, the IT community was celebrating the long-awaited release of Microsoft's Windows XP. The release of Windows XP was a major milestone for Microsoft because it was the first time that the company had created an NT kernel-based operating system intended for both businesses and consumers. Windows XP was designed to render DOS-based operating systems such as Windows 9x and Windows ME obsolete forever. Sadly, the celebration was short-lived, though, as it became apparent that Windows XP and Internet Explorer were both plagued with security problems. At first these security problems were mostly a concern for businesses. It wasn't long, however, before consumers began to feel the consequences of these security holes as well. Nuisances such as Trojans, spyware, pop-ups, and browser hijackers quickly went from existing in relative obscurity to becoming an almost overnight epidemic.

In 2003, Microsoft was hard at work on Service Pack 2 for Windows XP, which was originally intended to consist of a set of critical security patches and hotfixes that had been rolled up into a service pack. But everything changed when the Slammer worm hit. The development team in Redmond was already hard at work on a new desktop operating system, code-named Longhorn (now known as Windows Vista). Longhorn was slated to include code that would prevent Slammer-type worms from being effective, but the new operating system was still years away from being ready to be released. Fearing another Slammer-type attack, Microsoft Vice President Jim Allchin made the decision to halt the development of Longhorn and mandated that much of the Longhorn code be adapted to Windows XP and included in Service Pack 2.


Service Pack 2 was released on August 6, 2004. However, the service pack didn't fix all of Windows XP's security problems, although it did help to some extent. In retrospect it was probably good that Microsoft created Service Pack 2 from Longhorn code. This strategy gave the company the chance to see that the code was not completely secure, thus providing Microsoft with a chance to rewrite the code prior to Vista's release.

All this hard work apparently has paid off, though. Windows Vista is the first desktop operating system released under Microsoft's Trustworthy Computing Initiative, and it is without a doubt the most secure OS that Microsoft has released to date. Even so, Vista isn't completely secure right out of the box. Like every previous Windows operating system, Vista is highly customizable, and the settings that you configure Vista to use play a role in how secure the operating system really is. For example, there will undoubtedly be security updates released for Vista as new security threats are discovered. If Vista isn't configured to receive these updates, though, then it will be less secure than an updated version of Vista.

That's where Microsoft Vista for IT Security Professionals is helpful. This book discusses all of the enhanced security mechanisms that are present in Vista. It also shows you how to configure these mechanisms for optimal security.

—Brien M. Posey
Vice President of Research and Development, Relevant Technologies
www.relevanttechnologies.com

www.syngress.com


About the CD

The CD icon that appears beside certain sections of the chapters in this book indicates that this material is available on the CD. The CD also includes scripts and other adjunct material. We hope this material is helpful to you.


431_Vista_01.qxd

2/2/07

1:18 PM

Page 1

Chapter 1

Microsoft Vista: An Overview

Solutions in this chapter:

■ The User Interface
■ Internet Explorer 7
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions


Introduction

The long-anticipated successor to Windows XP is just now making its debut to the world. Windows Vista has spent the last five years in development and has undergone many feature additions, deletions, and changes. Vista features a heavily altered core, and to many users it will look and feel entirely different. The fact is that Vista is still built on the now mature and robust Windows NT kernel. Vista is intended to improve reliability, security, and manageability. It also was designed to provide an improved user experience.

The reliability factor has long been an issue to most Windows users, and as sys admins we all have stories of failed systems and frequent BSODs. As sys admins we also understand that a truly effective operating system (OS) doesn't need to be rebooted or rebuilt on a regular basis; an effective OS provides a great user experience and wide application support, as well as a stable base on which to run those applications. The Windows NT kernel and its iterations, Windows 2000, Windows XP, and Windows 2003, have focused on improving the reliability of the OS with each release and with each service pack. Windows Vista again takes a much-needed step forward in reliability. Microsoft has built the code for Vista on top of Windows Server 2003 Service Pack (SP) 1. This design not only helps with reliability but also brings with it all the security improvements brought about by the Windows Server 2003 line of operating systems.

The recent focus of most electronic systems vendors has been security, security, security, and there is good reason for this push toward effective security controls for everything from electronic voting machines to home computers. The hacker is not a new enemy to computer systems, but the fact that electronic systems are now in use throughout our society makes available a host of new, poorly protected systems. The availability of high-speed Internet access is also a contributing factor. Previously, when people were connected to the Internet only via a slow dial-up connection for a couple of hours each night, hackers had a very small window of opportunity to attack home systems. Now, with ubiquitous always-on broadband connections, hackers have ample opportunity to attack home systems that rarely have strong security controls in place.

Windows Vista continues the efforts of the developers of Windows XP SP2 and Windows Server 2003 SP1. Vista includes an updated host-based firewall, User Account Control (UAC), Internet Explorer 7, and Windows Defender. Vista code also underwent an intensive code security audit process by Microsoft, and independent hackers in the security community were invited by Microsoft to attack Vista and make recommendations on how security could be improved. From these third-party suggestions came features such as Address Space Layout Randomization (ASLR), which helps protect systems from buffer overflow attacks by randomizing the addresses at which executables, DLLs, stacks, and heaps are placed, so that an exploit cannot rely on a hard-coded address for its return address or payload. ASLR raises the cost of exploiting an overflow rather than preventing the overflow itself. This isn't a new feature to operating systems in general; it has been used in Linux and BSD for some time now, but it is new to the Windows line of operating systems.

Manageability is another important subject related to administering Windows machines. Applying application and system patches is one of the main areas of concern when it comes to managing any OS. In previous versions of Windows, most application or system updates required a reboot of the entire system. With Vista, however, Microsoft has added the Restart Manager, which is called by the installer to look at a particular application or portion of the system and determine whether the update can be applied without rebooting the entire OS. The Restart Manager also helps in the event of a required reboot by taking a snapshot of the system and applications open on the machine. After the reboot the applications and any file resources that were in use by the system are reopened and presented to the user as if the machine had never been shut down. By separating user-mode and kernel-mode code and improving the isolation between the two, the developers of Vista have also changed the responsibility of third-party vendors.

Much concern has been expressed by the community as a whole about the requirements to run Vista. If you are wondering whether your system meets the requirements, Table 1.1 lists Microsoft's recommendations. You can also go to www.microsoft.com/windowsvista/getready/upgradeadvisor/default.mspx and the Upgrade Advisor will analyze your current system specs. Any new software will have a few bugs, and we did experience bugs when upgrading a current system from XP to Vista, but our fresh installation of Vista went very smoothly. We have installed Vista on several different systems and only experienced a few problems during the process. The only issue that we found was on an AMD system with an NVIDIA 7300 graphics card installed. Vista was unable to properly allocate system resources for the graphics card, resulting in a 4-bit default display. A quick search revealed that others were experiencing the same issue with Vista and this particular graphics processor. Unfortunately, no fix was available at the time of writing.

Minimum supported requirements for running Vista include an 800 MHz 32-bit (x86) or 64-bit (x64) processor; 512 MB of system memory; an SVGA (800 x 600) GPU; a 20 GB HDD with 15 GB of free space; and a CD-ROM optical drive. Table 1.1 lists the requirements that Microsoft recommends for new Vista installations and upgrades.


Table 1.1 Microsoft-Recommended Requirements for Running Vista

Component        | Windows Vista Capable PC | Windows Vista Premium Ready
Processor        | At least 800 MHz         | 1 GHz 32-bit (x86) or 64-bit (x64)
System memory    | 512 MB                   | 1 GB
GPU              | DirectX 9-capable        | DirectX 9-capable
Graphics memory  | (not listed)             | 128 MB
HDD              | (not listed)             | 40 GB
HDD free space   | (not listed)             | > 15 GB
Optical drive    | (not listed)             | DVD-ROM

For more information, visit the Vista Tech Center site at http://technet.microsoft.com/en-us/windowsvista/aa905075.aspx.

NOTE We were able to successfully run the 32-bit version of Vista on a machine with 10 GB of disk space and 512 MB of memory. The performance wasn’t ideal, but it was still usable, and we experienced no issues with installation or operation.
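Checking a fleet against Table 1.1 by hand does not scale, and the figures Vista cares about are all reachable through WMI. The following PowerShell script is an added example written for this edit, not code from the book or from Microsoft. It reads the processor speed, physical memory, graphics memory and system-drive size through the standard Win32_Processor, Win32_ComputerSystem, Win32_OperatingSystem, Win32_LogicalDisk, Win32_VideoController and Win32_CDROMDrive classes and compares them with the Premium Ready column of Table 1.1 (or, with -CapableOnly, the Capable PC column). Two assumptions are made: the Capable PC column lists no graphics-memory, disk or free-space figure, so those minimums are set to 0 in that mode; and DirectX 9/WDDM driver support is not exposed through WMI, so that row and the optical drive are reported for a manual check rather than scored.

```powershell
# Added example (not from the book): compare this machine with Table 1.1 via WMI.
# Usage:  .\Test-VistaReady.ps1               Premium Ready thresholds
#         .\Test-VistaReady.ps1 -CapableOnly  Vista Capable PC thresholds
param([switch]$CapableOnly)

# Thresholds copied from Table 1.1. The Capable PC column has no graphics memory,
# disk or free-space entry, so those minimums are 0 there (assumption).
$req = if ($CapableOnly) {
    @{ CpuMHz = 800;  RamMB = 512;  GpuMB = 0;   DiskGB = 0;  FreeGB = 0  }
} else {
    @{ CpuMHz = 1000; RamMB = 1024; GpuMB = 128; DiskGB = 40; FreeGB = 15 }
}

$cpu = Get-WmiObject Win32_Processor | Select-Object -First 1
$cs  = Get-WmiObject Win32_ComputerSystem
$os  = Get-WmiObject Win32_OperatingSystem
$sys = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"
$gpu = Get-WmiObject Win32_VideoController | Select-Object -First 1
$odd = Get-WmiObject Win32_CDROMDrive

# One entry per scored row of Table 1.1: measured value, unit, and the minimum.
$checks = @(
    @{ Item  = "Processor ($($cpu.Name.Trim()), $($cpu.AddressWidth)-bit)"
       Value = [int]$cpu.MaxClockSpeed;              Unit = 'MHz'; Min = $req.CpuMHz },
    @{ Item  = 'System memory'
       Value = [int]($cs.TotalPhysicalMemory / 1MB); Unit = 'MB';  Min = $req.RamMB },
    @{ Item  = "Graphics memory ($($gpu.Name))"
       Value = [int]($gpu.AdapterRAM / 1MB);         Unit = 'MB';  Min = $req.GpuMB },
    @{ Item  = "HDD ($($sys.DeviceID))"
       Value = [int]($sys.Size / 1GB);               Unit = 'GB';  Min = $req.DiskGB },
    @{ Item  = 'HDD free space'
       Value = [int]($sys.FreeSpace / 1GB);          Unit = 'GB';  Min = $req.FreeGB }
)

$failed = 0
foreach ($c in $checks) {
    $ok = $c.Value -ge $c.Min
    if (-not $ok) { $failed++ }
    '{0} {1,-48} {2,6} {3} (min {4} {3})' -f $(if ($ok) { 'OK  ' } else { 'FAIL' }),
        $c.Item, $c.Value, $c.Unit, $c.Min
}

# WMI reports neither DirectX/WDDM capability nor whether a drive reads DVDs,
# so these two rows are listed for a manual check instead of being scored.
'INFO Optical drive(s): ' + (($odd | ForEach-Object { $_.Caption }) -join ', ')
'INFO GPU DirectX 9 / WDDM driver support: verify with dxdiag'

if ($failed) { "$failed requirement(s) below the Table 1.1 threshold" }
else         { 'All scored requirements in Table 1.1 are met' }
```

Run it from an elevated prompt on the candidate machine; pushing it out through a logon script and collecting the output is the quickest way to find the machines that will need a memory or disk upgrade before the rollout. Win32_VideoController.AdapterRAM is a 32-bit value, so adapters with 4 GB or more are under-reported, which does not matter at the 128 MB threshold.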

Microsoft offers six different versions of Vista for consumers and business users (see Table 1.2). The Home versions will fit into the same niche that Windows XP Home Edition fit into; unfortunately, they both lack some of the higher-end features that power users desire. For example, the Home Basic version is intended for people who just want to surf the Web, have e-mail access, and create documents, whereas the Home Premium version includes features for users who are interested in using the system for video, music, and mobile computing. The Vista Business edition is more centered on typical business use. It lacks the media center features of the Home Premium edition. Windows Ultimate edition is for power users who require all the features. The unfortunate reality of this highly diverse field of editions is that most users will end up either missing out on features they desire or simply shelling out more money for the Ultimate edition. For example, Home Premium doesn't include Remote Desktop; the lowest-cost edition to support Remote Desktop is the Business edition, which doesn't include the media center features. To have both features, users will need to get the Ultimate edition. Another example is the lack of BitLocker drive encryption in the Business edition, a feature that you would expect to see in the purported "business" edition of a product. Vista also comes in an Enterprise edition, which is available to large enterprise customers through the volume licensing program. The Enterprise edition includes support for things such as BitLocker drive encryption, OS deployment features, and advanced application compatibility. It also includes the right to run four virtual operating system sessions without the need to purchase more licenses from Microsoft. Table 1.3 lists the retail and upgrade prices of the different versions of Vista.

Table 1.2 Vista Features

Feature                                                                 | Home Basic | Home Premium | Business | Ultimate
Windows Defender and Windows Firewall                                   | x          | x            | x        | x
Instant Search and Windows Internet Explorer 7                          | x          | x            | x        | x
Elegant Windows Aero desktop experience with Windows Flip 3D navigation |            | x            | x        | x
Windows Mobility Center and Tablet PC support                           |            | x            | x        | x
Windows Meeting Space                                                   |            | x            | x        | x
Windows Media Center                                                    |            | x            |          | x
Windows Media Center output on TVs, Xbox 360, and other devices         |            | x            |          | x
Advanced business backup features                                       |            |              | x        | x
Business networking and Remote Desktop                                  |            |              | x        | x
Windows BitLocker Drive Encryption                                      |            |              |          | x


TIP Choosing an edition for your personal needs will be somewhat difficult, but using the information in Table 1.2 and in the comparison chart located at www.microsoft.com/windows/products/windowsvista/editions/choose.mspx will help you in the process. If you are a home user who needs only basic Web and e-mail capability, then the Home Basic edition is probably right for you. On the other hand, if you are an amateur film guru, you will probably want the Home Premium or Ultimate edition.
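The BitLocker gap in Table 1.2 is the one that bites security teams: a laptop bought with Business installed cannot be encrypted with BitLocker no matter how it is configured, and an inventory of what edition is actually deployed is the first step of any whole-disk encryption plan. The following PowerShell script is an added example written for this edit, not code from the book or from Microsoft. It reports the installed edition from Win32_OperatingSystem and then queries the BitLocker WMI provider, which is only registered on editions that ship BitLocker. It assumes the Vista OperatingSystemSKU edition identifiers documented for Win32_OperatingSystem (1 Ultimate, 2 Home Basic, 3 Home Premium, 4 Enterprise, 6 Business, 11 Starter) and the provider namespace root\cimv2\Security\MicrosoftVolumeEncryption with its Win32_EncryptableVolume class.

```powershell
# Added example (not from the book): report the installed Vista edition and whether
# BitLocker is available on it, using only standard WMI classes.
$os = Get-WmiObject Win32_OperatingSystem
'{0}  build {1}  {2}' -f $os.Caption, $os.BuildNumber, $os.OSArchitecture

# Win32_OperatingSystem.OperatingSystemSKU edition ids for Vista (assumed from the
# class documentation). Cast to [int]: the property is a UInt32 and would not match
# the Int32 keys of the hashtable otherwise.
$sku = @{ 1 = 'Ultimate'; 2 = 'Home Basic'; 3 = 'Home Premium'
          4 = 'Enterprise'; 6 = 'Business'; 11 = 'Starter' }
$edition = $sku[[int]$os.OperatingSystemSKU]
if (-not $edition) { $edition = "unknown SKU $($os.OperatingSystemSKU)" }
"Edition: $edition"

# Only Enterprise and Ultimate register the BitLocker provider; on the other
# editions the namespace does not exist and the query throws, which we catch.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
try {
    $vols = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction Stop
    foreach ($v in $vols) {
        # ProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown
        $state = switch ([int]$v.ProtectionStatus) {
            1       { 'BitLocker protection on' }
            0       { 'BitLocker protection off' }
            default { 'BitLocker protection status unknown' }
        }
        '{0,-4} {1}' -f $v.DriveLetter, $state
    }
    if (-not $vols) { 'BitLocker provider present, but no encryptable volumes reported' }
} catch {
    "BitLocker is not available on this edition ($edition); " +
    'plan on Enterprise or Ultimate for whole-disk encryption, or fall back to EFS'
}
```

Run it once per machine before you buy or image; an Ultimate or Enterprise box with "protection off" on every volume is a candidate for the BitLocker procedures in Chapter 5, while a Business or Home machine will have to be re-licensed first. The edition-id lookup is what a GPO-driven deployment can branch on, since the provider query alone cannot distinguish "not licensed" from "not yet enabled" without the try/catch.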

Table 1.3 Vista Pricing

Vista Edition        x64 Version   Licensing Available                            Retail Price   Upgrade Price
Vista Starter        No            Select countries only, with new PC purchase    N/A            N/A
Vista Home Basic     Yes           Retail                                         $199           $99.95
Vista Home Premium   Yes           Retail                                         $239           $159
Vista Business       Yes           Retail                                         $299           $199
Vista Enterprise     Yes           Volume license only                            N/A            N/A
Vista Ultimate       Yes           Retail                                         $399           $259

Whether to upgrade is a big question that everyone will be asking this year. To answer that question, first you need to make sure your computer has the recommended hardware to run Vista; if it doesn't, you will need to upgrade or purchase a new computer. If your computer runs fine on its current OS, you could find it difficult to justify switching to Vista. It may be a good idea to wait and see how Vista fares in the community before considering an upgrade. Microsoft is shipping 32- and 64-bit versions of Vista, and consequently, there are a few things to remember. In the long term, the 64-bit version of Vista will help move companies and vendors to the next generation of computer hardware. But if you move to a 64-bit version now, you need to be sure all the applications and hardware you need to run have 64-bit support. There also is no support in the 64-bit version for 16-bit DOS and Windows applications.

The User Interface

The new user interface, Vista Aero, is much different from the current XP interface. The new interface implements the functionality of currently available 3D graphics accelerators, thereby enabling Vista to provide the following features:
■ Translucent window frames
■ Live previews of documents
■ Live previews of windows
■ Scalable icons

Figure 1.1 displays the main logon window that appears when Vista starts. Users of current Linux distributions will find this interface familiar. From this screen you can enter your password and press Enter or click the right-facing Arrow button to log on. This screen also enables you to shut down, restart, or put the computer to sleep by using the red button at the bottom of the screen.

Figure 1.1 Main Logon Screen


One of the main issues with Vista is the new logon process. Many users and sys admins are not happy with having to relearn, or reeducate users on, how to log in. Another problem with the logon screen, when the system is a member of a domain, is the extra button presses required to log in as a different user. In previous versions of Windows, logging in as a different user was as simple as typing in that user name, entering the password, and pressing Enter. Now the user must click the Switch User button and choose Other User, at which point the user will be allowed to enter a new username (Figure 1.2). The next area of concern is related to the new logon process. To log in to the local machine instead of the domain, users have to enter their usernames in the machine\username format. Many sys admins have expressed concern over having to remember and correctly type the machine name of each computer under their control.

TIP Yes, a shortcut does exist for the aforementioned problem. To log in as a user on the local machine, simply type .\ and the username. The dot is simply a shortcut specifying the local machine. See Figure 1.2 for an example of this step.

The button at the bottom left of the screen takes you to the Ease of Access Center, where you can select various options to make your computer easier to use (see Figure 1.3). These options include the familiar Sticky Keys, Filter Keys, and High Contrast settings. Another option is the Narrator, which will read screen text, user input, and system messages aloud.


Figure 1.2 Log On under Different User by Using the Dot-Slash Trick

Figure 1.3 Ease of Access Center


The Welcome Center

After you have successfully logged in, you are taken to the Welcome Center, shown in Figure 1.4. The Welcome Center is new with Vista, and it provides a quick view of the computer's hardware, as well as quick access to many of the initial functions most users will want to perform after installing a new system. At the bottom of the Welcome Center, you can deselect the option to have the Welcome Center start at startup.

Figure 1.4 The Welcome Center

With this new interface, Microsoft has been able to put useful information into places where users can find it quickly and easily. Everyone knows that sometimes it can be frustrating trying to find the information you are looking for in Windows XP. But it appears that Microsoft listened to its customers when deciding how to build Vista.This also aids in the migration to Vista, since a lot of the standard functions users are used to performing a certain way have changed significantly with Vista. For example, setting up a network connection is wildly different from any previous version of Windows, and Microsoft hopes to make it easier to perform using the Welcome Center. A useful function is the Files and Settings transfer wizard.


Other new functions are available for changing display settings and viewing the hardware installed on the system. Figure 1.5 shows the basic information concerning our computer. We were able to access this information quickly and easily by clicking on the Show more details arrow in the top right of the Welcome Center. The information in Figure 1.5 represents what most users need to know concerning their hardware and software. This information is the same data that one would access in Windows XP by going to System in the Control Panel or by right-clicking on My Computer.

All Programs shows you the familiar list of programs available in the current Start menu, but without drawing extra drop-down menus across the user's screen (see Figure 1.6). From this list you can select an available program to run, or you can click on a subfolder such as Accessories, which brings up the list of programs available under the Accessories folder. Moving the Start menu away from submenus and toward a simple and familiar folder-based layout makes it much easier for new users to grasp, but this new feature might cause a bit of confusion for existing users, who will need to relearn the structure once again.

Figure 1.6 The Start Menu

TIP Remember that after you click on a folder within the Start menu, you can just click the Back button at the bottom of the screen to move back one level.


User Accounts

Selecting the user icon at the top right of the Start menu (refer to Figure 1.6) will take you to the User Accounts screen (see Figure 1.7). This screen provides the user with quick access to account management in Vista without having to go into the Control Panel. From this screen the user can add or delete users, change passwords, change user pictures, and manage account permissions. UAC can also be enabled or disabled from this screen.

Figure 1.7 User Accounts Screen

This screen will differ depending on whether your system is a member of a domain or in a simple workgroup. Figure 1.7 shows the User Accounts screen when the system is joined to a domain. To change a password, the user will need to press Ctrl+Alt+Del and select Change a Password. To change advanced user settings, click Manage User Accounts, which will launch the User Accounts property page (Figure 1.8). From this page we can add and remove local users, change group membership, reset passwords, turn the "press Ctrl+Alt+Del to log on" feature on or off, and launch the Local User Management Console. The Local User Management Console is the familiar user management interface that most sys admins will want to use to control local accounts (Figure 1.9). From this interface you can quickly alter user settings, create new users, reset passwords, change group membership, and create new groups. This console is a Microsoft Management Console (MMC) 3.0 snap-in. MMC 3.0 is available for download for Windows XP and Windows Server 2003. It also is included in Windows Server 2003 R2, Windows Vista, and Windows Server Longhorn by default.


Figure 1.8 User Accounts Property Page

Figure 1.9 Local User Management Console


Internet Explorer 7

Microsoft recently released another long-awaited software package, Internet Explorer (IE) 7. IE 7 is available through Windows Update for Windows XP and Windows Server 2003, and Windows Vista will ship with the new version of Internet Explorer. Microsoft has improved Internet Explorer with new features and options. Internet Explorer 6 was plagued by security issues, and sys admins have been just as focused on the security of IE 7 as they have been on Vista's security. Some of the security features included in IE 7 are an improved pop-up blocker and the antiphishing filter. There have also been changes in the way IE asks users for input when a suspect digital certificate is encountered or an ActiveX control needs to be installed. These changes all aim to increase the overall security of IE 7 as well as the systems running the browser.

Internet Explorer 7 Features

Internet Explorer 7 also aims to improve the user's experience. Microsoft has been pushing for a change in its basic user interface by eliminating the standard menu system present at the top of program windows. The familiar menus (File, Edit, View, etc.) have been cast aside for context- and task-oriented systems. The first program to make these changes was Windows Media Player 10, but IE 7 and Office 2007 have quickly followed suit. The change is quite a departure from the way users are used to navigating and interacting with programs in Windows, and it will be interesting to see if the community can adapt. Internet Explorer 7 also introduces tabbed browsing, a feature that will be familiar to users of Firefox and Opera. Tabbed browsing consolidates newly opened pages into a single main window.

TIP To turn the menu bar on for quick access to the File, Edit, View, Favorites, Tools, and Help menus, simply press the Alt key. Press the Alt key again to hide the bar. If you wish to turn the menu bar on by default, simply click Tools and select Menu Bar. See Figure 1.10.


Figure 1.10 Internet Explorer 7

RSS Feeds

RSS feeds allow Web sites and users to subscribe to content on the Web that is of interest to them. Many news sites and blogs offer this feature so that users can receive updated stories and content as soon as it is posted to the feed. This technology is also employed by many news aggregators that offer quick views of the top stories from many different news sites. Internet Explorer 7 provides new features to support RSS feeds from your favorite sites. The RSS Feed feature in IE 7 is simply an addition to the Favorites bookmark feature in IE. Feeds are separated from your standard bookmarks, and as the content in the feed is updated, the link to that feed is also updated. In Figure 1.11 we have navigated to www.digg.com, a popular news site that aggregates news stories from many different sources on its main page. As you can see, the RSS Feed icon, the icon sandwiched between the Home Page and Printer icons, is no longer grayed out as in Figure 1.10. This means there is an RSS feed, or multiple RSS feeds, available on this page.


Figure 1.11 RSS Feed Icon

Clicking the RSS Feed icon will take you directly to the RSS feed Web page (Figure 1.12). If you aren't subscribed to this feed, you can select Subscribe to this Feed, which will bring up the Subscribe to this Feed dialog box (Figure 1.13). From the Subscribe to this Feed dialog box, you can assign a name to the feed and choose where to file the feed under the Feeds section of your Favorites Center. To subscribe to this feed, click Subscribe, and the feed will be added to your Favorites Center. After you subscribe to feeds, IE 7 will monitor these feeds for changes and provide notification of updated content by showing the feed in bold text in the Favorites Center (Figure 1.14).


Figure 1.12 RSS Feed from a Web Page

Figure 1.13 Adding an RSS Feed


Figure 1.14 Viewing RSS Feeds

If you right-click on the RSS feed in your Favorites and select Properties, you will see the box shown in Figure 1.15, which lists the RSS feed properties for that Web page. From this page, you can select when and how many times the RSS feed should be updated throughout the day. This feature will help those RSS feed junkies who have hundreds of feeds. You can also select how many items from each feed you want to remain archived on your system.

Figure 1.15 RSS Feed Properties


Pop-up Blocker

A Pop-up Blocker comes with Internet Explorer 7 to help you with all of those nasty pop-ups you're prone to getting when you surf the Web. Within Internet Explorer 7, you can control the Pop-up Blocker by going to the Tools setting on the far right of Internet Explorer 7 and selecting Pop-up Blocker Settings. From here, you can change how the Pop-up Blocker works on certain sites (see Figure 1.16).

Figure 1.16 Pop-up Blocker Settings

Phishing Filter

Also new with Internet Explorer 7 is a Phishing Filter that helps you understand which Web sites are safe to visit and which are trying to steal information from you. Phishing is an attempt by hackers to obtain sensitive user information such as passwords and credit card information while masquerading as a trustworthy person or business. The Phishing Filter in Internet Explorer 7 is turned on by default, but you can turn it off from the Tools setting on the far right of the Internet Explorer screen. Figure 1.17 shows the icon you will see at the top of Internet Explorer 7 if there is a problem with a Web site you're visiting. Figure 1.18 shows different icons that you might see while surfing with the Phishing Filter turned on.


Figure 1.17 The Phishing Filter Indicating that There Is a Problem with This Web Site

Figure 1.18 Phishing Filter Icons


Summary

Windows Vista represents Microsoft's view of the future of computing. With Vista, Microsoft wants to improve the user's experience, as well as change the minds of the public about the insecurity and reliability of Windows operating systems. Microsoft has taken a hard stance on security through an improved code review process and the employment of third-party individuals to scrutinize its software. The implementation of innovative security controls such as ASLR and a layered approach to total system security has also helped Microsoft produce a much more secure OS. Microsoft is also seeing the benefit of having a code base that is now maturing and becoming more robust with each release and service pack. Vista also includes several mature add-on products such as Internet Explorer 7 and Windows Media Player 11. IE 7 offers users improved security and a much more efficient user interface with features such as tabbed browsing and the phishing filter. Are these new features enough to warrant an upgrade in the home or office, though? This is the battle that Microsoft must now fight. Wide adoption of Vista will be slow at first, and the main source of new Vista machines will not be users upgrading their current systems. Most new Vista machines will be from OEMs such as Dell and Gateway. Another factor will be the fact that DirectX (DX) 10 will not be available for Windows XP. Gamers will need to upgrade their systems with new graphics cards as well as Vista to support DX 10 and the new games coming out that will take advantage of DX 10. The next year will be interesting for Microsoft and the IT world in general. Most sys admins will choose to wait before fully adopting Vista as their platform of choice. What happens in the first year, how many security flaws and bugs are found, and how Microsoft responds to those issues will greatly affect the choices of many IT departments.

Solutions Fast Track

The User Interface
■ The new Aero user interface in Windows Vista is nice to work with and provides useful system information at your fingertips.
■ The new tree-like menu in the Start menu works well and eliminates the old problem of clicking on the wrong program or file.


■ The Ease of Access Center is where you can select various options to make your computer easier to use.

Internet Explorer 7
■ Microsoft has updated Internet Explorer with a Phishing Filter and a Pop-up Blocker to help users secure their surfing on the Internet.
■ Tabbed browsing allows you to surf the Web with multiple tabs open, but within one Internet Explorer application.
■ The new RSS Feeder is a great feature for people who are on the go and like to get their news automatically delivered to their computers.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: How can I determine whether upgrading to Windows Vista is right for me?

A: First, you need to make sure your computer has the recommended hardware to run Vista; if it doesn't, you will need to upgrade your computer or purchase a new computer. If your computer runs fine on its current OS, you could find it difficult to justify switching to Vista. It may be a good idea to wait until some of the bugs are worked out of Vista before considering an upgrade.

Q: Do I need to upgrade my computer to the specifications that Microsoft has published, or will Vista crash on me?

A: You should always go by the hardware requirements put forward by the vendor. This will ensure that the software will operate correctly when installed on the computer.

Q: I really don't like Internet Explorer 7. Will Firefox run on Vista?

A: Yes, it will, and we have been using it on our test box with no problems so far.


Q: Is it better for me to go with a 64-bit or a 32-bit version of Vista?

A: We recommend the 32-bit version for now because there are still many programs and hardware devices that are not supported on 64-bit Windows. If you have researched what programs and hardware devices are supported and feel comfortable going with the 64-bit version, then the 64-bit version may be right for you.

Q: Can I expect any glitches when upgrading from XP to Vista?

A: We experienced only a few when we upgraded to Vista in our lab. When we did a fresh install, we had no problems.

Q: I was told that Vista is a memory hog and that it would crash computers with less than 1 GB of RAM. Is this true?

A: We ran Vista on a machine with only 600 MB of RAM and it ran okay, but remember, when you add more programs, you need more RAM.


Chapter 2

Microsoft Vista: The Battle Against Malware Lives On

Solutions in this chapter:
■ Malware Fundamentals
■ Improvements in Internet Explorer 7
■ Windows Security Center
■ Windows Defender
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions


Introduction

Microsoft's Vista is by far the most secure version of its client-based operating system (OS) to date. Living by its motto of "Trustworthy Computing," Microsoft has taken many steps to bring new levels of security to the Windows Vista base OS. Along with other tools and programs, Microsoft has released Internet Explorer 7, which is the most secure version of the famous browser released to date. Microsoft has also updated and released a plethora of documentation on the company's main Web site and on TechNet in coordination with the Vista release, to help you harden and prepare your system for use on the Internet or on a corporate network. With all of these tools, documentation updates, and newly developed forms of technology and security, you should be wondering why we still have to deal with so many computer-related issues. The fact is that every time we browse the Internet, we open our doors to danger. It's also a fact that we may never catch up to quell the growing threat. In the world of IT, the playing field is constantly changing, so as code becomes more bloated and newer features are added, more exploits follow. Newly made software and software that has been updated will always have issues that will be resolved only through update installations, hotfixes, service packs (SPs), and/or complete OS or program upgrades. As this chapter's title implies, the battle against malware does in fact live on. You do have an option to protect yourself, though. Security is not only a practice, it's also a mindset. Those of you who leave your front doors open and unlocked invite danger. This doesn't mean you will inevitably be a target; it just means you are making it easier to become a target.

It's always better to make sure your assets are secure before inviting danger. You can apply the same way of thinking to your Internet surfing habits. Knowing that you could be a victim every time you venture onto the Web will help you develop a mindset to make sure your doors are locked before you do. By preparing for risk, you will ultimately be more secure. To lessen the risk of attack, you would want to ensure that your OS is secure and hardened and that the Web browser you use will not invite danger. You will also want to make sure you aren't surfing sites where you may be an even bigger target, such as downloadable warez sites, pornographic content sites, and similar download sites. These are generally havens for unwanted malware. With Microsoft's new tools and more secure software, you are definitely going to be able to lock your doors at night and feel better about your security posture. If you also apply common-sense browsing skills to your Web surfing, you could very well keep your OS malware-free for a long period of time. With the release of Microsoft's Vista OS, security has once again been brought to a new level. When Microsoft started to take security extremely seriously (after its federal antitrust case), the biggest area that needed work was its Web browser. From its inception, Internet Explorer has been the target of many exploits. Due to its widespread deployment (it came with the base OS and was one of the first browsers available for use), Internet Explorer became the biggest target of exploit writers. Because of its flawed code and many bugs, exploit writers had no problem creating one exploit after another, with no end in sight. Tie in that the Internet is the main catalyst in an ever-changing world of technology and you can clearly see why Internet Explorer has had so many problems to date. This would also explain why other browsers had not seen as many exploits as Internet Explorer did. They just weren't as big a target and, to some extent, may have been programmed better. Ever since Microsoft invested considerable time, money, and resources into securing its software, each release has gotten better and less susceptible to attack and exploit. This obviously doesn't stop the ongoing plague of exploits that surface each month; it only helps to "stem the tide." Because malicious software (malware) is an ongoing problem and one that is growing each year, Microsoft has stepped up to the challenge once again with its newest releases of Vista and Internet Explorer Version 7. In this chapter, we will look at how Vista and Internet Explorer make for a safer browsing experience, and how Microsoft is combating problems with malware.

NOTE When you connect to the Internet, you are connecting to one of the biggest networks in use today, aside from the public telephone system. Millions of people use the Internet each day. Therefore, you need to take securing your computer, your data, and your identity seriously. To remain secure you should constantly stay abreast of threats by keeping your system updated with antivirus definitions and other updates, and exercise due diligence by making sure you do not visit questionable sites. Stay vigilant, because all you need to do is let your guard down once and you could infect your system with so much malware that you may have to completely reinstall your OS.

Malware Fundamentals

Intruders, hackers, or attackers who access networks and systems without authorization and with malicious motives can plant various types of programs to cause damage to the network, your system, and your data. These programs—often lumped together under the general term viruses—perform many different functions and are classified under different categories. In this section, we will look at how granular the term malware can actually be. It's important to have a general understanding of the different classifications of malware, and it's equally important to understand their general behavior. Malware is any software product or program that has been created with an intent to cause damage or harm. The word malice is a legal term used to define the intention of one party to harm or cause injury to another party. When applied to computer technology, the word holds equal meaning. A malicious party creates software to cause havoc on any host that downloads and installs it, whether knowingly or unknowingly. When discussing malware, it's important to classify it. The term malware is generally used to describe a broad spectrum of different types of software, such as computer viruses, Trojans, worms, adware, and spyware. Just about any form of hostile, intrusive, or annoying software or program code can be classified as malware.

NOTE You should not confuse malware with defective software, which is software that has a legitimate purpose but contains bugs that cause the program not to work as advertised. Malware is intended. A software bug is not intended.

Viruses, Worms, and Trojan Horses

Many of the original MS-DOS-based viruses and other types of malware were written as experiments intended to be either harmless or destructive, and many were created as simple and harmless pranks. As time went on, the level of skill used to create such malware grew by leaps and bounds, and the severity of each payload grew exponentially as well. This inevitably caused many software programmers to stop coding, learn security fundamentals, and start coding again while applying those fundamentals. Because it appeared that the exploit writers were outpacing the software developers, this practice became "mandatory" within Microsoft's own camp.


Notes from the Underground…

Vista Is Still Susceptible to Older Malware

Since its release, Microsoft Windows Vista has already been reported to be affected by old malware. In particular, Vista has been found to be susceptible to three common malware exploits:
■ Stratio-Zip W32/Stratio-Zip is a family of Zip files containing worms in the Stration family.
■ Netsky-D W32/Netsky-D is a worm that spreads via e-mail. When e-mailing itself, the worm can spoof the sender's e-mail address.
■ MyDoom-O W32/MyDoom-O is an e-mail worm that creates a file named services.exe in the Windows or Temp folder, and then runs the file. Services.exe is a backdoor component. The worm then searches the hard disk for e-mail addresses.

When deploying Vista, be aware that although malware defense has been fortified, it still has its faults. For more information on this subject, visit www.sophos.com/pressoffice/news/articles/2006/11/toptennov.html and http://news.zdnet.co.uk/security/0,1000000189,39284939,00.htm.
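The MyDoom-O note gives a defender something concrete to look for: the genuine Windows services.exe lives only in the System32 folder, so a copy sitting in the Windows folder itself or in a Temp folder is worth investigating. The following Python script is an added example, not code from the book or from Microsoft: it walks a directory tree and reports every services.exe found outside the expected System32 location. The folder layout it scans is constructed in a temporary directory so the script runs offline; the assumed legitimate location (Windows\System32) and the two drop sites come from the note above.

```python
import os
import tempfile
from pathlib import Path


def find_misplaced_services_exe(root, expected_dir):
    """Walk `root` and return every services.exe that is NOT inside `expected_dir`.

    Rationale (from the MyDoom-O note): the worm drops a backdoor named
    services.exe into the Windows or Temp folder. The genuine Windows binary
    lives only in System32 (an assumption stated here, not taken from the
    book), so any copy elsewhere deserves a closer look.
    """
    expected = Path(expected_dir).resolve()
    suspicious = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() != "services.exe":
                continue
            location = Path(dirpath).resolve()
            if location != expected:
                suspicious.append(location / name)
    return sorted(suspicious)


def build_constructed_tree(base):
    """Create a constructed, offline stand-in for a Windows system drive.

    Three copies of services.exe are written: the legitimate one in System32
    and two decoys in the locations the note describes. A fourth, unrelated
    file is added to show that the check ignores other names.
    """
    base = Path(base)
    for rel in ("Windows/System32/services.exe",   # legitimate location
                "Windows/services.exe",            # drop site named in the note
                "Windows/Temp/services.exe",       # drop site named in the note
                "Windows/System32/svchost.exe"):   # unrelated file, must be ignored
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed placeholder, not a real binary")
    return base


def run_check(base=None):
    """Build the constructed tree and return misplaced copies relative to it."""
    if base is None:
        base = tempfile.mkdtemp(prefix="vista-hunt-")
    base = Path(build_constructed_tree(base)).resolve()
    hits = find_misplaced_services_exe(base, base / "Windows" / "System32")
    return sorted(hit.relative_to(base).as_posix() for hit in hits)


if __name__ == "__main__":
    # On a real Vista machine you would point find_misplaced_services_exe at
    # the system drive root and C:\Windows\System32 instead of the sample tree.
    for hit in run_check():
        print("suspicious copy:", hit)
```

The check is deliberately name-based and cheap; in practice it is a triage step, and any hit should be followed by inspecting the file's hash and digital signature before drawing conclusions.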

Young, inexperienced software programmers and script kiddies learning about viruses and the techniques used to write them were getting more advanced as the tools they created or had at their disposal expanded in number. Some of these malware attacks proved to hurt a global economy that now thrived on the use of the Internet. As time went on, a chase seemed to ensue, and it appeared as though the exploit writers were outpacing the products' legitimate software development teams. As the use of the Internet exploded, it seemed as though malware grew more and more destructive on a daily basis. Newer exploits were coming out rapidly that were designed to destroy files on a hard disk or to corrupt the file system so that it could not be used. Viruses were created to cause traffic flooding to legitimate Web servers, putting them out of business. The list goes on and on. It wasn't until malware became extremely destructive that action was taken on a grand scale. In 1999, Melissa (a well-known computer virus) really showed us how fast (and far) a virus could spread. It also showed us how vulnerable our systems were to attacks that could hurt a company's bottom line. Melissa was the first virus to be widely disseminated via e-mail. It is a macro virus, written in Visual Basic for Applications (VBA), and it was embedded in a Microsoft Word 97/2000 document. When the infected document was opened, the macro ran (unless Word was set not to run macros), sending itself to the first 50 entries in every Microsoft Outlook MAPI address book it could find. These included mailing list addresses, which resulted in very rapid propagation of the virus. The virus also made changes to the Normal.dot template, which caused newly created Word documents to be infected. Because of the huge volume of mail it produced, the virus caused a denial of service (DoS) attack on infected e-mail servers.

Are You Owned? Script Kiddies and DoS Attacks

A script kiddie is an inexperienced hacker who uses already developed tools and methods to exploit a system or penetrate a system’s defenses, instead of creating those tools and methods on his own. Advanced hackers and code programmers are generally considered to be elite. These experienced individuals can create a rootkit, whereas a script kiddie will only obtain and execute it. A DoS attack is an attack on a network or system that is designed to tie up the system’s or network’s resources so that legitimate requests for service cannot be answered. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks, and steps they can take to attempt to prevent the attacks. Since 2003, the majority of widespread viruses and worms have been designed to take control of users’ computers for use in DoS attacks to hide the identity of the true attacker. Infected computer system hosts (called zombies) are used to send large amounts of data, spam, pornography, and other random data to legitimate hosts. A DoS attack is usually sourced from one or multiple locations to attack a single location. A distributed denial of service (DDoS) attack is the “distributed” form of the same attack, using multiple zombie hosts to perform a larger-scale attack more quickly.

Viruses

A virus is a malicious program that is commonly installed on a target host with the intent to cause harm or damage. A virus (just like the medical version of the term) infects the host, usually by being installed by the end user of the target host. A virus is almost always executed by the end user without him knowing the true intention of the malware. Viruses are made to perform undesirable actions. Viruses are also created to replicate themselves, infecting other systems by writing themselves to any disk that is used in the computer or sending themselves across a network when activated. Viruses are often distributed as attachments to e-mail or as macros in word processing documents easily sent via e-mail and opened by unsuspecting e-mail users. Some viruses activate immediately on installation, and others lay dormant until a specific date or time, or until a particular system event triggers their payload. Viruses come in literally thousands of varieties. They can do anything from sending a pop-up message on your desktop to scare you (which is considered a prank), to erasing the entire contents of a computer’s hard disk (which is considered destructive and harmful). The proliferation of computer viruses has also led to the phenomenon of the virus hoax, which is a warning—generally circulated via e-mail or Web sites—about a virus that does not exist or that does not do what the warning claims it will do. A hoax can have the same malicious effect as a real virus: the end user is tricked into damaging the target system himself, without the hoax author writing any software tool at all. In the past, some of these hoaxes have prompted computer users to manually delete needed system files, either because they sounded malicious or because the icon image they used by default looked malicious. Real viruses, on the other hand, present a real threat to your network. Companies such as Symantec and McAfee make antivirus software that is aimed at detecting and removing virus programs, and is updated daily to thwart newly created ones, which seem to also come out on a daily basis.

TIP Because new viruses are created constantly, it is very important to download new virus definition files regularly. These updates contain information required to detect each virus type, to ensure that your virus protection stays up-to-date, and to take action when certain parameters are tripped.

Although viruses come in many varieties, they can be classified into four general categories: e-mail-based, boot sector-based, application-based, and macro-based. The common thread that holds these types together is that they need to be executed on the target host.

■ E-mail viruses: E-mail viruses are transmitted via e-mail and contain a payload that is activated when the end user is provoked to activate it, or when something in the e-mail client and how it reads e-mail (and scripts) activates the payload upon delivery or viewing, without opening the e-mail (such as with an automatic reading pane found in most e-mail clients).

■ Boot sector viruses: Boot sector viruses are often transmitted via disk. The virus is written to the master boot record on the hard disk, from which it is loaded into the computer’s memory every time the system boots.

■ Application or program viruses: Application viruses are executable programs that, when run, infect your system. Viruses can also be attached to other, harmless programs and installed at the same time the desirable program is installed.

■ Macro viruses: Macro viruses are embedded in documents (such as Microsoft Word documents) that can use macros, which are small applications or “applets” that automate the performance of some task or sequence. Although Microsoft Office documents are not executable files, they can contain macros. Thus, Office documents should be treated as though they are executables, unless the ability to run macros is disabled in the Office program.

WARNING A virus can be programmed to mutate into something else, and can be written with defense mechanisms to protect itself from detection and/or deletion. One type of virus that can avoid detection is called a polymorphic virus. Polymorphic viruses are written to use encryption routines that constantly change to avoid detection.

Worms

Worms are ugly, regardless of whether they are dangling from a fish hook or taking down your public Internet connection. Worms can also be very destructive. History has shown us that since its inception, the worm has consistently transferred itself over networks to infect target hosts, whereas common viruses typically infect a single target host only. The worm is then transferred via e-mail or floppy disk to other hosts in hopes that they become infected as well. A worm is written to propagate quickly, and to infect as many target hosts via propagation as possible, thereby causing as much turmoil as possible. Although the line between malware terms such as worm and virus is sometimes blurred, this is the major distinction between the two. A worm is programmed to “scan” the network from the infected host to find other hosts with open and vulnerable services and ports. As an example, a worm may infect a target host via a network port and then find 30 hosts on the connected subnet with the same open port. Once this criterion is met, the worm then propagates to those 30 hosts, and so on. Examples of this come in the form of the Sasser and Slammer worms. The Sasser worm exploited Transmission Control Protocol (TCP) port 5554. The Slammer worm exploited a known SQL Server vulnerability by sending a single packet to User Datagram Protocol (UDP) port 1434.

TIP Although most ports are programmable, many well-known services operate on designated ports, such as the domain name system (DNS), which operates on TCP and UDP port 53. For a complete list of these default port assignments, visit the IANA Web site, www.iana.org/assignments/port-numbers.

The worm first surfaced at the turn of the century. In 2001, worms such as Code Red started to pop up at an alarming rate. This self-propagating worm began to infect Microsoft-based Web servers running Internet Information Server (IIS), and because so many such servers were in use, the virus spread extremely quickly. On various trigger dates, the infected machines would try to connect to TCP port 80 (used for Web services) on computers with randomly selected Internet Protocol (IP) addresses. When successful, the worm attempted to infect any remote system it could find and connect to. Some variations of the worm also defaced Web pages stored on the server as a form of digital graffiti. On other dates, the infected machine would launch a DoS attack against a specific IP address embedded in the code. CERT (www.cert.org) reported that Code Red infected more than 250,000 systems over the course of nine hours on July 19, 2001. Then came Nimda—a newly created worm used to take advantage of known flaws within the Microsoft OS. In late summer 2001, the Nimda worm infected numerous computers running Windows 95/98/ME, NT, and 2000. The worm made changes to Web documents and executable files on the infected systems and created multiple copies of itself. Nimda spread via e-mail, across network shares, and via infected Web sites. It also exploited vulnerabilities in IIS versions 4 and 5 and spread from client machines to Web servers through the backdoors left by the Code Red II worm. Nimda allowed attackers to then execute arbitrary commands on IIS machines that had not been patched, and denials of service were caused by the worm’s programmed payload. As the IT community repaired systems at a feverish rate to recover from Code Red and Nimda, Klez reared its ugly head. In late 2001 and early 2002, the Klez worm spread throughout the Internet, primarily via e-mail. It propagated through e-mail mass mailings and exploited vulnerabilities in unpatched versions of the Outlook and Outlook Express mail clients, attempting to run when the message containing it was viewed or previewed in the preview pane. When Klez runs, it copies itself to the System or System32 folder in the system root directory, and modifies a Registry key to cause it to be executed when Windows is started. It also tries to disable any virus scanners and sends copies of itself to addresses in the Windows address book, in the form of a random filename with a double extension (for example, file.doc.exe). As though this wasn’t harmful enough, the worm had a secret payload, which executed on the thirteenth day of every other month, starting with January, resulting in files on local and mapped drives being set to 0 bytes in length. Worm outbreaks have become a cyclical plague for both home users and businesses, and have been eclipsed only recently in terms of damage by spyware.

As they were from inception, today most worms are commonly written for the Windows OS, although a small number are also written for Linux and UNIX systems, such as 2005’s Lupper, which was aimed at the growing use of Linux Web servers in the marketplace.

NOTE The words virus and worm are often used interchangeably. Today some draw the distinction between viruses and worms by saying that a virus requires user intervention to spread, whereas a worm spreads automatically. Using this distinction, infections transmitted by e-mail or Microsoft Word documents, which rely on the recipient opening a file to infect the system, would be classified as viruses, not worms.

Trojan Horses

For a malicious program to accomplish its goals, it must be able to do so without being shut down by the user or administrator of the computer on which it’s running. Concealment is a major goal of a malware creator. When a malicious program is disguised as something innocuous or desirable, users may be tempted to install it without knowing what it does. When reflecting on history, the documented first use of the Trojan horse was when the Greeks gave their enemies (the Trojans) a gift during the Trojan War. The gift (a gigantic wooden horse) was given in peace so that the Trojans would bring it into their stronghold, but at night, when the city slept, the Greek soldiers snuck out of the back of the horse and attacked and then captured the city of Troy. This is how the Trojan horse exploit performs. The Trojan horse will appear harmless enough for the recipient to install, because it hides its true intention, which is based on malicious activity. The Trojan horse conceals a harmful or malicious payload within its seemingly harmless shell. The payload may take effect immediately and can lead to many undesirable effects, such as deleting all of the user’s files, or more commonly, installing further harmful software on the user’s system for future payloads.

Tools and Traps… Rootkits, Backdoors, and Keyloggers

Malware can be very nasty, especially when it and its payload are concealed. For instance, consider the use of rootkits, backdoors, and keyloggers:

■ Rootkits: A rootkit is a form of malware that hides its presence on the target host. Now used as a general term, its original meaning was a set of tools installed by an attacker on a UNIX system where the attacker had gained administrator (root) access. Today rootkit is used as a general term to describe any concealed malware on any type of system, such as UNIX or Windows. Rootkits act by modifying the host OS so that the malware is hidden from the user. Rootkits remain undetected and can prevent a malicious process from being reported in the process table.

■ Backdoors: A backdoor is a routine used to sidestep the normal authentication procedure found on most systems to keep them secure. Backdoors are just as dangerous as rootkits. Generally, backdoors are network-aware programs that allow an attacker access into the target system without the target system’s user knowing about it. Many software manufacturers preinstall backdoors on their products to provide technical support for customers. The malware version performs the same function, but is definitely not used to provide you with any support.

■ Keyloggers: A keylogger is a form of malicious software that monitors what a user types on his keyboard. This will generally lead to the compromise of sensitive information, such as user credentials (usernames and passwords) and other sensitive data. Sometimes keyloggers are also implemented in hardware connected to the back of a PC or server without the user’s knowledge.

Trojans can be very cleverly disguised as innocuous programs, utilities, or screensavers. A Trojan can also be installed by an executable script (JavaScript, a Java applet, an ActiveX control, etc.) on a Web site. Accessing the site can initiate the program’s installation if the Web browser is configured to allow scripts to run automatically. Trojans can use the default behavior of Windows to disguise their true nature. Because the file extension (the characters that appear after the last dot in a filename) is hidden by default, a hacker can name a file something such as harmless.jpg.exe and it will appear in Windows Explorer as harmless.jpg, seeming to be an innocent graphics file, when it is really an executable program. Of course, double-clicking it to open the “harmless picture” will run the program. Trojans that are designed to allow hackers to gain unauthorized access across a network, such as Back Orifice and NetBus, are sometimes called remote access Trojans (RATs). Back Orifice, Back Orifice 2000, NetBus, and SubSeven were the most commonly used Trojans of their time, although literally hundreds exist. Newer Trojan horses, such as Xombe and DloaderL, both of which arrive as an executable attachment in spam e-mail messages claiming to come from [email protected], are meant to wreak havoc by fooling you into thinking that the attachment legitimately came from Microsoft. Because the spoofed e-mail address “seemed” legitimate, many were fooled into executing the attachment, which can be thought of as any system administrator’s nightmare.


NOTE Hackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors, hackers use either a Trojan horse or a computer virus, with the payload being the backdoor routine.

Trojan horses known as droppers are used to initiate a worm outbreak, by injecting the worm into users’ local networks. Spyware is commonly distributed as a Trojan horse, bundled with a piece of desirable software that the user downloads from the Web, or from a peer-to-peer file-sharing network such as LimeWire (www.limewire.com). When the user installs the software, the spyware is installed alongside it. Spyware authors who attempt to act legally may include an End User License Agreement (EULA) which states the behavior of the spyware in loose terms, but with the knowledge that users are unlikely to read or understand it.

Spyware and Adware

Somewhere along the malware timeline, virus and exploit writers started to shift gears from attacking with a purpose, such as harm and damage, to just getting paid. Spyware and adware have become lucrative business ventures for those who have tried it and were successful at it. Spyware programs are designed to monitor users’ Web browsing habits and then market relevant advertisements to these users based on their browsing history. Some spyware programs display unsolicited advertisements and then trick or force the user to click on them. Some are even self-activated. Other forms of spyware are intelligent enough to redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses do; they are generally installed by exploiting known security holes or are packaged with software that the end user downloads and installs onto the target host. Spyware programs are usually installed as Trojan horses, meaning you believe you are installing software that does a specific function, but in the background, other functions are taking place. Spyware differs from standard viruses in that its creators present themselves openly as businesses, whether legitimate or not. Spyware exploits are also used to obtain user information. Similar to how cookies help to aid your browsing experience, spyware does the same by analyzing what sites you go to and what your browsing habits are. However, it then invades your privacy further by not only using that information to market products to you, but also avoiding deletion or removal so that you cannot remove it. A cookie, on the other hand, is generally pretty easy to deny or delete, especially with Internet Explorer 7.

NOTE A cookie is a very small text file that a Web server hosting a site deposits on your computer when you visit that site. A cookie contains information about the user, such as user IDs, preferences, and browsing history.

Some spyware can trick you by changing your search engine results to paid advertisements that benefit the spyware creator. Others change the affiliate marketing codes so that all revenue goes to the spyware creator instead of to you. This is sometimes called stealware. You can use spyware detection programs such as third-party vendor tools (e.g., Ad-Aware; www.lavasoftusa.com), or you can use Microsoft Defender in conjunction with SpyNet to help with your spyware woes. Similar to antivirus software, spyware removal programs compare a list of known spyware with files on your computer and then remove any that they detect. Antispyware programs can prevent spyware from being installed, but the best strategy is to carefully examine and analyze what you choose to download and install.

WARNING Most spyware programs present the user with a EULA that purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court. Stanford (http://cyberlaw.stanford.edu/packets003459.shtml) and Yale (http://research.yale.edu/lawmeme/modules.php?name=News&file=article&sid=1652) have both released data on how EULAs and law hold up when malware is a concern.

Botnets

Much like the DDoS attack, the botnet is a program that will facilitate an attack from coordinated systems. Software robots (or bots, for short) are controlled via a botnet. In a botnet, the malware logs on to an Internet Relay Chat (IRC) channel or other chat-based system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to antivirus and antispyware software or other security measures.

TIP Attackers are using IRC as a main transport for their malware. IRC robots (bots) are used to execute commands on host systems over IRC without the users’ knowledge. IRC is a large-scale network of text channels used for communication. To learn more about botnets, IRC, and other malicious code, visit the forums at www.ryan1918.com and www.irchelp.org.

Prevention and Response

Before we get into how Microsoft’s new products can help you reduce the threat of malware, it makes sense to discuss prevention and response first. As mentioned earlier, staying secure is a two-step dance. You need good software that protects you, and the mindset to protect your surfing habits. Protecting systems and networks from the damage caused by Trojans, viruses, and worms is mostly a matter of common sense. It’s up to you to prevent harm by being aware of it, and then being able to respond to it and make the systems (or network) operational without any downtime, if possible. Although there are many ways to protect yourself and your system using Microsoft’s tools, it always helps to practice some of the following general security practices as well:

■ Periodically update every piece of software you install on your system, as well as the OS itself. You can do this by installing the latest updates, hotfixes, security patches, and service packs (SPs) that are available for your software. Keep on top of when new patches come out, and test and then install the current patches to keep your system at its best.

■ When you are using your e-mail client, pay close attention to “who” is sending you e-mail and “where” the e-mail originates. Because e-mail can be spoofed, you may not always be able to do this, but in most cases, a spam filter can quickly identify unspoofed e-mail and send it right to the trash or automatically remove it.

■ If you receive files from sources that you do not recognize, it’s wise not to execute them. Instead, delete them. In other words, if someone sends you a file such as harmless.jpg.exe, delete it rather than executing it, because it bears the hallmarks of typical malware intended to get you to launch it.

■ When using your e-mail client, turn off any preview pane functionality so that you do not open, and therefore execute, any attached scripts simply by opening your Inbox.

■ To prevent macro viruses, ensure that macro security is enabled in Office so that opening a Word document does not automatically run a malicious script that may be contained within it.

■ Do not use floppy disks from untrusted sources. Also, pay attention to any file that enters your system from any source, whether it is a CD or DVD-ROM, USB flash device, or something similar.

■ Use host-based intrusion detection/prevention (IDS/IPS) software if possible, as well as antivirus software and spyware removal software such as Microsoft Defender.

■ Harden your systems and disable unneeded or unwanted services.

■ Use a strong password policy. If malware does attempt to steal your credentials, having a strong password policy in place will help you if your system does become infected.

■ Configure your Web browser (such as Internet Explorer 7) to ignore or warn for cookies, and disable JavaScript and ActiveX, two commonly exploited scripting languages. Keep a close eye on sites that are not trusted and try to block sites that you know are malware-infected.
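The double-extension disguise behind the harmless.jpg.exe advice above (and the Klez-style file.doc.exe names in the Trojan horse section) can be screened for automatically. The following Python is an added example, not code from the book: the two extension sets are my own illustrative lists, and SAMPLE_ATTACHMENTS is constructed input.

```python
"""Screen e-mail attachment names for the double-extension disguise.

Added example for this chapter, not code from the book. It models the trick
the text describes: Windows Explorer hides the last extension by default, so
harmless.jpg.exe is displayed as harmless.jpg, and Klez-style mailers send
random names with a double extension such as file.doc.exe. Both extension
sets below are illustrative lists of my own, not a complete policy.
"""

# Extensions Windows runs directly or hands to a script host (illustrative).
EXECUTABLE_EXT = frozenset(
    {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "hta"}
)
# Extensions a user reads as an ordinary picture or document (illustrative).
BENIGN_LOOKING_EXT = frozenset(
    {"jpg", "jpeg", "gif", "png", "bmp", "doc", "xls", "ppt", "pdf", "txt", "htm", "html"}
)

# Constructed attachment names for the demonstration; not from any real message.
SAMPLE_ATTACHMENTS = ["quarterly.pdf", "harmless.jpg.exe", "invoice.exe",
                      "file.doc.exe", "readme"]


def explorer_display_name(filename):
    """Return the name as Explorer shows it with 'Hide extensions for known
    file types' enabled: the final extension is dropped, so harmless.jpg.exe
    is shown as harmless.jpg."""
    base, dot, _ = filename.rpartition(".")
    return base if dot and base else filename


def classify_attachment(filename):
    """Return (verdict, reason) for one attachment name.

    'block'  - an executable hiding behind a benign-looking inner extension
    'review' - an undisguised executable (still rarely legitimate in mail)
    'ok'     - anything else
    """
    name = filename.strip()
    parts = name.lower().split(".")
    exts = [p for p in parts[1:] if p]      # drop empty pieces from trailing dots
    if not exts:
        return "ok", "no extension"
    final = exts[-1]
    if final not in EXECUTABLE_EXT:
        return "ok", f".{final} attachment"
    if len(exts) >= 2 and exts[-2] in BENIGN_LOOKING_EXT:
        shown = explorer_display_name(name)
        return "block", (f"executable disguised as a .{exts[-2]} file; Explorer with "
                         f"hidden extensions shows it as {shown!r}")
    return "review", f"executable attachment (.{final})"


def attachments_to_delete(names):
    """Apply the chapter's advice to a list of attachment names: return the
    ones to delete rather than execute, in their original order."""
    return [n for n in names if classify_attachment(n)[0] == "block"]


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        verdict, reason = classify_attachment(n)
        print(f"{n:20} {verdict:7} {reason}")
    print("delete:", attachments_to_delete(SAMPLE_ATTACHMENTS))
```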

You may also want to make sure your network is secure. Some more advanced practices include the following:

■ Configure your routers, switches, and other adjoining network hardware to be secure, which means locking down services, keeping the router or switch OS updated, and applying any security measures such as disabling broadcasts on certain interfaces, applying access control lists (ACLs), and so on.

■ Disable the Simple Network Management Protocol (SNMP) and any other services that you do not need.

■ Make sure any e-mail relays in use are protected and aren’t being used to send spam.

■ Use application gateway firewalls to protect against large-scale attacks.

■ Apply defense in depth. Using a firewall alone is almost meaningless. You need to ensure that you have multiple levels of security in place, such as desktop policies, a firewall, and an IDS.

■ Use a security policy and keep it updated. Security is upheld only when it’s supposed to be, so make sure your company has a policy in place that dictates what needs to be secured and how it needs to be secured.

■ Make sure you have an incident response plan ready, with detailed steps and a team that can carry it out. Your goal should be to prevent a crisis if you can, but your real responsibility when dealing with incident response concerns the response; in other words, taking care of the issue either while it is happening or after it has happened.

TIP Creating backups of your important data is one place to start. Incident prevention and risk mitigation begin with your proactive planning. A great response to an attack that destroys your company’s important data is a backup that restores that data to its original state.

Incident Response

Recognizing the presence of malicious code should be your first response step if the system does get infected. Administrators and users need to be on the alert for common indications that a virus might be present, such as missing files or programs; unexplained changes to the system’s configuration; unexpected and unexplained displays, messages, or sounds; new files or programs that suddenly appear with no explanation; memory “leaks” (less available system memory than normal) or unexplained use of disk space; and any other odd behavior of programs or the OS. If a virus is suspected, a good antivirus program should be installed and run to scan the system for viruses and attempt to remove or quarantine any that are found. Finally, all mission-critical or irreplaceable data should be backed up on a regular basis in case all of these measures fail. Remember that virus writers are a creative and persistent bunch and will continue to come up with new ways to do the “impossible,” so computer users should never assume that any particular file type or OS is immune to malicious code. There is only one way to completely protect yourself against a virus, and that is to power down the computer and leave it turned off entirely.

TIP You may want to consider creating an incident response plan as well as an incident response team for your future incident endeavors. You should also review “Creating a Computer Security Incident Response Team: A Process for Getting Started,” released by CERT (www.cert.org/csirts/Creating-A-CSIRT.html).

Microsoft Vista and Security

The battle against malware rages on, but new weapons have been pushed to the front line. For Windows Vista, many new security features (as well as some updated ones) help to protect computer systems from past, present, and future malware threats of any class. Behind the actual making of the software was a major plan to shift the way Microsoft does business in the security sector. Now, making a secure, private, and reliable computing experience has become the company’s top priority and has been dubbed “Trustworthy Computing.” To preserve data confidentiality, integrity, and availability (CIA), Windows Vista brings a new level of confidence to computing through improved security, reliability, and management. It achieves this by establishing innovative engineering, applying best practices, and creating a system where the OS can be updated and maintained consistently to avoid intrusion or exploitation. New features include:

■ Windows Service Hardening (WSH): Windows Service Hardening limits the amount of damage an attacker can do if a service is compromised.

■ Network Access Protection (NAP): Network Access Protection is used to prevent clients from connecting to the network if they are infected with malware.

■ Internet Explorer 7: Internet Explorer 7 comes with Windows Vista by default as the built-in Web browser. It includes many security enhancements that protect users from malware attacks such as phishing and spoofing, and it uses a new mode, called Protected Mode, to further secure the user’s browsing experience.

■ Updated Windows Firewall: The new outbound filtering feature in the personal firewall helps to apply more granular control over traffic traversing it.

■ User Account Control (UAC): This feature allows a user to change computer settings while running as a standard user, instead of requiring administrator privileges to perform most tasks.

■ Windows Defender: The Windows Defender utility detects malware on your system and, when used in conjunction with SpyNet, can help to eliminate most spyware attacks and exploits.

Other features within Vista help to secure the system as well; however, these are the ones that relate directly to the battle against malware.

Windows Service Hardening (WSH) For a long time, malware seemed to be connected to Windows-based services. Because Windows services have always been an open door for malware creators, Microsoft took steps to ensure that this doesn’t continue to be a problem. In the past, there has been a major issue with the number of critical services running as System, which basically gave an open door to anyone who could bypass the minimal security in place. The Sasser, Blaster, Slammer, and Code Red exploits targeted unprotected and easily exploited services. WSH is a new service released with Windows Vista that allows you to harden the security posture of your host system. It’s not realistic to leave a PC powered down and not in use, because this goes against what a computer was originally designed to do, which is to help you be more productive. The computer was not meant to act as a 150-pound paperweight. Microsoft has raised the bar on system service hardening by releasing WSH.

A system service is normally a background process that runs to support specific functions, such as the Messenger service that is used to send and receive messages throughout the system. In the past, services have been able to be exploited because once they were breached they basically opened the door to the system for the malware creator. Now, WSH focuses on using the least-privileged account—for example, LocalService. To further understand how this works, consider that the hardened service would be protected via a service SID whose access is governed by ACLs. The service would use an SID, an ACL, and a “write-restricted token” to further harden and protect the system from exploitation. Microsoft’s system services have been the base for many attacks because of the high level of privileges these services run with. If exploited, some services can give unfettered access to the entire system. The malware can then run with the highest possible system privileges, or LocalSystem privileges. Once the system has been exploited, the attacker can run exploits on the system with administrator privileges. Worms such as Slammer exploited known system service holes. System services are kept secure with Windows Vista through the use of restricted services. This is done by running the services used with the “least privilege” needed, which reduces the risk of a threat. Using restricted services minimizes the number of exploitable services that are running and helps to secure the ones that do run. Windows services are run under service profiles that help to classify the service further so that the Vista OS has full control over its own services, further limiting malware exploitation. Used in conjunction with the newly updated Windows Firewall, inbound and outbound network ports that the services are allowed to use are now under Vista’s control.
If a system service attempts to send and receive network data on a specific port that it is not allowed to use, the firewall will block access. The commonly exploited Remote Procedure Call (RPC) service is an example. When RPC is needed, it will be loaded and “restricted” to doing only certain things. No longer can it be used to replace system files and other data, modify the system Registry, and so on. WSH is important to Vista’s overall security because even if you cannot prevent your system from being infected by malware, at least now you have a good feeling that if the system does get infected, the payload will not be as extreme as it used to be with older versions of the Windows OS. WSH also opens the door for independent software vendors (ISVs) to develop components and programs that are secure and will not cause issues for Windows Vista. WSH (in conjunction with other new security features) provides an additional layer of protection which builds on the defense in depth principle. Defense in depth is a general security term that means applying many levels of security to enhance your security posture. Do not rely on one form of security, such as a firewall, to protect you. Incorporate other forms of security so that you do not have all your eggs in one basket. With WSH, Vista adds another layer of security to the system, which can help thwart future attacks and exploits even further.
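As an added example (not code from the book or from Microsoft), the following Windows PowerShell script audits the service hardening state the section describes: for each service it reports the logon account and the service SID type that sc.exe qsidtype returns, and rates LocalSystem services without a restricted SID as the ones worth reviewing. It assumes Windows PowerShell 3.0 or later, sc.exe on the path, and an elevated prompt; the risk rating is a heuristic of this example, not a Microsoft classification.

```powershell
# Added example, not code from the book: audit how services are hardened on a
# Vista-or-later host. Assumes Windows PowerShell 3.0+ (for Get-CimInstance)
# and sc.exe on the path; run from an elevated prompt to query every service.

function Get-ServiceSidType {
    param([Parameter(Mandatory = $true)][string]$Name)
    # "sc.exe qsidtype <name>" prints a line like "SERVICE_SID_TYPE:  RESTRICTED".
    # The value is NONE (no per-service SID), UNRESTRICTED, or RESTRICTED
    # (write-restricted token, the WSH configuration the text describes).
    $output = & sc.exe qsidtype $Name 2>&1 | Out-String
    if ($output -match 'SERVICE_SID_TYPE:\s*(\w+)') { return $Matches[1] }
    return 'UNKNOWN'
}

function Get-ServiceHardeningReport {
    # Win32_Service exposes the logon account (StartName) of every service
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $sidType = Get-ServiceSidType -Name $_.Name
        $account = $_.StartName
        # Heuristic rating (this example's own, not a Microsoft classification):
        # LocalSystem without a restricted SID is the broad-token configuration
        # WSH is meant to replace; a service with no SID at all cannot be
        # ACL-restricted; everything else matches the least-privilege shape.
        $risk = if ($account -eq 'LocalSystem' -and $sidType -ne 'RESTRICTED') { 'High' }
                elseif ($sidType -eq 'NONE') { 'Medium' }
                else { 'Low' }
        [pscustomobject]@{
            Name    = $_.Name
            Account = $account
            SidType = $sidType
            State   = $_.State
            Risk    = $risk
        }
    }
}

# Show running services, riskiest first, so the ones worth reviewing are on top
$order = @{ High = 0; Medium = 1; Low = 2 }
Get-ServiceHardeningReport |
    Where-Object { $_.State -eq 'Running' } |
    Sort-Object @{ Expression = { $order[$_.Risk] } }, Name |
    Format-Table -AutoSize
```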

Network Access Protection (NAP) NAP is used to prevent clients from connecting to the network if they are infected with malware. NAP is a policy enforcement platform incorporated into Windows Vista as well as Windows Server 2007 (codenamed Longhorn). By enforcing compliance with very specific system health requirements, Vista is able to help prevent malware from accessing the rest of the network and attached systems. NAP can help verify that each computer connected to the network is malware-free; if it is not, it will not be allowed to connect to the network and further infect other systems. Until the system checks out as malware-free, it will not be allowed to use the network or its services.

WARNING Vista supports NAP with limited functionality. You will need to use Windows Server 2007 to provide full network access protection because this is used as the NAP policy server.

Improvements in Internet Explorer 7 With the release of Windows Vista, you can expect to use the newest and most secure version of Microsoft’s Web browser to date. New features in Internet Explorer 7 help to prevent the inception and spread of malware. To help protect a user’s personal information and the security of Vista in general, Internet Explorer 7 comes with many new advances in security and tools to help prevent or limit damage from an attack. One simple change is with the Secure Sockets Layer (SSL) protection offered when using the browser. Commonly, a padlock icon will show up in the bottom of the browser indicating that you are entering a “secure” site that uses encryption technologies. Now, the new security status bar helps by showing you in clearer terms that a site you are visiting is safe. The padlock also appears closer to the top of the browser and is highlighted blue when safe. This is but one very simple example of things that have changed to make your browsing experience easier and safer.


Browser Behavior When surfing the Internet, it’s easy to visit sites that you think are safe, but are not. These sites can introduce malware when you click on the site itself, when you download a file from the site manually and install it, or worse, when you are conned into believing that the site you’re visiting is a real site, but in fact is nothing more than a fake used to garner your personal information.

Browser Exploits Web browsers are client programs, such as Internet Explorer, Netscape, and Opera, that connect to servers running Web server software (such as IIS or Apache) and request Web pages via a URL, which is a “friendly” address that represents an IP address and particular files on the server at that address. The browser receives files that are encoded (usually in Hypertext Markup Language [HTML]) and must interpret the code or “markup” that determines how the page will be displayed on the user’s monitor. Browsers are open to a number of attack types. The embedded scripts (and even some of the markup language) can be used to exploit your browser. With Internet Explorer 7, new tools such as the Phishing Filter help to thwart these attacks. Early browser programs were fairly simple and could be exploited by using minimal techniques. Today’s browsers are highly complex, signaling the need to secure them even further. These newer browsers are capable of not only displaying text and graphics, but also playing sound files and movies and running executable code. The browser software also usually stores information about the computer on which it is installed, as well as the user (via data stored as cookies on the local hard disk), which can be uploaded to Web servers—either deliberately by the user, or in response to code on a Web site. These characteristics serve useful purposes. Support for running code (as “active content” such as Java, JavaScript, and ActiveX) allows Web designers to create pages that interact with users in sophisticated ways. Cookies allow users to set preferences on sites that will be retained the next time they visit the site. However, hackers and attackers can exploit these characteristics in many ways. For example, an attacker can program a Web site to run code that transfers a virus to the client computer through the browser, erases key system files, or plants a “backdoor” program that then allows the hacker to take control of the user’s system.

Web Spoofing Web spoofing is a means by which an attacker is able to see and even make changes to Web pages that are transmitted to or from another computer (the target machine). These pages include confidential information such as credit card numbers entered into online commerce forms and passwords that are used to access restricted Web sites. JavaScript can be used to route Web pages and information through the attacker’s computer, which impersonates the destination Web server. The attacker can send e-mail to the victim that contains a link to the forged page, or put a link into a popular search engine. SSL doesn’t necessarily prevent this sort of “man in the middle” attack; the connection appears to the victim to be secure, because it is secure. The problem is that the secure connection is to a different site than the one the victim thinks he is connecting to. Hyperlink spoofing exploits the fact that SSL doesn’t verify hyperlinks that the user follows, so if a user gets to a site by following a link, he can be sent to a spoofed site that appears to be legitimate. Web spoofing is a high-tech form of con artistry. The point of the scam is to fool the user into giving confidential information such as credit card numbers, bank account numbers, or Social Security numbers (SSNs) to an entity that the user thinks is legitimate, and then using that information for criminal purposes such as identity theft or credit card fraud. The only difference between this and the “real-world” con artist who knocks on a victim’s door and pretends to be from the bank, requiring account information, is in the technology used to pull it off. Certain clues may tip off an observant victim that a Web site is not what it appears to be, such as the URL or status line of the browser. You may think you are going to a Web site simply because it’s listed in the URL field, while in another location on the browser, it’s indicated that you are going to a different URL. An attacker can also use JavaScript to cover his or her tracks by modifying these elements from your view.
An attacker can even go so far as to use JavaScript to replace the browser’s menu bar with one that looks the same but replaces functions that provide clues to the invalidity of the page, such as display of the page’s source code. Later versions of browser software have been modified to make Web spoofing more difficult. Older browsers are highly vulnerable to this type of attack. Improvements in Internet Explorer thwart spoofing attacks, because now you can check the validity of each site you visit.

Configuring Internet Explorer Securely Now that you have a clear understanding of the types of malware in existence and the steps Microsoft has taken to prevent you from being exploited, let’s discuss how to configure and use these tools and settings. With Internet Explorer 7, there are many ways to improve security. Internet Explorer 7 in Windows Vista represents a major step forward in browser security and privacy protection. All of Internet Explorer 7’s security features revolve around making your computer and Web browsing experience all that it can—and should—be.

Protected Mode Internet Explorer 7 has a new mode, called Protected Mode. When in Protected Mode, the browser will run without fear of malware taking over with elevated privileges. In addition to providing a more secure architecture in which to work, Protected Mode also assists with handling and verifying any scripted or automated action that would move data around the system, such as from the Temporary Internet Files folder, a haven for malware. Figure 2.1 shows the browser with Protected Mode enabled (or on) by default.

Figure 2.1 Internet Explorer’s Protected Mode

ActiveX Opt-In Internet Explorer 7 allows for tighter control and security when working with ActiveX components. Many attacks have exploited ActiveX in the past. ActiveX components can handle file download and installation for the computer user. Although this is handy, malware takes full advantage of it whenever it can. ActiveX runs only on Microsoft-based systems, as it is made and updated by Microsoft in a proprietary fashion. A new feature called ActiveX Opt-In will disable all ActiveX controls that haven’t been prescreened. In other words, if an ISV does not preset the control to work with Vista and Internet Explorer 7, it will not work. In fact, the security status information bar in Internet Explorer 7 will give you the option to work with each ActiveX control on a case-by-case basis. This allows the user to know exactly what each control is doing, what’s being installed, and so on.

NOTE ActiveX is a software technology developed by Microsoft that enables Internet Explorer to download applets and other tools and programs to be used with the browser to display pictures and video as examples. These programs are similar to Java applets, although Java is not constrained to using Microsoft-based products only.


Fix My Settings Nothing could be easier than pressing one button to accomplish multiple tasks. Toward that end, Internet Explorer 7 has a new feature called Fix My Settings, which allows you to adjust the browser’s default settings with just a single click. Used with the Security Status Bar, Fix My Settings helps users quickly determine whether a Web site is authentic and whether changes to their settings by a site are appropriate, and will even suggest settings for the user. Figure 2.2 shows the Fix My Settings feature in action. If you visit a Web site that is questionable and Internet Explorer believes you may be at risk, the Security Status Bar will warn you of danger and give you options to fix or avert the danger. Here, you can see the Fix Settings for Me option, which will walk you through adjusting your settings so that you are not exploited.

Figure 2.2 Internet Explorer’s Fix My Settings Feature

If you have issues with your browser, you can always reset it from within the Internet Options settings found in Internet Explorer, by going to the Tools menu and selecting either the Security tab (which will allow you to reset the zone directly) or the Advanced tab (where you can choose the Restore advanced settings option). Then, you can turn your browser back to the manufacturer’s settings, as shown in Figure 2.3.

Figure 2.3 Internet Explorer’s Restore Advanced Settings Option


Security Status Bar As mentioned earlier, the new Security Status Bar used with Internet Explorer 7 keeps an eye out for you as you browse, and makes suggestions based on your browsing habits. In other words, if Internet Explorer feels you are at risk, it will warn you and suggest a way to protect yourself from the possible threat. The Security Status Bar operates by alerting you to issues that it believes may harm your system, and gives you options to help you navigate a potential issue. Users can now very quickly be warned about Web sites that are either authentic or spoofed/malicious in nature. By enhancing access to digital certificate information, which in turn helps validate the trustworthiness of e-commerce Web sites, you can now shop online with more confidence.

Windows Defender Windows Defender enhances security and privacy protections when used with Internet Explorer 7. Although we will cover Windows Defender in more depth later in this chapter, it’s important to know how it works with Internet Explorer 7 to secure your browsing experience. Windows Defender is Microsoft’s new spyware destroyer. When used with Internet Explorer 7, Windows Defender can help to scan all data traversing the browser for malware signatures. If it finds such a signature, it will work with Internet Explorer 7 and help you rid yourself of it. Defender will also keep an eye on spyware that is attached to (piggybacking onto) legitimate software which tries to install without your knowledge.

NOTE Windows Defender is a powerful new tool and we will cover it later in this chapter. Be aware, however, of how it ties into Internet Explorer to provide security against malware threats.

Setting Internet Zones One of the most important features of Internet Explorer 7 is the ability to configure zones. When you open Internet Explorer’s properties, you will find the Security tab, which houses the Internet, Local intranet, Trusted sites, and Restricted sites zones (see Figure 2.4). You can configure these zones to allow for tighter security, or less-restrictive security, based on your browsing habits. For example, if you access the Internet and your local intranet simultaneously, you may need to configure security differently in each zone.

Figure 2.4 Setting Security Zones

As you can see in Figure 2.4, you can set each zone to the specific level of security you need. For instance, you may want to set the Internet zone to a very high level to avoid malware attacks (for the most part), even though it will reduce your browsing functionality severely, or you may want to set the Internet zone to a very low level so that you can do anything you want to do with your browser. You also can enable Protected Mode within this dialog. If you need to configure more granular security, you can click on the Custom level button, which will open the Security Settings dialog for the zone you have selected. So, if you want to configure more granular levels of security on the Internet zone, select that zone and select Custom level, which will open the settings for that particular zone. Figure 2.5 shows advanced settings that you can adjust for the Internet zone, including advanced cookie handling.


Figure 2.5 Setting Advanced Settings in the Internet Zone

Configuring Privacy The next tab you can configure within Internet Options is your privacy level. In the Internet Options dialog box, select the Privacy tab. In the Privacy tab, you will find many settings to help secure your browser further. For example, you can select privacy settings based on a specific zone. In Figure 2.6, you can see privacy settings for the Internet zone. When configured correctly, you can either raise or lower the privacy settings you want based on your browsing habits. In Figure 2.6, the Internet zone is configured with a medium privacy rating. This makes sure that all third-party cookies are blocked from doing things you may not want them to do. You can also select the Sites button, which will allow you to configure specific sites that you will either allow or not allow to use cookies, regardless of the privacy policy you have set. In Figure 2.7, you can see that Internet Explorer 7 is always set to “allow” cookies from www.syngress.com. Although the privacy settings may disallow cookies altogether, this setting allows you to manually override Internet Explorer’s privacy settings to allow any site you feel is not a threat.


Figure 2.6 Configuring the Privacy Tab

Figure 2.7 Setting per Site Privacy Actions


You can also use the Advanced button on the Privacy tab to specify how cookies should be handled in a particular zone. For the Internet zone, you can configure to override automatic cookie handling, and specify more granular settings, as shown in Figure 2.8.

Figure 2.8 Configuring Automatic Cookie Handling

Internet Explorer 7 also provides settings that allow you to control your security. On the bottom of the Privacy tab dialog you will find the Pop-up Blocker. Here, you can enable the Pop-up Blocker to block any pop up (or warn of a pop up) whenever you surf the Internet. By clicking on the Settings button, you can further control the Pop-up Blocker. You also can specify sites from which you will allow pop ups without the need to be prompted (see Figure 2.9), in case you visit sites often that have pop ups which are generally benign in nature.

Figure 2.9 Configuring the Pop-up Blocker


Other settings include a filter level, which can help you select a filtering level that makes sense for your browsing habits, as well as information bar settings and notifications such as sounds that will play when a problem occurs.

Advanced Security Settings The last tab in the Internet Options dialog is the Advanced tab, as seen in Figure 2.10. Within this tab, you will find more than 100 settings that you can adjust. The best way to see what you can do is to scroll through all the options and read them one at a time, as they are very self-explanatory. In Figure 2.10, you can see a few settings that are crucial to applying security to Internet Explorer 7 and should not be overlooked. For example, you can set more advanced security settings within the Security branch of the Advanced tab. Here you can adjust Internet Explorer’s behavior by further controlling what it can and cannot do. For example, you can select to Allow software to run or install, even if the signature is invalid. Obviously, you would want to leave this unchecked because an invalid signature could lead to an exploited browser, depending on the nature of the site visited.

Figure 2.10 Setting Advanced Security Features
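The zone settings and the Advanced-tab signature setting discussed above are both stored per user in the registry, so they can be audited without clicking through the dialogs. As an added example (not code from the book or from Microsoft), this Windows PowerShell script reads the Internet zone's ActiveX and Protected Mode values and the invalid-signature setting and flags anything looser than what the text recommends; it assumes the standard HKCU locations and that no machine policy under HKLM overrides them.

```powershell
# Added example, not code from the book: read the Internet zone's settings and
# the Advanced-tab signature setting from the current user's registry and flag
# anything looser than the expectations in the text. Assumes the standard
# per-user locations; machine policy under HKLM can override what is read here.

$ZoneKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone
$DownloadKey = 'HKCU:\Software\Microsoft\Internet Explorer\Download'

# Zone action values use 0 = Enable, 1 = Prompt, 3 = Disable, so a larger value is
# more restrictive. Value 2500 is Protected Mode, which inverts that: 0 = on, 3 = off.
$ZoneChecks = @(
    @{ Value = '2500'; Name = 'Protected Mode (0 = on)';                                    MinExpected = 0 },
    @{ Value = '1004'; Name = 'Download unsigned ActiveX controls';                         MinExpected = 3 },
    @{ Value = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe';  MinExpected = 3 },
    @{ Value = '1001'; Name = 'Download signed ActiveX controls';                           MinExpected = 1 }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-InternetZoneHardening {
    $results = foreach ($check in $ZoneChecks) {
        $current = Get-RegistryDword -Path $ZoneKey -Name $check.Value
        $ok = if ($null -eq $current) { $false }                  # absent: report it for review
              elseif ($check.Value -eq '2500') { $current -eq 0 }   # Protected Mode must be on
              else { $current -ge $check.MinExpected }            # at least as restrictive as expected
        [pscustomobject]@{
            Setting  = $check.Name
            Current  = $current
            Expected = $check.MinExpected
            OK       = $ok
        }
    }
    # Advanced tab: "Allow software to run or install even if the signature is
    # invalid" is stored as RunInvalidSignatures = 1; absent or 0 means not allowed.
    $invalidSig = Get-RegistryDword -Path $DownloadKey -Name 'RunInvalidSignatures'
    $results += [pscustomobject]@{
        Setting  = 'Run software with an invalid signature'
        Current  = $invalidSig
        Expected = 0
        OK       = ($invalidSig -ne 1)
    }
    return $results
}

Test-InternetZoneHardening | Format-Table -AutoSize
```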


Figure 2.11 specifies more settings you can adjust to control Internet Explorer 7. Here you can adjust how the Phishing Filter behaves, as well as use of the SSL and Transport Layer Security (TLS) protocols.

Figure 2.11 Setting More Advanced Security Features

Once you have completed setting your Advanced security options, click on OK to close the dialog box. Some changes may require you to restart Internet Explorer. Simply close the browser and reopen it to continue working with your new settings.

Configuring the Microsoft Phishing Filter The Microsoft Phishing Filter is new to Internet Explorer 7. It protects you from phishing attacks while you’re surfing the Internet. Phishing is a technique that attackers use to trick you into giving up personal data, credentials, or other information by posing as legitimate businesses or operations. Phishing attacks are not new. For example, clever attackers in the past have spammed AOL users with spoofed email purporting to be AOL. Many users were tricked into giving up their account information because they had no idea that a Web site operator could trick them into doing so with nothing but a similar-looking Web site that claimed to be something it wasn’t. It wasn’t until the end-user community started learning about spoofed Web sites and other ways attackers were getting people’s personal information (sometimes without them even knowing about it) that AOL began to warn users against giving up their personal account information to anybody other than AOL, and to practice due diligence in checking for signs of phishing attacks by examining the URL to ensure that they were being approached by AOL and not by a spoofed site.

NOTE Social engineering attacks are similar to phishing. With social engineering, an attacker will call someone on the phone, for instance, and trick her into giving up secure information by pretending to be someone he is not.

Phishing is the exploit hackers use to obtain personal information from unsuspecting users. It continues today, and you can find examples on the wildly popular site MySpace (www.myspace.com). MySpace has suffered from the same issues AOL worked through—malicious Web site operators pretended they were from MySpace when they were really gathering legitimate users’ credentials and, inevitably, their personal information. MySpace owners posted the same kinds of warnings that AOL did years ago. To take the security responsibility out of end users’ hands, Microsoft designed and implemented the Phishing Filter into Internet Explorer 7. Now, if the end user wants to stay secure and not have to worry about checking his browser for clues that the site he is visiting is the real deal, he can simply turn on the Phishing Filter and it will ensure through verification steps that the site the end user is visiting is, in fact, legitimate. When the Phishing Filter is turned on, it performs a few steps every time you visit a Web site. First, it verifies against a locally stored list that the Web sites you are attempting to visit are not fraudulent. It will also analyze visited sites for suspicious behavior that is commonly associated with phishing Web sites. Then, it will connect to an online service that constantly updates it with phishing attack sites that have been found and blacklisted.

TIP By using the opt-in online service, you can update the Phishing Filter in Internet Explorer 7 to a more secure level.


You can adjust the Phishing Filter’s settings from within Internet Explorer. When you open Internet Explorer 7, click on Tools and then Phishing Filter. Here you can turn the filter on or off (see Figure 2.12). Microsoft recommends that you use the filter at all times, as this will provide you with the highest level of security.

Figure 2.12 Using the Microsoft Phishing Filter

WARNING You will notice that your Web surfing will become painfully slow as your browser verifies every site you visit. As always with security, you have to consider the trade-off between usability and security and find a happy medium. If you find that your surfing habits consist of visiting sites that are commonly spoofed, you may want to wait the few seconds it takes to verify that sites you are visiting are safe to visit.

To see the Phishing Filter at work, you can manually run a check on a suspicious Web site. To verify the validity of a site, click on Tools, then Phishing Filter, and then Check This Website. If the site is safe and legitimate, as in Figure 2.13, the Phishing Filter will report as such.


Figure 2.13 The Phishing Filter Reporting a Safe Site

Internet Explorer 7 is the most secure version of the browser to date, and strides in programming to make it safer have been successful. In the next section, we will take a look at the Windows Security Center (WSC), which is used to keep your system’s security centralized.

Windows Security Center The Windows Security Center (WSC) is the brain and nervous system for Vista when it comes to security. The WSC, which debuted in Windows XP SP2, has been updated with new features, new tools, and more functionality. Through the WSC (see Figure 2.14), you can make sure that the four security essentials—the firewall, automatic updating, malware protection, and other security settings—are enabled to keep the system secure.

Figure 2.14 Viewing the Windows Security Center in Vista


You can reach the WSC in several ways. By default, the Welcome Center loads when Vista first boots; there, select Control Panel in the Get started with Windows section. Or open the Control Panel from the Start menu. In the Control Panel, select Security and then Security Center, or, if you are in Classic View, select the Security Center applet. Once you open the WSC, you are given options to configure Windows Firewall settings, Windows Update settings, malware protection, and advanced Internet Explorer settings. In Figure 2.14, Windows Vista is operating with a configured firewall, is configured for automatic updates, is running antispyware software, and is using an updated antivirus product. Any issue in any of these areas results in the WSC alerting you to it and recommending a possible solution.

Configuring a Firewall To configure the firewall to allow or disallow specified traffic, first open the Windows Firewall settings by going to the Control Panel, selecting Network and Internet, and then clicking on Windows Firewall. Here, you can turn the firewall on or off, as shown in Figure 2.15. It is recommended that you leave it on, especially if you do not have a third-party firewall application you would rather use in its place. Running multiple firewall products on one system is usually more of a configuration headache than it is worth. To further configure the Windows Firewall, click on the Change settings link within the Windows Firewall dialog box.

Figure 2.15 Configuring Windows Firewall


Here, you can adjust other settings, such as allowing or disallowing application-specific traffic to and from intended sources and destinations. In Figure 2.16, the General tab is selected. From here, you can turn the firewall on or off, as well as block all incoming connections if needed. The Block all incoming connections option overrides every exception, which makes it useful on an untrusted network such as a public hotspot.

Figure 2.16 The General Tab in the Windows Firewall

Click on the Exceptions tab, and you can configure how programs communicate through the Windows Firewall. As shown in Figure 2.17, you can select a program that you want to block or unblock by its name or port number. Click on Add program to add a specific program whose access you want to control, or use Add port to specify the application’s port number. For instance, you could allow Secure Shell (SSH) and not Telnet for remote access. You can specify the program (the SSH or Telnet server) or the ports it uses (TCP 22 for SSH and TCP 23 for Telnet). Prefer a program exception over a port exception where you can: a port exception stays open for whatever happens to be listening on that port, while a program exception applies only while that executable is running.

NOTE The Vista version of the Windows Firewall is better than the Windows XP SP2 version because now you can set access control bidirectionally. Be aware that the Control Panel dialog shown here exposes only inbound exceptions; outbound rules are created in the Windows Firewall with Advanced Security snap-in (wf.msc) or with netsh advfirewall, and outbound traffic is allowed by default until you add a block rule.


Figure 2.17 The Exceptions Tab in the Windows Firewall
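The SSH-versus-Telnet case above, carried out from the command line instead of the Exceptions tab. This is an added example and is not from the book: it uses netsh advfirewall, which ships with Windows Vista and can create the outbound rules the Control Panel dialog cannot. The rule names and the 10.0.0.0/24 management subnet are assumptions for illustration.

```powershell
# Added example (not from the book). Run from an elevated PowerShell or cmd
# prompt; UAC will ask for consent. Rule names and the 10.0.0.0/24 subnet are
# assumptions for illustration.

# Allow inbound SSH (TCP 22), but only from the assumed management subnet:
# an exception scoped to a source range is far narrower than "any address".
netsh advfirewall firewall add rule name=Allow-SSH-In dir=in action=allow `
    protocol=TCP localport=22 remoteip=10.0.0.0/24 profile=domain,private

# Block Telnet. Telnet is TCP 23 (21 is FTP). Inbound is blocked by default
# unless a rule allows it, but an explicit block rule wins over any allow rule.
netsh advfirewall firewall add rule name=Block-Telnet-In dir=in action=block `
    protocol=TCP localport=23

# Outbound traffic is allowed by default, so stopping a compromised host from
# reaching out over Telnet needs an explicit outbound block rule.
netsh advfirewall firewall add rule name=Block-Telnet-Out dir=out action=block `
    protocol=TCP remoteport=23

# Verify what was written: direction, action, ports and scope for each rule.
netsh advfirewall firewall show rule name=Allow-SSH-In
netsh advfirewall firewall show rule name=Block-Telnet-In
netsh advfirewall firewall show rule name=Block-Telnet-Out

# Confirm the active profile's posture: "State ON" and the policy
# "BlockInbound,AllowOutbound" are the Vista defaults this example relies on.
netsh advfirewall show currentprofile
```

The rules are written to the same store the Exceptions tab edits, so the inbound ones appear there immediately; the outbound block is visible only in the Windows Firewall with Advanced Security snap-in.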

The Advanced tab gives you options for selecting to which network connections you want to apply the firewall’s security. It’s recommended that if you are going to use a firewall, you protect all possible entry points into the system. Figure 2.18 shows how you can select a local area connection as well as a wireless network connection.

Figure 2.18 The Advanced Tab in the Windows Firewall


You can also set the Windows Firewall back to its default settings, by clicking on the Restore Defaults button. Once your firewall is configured, you need to update it only if you want to restrict or allow access to new programs, or if you want to change settings. Otherwise, your firewall will alert you if any issues arise, and the WSC will alert you if there are any issues with your firewall.

WARNING You need a security policy in place. Otherwise, your investment in security could be for naught. A security policy, as the term is used here, refers to a written document that defines an organization’s approach to security or to a specific security area. The policy specifies the set of rules to be followed in implementing the organization’s security philosophy. Organizations may establish both written and unwritten rules pertaining to security matters, and may issue a number of different types of documents dealing with these issues.

Using Windows Update Windows Update has been evolving every year since the late 1990s. When Microsoft first released its software offerings, many hotfixes and service packs followed. At one time, you had to visit Microsoft’s Web site, find the download you needed in the Downloads section, and then install it. Now, a centralized Web service hosted by Microsoft acts as the server side, waiting for the client to contact it with its needs. Updating Microsoft Windows and many other Microsoft programs (such as Microsoft Office products, Internet Explorer, and so on) is now quick and almost seamless. You no longer have to visit Microsoft’s Web site for downloads: once you turn on Automatic Updates, updates are downloaded to your client at a specified time and are ready for you to confirm and install the next time you are at your PC. You can turn on Automatic Updates in the WSC or in the Control Panel. Once enabled, Automatic Updates finds and installs updates for Windows itself; opt in to Microsoft Update to cover Office and the other Microsoft products you have installed as well.


TIP You should add (and keep) Microsoft Update on your list of trusted Web sites within Internet Explorer.

To run Windows Update, click on the Windows Update link at the top left of the WSC dialog box. This opens the Windows Update window shown in Figure 2.19. Once launched, it scans your system to determine what is installed and which updates are needed, then works with the Windows Update service at Microsoft.com to produce a list of what you need to install and guide you through the installation.

Figure 2.19 Using Windows Update

Figure 2.20 shows the available updates you can install on Vista. Here you can see the updates specific to Windows Vista (such as drivers) as well as those for applications, such as Windows Defender definition updates. Click on Install to install the selected updates; uncheck any update you do not want to install.

431_Vista_02.qxd

2/2/07

1:21 PM

Page 65

Microsoft Vista: The Battle Against Malware Lives On • Chapter 2

Figure 2.20 Viewing Available Updates for Your Computer
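The check the Windows Update window performs can also be driven from a script through the Windows Update Agent’s COM interface, which is what the Control Panel itself talks to. This is an added example and is not from the book; it assumes PowerShell is installed and that the machine can reach its configured update service (Microsoft’s, or a WSUS server if one is set by policy).

```powershell
# Added example (not from the book): ask the Windows Update Agent which
# updates apply to this machine but are not installed, then single out the
# ones Microsoft rates Critical or Important. Assumes PowerShell and network
# access to the configured update service.

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# WUA search criteria: not installed, and not hidden by the user.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0")

"{0} applicable update(s) are missing" -f $result.Updates.Count
foreach ($u in $result.Updates) {
    $kb = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ","
    "{0,-14} {1,-10} {2}" -f $kb, $u.MsrcSeverity, $u.Title
}

# The gap an attacker probes for first: security updates with a high MSRC
# severity that are still not applied.
$urgent = @($result.Updates | Where-Object {
    $_.MsrcSeverity -eq "Critical" -or $_.MsrcSeverity -eq "Important" })
if ($urgent.Count -gt 0) {
    Write-Warning ("{0} Critical/Important update(s) missing" -f $urgent.Count)
}

# What has already been installed: the most recent entries from the agent's
# own history, newest first (ResultCode 2 means the install succeeded).
$count = $searcher.GetTotalHistoryCount()
if ($count -gt 0) {
    $history = $searcher.QueryHistory(0, [Math]::Min($count, 10))
    foreach ($h in $history) {
        "{0:yyyy-MM-dd}  result={1}  {2}" -f $h.Date, $h.ResultCode, $h.Title
    }
}
```

Because the agent does the work, the list matches what the Windows Update window shows, including updates that Automatic Updates has downloaded but not yet installed.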

Using the Malicious Software Removal Tool When running Windows Update, you will commonly find a download for the Malicious Software Removal Tool (MSRT). This tool helps remove prevalent malware from your OS. Since January 2005, according to Microsoft, the tool has been run more than 3.2 billion times, on more than 270 million computers each month, to combat the flood of malicious software over the Internet. Every month, Microsoft releases a new version of the tool through Microsoft Update, Windows Update, and the Microsoft Download Center. The MSRT is a removal tool for specific, widespread malware families rather than a replacement for antivirus software: it has no real-time protection and checks only for the threats in its current release. It will also verify that your system is free of those threats before you upgrade from, say, Windows XP to Windows Vista.

Configuring Malware Protection When working within the WSC, you can configure Malware Protection so that the system proactively guards against the threats it is currently configured to detect. The WSC periodically checks to ensure that your protection is kept up to date.


It does this by checking that your antivirus software is on, is not damaged, and is updated with signatures and definitions, and by checking your antispyware software to make sure it is updated and in working order as well. If nothing is installed, you are warned that this is not recommended. Figure 2.21 shows the WSC indicating that it could not find a valid antivirus application on the system. Because this will most likely lead to infection or exploitation, it is flagged as an issue for you to resolve. The Check settings indicator (colored yellow) indicates that no program is installed and/or that it is damaged.

Figure 2.21 Viewing Malware Protection within the WSC

Be aware that if your antivirus software is installed but is out-of-date, you are given a different indicator. You are still asked to Check settings, but the indicator is colored red (see Figure 2.22).

431_Vista_02.qxd

2/2/07

1:21 PM

Page 67

Microsoft Vista: The Battle Against Malware Lives On • Chapter 2

Figure 2.22 Viewing Out-of-Date Definitions in the WSC

It is imperative that you keep your antivirus signatures, definitions, and engine updated; if you do not, the WSC reports a problem. In Figure 2.23, the WSC is reporting that malware protection is on and up-to-date. Once you resolve all issues, the Malware Protection section of the WSC returns to its green status. This means your system is ready to do battle with malware because it is completely updated and healthy. Microsoft Windows Vista is a brand-new product on the market, so bear in mind that your older software applications may not run on it at first. Third-party vendors generally do not yet have full releases of their software tested and ready for it, so research what is supported before you upgrade to Windows Vista.


Figure 2.23 The WSC Reporting That Malware Protection Is On and Updated
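The status the WSC displays for antivirus, antispyware, and firewall products is also published through WMI, in the root\SecurityCenter2 namespace that Vista introduced, which is how a script or a management tool can read it without opening the Control Panel. This is an added example and is not from the book; the decoding of productState is the layout commonly observed for that undocumented field, and is labeled as an assumption in the code.

```powershell
# Added example (not from the book): read the product status the WSC shows
# from the root\SecurityCenter2 WMI namespace (Vista and later; on XP it was
# root\SecurityCenter). productState is undocumented; the bit layout below is
# the one commonly observed in practice and is an assumption of this example.

function ConvertFrom-ProductState([int]$state) {
    # Observed layout, as six hex digits AABBCC:
    #   BB = 0x10 or 0x11 means real-time protection is on, 0x00/0x01 off
    #   CC = 0x00 means definitions are current, 0x10 means out of date
    $hex     = "{0:X6}" -f $state
    $enabled = [Convert]::ToInt32($hex.Substring(2, 2), 16) -band 0x10
    $stale   = [Convert]::ToInt32($hex.Substring(4, 2), 16) -band 0x10
    New-Object PSObject -Property @{
        Enabled  = ($enabled -ne 0)
        UpToDate = ($stale -eq 0)
        RawHex   = "0x$hex"
    }
}

function Get-WscProductStatus {
    foreach ($class in "AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct") {
        $products = Get-WmiObject -Namespace root\SecurityCenter2 -Class $class `
            -ErrorAction SilentlyContinue
        if (-not $products) {
            # No registered product: the yellow "Check settings" case of Figure 2.21.
            New-Object PSObject -Property @{
                Class    = $class
                Product  = "(none registered)"
                Enabled  = $false
                UpToDate = $false
                RawHex   = ""
            }
            continue
        }
        foreach ($p in $products) {
            $s = ConvertFrom-ProductState $p.productState
            New-Object PSObject -Property @{
                Class    = $class
                Product  = $p.displayName
                Enabled  = $s.Enabled
                UpToDate = $s.UpToDate   # False here is the red indicator of Figure 2.22
                RawHex   = $s.RawHex
            }
        }
    }
}

Get-WscProductStatus | Format-Table Class, Product, Enabled, UpToDate, RawHex -AutoSize
```

A product that is installed but has stopped registering its state with the WSC will not appear at all, which is itself worth alerting on in a fleet check.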

TIP Most software applications and drivers written for Windows XP may also work with Windows Vista, but you should always check: older programs may operate poorly or not at all. You can use the Program Compatibility Wizard to address this. Open it by clicking the Start button, opening the Control Panel, clicking Programs, and then clicking Use an older program with this version of Windows. The Windows Vista Hardware Compatibility List (also known as the HCL) is a list of hardware products that have been verified by Microsoft. These products have passed a set of hardware compatibility tests that prove they work with genuine Windows products such as Vista. If hardware is purchased and not listed within the HCL, it is not guaranteed to work. For software support: http://windowshelp.microsoft.com/Windows/en-US/programs.mspx. For hardware support: www.microsoft.com/technet/windowsvista/evaluate/hardware/default.mspx. The Microsoft HCL: www.microsoft.com/hcl/

Other Security Settings In the WSC, you have a fourth area of configuration, called Other security settings. Here, you can check Internet Explorer’s security settings, as well as User Account Control (UAC).

User Account Control User Account Control (UAC) is a new tool in Windows Vista for preventing unauthorized changes. UAC is another layer applied to the defense in depth model. UAC (known during Vista’s development as Least-Privilege User Account [LUA]) is responsible for warning you whenever Windows needs your permission to continue with the use of a program or other application. LUA followed the concept that if the LUA account was compromised, it would not cause a serious issue because it did not have administrator privileges: there was not much an attacker could do with it. When a user now logs on to a Windows Vista computer, she runs by default with standard-user rights, even if her account is a member of the Administrators group. If she needs to perform a task that requires administrator privileges, Vista (with the help of UAC) prompts her for specific permission to perform the task. This helps make sure that malware running under her account cannot silently use those privileges. When an administrator needs to use her administrator privileges, she does not have to use Run As, because Windows Vista automatically prompts her for consent or for the required credentials, as shown in Figure 2.24. In the past, many everyday tasks required administrator rights, so users ran as administrators all the time. Now, standard user accounts can perform most everyday tasks, and anything that genuinely requires administrator privileges (such as installing software on the system) requires that the user approve the elevation or supply administrator credentials. Because UAC is enabled by default, it is invoked whenever administrator rights are required. In past versions of Windows, such as XP, you needed to use Run As to run a program with administrator rights, and if the user’s everyday account was itself an administrator, a compromise of that account handed the attacker those rights anyway.
UAC is a major development in terms of giving only those privileges that users need to do their jobs. As a result, if their accounts are compromised, the risk is lessened.


Figure 2.24 UAC Asking for Permission to Continue

Windows Vista automatically prompts you for administrator credentials when an application requests them.This way, another level of security is implemented to help ensure that the user isn’t manipulated or that malware running silently doesn’t infiltrate the system.
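The split token that makes this work can be observed directly from a script: an administrator’s everyday console holds a filtered token, and only an elevated process receives the full one. This is an added example and is not from the book; it assumes PowerShell 2.0 or later and that the script is saved to a .ps1 file, because the relaunch needs its own path.

```powershell
# Added example (not from the book): see the UAC split token from PowerShell
# and elevate on demand. Assumes PowerShell 2.0 or later and that this script
# is saved to a .ps1 file (the relaunch needs its own path).

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # Administrators is present in the filtered token only as a deny-only group,
    # so this is False in an ordinary console even for an administrator account.
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# The token itself tells the story: S-1-5-32-544 is BUILTIN\Administrators and
# is listed with the attribute "Group used for deny only" until elevation.
whoami /groups | findstr /i "S-1-5-32-544"

if (-not (Test-IsElevated)) {
    Write-Host "Standard-user token in use; requesting elevation through UAC."
    $argList = "-NoProfile -ExecutionPolicy Bypass -File `"$($MyInvocation.MyCommand.Path)`""
    # -Verb RunAs raises the UAC consent prompt (or a credential prompt for a
    # standard user); the new process receives the full administrator token.
    Start-Process -FilePath powershell.exe -ArgumentList $argList -Verb RunAs
    return
}

Write-Host "Elevated: full administrator token in use."
# Anything below this line runs with administrator rights, which is exactly the
# step UAC turns into an explicit, visible prompt instead of a silent default.
```

Run it twice, once from a normal console and once from one started with Run as administrator, and compare the whoami output: the group membership is identical, but the attribute on the Administrators entry changes from deny-only to enabled.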

Tools & Traps… Using the MBSA The Microsoft Baseline Security Analyzer (MBSA) is a freely downloadable tool from Microsoft designed for IT professionals who need to check the security settings on host computers. With Windows Vista, you can still download and use this valuable tool. Figure 2.25 shows the MBSA in action. The MBSA checks your computer locally (or a remote computer) for basic security settings and missing updates, reports on their state, and makes recommendations for specific issues. For example, if your system’s updates are out-of-date, your passwords do not meet a minimum length, and so on, you receive a report on each section’s status and what you need to do to ensure that your system is secure.


Figure 2.25 Using the Microsoft Baseline Security Analyzer

You can download the tool at www.microsoft.com/technet/security/tools/mbsahome.mspx.

Windows Defender In December 2004, Microsoft acquired the Windows Defender security technology from GIANT Company Software, Inc. Windows Defender provides continuous security against malware, and if it detects anything suspicious, it alerts you to what it finds. It does this by using three specific tools:

■ Internet agents Internet agents are used to monitor changes to Internet access settings, as well as to stop unauthorized connection attempts via the network.

■ System agents System agents are used to monitor changes to your system’s settings, such as passwords and permissions.

■ Application agents Application agents are used to monitor changes to applications installed on your OS, such as Internet Explorer being modified by downloadable toolbar applications.


NOTE Windows Defender is used locally to protect an end user’s Web browsing experience. Windows Defender does not include enterprise management tools.

Windows Defender protects against and removes malware as well as provides control over modifications to software installed on the system. Windows Defender provides real-time monitoring functionality, which means it will always run and keep you protected while you’re using your Windows Vista system.The Windows Vista version of Windows Defender features an updated scanning engine, simplified alerting functionality, multiple-language support, and other enhancements. Windows Defender provides top-notch spyware detection and removal, and it is connected to an online service that will keep it updated and on top of the latest threat trends. Because malware constantly evolves, so does Windows Defender and its support team.

Using Windows Defender You can find Windows Defender by opening the WSC and selecting the Windows Defender link. This invokes the Windows Defender application, as shown in Figure 2.26. If your system is already up-to-date, Windows Defender reports that there is no harmful or unwanted software on your system and that your computer is running normally. If you have not run a scan yet, or your last scan was a while ago, you are prompted with scan options. Select the scan option that best suits what you want to do. If you want to perform a quick scan of the areas within your system most commonly affected by malware, check the Quick scan radio button. If you want to check your entire system, check the Full system scan radio button (note that a full system scan takes far longer to perform than a quick scan). You can also specify which drives or areas of your system you want Windows Defender to scan. Figure 2.27 shows Windows Defender prompting you to begin a scan. Click on Scan Now to begin the scan.


Figure 2.26 Using Windows Defender

Figure 2.27 Starting a Scan with Windows Defender


Once the scan is complete, you can view the report. If anything malicious is found, you are asked how you want to handle it. Figure 2.28 shows Windows Defender completing a quick scan and not finding any malware on the system. (Because this was a quick scan, there still may be an issue with this system; a full system scan should be run to verify that the system is in fact free of malicious software.)

Figure 2.28 Viewing Windows Defender Reporting a Quick Scan Completed

By clicking on Tools at the top of the Windows Defender dialog box, you can adjust the settings for Windows Defender and select other tools to further secure your system. As shown in Figure 2.29, once you open the Tools and Settings configuration within Windows Defender, you can change the settings, use Microsoft SpyNet, view quarantined items, use the Windows Defender Software Explorer, set allowed items, and visit and use the Microsoft Windows Defender public Web site.


Figure 2.29 Setting Windows Defender Options

How to Use the Windows Defender Software Explorer One of the newest and most helpful tools Microsoft has added to Vista and Windows Defender is Software Explorer. Software Explorer provides you with an unfettered view of the software that is currently running on your computer, along with details of each piece. It also helps you monitor programs that are set to start when the computer boots, programs that run in the background or as background processes, and programs that are used to perform low-level network functions (i.e., Winsock service providers).

NOTE To use some Software Explorer options, you must be logged on as Administrator or be a member of the Administrators group.


Using Software Explorer Changing how a program runs on your computer, such as blocking Internet or network connections and ending processes, can cause problems with Windows and other programs that you use. Use Software Explorer to change how a program runs on your computer only if you are certain the program is causing a problem. Once you open Software Explorer, you can select which category of programs you want to view or adjust. For example, in Figure 2.30, you can see Software Explorer in use. Here, the Startup Programs category is shown but blurred out to protect the identity of the system in use.

Figure 2.30 Using Software Explorer
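The Startup Programs and Winsock service providers views described above are also the places a responder checks for persistence when Windows Defender itself may be compromised or unavailable. The following is an added example, not from the book: it lists the same autostart locations that Software Explorer’s Startup Programs view covers and flags the entries worth a closer look. The registry keys and Startup folders are the standard locations; the “Suspect” heuristics (unsigned binary, or a binary outside Program Files and the Windows directory) are this example’s own assumption, not Windows Defender’s logic.

```powershell
# Added example (not from the book): list the autostart entries that Software
# Explorer's "Startup Programs" view covers and flag the ones worth a closer
# look. Registry keys and Startup folders are the standard locations; the
# "Suspect" heuristics are this example's own assumption, not Defender's logic.

$runKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
$providerProps = "PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider"
$trustedRoots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }

function Get-ExePath([string]$command) {
    # A command line is either "quoted path" args, or path args.
    if ($command -match '^\s*"([^"]+)"') { $path = $matches[1] }
    else { $path = ($command.Trim() -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($path)
}

function Test-AutostartEntry([string]$location, [string]$name, [string]$command) {
    $exe = Get-ExePath $command
    $sig = if (Test-Path -LiteralPath $exe) {
        (Get-AuthenticodeSignature -FilePath $exe).Status
    } else { "FileMissing" }
    $inTrustedDir = $false
    foreach ($root in $trustedRoots) {
        if ($exe -like "$root\*") { $inTrustedDir = $true }
    }
    New-Object PSObject -Property @{
        Location  = $location
        Name      = $name
        Command   = $command
        Signature = $sig
        Suspect   = ($sig -ne "Valid") -or (-not $inTrustedDir)
    }
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $entries += Test-AutostartEntry $key $prop.Name ([string]$prop.Value)
    }
}
# Startup-folder items are reported on the shortcut itself; resolve the .lnk
# target for a fuller check.
foreach ($dir in [Environment]::GetFolderPath("Startup"), [Environment]::GetFolderPath("CommonStartup")) {
    foreach ($f in Get-ChildItem -Path $dir -ErrorAction SilentlyContinue) {
        $entries += Test-AutostartEntry $dir $f.Name ('"' + $f.FullName + '"')
    }
}

$entries | Sort-Object Suspect -Descending |
    Format-Table Suspect, Signature, Name, Command -AutoSize

# The "Winsock service providers" category: a layered service provider that
# malware inserts to intercept traffic appears here as an extra catalog entry.
netsh winsock show catalog
```

A Suspect entry is a lead, not a verdict: plenty of legitimate software is unsigned or installs under the user profile, so compare the flagged binaries against what you know is installed before removing anything, for the same reason Software Explorer warns against disabling programs you are not sure about.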

Other Related Tools In the Tools and Settings dialog of Windows Defender, you can find links to more tools and settings. Here you will find SpyNet, a very useful Web site that helps you find information on malware as well as information on combating it and protecting yourself and your system from the damage it threatens.


Using Microsoft SpyNet Microsoft SpyNet is the network of Windows Defender users that helps determine which programs are classified as spyware. Because the face of malware constantly evolves, so does SpyNet and its hardworking team of security enthusiasts. SpyNet works to build known signature files for commonly seen malware and to find malware that is new to the scene. It is recommended that you visit SpyNet to get acclimated with the site and the benefits it offers, and that you check back often for updates. If you commonly surf the Internet and are worried about the effects of malware on your system, visiting SpyNet can give you an advantage, as you will be better educated on what can happen to your system, what is currently happening to others, and how you can better secure your OS, your browser, your identity, and your personal data.


Summary Malware is a threat to computer systems, networks, and the public Internet. With the release of Windows Vista, Microsoft has developed new weapons in the battle against malware. Windows Vista, Internet Explorer 7, and associated software are hardened and ready for war. Malware is any software product or program created with an intent to cause damage or harm. The most common forms of malware are viruses, Trojans, and worms. Viruses are malicious programs that are commonly installed on a target host with the intent to cause harm or damage. Common virus types include e-mail viruses, boot sector viruses, application viruses, and macro viruses. Worms are a form of malware that propagate from host to host in order to spread and replicate across a network. A Trojan appears harmless to the recipient but actually contains a malicious payload. Trojans that contain a virus as a payload are called droppers. Spyware is the biggest malware issue to date. Spyware exploits include malicious scripts that do everything from rewriting browser settings to perform malicious functions, to diverting payment for legitimate revenue streams to a secondary source (usually the attacker). Windows Vista and Internet Explorer 7 were developed to thwart many common exploits and build a foundation on which new ones can be mitigated. New to Vista and Internet Explorer 7 is an updated Windows Firewall. The new outbound filtering feature in the personal firewall applies more granular control over traffic traversing it, and is more flexible than previous versions. The new Phishing Filter verifies the sites you visit so that your personal information and data are not compromised.
User Account Control (UAC) allows a user to change computer settings while running as a standard user, instead of requiring administrator privileges for most tasks. The updated Windows Defender utility detects malware on your system and, when used in conjunction with SpyNet, can help to eliminate most spyware attacks and exploits. The new Windows Security Center (WSC) is full of configurable options and tools to help you build a strong security posture so that you can safely surf the Internet without constantly worrying about your system. As you can see, there are many ways you can apply defense in depth for a more secure infrastructure. Malware is definitely a threat, but these new tools and features help to provide a more secure experience. Microsoft Vista takes steps to ensure that the base OS is not jeopardized, and Internet Explorer 7 provides a secure framework in which to operate. Although the battle against malware continues, at least with Vista and Internet Explorer 7 you are well armed to fight that battle.


Solutions Fast Track

Malware Fundamentals

■ Malware is any software product or program created with the intent to cause damage or harm. The most common types of malware are viruses, Trojans, and worms.

■ A virus is a malicious program that is commonly installed on a target host with the intent to cause harm or damage. A virus (just like the medical version of the term) infects the host, usually by being installed by the end user of the target host. A virus is almost always executed by the end user without him knowing the true intention of the malware.

■ An e-mail virus is transmitted via e-mail and contains a payload that is activated when the end user is tricked into activating it, or when the e-mail client’s handling of e-mail (and scripts) activates the payload upon delivery or viewing, without opening the e-mail (such as with the automatic reading pane found in most e-mail clients).

■ Boot sector viruses are often transmitted via disk and are written to the master boot record on the hard disk. Application viruses are executable programs that infect your system when you run them, and macro viruses are commonly embedded in documents (such as Microsoft Word documents).

■ Worms will propagate. They are programmed to “scan” the network from the infected target host to find other hosts with open and vulnerable services and ports.

■ A Trojan horse will appear harmless enough for the recipient to install, but it contains a secret payload that usually is a virus or other form of malware.

■ Malware can be very nasty, especially when it and its payload are concealed. For instance, consider the use of rootkits, backdoors, and keyloggers, all of which are secretly placed on your system for a future attack.

■ Spyware exploits are also used to obtain user information. Spyware analyzes what sites you visit and what your browsing habits are, and then invades your privacy further by using that information to market products to you, as well as by preventing you from removing the spyware.

■ You should periodically update every piece of software you install on your system. You can do this by installing the latest updates, hotfixes, security patches, and service packs. Keep on top of when new patches come out, and try to test and install them to keep your system at its best.

■ Windows Service Hardening (WSH) limits the amount of damage an attacker can do if a service is compromised.

■ Network Access Protection (NAP) is used to prevent clients from connecting to the network if they are infected with malware.

Improvements in Internet Explorer 7

■ Internet Explorer 7 comes with Windows Vista by default as the built-in Web browser. New features in Internet Explorer 7 help to prevent the inception and spread of malware. To help protect a user’s personal information and the security of Vista in general, Internet Explorer 7 comes with many advances in security, as well as tools that protect users from such malware attacks as phishing and spoofing. It also includes a new Protected Mode to further secure a user’s browsing experience.

■ The new outbound filtering feature in the Windows Firewall helps users to apply more granular control over traffic traversing the firewall.

■ User Account Control allows a user to change computer settings while running as a standard user.

■ The Windows Defender utility detects malware on your system and, when used in conjunction with SpyNet, can help to eliminate most spyware attacks and exploits.

■ Phishing is the exploit that hackers use to obtain personal information from unsuspecting users. The Microsoft Phishing Filter is new to Internet Explorer 7. It protects you from phishing attacks while you surf the Internet.

Windows Security Center

■ The Windows Security Center (WSC) is the brain and nervous system for Vista when it comes to security. Here, you can configure most (if not all) security functionality for the client system. In addition, it monitors your running systems and recommends ways to help mitigate risk and solve security-related issues.

■ The WSC, which debuted in Windows XP SP2, has been updated with new features, tools, and functionality. With it, you can centrally control a personal firewall application, and make sure the OS and your antivirus software are up-to-date.

■ In the WSC, you can configure four main security areas: the Windows Firewall, Automatic Updates, Windows malware protection, and other security settings, including Internet Explorer security settings.

■ The updated Windows Firewall now filters traffic bidirectionally. Previous versions filtered in only a single direction.

■ Once your firewall is configured, you need to update it only if you want to restrict or allow access to new programs, or if you want to change settings.

■ You can turn on automatic updating in the WSC, which will allow Windows to monitor and download updates for you.

■ The Malicious Software Removal Tool can help you to remove malware from your OS and is usually downloaded via Windows Update.

■ User Account Control prevents unauthorized changes from taking place. Another level of security applied to the defense in depth model, UAC will warn you whenever Windows needs your permission to continue with the use of a program or other application.

■ The Microsoft Baseline Security Analyzer (MBSA) is a freely downloadable tool from Microsoft. It is designed for IT professionals who need to check the security settings on host computers.

Windows Defender

■ Windows Defender provides continuous security against malware. If it detects anything suspicious, it will alert you of what it finds.

■ Windows Defender is composed of three separate agents. Internet agents are used to monitor changes to Internet access settings, as well as to stop unauthorized connection attempts via the network. System agents are used to monitor changes to your system’s settings, such as passwords and permissions. Application agents are used to monitor changes to applications installed on your OS, such as Internet Explorer being modified by downloadable toolbar applications.

■ Windows Defender is used locally to protect an end user’s Web browsing experience. Windows Defender does not include enterprise management tools.

■ Windows Defender features an updated scanning engine, simplified alerting functionality, multiple-language support, and other enhancements.

■ Changing how a program runs on your computer, such as blocking Internet or network connections and ending processes, can cause problems with Windows and other programs that you use. Use Software Explorer to change how a program runs on your computer only if you are certain the program is causing a problem. Once you open Software Explorer, you can select which category of programs you want to view or adjust.

■ Microsoft SpyNet is the network of Windows Defender users that helps

determine which programs are classified as spyware.  SpyNet builds known signature files for commonly seen malware and finds

malware that is new to the scene. It is recommended that Symantec PGP Desktop for Windows 10.2 crack serial keygen visit SpyNet to get acclimated with the site and the benefits it offers, and that you check back often for updates.


Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: If a company has a good firewall installed, won’t that protect it from all these attacks?

A: No. Firewall products are very useful for controlling what comes into or goes out of a network. But a firewall is like a computer (in many cases, a firewall is a specialized computer); it does only what the person who configures it tells it to do. Firewalls can recognize and stop some types of attacks, but certain attacks exploit the characteristics of the protocols commonly used for legitimate network communications, and a packet might appear to be nothing more than a benign bit of data destined for a computer on the network. Trojans, viruses, and worms piggyback into the network as e-mail attachments or through remote file sharing. Firewalls won’t catch them, but a good antivirus program, frequently updated and set to scan all incoming e-mail, might be able to. Many companies seem to operate under the assumption that installing a firewall is akin to invoking a magic spell that casts a force field of protection around their networks, rendering them completely immune to attack. Even the best firewall won’t protect against social engineering attacks, nor will it do any good against internal attackers who have physical access to the network. Studies have shown that a large number of network-related crimes are actually “inside jobs.” Be sure to read Chapter 3, where we discuss how firewalls work, so that you understand why they are not the “cure-all” solution to network security that they’re sometimes made out to be.

Q: I think I understand the differences between a virus, a Trojan, and a worm. But what are all these other types of viruses I hear about: stealth viruses, polymorphic viruses, armored viruses, and cavity viruses?

A: Stealth viruses are able to conceal the changes they make to files, boot records, and the like from antivirus programs. They do so by forging the results of a program’s attempt to read the infected files. A polymorphic virus makes copies of itself to spread, like other viruses, but the copies are not exactly like the original. The virus “morphs” into something slightly different in an effort to avoid detection by antivirus software that might not have definitions for all the variations. Viruses can use a “mutation engine” to create these variations on themselves. An armored virus uses a technique that makes it difficult to understand the virus code. A cavity virus is able to overwrite part of the infected (host) file while not increasing the length of the file, which would be a tip-off that a virus had infected the file.

Q: Can a rootkit be used for a good purpose, or is it always classified as malware?

A: The term rootkit was developed as a hacker term, although rootkits can also be used for what some vendors consider valid purposes. For example, if Digital Rights Management (DRM) software is installed and kept hidden, it can control the use of licensed, copyrighted material and prevent the user from removing the hidden enforcement program. However, such usage is no more welcomed than a rootkit that does damage or allows spyware to thrive without detection.

Q: I have an infected system and I cannot figure out what is wrong. Where can I look to find further information on the Internet?

A: Information about specific viruses and instructions on how to clean an infected system are available at www.symantec.com and www.mcafee.com. Both antivirus vendors provide detailed databases that list and describe known viruses. For more information on viruses, worms, and Trojans, see the article “How Computer Viruses Work,” at www.howstuffworks.com/virus.htm.

Q: What are cookies and spyware? How are they different? Do some Web sites use cookies to exploit user information?

A: A cookie is just a bit of text in a file on your computer, containing a small amount of information that identifies you to a particular Web site, and whatever information that site wanted to retain about you while you were visiting. Cookies are a legitimate tool that many Web sites use to track visitor information. For example, you might go to an online computer store and place an item in your basket, but decide not to buy it right away because you want to compare prices. The store can choose to put the information about what products you put into your basket in a cookie on your computer. This is an example of a good use of cookies to help the user experience. The only Web sites that are supposed to be able to retrieve the information stored in a cookie are the Web sites that wrote the information in that particular cookie. This should ensure your privacy by stopping any site other than the one you are visiting from being able to read any cookies left by that site. Some Web sites do use cookies to exploit user information, however. Some also may deceive users or omit their policies. For example, they may track your Web surfing habits across many different Web sites without informing you, and then use this data to customize the advertisements you see on Web sites, which typically is considered an invasion of privacy. It is difficult to identify this and other forms of “cookie abuse,” which makes it difficult to decide whether, when, and how to block them from your system. In addition, the acceptable level of shared information varies among users, so it is difficult to create an “anticookie” program to meet everyone’s needs.

Q: Can spyware send tracked information to other people?

A: Some forms of spyware monitor a target’s Web use or even general computer use and send this information back to the spyware program’s authors for use as they see fit. To fight this kind of problem, a spyware removal tool is obviously helpful, as is a firewall that monitors outgoing connections from your computer. Other forms of spyware take over parts of your Web browsing interface, forcing you to use their own search engines, where they can track your browsing habits and send pop-up advertisements to you at will. The biggest concern regarding spyware is that most spyware is poorly written or designed. Many people first realize their computer is running spyware when it noticeably slows down or stops responding, especially when performing certain tasks such as browsing Web sites or retrieving e-mail. In addition, poorly written spyware can often cause your computer to function incorrectly even after it has been removed.

Q: Malware has completely taken over my PC and I cannot do anything to fix it. What is the best next step?

A: You used to be able to clean up most malware infections using various kinds of specialized antivirus and antimalware software. Sadly, this is no longer the case. Once upon a time, malware was written by amateurs and teenagers. But now, many very skilled programmers work on malware, because it is now a moneymaking business. Malware has become so insidious that it is often impossible to remove without expert or professional help. You should first attempt to remove an infection with automated tools. If that fails (and most likely it will), there are two classes of antimalware software that you should use. The first is traditional antivirus software, which is very good at handling viruses and worms and not so great at handling newer styles of malware. The other kind of software is antispyware software, which is good at the newer sort of malware but not so good at the old kind. When attempting to clean up an infected system, you should run at least one of each. If you were running antivirus software when you became infected, you should see whether it was keeping itself up-to-date, or try running a different program. Proven antivirus software companies include Symantec (a.k.a. Norton), McAfee, Panda Software, Trend Micro, F-Secure, Eset (maker of NOD32), and Kaspersky Labs. Many of these companies have free Web-based scanners (ironically based on ActiveX) or downloadable tryout versions. Antispyware software is a little more difficult. The various antivirus companies have been in business a long time, but antispyware is a new kind of software that was born at the same time as the modern age of malware. Therefore, many antispyware software companies are either incompetent or outright frauds. It’s been discovered that malware is very quickly outgrowing the capability for automated software to clean it. The automated tools you try may not work, even if you try multiple ones. Therefore, you will probably end up having to get help. Many local computer repair companies can clean infected computers. You may know an expert who is willing to help you. Sometimes the experts will tell you that the best or only way to take care of a really bad infection is to back up your personal data, clean out the computer completely, and start from scratch. They are not lying. Attempting to eradicate an infection by hand can be extremely time-consuming and is often unsuccessful, even for experts.

Q: Do I need additional antimalware and spyware tools, now that Vista and Internet Explorer are supposedly more secure and provide them?

A: With Windows Vista and Internet Explorer 7, you are more secure than you were using older versions of the OS and Web browser. The fact is that you now get these applications with the base OS instead of having to pay for or download a third-party vendor’s utility. Vista does not come with antivirus software, so you will need to acquire that separately. What Vista does have is a built-in spyware tool that helps prevent “some” malware exploits from taking place. Vista also has a built-in host-based firewall. Make sure that you add antivirus software for full protection.


431_Vista_03.qxd

2/2/07

2:44 PM

Page 87

Chapter 3

Microsoft Vista: Securing User Access

Solutions in this chapter:

■ Access Control Fundamentals

■ Improving the Logon Architecture

■ User Account Control

■ Remote Assistance

■ Network Access Protection

■ Summary

■ Solutions Fast Track

■ Frequently Asked Questions


Introduction

Windows Vista provides many security benefits, including enhancements to the Vista logon architecture, a new feature called User Account Control (UAC), smart card enhancements, and Network Access Protection (NAP). It also includes redesigned and redeveloped Remote Assistance functionality. Although Microsoft designed Vista to be more secure, nothing really applies more security to your system than “defense in depth.” Defense in depth is the technical term for a secure system that is applied in layers. Vista provides a new level of security with its enhancements. This is combined with ensuring that users handle their credentials properly; that they understand other concepts of physical security, such as limiting access to the systems you want to secure; and that they comply with these concepts. When correctly applied, a security policy and other security defenses create a secure multilayered “onion.” If one layer is exploited or penetrated, others still stand guard. Windows Vista is secure by design and offers many layers of security by itself. By following Microsoft’s Trustworthy Computing initiative, the developers of Windows Vista have designed the software to eliminate the most common Windows-based attacks, such as buffer overflows. In addition, other known weaknesses in the logon subsystems have been reworked. User access has always been an issue and tough to secure within Microsoft’s camp, but with Vista, secure advancements have been made to make these simple exploits a thing of the past. Because of the way Windows was initially designed, an attacker could exploit the OS’s subsystems in many ways; with Vista, gaining access to the OS by sitting directly at the console, through malware, or through other subversive tactics to deploy rootkits is very difficult.

Administrative access using the Administrator account was considered gaining the keys to the castle, so use of it has been limited as well. Many exploits have been designed to thwart the system’s access defenses, and many attacks have been developed to gain administrative access to the system. In the next section, we discuss the main updates to user access security within Vista and how to configure them. We also provide a brief overview of some of the most common attacks used to thwart a system’s access defenses and controls.

Access Control Fundamentals

To protect system and network resources from theft, damage, or unwanted exposure, administrators must understand who initiates this risky behavior, why they do it, and how they do it. Obviously, hackers and those with ill intent are the ones trying to gain access, but the methods by which they do so constantly evolve, as do the operating systems (such as Vista) themselves. Understanding the concepts of access control can be vital to keeping any system secure. Ensuring physical access control means you will attempt to control physical access to the servers, networked workstations, network devices, and cabling connections. You also must be aware of other security considerations when working with wireless media, portable systems such as laptops and personal digital assistants (PDAs), and removable media such as Universal Serial Bus (USB) stick drives, DVDs, CD-ROMs, and external hard disks. By limiting your exposure, using secure methods of authentication, and practicing general workstation security, you will also inherently limit your exposure to risk.

Limiting Exposure

An effective security plan does not rely on one technology or solution, but instead takes a multilayered approach. Compare this approach to a business’s physical security measures; most companies don’t depend on just the locks on the building’s doors to keep intruders and thieves out. Instead, they might also have perimeter security (a fence), perhaps additional external security such as a guard or a guard dog, external and internal alarm systems, and, to protect special valuables, further internal safeguards such as a vault. Most administrators keep data backup copies off-site in a secure location in case of fire or some other natural disaster. An IT network and system security policy should be similarly layered. For example, an effective IT security policy could incorporate the following:

■ Firewalls at network entry points (and possibly a DMZ or screened subnet between the local area network [LAN] and the network interface connected to the Internet) that function as perimeter protection

■ Password protection at local computers, requiring user authentication to log on, to keep unauthorized persons out, ensuring that all passwords used are limited by the user’s ability to keep them simplified

■ Access permissions set on individual network resources to restrict access of those who are “in” (logged on to the network)

■ Encryption of data sent across the network or stored on disk to protect what is especially valuable, sensitive, or confidential

■ Network and systems infrastructure (such as servers, routers, and switches) located in locked rooms with cameras to prevent people with physical access from accessing data without authorization

■ Use of antivirus and other hardening applications such as host-based intrusion detection systems (IDSes), host-based firewalls, and spyware defenses such as Windows Defender


NOTE Defense in depth is a concept in which all of the examples of security mentioned in the preceding list are applied simultaneously to create a multilayered security approach. This list is a sampling of some common areas where security is applied. With the use of firewalls, access control with secure credentials, a security policy, and so on, you apply a layered security posture that is hard to unravel.

Understanding Attacks

Although there are many, some of the most common attacks on access control come in the form of attempts to bypass your secure credentials, or of getting software on the host machine that can do it for you from the inside, also known as a rootkit.

fping -a
192.168.1.254 is alive
192.168.1.227 is alive
192.168.1.224 is alive
…
192.168.1.3 is alive
192.168.1.2 is alive
192.168.1.1 is alive
192.168.1.190 is alive


Hacking Exposed: Network Security Secrets and Solutions

The –a option of fping will simply show systems that are alive. We can also combine it with the –d option to resolve hostnames if we choose. We prefer to use the –a option with shell scripts and the –d option when we are interested in targeting systems that have unique hostnames. Other options like –f, read from a file, may interest you when scripting ping sweeps. Type fping –h for a full listing of available options. Another utility that is highlighted throughout this book is nmap from Fyodor (www.insecure.org/nmap). While this utility is discussed in much more detail later in this chapter, it is worth noting that it does offer ping sweep capabilities with the –sP option.

[tsunami] nmap –sP 192.168.1.0/24
Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
Host (192.168.1.0) seems to be a subnet broadcast address (returned 3 extra pings).
Host (192.168.1.1) appears to be up.
Host (192.168.1.10) appears to be up.
Host (192.168.1.11) appears to be up.
Host (192.168.1.15) appears to be up.
Host (192.168.1.20) appears to be up.
Host (192.168.1.50) appears to be up.
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) seems to be a subnet broadcast address (returned 3 extra pings).
Nmap run completed -- 256 IP addresses (10 hosts up) scanned in 21 seconds

For the Windows inclined, we have found that the freeware product Pinger (see Figure 2-1) from Rhino9 (http://www.nmrc.org/files/snt/) is one of the fastest ping sweep utilities available. Like fping, Pinger sends out multiple ICMP ECHO packets in parallel and simply waits and listens for responses. Also like fping, Pinger allows you to resolve hostnames and save the output to a file. Just as fast as Pinger is the commercial product Ping Sweep from SolarWinds (www.solarwinds.net). Ping Sweep can be blazingly fast because it allows you to specify the delay time between packets sent. By setting this value to 0 or 1, you can scan an entire Class C and resolve hostnames in less than 7 seconds. Be careful with these tools, however; you can easily saturate a slow link such as a 128K ISDN or Frame Relay link (not to mention satellite or IR links). Other Windows ping sweep utilities include WS_Ping ProPack (www.ipswitch.com) and Netscan tools (www.nwpsw.com). These latter tools will suffice for a small network sweep. However, they are significantly slower than Pinger and Ping Sweep. Keep in mind that while these GUI-based tools provide eye-pleasing output, they limit your ability to script and automate ping sweeps. You may be wondering what happens if ICMP is blocked by the target site. Good question. It is not uncommon to come across a security-conscious site that has blocked ICMP at the border router or firewall. While ICMP may be blocked, there are some additional tools and techniques that can be used to determine if systems are actually alive; however, they are not as accurate or as efficient as a normal ping sweep. When ICMP traffic is blocked, port scanning is the first technique to determine live hosts (port scanning is discussed in great detail later in this chapter). By scanning for common ports on every potential IP address, we can determine which hosts are alive if we can identify open or listening ports on the target system. This technique is time-consuming and is not always conclusive. One tool used for this kind of port scanning is nmap. As mentioned previously, nmap does provide the capability to perform ICMP sweeps. However, it offers a more advanced option called TCP ping scan. A TCP ping scan is initiated with the –PT option and a port number such as 80. We use 80 because it is a common port that sites will allow through their border routers to systems on their demilitarized zone (DMZ), or even better, through their main firewall(s). This option will spew out TCP ACK packets to the target network and wait for RST indicating the host is alive. ACK packets are sent as they are more likely to get through a non-stateful firewall.

Figure 2-1. Pinger from Rhino9 is one of the fastest ping sweep utilities available—and it’s free


[tsunami] nmap -sP -PT80 192.168.1.0/24
TCP probe port is 80
Starting nmap V. 2.53
Host (192.168.1.0) appears to be up.
Host (192.168.1.1) appears to be up.
Host shadow (192.168.1.10) appears to be up.
Host (192.168.1.11) appears to be up.
Host (192.168.1.15) appears to be up.
Host (192.168.1.20) appears to be up.
Host (192.168.1.50) appears to be up.
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) appears to be up.
Nmap run completed (10 hosts up) scanned in 5 seconds

As you can see, this method is quite effective in determining if systems are alive even if the site blocks ICMP. It is worth trying a few iterations of this type of scan with common ports like SMTP (25), POP (110), AUTH (113), IMAP (143), or other ports that may be unique to the site. Hping from http://www.kyuzz.org/antirez/ is another TCP ping utility with additional TCP functionality beyond nmap. Hping allows the user to control specific options of the TCP packet that may allow it to pass through certain access control devices. By setting the destination port with the –p option, you can circumvent some access control devices similar to the traceroute technique mentioned in Chapter 1. Hping can be used to perform TCP ping sweeps and has the ability to fragment packets, potentially bypassing some access control devices.

[tsunami] hping 192.168.1.2 –S –p 80 –f
HPING 192.168.1.2 (eth0 192.168.1.2): S set, 40 data bytes
60 bytes from 192.168.1.2: flags=SA seq=0 ttl=124 id=17501 win=0 time=46.5
60 bytes from 192.168.1.2: flags=SA seq=1 ttl=124 id=18013 win=0 time=169.1

In some cases, simple access control devices cannot handle fragmented packets correctly, thus allowing our packets to pass through and determine if the target system is alive. Notice that the TCP SYN (S) flag and the TCP ACK (A) flag are returned whenever a port is open. Hping can easily be integrated into shell scripts by using the –cN packet count option, where N is the number of packets to send before moving on. While this method is not as fast as some of the ICMP ping sweep methods mentioned earlier, it may be necessary, given the configuration of the target network. We discuss hping in more detail in Chapter 11. Our final tool that we will analyze is icmpenum, from Simple Nomad (http://www.nmrc.org/files/sunix/icmpenum-1.1.tgz). This utility is a handy ICMP enumeration tool that will allow you to quickly identify systems that are alive by sending the traditional ICMP ECHO packets, as well as ICMP TIME STAMP REQUEST and ICMP INFO requests. Thus, if ingress ICMP ECHO packets are dropped by a border router or firewall, it may be possible to still identify systems using an alternate ICMP type:


[shadow] icmpenum -i2 -c 192.168.1.0
192.168.1.1 is up
192.168.1.10 is up
192.168.1.11 is up
192.168.1.15 is up
192.168.1.20 is up
192.168.1.103 is up

In this example, we enumerated the entire 192.168.1.0 class C network using an ICMP TIME STAMP REQUEST. However, the real power of icmpenum is to identify systems using spoofed packets to avoid detection. This technique is possible because icmpenum supports the ability to spoof packets with the -s option and passively listen for responses with the –p switch. To summarize, this step allows us to determine exactly what systems are alive via ICMP or through selective port scans. Out of 255 potential addresses within the class C range, we have determined that several hosts are alive and have now become our targets for subsequent interrogation. Thus, we have significantly reduced our target set, saving testing time and narrowing the focus of our activities.

Ping Sweeps Countermeasures

While ping sweeps may seem like an annoyance, it is important to detect this activity when it happens. Depending on your security paradigm, you may also want to block ping sweeps. We explore both options next.

Detection

As mentioned, network mapping via ping sweeps is a proven method for performing network reconnaissance before an actual attack ensues. Thus, detecting ping sweep activity is critical to understanding when an attack may occur and by whom. The primary methods for detecting ping sweep attacks are network-based IDS programs such as Network Flight Recorder (NFR) and snort (http://www.snort.org/) or host-based mechanisms. Shown next is the NFR N-Code that can be used to detect network ping sweeps.

#
# ICMP/Ping flood detection
# By Stuart McClure
#
# This will detect the use of a ping scanner on your network. You can play
# with the maxtime and maxcount settings to find your sweet spot.
#
ping_schema = library_schema:new( 1, [ "time", "ip", "ip", "ethmac", "ethmac" ], scope() );
count = 0;
maxtime = 10;    # Number of seconds
maxcount = 5;    # Number of ICMP ECHO's or ARP REQUESTS before it's considered a ping scan
dest = 0;
source = 0;
ethsrc = 0;
ethdst = 0;
time = 0;

filter icmp_packets icmp ( )
{
    if (icmp.type == 0x08)    # Check for ICMP ECHO packets
    {
        if ((source == ip.src) && (dest != ip.dst))    # Found the dog!
        {
            count = count + 1;
            time = system.time;
        }
        else
            count = 1;
        dest = ip.dest;
        source = ip.src;
        ethsrc = eth.src;
        ethdst = eth.dst;
    }
    on tick = timeout ( sec: maxtime, repeat ) call checkit;
}

func checkit
{
    if (count >= maxcount)
    {
        echo ("Found PING scanner dog! Time: ", time, "\n");
        record system.time, source, dest, eth.src, eth.dst to the_recorder_ping;
        count = 0;
        dest = 0;
    }
    else
    {
        dest = 0;
        count = 0;
    }
    return;
}

the_recorder_ping=recorder( "bin/histogram packages/sandbox/pingscan.cfg", "ping_schema" );
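The same detection idea as the N-Code filter above, reimplemented in Python as an added example (this is not NFR's code and not from the book): a source that sends ICMP ECHO to maxcount distinct destinations within a maxtime window is reported. Two things are my additions beyond the N-Code: state is kept per source rather than for one source at a time, and a small parser reads tcpdump-style lines, which are constructed here for the demonstration.

```python
import re
from collections import defaultdict, deque

ICMP_ECHO_REQUEST = 8

# Matches `tcpdump -n icmp` style lines; anything else (replies are kept but
# typed 0, TCP lines and noise yield None) is filtered out by the caller.
_TCPDUMP_ICMP = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d+) IP (\S+) > ([^:]+): ICMP echo (request|reply)"
)


def parse_tcpdump_icmp(line):
    """Turn one tcpdump line into (seconds_since_midnight, src, dst, icmp_type) or None."""
    m = _TCPDUMP_ICMP.match(line)
    if not m:
        return None
    hh, mm, ss, frac, src, dst, kind = m.groups()
    ts = int(hh) * 3600 + int(mm) * 60 + int(ss) + float("0." + frac)
    return ts, src, dst, (ICMP_ECHO_REQUEST if kind == "request" else 0)


def detect_ping_sweeps(packets, maxcount=5, maxtime=10.0):
    """Return alerts as (src, alert_time, sorted_distinct_dests).

    packets: iterable of (timestamp, ip_src, ip_dst, icmp_type) in arrival order.
    Like the N-Code, only ECHO requests count, and only *different* destinations
    from the same source count (a host pinging one box repeatedly never trips it).
    maxcount/maxtime keep the N-Code meaning; each source is reported at most
    once per window so a fast scanner does not produce an alert per packet.
    """
    windows = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    reported_until = {}            # src -> timestamp before which we already alerted
    alerts = []
    for ts, src, dst, icmp_type in packets:
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        win = windows[src]
        win.append((ts, dst))
        while win and ts - win[0][0] > maxtime:   # expire entries older than maxtime
            win.popleft()
        dests = {d for _, d in win}
        if len(dests) >= maxcount and ts >= reported_until.get(src, -1.0):
            alerts.append((src, ts, sorted(dests)))
            reported_until[src] = ts + maxtime
    return alerts


# Constructed sample capture: 10.0.0.5 pings one host repeatedly (benign),
# 10.0.0.99 sweeps six hosts in 50 ms (caught), 10.0.0.77 probes one host
# every 4 s (never has 5 distinct targets inside a 10 s window at maxcount=5).
SAMPLE_LOG = """\
12:00:00.000000 IP 10.0.0.5 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:00.000500 IP 192.168.1.1 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000000 IP 10.0.0.5 > 192.168.1.1: ICMP echo request, id 1, seq 2, length 64
12:00:02.000000 IP 10.0.0.5 > 192.168.1.1: ICMP echo request, id 1, seq 3, length 64
12:00:03.000000 IP 10.0.0.5 > 192.168.1.1: ICMP echo request, id 1, seq 4, length 64
12:00:04.000000 IP 10.0.0.5 > 192.168.1.1: ICMP echo request, id 1, seq 5, length 64
12:00:05.000000 IP 10.0.0.5 > 192.168.1.1: ICMP echo request, id 1, seq 6, length 64
12:00:10.000000 IP 10.0.0.99 > 192.168.1.1: ICMP echo request, id 7, seq 0, length 8
12:00:10.010000 IP 10.0.0.99 > 192.168.1.2: ICMP echo request, id 7, seq 0, length 8
12:00:10.020000 IP 10.0.0.99 > 192.168.1.3: ICMP echo request, id 7, seq 0, length 8
12:00:10.030000 IP 10.0.0.99 > 192.168.1.4: ICMP echo request, id 7, seq 0, length 8
12:00:10.040000 IP 10.0.0.99 > 192.168.1.5: ICMP echo request, id 7, seq 0, length 8
12:00:10.050000 IP 10.0.0.99 > 192.168.1.6: ICMP echo request, id 7, seq 0, length 8
12:00:20.000000 IP 10.0.0.77 > 192.168.1.1: ICMP echo request, id 9, seq 0, length 8
12:00:24.000000 IP 10.0.0.77 > 192.168.1.2: ICMP echo request, id 9, seq 0, length 8
12:00:28.000000 IP 10.0.0.77 > 192.168.1.3: ICMP echo request, id 9, seq 0, length 8
12:00:32.000000 IP 10.0.0.77 > 192.168.1.4: ICMP echo request, id 9, seq 0, length 8
12:00:36.000000 IP 10.0.0.77 > 192.168.1.5: ICMP echo request, id 9, seq 0, length 8
""".splitlines()


def demo(maxcount=5, maxtime=10.0):
    """Run the detector over the constructed capture with the given thresholds."""
    packets = [p for p in map(parse_tcpdump_icmp, SAMPLE_LOG) if p]
    return detect_ping_sweeps(packets, maxcount=maxcount, maxtime=maxtime)


if __name__ == "__main__":
    for src, ts, dests in demo():
        print(f"Found PING scanner dog! src={src} t={ts:.2f} dests={dests}")
```

Lowering maxcount to 3 also flags the slow 10.0.0.77 probe, which is the "sweet spot" trade-off the N-Code comment refers to.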

From a host-based perspective, several UNIX utilities will detect and log such attacks. If you begin to see a pattern of ICMP ECHO packets from a particular system or network, it may indicate that someone is performing network reconnaissance on your site. Pay close attention to this activity, as a full-scale attack may be imminent. Windows host-based ping detection tools are difficult to come by; however, a shareware/freeware product worth looking at is Genius 3.1. Genius is now version 3.1—check out the review on http://softseek.com/Internet/General/Review_20507_index.html—located at http://www.indiesoft.com/. While Genius does not detect ICMP ECHO (ping) scans to a system, it will detect TCP ping scans to a particular port. The commercial solution to TCP port scanning is BlackICE from Network ICE (www.networkice.com). The product is much more than a TCP ping or port scan detector, but it can be used solely for this purpose. Table 2-1 lists additional ping detection tools that can enhance your monitoring capabilities.

Prevention

While detection of ping sweep activity is critical, a dose of prevention will go even further. We recommend that you carefully evaluate the type of ICMP traffic you allow into your networks or into specific systems. There are many different types of ICMP traffic—ECHO and ECHO_REPLY are only two such types. Most sites do not require all types of ICMP traffic to all systems directly connected to the Internet. While almost any firewall can filter ICMP packets, organizational needs may dictate that the firewall pass some ICMP traffic. If a true need exists, then carefully consider which types of ICMP traffic to pass. A minimalist approach may be to only allow ICMP ECHO-REPLY, HOST UNREACHABLE, and TIME EXCEEDED packets into the DMZ network. In addition, if ICMP traffic can be limited with ACLs to specific IP addresses of your ISP, you are better off. This will allow your ISP to check for connectivity, while making it more difficult to perform ICMP sweeps against systems connected directly to the Internet.
Hacking Exposed: Network Security Secrets and Solutions

While ICMP is a powerful protocol for diagnosing network problems, it is also easily abused. Allowing unrestricted ICMP traffic into your border gateway may allow attackers to mount a denial of service attack (Smurf, for example). Even worse, if attackers actually manage to compromise one of your systems, they may be able to back-door the operating system and covertly tunnel data within an ICMP ECHO packet using a program such as loki. For more information on loki, check out Phrack Magazine, Volume 7, Issue 51, September 01, 1997, article 06 (http://phrack.infonexus.com/search.phtml?view&article=p51-6). Another interesting concept, which was developed by Tom Ptacek and ported to Linux by Mike Schiffman, is pingd. Pingd is a userland daemon that handles all ICMP_ECHO and ICMP_ECHOREPLY traffic at the host level. This feat is accomplished by removing support of ICMP_ECHO processing from the kernel and implementing a userland daemon with a raw ICMP socket to handle these packets. Essentially, it provides an access control mechanism for ping at the system level. Pingd is available for BSD (http://www.enteract.com/~tqbf/goodies.html) as well as Linux (http://www.2600.net/phrack/p52-07.html).

Table 2-1. Some UNIX Host-Based Ping Detection Tools

Program          Resource
Scanlogd         http://www.openwall.com/scanlogd
Courtney 1.3     http://packetstorm.securify.com/UNIX/audit/courtney-1.3.tar.Z
Ippl 1.4.10      http://pltplp.net/ippl/
Protolog 1.0.8   http://packetstorm.securify.com/UNIX/loggers/protolog-1.0.8.tar.gz

ICMP Queries

Popularity:  2
Simplicity:  9
Impact:      5
Risk Rating: 5

Ping sweeps (or ICMP ECHO packets) are only the tip of the iceberg when it comes to ICMP information about a system. You can gather all kinds of valuable information about a system by simply sending an ICMP packet to it. For example, with the UNIX tool icmpquery (http://packetstorm.securify.com/UNIX/scanners/icmpquery.c) or icmpush (http://packetstorm.securify.com/UNIX/scanners/icmpush22.tgz), you can request the time on the system (to see the time zone the system is in) by sending an ICMP type 13 message (TIMESTAMP). And you can request the netmask of a particular device with the ICMP type 17 message (ADDRESS MASK REQUEST). The netmask of a network card is important because you can determine all the subnets being used. With knowledge of the subnets, you can orient your attacks to only particular subnets and avoid hitting broadcast addresses, for example. Icmpquery has both a timestamp and address mask request option:

icmpquery [-B] [-f fromhost] [-d delay] [-T time] targets

where the query option is one of:
  -t : icmp timestamp request (default)
  -m : icmp address mask request

The delay is in microseconds to sleep between packets. targets is a list of hostnames or addresses. -T specifies the number of seconds to wait for a host to respond. The default is 5. -B specifies 'broadcast' mode. icmpquery will wait for timeout seconds and print all responses. If you're on a modem, you may wish to use a larger -d and -T.

To use icmpquery to query a router’s time, you can run this command:

[tsunami] icmpquery -t 192.168.1.1
192.168.1.1 : 11:36:19

To use icmpquery to query a router’s netmask, you can run this command:

[tsunami] icmpquery -m 192.168.1.1
192.168.1.1 : 0xFFFFFFE0

Not all routers/systems allow an ICMP TIMESTAMP or NETMASK response, so your mileage with icmpquery and icmpush may vary greatly from host to host.

ICMP Query Countermeasures

One of the best prevention methods is to block the ICMP types that give out information at your border routers. At minimum you should restrict TIMESTAMP (ICMP type 13) and ADDRESS MASK (ICMP type 17) packet requests from entering your network. If you deploy Cisco routers at your borders, you can restrict them from responding to these ICMP request packets with the following ACLs:

access-list 101 deny icmp any any 13    ! timestamp request
access-list 101 deny icmp any any 17    ! address mask request

It is possible to detect this activity with a network-based intrusion detection system (NIDS) such as snort (www.snort.org). Here is a snippet of this type of activity being flagged by snort.

[**] PING-ICMP Timestamp [**]
05/29-12:04:40.535502 192.168.1.10 -> 192.168.1.1
ICMP TTL:255 TOS:0x0 ID:4321
TIMESTAMP REQUEST
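The detection described above, written out as an added example that is not part of the original text and is not code from icmpquery or snort: a small Python parser that checks the ICMP checksum (RFC 1071), names the message type, and reports which sources sent TIMESTAMP (type 13) or ADDRESS MASK (type 17) requests, the two types the countermeasure blocks at the border. The packets and addresses are constructed for the example, and the helper names are the author's own.

```python
"""Flag ICMP TIMESTAMP (13) and ADDRESS MASK (17) requests in raw ICMP messages.

Added example for this section, not code from the book or from icmpquery/snort.
It parses the 8-byte ICMP header, verifies the RFC 1071 checksum, and reports
which sources sent information-gathering queries. Packet bytes and host
addresses below are constructed.
"""
import struct
from collections import defaultdict

# ICMP types named in the text; anything else is reported as "other".
ICMP_TYPE_NAMES = {
    0: "ECHO_REPLY",
    3: "DEST_UNREACHABLE",
    8: "ECHO",
    11: "TIME_EXCEEDED",
    13: "TIMESTAMP_REQUEST",
    14: "TIMESTAMP_REPLY",
    17: "ADDRESS_MASK_REQUEST",
    18: "ADDRESS_MASK_REPLY",
}

# Request types that leak host information and should be dropped at the border.
INFO_QUERY_TYPES = {13, 17}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as ICMP uses it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Construct an ICMP message with a valid checksum (used only to make sample input)."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Return type, code, identifier, sequence and whether the checksum verifies."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; packet too short")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPE_NAMES.get(icmp_type, "other"),
        "ident": ident,
        "seq": seq,
        # A valid message sums to zero when the checksum field itself is included.
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def detect_icmp_queries(packets):
    """packets: iterable of (src_ip, icmp_bytes). Returns {src_ip: [type names]}
    for sources that sent TIMESTAMP or ADDRESS MASK requests with a valid checksum."""
    hits = defaultdict(list)
    for src, raw in packets:
        info = parse_icmp(raw)
        if info["checksum_ok"] and info["type"] in INFO_QUERY_TYPES:
            hits[src].append(info["name"])
    return dict(hits)


# Constructed sample traffic: one host sends the two query types from the text,
# another sends an ordinary echo request, and a corrupted message is ignored.
SAMPLE_PACKETS = [
    ("192.168.1.10", build_icmp(13, 0, 0x1234, 1, b"\x00" * 12)),      # timestamp request
    ("192.168.1.10", build_icmp(17, 0, 0x1234, 2, b"\x00" * 4)),       # address mask request
    ("192.168.1.20", build_icmp(8, 0, 0x0042, 1, b"ping")),             # plain echo request
    ("192.168.1.30", build_icmp(13, 0, 0x9999, 1)[:-1] + b"\xff"),     # bad checksum
]

if __name__ == "__main__":
    for src, names in detect_icmp_queries(SAMPLE_PACKETS).items():
        print(src, "sent", ", ".join(names))
```

Run against the constructed sample, only 192.168.1.10 is reported, with both query types; the echo request is ordinary traffic and the corrupted message fails the checksum, so neither appears.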

Port Scanning

Popularity:  10
Simplicity:  9
Impact:      9
Risk Rating: 9

Thus far we have identified systems that are alive by using either ICMP or TCP ping sweeps and have gathered selected ICMP information. Now we are ready to begin port scanning each system. Port scanning is the process of connecting to TCP and UDP ports on the target system to determine what services are running or in a LISTENING state.


Identifying listening ports is critical to determining the type of operating system and applications in use. Active services that are listening may allow an unauthorized user to gain access to systems that are misconfigured or running a version of software known to have security vulnerabilities. Port scanning tools and techniques have evolved significantly over the past few years. We will focus on several popular port scanning tools and techniques that will provide us with a wealth of information. The port scanning techniques that follow differ from those previously mentioned, when we were trying to just identify systems that were alive. For the following steps, we will assume that the systems are alive and we are now trying to determine all the listening ports or potential access points on our target. There are several objectives that we would like to accomplish when port scanning the target system(s). These include but are not limited to the following:

▼ Identifying both the TCP and UDP services running on the target system

■ Identifying the type of operating system of the target system

▲ Identifying specific applications or versions of a particular service

Scan Types

Before we jump into the requisite port scanning tools, we must discuss the various port scanning techniques available. One of the pioneers of implementing various port scanning techniques is Fyodor. He has incorporated numerous scanning techniques into his nmap tool. Many of the scan types we will be discussing are the direct work of Fyodor himself.

▼ TCP connect scan  This type of scan connects to the target port and completes a full three-way handshake (SYN, SYN/ACK, and ACK). It is easily detected by the target system. Figure 2-2 provides a diagram of the TCP three-way handshake.

■ TCP SYN scan  This technique is called half-open scanning because a full TCP connection is not made. Instead, a SYN packet is sent to the target port. If a SYN/ACK is received from the target port, we can deduce that it is in the LISTENING state. If a RST/ACK is received, it usually indicates that the port is not listening. A RST/ACK will be sent by the system performing the port scan so that a full connection is never established. This technique has the advantage of being stealthier than a full TCP connect, and it may not be logged by the target system.

■ TCP FIN scan  This technique sends a FIN packet to the target port. Based on RFC 793 (http://www.ietf.org/rfc/rfc0793.txt), the target system should send back an RST for all closed ports. This technique usually only works on UNIX-based TCP/IP stacks.

■ TCP Xmas Tree scan  This technique sends a FIN, URG, and PUSH packet to the target port. Based on RFC 793, the target system should send back an RST for all closed ports.

■ TCP Null scan  This technique turns off all flags. Based on RFC 793, the target system should send back an RST for all closed ports.

■ TCP ACK scan  This technique is used to map out firewall rulesets. It can help determine if the firewall is a simple packet filter allowing only established connections (connections with the ACK bit set) or a stateful firewall performing advanced packet filtering.

■ TCP Windows scan  This technique may detect open as well as filtered/non-filtered ports on some systems (for example, AIX and FreeBSD) due to an anomaly in the way the TCP window size is reported.

■ TCP RPC scan  This technique is specific to UNIX systems and is used to detect and identify remote procedure call (RPC) ports and their associated program and version number.

▲ UDP scan  This technique sends a UDP packet to the target port. If the target port responds with an “ICMP port unreachable” message, the port is closed. Conversely, if we don’t receive an “ICMP port unreachable” message, we can deduce the port is open. Since UDP is known as a connectionless protocol, the accuracy of this technique is highly dependent on many factors related to the utilization of network and system resources. In addition, UDP scanning is a very slow process if you are trying to scan a device that employs heavy packet filtering. If you plan on doing UDP scans over the Internet, be prepared for unreliable results.

Figure 2-2. A TCP connect requires a three-way handshake: (1) sending a SYN packet, (2) receiving a SYN/ACK packet, and (3) sending an ACK packet

Certain IP implementations have the unfortunate distinction of sending RSTs for all ports scanned whether or not they are listening. Thus, your results may vary when performing these scans; however, SYN and connect() scans should work against all hosts.
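The scan types above, seen from the defender's side, as an added example that is not part of the original text and is not code from nmap or strobe. The first function names the technique a single unsolicited packet's flag combination suggests (it also labels the SYN+FIN and bogus-flag packets that the stack fingerprinting section later in this chapter mentions); the second gives the reply a scanner expects, with a switch that models the stacks noted above which reset every port; the third is the logic a scan detector such as scanlogd applies, raising an alert when one source touches many distinct ports within a short window. The probe records, addresses, threshold and window are constructed and the function names are the author's own.

```python
"""Classify unsolicited TCP probes by flag combination and raise port-scan alerts.

Added example for the scan types discussed above; not code from the book, nmap,
or strobe. Probe records are (timestamp, src_ip, dst_port, flags) tuples where
flags is a set of TCP flag names; the sample records are constructed.
"""
from collections import defaultdict

ALL_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def classify_probe(flags):
    """Name the scan technique that a single probe's flag combination suggests."""
    flags = set(flags)
    if flags - ALL_FLAGS:
        return "bogus-flag probe"            # undefined flag bits (fingerprinting)
    if not flags:
        return "TCP Null scan"
    if flags == {"FIN", "URG", "PSH"}:
        return "TCP Xmas Tree scan"
    if flags == {"FIN"}:
        return "TCP FIN scan"
    if flags == {"SYN", "FIN"}:
        return "SYN/FIN fingerprint probe"   # the packet TCP_DROP_SYNFIN discards
    if flags == {"SYN"}:
        return "TCP SYN (or connect) scan"   # both begin with a bare SYN
    if flags == {"ACK"}:
        return "TCP ACK scan"
    return "other"


def expected_reply(flags, port_open, strict_rfc793=True):
    """Reply the scanner should see. strict_rfc793=False models stacks that answer
    RST on every port, which is why FIN/Null/Xmas scans fail against them."""
    flags = set(flags)
    if "RST" in flags:
        return None                          # resets are never answered
    if not port_open:
        return "RST"                         # closed port resets everything else
    if "SYN" in flags and "ACK" not in flags:
        return "SYN/ACK"                     # step 2 of the handshake
    if "ACK" in flags:
        return "RST"                         # stray ACK to a LISTENing socket
    return None if strict_rfc793 else "RST"  # FIN/Null/Xmas: silence if compliant


def detect_port_scans(records, threshold=10, window=5.0):
    """Alert on sources that touch >= threshold distinct ports within `window`
    seconds. Returns {src_ip: (distinct_ports, [techniques seen])}."""
    by_src = defaultdict(list)
    for ts, src, port, flags in records:
        by_src[src].append((ts, port, classify_probe(flags)))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            ports = {p for _, p, _ in in_window}
            if len(ports) >= threshold:
                alerts[src] = (len(ports), sorted({c for _, _, c in in_window}))
                break                        # one alert per source is enough
    return alerts


# Constructed sample: a SYN sweep, an Xmas sweep, a three-port FIN probe that
# stays under the threshold, and a normal client hitting port 80 repeatedly.
SAMPLE_RECORDS = (
    [(0.1 * p, "10.0.0.5", p, {"SYN"}) for p in range(1, 21)]
    + [(100.0 + 0.2 * p, "10.0.0.7", p, {"FIN", "URG", "PSH"}) for p in range(1, 16)]
    + [(200.0, "10.0.0.9", p, {"FIN"}) for p in (21, 22, 23)]
    + [(300.0 + i, "192.168.1.50", 80, {"SYN"}) for i in range(30)]
)

if __name__ == "__main__":
    for src, (n, kinds) in detect_port_scans(SAMPLE_RECORDS).items():
        print("%s: %d distinct ports, %s" % (src, n, ", ".join(kinds)))
```

The distinct-port count is what separates a scan from a busy but legitimate client: 192.168.1.50 sends thirty SYNs but only ever to port 80, so it never alerts, while the SYN and Xmas sweeps do.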


Identifying TCP and UDP Services Running The utility of a good port scanning tool is a critical component of the footprinting process. While there are many port scanners available for both the UNIX and NT environment, we shall limit our discussion to some of the more popular and time-proven port scanners.

Strobe

Strobe is a venerable TCP port scanning utility written by Julian Assange (ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/strobe-1.06.tgz). It has been around for some time and is one of the fastest and most reliable TCP scanners available. Some of strobe’s key features include the ability to optimize system and network resources and to scan the target system in an efficient manner. In addition to being efficient, strobe version 1.04 and later will actually grab the associated banner (if available) of each port that it connects to. This may help identify both the operating system and the running service. Banner grabbing is explained in more detail in Chapter 3. Strobe output lists each listening TCP port:

[tsunami] strobe 192.168.1.10
strobe 1.03 © 1995 Julian Assange ([email protected]).
192.168.1.10   echo       7/tcp       Echo [95,JBP]
192.168.1.10   discard    9/tcp       Discard [94,JBP]
192.168.1.10   sunrpc     111/tcp     rpcbind SUN RPC
192.168.1.10   daytime    13/tcp      Daytime [93,JBP]
192.168.1.10   chargen    19/tcp      ttytst source
192.168.1.10   ftp        21/tcp      File Transfer [Control] [96,JBP]
192.168.1.10   exec       512/tcp     remote process execution;
192.168.1.10   login      513/tcp     remote login a la telnet;
192.168.1.10   cmd        514/tcp     shell like exec, but automatic
192.168.1.10   ssh        22/tcp      Secure Shell
192.168.1.10   telnet     23/tcp      Telnet [112,JBP]
192.168.1.10   smtp       25/tcp      Simple Mail Transfer [102,JBP]
192.168.1.10   nfs        2049/tcp    networked file system
192.168.1.10   lockd      4045/tcp
192.168.1.10   unknown    32772/tcp   unassigned
192.168.1.10   unknown    32773/tcp   unassigned
192.168.1.10   unknown    32778/tcp   unassigned
192.168.1.10   unknown    32799/tcp   unassigned
192.168.1.10   unknown    32804/tcp   unassigned

While strobe is highly reliable, it is important to keep in mind some of its limitations. Strobe is a TCP scanner only and does not provide UDP scanning capabilities. Thus, for our earlier scan, we are only looking at half the picture. In addition, strobe only employs TCP connect scanning technology when connecting to each port. While this behavior adds to strobe’s reliability, it also makes port scans easily detectable by the target system. For additional scanning techniques beyond what strobe can provide, we must dig deeper into our toolkit.

udp_scan

Since strobe only covers TCP scanning, we can use udp_scan, originally from SATAN (Security Administrator Tool for Analyzing Networks), written by Dan Farmer and Wietse Venema in 1995. While SATAN is a bit dated, its tools still work quite well. In addition, newer versions of SATAN, now called SAINT, have been released by http://wwdsilx.wwdsi.com. There are many other utilities that perform UDP scans; however, we have found that udp_scan is one of the most reliable UDP scanners available. We should point out that although udp_scan is reliable, it does have a nasty side-effect of triggering a SATAN scan message from major IDS products. Thus, it is not one of the more stealthy tools you could employ. Typically, we will look for all well-known ports below 1024 and specific high-risk ports above 1024.

[tsunami] udp_scan 192.168.1.1 1-1024
42:UNKNOWN:
53:UNKNOWN:
123:UNKNOWN:
135:UNKNOWN:

netcat

Another excellent utility is netcat or nc, written by Hobbit ([email protected]). This utility can perform so many tasks that we call it the Swiss army knife in our security toolkit. While we will discuss many of its advanced features throughout the book, nc will provide basic TCP and UDP port scanning capabilities. The -v and -vv options provide verbose and very verbose output, respectively. The -z option provides zero mode I/O and is used for port scanning, and the -w2 option provides a timeout value for each connection. By default, nc will use TCP ports. Therefore, we must specify the -u option for UDP scanning (as in the second example).

[tsunami] nc -v -z -w2 192.168.1.1 1-140
[192.168.1.1] 139 (?) open
[192.168.1.1] 135 (?) open
[192.168.1.1] 110 (pop-3) open
[192.168.1.1] 106 (?) open
[192.168.1.1] 81 (?) open
[192.168.1.1] 80 (http) open
[192.168.1.1] 79 (finger) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 42 (?) open
[192.168.1.1] 25 (smtp) open
[192.168.1.1] 21 (ftp) open

[tsunami] nc -u -v -z -w2 192.168.1.1 1-140
[192.168.1.1] 135 (ntportmap) open
[192.168.1.1] 123 (ntp) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 42 (name) open

Network Mapper (nmap)

Now that we have discussed basic port scanning tools, we can move on to the premier port scanning tool available, nmap. Nmap (http://www.insecure.org/nmap) by Fyodor provides basic TCP and UDP scanning capabilities as well as incorporating the aforementioned scanning techniques. Rarely does a tool come along that provides so much utility in one package. Let’s explore some of its most useful features.

[tsunami]# nmap -h
nmap V. 2.53 Usage: nmap [Scan Type(s)] [Options]
Some Common Scan Types ('*' options require root privileges)
  -sT TCP connect() port scan (default)
* -sS TCP SYN stealth port scan (best all-around TCP scan)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p ports to scan. Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended. Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[.] Hide scan using many decoys
  -T <Paranoid

tr -s : :

Services menu. Detailed Windows NT risks and countermeasures are discussed in Chapter 5. In addition, Tiny Software (www.tinysoftware.com) sells a wonderful packet-filtering kernel module for Windows NT that will allow you to protect many of your sensitive ports. For other operating systems or devices, consult the user’s manual to determine how to reduce the number of listening ports to only those required for operation.

Active Operating System Detection

Popularity:  10
Simplicity:  8
Impact:      4
Risk Rating: 7

As we have demonstrated, a wealth of tools and many different types of port scanning techniques are available. If you recall, our first objective of port scanning was to identify listening TCP and UDP ports on the target system. Our second objective is to determine the type of operating system that we are scanning. Specific operating system information will be useful during our vulnerability-mapping phase, discussed in subsequent chapters. It is important to remember that we are trying to be as accurate as possible in determining the associated vulnerabilities of our target system. Thus, we need to be fairly confident that we can identify the target operating system. We can perform simple banner grabbing techniques, as discussed in Chapter 3, that will grab information from such services as FTP, telnet, SMTP, HTTP, POP, and others. This is the simplest way to detect an operating system and the associated version number of the service running. Of course, there are tools designed to help us with this task. Two of the most accurate tools we have at our disposal are the omnipowerful nmap and queso, which both provide stack fingerprinting capabilities.

Active Stack Fingerprinting

Before we jump into using nmap and queso, it is important to explain exactly what stack fingerprinting is. Stack fingerprinting is an extremely powerful technology that allows you to quickly ascertain each host’s operating system with a high degree of probability. Essentially, there are many nuances between one vendor’s IP stack implementation versus another’s. Vendors often interpret specific RFC guidance differently when writing their TCP/IP stack. Thus, by probing for these differences, we can begin to make an educated guess as to the exact operating system in use. For maximum reliability, stack fingerprinting generally requires at least one listening port. Nmap will make an educated guess about the operating system in use if no ports are open; however, the accuracy of such a guess will be fairly low. The definitive paper on the subject was written by Fyodor, first published in Phrack Magazine, and can be found at http://www.insecure.org/nmap/nmap-fingerprinting-article.html. Let’s examine the types of probes that can be sent that help to distinguish one operating system from another.

▼ FIN probe  A FIN packet is sent to an open port. As mentioned previously, RFC 793 states that the correct behavior is not to respond; however, many stack implementations (such as Windows NT) will respond with a FIN/ACK.

■ Bogus Flag probe  An undefined TCP flag is set in the TCP header of a SYN packet. Some operating systems, such as Linux, will respond with the flag set in their response packet.

■ Initial Sequence Number (ISN) sampling  The basic premise is to find a pattern in the initial sequence chosen by the TCP implementation when responding to a connection request.

■ “Don’t fragment bit” monitoring  Some operating systems will set the “Don’t fragment bit” to enhance performance. This bit can be monitored to determine what types of operating systems exhibit this behavior.

■ TCP initial window size  Initial window size on returned packets is tracked. For some stack implementations, this size is unique and can greatly add to the accuracy of the fingerprint mechanism.

■ ACK value  IP stacks differ in the sequence value they use for the ACK field, so some implementations will send back the sequence number you sent, and others will send back a sequence number + 1.

■ ICMP error message quenching  Operating systems may follow RFC 1812 (www.ietf.org/rfc/rfc1812.txt) and limit the rate at which error messages are sent. By sending UDP packets to some random high-numbered port, it is possible to count the number of unreachable messages received within a given amount of time.

■ ICMP message quoting  Operating systems differ in the amount of information that is quoted when ICMP errors are encountered. By examining the quoted message, you may be able to make some assumptions about the target operating system.

■ ICMP error message–echoing integrity  Some stack implementations may alter the IP headers when sending back ICMP error messages. By examining the types of alterations that are made to the headers, you may be able to make some assumptions about the target operating system.

■ Type of service (TOS)  For “ICMP port unreachable” messages, the TOS is examined. Most stack implementations use 0, but this can vary.

■ Fragmentation handling  As pointed out by Thomas Ptacek and Tim Newsham in their landmark paper “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection” (http://www.clark.net/~roesch/idspaper.html), different stacks handle overlapping fragments differently. Some stacks will overwrite the old data with the new data and vice versa when the fragments are reassembled. By noting how probe packets are reassembled, you can make some assumptions about the target operating system.

▲ TCP options  TCP options are defined by RFC 793 and more recently by RFC 1323 (www.ietf.org/rfc/rfc1323.txt). The more advanced options provided by RFC 1323 tend to be implemented in the most current stack implementations. By sending a packet with multiple options set, such as no operation, maximum segment size, window scale factor, and timestamps, it is possible to make some assumptions about the target operating system.

Nmap employs the techniques mentioned earlier (except for the fragmentation handling and ICMP error message quenching) by using the -O option. Let’s take a look at our target network:

[tsunami] nmap -O 192.168.1.10
Starting nmap V. 2.53 by [email protected]
Interesting ports on shadow (192.168.1.10):
Port    State   Protocol  Service
7       open    tcp       echo
9       open    tcp       discard
13      open    tcp       daytime
19      open    tcp       chargen
21      open    tcp       ftp
22      open    tcp       ssh
23      open    tcp       telnet
25      open    tcp       smtp
37      open    tcp       time
111     open    tcp       sunrpc
512     open    tcp       exec
513     open    tcp       login
514     open    tcp       shell
2049    open    tcp       nfs
4045    open    tcp       lockd

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=26590 (Worthy challenge)
Remote operating system guess: Solaris 2.5, 2.51

By using nmap’s stack fingerprint option, we can easily ascertain the target operating system with precision. Even if no ports are open on the target system, nmap will still make an educated guess about its operating system:

[tsunami]# nmap -p80 -O 10.10.10.10
Starting nmap V. 2.53 by [email protected]
Warning: No ports found open on this machine, OS detection will be MUCH less reliable
No ports open for host (10.10.10.10)
Remote OS guesses: Linux 2.0.27 - 2.0.30, Linux 2.0.32-34, Linux 2.0.35-36, Linux 2.1.24 PowerPC, Linux 2.1.76, Linux 2.1.91 - 2.1.103, Linux 2.1.122 2.1.132; 2.2.0-pre1 - 2.2.2, Linux 2.2.0-pre6 - 2.2.2-ac5
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

So even with no ports open, nmap correctly guessed the target operating system as Linux. One of the best features of nmap is that its signature listing is kept in a file called nmap-os-fingerprints. Each time a new version of nmap is released, this file is updated with additional signatures. At this writing, there were hundreds of signatures listed. If you would like to add a new signature and advance the utility of nmap, you can do so at http://www.insecure.org:80/cgi-bin/nmap-submit.cgi. While nmap’s TCP detection seems to be the most accurate at this writing, it was not the first program to implement such techniques. Queso from http://www.apostols.org/projectz/ is an operating system–detection tool that was released before Fyodor incorporated his operating system detection into nmap. It is important to note that queso is not a port scanner and performs only operating system detection via a single open port (port 80 by default). If port 80 is not open on the target server, it is necessary to specify an open port, as demonstrated next. Queso is used to determine the target operating system via port 25.

[tsunami] queso 10.10.10.20:25
10.10.10.20:25 * Windoze 95/98/NT

Operating System Detection Countermeasures

Detection

Many of the aforementioned port scanning detection tools can be used to watch for operating system detection. While they don’t specifically indicate that an nmap or queso operating system detection scan is taking place, they can detect a scan with specific options, such as the SYN flag, set.

Prevention

We wish there were an easy fix to operating system detection, but it is not an easy problem to solve. It is possible to hack up the operating system source code or alter an operating system parameter to change one of the unique stack fingerprint characteristics; however, it may adversely affect the functionality of the operating system. For example, FreeBSD 4.x supports the TCP_DROP_SYNFIN kernel option, which is used to ignore a SYN+FIN packet used by nmap when performing stack fingerprinting. Enabling this option may help in thwarting O/S detection, but will break support for RFC 1644 (TCP Extensions for Transactions). We believe only robust, secure proxies or firewalls should be subject to Internet scans. As the old adage says, “security through obscurity” is not your first line of defense. Even if attackers were to know the operating system, they should have a difficult time obtaining access to the target system.

Passive Operating System Identification

Popularity:  5
Simplicity:  6
Impact:      4
Risk Rating: 5

We have demonstrated how effective active stack fingerprinting can be using tools like nmap and queso. It is important to remember that the aforementioned stack-detection techniques are active by their very nature. We sent packets to each system to determine specific idiosyncrasies of the network stack, which allowed us to guess the operating system in use. Since we had to send packets to the target system, it is relatively easy for a network-based IDS system to determine that an O/S identification probe was launched; thus, it is not one of the more stealthy techniques an attacker will employ.

Passive Stack Fingerprinting Passive stack fingerprinting is similar in concept to active stack fingerprinting; however, instead of sending packets to the target system, an attacker passively monitors network traffic to determine the operating system in use. Thus, by monitoring network traffic between various systems, we can determine the operating systems on a network. Lance Spitzner has performed a great deal of research in this area and has written a white paper that describes his findings at http://www.enteract.com/~lspitz/finger.html. In addition, the subterrain crew has developed siphon, a passive port mapping and O/S identification tool that can be found at http://www.subterrain.net/projects/siphon. Let’s look at how passive stack fingerprinting works.

Passive Signatures

There are various signatures that can be used to identify an operating system; however, we will limit our discussion to several attributes associated with a TCP/IP session:

▼ TTL  What does the operating system set as the time-to-live on the outbound packet?

■ Window Size  What does the operating system set as the Window Size?

■ DF  Does the operating system set the Don’t Fragment bit?

▲ TOS  Does the operating system set the type of service, and if so, at what?

By passively analyzing each attribute and comparing the results to a known database of attributes, you can determine the remote operating system. While this method is not guaranteed to produce the correct answer every time, the attributes can be combined to generate fairly reliable results. This technique is exactly what siphon performs. Let’s look at an example of how this works. If we telnet from the system shadow (192.168.1.10) to quake (192.168.1.11), we can passively identify the operating system using siphon.

[shadow]# telnet 192.168.1.11

Using our favorite sniffer, snort, we can review a partial packet trace of our telnet connection.

06/04-11:23:48.297976 192.168.1.11:23 -> 192.168.1.10:2295
TCP TTL:255 TOS:0x0 ID:58934 DF
**S***A* Seq: 0xD3B709A4 Ack: 0xBE09B2B7 Win: 0x2798
TCP Options => NOP NOP TS: 9688775 9682347 NOP WS: 0 MSS: 1460

Looking at our four TCP/IP attributes, we can find

▼ TTL = 255

■ Window Size = 2798

■ Do not fragment bit (DF) = Yes

▲ TOS = 0

Now, let’s review the siphon fingerprint database file osprints.conf:

[shadow]# grep -i solaris osprints.conf
# Window:TTL:DF:Operating System   DF = 1 for ON, 0 for OFF.
2328:255:1:Solaris 2.6 - 2.7
2238:255:1:Solaris 2.6 - 2.7
2400:255:1:Solaris 2.6 - 2.7
2798:255:1:Solaris 2.6 - 2.7
FE88:255:1:Solaris 2.6 - 2.7
87C0:255:1:Solaris 2.6 - 2.7
FAF0:255:0:Solaris 2.6 - 2.7
FFFF:255:1:Solaris 2.6 - 2.7

We can see the fourth entry has the exact attributes as our snort trace: a window size of 2798, a TTL of 255, and the DF bit set (equal to 1). Thus, we should be able to accurately guess the target O/S using siphon.

[crush]# siphon -v -i xl0 -o fingerprint.out
Running on: 'crush' running FreeBSD 4.0-RELEASE on a(n) i386
Using Device: xl0
Host           Port   TTL   DF   Operating System
192.168.1.11   23     255   ON   Solaris 2.6 - 2.7
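The matching step siphon performs, written out as an added example that is not part of the original text and is not siphon's code: it pulls TTL, TOS, DF and window size out of a snort-style trace line, reads a database in the Window:TTL:DF:Operating System format shown above, and returns every operating system whose entry matches. The Solaris entries are the ones listed above; the Linux and Windows NT lines, the sample trace (copied from the snort output above) and the helper names are constructed for the example. It goes one step beyond the text in rounding the observed TTL up to a common default (32, 64, 128 or 255) before matching, since each router hop decrements it; that rounding is the author's assumption, not something the text describes.

```python
"""Passive O/S identification from a snort-style trace and an osprints.conf-style
database, in the way siphon does it. Added example for this section; not the
book's code and not siphon's. The Solaris signatures are the ones listed above;
the Linux and Windows lines and the helper names are constructed.
"""
import re

OSPRINTS = """\
# Window:TTL:DF:Operating System   (DF = 1 for ON, 0 for OFF)
2328:255:1:Solaris 2.6 - 2.7
2238:255:1:Solaris 2.6 - 2.7
2400:255:1:Solaris 2.6 - 2.7
2798:255:1:Solaris 2.6 - 2.7
FE88:255:1:Solaris 2.6 - 2.7
87C0:255:1:Solaris 2.6 - 2.7
FAF0:255:0:Solaris 2.6 - 2.7
FFFF:255:1:Solaris 2.6 - 2.7
7D78:64:1:Linux 2.2 (constructed entry)
2017:128:1:Windows NT 4 (constructed entry)
"""

# Fields of interest in a snort TCP trace: TTL, TOS, optional DF, flag string, window.
TRACE_RE = re.compile(
    r"TCP TTL:(?P<ttl>\d+) TOS:0x(?P<tos>[0-9A-Fa-f]+) ID:\d+(?P<df> DF)?\s+"
    r"(?P<flags>[*A-Z0-9]{8}) Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+ Win: 0x(?P<win>[0-9A-Fa-f]+)"
)


def parse_osprints(text):
    """Return [(window, ttl, df, os_name)], skipping comments and blank lines."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        win, ttl, df, name = line.split(":", 3)
        sigs.append((int(win, 16), int(ttl), df == "1", name))
    return sigs


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common default, since every hop
    decrements it (assumption: defaults of 32, 64, 128 and 255)."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return observed


def parse_trace(trace):
    """Extract the four passive attributes from one snort TCP trace."""
    m = TRACE_RE.search(trace)
    if not m:
        raise ValueError("not a recognised snort TCP trace")
    flags = m.group("flags")
    return {
        "ttl": int(m.group("ttl")),
        "ttl_initial": initial_ttl(int(m.group("ttl"))),
        "tos": int(m.group("tos"), 16),
        "df": m.group("df") is not None,
        "window": int(m.group("win"), 16),
        "syn_ack": "S" in flags and "A" in flags,   # the reply packet siphon keys on
    }


def identify_os(attrs, sigs):
    """Exact match on window, initial TTL and DF. An empty list means no
    signature fits, e.g. traffic from a tool that builds its own packets."""
    return sorted({name for win, ttl, df, name in sigs
                   if win == attrs["window"] and ttl == attrs["ttl_initial"] and df == attrs["df"]})


# The SYN/ACK from 192.168.1.11 shown in the snort output above.
SAMPLE_TRACE = (
    "06/04-11:23:48.297976 192.168.1.11:23 -> 192.168.1.10:2295 "
    "TCP TTL:255 TOS:0x0 ID:58934 DF **S***A* Seq: 0xD3B709A4 Ack: 0xBE09B2B7 Win: 0x2798 "
    "TCP Options => NOP NOP TS: 9688775 9682347 NOP WS: 0 MSS: 1460"
)


def passive_guess(trace, db_text=OSPRINTS):
    """Return (attributes, [matching operating systems]) for one trace line."""
    attrs = parse_trace(trace)
    return attrs, identify_os(attrs, parse_osprints(db_text))


if __name__ == "__main__":
    attrs, names = passive_guess(SAMPLE_TRACE)
    print(attrs)
    print("guess:", names or "no match")
```

Note that the window size is compared in hexadecimal, which is how both snort (Win: 0x2798) and the database (2798) report it; a decimal comparison would miss every entry.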

As you can see, we were able to guess the target O/S, which happens to be Solaris 2.6, with relative ease. It is important to remember that we were able to make an educated guess without sending a single packet to 192.168.1.11. Passive fingerprinting can be used by an attacker to map out a potential victim just by surfing to their web site and analyzing a network trace or by using a tool like siphon. While this is an effective technique, it does have some limitations. First, applications that build their own packets (for example, nmap) do not use the same signature as the operating system. Thus, your results may not be accurate. Second, it is simple for a remote host to change the connection attributes.

Solaris:  ndd -set /dev/ip ip_def_ttl 'number'
Linux:    echo 'number' > /proc/sys/net/ipv4/ip_default_ttl
NT:       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

Passive Operating System Detection Countermeasure

See the prevention countermeasure under “Operating System Detection Countermeasures” earlier in the chapter.

THE WHOLE ENCHILADA: AUTOMATED DISCOVERY TOOLS

Popularity:  10
Simplicity:  9
Impact:      9
Risk Rating: 9

There are many other tools available, and more written every day, that will aid in network discovery. While we cannot list every conceivable tool, we wanted to highlight two additional utilities that will augment the tools already discussed. Cheops (http://www.marko.net/cheops/), pronounced KEE-ops, depicted in Figure 2-8, is a graphical utility designed to be the all-inclusive network-mapping tool. Cheops integrates ping, traceroute, port scanning capabilities, and operating system detection (via queso) into a single package. Cheops provides a simple interface that visually depicts systems and related networks, making it easy to understand the terrain. Tkined is part of the Scotty package found at http://wwwhome.cs.utwente.nl/~schoenw/scotty/. Tkined is a network editor written in Tcl that integrates various network management tools, allowing you to discover IP networks. Tkined is quite extensible and enables you to perform network reconnaissance activities, graphically depicting the results. While it does not perform operating system detection, it will perform many of the tasks mentioned earlier and in Chapter 1. In addition to tkined, there are several other discovery scripts provided with Scotty that are worth exploring.

Figure 2-8. Cheops provides many network-mapping utilities in one graphical package

Automated Discovery Tools Countermeasures: Since tools like Scotty, tkined, and cheops use a combination of all the techniques already discussed, the same techniques for detecting those attacks apply to detecting automated tool discoveries.

Chapter 2: Scanning

SUMMARY

We have covered the requisite tools and techniques to perform ping sweeps, both TCP and ICMP, port scanning, and operating system detection. By using ping sweep tools, you can identify systems that are alive and pinpoint potential targets. By using a myriad of TCP and UDP scanning tools and techniques, you can identify potential services that are listening and make some assumptions about the level of exposure associated with each system. Finally, we demonstrated how attackers could use operating system detection software to determine with fine precision the specific operating system used by the target system. As we continue, we will see that the information collected thus far is critical to mounting a focused attack.


CHAPTER 3

Enumeration

Copyright 2001 The McGraw Hill Companies, Inc.


Assuming that initial target acquisition and non-intrusive probing haven’t turned up any immediate avenues of conquest, an attacker will next turn to identifying valid user accounts or poorly protected resource shares. There are many ways to extract valid account or exported resource names from systems, a process we call enumeration. This chapter will detail the most prevalent methods. The key difference between previously discussed information-gathering techniques and enumeration is in the level of intrusiveness—enumeration involves active connections to systems and directed queries. As such, they may (should!) be logged or otherwise noticed. We will show you what to look for and how to block it, if possible. Much of the information garnered through enumeration may appear harmless at first glance. However, the information that leaks from the following holes can be your undoing, as we will try to illustrate throughout this chapter. In general, once a valid username or share is enumerated, it’s usually only a matter of time before the intruder guesses the corresponding password or identifies some weakness associated with the resource sharing protocol. By closing these easily fixed loopholes, you eliminate the first foothold of the hacker. The type of information enumerated by intruders can be loosely grouped into the following categories:

- Network resources and shares
- Users and groups
- Applications and banners

Enumeration techniques are also mostly operating-system specific and thus targeted using information gathered in Chapter 2 (port scans and OS detection). By knowing what types of information hackers are after, and how your specific system divulges it, you can take steps to seal these leaks. This chapter is divided into three sections based on operating system—Windows NT/2000, Novell NetWare, and UNIX. We have omitted direct mention of Win 9x because the user and application enumeration techniques referenced here are not relevant to its single-user operational architecture; many of the file share enumeration techniques used for Win NT/2000 work just fine against Win 9x, however. Each section describes the preceding techniques in detail, how to detect them, and how to eliminate the vulnerability if possible.

WINDOWS NT/2000 ENUMERATION

During its lifetime, Windows NT has achieved a well-deserved reputation for giving away free information to remote pilferers. This is primarily due to the Common Internet File System/Server Message Block (CIFS/SMB) and NetBIOS data transport protocols upon which its network services are heavily dependent. Although Win 2000 has the capability to run TCP/IP natively and live comfortably without NetBIOS, it comes out of the box configured with all of the insecurities of its older sibling NT. The multifaceted Win 2000 also adds a few other points of interest for casual information gatherers. We will discuss these features, new and old, and recommend steps to remedy them before someone collects enough information to mount a serious attack. Before any proper discussion of Windows enumeration, however, a critical toolset and an important concept must be introduced: the Windows NT/2000 Resource Kit and null sessions. These two entities will be used time and again throughout the ensuing chapters, and will greatly inform this initial assault on Windows NT/2000.


The Windows NT/2000 Hacking Kit

Popularity: 5  Simplicity: 8  Impact: 8  Risk Rating: 7

Since the release of Windows NT 3.1, Microsoft has provided (at extra cost) a supplementary set of documentation and a CD-ROM full of software utilities for administering NT networks: the Windows NT Resource Kit (Workstation and Server versions). The NTRK (as we’ll call it throughout this book) contains a diverse collection of powerful utilities, from a limited implementation of the popular Perl scripting language, to ports of many common UNIX utilities, to remote administration tools not provided in the retail version of NT. No serious NT admin should live without it. There is a dark side to all the conveniences provided by NTRK, however. Many of these tools can be used by intruders to gain valuable information, earning it the moniker “The Windows NT Hacking Kit” in some circles. Since NTRK retails for around $200, including two updated Supplements, it’s fair to assume that “resourceful” attackers might be using these tools against you (some are available free at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/). The Win 2000 version (W2RK) continues this tradition by including many tools that have a two-edged nature. In addition, the Win 2000 Server operating system CD includes many hacker-friendly utilities in the Support\Tools folder. We will discuss the Resource Kit and Support tools that greatly facilitate enumeration in this chapter, and leave coverage of many of the other security-related tools for Chapters 5 and 6. The Perl environment that comes with NTRK is not as robust as the ActiveState distribution for Windows, available at http://www.activestate.com. Microsoft actually includes ActiveState’s ActivePerl Build 521 in W2RK. If you are going to use Perl on Windows, we suggest ActiveState’s implementation, as many of the Perl-based tools discussed in this book do not function properly with the NTRK Perl binary.


Although we highly encourage security-conscious NT/2000 administrators to purchase all the Resource Kits and see what they’re missing, do NOT install them on production servers, lest the guns be turned against you! At the very most, install only relevant utilities for ongoing application functionality. Keep a removable disk or network drive full of RK utilities used solely for maintenance, and mount it only when needed.


Null Sessions: The Holy Grail of Enumeration

Popularity: 8  Simplicity: 10  Impact: 8  Risk Rating: 9

As alluded to previously, Windows NT/2000 has a serious Achilles heel in its default reliance on CIFS/SMB and NetBIOS. The CIFS/SMB and NetBIOS standards include APIs that return rich information about a machine via TCP port 139—even to unauthenticated users. The first step in accessing these APIs remotely is creating just such an unauthenticated connection to an NT/2000 system by using the so-called “null session” command, assuming TCP port 139 is shown listening by a previous port scan:

net use \\192.168.202.33\IPC$ "" /u:""

The preceding syntax connects to the hidden interprocess communications “share” (IPC$) at IP address 192.168.202.33 as the built-in anonymous user (/u:””) with a null (““) password. If successful, the attacker now has an open channel over which to attempt all the various techniques outlined in this chapter to pillage as much information as possible from the target: network information, shares, users, groups, Registry keys, and so on. Almost all the information-gathering techniques described in this chapter take advantage of this one out-of-the-box security failing of Windows NT/2000. Whether you’ve heard it called the “Red Button” vulnerability, null session connections, or anonymous logon, it can be the single most devastating network foothold sought by intruders.

Null Session Countermeasure: Null sessions require access to TCP 139, so the most prudent way to stop them is to filter the NetBIOS-related TCP and UDP ports 135 through 139 at all perimeter network access devices. You could also disable NetBIOS over TCP/IP on individual NT hosts by unbinding WINS Client (TCP/IP) from the appropriate interface using the Network Control Panel’s Bindings tab. Under 2000, this is more easily accomplished via the appropriate Network Connection applet, Advanced TCP/IP Settings, WINS tab: Disable NetBIOS Over TCP/IP. Win 2000 introduces another SMB port, 445, that will yield the same information. See Chapter 6 for more information and a fix.


Following NT Service Pack 3, Microsoft provided a mechanism to prevent enumeration of sensitive information over null sessions without the radical surgery of disabling NetBIOS over TCP/IP (although we still recommend doing that unless NetBIOS services are necessary). It’s called RestrictAnonymous, after the Registry key that bears that name:

1. Open regedt32, and navigate to HKLM\SYSTEM\CurrentControlSet\Control\LSA.
2. Choose Edit
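The three null session countermeasures above (filter 139/445, unbind NetBIOS over TCP/IP, set RestrictAnonymous) can be audited on a host in one pass. The following read-only PowerShell script is an added example, not code from the book; it assumes a modern Windows host with PowerShell 3 or later (Get-NetTCPConnection needs Windows 8 / Server 2012 or newer) and an elevated shell.

```powershell
# Added example (not from the book): report whether the local host still
# exposes the null session enumeration surface discussed above.
function Get-NullSessionExposure {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # A missing RestrictAnonymous value means the default of 0, i.e.
    # anonymous enumeration is allowed.
    $ra = (Get-ItemProperty -Path $lsaKey -Name RestrictAnonymous `
            -ErrorAction SilentlyContinue).RestrictAnonymous
    if ($null -eq $ra) { $ra = 0 }

    # NetBIOS over TCP/IP per IP-enabled adapter. TcpipNetbiosOptions:
    # 0 = use DHCP default, 1 = enabled, 2 = disabled.
    $nbtAdapters = Get-CimInstance Win32_NetworkAdapterConfiguration `
            -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        Select-Object -ExpandProperty Description

    # Ports a null session rides on: 139 (NetBIOS session) and 445
    # (direct SMB, introduced with Win 2000).
    $smbPorts = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object -ExpandProperty LocalPort -Unique

    [pscustomobject]@{
        RestrictAnonymous = $ra
        NetBiosAdapters   = @($nbtAdapters)
        ListeningSmbPorts = @($smbPorts)
    }
}

$exposure = Get-NullSessionExposure
$exposure | Format-List

if ($exposure.RestrictAnonymous -lt 1) {
    Write-Warning 'RestrictAnonymous is 0: null sessions can enumerate users and shares.'
}
if ($exposure.NetBiosAdapters.Count -gt 0) {
    Write-Warning ('NetBIOS over TCP/IP still bound on: ' + ($exposure.NetBiosAdapters -join ', '))
}
if ($exposure.ListeningSmbPorts.Count -gt 0) {
    Write-Warning ('Listening on {0}: filter these at the perimeter unless SMB is required.' -f `
        ($exposure.ListeningSmbPorts -join ', '))
}
```

Each warning maps to one of the countermeasures in the text, so a clean run (RestrictAnonymous at 1 or higher, no NetBIOS-bound adapters, no listening SMB ports) prints only the summary.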
