Possible Attacks on Windows and Countermeasures – Part 1

It’s been a great week with so much news in the world of security. Of course Security both in the real world and the virtual world. Today I decided to begin writing a series of articles about possible attacks and their countermeasures on Windows operating systems whether client or server including the latest ones such as Windows 7 and Windows Server 2008 R2.

In this series I will try to put a little bit of my experiences into words and in easy words explain to you different types of hacking techniques used by attackers to penetrate into your network. I will try to get it started with the most common ones to the most advanced like those causing millions of dollars loss; and then I will dig into different ways of defense against such hacking techniques and will show you how to keep your network services and servers secure against them.

Password Cracking Attacks:

This is one of the most common types of attacks used at least once by every attacker. It always seems the dummiest but honestly this has shown to be one of the most effective way to find a way into somebody’s computer if not protected against such attacks.

This type of cracking has a pretty long history and I really cannot count the number of softwares developed to crack password by different hacking groups or even security companies. The only difference between these two is that the second one believe their software is only purposed for a so-called act of Ethical Hacking but who knows what is being done by those tools and softwares.

There are different ways to perform password cracking among which Brute Force attacks are the most popular. Brute Forcing is simply finding a computer’s password by trying different combinations of letters, numbers and even characters. The time required for it to work depends on the complexity of passwords. However more complex the password, the longer it takes to be cracked.

A single computer can try from one to fifteen million passwords per second against a password hash (That is true) for weaker algorithms like DES (Which is very commonly used nowadays) using a fairly good password cracking tool and if let’s say you choose an 8-character password of letters (both cases), numbers and symbols, we could say that it would take something like 16 minutes for it to be cracked. So you feel pretty unsafe.. huh???

Attackers nowadays could easily find pre-computed password hashes for different algorithms stored in database files called Rainbow Tables and it would take a matter of minutes to crack almost any passwords in a network.

There are other techniques used as well such as dictionary or words-list attacks that are usually tried before the Brute Force to kind of guess the user’s password if the user has used common dictionary words or things like 123456 or anything like that as passwords.

L0pht Crack:

One of the most famous password cracking tools is l0pht Crack developed by a famous group of expert hackers called l0pht who officially joined @stake which itself was later on announced to be an acquisition of Symantec corporation. You can download the latest version of L0pht Crack from their website. Below is a screenshot of this tool:

Any operating system could be the target of this tool even Windows Server 2008 R2 and could really well work on almost any operating system to target the other hosts on the network. You can get more information on their website.

John the Ripper:

John the Ripper is another well-known name among password cracking tools. This is a tool firstly developed to be run on Unix-based operating system but now it supports Windows as well. You can download this tool from their website.

John the Ripper truly is one of the fastest password cracking tools I have ever seen. It is being used by a lot of penetration testers and of course hackers every day.

Countermeasures:

Protecting your network against password cracking is completely dependent on the policies on your network and your servers and clients. Whether you have a very small environment and operating a workgroup of computers or you have a big domain network you should have policies and more specifically account and password policies.

Password policies can be defined in Group Policies in Windows and Active Directory. So if you open up the Group Policy Editor either locally (By typing gpedit.msc in thr Run) or on the domain using the Group Policy Management console, you need to go to:

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

Below you can see a screenshot of the password policies settings:

Now let’s go one by one with what they mean:

Enforce Password History: You can set how many passwords for each user is stored in the history. If we set this number to 10, it means the user is not able to choose any of the past 10 passwords for his new password.

Maximum Password Age: The maximum time a user can keep a password and after it comes to an end, they should change it.You could use it to force the users to change their passwords every now and then.

Minimum Password Age: The minimum time a password must be used before a user changes that. You can use it to stop users from changing their passwords every hour.

Minimum Password Length: The number of characters that a user must have in a password. Do not let it be less than 8.

Password must meet complexity requirements: You can decide whether or not you want to force the user to choose a password including letters (Both cases), numbers and symbols. You must definitely enable it.

Store passwords using reversible encryption: Let it be disabled as it is used by some protocols rarely used and enabling it is equal to storing the passwords plain-text.

The other settings that you need to configure is Account Lockout policies which are more important if you want to protect against the brute force attacks:

So in order to access the policies you need to open the Group Policy Editor and go to this address:

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policies

Account Lockout Duration: How long do you want the account to be locked out after a number of invalid logon attempts.

Account Lockout Threshold: How many invalid logon attempts are needed to lock the account. If you set it to a number, then the password cracking tools can not try millions of passwords on your computer since the account is going to get locked.

Reset Account Lockout Counter After: If you set it to 30 minutes for example, in 30 minutes if there are more than 4 invalid logon attempts are made, then the account gets locked. If it takes more than 30 minutes for the number of invalid logon attempts specified in the previous settings, then the account does not get locked and the policy will not apply so you must be really careful when defining your policies.

Usually 30 minutes will be the best since it can block all kinds of password cracking tools even the slowest ones.

Here we come to the end of this first article and I hope you liked it. If you had any question, please leave me a comment and I will answer that almost in no time.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below:

1

Cheers

Backing Up Bitlocker and TPM Recovery Information into Active Directory

The use of Bitlocker Drive Encryption in an enterprise has always been tempting for security engineers because of the fact that it can add another layer of security to the network by encrypting the data stored on the disk. Even when the PC is hibernated, the hibernation data is also encrypted and safe; so this is what makes it so tempting…

And on the other hand, what makes administrators avoid using it in their enterprise networks is the fear of those less careful employees losing their passwords and recovery keys with a hard disk fully encrypted not being able to read a single bit of data from it…

Today I want to pretty simply show you how to store Bitlocker and of course TPM Recovery information into Active Directory even if you do not have a great knowledge of Active Directory, so stay with me…

What is TPM?

TPM or Trusted Platform Module is a microchip built into your PC to keep cryptographic information. Bitlocker information is also one of that kind of information that a TPM will keep. In order to keep the cryptographic information safe on your TPM, you need to create a TPM PIN. In order for Bitlocker to use TPM for storing its information on, the TPM version must be 1.2 or higher, otherwise Bitlocker could use a Flash Memory to store its information…

Now what if you forget both your TPM PIN or Bitlocker Recovery Password or key? They must be stored somewhere to be able to retrieve and use them whenever we want. right? What’s a better place than Active Directory?

Step One: (Extend your Active Directory Schema)

Keep in mind these points:

  • If you have Windows Server 2008 Beta 3 (Which of course you do not have it now) or later, you do not need to extend your AD schema as it is already extended.
  • If you have Windows Server 2003 SP1 or Windows Server 2008 Beta 2 or earlier, you have to extend your AD schema.
  • If you have Windows Server 2003 without Service Pack 1 installed, you cannot extend your schema.

You can check the version of your Windows Server by right clicking on the Computer icon and clicking on Properties.

Now if you need to extend your AD schema, here is the easy step. download this file here. unzip the file and there is a script in it called: BitLockerTPMSchemaExtension.ldf

In your forest, you should log into the domain controller which is your schema master role holder and of course your user must be a member of the Schema Admins group.

Now it is time to run a command to make use of the LDF script above:

ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c “DC=X” “DC=nttest,dc=microsoft,dc=com” -k -j .

“-k” option will ignore “Object Already Exists” errors and “-j” option will create a log file for the process in the same working directory.

In order to check to see whether extending AD Schema has been successful, in the click on Run and type in adsiedit.msc and then press Enter to see the following windows:

Open the schema container and then look for the following objects that must have been created there:

  • CN= ms-FVE-KeyPackage – attributeSchema object
  • CN=ms-FVE-RecoveryGuid – attributeSchema object
  • CN=ms-FVE-RecoveryInformation – classSchema object
  • CN=ms-FVE-RecoveryPassword – attributeSchema object
  • CN=ms-FVE-VolumeGuid – attributeSchema object
  • CN=ms-TPM-OwnerInformation – attributeSchema object

If they are there like the picture above, you are done with the Active Directory extension and let’s proceed to the next step…

Step Two:

Now you need to add the permission so that we are able to back up TMP recovery information. In the same zipped file, there is another script named as: Add-TPMSelfWriteACE.vbs

Run this script using this command:

Cscript Add-TPMSelfWriteACE.vbs

Your Domain Administrator account must be a member of the domain that you are running this command in.

and then done…

Step Three:

Then at the end we need to configure the group policy settings so that both the TPM and Bitlocker recovery information will be stored in Active Directory:

In order to store Bitlocker recovery information into AD:

Open up Group Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Bitlocker Drive Encryption and then click on Turn on Bitlocker backup to Active Directory and then enable it

In order to turn on TPM recovery information backup into AD:

Open up Group Policy -> Computer Configuration -> Administrative Templates -> System ->Trusted Platform Module Services and then click on Turn on TPM backup to Active Directory and then enable it

This was all you needed to do…

You want to learn more specifically about BitLocker and recovery in different scenarios? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:

1

Thanks for being with me and taking your time to read this

Cheers