Securing Registry by using Permissions

In this short note, I’d like to talk a little about the Windows registry and how you can secure it using permissions. Basically, the registry is composed of six hives, described below:

HKEY_CURRENT_USER = It stores information about the profile of the user who is currently logged into the system.

HKEY_USERS = It has subkeys for all users’ local profiles.

HKEY_CLASSES_ROOT = It contains file associations and information about COM registration.

HKEY_LOCAL_MACHINE = It contains the configuration of the operating system and applications.

HKEY_CURRENT_CONFIG = It holds the hardware profile currently in use.

HKEY_PERFORMANCE_DATA = It has information about performance counters.

When the system is up and running, the registry is loaded into memory, and when the system is shut down the values in the registry are written to the hard disk. Below are the on-disk locations of some registry hives:

HKEY_LOCAL_MACHINE\SYSTEM = %systemroot%\system32\Config\System

HKEY_LOCAL_MACHINE\SAM = %systemroot%\system32\Config\Sam

HKEY_LOCAL_MACHINE\SECURITY = %systemroot%\system32\Config\Security

HKEY_LOCAL_MACHINE\SOFTWARE = %systemroot%\system32\Config\Software

HKEY_CURRENT_USER = %systemdrive%\Documents and Settings\<username>\Ntuser.dat

HKEY_USERS = %systemdrive%\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat

HKEY_USERS\DEFAULT = %systemroot%\system32\Config\Default

Just like NTFS permissions on files and folders, we also have permissions on registry container objects (keys). An individual registry value inherits its security permissions from its parent key. We generally have two basic permissions for registry objects: Read and Full Control. Apart from those, we also have the following special permissions on registry objects:

Permission         Description
-----------------  ------------------------------------------------------------------------------
Query Value        Allows the value of the registry key to be read
Set Value          Allows the value of an existing key to be written
Create Subkey      Allows the creation of subkeys
Enumerate Subkeys  Allows the enumeration of subkeys
Notify             Required to request change notifications for a registry key or for its subkeys
Create Link        Reserved for use by the operating system
Delete             Allows the key to be deleted
Write DACL         Allows the modification of the DACL
Write Owner        Allows the modification of the owner
Read Control       Allows the SACL to be read

In order to set permissions on a container (key) in the registry, you just need to right-click on it and click Permissions:
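The same check can be scripted instead of clicking through the Permissions dialog. The following PowerShell is an added example, not code from the original post: it audits a key’s DACL for broad principals (Everyone, Users, Authenticated Users) that hold any of the write-capable special permissions from the table above, then grants a group read-only access that inherits to subkeys. The key path and the group name are assumptions.

```powershell
# Added example, not code from the original post. It audits the DACL of a
# registry key for broad principals holding write-capable rights, then shows
# how to grant a group read-only access. Key path and group are assumptions.
$KeyPath       = 'HKLM:\SOFTWARE\ExampleApp'   # placeholder key, not from the post
$ReadOnlyGroup = 'BUILTIN\Users'               # assumed group to receive read access

# Rights from the table above that let a principal change the key or its ACL
$WriteMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::Delete -bor
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                   [System.Security.AccessControl.RegistryRights]::TakeOwnership)

# Principals that should normally not be able to write under a machine-wide key
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-RiskyRegistryAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $grantsWrite = (([int]$ace.RegistryRights) -band $WriteMask) -ne 0
        if ($grantsWrite -and ($BroadPrincipals -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited   # inherited ACEs must be fixed at the parent
            }
        }
    }
}

function Grant-RegistryReadOnly {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # ReadKey = Query Value + Enumerate Subkeys + Notify + Read Control;
    # ContainerInherit makes subkeys (and so their values) inherit the rule.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Identity, 'ReadKey', 'ContainerInherit', 'None', 'Allow'
    $acl.SetAccessRule($rule)    # replaces any existing Allow rule for this identity
    Set-Acl -Path $Path -AclObject $acl
}

Get-RiskyRegistryAce -Path $KeyPath | Format-Table -AutoSize
Grant-RegistryReadOnly -Path $KeyPath -Identity $ReadOnlyGroup
```

Run it from an elevated prompt, since Set-Acl needs Write DACL on the key; if the risky entry is reported as inherited, change the permission on the parent key rather than on the key itself.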

That’s it for today friends 🙂

All the best 🙂

Increase the performance and stay secure…

There are so many types of files on a computer or server, and the anti-virus software is responsible for scanning all of them to find any malicious pieces of code attached to them. That can seriously impact the performance of the system; in fact, many people avoid installing anti-virus software only for this reason.

For instance, I myself used to have a lot of trouble with Norton 2004 when I installed it on my machine in the past. But what can be done?

There are many files in the Windows OS that do not really need to be scanned: they are either locked and impossible to scan, or always clean and never infected. Trying to scan them all would just be a waste of time and effort and would greatly reduce the performance of the system. So how about excluding them all from the scanning tasks of our anti-virus?

That seems like a good solution for improving the performance of the operating system when the anti-virus software on your machine has a terrible effect on its speed. But the question is: which files need to be excluded?

Here is a list of the types of files that should be excluded from scanning in Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, Windows Vista, or Windows 7. There is something very important about this exclusion, as you can also read on the page whose link I gave you: excluding these file types should only be temporary, to see whether the anti-virus is what makes your computer slow. If that is the case, you can contact the producer of your anti-virus to ask for possible solutions.

Thanks for reading…

Possible Attacks on Windows and Countermeasures – Part 1

It’s been a great week with so much news in the world of security, both in the real world and the virtual world. Today I decided to begin writing a series of articles about possible attacks on Windows operating systems, client or server, including the latest ones such as Windows 7 and Windows Server 2008 R2, and their countermeasures.

In this series I will try to put a little of my experience into words and explain, in simple terms, the different hacking techniques attackers use to penetrate your network. I will start with the most common ones and move on to the most advanced, like those causing millions of dollars in losses; then I will dig into the different ways of defending against such techniques and show you how to keep your network services and servers secure against them.

Password Cracking Attacks:

This is one of the most common types of attacks, used at least once by every attacker. It always seems the dumbest, but honestly it has proven to be one of the most effective ways into somebody’s computer if it is not protected against such attacks.

This type of cracking has a pretty long history, and I really cannot count the number of tools developed to crack passwords by different hacking groups or even security companies. The only difference between the two is that the latter believe their software is intended only for so-called Ethical Hacking, but who knows what is actually being done with those tools.

There are different ways to perform password cracking, among which Brute Force attacks are the most popular. Brute forcing is simply finding a computer’s password by trying different combinations of letters, numbers and other characters. The time it takes depends on the complexity of the password: the more complex the password, the longer it takes to be cracked.

A single computer can try from one to fifteen million passwords per second against a password hash (that is true) for weaker algorithms like DES (which is very commonly used nowadays) using a fairly good password cracking tool, and if, let’s say, you choose an 8-character password of letters (both cases), numbers and symbols, we could say that it would take something like 16 minutes to be cracked. So you feel pretty unsafe.. huh???

Attackers nowadays can easily find pre-computed password hashes for different algorithms, stored in database files called Rainbow Tables, and with them it takes a matter of minutes to crack almost any password in a network.

There are other techniques as well, such as dictionary or word-list attacks, which are usually tried before Brute Force to guess the user’s password in case the user has chosen a common dictionary word or something like 123456 as a password.

L0pht Crack:

One of the most famous password cracking tools is L0pht Crack, developed by a famous group of expert hackers called L0pht, who officially joined @stake, which itself was later acquired by Symantec Corporation. You can download the latest version of L0pht Crack from their website. Below is a screenshot of this tool:

Any operating system can be the target of this tool, even Windows Server 2008 R2, and it runs well on almost any operating system to target the other hosts on the network. You can get more information on their website.

John the Ripper:

John the Ripper is another well-known name among password cracking tools. It was first developed to run on Unix-based operating systems, but now it supports Windows as well. You can download this tool from their website.

John the Ripper truly is one of the fastest password cracking tools I have ever seen. It is used by a lot of penetration testers, and of course hackers, every day.

Countermeasures:

Protecting your network against password cracking depends completely on the policies in your network and on your servers and clients. Whether you have a very small environment running a workgroup of computers or a big domain network, you should have policies, and more specifically account and password policies.

Password policies can be defined in Group Policy in Windows and Active Directory. So open the Group Policy Editor, either locally (by typing gpedit.msc in the Run box) or on the domain using the Group Policy Management console, and go to:

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

Below you can see a screenshot of the password policies settings:

Now let’s go one by one with what they mean:

Enforce Password History: You can set how many past passwords are stored in the history for each user. If we set this number to 10, the user is not able to choose any of their past 10 passwords as the new password.

Maximum Password Age: The maximum time a user can keep a password; when it comes to an end, they have to change it. You can use it to force users to change their passwords every now and then.

Minimum Password Age: The minimum time a password must be used before a user can change it. You can use it to stop users from changing their passwords every hour.

Minimum Password Length: The minimum number of characters a user must have in a password. Do not let it be less than 8.

Password must meet complexity requirements: You can decide whether or not to force the user to choose a password that includes letters (both cases), numbers and symbols. You must definitely enable it.

Store passwords using reversible encryption: Leave it disabled, as it is only needed by a few rarely used protocols, and enabling it is equivalent to storing the passwords in plain text.

The other settings that you need to configure are the Account Lockout policies, which are more important if you want to protect against brute force attacks:

So in order to access these policies, open the Group Policy Editor and go to:

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policies

Account Lockout Duration: How long you want the account to stay locked out after the specified number of invalid logon attempts.

Account Lockout Threshold: How many invalid logon attempts are needed to lock the account. If you set it to a number, password cracking tools cannot try millions of passwords against your computer, since the account gets locked.

Reset Account Lockout Counter After: If you set it to 30 minutes, for example, the account gets locked when more than 4 invalid logon attempts are made within 30 minutes. If the number of invalid logon attempts specified in the previous setting is spread over more than 30 minutes, the account does not get locked and the policy will not apply, so you must be really careful when defining your policies.

Usually 30 minutes will be the best since it can block all kinds of password cracking tools even the slowest ones.
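To see what a given combination of threshold, duration and reset window actually buys you, the following PowerShell function (an added example, not code from the original post) turns a lockout policy into the number of online guesses per account per day it still permits, covering both the quiet case the text warns about (attempts spread out so the counter resets) and the noisy case where the threshold is hit. The threshold of 5 and the 30-minute values are taken from the text; the 10,000-word list size is an assumption.

```powershell
# Added example, not code from the original post. It turns an Account Lockout
# policy into the number of online password guesses it still permits per
# account, which is what the threshold / reset-window interaction above means.
function Get-OnlineGuessBudget {
    param(
        [int]$LockoutThreshold,          # 0 = lockout disabled
        [int]$LockoutDurationMinutes,    # 0 = locked until an admin unlocks
        [int]$ResetCounterMinutes,
        [int]$WordlistSize = 10000       # assumed size of a small dictionary
    )
    if ($LockoutThreshold -le 0) {
        return [pscustomobject]@{
            Policy                  = 'Lockout disabled'
            GuessesPerAccountPerDay = [double]::PositiveInfinity
            GuessesPerDayIfLocking  = [double]::PositiveInfinity
            DaysForWordlist         = 0
        }
    }
    # Guesses spaced so the counter never reaches the threshold within one
    # reset window are never blocked: (threshold - 1) per window, all day long.
    $windowsPerDay = 1440 / [Math]::Max($ResetCounterMinutes, 1)
    $quietPerDay   = ($LockoutThreshold - 1) * $windowsPerDay
    # Hitting the threshold every time instead yields 'threshold' guesses per
    # lockout period but also locks the legitimate user out (a visible tell-tale).
    if ($LockoutDurationMinutes -le 0) {
        $noisyPerDay = $LockoutThreshold          # one lockout, then stuck
    } else {
        $noisyPerDay = $LockoutThreshold * (1440 / $LockoutDurationMinutes)
    }
    [pscustomobject]@{
        Policy                  = "threshold=$LockoutThreshold, duration=$LockoutDurationMinutes min, reset=$ResetCounterMinutes min"
        GuessesPerAccountPerDay = $quietPerDay
        GuessesPerDayIfLocking  = $noisyPerDay
        DaysForWordlist         = [Math]::Ceiling($WordlistSize / $quietPerDay)
    }
}

# Values implied by the text: 4 attempts allowed, lockout and reset 30 minutes
Get-OnlineGuessBudget -LockoutThreshold 5 -LockoutDurationMinutes 30 -ResetCounterMinutes 30

# Same threshold with a longer reset window shrinks the quiet budget further
Get-OnlineGuessBudget -LockoutThreshold 5 -LockoutDurationMinutes 30 -ResetCounterMinutes 120
```

On a domain-joined admin workstation with the ActiveDirectory module, the real numbers can be fed in from Get-ADDefaultDomainPasswordPolicy (its LockoutThreshold, LockoutDuration.TotalMinutes and LockoutObservationWindow.TotalMinutes properties).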

Here we come to the end of this first article and I hope you liked it. If you had any question, please leave me a comment and I will answer that almost in no time.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below:


Cheers

Security from the Inception !!!

Experience shows that consumers, whether ordinary people using their computers for everyday tasks or even experienced network administrators, never tend to be very open to security updates. Talking to many network admins about security updates, especially Service Packs (which do not necessarily include only security updates) for operating systems and Windows Server in particular, they mostly did not show much interest in installing certain updates and service packs, for a few reasons:

  • They thought of some of the security updates as unnecessary
  • Some of them believed it is too risky to install some of the updates for fear of a possible service breakdown. Some also believe some hotfixes and security patches are not compatible with other services and could create problems
  • They mostly considered service packs unnecessary update packages, reasoning that they had already installed the hotfixes they needed and the rest of what is included in the service packs is unnecessary
In my own experience I’ve always seen people hit by a pretty famous worm on the Internet like Sasser, and even then they were always looking for some virus removal tool to get them out of trouble rather than a security patch, unaware of the fact that anti-virus software cannot stop a worm from functioning.
So you can see that the security people at Microsoft are on a very difficult road to educate all those users and admins and convince them that patching a system is the best thing every user can do to stay safe on the Internet. But here comes another concept, called Security from the Inception, which says that instead of going through all the difficulties of educating users, which seems pretty impossible at times, a much better approach is to secure the code of the products by applying the SDL (Security Development Lifecycle) from the beginning of a product’s development. That is how we can reduce the impact of security vulnerabilities missed during the software development process.
Right now Microsoft is on the right track in developing more secure code by applying the SDL, as we can see fewer security vulnerabilities in its products.
Cheers
Esmaeil