Security Updates Volume 1

[Spyrus]

Security Updates Volume 1

I wasn’t sure if anyone has done something like this before but I thought I would put together a series of threads, I haven’t decided if it would be monthly or weekly or annually.

What I plan on doing, with good feedback, is going through and putting a list together of the most recent virus threats/updates. The FBI list of the latest vulnerabilities and any other information I can pull together into a single source.

Bits of Advice for Security:

1) Keep your updates, well umm up to date. Check Antivirus updates daily, or setup their automatic update managers.
2) Keep your Operating system updates, again up to date. But while you do this make sure you have time to reboot the workstation/server and that these updates wont mess up certain services you are running. You can check these by reading about the hotfixes before you apply them
3) Run a firewall Even the free ones are a set in the right direction.
Be sure to block these common vulnerable ports. (unless you are a geek like me and use half of them for personal reasons)
1.Login services-- telnet (23/tcp), SSH (22/tcp), FTP (21/tcp), NetBIOS (139/tcp), rlogin et al (512/tcp through 514/tcp)
2.RPC and NFS-- Portmap/rpcbind (111/tcp and 111/udp), NFS (2049/tcp and 2049/udp), lockd (4045/tcp and 4045/udp)
3.NetBIOS in Windows NT -- 135 (tcp and udp), 137 (udp), 138 (udp), 139 (tcp). Windows 2000 – earlier ports plus 445(tcp and udp)
4.X Windows -- 6000/tcp through 6255/tcp
5.Naming services-- DNS (53/udp) to all machines which are not DNS servers, DNS zone transfers (53/tcp) except from external secondaries, LDAP (389/tcp and 389/udp)
6.Mail-- SMTP (25/tcp) to all machines, which are not external mail relays, POP (109/tcp and 110/tcp), IMAP (143/tcp)
7.Web-- HTTP (80/tcp) and SSL (443/tcp) except to external Web servers, may also want to block common high-order HTTP port choices (8000/tcp, 8080/tcp, 8888/tcp, etc.)
8."Small Services"-- ports below 20/tcp and 20/udp, time (37/tcp and 37/udp)
9.Miscellaneous-- TFTP (69/udp), finger (79/tcp), NNTP (119/tcp), NTP (123/udp), LPD (515/tcp), syslog (514/udp), SNMP (161/tcp and 161/udp, 162/tcp and 162/udp), BGP (179/tcp), SOCKS (1080/tcp)
10.ICMP-- block incoming echo request (ping and Windows traceroute), block outgoing echo replies, time exceeded, and destination unreachable messages except "packet too big" messages (type 3, code 4). (This item assumes that you are willing to forego the legitimate uses of ICMP echo request in order to block some known malicious uses.)

{Begin Quoting, not all this material is from the source but a majority of it is}
Windows Top Vulnerabilities
1)IIS (Internet Information Services)
Problem: IIS is prone to vulnerabilities in three major classes: failure to handle unanticipated requests, buffer overflows, and sample applications.

How to Protect against this:
NT http://www.microsoft.com/ntserver/nt...SP6/allSP6.asp
2k
Service Pack 3: http://www.microsoft.com/windows2000...vicepacks/sp3/
XP
Unfortunately this fix slows your system down for some reason (M$)
Service Pack 1: http://www.microsoft.com/WindowsXP/p...vicepacks/sp1/

2)Microsoft Data Access Components (MDAC) aka Remote Data Service
Problem: Allows remote users to run commands as an administrator

How to protect against this: http://www.wiretrip.net/rfp/p/doc.asp?id=29&iface= 2

3)Microsoft SQL server
Problem: MSSQL has exploits that allow remote users to alter database info, can compromise servers, and open up sensitive information.

How to protect against this:
1.Apply the latest service pack for Microsoft SQL server.
2.Apply the latest cumulative patch that is released after the latest service pack.
3.Apply any individual patches that are released after the latest cumulative patch.
4.Secure the server at system and network level.

4)NETBIOS (Unprotected Shares)
Problem: Microsoft Windows provides a host machine with the ability to share files or folders across a network with other hosts through Windows network shares. The underlying mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS). These protocols permit a host to manipulate remote files just as if they were local.
How to Protect Against this:
•Disable sharing wherever it is not required. If the host does not need to share files, then disable Windows network shares in the Windows network control panel. If an open share should be closed, you can disable it through Explorer's properties menu for that directory, in Server Manager for Domains or in Group Policy Editor.
•Do not permit sharing with hosts on the Internet. Ensure all Internet-facing hosts have Windows network shares disabled in the Windows network control panel. File sharing with Internet hosts should be achieved using FTP or HTTP.
•Do not permit unauthenticated shares. If file sharing is required then don't permit unauthenticated access to a share. Configure the share so a password is required to connect to the share.
•Restrict shares to only the minimum folders required. Generally only one folder and possibly sub-folders of that folder.
•Restrict permissions on shared folders to the minimum required. Be especially careful to only permit write access when it is absolutely required.
•For added security, allow sharing only to specific IP addresses because DNS names can be spoofed.
•Block ports used for Windows shares at your network perimeter. Block the NetBIOS ports commonly used by Windows shares at your network perimeter using either your external router or perimeter firewall. The ports that should be blocked are 137-139 TCP and 137-139 UDP, and 445 TCP and 445 UDP.

5)Anonymous Logon
Problem: As it sounds it’s a vulnerability that allows anonymous users to access your user names and shares on a network or gain unauthorized access.

How to Protect against it:
Domain controllers require Null sessions to communicate. Therefore, if you are working in a domain environment, you can minimize the information that attackers can obtain, but you cannot stop all leakage. To limit the information available to attackers, modify the following registry key:
HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous=1
Whenever you modify the registry, it could cause your system to stop working properly. Therefore any changes should be tested before hand. Also, the system should always be backed up to simplify recovery.
Setting RestrictAnonymous to 1 will still permit certain information to be made available to anonymous users, but will minimize leakage. This is the tightest host-level restriction in NT. In Windows 2000 and XP, you can set the value to 2 instead. Doing so will bar anonymous users from all information where explicit access has not been granted to them or the Everyone group, which includes null session users. But this higher setting may affect domain synchronization or other services, and therefore should be thoroughly tested. For this reason, it is recommended that only those machines which are visible to the Internet have this value configured. All other machines should be protected by a firewall configured to block NetBIOS and CIFS.
If you do not need file and print sharing, unbind NetBIOS from TCP/IP.
6)LAN Manager Authentication
Problem: Microsoft locally stores LM password Hashes (aka Lanman Hashes) on NT, 2k, and XP. These are easy to crack allowing access to your network.
How to protect against this:
Disable LM Authentication Across the Network. The best replacement in Windows for LAN Manager authentication is NT Lan Manager version 2 (NTLMv2). NTLMv2 challenge/response methods overcome many weaknesses in LM by using stronger encryption and improved authentication and session security mechanisms. The registry key that controls this capability in both Windows NT and 2000 is:

Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Control\LSA
Value: LMCompatibilityLevel
Value Type: REG_DWORD - Number
Valid Range: 0-5
Default: 0

Prevent the LM Hash from Being Stored
Hive: HKEY_LOCAL_MACHINE
Key: System\CurentControlSet\Control\LSA\NoLMHash
On 2k this will prevent Lanman hashes from being created in AD

On XP
Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Control\Lsa
Value: NoLMHash
Type: REG_DWORD - Number
Data: 1

7)General Windows Authentication
Weak Passwords or no passwords

How to protect: Make sure your users are using proper security measures and using good passwords, ie. Not their name or the word on the sticky note pasted to their monitor 

8)Internet Explorer
Problem: Is strongly implemented in windows platforms allowing malicious web designers to exploit your pc/network.

How to protect: run the windows updates for IE.

9)Remote Registry Access
Problem: Improper security can allow remote access allowing exploits and access.

•How to protect: Visit the Sans source at the bottom

10)Windows Scripting Host
Problem: permits any text file with a ".vbs" extension to be executed as a Visual Basic script
How to fix: Keep your AV definitions and software up to date, follow steps from your AV provider to protect against this.

{END QUOTE}

Sources
http://www.sans.org/top20/#W1
http://securityresponse.symantec.com...r/vinfodb.html
http://icat.nist.gov/icat.cfm
http://alcor.concordia.ca/~helpline/...abilities.html

Also check this website for a security check
www.symantec.com/SecurityCheck

[phaza7]

Man what great info it's surely a security udate. nice links 2.

I had seen some on winguides.com but U informed me more