Upcoming pen test - ntpasswd solutions?

[Dr. Psy]

First of all, let me say at the beginning of this thread, that I am not being lazy by simply coming to this board and asking for the answer! I am certainly doing in-depth research on the subject myself, but the answers seem to be quite sparse.

Okay, I have an upcoming vulnerability assesment / penetration test that I need to conduct for a small network. Unfortunately, a portion of the network consists of Windows (2003 mainly) computers. (I say unfortunately, because Windows is not my area of expertise)

The pen test will consist of three phases. Local, remote and a wireless segment.

Now, I already know from some preliminary information, that it will be possible to gain admin access to the Windows 2003 server locally through the use of ntpasswd.

As part of the post-assesment report, I am going to need to present the client with solutions to secure his network. This includes giving him a solution to protect his network from tools like ntpasswd.

I have been researching this matter, and the only solid answer I can seem to find is to use an encrypted filesystem with a master password. Some of the other solutions I have heard are:

1) Use a BIOS password - (not a secure solution, because the password can be reset from the MB)
2) Deny CDROM and Floppy drive access on boot from within BIOS - (again, not a secure solution, because the BIOS password can be reset, giving an attacker the ability to give himself access to the CDROM and/or floppy drive on boot)

These are the only suggestions I have heard so far. Is an encrypted filesystem + master password truly the only reliable solution to protect a Windows server from the use of ntpasswd?

[jinxy]

Secure the server from unauthorised access behind lock and key. No good implimenting data protection methods if any Tom Dick or Harry can walk in and start messing with it. Knot to mention make off with the hardware.

[zencoder]

Jinxy is dead on. One of the key foundation principles of digital security is physical security...access to the box.

All the firewalls, IPS, hueristic scanning engines, and AI based Black-ICE won't help you for SQUAT if I can walk in, unscrew the case, and yank the hard disks out. (Ask Gore about restroom grab and dash tactics... That's ALL ABOUT physical security.)

Physically protect the server and the environment. If you're already worried about people accessing the system via ntpasswd, they've already given up the ghost for network breaches because they have a very insecure physical environment.

[XTC46]

(Ask Gore about restroom grab and dash tactics... That's ALL ABOUT physical security.)

lmfao...classic, simply classic. talk about scaring this sh*t out of somone?

but serioulsy. if somone can gain physical access to the box, they win. it really is that simple.

but one a side note, if windows is not your area of expertise, why are you the one doing a security assesment for it? I dont mean to be an *******, but that is just plain stupid. Get somone who knows what they are doing to do the security assesment, otherwise it is pretty pointless. Thats like me agreeing to secure a group of *nix boxes. Sure i could find a hadful of things most likeley, and would know I need ot patch and do stuff like that, but I would be nowere near the rsults someone who is very familiar with the os.

[Dr. Psy]

but one a side note, if windows is not your area of expertise, why are you the one doing a security assesment for it? I dont mean to be an *******, but that is just plain stupid. Get somone who knows what they are doing to do the security assesment, otherwise it is pretty pointless.

No, You're not being an ******* at all. It's a very valid point. Let me first say that I do know enough to be compotent in performing the assesment. When I say it's not my area of expertise, I mean just that. I work primarily with Linux and Unix, however I am not incompotent in the Windows arena.

Secondly, beings as I would want the client to have the best, this has already been discussed. His network is not entirely Windows mind you and the job was requested by the client. Thus, it was already discussed that I would recommend he have a second assesment done by someone else who's expertise IS windows, as someone who works primarily in that field may find something that I do not. He still wants me to do the assesment. It's a paid job, and I sure am not going to turn it down!

At some point in the future, I would certainly like to team up with another individual who's expertise is in Windows security. That way, I do not have to recommend someone else to do a second test. As well, it would relieve me of having to do that portion of the assesment, as i much prefer to work with Linux and Unix. However, at the moment, I do not have such an individual available. But, since many jobs are networks comprised of both *nix and Windows, it would absolutely be an asset to me to have such a person working with me.

Bottom line though, is if a client is aware of this and understands my recommendation for a second test to be performed by someone whos expertise is in the Windows field, and he still wants to pay me, I definately will not turn the job down!

[Tiger Shark]

I hope these Win2k3 servers aren't mission critical production servers.

I also hope that you aren't intending to do any of this work ever again after this audit.

Why?

Putting BIOS passwords on servers is an automatic, self inflicted Denial of Service unless you can guarantee that the servers will never reboot on their own, (power failure or whatever), or are monitored 24/7/365 by staff that have console access. The suggestion alone will do your credibility little good and would indicate a certain "lack of sophistication" that might bring into question your entire audit..... It would make me question your proficiency.....

Any tool that requires physical access to the box to successfully compromise said box clearly indicates that your security has broken down at the most basic level as noted by others. Your only viable recommendation has to be appropriate physical security.

That having been said you imply that your audit is just that, an audit followed by a pen test. Thus, in some ways the physical security of the boxes may be outside your purvue since that would more normally be considered the responsibility of a red team which go much further into the overall security of the organization including social engineering, dumpster diving, physical security and other things like gaining access and attaching their own devices to the target network.

My $2...

[Dr. Psy]

Tiger Shark...

Did you perhaps misread my post?

I certainly said nothing in regards to me using a BIOS password as a solution.

What I did say was that in searching for possible solutions to the use of something like ntpasswd on ones network, I came across certain pages, in which the author suggested the use of a BIOS password to prevent the use of ntpasswd. Which I then said was not a viable solution.

I'm not sure how you misread my post to read that I was considering the use of a BIOS password as a viable solution. The fact that you would put my credibility into question based on a misreading of my post suggests to me that you might be a little quick to jump to conclusions. I in fact stated, just as you said, that this WAS NOT a viable solution. Mind you, I did not even make the siuggestion. What I said was that this suggestion was presented by other individuals in my research. I then stated (again) that this would not be a viable solution.

#2) No, this is not a mission critical server
#3) Yes, I DO plan to do more work in this area! Remember that I did not make the suggestion in the first place. You misread my post. If you would like to tell me to 'get out of the business', I can take it (especialy since you said it based on something I did not even say!). However, I am quite happy to put money in my pocket while providing a client with a service which I am quite capable of providing.

I don't like my credibility called into question (just as nobody else does!) However, I will dismiss the statement as a simple misunderstanding of what I posted.

[Tiger Shark]

My point was that were you even to allude to it as a solution you would erode your credibility severely....

Your "solutions" both dealt with attempts to block an attacker with physical access and you didn't seem to be concerned with indicating to the client that the physical security is of paramount importance.

Then I tried to point out that you can "avoid" the issue of such things as ntpasswd etc. by exempting them in the contract as being outside the scope of the audit as a whole....

I didn't misread, I did see "issues" with your approach contractually and with what appeared to be yourself "misapplying" your responsibility in such a way that you _could_ do yourself harm.... I tried to help.... Take it for what you will.....

[Dr. Psy]

Well, put that way, I understand what you are saying.

You have to understand a couple of things however. The only point in having brought that up, was as I said, I was looking for viable solutions outside of the realm of pysical security (I will explain why in just a second!) and in looking for a good alternative outside the realm of physical security, I ran across those 'suggestions'. Since I was asking for possible solutions here at AO, I thought i would mention what I had read as far as suggestions, and pointed out that they weren't viable solutions. As far as your point about a 'better' reason to not use a BIOS password. I got it. I understand. But because I didn't write that in my post seems to me to not be a very good reason to call someones credibility into question! But, thats okay. I have no control over that. If that is your opinion, I will accept that.

Secondly, you have to keep in mind, this is not a typical mission critical server, nor a large scale network. This is simply someone who runs a small business who would like me to look at his networks security. The physical security aspect that you are suggesting is not a viable solution in this particular scenario. Remember, this is a small business. This is part of the reason I was looking for another alternative that could ensure him that this kind of thing wouldn't happen. He has no place to lock up his server. Granted, there is next to no possibility of anyone walking into his business, going into the backroom and doing something like this without him knowing about it, short of an employee who decided to do something like this. Nevertheless, I would like to secure his network for him as best as one can under the circumstances.

XTC, I certainly am not opposed to anyone trying to 'help me', but when someone says 'Gee..;I hope you never do this kind of work again', I find it hard to take that as any sort of 'help'

It's like I am sitting here going '''hmmmm....physical security....woulda never thought of that! I mean come on! I am not an idiot! I think I might have a little better understanding though of what the conditions are. Whle you are calling my ability into question, how much do you know about what the circumstances of this particular job are?

Anyways, I'm not here to defend my position. I asked if anyone had any other suggestions for this type of situation. I can't lock the mans servers up for him physically.

So...at this point I am sorry I even posted the question. I would hope that the people on this board would be a little more willing to help before calling my abilities into a question over something like this.

But I got it. Thanks.

[Tiger Shark]

I wasn't questioning your ability or your credibility.... Maybe I came across wrongly.

Had you given all the info you did in your last post it would have been a lot clearer....

'nuff said.....