Upcoming pen test - ntpasswd solutions?

First of all, let me say at the beginning of this thread, that I am not being lazy by simply coming to this board and asking for the answer! I am certainly doing in-depth research on the subject myself, but the answers seem to be quite sparse.

Okay, I have an upcoming vulnerability assesment / penetration test that I need to conduct for a small network. Unfortunately, a portion of the network consists of Windows (2003 mainly) computers. (I say unfortunately, because Windows is not my area of expertise)

The pen test will consist of three phases. Local, remote and a wireless segment.

Now, I already know from some preliminary information, that it will be possible to gain admin access to the Windows 2003 server locally through the use of ntpasswd.

As part of the post-assesment report, I am going to need to present the client with solutions to secure his network. This includes giving him a solution to protect his network from tools like ntpasswd.

I have been researching this matter, and the only solid answer I can seem to find is to use an encrypted filesystem with a master password. Some of the other solutions I have heard are:

1) Use a BIOS password - (not a secure solution, because the password can be reset from the MB)
2) Deny CDROM and Floppy drive access on boot from within BIOS - (again, not a secure solution, because the BIOS password can be reset, giving an attacker the ability to give himself access to the CDROM and/or floppy drive on boot)

These are the only suggestions I have heard so far. Is an encrypted filesystem + master password truly the only reliable solution to protect a Windows server from the use of ntpasswd?

Secure the server from unauthorised access behind lock and key. No good implimenting data protection methods if any Tom Dick or Harry can walk in and start messing with it. Knot to mention make off with the hardware.

Jinxy is dead on. One of the key foundation principles of digital security is physical security...access to the box.

All the firewalls, IPS, hueristic scanning engines, and AI based Black-ICE won't help you for SQUAT if I can walk in, unscrew the case, and yank the hard disks out. (Ask Gore about restroom grab and dash tactics... That's ALL ABOUT physical security.)

Physically protect the server and the environment. If you're already worried about people accessing the system via ntpasswd, they've already given up the ghost for network breaches because they have a very insecure physical environment.

Quote:

---

(Ask Gore about restroom grab and dash tactics... That's ALL ABOUT physical security.)

---

lmfao...classic, simply classic. talk about scaring this sh*t out of somone?

but serioulsy. if somone can gain physical access to the box, they win. it really is that simple.

but one a side note, if windows is not your area of expertise, why are you the one doing a security assesment for it? I dont mean to be an *******, but that is just plain stupid. Get somone who knows what they are doing to do the security assesment, otherwise it is pretty pointless. Thats like me agreeing to secure a group of *nix boxes. Sure i could find a hadful of things most likeley, and would know I need ot patch and do stuff like that, but I would be nowere near the rsults someone who is very familiar with the os.

Quote:

---

but one a side note, if windows is not your area of expertise, why are you the one doing a security assesment for it? I dont mean to be an *******, but that is just plain stupid. Get somone who knows what they are doing to do the security assesment, otherwise it is pretty pointless.

---

No, You're not being an ******* at all. It's a very valid point. Let me first say that I do know enough to be compotent in performing the assesment. When I say it's not my area of expertise, I mean just that. I work primarily with Linux and Unix, however I am not incompotent in the Windows arena.

Secondly, beings as I would want the client to have the best, this has already been discussed. His network is not entirely Windows mind you and the job was requested by the client. Thus, it was already discussed that I would recommend he have a second assesment done by someone else who's expertise IS windows, as someone who works primarily in that field may find something that I do not. He still wants me to do the assesment. It's a paid job, and I sure am not going to turn it down!

At some point in the future, I would certainly like to team up with another individual who's expertise is in Windows security. That way, I do not have to recommend someone else to do a second test. As well, it would relieve me of having to do that portion of the assesment, as i much prefer to work with Linux and Unix. However, at the moment, I do not have such an individual available. But, since many jobs are networks comprised of both *nix and Windows, it would absolutely be an asset to me to have such a person working with me.

Bottom line though, is if a client is aware of this and understands my recommendation for a second test to be performed by someone whos expertise is in the Windows field, and he still wants to pay me, I definately will not turn the job down!

I hope these Win2k3 servers aren't mission critical production servers.

I also hope that you aren't intending to do any of this work ever again after this audit.

Why?

Putting BIOS passwords on servers is an automatic, self inflicted Denial of Service unless you can guarantee that the servers will never reboot on their own, (power failure or whatever), or are monitored 24/7/365 by staff that have console access. The suggestion alone will do your credibility little good and would indicate a certain "lack of sophistication" that might bring into question your entire audit..... It would make me question your proficiency.....

Any tool that requires physical access to the box to successfully compromise said box clearly indicates that your security has broken down at the most basic level as noted by others. Your only viable recommendation has to be appropriate physical security.

That having been said you imply that your audit is just that, an audit followed by a pen test. Thus, in some ways the physical security of the boxes may be outside your purvue since that would more normally be considered the responsibility of a red team which go much further into the overall security of the organization including social engineering, dumpster diving, physical security and other things like gaining access and attaching their own devices to the target network.

My $2... ;)

Tiger Shark...

Did you perhaps misread my post?

I certainly said nothing in regards to me using a BIOS password as a solution.

What I did say was that in searching for possible solutions to the use of something like ntpasswd on ones network, I came across certain pages, in which the author suggested the use of a BIOS password to prevent the use of ntpasswd. Which I then said was not a viable solution.

I'm not sure how you misread my post to read that I was considering the use of a BIOS password as a viable solution. The fact that you would put my credibility into question based on a misreading of my post suggests to me that you might be a little quick to jump to conclusions. I in fact stated, just as you said, that this WAS NOT a viable solution. Mind you, I did not even make the siuggestion. What I said was that this suggestion was presented by other individuals in my research. I then stated (again) that this would not be a viable solution.

#2) No, this is not a mission critical server
#3) Yes, I DO plan to do more work in this area! Remember that I did not make the suggestion in the first place. You misread my post. If you would like to tell me to 'get out of the business', I can take it (especialy since you said it based on something I did not even say!). However, I am quite happy to put money in my pocket while providing a client with a service which I am quite capable of providing.

I don't like my credibility called into question (just as nobody else does!) However, I will dismiss the statement as a simple misunderstanding of what I posted.

My point was that were you even to allude to it as a solution you would erode your credibility severely....

Your "solutions" both dealt with attempts to block an attacker with physical access and you didn't seem to be concerned with indicating to the client that the physical security is of paramount importance.

Then I tried to point out that you can "avoid" the issue of such things as ntpasswd etc. by exempting them in the contract as being outside the scope of the audit as a whole....

I didn't misread, I did see "issues" with your approach contractually and with what appeared to be yourself "misapplying" your responsibility in such a way that you _could_ do yourself harm.... I tried to help.... Take it for what you will..... ;)

Well, put that way, I understand what you are saying.

You have to understand a couple of things however. The only point in having brought that up, was as I said, I was looking for viable solutions outside of the realm of pysical security (I will explain why in just a second!) and in looking for a good alternative outside the realm of physical security, I ran across those 'suggestions'. Since I was asking for possible solutions here at AO, I thought i would mention what I had read as far as suggestions, and pointed out that they weren't viable solutions. As far as your point about a 'better' reason to not use a BIOS password. I got it. I understand. But because I didn't write that in my post seems to me to not be a very good reason to call someones credibility into question! But, thats okay. I have no control over that. If that is your opinion, I will accept that.

Secondly, you have to keep in mind, this is not a typical mission critical server, nor a large scale network. This is simply someone who runs a small business who would like me to look at his networks security. The physical security aspect that you are suggesting is not a viable solution in this particular scenario. Remember, this is a small business. This is part of the reason I was looking for another alternative that could ensure him that this kind of thing wouldn't happen. He has no place to lock up his server. Granted, there is next to no possibility of anyone walking into his business, going into the backroom and doing something like this without him knowing about it, short of an employee who decided to do something like this. Nevertheless, I would like to secure his network for him as best as one can under the circumstances.

XTC, I certainly am not opposed to anyone trying to 'help me', but when someone says 'Gee..;I hope you never do this kind of work again', I find it hard to take that as any sort of 'help'

It's like I am sitting here going '''hmmmm....physical security....woulda never thought of that! I mean come on! I am not an idiot! I think I might have a little better understanding though of what the conditions are. Whle you are calling my ability into question, how much do you know about what the circumstances of this particular job are?

Anyways, I'm not here to defend my position. I asked if anyone had any other suggestions for this type of situation. I can't lock the mans servers up for him physically.

So...at this point I am sorry I even posted the question. I would hope that the people on this board would be a little more willing to help before calling my abilities into a question over something like this.

But I got it. Thanks.

I wasn't questioning your ability or your credibility.... Maybe I came across wrongly.

Had you given all the info you did in your last post it would have been a lot clearer.... ;)

'nuff said..... :D

Tiger, one more thing....

on another note. To zero in on your comment about

Quote:

---

what appeared to be yourself "misapplying" your responsibility in such a way that you _could_ do yourself harm

---

I understand exactly what you mean, and perhaps you could be correct. I certainly cannot be help liable 'contractually' over such an issue. I am just trying to secure this clients network for him to the best of my ability. And on that note. Thanks for the point.

No physical security ?

then physically remove CD ROMS and floppy drives ?
Use remote logon only, server is the box only, no GUI, Kybd, mouse local at all
Use KVM kit to allow logon from another position [anything that gives you a breathing space]
Give machines similar names, and bunch them together.
you hide a tree in a wood :)

anything that gives the 'intruder' something to pause over, whether it be a lack of logon facilities, no discernable ID to allow them to grab the 'good' stuff :) whatever.

foxyloxley,

Good suggestions. Thank you. I'm not sure how viable this would be for this particular person, however, definately good suggestions to mention to him. I appreciate your reply.

on the lighter side:

Quote:

---

Let me first say that I do know enough to be compotent in performing the assesment.

---

Really? :D

Compotent: The word you've entered isn't in the dictionary. Click on a spelling suggestion below or try again using the search box to the right.


assesment: The word you've entered isn't in the dictionary. Click on a spelling suggestion below or try again using the search box to the right.


So you're undefined about performing something that doesn't exist? :D

~cheers~

Yeah, sorry. I do tend to mis-spell things when I am typing too fast. Not to mention (on a heavier note) I was burned in a house fire, and on my left hand only have the use of 1 finger and a thumb. :thumbsup:

Quote:

---

Originally posted here by Dr. Psy
Yeah, sorry. I do tend to mis-spell things when I am typing too fast. Not to mention (on a heavier note) I was burned in a house fire, and on my left hand only have the use of 1 finger and a thumb. :thumbsup:

---

Geez Debby Downer.... ;)

Quote:

---

He has no place to lock up his server. Granted, there is next to no possibility of anyone walking into his business, going into the backroom and doing something like this without him knowing about it, short of an employee who decided to do something like this. Nevertheless, I would like to secure his network for him as best as one can under the circumstances.

---

This is one of the exact reasons why you would want to implement physical security. I would think a disgruntled employee would be more inept to do harm to a network than a random off the street. i know you also stated that he doesnt have any means to lockup the workstation.... Why not for ease of mind and CYA recommend he build/purchase a lockbox that has holes for cables to come out of that he can put a padlock on so that noone can get to the PC without the key. At least as some form of physical security.... This is if you don't take foxyloxley's recommendation and remove the devices or use another means...

just my 2cents

Quote:

---

Originally posted here by foxyloxley
No physical security ?

then physically remove CD ROMS and floppy drives ?
Use remote logon only, server is the box only, no GUI, Kybd, mouse local at all
Use KVM kit to allow logon from another position [anything that gives you a breathing space]
Give machines similar names, and bunch them together.
you hide a tree in a wood :)

anything that gives the 'intruder' something to pause over, whether it be a lack of logon facilities, no discernable ID to allow them to grab the 'good' stuff :) whatever.

---

damn you foxy >.<
the first thing i thought when i read the thread was "remove the drives" - lol
but noooooo you had to get in there before me ;)

if however that is not a viable option - one that might offer almost the same kind of thing while still retaining the drives on the machine is to invest in a good sturdy case with a lockable front cover. Sealing of the drives from outside access while stil allowing the manager or whoever has the key to access the drives quickly and easily.

Do not however leave the key sitting in the front cover as I have seen happen on regular basis - kind of defeats the purpose

this case (prolly a little showy for what you need - and i would prefer something a lil sturdier rather than as fancy) should give you an example of what I mean

http://www.xoxide.com/aspire-x-navig...lue-black.html

this however was just first search in google - I would not go for this case but would prefer one of a more sturdy design - ratrher than spendign the extra $$$$ on 'ohhh look blue lights!!!!!1111oneoneoneoneone' type features

To say that physical security isn't important or needed is retarded and ignorant -- hands down.

Just to add a bit to what has already been suggested, I would like suggest, if I can access the server carrying a copy of Ntpasswrd, I can access the server carrying a CD drive and a screw driver.
Tight access control us a must.

However, if all the physical security measures suggested are not viable, (for what ever reason) the best thing I can think of is to place the box where it is in view of those in the company, who are aware of its importance. Open plan offices are a great security device. Either that or in the bosses office, where he has no one to blame but his self, if it gets messed with.