112255 introduction bad admin summary 33 non-technical issues admin even worse! 44
TRANSCRIPT
Unmasking Administrator’s EvilSIM 306
Paula JanuszkiewiczIT Security Auditor, MVP, [email protected]
Agenda
1 2 5
Introduction
Bad Admin
Summary
3
Non-Technical Issues
Admin Even Worse!
4
Innocent Games
Summary
Task Manager Is Not Enough
Explorer Is Not Enough
MoveFileEx Function
Diagnostic and Recovery Toolset
Data Is Trickling
Administrators Take Shortcuts
Introduction
Innocent Games
Summary
Task Manager Is Not Enough
Explorer Is Not Enough
MoveFileEx Function
Diagnostic and Recovery Toolset
Data Is Trickling
Administrators Take Shortcuts
Introduction
Innocent Games
WINLOGONSupports user authenticationSpecial session in OS with strong limitations…but this is a session and can be owned
Image HijacksAttaches debugger to an executable fileOS does not check if a file is a debugger
Sourc
e:
Pho
tosu
r@fli
ckr
demo
WINLOGONImage HijacksThe scenario of the deleted account
Innocent Games
Summary
Task Manager Is Not Enough
Explorer Is Not Enough
MoveFileEx Function
Diagnostic and Recovery Toolset
Data Is Trickling
Administrators Take Shortcuts
Introduction
Task Manager is Not Enough
Tool for home users
Power of Kernel Mode:No rulesAlmost no managementNo securityNo time limits
Driver is the method to get to Kernel Mode!
demo
Task Manager vs. Windows DebuggerUnder the cover - Processes
Innocent Games
Summary
Task Manager Is Not Enough
Explorer Is Not Enough
MoveFileEx Function
Diagnostic and Recovery Toolset
Data Is Trickling
Administrators Take Shortcuts
Introduction
Explorer Is Not Enough
Let’s make it clear:If you remove admin’s access, he WILL NOT be impressed
RightsShould be used according to some patternsShould be audited
BackupRead/ BackupWriteCopy operation that is more important that ACLsUsed by backup software
Under the Cover
Files
Innocent Games
Summary
Task Manager Is Not Enough
Explorer Is Not Enough
MoveFileEx Function
Diagnostic and Recovery Toolset
Data Is Trickling
Administrators Take Shortcuts
Introduction
MoveFileEx Function
Documented in MSDN: „Moves an existing file or directory, including its children, with various move options.”
MOVEFILE_DELAY_UNTIL_REBOOT flagCan rename and delete files during next reboot
Just after autochkLong before normal protection mechanisms startStores data in registry (PendingFileRenameOperations)By default ignores system files
demo
Till The Next Restart
Broken Server Scenario
Innocent Games
Summary
Task Manager Is Not Enough
Explorer Is Not Enough
MoveFileEx Function
Diagnostic and Recovery Toolset
Data Is Trickling
Administrators Take Shortcuts
Introduction
Diagnostic and Recovery Toolset
Helps to diagnose and repair a systemSupport for
Windows 7 (x86 and x64 architectures) Windows Server 2008 R2 (x86 and x64 architectures)
Allow resetting of local account passwordsUseful for offline activities
demo
File Tracing
Tracing of what could happen
Innocent Games
Summary
Task Manager Is Not Enough
Explorer Is Not Enough
MoveFileEx Function
Diagnostic and Recovery Toolset
Data Is Trickling
Administrators Take Shortcuts
Introduction
Data Trickling
Perform regular network tracingUseful not only in critical situationsSome applications send sensitive data over the wire
Perform port scanning on the edgeEvil admin may listen to your network
demo
Watchdog Service
Admin is still working
DNS Tunneling
Interesting way of sending files
Entry TTL!
Ouch!
demo
EntryTTL
Unappropriate attribute usage
Innocent Games
Summary
Task Manager Is Not Enough
Explorer Is Not Enough
MoveFileEx Function
Diagnostic and Recovery Toolset
Data Is Trickling
Administrators Take Shortcuts
Introduction
Administrators Take Shortcuts
Technical „power” against people having 100% power
Non-technical issuesLawRules and compliance DocumentationRotate responsibilitiesExternal audits
Innocent Games
Summary
Task Manager Is Not Enough
Explorer Is Not Enough
MoveFileEx Function
Diagnostic and Recovery Toolset
Data Is Trickling
Administrators Take Shortcuts
Introduction
Be Proactive!
Infrastructure must be well documentedSplit and rotate tasks between adminsUse the legal code
Perform periodical checksAutorunsKernel Level FilesNetwork TrafficProcesses
Sourc
e:
Hea
rd.T
ypeP
ad.c
om
Thank You!
Complete an evaluation on CommNet and enter to win!
Resources
EZNamespaceExtensions.Net v2011http://blogs.technet.com/b/plitpromicrosoftcom/Thanks to:
Grzegorz TworekBartosz Kierun
Resources
www.microsoft.com/teched
Sessions On-Demand & Community Microsoft Certification & Training Resources
Resources for IT Professionals Resources for Developers
www.microsoft.com/learning
http://microsoft.com/technet http://microsoft.com/msdn
Learning
http://northamerica.msteched.com
Connect. Share. Discuss.
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS
PRESENTATION.