There are security issues beyond the widely accepted Windows hardening practices and security standards that, if you are not careful, will creep into your environment and bleed you dry.
Security best practices include requiring strong passwords, renaming the administrator account and disabling unused accounts. However, I'm not convinced they're the best ways to spend your resources -- at least until the bigger problems are fixed. In fact, often default installations of Windows desktops as well as other lower-hanging fruit pose even greater risks. These things include open file shares, enabled null sessions, a lack of drive encryption, and insecure versions of software like SQL Server Express and VNC.
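The following PowerShell sketch checks a single desktop for three of the default-install risks just listed: open file shares, null sessions and missing drive encryption. It is an added example, not a script from the author, and it assumes an elevated session on Windows 8 / Server 2012 or later, where the SmbShare and BitLocker cmdlets are available.

```powershell
# Added example: read-only local audit of three risks named above.
# Assumes an elevated session on Windows 8 / Server 2012 or later.

# 1. Open file shares: non-administrative shares that allow broad groups.
$broad = 'Everyone', 'ANONYMOUS LOGON', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$openShares = Get-SmbShare -Special $false | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broad -contains $_.AccountName
    }
} | Select-Object Name, AccountName, AccessRight

# 2. Null sessions: registry values that control anonymous access.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$nullFindings = @()
if ($lsa.RestrictAnonymous -ne 1) {
    $nullFindings += 'RestrictAnonymous is not 1: anonymous enumeration of SAM accounts and shares is not blocked'
}
if ($lsa.RestrictAnonymousSAM -ne 1) {
    $nullFindings += 'RestrictAnonymousSAM is not 1: anonymous enumeration of SAM accounts is not blocked'
}
if ($lsa.EveryoneIncludesAnonymous -eq 1) {
    $nullFindings += 'EveryoneIncludesAnonymous is 1: Everyone permissions also apply to anonymous users'
}
if ($srv.RestrictNullSessAccess -eq 0) {
    $nullFindings += 'RestrictNullSessAccess is 0: null sessions are not limited to the listed pipes and shares'
}
$nullShares = @($srv.NullSessionShares | Where-Object { $_ })
if ($nullShares.Count -gt 0) {
    $nullFindings += 'NullSessionShares lists: ' + ($nullShares -join ', ')
}

# 3. Drive encryption: volumes where BitLocker protection is not on.
$unprotected = 'BitLocker cmdlets not installed; check encryption another way'
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $unprotected = Get-BitLockerVolume |
        Where-Object { $_.ProtectionStatus -ne 'On' } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

# Summary for this machine; empty sections mean nothing was flagged.
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    OpenShares          = $openShares
    NullSessionFindings = $nullFindings
    UnprotectedVolumes  = $unprotected
} | Format-List
```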
To find vulnerabilities in Windows, the right tools are needed. I'm partial to the commercial tool QualysGuard, which I've used for a decade; I have yet to find another tool that produces results at the same quality level. However, these days it can be difficult to scrounge up money for security tools. The good news is that if you've got the time and are willing to put forth the effort, there are many low-cost and free tools to help with Windows security, including the following:
- DumpSec, SuperScan and Winfo for system enumeration
- ShareEnum for gathering information on open shares
- TCPView to view TCP and UDP session information
- Microsoft Baseline Security Analyzer for checking missing patches and weak passwords
- GFI LANguard (5-IP freeware version) for in-depth unauthenticated and authenticated vulnerability scans
- Metasploit for exploiting missing patch-related vulnerabilities
With these tools, you can accomplish a lot in the ethical hacking methodology of scan, enumerate, assess and exploit -- especially if you integrate BackTrack and the Sysinternals suite into the mix. While you may not find everything, and it may take longer, it beats overlooking critical Windows flaws waiting to be exploited.
Keep in mind that in order to find security flaws in the majority of Windows systems, you need to look at only a relatively small cross-section of them. If a specific security weakness is on 10% or 20% of Windows desktops, odds are it's on all of them.
If you really need higher-end tools for scanning Windows systems, try to get a trial version of the software. Such tools can help you convince management that their money will be well spent.
Finally, don't take your Windows security tools too seriously -- they're not all you need. The missing ingredient for well-rounded Windows security assessments is good old-fashioned experience. If you don't know what to look for -- i.e., the things that count in your environment -- then you might as well not be looking.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, keynote speaker and expert witness at Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments and helping IT professionals enhance their careers. Beaver has also written and co-authored seven books on information security, including Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). In addition, he's the creator of the Security on Wheels information security audio books and Security on Wheels blog providing security learning for IT professionals on the go. He can be reached at firstname.lastname@example.org.
This was first published in December 2009