We all know that Windows-based systems have plenty of potential security risks. But are your systems vulnerable? Likely so. Any given network is chock full of Windows vulnerabilities. It's a law of nature and a side effect of doing business using networked computers. But with the thousands of Windows vulnerabilities in the wild, what do you really need to focus your efforts on? Well, let me share with you the Windows-based weaknesses I'm seeing most often in my work -- things that can get you in a bind if you ignore them.
Here's my top 10 list:
- File and share permissions that give up everything to everyone -- This is easily the biggest vulnerability I'm seeing with Windows systems regardless of the type of system or Windows version. Users who create shares to make their local files available across the network are typically the culprits. Sometimes the cause is a careless admin; other times it's an honest mistake. Unfortunately, all too often the "Everyone" group is given full access to every file on the system. Then, all it takes is for an insider to search for sensitive keywords stored in .pdf, .xls, .doc and other file formats using a text search tool such as Effective File Search or FileLocator Pro. Odds are -- nearly 100% of the time -- the attacker will come across sensitive information (SSNs, credit card numbers, you name it) that they shouldn't have access to. Best case scenario, this is an identity theft in the making. Worst case, this becomes a serious breach that makes the headlines.
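Finding these shares before an insider does is mostly a matter of checking two ACL layers, the share permissions and the NTFS permissions underneath them. The script below is an added example, not code from the original tip; it assumes the SmbShare module (Windows 8 / Server 2012 or later), an elevated session, and that you only want user-created shares (the administrative shares are skipped). Set `$Remediate` to `$true` to drop "Everyone" to read-only at the share layer once you have reviewed the report.

```powershell
# Added example (not from the original article): enumerate SMB shares on this host and
# flag share-level and NTFS permissions that grant a broad principal more than read access.
# Assumes the SmbShare module (Windows 8 / Server 2012+) and an elevated PowerShell session.

$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$Remediate = $false   # flip to $true to reduce "Everyone" to Read at the share layer

function Test-WeakShare {
    # Skip administrative shares (C$, ADMIN$, IPC$); user-created shares are the usual culprits.
    $shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }

    foreach ($share in $shares) {
        # Share-level ACL: Full or Change for a broad principal is the classic mistake.
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $broadPrincipals -contains $_.AccountName -and
                           $_.AccessControlType -eq 'Allow' -and
                           $_.AccessRight -in @('Full', 'Change') } |
            ForEach-Object {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Layer     = 'Share'
                    Principal = $_.AccountName
                    Rights    = $_.AccessRight
                }
            }

        # NTFS ACL on the shared folder: an over-permissive share is harmless only if the
        # file system still says no, so report both layers and fix the weaker one.
        $acl = Get-Acl -Path $share.Path
        foreach ($ace in $acl.Access) {
            $rights = $ace.FileSystemRights.ToString()
            if ($broadPrincipals -contains $ace.IdentityReference.Value -and
                $ace.AccessControlType -eq 'Allow' -and
                $rights -match 'FullControl|Modify|Write') {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Layer     = 'NTFS'
                    Principal = $ace.IdentityReference.Value
                    Rights    = $rights
                }
            }
        }
    }
}

$findings = Test-WeakShare
$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object { $_.Layer -eq 'Share' -and $_.Principal -eq 'Everyone' }) {
        # Revoke the broad grant, then re-grant read-only so the share keeps working.
        Revoke-SmbShareAccess -Name $f.Share -AccountName 'Everyone' -Force
        Grant-SmbShareAccess  -Name $f.Share -AccountName 'Everyone' -AccessRight Read -Force
    }
}
```

The NTFS findings are deliberately left to a human: tightening folder ACLs on a file server without knowing who legitimately writes there breaks business processes, and the report gives you the list to take to the data owner.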
- Lack of malware protection -- I know, I know, it's really basic but I'm seeing it more now than ever. I've seen antivirus and antispyware software both disabled and not installed at all with no one being aware of the problem.
- Lack of personal firewall protection -- This is another basic security control that's still not enabled on many Windows systems. Even the basic (and free) Windows Firewall can prevent connections to the IPC$ and ADMIN$ shares that are often open and providing information and access that they shouldn't be divulging. Personal firewalls can also block malware infiltrations, wireless intrusions and more. I can't think of a good reason not to use a personal firewall on all workstations and most servers.
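Turning the firewall on is only half of it; the built-in "File and Printer Sharing" allow rules are what expose IPC$ and ADMIN$ over SMB, so they need to go too. The script below is an added example, not from the original tip. It assumes the NetSecurity module (Windows 8 / Server 2012 or later), an elevated session, and a placeholder management subnet of 10.0.5.0/24 from which remote administration should still work; the rule names are my own. Because Windows Firewall evaluates block rules before allow rules, the approach here is to rely on the profile's default inbound block and add a narrow allow, rather than adding a block rule that an exception could never punch through.

```powershell
# Added example (not from the original article): enable Windows Firewall on every
# profile, default to blocking inbound, remove the stock SMB allow rules and re-allow
# SMB only from a management subnet. 10.0.5.0/24 is a placeholder, not a value from
# the article. Assumes the NetSecurity module and an elevated session.

$mgmtSubnet = '10.0.5.0/24'
$ruleName   = 'Allow SMB from management subnet'   # my own rule name

# 1. Show where we stand: a disabled profile, or one whose default inbound action
#    is Allow, is the finding.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# 2. Enforce: all profiles on, inbound denied unless a rule explicitly allows it.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 3. Disable the built-in allow rules for file and printer sharing so SMB (TCP 445)
#    and NetBIOS session (TCP 139) fall through to the profile default (Block).
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Disable-NetFirewallRule

# 4. Re-allow SMB only from the management subnet, on the Domain profile only,
#    so remote administration keeps working when the machine is on the corporate LAN.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress $mgmtSubnet -Action Allow -Profile Domain | Out-Null
}

# 5. Verify: list every enabled inbound rule that still allows 445 or 139.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -match '^(445|139)$') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile, Enabled
```

Step 5 is the check worth keeping in a scheduled job: if anything other than the management-subnet rule shows up, someone (or some installer) has re-opened SMB.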
- Weak or nonexistent drive encryption -- The drive encryption marketing machine is working its magic, but I'm still seeing the majority of organizations (large and small) not using encryption. I'm of the belief that whole-disk encryption is the only way to go. If a laptop or desktop machine is lost or stolen, the only way to prevent someone from cracking the Windows password and gaining full access to the hard drive is to encrypt everything using reasonable passphrases. Relying on Windows Encrypted File System (EFS) or other file/directory/volume-level encryption puts too much security control in the hands of users and is a breach waiting to happen.
- No minimum security standards -- Users with wireless networks, especially, need to follow secure company policies at their homes, like requiring SSL for Outlook Web Access, a PPTP VPN connection for remote network connectivity or WPA-PSK with a strong passphrase to help ensure everything is safe and sound. This can be tough to enforce without a workstation-based wireless IDS/IPS (typically a component of an enterprise wireless management system) or a well-configured Network Access Control (NAC) system. Nevertheless, make it your policy and enforce it wherever possible.
- Missing patches in Windows as well as third-party software, such as VNC, RealPlayer and others -- This is a big problem that often gets overlooked. I'm not saying you should try to find these types of holes just to claim that patches are missing. Using Metasploit or its commercial alternatives CANVAS and CORE IMPACT, many missing patches can actually be exploited by a rogue insider or outsider who's gotten into your network via other means. Full remote access anyone?
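You don't need an exploitation framework to know what's missing; the Windows Update Agent will tell you directly. The script below is an added example, not from the original tip. It uses the documented `Microsoft.Update.Session` COM API, so the answer comes from whatever update source the machine is already configured for (WSUS or Microsoft Update), and it finishes with a quick registry-based software inventory because third-party products such as VNC and RealPlayer are outside what the agent tracks.

```powershell
# Added example (not from the original article): ask the Windows Update Agent which
# applicable updates are not installed and flag those rated Critical or Important,
# then inventory non-Microsoft software so it can be checked against vendor advisories.
# Uses the documented Microsoft.Update.Session COM API; run in an elevated session.

function Get-MissingUpdate {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Search criteria syntax is defined by the WUA API; hidden updates are excluded.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            KB        = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity  = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
            Title     = $update.Title
            Published = $update.LastDeploymentChangeTime
        }
    }
}

$missing = Get-MissingUpdate
$missing | Sort-Object Severity, Published | Format-Table -AutoSize

# Critical/Important is the bucket that usually means remote code execution is on the table.
$urgent = $missing | Where-Object { $_.Severity -in 'Critical', 'Important' }
"{0} missing updates, {1} rated Critical or Important" -f @($missing).Count, @($urgent).Count

# Third-party software is out of WUA's scope: list what is installed (both registry
# views on 64-bit Windows) so versions can be compared against each vendor's advisories.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.Publisher -notmatch 'Microsoft' } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName
```

Run across a fleet, the count of Critical/Important updates per host is a far more honest metric than "we have WSUS", because it measures what actually landed rather than what was approved.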
- Weak Windows security policy settings -- Some examples of this include audit logging not enabled for failed events; no password-protected screensavers; not requiring Ctrl+Alt+Del for login; not requiring password complexity; and displaying the last user name that logged in. Policies to control these issues are easy to implement locally on each Windows system for smaller Windows shops not running Active Directory. It's even easier for larger enterprises via Active Directory Group Policy.
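Each of those five settings lives in a well-known place, so a short script can report them as weak or OK on any machine. The script below is an added example, not from the original tip. It reads the standard registry locations, an exported copy of the local security policy (`secedit`), and the audit configuration (`auditpol`); the thresholds (for example a 15-minute screensaver timeout) are my own choices. Run it elevated; on a domain member, Group Policy may override the local values it changes, and the screensaver keys are per-user.

```powershell
# Added example (not from the original article): check the five local security settings
# the article lists and report each as weak or OK, with optional remediation.
# Registry paths, secedit and auditpol are standard Windows; thresholds are my own.

$Remediate  = $false
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$desktopKey = 'HKCU:\Control Panel\Desktop'

function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-LocalSecurityPolicy {
    $results = @()

    # 1. Interactive logon: do not display last user name (DontDisplayLastUserName = 1).
    $v = Get-RegValue $policyKey 'DontDisplayLastUserName'
    $results += [pscustomobject]@{ Setting = 'Hide last logged-on user'; Value = $v; Weak = ($v -ne 1) }

    # 2. Interactive logon: require Ctrl+Alt+Del (DisableCAD = 1 means it is NOT required).
    $v = Get-RegValue $policyKey 'DisableCAD'
    $results += [pscustomobject]@{ Setting = 'Require Ctrl+Alt+Del'; Value = $v; Weak = ($v -eq 1) }

    # 3. Password-protected screensaver with a timeout, for the current user (REG_SZ values).
    $secure  = Get-RegValue $desktopKey 'ScreenSaverIsSecure'
    $timeout = [int](Get-RegValue $desktopKey 'ScreenSaveTimeOut')
    $results += [pscustomobject]@{ Setting = 'Password-protected screensaver'
                                   Value   = "secure=$secure timeout=${timeout}s"
                                   Weak    = ($secure -ne '1' -or $timeout -le 0 -or $timeout -gt 900) }

    # 4. Password complexity, read from an exported copy of the local security policy.
    $tmp = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $tmp /quiet | Out-Null
    $m = Select-String -Path $tmp -Pattern '^PasswordComplexity\s*=\s*(\d)'
    $complexity = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Setting = 'Password complexity'; Value = $complexity; Weak = ($complexity -ne '1') }

    # 5. Failure auditing for logon events (auditpol /r emits CSV with an "Inclusion Setting" column).
    $audit   = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
    $setting = $audit[0].'Inclusion Setting'
    $results += [pscustomobject]@{ Setting = 'Audit logon failures'; Value = $setting; Weak = ($setting -notmatch 'Failure') }

    return $results
}

Test-LocalSecurityPolicy | Format-Table -AutoSize

if ($Remediate) {
    Set-ItemProperty -Path $policyKey -Name 'DontDisplayLastUserName' -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name 'DisableCAD' -Value 0 -Type DWord
    Set-ItemProperty -Path $desktopKey -Name 'ScreenSaverIsSecure' -Value '1'
    Set-ItemProperty -Path $desktopKey -Name 'ScreenSaveTimeOut' -Value '900'
    auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
}
```

For anything beyond a handful of machines, put the same values in a Group Policy Object and use this script only as the independent check that the GPO actually applied.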
- Unaccounted-for systems running unknown and unmanaged services such as IIS and SQL Server Express -- These are often legacy Windows systems that aren't within the scope of enterprise security and compliance. Sometimes, they're not even supported by third-party security management apps, so they get pushed aside. These systems (typically Windows 98, NT and 2000) are often unhardened and unpatched and are waiting to be exploited. Inevitably there's going to be some random training or test system that everyone forgot about. But such a system is all it takes for someone with ill intent to get onto your network and do bad things.
- Weak or nonexistent passwords -- I can't tell you how many systems (especially Windows laptops) I see that do not have a password assigned to the Administrator account or the default user's password is the same as the user name. The password problem has been around since the dawn of time, so there's no excuse for this one.
- Windows Mobile and other mobile device weaknesses -- In today's mobile world, I'd be remiss not to at least mention the vulnerabilities associated with Windows Mobile and similar mobile devices. Some mobile-specific issues are essential to have on your radar. In a tip called "Windows mobile security: Get it locked down," I outline several things to consider.
In order to find these vulnerabilities, you're going to need good tools, including port scanners and system enumeration tools, such as SuperScan or, ideally, vulnerability scanners that do it in one fell swoop, such as QualysGuard. An easy-to-use network analyzer such as OmniPeek or CommView is a must, and so is a good hex editor. Last, but certainly not least, you'll have to use your own expertise to manually analyze your systems to check for weaknesses. It's easy to verify whether malware protection is installed but not so simple to determine just how weak file permissions, missing Group Policies and the like can be exploited.
Now that you know what to focus on, you can start finding out what's what. The bottom line is to know what's on your systems and what can be done with your systems. This is the recipe for a secure Windows environment.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent security assessments. Beaver has authored/co-authored several books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and a blog providing security learning for IT professionals on the go. He can be reached at firstname.lastname@example.org.