Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
Gartner said WSS will replace Windows file shares
April 30, 2008
From http://blog.gartner.com/blog/index.php?itemid=1637: “We think Windows SharePoint Services (WSS) is a natural upgrade from LAN file-shares. So much so that, by 2010, WSS will replace a majority of Windows-based, LAN file shares. (We expect explosive growth in WSS deployment and usage.)”
Wow!
Well, I think that the ‘majority’ of Windows file shares will live on at least until the hardware they’re running on fails. After that, will they be replaced by something that’s more complex to deploy and administer? Not sure about that one. The explosive growth prediction is proving true, though.
A bit of an old post, but still up to date on the product lines discussed: http://www.inputoutput.ca/2006/microsoft-sharepoint-2007-licencing/.
That’s the Northwest Entrepreneur Network’s Early Stage Investment Forum, coming up on May 9. I’ve been a few times in previous years and have never been disappointed.
http://www.nwen.org/index.php?option=com_events&Itemid=15&id=87
NAP Partner Video from RSA
April 28, 2008
Check out Jeff Sigman’s video/blog entry featuring interviews of some of Microsoft’s NAP partners on the RSA trade show floor. Prominently featured are JW Secure customer Blue Ridge Networks and local start-up Napera.
Pacific Rim Regional Collegiate Cyber Defense Competition
April 27, 2008
Just got back from this “Red Team” volunteer event. Man, it was so fun! There were nine student teams from all over the northwest, and I’d guess that each team had around 10 people. Today’s red/attack team was another 10 or so people. Add in the support staff, and you can tell it was a pretty big event.
The rules are described at the link below, but in summary, each of the nine defense teams was responsible for maintaining a set of network resources including a router, switches, and a mix of Windows and Linux boxes. Most were pretty well patched by today, but the red team still found plenty of fun!
Indeed, it’s kind of scary how fun it is. I found a few good ones: default “enable” (admin account, basically) passwords on a Cisco router and a switch (two separate teams). And a default MySQL password on a third team. Other red team members found cross-site scripting vulnerabilities, a cracked SAM database or two, and a few other compromised routers and switches.
We managed to show moderate restraint in terms of exploitation, except that we kept the compromised router and switches until the end, then reset them to the factory settings with 10 minutes left in the competition. Ok, maybe that was kind of mean …
SharePoint administration port security
April 26, 2008
Been doing some research on SharePoint lately, mostly focused on SharePoint Services 2.0, since that’s a dependency of Team Foundation Server.
The SharePoint “administration port” is an interesting feature, if for no other reason than what this TechNet article has to say about it. See the “About Remote Administration and Security” section about two-thirds of the way down.
My recommendation to SharePoint administrators (even if that’s your title only by default) of the world would be to read those instructions carefully, since the default installation requires authentication (good) to the remote admin site, but doesn’t require encryption (bad). Thus, you may be entering sensitive information, such as a password, that can be sniffed on the wire. Be sure to require SSL - there are instructions on that page for doing so.
As an aside, I don’t see why the default installation doesn’t require SSL (and update the shortcuts to the https URL). If there’s no suitable Server Authentication certificate available, just create a self-signed one and warn the admin. That’s better than no-encryption-by-default. Maybe SharePoint 3.0 fixed that; I haven’t checked.
Anyway, what prompted me to post about this is the following text from that article:
“Require the use of a non-standard HTTP port for accessing the Central Administration pages. This precaution makes it much more difficult for malicious users to guess the URL of HTML Administration pages or the remote administration programs. When you install Windows SharePoint Services on the Microsoft Windows platform, a random non-standard administration port is automatically used for the SharePoint Central Administration pages.”
Much more difficult, huh? Well, the use of a non-standard port is not an effective security measure. If anything, the fact that the SharePoint administration console requires its own web port makes remote fingerprinting easier: it helps an attacker identify server roles and versions simply by scanning for open ports. I’ll demonstrate with the port scanning tool nmap.
Suppose that I’m initiating a network-based penetration test, I’ve identified some interesting IP addresses, and I want to learn more about what’s running on each server. One way to gather more information is to start scanning high ports:
>nmap.exe -r -p1025-65535 192.168.1.183
...
Interesting ports on 192.168.1.183:
Not shown: 64507 closed ports
PORT STATE SERVICE
1025/tcp open NFS-or-IIS
1433/tcp open ms-sql-s
2383/tcp open unknown
15130/tcp open unknown
Now we know there are two high ports on the target server that don’t have known protocol or product associations. A more thorough scan of both doesn’t reveal much more about 2383, but tells us that IIS is listening on 15130 and that it requires authentication:
>nmap.exe -A -p15130 192.168.1.183
...
Interesting ports on 192.168.1.183:
PORT STATE SERVICE VERSION
15130/tcp open http Microsoft IIS webserver 6.0
|_ HTML title: You are not authorized to view this page
| HTTP Auth: HTTP Service requires authentication
| Auth type: Negotiate
|_ Auth type: NTLM
...
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Putting my attacker hat on, I’m thinking to myself, ‘why is there a web server listening on a seemingly random port and why does it require authentication? Not only that, but this machine is running SQL as well. Must be a juicy target! And hey, SQL plus a high web port … could be SharePoint!’
A quick test on the server itself confirms the research:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\60\BIN>STSADM.EXE -o getadminport
...
The SharePoint administration port is ":15130:".
In summary, SharePoint administration might as well use a fixed port. And I’d rather that the product not open a management port at all, since securing it requires extra work that many customers won’t understand.
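As an added example (not part of the original post), the following Python script parses nmap output in the shape shown above and applies the same heuristic from the defender’s side: it flags IIS listening on a non-standard port with Windows-integrated authentication on a host that also exposes SQL Server, so an administrator reviewing their own scan results knows which site to check for the required-SSL setting. The scan text is constructed to match the output on this page, not a real scan.

```python
import re

# Constructed sample: nmap normal output in the shape shown in the post (not a real scan).
SCAN_OUTPUT = """\
Interesting ports on 192.168.1.183:
Not shown: 64507 closed ports
PORT STATE SERVICE VERSION
1025/tcp open NFS-or-IIS
1433/tcp open ms-sql-s
2383/tcp open unknown
15130/tcp open http Microsoft IIS webserver 6.0
|_ HTML title: You are not authorized to view this page
| HTTP Auth: HTTP Service requires authentication
| Auth type: Negotiate
|_ Auth type: NTLM
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)(?:\s+(.*))?$")
AUTH_RE = re.compile(r"^\|_?\s*Auth type:\s*(\S+)")

def parse_nmap(text):
    """Return {port: {"service", "version", "auth"}} from nmap normal output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"service": m.group(2), "version": m.group(3) or "", "auth": []}
            continue
        # Script output lines ("| ..." / "|_ ...") belong to the most recent port.
        m = AUTH_RE.match(line)
        if m and current is not None:
            ports[current]["auth"].append(m.group(1))
    return ports

def probable_sharepoint_admin_ports(ports):
    """Flag IIS on a non-standard port with Negotiate/NTLM auth when SQL Server
    is also present: the fingerprint the post describes for Central Administration."""
    has_sql = any(p["service"].startswith("ms-sql") for p in ports.values())
    flagged = []
    for port, info in ports.items():
        if port in (80, 443):
            continue
        if "IIS" in info["version"] and {"Negotiate", "NTLM"} & set(info["auth"]) and has_sql:
            flagged.append(port)
    return flagged

if __name__ == "__main__":
    for port in probable_sharepoint_admin_ports(parse_nmap(SCAN_OUTPUT)):
        print(f"port {port}: probable Central Administration site; confirm SSL is required")
```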
More on Kaminsky’s DNS sub-domain hijacking research
April 25, 2008
- When Mr. DNS speaks, the Washington Post listens - http://blog.washingtonpost.com/securityfix/2008/04/when_monetizing_isp_traffic_go.html
- Slide deck - http://www.doxpara.com/DMK_Neut_toor.ppt
- The company that actually implements the ad injection - http://www.barefruit.co.uk
- My original post - http://www.jwsecure.com/dan/2008/04/19/toorcon-seattle-2008-day-2-review/
If you’re using WiX to build MSI installation packages, you’ll probably find this site to be a good read - http://www.tramontana.co.hu/wix/lesson4.php.
Red Team: members wanted
April 21, 2008
The Pacific Rim Cyber Defense Competition (http://www.dc206.org/?page_id=14) is this weekend, and they’re seeking network security professionals to volunteer for Red Team responsibilities. Area university students make up the defensive teams, thereby learning how scary it is to be a sysadmin.
Please see the website if you’re interested.
Check out http://www.edge-security.com/metagoofil.php. The ostensible purpose of the tool is to allow you to prepare for a pentest by pointing it at the target’s website. It automatically downloads files of relevant types and extracts potentially compromising metadata (e.g. MAC addresses, user names, etc).
Rest assured that there are tools out there that do the same with Social Security, credit card, and bank account numbers …