The importance of conducting internal security assessments cannot be overstated, in ensuring your network, data and user environment are secure not only from internal staff threats but from the outside world. Many of today’s attack vectors work outbound from client systems, therefore inbound firewall rules may not stop this. It is also vital to ensure that data sensitive information such as H.R or payroll data is not accessible to standard users.
Below are the top 5 most common issues I find when conducting internal infrastructure assessments within Windows based domains.
1. Missing Security Patches On Servers
The most common exploitable issues found with servers relate to missing Microsoft security patches. Typically most Windows servers will have the SMB ports open (139 and 445) which allows someone on the same network segment (unauthenticated or authenticated) to send exploits to the server. Even if the server is not carrying out important functions (such as print server or test/development box) if this can be exploited it normally can be used to compromise the entire domain.
3rd party applications are often found un-patched and exploitable. Any application that sits outside of the standard Windows update system and is not updated could lead to exploitation of the server even if the core operating system is fully patched.
2. Common Credentials
Common usernames and passwords are often found between workstations and servers. Therefore any software or physical exploit that compromises a workstation can then use the retrieved credentials to exploit a fully patched server. If the password is strong and can’t be cracked it is possible to send just the hash of the password out to servers to authenticate without knowing what the password is.
Common passwords between servers is also a risk as if one non essential server is compromised the credentials gained can be used to authenticate against a business critical server that is not vulnerable to exploitation.
3. Weak Password Policies
Easily guessable user accounts and passwords are found within organisations that have shared job roles such as reception, helpdesk, security etc. As these are positions where multiple users may use the same computer, for ease of use logins such as “reception” with a password of “reception” are commonly seen to make life easier for the users.
Passwords are often based on the company name or something obvious relating to the company that can be guessed. Weak password policies are found that allow short and weak passwords for users and administrator accounts without any complexity or forced password changes.
4. Sensitive Information Stored Within SMB Shares
Sensitive information is often found within shares that are accessible by unauthenticated or authenticated standard users. Examples of this are old SQL backup files that can be downloaded and restored which contain sensitive information such as credit cards, HR details, salaries etc. Other files often found are Cisco config files, password spreadsheets and documentation containing credentials.
Batch files and XML files are often seen with hard coded SQL server credentials that have domain admin privileges or allow access to the SQL server directly. Shares such as NETLOGON often contain batch files with drive mappings or software installs that also contain hard coded domain administrator credentials or reveal a commonly used password. This allows a standard user browsing the network to obtain very sensitive information and high privileged user credentials to access servers without any exploitation being required.
Permission issues with user directories on file servers are often found which allow any user to view other users data, typically this include H.R or salary information and in some cases I.T support staff data and passwords.
5. Workstation Security
Workstations are often not considered to be that important with regards to security. With internal testing these are often the easiest method of exploiting the servers and domain. The main areas are:
Missing Microsoft patches - Workstation patching is also very important. The most typical exploits relate to SMB ports just the same as the servers. If a workstation can be exploited it could contain credentials that can allow a fully patched server to be compromised. If a Windows workstation has the firewall enabled then all inbound ports are filtered, therefore only an exploit that requires user interaction would work such as a PDF exploit that creates an outbound connection to the attacker.
Boot security - Workstations often do not have any boot security enabled within the BIOS. It is therefore possible to power on the workstation and insert a CDROM or USB stick to mount the Windows partition bypassing all security and extract the local administrator password hashes. The workstation could also contain cached credentials for domain administrators as when the system was originally joined to the domain the cached value is typically stored. If common credentials are found between workstations and servers, this can result in the domain being fully compromised.
3rd Party applications - Applications such as Adobe PDF reader, Java, QuickTime etc are susceptible to vulnerabilities in the same way as the operating system. Even with a fully patched operating system a vulnerability within a 3rd party application can lead to the system being compromised. Often these applications are not patched or left up to the end user to control if they wish to install updates. These are also excluded from Windows updates services and are often not considered an important application to patch.