Security Basics mailing list archives
RE: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start
From: "Nero, Nick" <Nick.Nero () disney com>
Date: Wed, 17 Sep 2003 16:32:10 -0400
About your point on resetting the local admin password . . .. Try Syskey. When enabled in mode 3 you can store the system encryption key on a removable floppy (or even a USB Jumpdrive mounted to A:). This means that without this device/disk on bootup, there is NO chance of decrypting/resetting the admin password without a lengthy brute force attack - I believe it uses RC4 at 128bit and the password is a minimum of 15 characters with the UTF-8 characterset. This should make for something like a 1 year cpu time bruteforce attack. Furthermore, the local data can be secured with Encrypting File System which on XP SP1 and Win2k3 is 256bit AES. When coupled with roaming profiles (for the EFS cert storage), this means that a system with Syskey enabled in mode 3 and encrypted data could not be compromised even with an incredible amount of unrestricted physical access (and remember, if someone has unrestricted physical access to your box, it ain't your box anymore) their only option is an equally incredible length of time and cpu cycles dedicated to a brute force attack of either the SAM database or the encrypted file system. Sadly most Windows admins are not fully aware of all the security tools at their disposal and therefore dismiss the security of the platform. Check out this page: http://www.infosecwriters.com/projects/osscan/results.php Although it doesn't show OSX, it does show that based on a default install Win2k3 stands up extremely well to the Solaris's and other OS's. I have to agree with the previous statement that judging a default install is pretty stupid. Although, I am pretty sure that a huge portion of MS's security woes are that the average Joe installs a box and then just lets it go, no box that has any real exposure to anyone should be left at default. It is an interesting argument, but I think it is semantics. Nick Nero CISSP The Walt Disney Company -----Original Message----- From: Damon McMahon [mailto:inst_karma () hotmail com] Sent: Tuesday, September 16, 2003 6:51 PM To: security-basics () securityfocus com Subject: Re: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start I think you miss the point, somewhat. Not wanting to turn this into a flame war [feel free to reject, moderator :)]: On Monday, Sep 15, 2003, Sebastian Schneider <ses () straightliners de> wrote:
Secure and security are completly different things. As far as I remember, there are several flaws in the software shipped with MacOS X. I guess you might remember the last three security updates. If not try running the Software Update panel.
Nowhere near the number of Windows 2000/XP/Server 2003.
The concealment of ports is not really meaningful, since security is more than about if port scans succeed or fail.
I disagree. Concealment of (i.e. packet filtering based on) ports is an effective way of prohibiting - or at least restricting - remote access to vulnerable applications. If Windows hosts concealed ports 135 and 445 the Blaster worm would have been a blip on the radar. Sure, layer 3/4 packet filtering is not the be-all-and-end-all, but the comparison of netstat/nmap/etc output on a MacOSX host compared with a Windows 2000/XP host is telling [I haven't seen it on a Server 2003 host, but I'm led to believe it's almost as bad]. I also believe that the Internet Connection Firewall on Windows XP/Server 2003 is _off_ by default, whereas the opposite is true of MacOSX. I may stand corrected on this...
I guess, there will be some more flaws within that operating system.
Yes, as there are in Windows (several root-level RPC flaws discovered in several weeks). So the point is, knowing the probability of such flaws, how do we proactively minimise the risk? Layer 3/4 packet filtering goes some way towards this.
By the way, when having physical access to an Apple running MacOS X everything's so easy. All you need is inserting the MacOS X setup CD and welcome to wonderland. Even booting into single-user mode if helpful much often. Thanks to Apple.
There are so many tools out there that can reset the Administrator account with console access to Windows that _no_ Windows machine is safe if it is not physically secure. For anyone interested, it is quite simple to prevent access to the MacOSX file system through alternate boot disk or single user mode boot without a firmware password - something similar to the BIOS password on a WinTel (a little more user friendly, however). Sure, MacOSX security is not perfect, but on the security<->functionality scale it certainly sits closer to the 'security' end... whether this is at the expense of functionality is a subjective judgement, I guess. ------------------------------------------------------------------------ --- Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm ----------------------------------------------------------------------------
Current thread:
- Re: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start Damon McMahon (Sep 17)
- Re: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start Jimi Thompson (Sep 19)
- Re: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start Ansgar -59cobalt- Wiechers (Sep 22)
- Re: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start Jimi Thompson (Sep 29)
- Re: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start Ansgar -59cobalt- Wiechers (Sep 22)
- RE: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start Zachary Mutrux (Sep 22)
- RE: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start Zachary Mutrux (Sep 22)
- Re: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start Robert Reidenbach (Sep 23)
- <Possible follow-ups>
- RE: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start Nero, Nick (Sep 17)
- RE: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start Depp, Dennis M. (Sep 19)
- Re: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start Jimi Thompson (Sep 19)