Security Basics mailing list archives

RE: Windows Server 2003 - Not secure from my test but OSX from Mac is secure from the start


From: "Nero, Nick" <Nick.Nero () disney com>
Date: Wed, 17 Sep 2003 16:32:10 -0400

About your point on resetting the local admin password... Try
Syskey.  When enabled in mode 3 you can store the system encryption key
on a removable floppy (or even a USB Jumpdrive mounted to A:).  This
means that without this device/disk on bootup, there is NO chance of
decrypting/resetting the admin password without a lengthy brute force
attack - I believe it uses RC4 at 128bit and the password is a minimum
of 15 characters with the UTF-8 character set.  This should make for
something like a 1 year cpu time brute force attack.  Furthermore, the
local data can be secured with Encrypting File System which on XP SP1
and Win2k3 is 256bit AES.  When coupled with roaming profiles (for the
EFS cert storage), this means that a system with Syskey enabled in mode
3 and encrypted data could not be compromised even with an incredible
amount of unrestricted physical access (and remember, if someone has
unrestricted physical access to your box, it ain't your box anymore);
their only option is an equally incredible length of time and cpu cycles
dedicated to a brute force attack of either the SAM database or the
encrypted file system.

Sadly most Windows admins are not fully aware of all the security tools
at their disposal and therefore dismiss the security of the platform.

Check out this page:
http://www.infosecwriters.com/projects/osscan/results.php  Although it
doesn't show OSX, it does show that based on a default install Win2k3
stands up extremely well to the Solaris's and other OS's.  

I have to agree with the previous statement that judging a default
install is pretty stupid.  Although, I am pretty sure that a huge
portion of MS's security woes are that the average Joe installs a box
and then just lets it go, no box that has any real exposure to anyone
should be left at default.  It is an interesting argument, but I think
it is semantics.

Nick Nero
CISSP
The Walt Disney Company

-----Original Message-----
From: Damon McMahon [mailto:inst_karma () hotmail com] 
Sent: Tuesday, September 16, 2003 6:51 PM
To: security-basics () securityfocus com
Subject: Re: Windows Server 2003 - Not secure from my test but OSX from
Mac is secure from the start

I think you miss the point, somewhat.

Not wanting to turn this into a flame war [feel free to reject,
moderator :)]:

On Monday, Sep 15, 2003, Sebastian Schneider <ses () straightliners de>
wrote:

> Secure and security are completely different things. As far as I
> remember, there are several flaws in the software shipped with MacOS
> X. I guess you might remember the last three security updates. If not
> try running the Software Update panel.

Nowhere near the number of Windows 2000/XP/Server 2003.

> The concealment of ports is not really meaningful, since security is
> more than about if port scans succeed or fail.

I disagree. Concealment of (i.e. packet filtering based on) ports is an
effective way of prohibiting - or at least restricting - remote access
to vulnerable applications. If Windows hosts concealed ports 135 and
445 the Blaster worm would have been a blip on the radar.

Sure, layer 3/4 packet filtering is not the be-all-and-end-all, but the
comparison of netstat/nmap/etc output on a MacOSX host compared with a
Windows 2000/XP host is telling [I haven't seen it on a Server 2003
host, but I'm led to believe it's almost as bad].

I also believe that the Internet Connection Firewall on Windows
XP/Server 2003 is _off_ by default, whereas the opposite is true of
MacOSX. I may stand corrected on this...

> I guess, there will be some more flaws within that operating system.

Yes, as there are in Windows (several root-level RPC flaws discovered in
several weeks). So the point is, knowing the probability of such flaws,
how do we proactively minimise the risk? Layer 3/4 packet filtering goes
some way towards this.

> By the way, when having physical access to an Apple running MacOS X
> everything's so easy. All you need is inserting the MacOS X setup CD
> and welcome to wonderland. Even booting into single-user mode is
> helpful much often. Thanks to Apple.

There are so many tools out there that can reset the Administrator
account with console access to Windows that _no_ Windows machine is safe
if it is not physically secure.

For anyone interested, it is quite simple to prevent access to the
MacOSX file system through alternate boot disk or single user mode boot
without a firmware password - something similar to the BIOS password on
a WinTel (a little more user friendly, however).

Sure, MacOSX security is not perfect, but on the
security<->functionality scale it certainly sits closer to the
'security' end... whether this is at the expense of functionality is a
subjective judgement, I guess.


