Unhackable: Windows Challenge Network not Penetrated

Windows Security Challenge network 1, hackers 0.

(Seattle, Wash.) After 31 hours and 40,000 attacks, the Windows 2000 network set up and hardened during the MCP TechMentor Summit on Security remained uncompromised. The purpose of the Challenge was to see how secure a Windows network could be made using standard security checklists and best practices, without any special software or steps being taken. Judging by the results, it can be done -- and done well.

Mark Burnett, who monitored the network with the intrusion detection tool Snort, said that on the second day of the Challenge the attacks got more creative. "Everyone eliminated the more basic stuff and did more interesting stuff," Burnett said. "The big lesson is not what we saw but what we didn't see. The fact for most companies is that most attacks are basic. If you follow basic principles," then your network should be able to turn back the majority of attacks, according to Burnett.

In reality, there was one successful attack, but not through the network. Burnett decided to try gaining physical access to the network, in violation of the stated rules. He said he did it to prove a point. "The fact is you can't set rules for hackers. So I thought I'd try a physical attack although we were told not to. The fact is that if you can get physical access to a server, you can get in. I cheated, I broke the trust," Burnett said.

Burnett filled the security guard full of soda, waited until he had to go to the bathroom, and changed the username and password for the administrator account on a server.

Steve Riley, a Microsoft security expert who configured security for the Exchange server on the Windows Challenge network, said the attack should serve as a warning to companies. "The people with the broadest and most thorough access to your company are the lowest-level employees, the security guards and janitors. It's something you're going to have to think about."

Conference chairperson and Microsoft Certified Professional Magazine Contributing Editor Roberta Bragg echoed those sentiments. "Anyone you trust, you should monitor them, audit them. We have to have that in place."

The Windows Challenge had a Web site open to the Internet, and attacks came from all over the world, from as far away as Asia. In the end, though, no network-borne attack penetrated the network. Several speakers commented that the result points to the human factor as the most important one in proper network security: if the administrator is thorough and diligent, most attacks can be stopped. "It's your admin that gets attacked, not the system, not the application," Burnett said.

SQL expert Ted Malone, who hardened the SQL server for the Challenge, agreed. "You're only as strong as your weakest link," he said.

The MCP TechMentor Summit on Security was a three-day conference focused on Windows security topics.

About the Author

Keith Ward is the editor in chief of Visual Studio Magazine.


Reader Comments:

Mon, Apr 11, 2005 Michael Temecula

i like it

Thu, Nov 27, 2003 smart india

i want to trail for norton antivirus corporate edition

Sat, Jul 27, 2002 Anonymous Anonymous

One person mentioned the scripts being used to make the security settings easier. Are these scripts provided by MS or are they written by the individuals? Because if there are scripts out there that will make it easier for us to tighten a PC up, I would like to get a copy of those.

Thu, Jul 25, 2002 Scott Morris Lexington, KY

The focus of the conference was not to prove how cool the PIX was ('cause it is cool), nor to prove how good I am at configuring and monitoring the firewall ('cause I'm cool too (smirk)).
With that in mind, I deliberately set out to be as "open" as possible, allowing many ports that were necessary, but not doing any of that "fancy PIX stuff" beyond the normal.
We wanted to be generic from that sense to emulate what could be ANY firewall in the real world. Even your cheapest firewall would end up being access-lists on an external/perimeter router. Basic port-based stuff was all we went for.
The web server had port 80 open. That's all it needed, and all that any typical web server needs. The ISA server on the other hand, needed more. Port 25 was open for e-mail, port 80 for web, a few other random ports as well. But most interesting for the ISA server was our "business decision" (much against my liking) to open up the Exchange server for RPC calls. This meant that on the firewall, in order to let MS's version of RPC work I had to permit EVERYTHING above port 1024 for TCP.
Now, that also means that all the stuff the ISA server had to deal with was pretty significant as well.
Logs that you will end up seeing were taken by a few devices. In addition to the SNORT box set up, we also had logs from the PIX (things blocked) and from a Cisco IDS sensor that I brought along for amusement.
In the real world, we would have used these logs to not only monitor our system, but perhaps modify our policy and business plans to secure things where they made the most sense.

So the question of how many attacks made it past the PIX? All of them that were targeting the services we had advertised as available. The PIX was an initial filter and that's all.

I could very well have solved almost everything on the PIX, but that wouldn't really prove anything now would it? (Other than the fact that the PIX is cool and so am I) ;)

Oh yeah, I'm modest too, but that's a different story.

Anyway, it was a fair approach, a very realistic approach in the most generic sense possible to accommodate the "typical" network.

I think the CD will be a worthwhile catch for anyone who's interested in it.

Wed, Jul 24, 2002 Jerry Mercks, MCSE Huntsville, AL

What I want to know is how many attacks actually got past the PIX. In other words did you prove MS software can be hardened or did you prove MS software can be secured behind a PIX.
While it is true most companies use some form of hardware firewall, the reason for that is because the servers alone were too easy to hack.
Without knowing how many were actually deterred by the server I cannot agree the test is valid, except to prove a PIX works.
Do it without a firewall then I may believe the results have a degree of validity.
At the very least, tell us how many got past the PIX.
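Added example (PowerShell), not code from the article, the Challenge team or any commenter: it takes the PIX policy Scott describes in his comment above (web server TCP/80 only; ISA server TCP/25, TCP/80 and every TCP port above 1024 for Exchange RPC) and scores Snort "fast" alert lines against it, which is the measurement Jerry asks for here: of the alerts Snort raised, which were aimed at a port the PIX forwarded, so the server itself had to withstand them, and which never got past the access list. Host addresses, signature IDs, alert messages and the alert lines are constructed for this example. The ISA server's "few other random ports" are not modelled, so the RPC endpoint mapper on TCP/135 shows as dropped here even though a real Exchange RPC deployment must pass it too.

```powershell
# Added example, not the Challenge's own logs or scripts. Everything below the policy
# (addresses, signature IDs, messages, alert lines) is constructed for illustration.

# One rule list per advertised host; From/To are inclusive destination-port ranges.
$policy = @{
    '192.0.2.10' = @(                                                   # IIS web server
        @{ Proto = 'TCP'; From = 80;   To = 80    }
    )
    '192.0.2.20' = @(                                                   # ISA server
        @{ Proto = 'TCP'; From = 25;   To = 25    },                    # SMTP
        @{ Proto = 'TCP'; From = 80;   To = 80    },                    # HTTP
        @{ Proto = 'TCP'; From = 1025; To = 65535 }                     # Exchange RPC dynamic ports
    )
}

function Test-PixPermits {
    # Port-based check only, exactly as a plain access-list would do it.
    param([string]$DstIp, [string]$Proto, [int]$DstPort)
    if (-not $policy.ContainsKey($DstIp)) { return $false }             # host not advertised at all
    foreach ($rule in $policy[$DstIp]) {
        if ($rule.Proto -eq $Proto -and $DstPort -ge $rule.From -and $DstPort -le $rule.To) {
            return $true
        }
    }
    return $false                                                       # no rule matched (covers UDP and ICMP too)
}

# Snort "fast" alert line, e.g.:
#   07/18-14:02:11.512345  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: ...] [Priority: 1] {TCP} 198.51.100.7:3311 -> 192.0.2.10:80
$alertPattern = '^\S+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?<msg>.+?)\s+\[\*\*\].*\{(?<proto>[A-Z]+)\}\s+(?<src>[\d.]+)(?::\d+)?\s+->\s+(?<dst>[\d.]+)(?::(?<dport>\d+))?\s*$'

function Measure-PixExposure {
    # Splits alerts into those the PIX forwarded (the server had to cope) and those it dropped.
    param([string[]]$AlertLines)
    $reached = @{}; $dropped = @{}; $unparsed = 0
    foreach ($line in $AlertLines) {
        if (-not ($line -match $alertPattern)) { $unparsed++; continue }
        $dport = if ($Matches['dport']) { [int]$Matches['dport'] } else { 0 }   # ICMP has no port
        $key   = '{0} <- {1}' -f $Matches['dst'], $Matches['msg']
        if (Test-PixPermits -DstIp $Matches['dst'] -Proto $Matches['proto'] -DstPort $dport) {
            $reached[$key] = 1 + [int]$reached[$key]
        } else {
            $dropped[$key] = 1 + [int]$dropped[$key]
        }
    }
    [pscustomobject]@{ Reached = $reached; Dropped = $dropped; Unparsed = $unparsed }
}

# Constructed alert lines (signature IDs 9001/9002 are invented placeholders).
$sample = @(
    '07/18-14:02:11.512345  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:3311 -> 192.0.2.10:80',
    '07/18-14:02:12.004411  [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:3312 -> 192.0.2.10:80',
    '07/18-14:05:40.220000  [**] [1:615:3] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:41001 -> 192.0.2.10:1080',
    '07/18-14:06:01.000000  [**] [1:2049:1] MS-SQL ping attempt [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.9:1434 -> 192.0.2.20:1434',
    '07/18-14:09:15.733100  [**] [1:1249:1] WEB-FRONTPAGE /_vti_bin/ access [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.7:3320 -> 192.0.2.20:80',
    '07/18-14:10:02.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.20',
    '07/18-14:11:44.120000  [**] [1:9001:1] RPC endpoint mapper bind [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:4501 -> 192.0.2.20:135',
    '07/18-14:12:30.000000  [**] [1:9002:1] DCERPC request to high port [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:4502 -> 192.0.2.20:3892'
)

$r = Measure-PixExposure -AlertLines $sample
'Reached a server (permitted by the PIX):'
$r.Reached.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object { '  {0,4}  {1}' -f $_.Value, $_.Key }
'Dropped at the PIX:'
$r.Dropped.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object { '  {0,4}  {1}' -f $_.Value, $_.Key }
"Unparsed lines: $($r.Unparsed)"
```

Two things this shows that the raw count of 40,000 does not. First, the split answers "how many got past the PIX" per destination and per signature rather than in aggregate, which is what you would feed back into the policy the way Scott describes. Second, the "permit everything above 1024" rule for Exchange RPC means an alert against an arbitrary high port on the ISA box (the last constructed line) lands in the "reached" bucket: the business decision to expose RPC widened the attack surface that ISA and the Exchange server themselves had to absorb. The classification is by port only, as the access list itself was; it says whether a packet reached a listener, not whether the attempt behind it had any chance of working.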

Wed, Jul 24, 2002 David Perdue Great Falls, MT

How about a copy of the checklist/procedures that they used to secure the network?

Mon, Jul 22, 2002 Chad Paquette Minneapolis, MN

I believe that the timeframe for the attempted hack was a little on the short-side. However I believe that the ultimate focus of this test was to demonstrate how easy it is to harden the security settings within the W2K Server O/S.
I am a firm believer in one thing, nothing is 100% secure. If someone wants in your "cookie jar" bad enough, there is always a way in. That point was illustrated by the physical attack on security where the security guard was manipulated by the hacker to "tend to nature" and use the restroom.
All of the folks who are "Anti-Microsoft" do however need to revisit the steps Microsoft is taking to enhance their "out-of-the-box" security settings, and see it as a proactive step in the right direction.

Sun, Jul 21, 2002 Anonymous Anonymous

Wow. Now all that Microsoft has to do is to tighten up the "out of the box" configuration

Sat, Jul 20, 2002 Laura Robinson Pennsylvania

As one of the "six experts" who participated in the Security Challenge, I would like to clarify a couple of the things I've seen in the responses here.

It does not take an "expert" to harden a Microsoft-based environment, which was actually one of the points of the challenge. The basis for the hardening of this network was primarily the Microsoft Security Operations Guide and (again), publicly available checklists and guides published by Microsoft. The reason that we presenters were there was to explain to the attendees what the various settings in the guides *do*, and why one would implement those settings. We were also there to discuss additional subjects such as how one would actually go about monitoring and auditing a network to watch for intrusions, how to develop [written] security policies, how to develop SQL databases with an eye towards security, how to keep up-to-date on patches, and other topics related to *methodology* as opposed to details.

Our role at the summit was to show people *what to look for* and how to "think like a hacker", if you will. As part of that, we simply implemented the settings published by Microsoft. We specifically did not use settings that we had devised because our goal was to show people that you *don't* have to be an "expert" to harden your environment.

As an example, the hardening of the domain, domain controllers and member servers for the challenge took less than five minutes to actually implement. I used the templates provided by the Microsoft SOG and rolled them out via Group Policy. The *only* setting that we then implemented within the domain settings beyond what was in the SOG was as follows:

For the built-in Administrator account in the domain, we set a password of about a hundred characters. Because it wasn't even possible for the two of us who did this to *remember* that password, we stored it on removable media that was physically removed from the staging area. We created a duplicate of the built-in domain Administrator account, gave it an innocuous name and description, and set it so that it could only be logged on via smart card, and only at a workstation in the domain. The accounts that were used to manage the IIS box, SQL server and member servers were not administrative accounts, and didn't have significant rights and permissions beyond what were needed to perform the specific tasks related to their own servers.

That's it. The other presenters gave sessions on how their servers were hardened (primarily, again, via the settings in the SOG), and implemented those settings.

The reason that aside from the PIX box, AV software and Snort, only Microsoft products were used, was to show people that yes, it is possible to harden a Microsoft-based network without a plethora of other software and hardware. In preparing for the summit, all of us had numerous ideas for other things we thought would be fun to throw into the mix, but that wasn't the goal of this summit.

As an aside, the people who were tasked with "hardening" the ISA box discussed the fact that aside from patching the underlying OS, there was nothing that actually needed to be done to "harden" it. The product does work. The reason the PIX box was implemented was that it is common in networks to utilize an external, packet-filtering firewall, and an internal, application firewall from a different vendor and of a different type because this provides better performance and another "speed bump" for an attacker. Could we have set up the challenge without the PIX box? Absolutely. However, again, the goal was to set up a microcosmic environment that was relatively representative of what is "out there" today.

We all would have liked to have left the network up and running for much longer than it was, but given the fact that the goal of the summit was to first show people how to harden the network, then open it up to the world, and then analyze the results, we simply couldn't do it with the time constraints we had. What I *can* tell you is that there were some very skilled hackers attacking that network from the outside world. It wasn't just script kiddies out there. How do I know this? Because I was in contact with some of them. We didn't exchange specifics about the network or what they'd tried, but they did report back with their impressions (which were good).

Last, I want to mention one thing regarding Mark's physical compromise of the network. The account on which Mark reset the password was the local Administrator account on the IIS box, and the IIS box wasn't even a member of the domain we'd built. That account was useless on any other machine in the network. This is not to say that his compromise was meaningless, because as we repeatedly said to the attendees, physical access to your machines means you've lost your security. Should somebody be able to physically access a machine on your network, s/he need only walk off with the hard drive and you've now suffered a denial
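Added example (PowerShell), not the Challenge team's own scripts: the three domain-account steps Laura lists above, done with the ActiveDirectory module on a current domain. Assumptions made here and not in her comment: the script runs as a Domain Admin on a machine with RSAT installed; E: is the removable drive the password goes to; the decoy account name 'svc-spool', its description, the workstation ADMIN-WS01 and the operator account 'iis-ops' are invented.

```powershell
# Added example, not the Challenge's own hardening scripts. Assumed: run as Domain Admin with RSAT,
# E: is removable media, names 'svc-spool', 'ADMIN-WS01' and 'iis-ops' are placeholders.
Import-Module ActiveDirectory

function New-RandomPassword {
    # Cryptographic RNG with rejection sampling, so no character is favoured by modulo bias.
    param([int]$Length = 100)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&()*+,-./:;<=>?@[]^_{|}~'
    $limit = 256 - (256 % $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

# Step 1: the built-in Administrator (always RID 500, whatever it has been renamed to) gets a ~100-character
# password that nobody memorises. It is written to removable media which then leaves the room.
$domainSid = (Get-ADDomain).DomainSID.Value
$builtin   = Get-ADUser -Identity "$domainSid-500"
$longPw    = New-RandomPassword -Length 100
Set-ADAccountPassword -Identity $builtin -Reset -NewPassword (ConvertTo-SecureString $longPw -AsPlainText -Force)
Set-Content -Path 'E:\builtin-administrator.txt' -Value $longPw -Encoding ascii
Remove-Variable longPw

# Step 2: a duplicate administrative account with an innocuous name and description, usable only
# with a smart card and only from one designated workstation.
$decoy = New-ADUser -Name 'svc-spool' -SamAccountName 'svc-spool' -Description 'Print spooler service account' `
    -AccountPassword (ConvertTo-SecureString (New-RandomPassword -Length 32) -AsPlainText -Force) `
    -Enabled $true -SmartcardLogonRequired $true -LogonWorkstations 'ADMIN-WS01' -PassThru
# Copy the built-in account's group memberships; RID 513 (Domain Users) is the primary group and already present.
Get-ADPrincipalGroupMembership -Identity $builtin |
    Where-Object { $_.SID.Value -ne "$domainSid-513" } |
    ForEach-Object { Add-ADGroupMember -Identity $_ -Members $decoy }

# Step 3: the account that manages a single server is an ordinary domain user. Its rights are granted
# on that server alone (its local Administrators group, or Restricted Groups in that server's GPO);
# it is never added to Domain Admins.
$iisOps = New-ADUser -Name 'iis-ops' -SamAccountName 'iis-ops' -Description 'IIS operator' -Enabled $true `
    -AccountPassword (ConvertTo-SecureString (New-RandomPassword -Length 24) -AsPlainText -Force) -PassThru

function Get-AdminHardeningState {
    # Verification: confirm the decoy really is smart-card-only, workstation-restricted and in the admin groups.
    param([string]$SamAccountName)
    Get-ADUser -Identity $SamAccountName -Properties SmartcardLogonRequired, LogonWorkstations, MemberOf |
        Select-Object SamAccountName, SmartcardLogonRequired, LogonWorkstations,
            @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ' } }
}

Get-AdminHardeningState -SamAccountName 'svc-spool'
```

Why the hundred characters matter, beyond being unguessable: the built-in Administrator is not subject to the account lockout policy, so password length is the only brute-force defence it has, and a password longer than 14 characters also means no LM hash is stored for it, which on Windows 2000 is otherwise kept by default. Giving the decoy an innocuous name does not hide the real account, since RID 500 can be enumerated no matter what it is called; the point is that the account people actually log on with is the one that needs a smart card and a specific workstation. On a Windows 2000 domain of the Challenge's vintage the ActiveDirectory module does not exist, but every setting above is on the user's Account tab in Active Directory Users and Computers ("Smart card is required for interactive logon" and "Log On To...").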

Sat, Jul 20, 2002 Randy Grein Belllevue, WA

Huh. Marketing security at its finest. 31 hours is hardly what I'd call a test; nor are 40,000 'attempts' proof. Every other test of this nature I've seen leaves the server up for at least a week. Leave the darn thing up for a few weeks and see how 'unhackable' it is.

At least they showed how easy it is to get past physical security.

Fri, Jul 19, 2002 Rob NYC

"Standard security checklists and best practices" go a very long way indeed. I manage 80 IIS servers on the public internet, and have no problems keeping them secure. Lockdown for a server can be almost entirely automated with scripts and templates. This article demonstrates what I have always believed, that it's the admin being hacked, not the platform.

I also use snort as an IDS, running mysql for the DB. On Windows 2000 servers, no less. ;)

Fri, Jul 19, 2002 Anonymous Anonymous

what an asshat. windows is easy to secure and doesn't take long if automated. i've got your unhackable system right here buddy.

Thu, Jul 18, 2002 ahkruchas Anonymous

Very Impressive! Six experts watching over one box for 31 hours, behind a hardware firewall. And can a physical attack not be considered valid? The article said they were running Snort, how much other third party (and Open Source) software was used on the system?
Microsoft has always claimed a lower TCO because you don't have to keep highly trained Unix people on staff to maintain a secure system, they recently recanted that statement and this demonstration only proves that if you bring in enough hired guns you can hold the bad guys out for a while.
If you want a real test, send a real admin with a real system using ISA as the only firewall to, say, DefCON for a week and then tell us it is "unhackable".

Thu, Jul 18, 2002 Ms. Geek Paranoia City, CA

The next server OS from MS will have all those settings turned off? Well they should! They absolutely should NOT install unnecessary services by default, and they absolutely should not give the Everyone group Full Control over everything! This has been a weakness of the Microsoft approach for way too long. Although UNIX-like operating systems are also guilty of the same, it took the Linux distributions a lot of embarrassing r00tings before they got religion and stopped installing things like telnetd by default. You don't want someone without clue running a network. This is the approach Microsoft should have taken from day one.

Thu, Jul 18, 2002 Ryan Orlando, FL

The next server OS from Microsoft will have all of those settings turned off by default. The burden will shift from locking down your server, to explicitly allowing your users access. Although this is a good shift, it will require admins to be much more knowledgeable to successfully run their network and user apps.

Thu, Jul 18, 2002 P. J. Belmore Anonymous

To say that all you have to do is spend hours (applying service packs, hot fixes, security patches, etc.) to stop, shut down and disable a million unused / unneeded / unwanted / installed-by-default / EVERYONE FULL CONTROL PERMISSIONS... (list could go on but you get the point) that cause a lot of these breaches, and that they are the fault of a network admin? I say BU||$hit... IF Windows did not come straight out of the box with every door open, then a lot of what you are calling BASIC attacks on small networks would not have occurred in the first place. Services should only be installed if needed, not forced upon you.

Thu, Jul 18, 2002 Anonymous Anonymous

Was the network actually accessible and usable from the outside?
As an end user I have found that when there is this level of security on the network then it becomes unusable by the general users.
