
SECURE WORLD-Know your threats

Know your threats
IIS and WINDOWS built-in Accounts and Default privileges

From a security standpoint I thought it would be useful to know the IIS and built-in Windows accounts and their default privileges. I looked around, and here are my findings: a short definition of each account, followed by a table of their default privileges.

Changing the identity of a worker process so that it runs as an account with a high level of access, such as the LocalSystem account, is a high risk: any code that runs inside that worker process, including code reached through a compromised web application, runs with that same access.

IIS uses around seven built-in Windows accounts and groups, as well as accounts that are specific to IIS 5.0 and IIS 6.0.

IIS 7.0 adds a couple of new accounts and gets rid of some. The new built-in IUSR account replaces the IUSR_MachineName account, and the IIS_IUSRS built-in group replaces the IIS_WPG group.

Local System. Full permissions; its access token includes the Administrators group. If a worker process identity runs as the LocalSystem account, that worker process has full access to the entire system. When IIS 6.0 is running in IIS 5.0 isolation mode, this is the default account for worker process identities. Running an application pool under an account with such elevated rights presents a high security risk.

Network Service. By default, application pools run under the Network Service account, which has low-level user rights, so it provides better protection against attackers or malicious users who try to take over the computer on which the WWW service is running. (From IIS 7.5 onward the default is the per-pool virtual account ApplicationPoolIdentity, which has fewer rights still.)

Local Service. The Local Service account also has low-level access rights, and is useful for application pools that do not need access to resources on remote computers: unlike Network Service, it presents only anonymous credentials on the network.

IIS_WPG. This user group is new in IIS 6.0. It provides the minimum set of privileges and permissions required to start and run a worker process on a Web server.

IUSR_ComputerName. Anonymous access, the most common Web site access control method, allows anyone to visit the public areas of your Web sites. In IIS 6.0, anonymous users are assigned to the IUSR_ComputerName account, which is created when IIS is installed.

IWAM_ComputerName. This account is used for starting out-of-process applications in IIS 5.0 isolation mode.

ASPNET. This account is used for running the ASP.NET worker process (aspnet_wp.exe) in IIS 5.0 isolation mode.
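As an added example (not code from the original post), here is a check that flags application pools whose worker process would run as LocalSystem. It reads an <applicationPools> section in the same shape as applicationHost.config (on a real IIS 7.x server that file lives under %windir%\System32\inetsrv\config). The configuration below is constructed for illustration, the pool names and the CONTOSO\svc_reports account are made up, and the product default identity is passed in as a parameter because it differs between IIS 7.0 (NetworkService) and IIS 7.5 (ApplicationPoolIdentity).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of applicationHost.config
# (%windir%\System32\inetsrv\config\applicationHost.config on a real server).
# Pool names and the CONTOSO\svc_reports account are made up.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="LegacyAppPool" managedRuntimeVersion="v2.0">
        <processModel identityType="LocalSystem" />
      </add>
      <add name="ReportingPool">
        <processModel identityType="SpecificUser" userName="CONTOSO\\svc_reports" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="NetworkService" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""

# Built-in identities ranked by risk. LocalSystem has full control of the
# host, so a worker process running under it is the case to flag.
RISK = {
    "ApplicationPoolIdentity": "low",
    "NetworkService": "low",
    "LocalService": "low",
    "SpecificUser": "review",   # depends on the rights granted to that account
    "LocalSystem": "high",
}


def pool_identities(config_xml, builtin_default="NetworkService"):
    """Return {pool name: identityType}, resolving inherited values.

    Resolution order follows IIS: an explicit <processModel> on the pool,
    then <applicationPoolDefaults>, then the product default (NetworkService
    on IIS 7.0, ApplicationPoolIdentity from IIS 7.5; pass it as
    builtin_default).
    """
    root = ET.fromstring(config_xml)
    pools = root.find("./system.applicationHost/applicationPools")
    default = builtin_default
    defaults_pm = pools.find("./applicationPoolDefaults/processModel")
    if defaults_pm is not None:
        default = defaults_pm.get("identityType", default)
    identities = {}
    for pool in pools.findall("add"):
        pm = pool.find("processModel")
        identity = pm.get("identityType", default) if pm is not None else default
        identities[pool.get("name")] = identity
    return identities


def high_risk_pools(config_xml, builtin_default="NetworkService"):
    """Names of pools whose worker process would run as LocalSystem."""
    return sorted(name for name, identity in
                  pool_identities(config_xml, builtin_default).items()
                  if RISK.get(identity) == "high")


def hardened(config_xml, replacement="NetworkService"):
    """Return the configuration with every LocalSystem identity rewritten.

    NetworkService is the low-privilege built-in default; a dedicated
    account with only the rights the application needs is better still.
    """
    root = ET.fromstring(config_xml)
    for pm in root.iter("processModel"):
        if pm.get("identityType") == "LocalSystem":
            pm.set("identityType", replacement)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, identity in pool_identities(SAMPLE_CONFIG).items():
        print(f"{name:15} {identity:16} risk={RISK.get(identity, 'unknown')}")
    print("flagged:", high_risk_pools(SAMPLE_CONFIG))
    print("after hardening:", high_risk_pools(hardened(SAMPLE_CONFIG)))
```

Run as a script it prints each pool's resolved identity and the flagged pool; hardened() returns the corrected configuration with the LocalSystem pool moved to NetworkService, which is the weak setting beside its fixed form.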

Fig 1. IIS built-in accounts and their default privileges (image)

Good articles on Passwords

While browsing through TechNet I came across a few good articles related to passwords by Jesper Johansson.

Worth reading at least once.

1.    Frequently Asked Questions about Passwords and Password Attacks

http://technet.microsoft.com/en-us/library/cc512606.aspx

2.    The Great Debates: Pass Phrases vs. Passwords series

http://technet.microsoft.com/en-us/library/cc512613.aspx

 

All about PASSWORDS

In the last blog entry I discussed the 70-day password policy. In this entry I will try to cover all about passwords: characteristics of passwords, a strong password policy, a list of don'ts, etc.

Passwords are an important aspect of computer security. Implementing secure passwords is an important component of securing the enterprise from unauthorized access. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Company Name's entire corporate network.

As the complexity of computing in the 21st century increases, the need for advanced security measures is on everyone's mind. But not all security measures require an advanced degree in security to implement. An often ignored step that everyone can take to significantly reduce the risk of identity theft and stolen data is the use of strong passwords. A breach of one person's computer puts every other computer on our network at risk.

 

Poor, weak passwords have the following characteristics:

• The password contains fewer than 8 characters.

• The password is a word found in a dictionary (English or foreign).

• The password is a common-usage word such as:

  o Names of family, pets, friends, co-workers, fantasy characters, etc.

  o Computer terms and names, commands, sites, companies, hardware, software.

  o The words "Company Name", "Microsoft", "microsoft123" or any derivation.

  o Birthdays and other personal information such as addresses and phone numbers.

  o Word or number patterns like aaabbb, asdflkj, abcdefg, 123321, etc.

  o Any of the above spelled backwards.

  o Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

• The password contains a recognizable part of the user name (e.g., user name ABC, password ABC@1234).

• The password has repeating characters, like "MS1111", "DELL2222", "a110011", etc.

• The password matches a portion of the user's full name.

 

 

Strong passwords have the following characteristics:

·         Passwords must be at least 8 characters long and contain all of the following:

o   Letters: upper and lower case (A,B,C,...Z; a,b,c,...z)

o   Digits: (0,1,2,3,...9)

o   Punctuation marks or symbols such as #, !, %, etc., interspersed through the password

·         Use a passphrase ("My password is Strong enough for 1 year" = "MpiSef1y").

·         Are not a word in any language, slang, dialect, jargon, etc.

·         Are not based on personal information, names of family, etc.

·         Passwords should never be written down or stored on-line.

Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "My password is Strong enough for 1 year", and the password could be "MpiSef1y", "MpiSef1y~" or some other variation.
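The weak and strong characteristics above are easy to turn into a check. The following is an added example, not code from the original post: it derives a password from a passphrase the way the post describes and reports which weak-password characteristics a candidate exhibits. The wordlist, the user name and the full name are constructed for illustration; a real deployment would load a full dictionary (the post calls for English and foreign words) and the directory's own account data.

```python
import re
import string

# Constructed mini wordlist standing in for a real dictionary (the post asks
# for English and foreign words plus vendor and company names).
DICTIONARY = {"secret", "password", "microsoft", "welcome", "dragon", "summer"}

# Sequences that produce the "asdflkj", "abcdefg", "123321" style patterns.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def passphrase_to_password(phrase):
    """First character of each word: 'My password is Strong enough for 1 year' -> 'MpiSef1y'."""
    return "".join(word[0] for word in phrase.split())


def _has_run(low, min_len=3):
    """True if the password contains a forward or reversed slice of a known sequence."""
    for seq in SEQUENCES:
        for i in range(len(seq) - min_len + 1):
            window = seq[i:i + min_len]
            if window in low or window[::-1] in low:
                return True
    return False


def weaknesses(password, username="", full_name="", company="Company Name"):
    """Return the weak-password characteristics from the post that `password` exhibits."""
    found = []
    low = password.lower()
    if len(password) < 8:
        found.append("shorter than 8 characters")
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if not all(classes):
        found.append("missing a character class (upper, lower, digit, symbol)")
    # Dictionary word, also when spelled backwards or padded with digits (secret1, 1secret).
    if any(w in low or w[::-1] in low for w in DICTIONARY):
        found.append("based on a dictionary word")
    if company and company.lower().replace(" ", "") in low.replace(" ", ""):
        found.append("contains the company name")
    # Any recognizable (3+ character) part of the user name or full name.
    names = [username] + full_name.split()
    if any(len(part) >= 3 and part.lower() in low for part in names):
        found.append("contains part of the user's name")
    # Three of the same character in a row (MS1111) or two doubled runs (a110011).
    if re.search(r"(.)\1\1|(.)\2.*(.)\3", low):
        found.append("repeated characters")
    if _has_run(low):
        found.append("sequential or keyboard pattern")
    return found


def is_strong(password, **context):
    """True when none of the weak characteristics apply."""
    return not weaknesses(password, **context)


if __name__ == "__main__":
    derived = passphrase_to_password("My password is Strong enough for 1 year")
    # Constructed user record for the name checks.
    for candidate in (derived, derived + "~", "secret1", "Microsoft123", "ABC@1234", "DELL2222"):
        print(f"{candidate!r:16} {weaknesses(candidate, username='ABC', full_name='Alice B. Carter')}")
```

Note that the post's own example MpiSef1y fails its own strong-password criteria because it contains no symbol; the MpiSef1y~ variant passes.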

 

 

Here is a list of don'ts:

•      Don't reveal a password over the phone to ANYONE.

•      Don't reveal a password to co-workers while on vacation.

•      Don't reveal a password in an email message.

•      Don't talk about a password in front of others.

•      Don't hint at the format of a password (e.g., "my family name").

•      Don't reveal a password on questionnaires or security forms.

•      Don't share a password with family members.

•      Don't transmit user names and passwords together in an unencrypted format.

•      Don't put your passwords in trouble tickets.

•      Don't store passwords in readable form in batch files, automatic log-in scripts, software macros, terminal function keys, on computers without access control, or in other locations where unauthorized persons might discover them.

•      Don't use vendor- or manufacturer-supplied default passwords.

•      Don't use a password that you are using for some other purpose, such as your PIN at the bank or your password to another system.

 

Useful tips

·       All accounts (including service accounts, IIS anonymous user accounts and administrator accounts) must be configured to require password changes at least once every 70 days.

·       Passwords must be significantly different from prior passwords. Users must not use "recurring" passwords, i.e., passwords that contain the same basic content as previous passwords with only a part of the content changed, such as pwd1 = ABC@12, pwd2 = ABC@123, pwd3 = ABC@1234, etc.

·       Passwords must be promptly changed if they are suspected of being known by unauthorized individuals.

·       Group policies that enforce password complexity requirements and password history (remember the last 24 passwords) must be enabled for all accounts.

 

 

Why do IT departments in most organizations mandate a password renewal policy every X days? Or, why is a password policy in place at all?

What makes it worth adding to the policy: to make it hard for a malicious user to discover a password. In today's world of fast computing, passwords are more susceptible to brute-force guessing than ever.

Here is the story behind it. Let's discuss three scenarios.

 

Case      Password length   Characters allowed                                          # of days
Case 1    6                 94 (upper and lower case chars, numbers & special chars)    70
Case 2    8                 94 (upper and lower case chars, numbers & special chars)    70
Case 3    8                 62 (alphanumeric)                                           70

 

Case # 1

When you enforce password complexity with a password length of 6 and set the password to expire in 70 days, the user can pick each character from:

1.     26 lowercase characters

2.     26 uppercase characters

3.     32 special characters

4.     10 numbers

This means that:

·         26 + 26 + 32 + 10 = 94 possible characters at each position of the password

·         Password length policy = 6

·         94^6 = 689,869,781,056 unique passwords

·         70-day password expiry policy

·         689,869,781,056 divided by (70 days × 24 hours × 60 min × 60 sec = 6,048,000 seconds) = 114,066

·         So an attacker needs about 114,066 attempts/second to try every possible password before it EXPIRES (on average the right one turns up after half the space, so roughly 57,000 attempts/second are enough in the expected case).

The required rate for other expiry periods:

·  133,077 attempts/second = 60-day password expiry

·  114,066 attempts/second = 70-day password expiry

·  99,808 attempts/second = 80-day password expiry

·  88,718 attempts/second = 90-day password expiry

·  79,846 attempts/second = 100-day password expiry

Case # 2

With the same 94-character set but a password length of 8, this means that:

·         26 + 26 + 32 + 10 = 94 possible characters at each position of the password

·         Password length policy = 8

·         94^8 = 6,095,689,385,410,816 unique passwords

·         70-day password expiry policy

·         6,095,689,385,410,816 divided by (70 days × 24 hours × 60 min × 60 sec = 6,048,000 seconds) ≈ 1,007,885,149, about 1 billion

·         So an attacker needs about 1 billion attempts/second to try every possible password before it EXPIRES.

The required rate for other expiry periods:

·  1,175,866,007 attempts/second = 60-day password expiry

·  1,007,885,149 attempts/second = 70-day password expiry

·  881,899,505 attempts/second = 80-day password expiry

·  783,910,671 attempts/second = 90-day password expiry

·  705,519,604 attempts/second = 100-day password expiry

 

 

Case # 3

With a password length of 8 but only alphanumeric characters allowed, this means that:

·         26 + 26 + 10 = 62 possible characters at each position of the password

·         Password length policy = 8

·         62^8 = 218,340,105,584,896 unique passwords

·         70-day password expiry policy

·         218,340,105,584,896 divided by (70 days × 24 hours × 60 min × 60 sec = 6,048,000 seconds) = 36,101,208

·         So an attacker needs about 36,101,208 attempts/second to try every possible password before it EXPIRES.

The required rate for other expiry periods:

·  42,118,076 attempts/second = 60-day password expiry

·  36,101,208 attempts/second = 70-day password expiry

·  31,588,557 attempts/second = 80-day password expiry

·  28,078,717 attempts/second = 90-day password expiry

·  25,270,846 attempts/second = 100-day password expiry
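The three cases above, carried through in code as an added example that is not part of the original post: it reproduces the post's figures for any alphabet size, length and expiry window, and adds the two quantities the numbers invite you to compare, namely how much an extra character costs the attacker versus how much a longer expiry saves them. The 1e9 guesses/second used in the script section is an assumed offline-cracking rate chosen for illustration, not a measured benchmark.

```python
SECONDS_PER_DAY = 24 * 60 * 60


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def required_rate(alphabet_size, length, expiry_days):
    """Guesses per second needed to try every password before it expires."""
    return keyspace(alphabet_size, length) / (expiry_days * SECONDS_PER_DAY)


def expected_rate(alphabet_size, length, expiry_days):
    """Guesses per second needed to find the password on average.

    An attacker enumerating the space finds the password after half of it
    on average, so the expected-case requirement is half the exhaustive one.
    """
    return required_rate(alphabet_size, length, expiry_days) / 2


def days_to_exhaust(alphabet_size, length, guesses_per_second):
    """Days an attacker with a fixed offline rate needs for the whole space."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_DAY


def expiry_table(alphabet_size, length, days=(60, 70, 80, 90, 100)):
    """{expiry days: required guesses/second}, like the lists in the post."""
    return {d: round(required_rate(alphabet_size, length, d)) for d in days}


def length_vs_expiry(alphabet_size, length, days_from, days_to, extra_chars):
    """Compare two hardening options: extend the expiry, or add characters.

    Returns (factor by which the longer expiry lowers the required rate,
             factor by which the extra characters raise it).
    """
    expiry_gain = days_to / days_from
    length_gain = alphabet_size ** extra_chars
    return expiry_gain, length_gain


if __name__ == "__main__":
    cases = [("Case 1", 94, 6), ("Case 2", 94, 8), ("Case 3", 62, 8)]
    for name, n, length in cases:
        print(f"{name}: {n}^{length} = {keyspace(n, length):,} passwords")
        for d, r in expiry_table(n, length).items():
            print(f"  {r:>16,} attempts/second = {d}-day expiry "
                  f"(expected case {round(expected_rate(n, length, d)):,})")
    assumed_rate = 1e9   # assumed offline cracking rate, for illustration only
    for name, n, length in cases:
        print(f"{name}: {days_to_exhaust(n, length, assumed_rate):,.2f} days "
              f"to exhaust at {assumed_rate:.0e} guesses/second")
    expiry_gain, length_gain = length_vs_expiry(94, 6, 60, 100, 2)
    print(f"60->100 day expiry lowers the required rate by x{expiry_gain:.2f}; "
          f"two extra characters raise it by x{length_gain}")
```

The last line is the practical takeaway: the expiry window only changes the required rate linearly, while each added character multiplies it by the alphabet size.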

 

Note: account lockout policy is always there to save us, but only against online guessing at the live logon service. It does nothing against an attacker who has already obtained the password hashes and cracks them offline, where the attempt rate is limited only by the attacker's hardware. The figures above also show what actually buys protection: adding two characters multiplies the attacker's work by 94^2 = 8,836, while stretching the expiry from 60 to 100 days lowers the required rate by less than a factor of two.

 

Finally ...@ http://blogs.msdn.com/mahavir

Protect the Confidentiality, Integrity, and Availability of information and information systems. Advise on and engineer secure solutions for business opportunities. Learn and experience, mentor and share.

These three words are part of my daily calendar. By now you understand what my profession is: I am a Security Engineer.

A little about myself... My name is Mahavir Sancheti, working for the ACE Team. I joined Microsoft a year back.

I have seven years of overall IT experience with Fortune 100 companies, including five-plus years of experience in application security: in-depth knowledge of application security, code reviews, design reviews, deployment reviews, threat modeling, risk assessment, Final Security Reviews, black box testing and privacy reviews.

Now in the OSSC SDL Team, responsible for Final Security Reviews (FSR) in the online space at Microsoft.
