Friday, December 06, 2002

Updated Virus Defs, after resetting the Symantec Update Server: How to reset LiveUpdate to use the default Symantec LiveUpdate server. Ran a full system scan.

BUILTIN\Administrators in Sysadmin Role

Issue

Local administrators should not also be database administrators. These roles are very different
and are typically performed by different people.

Solution

Remove BUILTIN\Administrators from the sysadmin role.

Note: There are special circumstances that require Administrators to belong to the
Sysadmin role. These circumstances are outlined in the following Microsoft Knowledge Base
articles:

SQL Server Agent Does Not Start and Displays Error 18456 (Q237604)

How to Prevent Windows NT Administrators from Administering a Clustered SQL Server (Q263712)

IsAlive Check Does Not Run Under the Context of the BUILTIN\Administrators Account (Q291255)

Microsoft Search Service May Cause 100% CPU Usage if BUILTIN\Administrators Login is Removed (Q295034)


Instructions

  1. Click Start, point to Programs, point to Microsoft SQL Server, and then click Enterprise Manager.

  2. In SQL Server Enterprise Manager, double-click SQL Server Group, and then double-click the SQL Server that you want to secure.

  3. Click the Security folder, click Server Roles, and then double-click System Administrators in the right pane.

  4. In the Server Role Properties dialog box, click BUILTIN\Administrators, and then click Remove.

Additional Information

SQL Server 7.0 Security

Microsoft SQL Server 2000 Security

Service Accounts on SQL Server

Issue

All services log on under an account, with some services running as LocalSystem.
This is a potential security vulnerability because a bug in the service code
could be exploited by a malicious user to gain system-level access, which is possible because the
service runs in the context of the local computer. It is recommended that you run
services that do not require full system access under a lesser-privileged account,
and that this account is not a member of the Local Administrators group.

Solution

Ensure that the SQL service accounts are not running as LocalSystem and are not
running under accounts that are members of the Local or Domain Administrators group.
It is recommended that you run these service accounts under a domain user account.
Windows XP introduces two new service accounts: LocalService and
NetworkService. Services running under the LocalService account have minimum
privileges on the local computer, and they present anonymous credentials on the
network. Services running under the NetworkService account have minimum
privileges on the local computer, and they act as the computer on the network. For
more information, see Additional Resources.


Instructions

To ensure that services are not running as Local System Accounts in Windows 2000

  1. Click Start, point to Settings, and then click Control Panel.

  2. Double-click Administrative Tools, and then double-click Computer Management.

  3. Under the Services and Applications node, click Services.

  4. Double-click the service that was flagged in the security report.

  5. In the dialog box that appears, click the Log On tab.

  6. Under Log On As, select the This account radio button and specify a local account under which the service should run.

To ensure that services are not running as Local System Accounts in Windows NT 4.0

  1. Click Start, point to Settings, and then click Control Panel.

  2. Click Services.

  3. Double-click the service that was flagged in the security report.

  4. Under Log On As in the dialog box that appears, select the This account radio button and specify a local account under which the service should run.
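The following T-SQL is an added example, not code from this page or from the Microsoft help text quoted above. It covers both findings (BUILTIN\Administrators in the sysadmin role, and the SQL service accounts) from inside SQL Server 2000: it reads the log-on account of the MSSQLSERVER and SQLServerAgent services from the registry, lists the sysadmin members, and removes BUILTIN\Administrators only when neither service runs as LocalSystem, which is the Q237604 case. It assumes a default instance, a caller who is already a sysadmin, and that the undocumented xp_regread extended procedure is available.

```sql
-- Added example (not from the page or the quoted Microsoft text). SQL Server 2000, default instance.
-- Assumes the caller is a sysadmin and that master.dbo.xp_regread (undocumented) is available.
SET NOCOUNT ON

DECLARE @sqlAcct   nvarchar(255)
DECLARE @agentAcct nvarchar(255)

-- ObjectName under a service's registry key is the account the service logs on as
-- ("LocalSystem" for the Local System account). Arguments: root key, key, value name, output.
EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE',
     'SYSTEM\CurrentControlSet\Services\MSSQLSERVER',   'ObjectName', @sqlAcct   OUTPUT
EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE',
     'SYSTEM\CurrentControlSet\Services\SQLServerAgent', 'ObjectName', @agentAcct OUTPUT

SELECT @sqlAcct AS sql_server_account, @agentAcct AS sql_agent_account

-- Current members of the sysadmin fixed server role (the MBSA "Sysadmin role members" check).
EXEC sp_helpsrvrolemember 'sysadmin'

IF @sqlAcct = N'LocalSystem' OR @agentAcct = N'LocalSystem'
BEGIN
    -- This is the MBSA "Service Accounts" failure. A LocalSystem Agent reaches the engine
    -- only through its BUILTIN\Administrators membership, so dropping the group first stops
    -- the Agent from starting with error 18456 (Q237604). Change the service account first.
    PRINT 'A SQL service runs as LocalSystem; fix the service account before removing BUILTIN\Administrators.'
END
ELSE IF EXISTS (SELECT 1 FROM master.dbo.syslogins
                WHERE name = N'BUILTIN\Administrators' AND sysadmin = 1)
BEGIN
    -- Same effect as Enterprise Manager > Security > Server Roles > System Administrators > Remove.
    EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin'
    PRINT 'BUILTIN\Administrators removed from sysadmin.'
END
ELSE
    PRINT 'BUILTIN\Administrators is not a sysadmin member; nothing to do.'

-- Re-check: the group should no longer be listed.
EXEC sp_helpsrvrolemember 'sysadmin'
```

Run it in Query Analyzer after the service accounts have been changed in Control Panel, and rerun the MBSA scan to confirm both checks clear.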





Additional Resources

SQL Server 7.0 Security

Microsoft SQL Server 2000 Security (http://www.microsoft.com/SQL/techinfo/administration/2000/securityWP.asp)

LocalService Account

NetworkService Account

MS Security Baseline Analyzer Results:

Windows Scan Results Vulnerabilities Check failed (critical) Windows Hotfixes 5 hotfixes are missing or could not be confirmed.
Windows Scan Results Vulnerabilities Check failed (critical) Password Expiration Some user accounts (19 of 31) have non-expiring passwords.
Windows Scan Results Vulnerabilities Check failed (critical) File System All hard drives (6) are using the NTFS file system.
Windows Scan Results Vulnerabilities Check failed (critical) Local Account Password Test Some user accounts (1 of 31) have blank or simple passwords, or could not be analyzed.
Windows Scan Results Vulnerabilities Check failed (critical) Guest Account The Guest account is disabled on this computer.
Windows Scan Results Vulnerabilities Check failed (critical) Autologon Autologon is not configured on this computer.
Windows Scan Results Vulnerabilities Check failed (critical) Restrict Anonymous Computer is running with RestrictAnonymous = 2. This level prevents access to any resources that do not have explicit permissions set for the Anonymous account.
Windows Scan Results Vulnerabilities Check failed (critical) Administrators No more than 2 Administrators were found on this computer.
Windows Scan Results Additional System Information Check failed (critical) Auditing Logon Failure auditing is enabled, however Logon Success auditing should also be enabled.
Windows Scan Results Additional System Information Additional information Shares 8 share(s) are present on your computer.
Windows Scan Results Additional System Information Check failed (critical) Services Some potentially unnecessary services are installed.
Windows Scan Results Additional System Information Additional information Windows Version Computer is running Windows 2000 or greater.
Internet Information Services (IIS) Scan Results Vulnerabilities Check failed (critical) Parent Paths Parent paths are enabled in some web sites and/or virtual directories.
Internet Information Services (IIS) Scan Results Vulnerabilities Check failed (critical) Sample Applications IIS sample applications are not installed.
Internet Information Services (IIS) Scan Results Vulnerabilities Check failed (critical) IIS Admin Virtual Directory IISADMPWD virtual directory is not present.
Internet Information Services (IIS) Scan Results Vulnerabilities Check failed (critical) Msadc and Scripts Virtual Directories The MSADC and Scripts virtual directories are not present under the default web site.
Internet Information Services (IIS) Scan Results Vulnerabilities Check failed (critical) IIS Lockdown Tool The IIS Lockdown tool has been run on the machine.
Internet Information Services (IIS) Scan Results Vulnerabilities Check failed (critical) IIS Hotfixes No missing hotfixes were found.
Internet Information Services (IIS) Scan Results Additional System Information Best practice IIS Logging Enabled Some web or FTP sites are not using the recommended logging options.
Internet Information Services (IIS) Scan Results Additional System Information Best practice Domain Controller Test IIS is not running on a domain controller.
SQL Server Scan Results Vulnerabilities Check failed (critical) Exposed sa Password The 'sa' password may be exposed in clear text.
SQL Server Scan Results Vulnerabilities Check failed (critical) SQL Account Password Test Some SQL user accounts (1 of 5) have blank or simple passwords.
SQL Server Scan Results Vulnerabilities Check failed (critical) SQL Server Security Mode SQL Server authentication mode is set to SQL Server and Windows (Mixed Mode).
SQL Server Scan Results Vulnerabilities Check failed (critical) SQL Server Hotfixes 3 hotfixes could not be confirmed.
SQL Server Scan Results Vulnerabilities Check failed (critical) Sysadmin role members BUILTIN\Administrators group is part of sysadmin role.
SQL Server Scan Results Vulnerabilities Check failed (critical) Sysadmins More than 2 members of sysadmin role are present.
SQL Server Scan Results Vulnerabilities Check failed (critical) Service Accounts SQL Server and/or SQL Server Agent Services accounts are members of the local Administrators group or run as LocalSystem.
SQL Server Scan Results Vulnerabilities Check failed (critical) Domain Controller Test SQL Server is not running on a domain controller.
SQL Server Scan Results Vulnerabilities Check failed (critical) CmdExec role CmdExec is restricted to sysadmin only.
SQL Server Scan Results Vulnerabilities Check failed (critical) Registry Permissions The Everyone group does not have more than Read access to the SQL Server registry keys.
SQL Server Scan Results Vulnerabilities Check failed (critical) Folder Permissions Permissions on the SQL Server installation folders are set properly.
SQL Server Scan Results Vulnerabilities Check failed (critical) Guest Account The Guest account is not enabled in any of the databases.
Desktop Application Scan Results Vulnerabilities Check failed (critical) IE Zones Internet Explorer zones do not have secure settings for some users.
Desktop Application Scan Results Vulnerabilities Check failed (critical) Outlook Zones No Microsoft Office products are installed
Desktop Application Scan Results Vulnerabilities Check failed (critical) Macro Security No Microsoft Office products are installed
I ran Windows Update on Zorak, which required a restart. I successfully installed the critical updates, but did not elect to install the driver update. Then, on to MS Security Baseline Analyzer. I still have to open all the ports to run these two programs.

Thursday, August 15, 2002

I'm at a public terminal at the Kennebunk Library. Problems with the familyaware.org domain. Here's what I sent:


I successfully completed a request with Register.com
to set Hosting.com as the SOA for familyaware.org.
I then sent dns@familyaware.org the following DNS request:

-----Original Message-----
From: Neil Johnson [mailto:neilj@cadent.com]
Sent: Monday, August 12, 2002 12:26 PM
To: dns@hosting.com
Subject: DNS Changes

Hi. We are a colo customer who has recently moved from Verio. We've switched
SOA to your name servers with our registrars for the following domains:

* familyaware.org
* cadent.com
* cadent.net
* theconstant.com

Please make the following updates to the DNS records for each domain (Note:
I'm sure you could have figured out the SOA and NS records, but I just
wanted to confirm that your servers are the authoritative ones). Please set
up these changes to take effect any time after 5:00 PM today. If you have
any questions, please contact me via email.

Thanks,
Neil

Changes:

FamilyAware.org
familyaware.org. SOA auth01.ns.harvard.net auth02.ns.harvard.net
familyaware.org. NS auth01.ns.harvard.net
familyaware.org. NS auth02.ns.harvard.net
familyaware.org. A 64.55.106.132
familyaware.org. MX 20 media3.familyaware.org
familyaware.org. MX 10 mail.familyaware.org
mail A 64.55.106.132
www A 64.55.106.132
media3 A 206.67.52.172
familyaware.org. SOA auth01.ns.harvard.net auth02.ns.harvard.net

Cadent.com
cadent.com. SOA auth01.ns.harvard.net auth02.ns.harvard.net
cadent.com. NS auth01.ns.harvard.net
cadent.com. NS auth02.ns.harvard.net
cadent.com. A 64.55.106.131
cadent.com. MX 10 mail.cadent.com
cadent.com. MX 20 mail2.cadent.com
mail A 64.55.106.131
mail2 A 206.67.52.103
www A 64.55.106.131
cadent.com. SOA auth01.ns.harvard.net auth02.ns.harvard.net

Cadent.net
[remainder of DNS changes cut, 2 of 4]

Thanks again!
Neil Johnson
Cadent Technologies Corp.
(617) 924-9173
www.cadent.com
-----End of Original Message-----

ISSUE :::::::::::::::::::::::
The FamilyAware.org domain does not resolve correctly.
Since the Cadent.com changes do all seem to work, I
conclude that there is a problem with the
FamilyAware.org DNS record on your servers.
For details, see the results of a ping command at the bottom of this message.

RESOLUTION :::::::::::::::::
Please FIX THE PROBLEMS WITH THE FAMILYAWARE.ORG DNS
RECORD as follows:

familyaware.org. A 64.55.106.132

See the original request above for the complete set of
DNS changes you'll need to implement.
Then, contact me via email to describe the steps you
took to fix the problem. Let me know how you tested
your configuration. You can reply to all of the
recipients of this email if you like.

Thanks,
Neil

-----------sample ping commands--------------
C:\>ping media3.familyaware.org
Bad IP address media3.familyaware.org.

C:\>ping www.familyaware.org
Bad IP address www.familyaware.org.

C:\>ping mail.cadent.com
Pinging mail.cadent.com [64.55.106.131] with 32 bytes of data:
Reply from 64.55.106.131: bytes=32 time=70ms TTL=108
-----------end sample ping commands--------------



Let's hope they can fix it!

Friday, August 09, 2002


Zorak Update


11:46 PM 8/8/2002


Patch OS, SQL Server


Via pcAnywhere:

Connect to 64...130


Open TCP/IP Ports




1. Start > Run... > secpol.msc [Run]

2. Select: Security Settings > IP Security Policies on Local Machine
> Secure TCP Server

3. R-click: Un-assign

4. Minimize

Note: could I do this by just opening port 443?




Check Configuration Against MS List


1. Run MS Baseline Security Analyzer

2. Scan a Computer : Start Scan

Scan Time: ~5 min




The latest service pack for this product is not installed. 

MS02-029 Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (Q318138)
MS01-022 WebDAV Service Provider Can Allow Scripts to Levy Requests as User
MS02-027 Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice (Q323889)

Run Windows Update


1. http://v4.windowsupdate.microsoft.com/en/default.asp

2. Install SP3 Exclusively - removed other two fixes.


SP3 Install


1. Archive Files

2. Restart

3. Restart OK


Repeat Check Configuration Against MS List


X - Can't run MS Baseline Security Analyzer - Not Responding.

Restart.

After second restart, can't run it again. Can't run MSIE.


Could it be the second NIC again? I can't open Network Ctrl Panel. But
the device mgr says that the Intel 82559 #2 is disabled. All ports still
open.


Test services


port scan - show host responses

ping ip

ping www.cadent.com

http://cadent.com/

email Send & receive - generate new email from external account.


Results


pcAnywhere - flashing cursor on console

port scan - sees ports (all ports are open!)

ping ip - ok

ping www.cadent.com

http://cadent.com/

email Send & receive - generate new email from external account. -
pcAnywhere crashed and won't reconnect. Mail goes in and out