August 1997

Service Pack 3 is Really Security Pack 3

Sidebars: Anonymous User Restrictions, Auditing Password Filter Loading, Password Filtering, SMB Signing, Clear Text Passwords for SMB

Microsoft recently released Windows NT 4.0 Service Pack 3 (SP3), which includes more than 180 fixes for known problems. After examining SP3, I call it Security Pack 3, because it adds five strong new security features to NT, including a neat password-filtering tool for enhancing overall security. (This password filtering tool, passfilt.dll, first came with SP2, but almost no one knew it was there. I want to make sure everybody knows about this tool now that it's also in SP3.) The five security-related changes to NT Workstation and Server are

  1. Server Message Block (SMB) signing
  2. Password filtering
  3. Anonymous user restrictions
  4. System keys
  5. CryptoAPI 2.0

Let's look at each new feature in detail.

Crash Course on SMB Signing
SMB signing is incredibly useful and overdue. Microsoft, IBM, and Intel jointly developed the SMB protocol, which defines program-level commands for obtaining or providing remote file services in a network environment. A new version of the SMB authentication protocol, the Common Internet File System (CIFS) file-sharing protocol, comes with SP3. This subset of SMB is tuned for use on the Internet. Microsoft has submitted the CIFS specifications to the Internet Engineering Task Force (IETF) as an Internet Draft for ratification as an industry standard. For simplicity, I'll refer to SMB and its subset protocols as SMB. The SMB protocols let systems transparently access files that reside on remote systems. These protocols transparently share any item, such as a printer, that is mapped into the file space.

Some background on TCP/IP network traffic will help you understand SMB signing: TCP/IP network traffic consists of packets. Each packet contains a header that carries information such as a source and destination IP address. Each time you connect to a shared resource, such as a server's disk drive, you generate and transmit packets to the server for action. The server sends packets back to your system for an action such as mapping a drive and displaying its contents. This connection and packet exchange process is an SMB session.

In the past, SMB sessions (e.g., sharing resources) did not ensure the authenticity of the SMB packets sent and received. When users tried to connect to a shared resource, they were successful if their permissions allowed the connection. From that point, all SMB session traffic passed between the client and server without validation. The security risk lies in non-validated packets, which make it possible for someone to create and insert rogue packets into the network traffic stream to launch a messaging attack. In fact, someone on the network between you and the server could intercept the entire SMB session, mounting a man-in-the-middle attack. Or someone could completely hijack the SMB session.

After you implement the new SMB signing feature, client and server can use a strong mechanism to mutually authenticate SMB sessions, packet by packet: client and server agree that they will digitally sign each packet to ensure its authenticity. Then both client and server inspect every packet to ensure that the packet came from the system it was supposed to come from, thus eliminating the possibility of attacks. This approach adds overhead to the systems, but the security is worth the sacrifice, and you might not even notice the difference.

Installing SP3 introduces SMB signing to your NT Workstation and NT Server systems. On NT Server, SMB signing is disabled by default, but on NT Workstation, it's enabled by default. You need to edit the Registry to use SMB signing for communications with NT Server. You can configure SMB signing in two ways: enabled and required. Enabled means that if a client system also has SMB signing enabled, signing will be the preferred communications method. Required means that all clients must use SMB signing to communicate with the NT system.

You need to enable SMB signing to use it on NT Server. If you turn on RequireSecuritySignature by setting its value to 1 while SMB signing is enabled, NT Server must use the signing technique for all connections. (For information about turning on RequireSecuritySignature, see the sidebar "SMB Signing.") Clients that don't use SMB signing won't be able to communicate via SMB with the NT system (e.g., sharing won't work).

You need the updated service packs for Windows 95 and other Microsoft client systems that will participate in SMB signing with an NT system. The current incarnations of non-NT OSs know nothing about this new authentication technique and won't work with your NT systems if you require SMB signing. If you only enable SMB signing, the non-NT OSs continue to work with NT; however, they'll be vulnerable to SMB attacks. Take the time to upgrade your non-NT OSs; it's worth the effort.

Samba, a freeware UNIX-based SMB server, does not support this new SMB signing functionality. (For information about Samba, see "Samba," March 1997). Adjust your Registry entries accordingly (i.e., don't require SMB signing) on NT systems that need to communicate with non-Microsoft SMB servers such as Samba, HP's HP/X, or LAN Manager for UNIX.
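To make the enabled/required distinction and the per-packet checks above concrete, here is an added model, not code from the article or from Microsoft, of how a signed SMB-style session behaves. HMAC-SHA256 stands in for NT's actual SMB signing algorithm (an assumption for illustration only), the session key is a random stand-in for the key that authentication would produce, and the request strings, share names and file names are constructed. EnableSecuritySignature is the real companion Registry value to the RequireSecuritySignature setting the article names; nothing here reads or writes the Registry.

```python
# Added example: SMB signing policy negotiation and per-packet signing, modelled in Python.
# HMAC-SHA256 is a stand-in for the real NT 4.0 SMB signing algorithm (assumption).
import hashlib
import hmac
import os
from dataclasses import dataclass

MAC_LEN = 8  # bytes of signature carried in each packet (assumed size)


@dataclass
class SigningPolicy:
    """Mirrors the two settings the article describes: 'enabled'
    (EnableSecuritySignature) and 'required' (RequireSecuritySignature)."""
    enabled: bool = False
    required: bool = False

    def can_sign(self) -> bool:
        # Requiring signing only makes sense with signing turned on.
        return self.enabled or self.required


def negotiate_signing(client: SigningPolicy, server: SigningPolicy) -> bool:
    """True when the session will be signed, False when it runs unsigned.
    Raises ConnectionError when one side requires signing the other cannot do,
    which is the 'sharing won't work' case from the article."""
    if client.required and not server.can_sign():
        raise ConnectionError("client requires signing, server has it disabled")
    if server.required and not client.can_sign():
        raise ConnectionError("server requires signing, client cannot sign")
    return client.can_sign() and server.can_sign()


class SignedEndpoint:
    """One side of a signed session. Both sides share a session key and keep
    their own send/receive counters; the counter is mixed into every MAC but
    never sent on the wire, so a replayed or reordered packet fails to verify."""

    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.send_seq = 0
        self.recv_seq = 0

    def _mac(self, seq: int, payload: bytes) -> bytes:
        msg = seq.to_bytes(4, "little") + payload
        return hmac.new(self.session_key, msg, hashlib.sha256).digest()[:MAC_LEN]

    def sign(self, payload: bytes) -> bytes:
        packet = self._mac(self.send_seq, payload) + payload
        self.send_seq += 1
        return packet

    def verify(self, packet: bytes) -> bytes:
        """Return the payload of a genuine packet; raise ValueError otherwise."""
        mac, payload = packet[:MAC_LEN], packet[MAC_LEN:]
        expected = self._mac(self.recv_seq, payload)
        if not hmac.compare_digest(mac, expected):
            # Forged, tampered, replayed and out-of-order packets all land here.
            raise ValueError("bad SMB signature")
        self.recv_seq += 1
        return payload


def _outcome(endpoint: SignedEndpoint, packet: bytes) -> str:
    try:
        endpoint.verify(packet)
        return "accepted"
    except ValueError:
        return "rejected"


def demo() -> dict:
    """Run the negotiation cases and a signed session against rogue packets."""
    results = {}
    # NT Server default (disabled) with NT Workstation default (enabled):
    # the session works but runs unsigned.
    results["default_nt"] = negotiate_signing(SigningPolicy(enabled=True), SigningPolicy())
    # Server with RequireSecuritySignature=1 and a client that cannot sign: refused.
    try:
        negotiate_signing(SigningPolicy(), SigningPolicy(enabled=True, required=True))
        results["legacy_vs_required"] = "connected"
    except ConnectionError:
        results["legacy_vs_required"] = "refused"

    key = os.urandom(16)  # stand-in for the key authentication would establish
    client, server = SignedEndpoint(key), SignedEndpoint(key)
    first = client.sign(b"TREE_CONNECT \\\\FILESRV\\PUBLIC")  # constructed request
    results["genuine"] = _outcome(server, first)
    results["replay"] = _outcome(server, first)  # same packet resent later
    second = client.sign(b"READ report.txt")
    tampered = second[:MAC_LEN] + second[MAC_LEN:].replace(b"report", b"payroll")
    results["tampered"] = _outcome(server, tampered)  # contents altered in transit
    forged = SignedEndpoint(os.urandom(16)).sign(b"DELETE report.txt")
    results["forged"] = _outcome(server, forged)  # inserted without the session key
    results["genuine_after_attacks"] = _outcome(server, second)  # real traffic still flows
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The negotiation cases reproduce the article's two configurations: with signing merely enabled, a peer that cannot sign still connects (unsigned and therefore exposed), while a server that requires signing refuses such a peer outright. The session part shows why the per-packet check matters: once the counter and key are bound into each signature, a replayed, altered or injected packet is dropped while the client's own traffic continues unaffected.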



Reader Comments
In Mark Joseph Edwards’ August 1997 article, “Service Pack 3 Is Really Security Pack 3,” the author writes that Samba does not support the new Server Message Block (SMB) signing functionality. Please check your source before you publish false statements (go to http://samba.anu.edu.au/samba for more information).
--Francois-Xavier Peretmere

Francois-Xavier Peretmere August 10, 1999


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.