Robert Hensing's Blog

Software Security . . . and stuff.

Random Vista Security Factoid Du Jur

Random Vista Security Factoid Du Jur

  • Comments 1
  • Likes

So domain-joined Vista no longer exposes the admin shares by default (i.e. admin$, c$ etc.).

My take:  This is going to break tons of applications (systems management apps, patch deployment apps etc.) that rely on their existance and it will likely be one of the first security changes that is 'undone' by most  IT shops (well . . . errmm . . . that and UAC) - but in my never humble opinion - this change is a very big deal and very well worth it.  Why do I say that?

In a past life, I personally worked dozens of cases involving everything from schools, to hospitals, to DMV's where some systems admin at some organization was asked to login to some random users workstation to see why it's 'acting wierd'.  So what does Mr. / Ms. / Mrs. System Admin do in this situation?  They login to the users workstation with *domain admin* creds of course. 

So now there's a copy of some bot running with *domain admin* creds running on this workstation.  What could *possibly* go wrong?  Sometimes it's even more insane (to me) than that - it would turn out the domain admin was just logged in with domain admin creds and surfing the net or reading email and got hit with an IE 0-day or ran some random email attachment from his friend . . . Well most bots these days (and for many years now), as a simple matter of business begin immediately scanning for all Windows hosts on the network using NetBIOS broadcasts and then try connecting to the admin shares on any hosts they find using the credentials of the currently logged on user (and if that initial attempt fails it reverts to trying to brute-force the admin creds using a variety of usernames and passwords - sometimes overwhelming the DC's in the process if the workstation forwards the requests to the domain controller).  Many times the PSS Security team gets cases from enterprise customers who call in reporting that 'logins to the domain are slow' or 'we can't login to the domain' and it's usually due to the CPU on the aging DC being pegged at 100% due to some bot overwhelming the DC with network authN requests as it does its thing. 

This network propagation technique of using the admin shares to move around in an org would fail miserably with regular domain user creds (well, unless the bot manages to guess the remote machines local admin username / password or your domain admin username / password) - but the minute the domain admin logs on to that infected workstation - click, click boom - game over (assuming the local user who got infected was running with local admin privs which allowed the malware to jack the domain admin upon login - which I dare say most corporate users are these days), now the bot can spread to any host in that domain with admin shares . . . and boy do they!  I've seen entire networks with thousands of PC's owned in a matter of minutes by the dumbest of bots . . . all because some admin - somewhere logs in to the infected machine to 'check things out' and gets a copy of the bot running as him.  Oops.

Soooo . . . after all the dust has settled and order is restored - who takes the fall for this?  Why Microsoft of course - it's all our fault . . . it doesn't matter that the user got infected with the bot by running an e-mail attachment or via some other form of social engineering that we can't easily protect against (which according to our security intelligence report is an increasingly common way of getting owned these days) and the admin did something really dumb (logging in to a suspect machine with domain admin creds to an infected machine).  And guess what!?  To a certain extent - I *agree* and sympathize with our customers!!  We've made it really easy to use our software and to aquire basic system administrator credentials without having very much knowledge of security or the threat environment most organizations operate in.

So now - we are shutting off the admin shares by default - something I've been pushing for, for many years internally.  I like this because it's an all too easy attack vector for malware to abuse, its very dangerous to have 'on by default' and if you DO mange to get thousands of Vista machines owned via the admin shares - now at least we'll know that you had to have gone in and enabled it . . . hey - at least we tried to make your systems more secure by default . . .

Comments
  • As many of you know, by default Windows will share out all of its drives using hidden "admin shares" (i.e. \\computername\c$). In Vista, the new default setting will be to not create the admin shares. Read the main atricle from Microsoft, p

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment