December 22, 2006

Windows Command-Line Kung Fu (2): challenges

My first post in this Blog was about the Windows WMI capabilities (specifically, the WMIC tool). The last post for this year covers the same topic: Wouldn't be terrific to have a single tool capable of helping with all the incident handling (IH) and security-related daily tasks? It seems 2006 has been the year of WMIC (I agree there is some hype in this comment ;-)).

The goal of this post is to provide a couple of challenges for you to solve during Christmas.

The rules are easy: briefly explain the steps you take to solve them and focus on using WMIC only (if possible). If you are interested, submit your solutions to till January, the 12th. The results will be published, together with the names of those sending the best answers, the 15th of January, 2007. This is a beta challenge to promote IH and WMIC and to warm-up for future serious challenges (with prizes) RaDaJo plans to publish in 2007.

TIP: If you are interested in participating, I recommend you to review the references on my original WMIC post and some other Ed's tips & tricks.

Challenge 1:
What Windows WMIC command would help you to identify what systems in your Windows domain are vulnerable to a DHCP security flaw published by Microsoft on July, 2006?

Challenge 2:
Imagine you have identified strange TCP network traffic going to destination port 17503 on one of your Windows XP boxes. Imagine you experience a Déjà vu, and as a result, the only additional thing you know is that the traffic is going to a Windows service inside the box. What steps would you take (having WMIC handy) to discover what is the service that is getting this TCP traffic?

I hope you enjoy and learn from these challenges.

Merry Christmas and Happy New Year! All the best for 2007!

December 08, 2006

Secure file sharing among Windows systems across the Internet

How would you securely share a set of files among a group of Windows users distributed across the Internet?

I'm sure there are many different possibilities, but I think using WebDAV plus proper encryption and authentication probably gives the best balance between security and usability. I'll try to explain this option here but please do not hesitate to post comments with arguments for or against it, success/failure stories or any other solution you think is best. If you prefer, you can send me comments directly to and I'll post a summary of those.

Note that I will be assuming a Windows-only environment to reduce the scope of the task at hand but a similar solution can be implemented using other platforms.

WebDAV (Web Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol that were defined in RFC2518 and related RFCs. Among other things, WebDAV defines a set of new HTTP methods (PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK) that allow a WebDAV client to interact with a web server and do things like modify the contents of files in the server, move them to new locations inside the server, and, importantly, lock a file while updates are being conducted on it so that modifications done by one client are not lost by another client saving different modifications at the same time.

In simpler words, a WebDAV enabled web server can expose content to users just as a common file server would: users will be able to read and write the contents of the shared files and directories. Only, the communication mechanism between the clients and the server will be WebDAV, which is an extended version of HTTP.

For the server side, IIS (Microsoft Internet Information Server) can be configured to support WebDAV for specific files or folders. For the client side, Windows Explorer is already WebDAV capable, so users will be able to simply add a new folder to their My Network Places folder pointing to the shared content.

So far, so good. But, how secure is this? Obviously, there are two main problems to solve:
1.- Because traffic will be travelling the Internet, encryption will be needed to prevent unauthorized access to the information in transit.
2.- Only authorized users should be allowed to access the files and only with the appropriate rights and permissions.

The first problem can be solved using SSL (or TLS) with the appropriate encryption strength. The server will need a certificate so that clients can verify its authenticity, but this can be easily generated using Windows Certificate Services (included in Windows Server 2000/2003) or obtained from a third-party certification authority (CA).

The second problem is actually twofold: user authentication and authorization.

Different methods for user authentication are possible, but for maximum security we can require user certificates, which again can be generated using Windows Certificate Services or obtained from a third party CA. IIS should be configured to map these identities to specific Windows users in the server (local or domain). Once authentication is solved, authorization can be performed and this can be done by setting the appropriate permissions (both NTFS and ISS permissions) on the files and folders. These permissions should reference those Windows (local or domain) user accounts in the server to dictate who can do what on each file and directory.

With this setup, Windows users will be able to securely access the shared files across the Internet as a simple network shared drive.

Again, any comments welcome.