Left the Back Door Unlocked?

Friday, January 14, 2011

Ben Keeley


Business 'X' is a company that takes infosec seriously. They've deployed their hardened web application and database servers across multi-tiered DMZs, restricting the addresses and ports as required.

The servers themselves have the latest patches installed, minimal services enabled, minimal accounts with complex passwords.

In addition, they've deployed IPS at the entry points into the DMZ and SIEM on all their servers... I could go on forever; the point is that this company has considered outside threats and is reasonably protected against them.

Are they as well protected though from either their employees or partner organizations?

Staff are needed to support solutions, and supporting solutions often requires compromises on the levels of access given to employees or third parties. No sensible organization would give wide-open access to employees or third parties, so they restrict access to the levels needed to perform an individual's role.

How often, though, are these support mechanisms tested? I don't mean a vulnerability scan using a tool such as Nessus (though those are of course valid and worthwhile tests). I mean how often are (ideally independent) penetration testers given the opportunity to try to break out of the restrictions that Business 'X' (in this case) places on its staff or third parties?

For example, if an individual can get to a Windows Open dialog, the chances are they can browse the network (even if you've restricted access to Windows Explorer). How, you ask? Enter \\127.0.0.1 in the file name box, press Enter, and the individual is now looking at the shares on that server.

If they click the Up button, they are now looking at all the machines in that domain/workgroup, and are obviously free to try to connect to each machine in turn to see whether they have access to any of its file shares. Let's hope the support teams restricted the share permissions...

Or how about...

A support individual is faced with a locked-down desktop on a server; in this case the individual has access to a handful of utilities that ship with Windows, one of them being the command prompt.

From here the individual can check the patch level of a server by pointing the reg query command at a specific location in the registry. Obviously this information is valuable in finding out what the patching regime is like in an organization.

Yet another example: if an individual has access to a text editor and a web browser on a server, they can write a JavaScript port scanner and use it to scan the internal network for services...

These are just three examples, none of which required access to malicious utilities and all very easily achieved. Yet does your organization defend against them? They may defend against malware, may defend against password brute forcing, and may possibly even be able to detect a port scan, but do they defend against something as 'good-natured' as someone browsing the domain for open shares from a well-placed sensitive server?
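As an added defensive example (not from the original post), here is a small detector for the first scenario: it looks for one account touching many servers' shares in a short window, as logged by Windows security event 5140, with the log layout, addresses, thresholds and sample lines all constructed for the example.

```python
"""Detect share-browsing sweeps in Windows security event 5140 (share accessed) logs.
Event layout and sample lines are constructed for this example (assumed format
"time,server,source_ip,account,share"), not a real log export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical DMZ servers: share browsing originating from these should be rare.
SENSITIVE_SOURCES = {"10.0.5.10", "10.0.5.11"}
WINDOW = timedelta(minutes=5)      # sliding window per source/account pair
MIN_DISTINCT_SERVERS = 4           # distinct servers touched before alerting

# Constructed sample: a support account walking the domain from a DMZ web server, then a normal user.
SAMPLE_EVENTS = """\
2011-01-14T09:00:01,fs01,10.0.5.10,CORP\\svc_support,IPC$
2011-01-14T09:00:03,fs01,10.0.5.10,CORP\\svc_support,Finance
2011-01-14T09:00:08,fs02,10.0.5.10,CORP\\svc_support,IPC$
2011-01-14T09:00:15,hr01,10.0.5.10,CORP\\svc_support,IPC$
2011-01-14T09:00:22,db02,10.0.5.10,CORP\\svc_support,IPC$
2011-01-14T09:00:30,dc01,10.0.5.10,CORP\\svc_support,SYSVOL
2011-01-14T09:30:00,fs01,10.0.7.42,CORP\\alice,Finance
2011-01-14T09:31:00,fs01,10.0.7.42,CORP\\alice,Finance
"""

def parse_events(text):
    """Yield (time, server, source_ip, account, share) from the CSV-like lines."""
    for line in text.splitlines():
        if line.strip():
            ts, server, src, account, share = line.split(",", 4)
            yield datetime.fromisoformat(ts), server, src, account, share

def detect_share_sweeps(text):
    """Return (source_ip, account, sorted servers, from_sensitive_host) alerts.

    One alert per source/account pair that touches at least MIN_DISTINCT_SERVERS
    different servers inside WINDOW: the footprint of someone clicking through
    the domain looking for shares they can reach.
    """
    by_actor = defaultdict(list)
    for ts, server, src, account, _share in parse_events(text):
        by_actor[(src, account)].append((ts, server))
    alerts = []
    for (src, account), hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            servers = {s for t, s in hits[i:] if t - start <= WINDOW}
            if len(servers) >= MIN_DISTINCT_SERVERS:
                alerts.append((src, account, sorted(servers), src in SENSITIVE_SOURCES))
                break   # one alert per actor is enough for triage
    return alerts
```

The sensitive-source flag is what separates "a helpdesk user browsing shares" from "a DMZ web server browsing shares", which is the case the post is really asking about.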

Cross-posted from Yeleek
