Hack into Windows Vista to test security features

The security of Vista Does Vista mean the end of malware? End-to-end encryption for Windows Vista systems: BitLocker

That's fine and dandy, but it's not the real world. Testing for vulnerabilities on a default install of the operating system (OS) is one thing, but once you get users on board and software is installed, drives are shared and other complexities are thrown into the mix, then there's plenty of room for attacks…secure OS or not.

It can happen to you

Remember that the art of hacking doesn't have to focus solely on fancy code injection, address spoofing and virtual server hopping. In fact, many -- if not most -- of the breaches carried out against Windows-based systems are simplistic issues. It usually boils down to power users tweaking their systems, and that introduces vulnerabilities and administrators not having the resources or technology to apply patches in a timely manner. This is exactly the stuff you want to focus on during your Windows security testing. They are your highest payoff tasks. When and if you get the time, then you can dig in looking at minute nuances that someone may exploit in your environment a hundred years from now.

Like its predecessors, Windows Vista can be exploited in numerous ways by an external hacker or rogue insider. Here are some approaches that hackers use:

• Scan for open ports looking for running services that can be probed further.

• Establish null sessions and enumerate the OS to detect various system configuration settings.

• Gain access to the network via ARP poisoning using Cain & Abel in order to glean Windows passwords and other passwords off the wire.

• Gain physical access to a Vista desktop or laptop system and obtain the password hashes out of the SAM (Security Accounts Manager) database files using a tool such as BartPE and then loading the hashes into a password cracking tool such as Elcomsoft's Proactive Password Auditor. Or, as an alternate, you can use Elcomsoft's new all-in-one bootable solution based on WindowsPE called Elcomsoft System Recovery. This will allow you (or an attacker) to reset the list of local user accounts, view account privileges, grant administrator privileges to any account, reset accounts, reset passwords and more.

• Connect to Windows shares with previously cracked or easy-to-guess passwords and copy and/or delete sensitive files.

• Exploit a missing patch and obtain a remote command prompt using Metasploit or CORE IMPACT.

Remember, all it takes is your users installing software or making very minor configuration changes to their Vista systems to create big problems. Even if you have an enterprise domain, air-tight GPOs and a formal acceptable use policy banning anything and everything you can imagine, you're still going to have issues with Vista on your network.

Likewise, once Vista-based systems are outside of your control (for example, at a user's home, hotels or coffee shops), it only takes one disabled firewall, one shared directory or one missing patch for Vista to be abused and network security to be compromised.

About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well asThe Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. You can reach Kevin at kbeaver@principlelogic.com>.

Rate this Tip To rate tips, you must be a member of SearchWindowsSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Windows Vista security How to use Group Policy to control wireless access Minasi talks Vista security, Windows Server 2008 features Windows Resource Protection (WRP) protects critical system resources The finer points of User Account Control (UAC) in Windows Vista Vista SP1 vs. XP SP3 -- upgrade or business as usual? How to secure BitLocker configurations How to recover from lost BitLocker PINs and startup keys PatchGuard defends against rootkits in Windows Vista Windows Server 2008 security aided by NAP and IPsec Windows Vista security: Top 10 tips of 2007 Microsoft Windows Vista Security Microsoft Windows Vista: Security feature reviews Windows Vista's little surprises Windows Vista tips and expert responses NTFS and the Registry in Vista packaged up BOOT.INI is gone, BCD is here Administering Windows Vista Security: The Big Surprises: Chapter 1 Administering Vista Security: The Little Surprises Remote Desktop gets a bit more secure Microsoft Windows Vista Security Center review Windows Live OneCare 1.5: How does it compare? Vista tested: Expert shares results RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.