Hello, I'm Susan Bradley for CSO Online. Recently I've started deploying servers based on Server 2019, and as with every new version of the operating system, a lot stays the same and a lot changes. As I was setting up Server 2019 and preparing to migrate from older versions of the server to this one, I started thinking about the way I've always done things and what I should at least change, or investigate, to see whether I could do things a little better. I saw some talks and discussions online about Active Directory attacks, and that got me thinking about this. Sometimes we have legacy settings that we don't even realize are there. For example, you may not even know about LLMNR. In June 2018 the Black Hills Information Security blog pointed out that you may want to disable it, and why. LLMNR stands for Link-Local Multicast Name Resolution, which is a mouthful, and there's another protocol you may want to disable as well: NetBIOS Name Service. I'm sure you've heard of NetBIOS Name Service and have used it for many years. But in this era of Server 2019 and Windows 10 you may no longer need NetBIOS, and you can block these protocols without any impact on your existing systems.

In one attack sequence, an attacker puts himself in the middle and listens to the connection between the server and the client. Especially on older systems, what happens first is that a multicast packet goes out asking for the names of other hosts on the network. UDP port 5355 is used to send these multicast requests, and Windows uses this protocol to identify the server hosting a file share. Should it receive a reply, it sends the current user's credentials, in the form of a hash, back to that server. This especially happens when you have retired file servers or old systems and you haven't gone through and pulled them out of Active Directory. If you ever do any sniffing, run Wireshark, or look at packets between workstations and your network, you'll probably see requests for old servers that haven't been in your network for quite a while. If an attacker is able to get in the middle of those transmissions, they can grab that hash value, and if they're really smart they'll pass that hash value along to the file server so that nobody on either end of the connection between the client and the file server is any the wiser. The attacker will have the hash value of the credentials, and everyone on the network will be happy. There's a ticking time bomb, though, obviously, since that attacker now has credentials into the network. If you disable these protocols and something stops working in your network, you'll obviously need to go back and undo these settings, and then ask yourself: what exactly broke? Is it a line-of-business application? Go back to that vendor and ask why they are relying on a legacy protocol that should be turned off.
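As an added example, not from the video, here is a small PowerShell decoder for the multicast query described above, so you can see which (possibly retired) host names your clients are still asking the network for. LLMNR reuses the DNS message format and is sent to 224.0.0.252 (IPv4) or ff02::1:3 (IPv6) on UDP 5355. The sample packet is constructed, not captured, and the host name OLDFILESERVER in it is made up. The live listener function assumes a host where LLMNR is already disabled so that port 5355 is free to bind.

```powershell
# Added example (not from the original video). Decodes LLMNR queries, which use the DNS wire format.
function ConvertFrom-LlmnrQuery {
    param([byte[]]$Packet)
    if ($Packet.Length -lt 17) { return $null }               # 12-byte header + minimal question
    $id      = ($Packet[0] -shl 8) -bor $Packet[1]            # transaction ID
    $flags   = ($Packet[2] -shl 8) -bor $Packet[3]            # QR bit (0x8000) clear = query
    $qdCount = ($Packet[4] -shl 8) -bor $Packet[5]            # number of questions
    $isQuery = ($flags -band 0x8000) -eq 0
    # Question section: length-prefixed labels terminated by a zero byte, then QTYPE and QCLASS
    $labels = @(); $pos = 12
    while ($pos -lt $Packet.Length -and $Packet[$pos] -ne 0) {
        $len = $Packet[$pos]; $pos++
        $labels += [System.Text.Encoding]::ASCII.GetString($Packet, $pos, $len)
        $pos += $len
    }
    $pos++                                                     # skip the terminating zero
    $qtype = ($Packet[$pos] -shl 8) -bor $Packet[$pos + 1]
    [pscustomobject]@{
        TransactionId = $id
        IsQuery       = $isQuery
        Questions     = $qdCount
        Name          = ($labels -join '.')
        QType         = $qtype                                 # 1 = A, 28 = AAAA
    }
}

# Constructed sample (not captured traffic): ID 0x1234, one question, name OLDFILESERVER, type A, class IN
$header    = [byte[]](0x12, 0x34, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
$nameBytes = [byte[]](0x0D) + [System.Text.Encoding]::ASCII.GetBytes('OLDFILESERVER')
$tail      = [byte[]](0x00, 0x00, 0x01, 0x00, 0x01)
$sample    = [byte[]]($header + $nameBytes + $tail)
ConvertFrom-LlmnrQuery -Packet $sample      # Name = OLDFILESERVER, IsQuery = True, QType = 1

# Live listener: prints time, source address and queried name for every LLMNR query seen on the segment.
# Assumes LLMNR is already disabled on this host (otherwise Windows holds UDP 5355 itself).
function Watch-Llmnr {
    param([int]$Seconds = 60)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.ExclusiveAddressUse = $false
    $udp.Client.SetSocketOption([System.Net.Sockets.SocketOptionLevel]::Socket,
                                [System.Net.Sockets.SocketOptionName]::ReuseAddress, $true)
    $udp.Client.Bind([System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 5355))
    $udp.JoinMulticastGroup([System.Net.IPAddress]::Parse('224.0.0.252'))
    $udp.Client.ReceiveTimeout = 1000
    $remote   = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        try { $data = $udp.Receive([ref]$remote) } catch { continue }   # timeout: keep waiting
        $q = ConvertFrom-LlmnrQuery -Packet $data
        if ($q -and $q.IsQuery) {
            '{0}  {1}  {2}' -f (Get-Date -Format 'HH:mm:ss'), $remote.Address, $q.Name
        }
    }
    $udp.Close()
}
```

Names that show up repeatedly but no longer resolve in DNS are exactly the retired servers the video talks about; each one is a client that an attacker answering on 224.0.0.252 could coax into authenticating.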
In most modern networks you can turn off these settings and nothing will happen; everything will go on just as it did before. So let's look at these two settings. To disable Link-Local Multicast Name Resolution, or LLMNR, you can go into Group Policy. Here's an example in the Local Group Policy Editor: go to Computer Configuration, Administrative Templates, Network, DNS Client.
So here we are. At the bottom it says Turn off multicast name resolution, and you want to set it to Enabled. Click Apply, then click OK.
You can also use a registry key. Here's an example registry key you can add that will disable LLMNR. LLMNR is used on both IPv4 and IPv6 networks. If LLMNR fails, NetBIOS Name Service comes into play. NetBIOS Name Service differs from LLMNR in that it only works with IPv4. To disable NetBIOS, you go into the DHCP console on your domain controller. Open Scope Options for the scope of the network you're protecting. Right-click and choose Configure Options. Now click the Advanced tab, go to Vendor class and select Microsoft Windows 2000 Options, and in the Available Options section check 001 Microsoft Disable Netbios Option. Then in the Data entry section change the value to 0x2. Click OK, Apply, OK. When the clients renew their addresses the setting will be refreshed and NetBIOS will no longer be on the network. If you are on a network that doesn't use DHCP options, you can also do this per interface in the TCP/IP settings, and also with a script.

So there you have it. As you migrate to these new versions of Server, think about legacy settings, legacy protocols and other changes you can make along the way. Make sure you're not building in, and bringing over, the insecurity of the older versions. Take the time to review options and make changes for the better. Until next time, this is Susan Bradley for CSO Online. And don't forget to sign up for Tech Talk from IDG, the new YouTube channel for the tech news of the day. Until next time.
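The Group Policy, registry and DHCP steps above, as a PowerShell script. This is an added example and not the video's own script; it assumes an elevated session on the host being hardened, and the optional DHCP step assumes the DhcpServer module on a DHCP server. The EnableMulticast value is the registry setting behind the "Turn off multicast name resolution" policy, NetbiosOptions is the per-interface value the TCP/IP WINS tab writes, and the scope ID 10.0.0.0 is a placeholder you must replace.

```powershell
# Added example (not from the original video): disable LLMNR and NetBIOS Name Service, then verify.
# Run in an elevated PowerShell session. Set $DhcpScopeId only when running on your DHCP server.
param([string]$DhcpScopeId = $null)   # e.g. '10.0.0.0' (placeholder, assumption for this example)

# --- 1. LLMNR: registry value behind "Turn off multicast name resolution" = Enabled ---
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $dnsPolicy)) { New-Item -Path $dnsPolicy -Force | Out-Null }
Set-ItemProperty -Path $dnsPolicy -Name 'EnableMulticast' -Type DWord -Value 0   # 0 = LLMNR off

# --- 2. NetBIOS over TCP/IP on this host, per interface (the "per TCP/IP settings" route) ---
# NetbiosOptions: 0 = follow the DHCP option, 1 = enabled, 2 = disabled
$nbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $nbtIfaces | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Type DWord -Value 2
}

# --- 3. The DHCP scope option from the video, so DHCP clients switch NetBIOS off on renewal ---
# Vendor class "Microsoft Windows 2000 Options", option 001 "Microsoft Disable Netbios Option", value 0x2.
if ($DhcpScopeId -and (Get-Command Set-DhcpServerv4OptionValue -ErrorAction SilentlyContinue)) {
    Set-DhcpServerv4OptionValue -ScopeId $DhcpScopeId `
        -VendorClass 'Microsoft Windows 2000 Options' -OptionId 1 -Value 2
}

# --- 4. Report what is now in effect on this host ---
function Get-LegacyNameResolutionState {
    $llmnr = (Get-ItemProperty -Path $dnsPolicy -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $nbt = Get-ChildItem -Path $nbtIfaces | ForEach-Object {
        $v = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = $v }
    }
    [pscustomobject]@{
        LlmnrDisabled          = ($llmnr -eq 0)
        InterfacesWithNetbios  = @($nbt | Where-Object { $_.NetbiosOptions -ne 2 }).Count
        Interfaces             = $nbt
    }
}
Get-LegacyNameResolutionState
```

Run the report before and after the change, and keep the output: if a line-of-business application breaks, the same script with `-Value 1` for EnableMulticast and `-Value 0` for NetbiosOptions puts the host back, and the report tells you exactly which setting you reverted while you take the question up with the vendor.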