Disabling Machine Account Creation

Since Windows 2000, Microsoft has enabled the ability for all users to create up to 10 machine accounts by default. This is a “feature” implemented by Microsoft that inadvertently introduces potential vulnerabilities within an Active Directory environment. Secure deployment should ensure that Machine Account creation is limited to specific users or groups; Lucid Security strongly recommends making this quick change to bolster your Active Directory environment’s security. This article demonstrates how to set the MachineAccountQuota to 0 instead of the default 10.

Dangers of User Machine Account Creation

First off, let me briefly highlight why having a MAQ of anything over “0” for users is a bad idea. First, once an attacker has valid user credentials, a machine account is trivial to add. This opens up attack paths for a threat actor that often lead to domain compromise. These include:

• Resource Based Constrained Delegation Attacks.
• Possibility of elevating computer account to domain admin via relaying attacks.
• Active Directory Certificate Services (AD CS) attacks.
• Additional persistence for an attacker should a user or administrator change existing user credentials.

How to Disable User Machine Account Creation

First, this is what it looks like from an attacker viewing the Machine Account Quota (MAQ) remotely from an attacker controlled device:

Second, this is what it looks like for an attacker creating a machine account:

Log into your domain controller and perform the following:

1. Press Windows Key + R and type adsiedit.msc
2. Right click on the “DC=” drop down menu and select Properties
3. Scroll down until you see ‘ms-DS-MachineAccountQuota’ and select it and then click Edit
4. Modify the value to “0” and hit OK
5. Apply

Assuming you’ve done everything correctly, this is what it will look like when a user checks the MAQ:

Lastly, when attempting to create a computer account, an attacker will be met with an error stating the relayed user machine quota is exceeded, or they do not have sufficient privileges:

Final Thoughts

Restricting the ability for users to create machine accounts is an important step in hardening an Active Directory environment and is often overlooked by IT administrators as it is an default value set by default by Microsoft. Lucid Security recommends having annual or bi-annual penetration testing to uncover settings such as this.

Contact us today at [email protected] or fill out our Contact Us form to speak with a qualified expert to determine the best solution for you!

What is a Web Application Penetration Test? The Open Web Application Security Project (OWASP) defines a web application security test as “…an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities”. This is an excellent definition of a web application penetration test, but this article will dive a bit deeper in why you should have one performed for your organization.

Overview of a Web Application Penetration Test

A web application penetration test (“Web app pentest”), is a tactical assessment to uncover vulnerabilities and weaknesses within an application. It tests many aspects of course, but the important thing to understand is that this is a where a security vendor will actively act as a hacker (or attacker) and exploit potential vulnerabilities.

Benefits of a Web App Pentest

Lucid Security has experienced a large variety of applications and industries for it’s clients. Because of this, Lucid has a unique take on approaching an application. By and large, many security vendors focus on a single industry or niche area. While that can be absolutely beneficial, Lucid has the opportunity to view many different types of functionality, business logic, implementations, etc. This allows us to build out a robust custom methodology when testing applications. Lucid Security strives to uncover critical vulnerabilities such as injection-style vulnerabilities (i.e. cross-site scripting (XSS), SQL injection (SQLi), etc.), as well as business logic flaws where an attacker can take advantage of areas in the application to bypass intended functions.

Further, what are the practical implications or impact of a vulnerability? This is something that Lucid Security can specifically target, and is an objective that Lucid will actively seek when defined by a client during the kickoff call. It is not uncommon for a client to worry about risks such as authorization weaknesses where ‘Organization A’ could view ‘Organization B’s’ sensitive data/information. This is always a standard issue that Lucid Security attempts to identify during a web app pentest.

Lastly, Lucid Security offers at no additional cost a certification letter to attest that the client has received penetration testing in which they can disseminate this document to current and potential customers in order to receive further business. A common requirement for companies these days when assessing a vendor, is to require penetration testing and/or vulnerability assessments.

Risks of a Web App Pentest

With all of Lucid’s articles, we try to highlight the benefits, as well as the risks for any tactical assessment. The reason for this is there is always room for error and where things can go wrong, especially during an active penetration test. However, there are mitigating controls and things that can be done to prevent such issues from arising. First off, the client will always have the opportunity to call out specifically risky areas of the application which may cause an email to trigger, a process to be initiated, or a cost to be incurred. Further, vulnerabilities can arise that may cause disruptions/downtime. These vulnerabilities may not always be obvious, but is something that is made aware to the client before initiating testing. For this reason, Lucid recommends conducting testing in a QA or dev environment that mirrors a production build of the application.

Conclusion

A web app pentest is a important and necessary assessment to uncover potential vulnerabilities. In identifying these vulnerabilities, a organization can then remediate the issues and ensure that their clients data is secure. As previously mentioned, a certification letter attesting that an organization has received penetration testing can further strengthen organization/vendor relationships, as well as development new business.

How Lucid Security Can Help

Lucid Security consists of seasoned security professionals with decades of experience in security and penetration testing. Our unique and competent perspective enables us to enhance clients’ security environments. Please contact us today to learn more about our services and how we can make your organization more secure.

A common theme amongst clients when conducting penetration tests is a large attack surface. Generally, the biggest risk is amongst externally exposed assets. However, this can be related to internal penetration tests and web application penetration tests. This blog post will briefly examine the biggest risks associated with a large attack surface.

Unknown Assets

It is not uncommon for companies to have unknown assets exposed to their networks. Historically, Lucid Security has encountered client’s who have acquired other companies. As such, they assume control of the assets that the acquired company. This can lead to client’s having exposed assets that they are unaware of, or not inventoried. If this is the case, these assets may go unpatched/updated leading to further security vulnerabilities.

Test Content

It is important for organizations to continue to grow and evolve. Because of that, IT administrators may test out new software and services. While this is a great idea, unfortunately this test content may find itself exposed externally to the Internet. By testing out software and exposing it to the Internet, typical hardening procedures may have not been made.

Excessive Logging Solutions Exposed

Oftentimes for development reasons, logging software is included in dev/staging environments. However, organizations may forget to exclude them from their applications or external perimeter. This can lead to information disclosures such as database information or internal server architecture.

Conclusion

Between an everchanging security climate and regular development procedures, it is possible for organizations to expose more information/assets than necessary. For this reason, Lucid Security recommends conducting annual penetration testing and at a minimum quarterly external vulnerability assessments to stay on top of issues.

How Lucid Security Can Help

Lucid Security often conducts penetration testing and vulnerability assessments. Our services are catered to assist in identifying issues and help provide expert remediation advice. Contact us today to get started!

What is the difference between a vulnerability scan and a penetration test?

A common question many client’s may ask, is what is the difference between a vulnerability scan and a penetration test? This blog post will go into addressing the similarities and differences of each activity.

What is a Vulnerability Scan?

A vulnerability scan is a thorough scan and assessment of a network or application. For the purposes of this article, we will assume the context of a client having an assessment of their external perimeter. That is, any assets that are exposed to the Internet that anyone in the world can access.

A vulnerability scan for a client’s external perimeter will generally include all of the IP addresses or FQDNs (Fully Qualified Domain Names) belonging to that client’s organization. This may include all sorts of assets such as the main marketing website, a VPN portal, a web application, and other various services. Lucid Security generally recommends including all assets during a vulnerability scan, especially critical systems. Once the hosts have been provided, it is now time to run the vulnerability scan. A popular vulnerability scanner is Tenable’s Nessus. The scan runtime will vary based on the amount of hosts included by the client, and the complexity of the services that may be running.

From here, the vulnerability scanner will generate a list of all of the potential vulnerabilities and security risks. This is where Lucid Security’s expertise comes into play. From here, our experienced Security Engineers parse through the results to determine the following:

• Is this a false positive?
• Is this truly a security risk?
• What is the true criticality of this vulnerability?

These are just a few questions Lucid Security considers when reviewing the results. At this point, Lucid Security will now compile a list of all of the vulnerabilities and their associated affected assets, and create a custom-tailored report for the client. This report will include the following:

• Complete list of all vulnerabilities.
• Associated criticality of each finding.
• A detailed remediation description to assist in fixing the issue.
• Supplemental information which is not provided by vulnerability scanners.

The report is then sent to the client securely.

What is a Penetration Test?

A penetration test has elements of a standard vulnerability scan, but takes it a step further. Again, we will be assuming the scenario is testing an organization’s external perimeter by conducting an external penetration test. A penetration test is a comprehensive assessment of an organizations assets, in this case provided again as IP addresses or FQDNs. The penetration test will have the following phases:

1. Scope verification – All assets provided by the client are rigorously verified as belonging to the client. While the scope provided to the client is generally accurate, it is always possible for a typo to be made or IP addresses to change from previous years assessments. This ensures that testing is true to the organizations intended hosts.
2. Open-Source Intelligence (OSINT) – In this phase, the security team scours the Internet for any potentially sensitive information which may aid in the assessment. This could be usernames, sensitive documents/files, etc.
3. Enumeration of assets – Here the security team begins to actively examine what is running on the hosts. The team will be looking for any open ports or services that can potentially be attacked.
4. Vulnerability Identification – One of the most important phases of an external penetration test is actually identifying the vulnerabilities which may exist. This is crucial for the remediation process for a client.
5. Exploitation – At this phase, the security team will attempt to exploit potential vulnerabilities. This is beneficial to demonstrate impact, as well as potentially uncover additional sensitive information which may aid in follow-on attacks.
6. Reporting – The reporting phase consists of gathering all of the identified vulnerabilities and information during the OSINT phase and ensuring that all the findings are accurate and have remediation steps to aid in fixing the issues. During the reporting phase, the reports are peer-reviewed by a Lucid Security engineer to ensure that all findings are addressed, and the remediation steps are accurate.
7. Debrief – The debrief is generally an 30 minute to an hour long call in which the security team will review the findings with the client. In this phase, the client can ask any questions, address any concerns, and get a detailed and comprehensive understanding of the findings.

Conclusion

While a vulnerability scan and a penetration test both attempt to identify vulnerabilities for a client, the biggest takeaway is that a penetration test goes a few steps further. Both are very important and recommended by Lucid Security to be conducted. Generally, a vulnerability scan should be conducted monthly or quarterly to monitor any new threats that may be introduced in the ever-changing security landscape. While a penetration test is generally recommended to be conducted annually or bi-annually.

How Lucid Security Can Help

Lucid Security has decades of hands-on security experience in vulnerability threat assessments and penetration testing. Our expert security engineers are ready to secure your networks and applications. Reach out today to get started!

External penetration tests often require organizations to safeguard their external perimeter against threats, whether for compliance, banking, or client requirements. However, it can be a daunting task which may have you wondering, “What can go wrong during a penetration test?”. This blog post examines the risks and will empower you to address these issues before kicking off an assessment.

Account Lockouts

Clients often worry about account lockouts during external penetration tests, although such incidents are rare. A proficient security team and penetration tester will consider this risk before each assessment. Lucid Security employs custom methodologies to prevent employee lockouts during assessments. Organizations with unique account lockout policies should inform the security team during kickoff calls to ensure appropriate measures are in place to prevent such issues.

Disruptions and Downtime

Related to account lockouts, disruptions and downtime also pose concerns during penetration tests. These often pertain to system or web application stability. A reputable penetration testing firm will not test for denial of service (DoS) vulnerabilities, as such tests offer little value and can hinder the discovery of other vulnerabilities by rendering the application or host unresponsive. Lucid Security reports potential DoS vulnerabilities without actively testing them to prevent client downtime.

Fear of the Unknown

Undergoing a penetration test can be daunting, particularly when organizations have invested heavily in infrastructure and data security. Lucid Security ensures clients feel comfortable by informing them about testing activities and providing clear, transparent results, embodying the clarity and transparency that is a core value of Lucid Security.

Conclusion

While external penetration tests can present several issues, a skilled security provider will anticipate and address these concerns, working closely with clients to mitigate risks.

Lucid Security’s Assistance

Lucid Security routinely conducts external penetration tests and services for various client sizes. Contact us today to discuss how we can help secure your network.

What is an External Penetration Test?

Before diving into what an external penetration test entails, let’s first recap what a penetration test involves. A penetration test simulates an attack on a network, application, device, location, controls, or humans in a controlled environment. Lucid Security conducts external penetration tests by simulating attacks on their internet-facing assets. These tests are crucial for an organization’s security maturation process, ensuring that websites and services are secure against attackers.

Phases of an External Penetration Test

An external penetration test consists of several phases:

• Scope Verification – This critical phase ensures everyone understands that the listed assets are correct. It’s common for typos to occur when defining the scope, and IP addresses may change annually. Therefore, the security team must verify the scope the client provides. If discrepancies arise, the security team will contact the client for further clarification and verification.
• Open-Source Intelligence (OSINT) – This process involves using services like Google to find potentially sensitive information, such as documents, username formats for password attacks, internal company information for phishing campaigns or social engineering, or technology details to target applications or infrastructure more effectively.
• Enumeration – After identifying assets, the next step involves enumerating the “target” or host to determine what is available, such as a web server or an FTP server. The goal is to create an accurate attack map of the external perimeter to prioritize targets.
• Vulnerability Identification – This phase works alongside enumeration. Once the team knows what’s running on a host, it’s important to identify any potential vulnerabilities.
• Exploitation – This phase might not always apply. Here, the security team actively attacks a vulnerability to compromise a host, application, service, etc. The attack could allow information gathering, remote access to the web server, or unauthorized application access.
• Post Exploitation – The security team assesses the impact level of the exploit, which could range from minimal to critical, depending on the vulnerability and any mitigating controls in place. For example, a SQL injection could lead to remote code execution under the right circumstances.
• Reporting – Lucid Security compiles a custom-tailored report based on the findings from the engagement. The report will detail the vulnerabilities, their impacts or potential impacts, solutions, and any helpful references for remediation.
• Deliverable – This phase provides an excellent opportunity for the security team and client to discuss the results in real-time. They will also address any questions or concerns to ensure the client fully understands the findings.

Benefits of an External Penetration Test

It’s common for third parties to require security testing, often specifying the assessments required before partnership. An external penetration test is a typical prerequisite for organizations seeking to do business with another company. This precaution ensures data protection and proactive measures against security breaches. Moreover, an external penetration test identifies potential security risks along an organization’s external perimeter. Often, IT teams are unaware of external assets, which a competent security team needs to identify and address.

How Lucid Security Can Help

Lucid Security consists of seasoned security professionals with decades of experience in security and penetration testing. Our unique and competent perspective enables us to enhance clients’ security environments. Please contact us today to learn more about our services and how we can make your organization more secure.

This process, involving the simulated attack on a network to identify vulnerabilities, is critical for maintaining the integrity and confidentiality of an organization’s data. However, there’s a crucial aspect often neglected during these tests: application security testing.

Lucid Security Engineers regularly encounter HTTP headers during web application or network penetration testing that reveal potentially sensitive information such as application architecture, server versions, or information about the underlying host system. These types of information disclosure vulnerabilities can be utilized by attackers to quickly determine vulnerable server versions and perform more targeted attacks. As a developer, system administrator, or IT manager you probably find these types of findings frustrating! Here’s how to remediate “HTTP Response Header Information Disclosure”:

Nginx

To remove the “Server” or “X-Powered-By” headers for a Nginx server, implement the following:

• In the nginx.conf file, set:
  “server_tokens off”
• In the case of a load balancer, remove the “Server” header from responses
• To completely remove the “Server” header, compile Nginx with the Headers More module and add:
  “more_clear_headers ‘Server’;”

References

https://serverfault.com/questions/214242/can-i-hide-all-server-os-info

https://github.com/openresty/headers-more-nginx-module#readme

Apache

Like Nginx, you can either rewrite the “Server” header value or add an additional module to completely remove it:

• Utilize the URL Rewrite module and configure an outbound rule to change the “Server” header value. This can also be set to a blank value.
• To completely remove the “Server” header, utilize the StripHeaders module to rewrite all HTTP response headers.

References

http://httpd.apache.org/docs/current/mod/mod_headers.html

IIS

Microsoft IIS makes removing HTTP headers pretty easy, with the notable exception of the “Server” header. Luckily we dug around and found a way to do this on Windows Server 2016, 2019 and newer.

• Open the web.config file in the root directory of the site, after <system.web> add:
  <httpRuntime enableVersionHeader="false" />
• To remove the “Server” header (Windows Server 2016/2019), configure requestFiltering in the web.config system.webServer node:

References

https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/369710

https://www.ibm.com/support/pages/disabling-iis-web-banner-and-other-iis-headers

Conclusion

Fixing information disclosure issues can be painful, but we’re here to help. Hopefully this short post on how to remediate HTTP response header information disclosures was helpful. For up to 90 days after a penetration test, Lucid Security offers free retesting of discovered vulnerabilities. Reach out to us and schedule a security assessment today!

Asking “What can go wrong during a penetration test?” before initiating an assessment is both wise and prudent. This blog post outlines the risks associated with penetration testing and strategies to mitigate these risks.

Downtime or Disruptions

One of the top concerns client’s have about what can go wrong during a penetration test is downtime or disruptions, fearing significant revenue loss. However, a competent security vendor will carefully conduct tests to avoid such outcomes. They will avoid exploiting vulnerabilities that could trigger denial-of-service conditions. Lucid Security advises clients to highlight particularly sensitive systems during the pre-engagement kickoff call to prevent downtime.

Missing Findings

Missing findings represent another potential issue during penetration tests. A good security vendor aims to uncover every vulnerability. However, the pursuit of quick wins at the expense of thorough examination is a hallmark of inferior vendors. Lucid Security commits to comprehensive testing to identify all possible vulnerabilities, acknowledging the variability of results due to human factors. Annual penetration tests and rotating engineers ensure fresh perspectives and comprehensive coverage.

Generate Alerts

Penetration tests often generate numerous alerts, potentially overwhelming IT teams. While generating alerts is generally positive, it’s important for tests to be noticeable to IT and security operations centers (SOCs). Security engineers might use tools like Nessus, Nikto, and BurpSuite, generating alerts. The testing vendor should provide a list of their IP addresses to help adjust alert settings accordingly.

Account Lockouts

Account lockouts are a risk during penetration testing, especially during password attack simulations. Lucid Security employs methods to avoid account lockouts, but discussing unique account lockout policies with the engineers during the planning phase is crucial for making necessary adjustments.

Summary

Several factors can complicate a penetration test. Effective communication between the security vendor and the client organization beforehand can address concerns and preempt potential issues. Lucid Security prioritizes preventing problems during penetration tests by gathering extensive pre-test information.

How Lucid Security Can Help

Lucid Security is ready to assist with your next penetration test, addressing any concerns to ensure a smooth process. Contact us today for collaboration.

Preparing for an Upcoming Penetration Test

An upcoming penetration test can stress any organization. Whether your company undergoes annual assessments or faces its first one, ensuring everything is in order is crucial. This article will guide you through preparing for your upcoming penetration test.

Determining Scope

Several factors influence your assessment’s scope. Consider these elements, not in any particular order:

• Your organization’s budget — The number of assets you want tested and desired security assessments can increase the engagement’s overall cost. Prioritize applications or services at highest risk from attackers.
• Overall objectives/goals — The reason behind the assessment, be it compliance, a recent security incident, or identifying security enhancement areas, will aid you in determining what systems to include.
• Critical systems/infrastructure — While many fear testing critical systems might cause downtime or disruptions, such incidents are rare. Nevertheless, it is important to address these concerns during the kickoff call.

Preparing for the Kickoff Call

Lucid Security always sets up a kickoff call with our clients, where you’ll discuss the assessment with the engineers who will actively conduct the assessment. Use this opportunity to ask any questions, aiming to resolve potential queries during this call. With that in mind, Lucid Security attempts to address any potential questions before they arise.

One Week Before the Test

Ensure to send all testing information to the security team a week before the test. The security engineers will then confirm the scope’s accuracy, check credentials, and look for connectivity issues to prevent schedule delays. It is important to make the most out of the allotted testing period to ensure the security team identifies any potential security issues.

How Lucid Security Can Help

By now, your organization should be well-prepared for the upcoming penetration test. If you have any questions, Lucid Security is ready to assist. Contact us today!