For the fourth time, the SANS Institute has teamed up with the FBI to publish an annual compilation of the top 20 Internet security vulnerabilities. What makes this list particularly important is its focus on vulnerabilities that are actively being exploited rather than on theoretical or potential threats. In most cases, these vulnerabilities are being targeted because administrators failed to properly lock down their systems or install widely available patches. Applying patches and/or tightening firewall configurations to block the SANS/FBI top 20 vulnerabilities could keep administrators from having to put out so many fires and allow them to concentrate on the newly released threats as they come out.
The SANS/FBI list is broken down into two parts: Windows threats and Linux/UNIX threats. Some are relatively easy to combat or the method of blocking them is straightforward (e.g., P2P threats). Eliminating these easier problems should free you up to tackle the tougher threats that have no simple solution. Below is a summary of the Windows list. I will cover the Linux/UNIX list in a future article.
Top 10 Windows threats
- Internet Information Services (IIS)
You can tighten IIS security fairly easily by using URLScan to filter potentially malicious HTTP requests and employing the IIS Lockdown Wizard to help you harden the installation. URLScan is included in the current version of IIS Lockdown Wizard but you can also download it for use with older systems. If you are running a default installation of IIS 4.0 or 5.0, you are asking for trouble and are likely to see it exploited.
- Microsoft SQL Server (MSSQL)
Keep an eye on new patches for MSSQL and apply them as soon as possible. The Internet Storm Center always shows MSSQL's default ports, 1433 and 1434, as being among the most actively probed on the net. Any weakness will be quickly exploited.
- Windows authentication
Good password management is the key to effective authentication, and SANS offers guidelines for ensuring that passwords are complex enough to defeat at least casual attacks. According to SANS, passwords shouldn't include any part of a user account name and should be at least six characters long. In addition, passwords "should contain characters from three of the following four categories: English uppercase characters (A through Z), English lowercase characters (a through z), Base 10 digits (0 through 9), non-alphanumeric characters (e.g., !, $, #, %)." Starting with Win2K, Windows operating systems have included tools that make it easy to enforce good password creation and maintenance policies. Poor password policies aren't the only weak point in Windows authentication, but they are among the easiest to tackle. The SANS report offers a number of other authentication recommendations as well.
- Internet Explorer (IE)
Every version of IE has critical threats, and new ones are found all the time. Any administrator without a regular plan for updating this critical tool is making a major mistake. SANS suggests that you use online browser tests, such as the one from Qualys, to help maintain IE security. This is particularly useful because the test can easily be run by a nontechnical staffer.
- Windows remote access services
To make things easier for those migrating from other systems or connecting to them, Windows platforms support most other networking protocols. If you aren't using them, you should disable them immediately. Klez, Sircam, and Nimda all spread around the world so quickly because many systems don't properly configure network shares that allow a host to remotely access files.
- Microsoft Data Access Components (MDAC)
The Remote Data Services component of many MDAC versions has serious vulnerabilities. You might want to look over Wiretap.net's report on hardening RDS for a quick overview, in addition to reading Microsoft's recommendations such as the Knowledge Base article on this topic.
- Windows Scripting Host (WSH)
You probably can't simply disable WSH because it's used for many administrative and desktop automation functions, so you should simply change the default treatment of script files with these extensions: .vbs, .vbe, .js, jse, and .wsf.
- Microsoft Outlook and Outlook Express
If you can't live without Outlook and Outlook Express, a good antivirus signature update policy will provide some necessary protection.
- Windows peer-to-peer file sharing (P2P)
P2P applications should be ruthlessly expunged from business networks, if only because P2P networks are often used for illegal purposes in violation of copyright or other laws. Although you can't block all the ports used by P2P software (after all, KaZaa uses port 80), you can probably cripple most of its activity at the firewall.
- Simple Network Management Protocol (SNMP)
This one is pretty obvious. SNMP is used to remotely manage everything from printers to wireless access points and is therefore a major threat if not maintained properly. If you don't need or use SNMP then the fix is simple—disable it. I suspect that a large number of the SNMP exploits are due to installations where the people running the system don't even realize it's there.
The vulnerabilities listed here are ones that hackers are most actively exploiting against Windows networks.
Patch or apply a workaround where appropriate. Some of these threats keep popping up as new vulnerabilities or ways to exploit them appear, but patches or workarounds are available for all the older exploits that are not being applied on many systems.
Some threats, such as the continuing problem with P2P file sharing, simply shouldn't be permitted on a business network. To block it, administrators must periodically scan for the presence of P2P and push upper management for the creation of strict enforcement of rules forbidding users from installing such software.
I suspect that some administrators are secretly happy that the SANS/FBI top 20 list isn't more widely publicized in the general media. If upper management questioned many IT departments about whether their company was covered against these threats, many of them would not get a very satisfactory response.
There are good reasons why some of these vulnerabilities (e.g., popular software such as IIS and SQL Server) are perennial favorites. But some of the others should be eliminated in any properly managed operation. This is especially true for installations where unused services are allowed to remain active when they shouldn't even be there. Because they are rarely used, they also tend to be ignored when it comes to proper maintenance, which makes them doubly vulnerable and dangerous.
Also watch out for…
- Two important OpenBSD updates top the list of new threats this week. The first is OpenBSD Packet Filter Denial of Service Vulnerability (Secunia Advisory SA9949), which Secunia rates "moderately critical." This is a denial of service threat that can be exploited remotely. The other threat, ARP Request Denial of Service Vulnerability (Secunia Advisory SA9948) is also a DoS threat, which Secunia rates "less" critical. This poses a threat from local users on the network and is not remotely exploitable. Patches/updates are available.
- Those who are convicted of using a computer in a crime of almost any sort now receive much stiffer penalties. There's a good story on this in The Washington Post. A key sentence in the story is this: "The new guidelines let victims tally financial loss based on the costs of restoring data, fixing security holes, conducting damage assessments and lost revenue." That makes almost any hacker incident bad enough to trigger prosecution.
- In California, an attorney has filed a suit against Microsoft and is seeking class action status for the legal claim that poor Microsoft security practices pose a major threat. You can bet that Redmond will pull out all the stops to block this one. SANS posted a copy of the complaint online, if you want to look over this interesting document.