
Lock IT Down: Don't broadcast info about Windows servers to hackers

Keep your Windows servers from broadcasting information to the world


Throughout the Internet, it's easy to find a plethora of beginner's guides to hacking Windows. And the first lesson in almost all of those guides is to identify the Windows service packs that are installed on the systems you want to attack. Obtaining information about a server's operating system is the first goal of both rookie and veteran hackers. Once armed with your system information, they're ready to seek out the endless number of hacking sites to discover the exploits that exist on your servers. Your job is to make the process of acquiring Windows system information a challenge for them.

Getting to know your server
So how does a would-be hacker get information about your server? The answer is easy. Windows servers are made to announce themselves to whoever needs their services. For instance, a Telnet connection to port 80 of a Windows Web server will quickly reveal the OS and service pack through the HTTP server header. An attacker might then notice, for example, that you're running a Windows 2000 server with IIS 5.0 and no service pack. This information can help the hacker discover holes in your system.

Most hackers want even more information about your system. Many free programs are available for download that can provide key information beyond that of simple OS types and versions. One of the most common tools is GFI LANguard Network Scanner. Among other things, it provides information such as:
  • Service pack level
  • Missing security patches
  • Open shares
  • Open ports
  • Services/applications active on the system
  • Key registry entries
  • Weak passwords
  • Users and groups

You can see where this kind of information could be used to compromise your systems.

Lose what you don’t use
The days of choosing Select All from the Windows components screen during an initial server installation are long gone. The rule now is, “Don’t install it if you don’t need it.” Remember, the less attractive you look to a hacker, the less of a target you will be. This may mean turning off services you don't necessarily use, such as HTTP, FTP, Telnet, and/or SMTP. The mere fact that these services are disabled may be enough to discourage a hacker from going to the next level—actually attempting to break into your system.
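The cheapest way to confirm that you have actually lost what you don't use is to look at what the server is still listening on. The script below is an added example, not part of the original article: it parses Windows `netstat -an` output and reports any of the four services named above (FTP, Telnet, SMTP, HTTP) that is still listening but not on your list of services the box is supposed to provide. The `SAMPLE_NETSTAT` text is constructed for the example; `audit_live()` runs the real `netstat -an` on the host it is executed on. Function names and the `SERVICE_PORTS` table are my own.

```python
import re
import subprocess

# Well-known ports for the services the article names as candidates for disabling.
SERVICE_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP"}

# Constructed sample of Windows "netstat -an" output (not taken from any real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:1054      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# One TCP line in LISTENING state: proto, local address, local port, foreign address, state.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.MULTILINE)


def listening_tcp_ports(netstat_text: str) -> set:
    """Return the set of local TCP ports that netstat reports as LISTENING."""
    return {int(m.group(2)) for m in LISTEN_RE.finditer(netstat_text)}


def unneeded_listeners(ports, needed=frozenset()) -> dict:
    """Map port -> service name for listening service ports that are not in the needed set.

    'needed' is the administrator's explicit list of services this server must offer;
    anything else from SERVICE_PORTS that is still listening is a candidate to disable.
    """
    return {p: SERVICE_PORTS[p] for p in sorted(ports) if p in SERVICE_PORTS and p not in needed}


def audit_live(needed=frozenset()) -> dict:
    """Run netstat -an on this host and return the unneeded listeners found."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    return unneeded_listeners(listening_tcp_ports(out), needed)


if __name__ == "__main__":
    # A Web server that is only supposed to serve HTTP: FTP on port 21 should not be there.
    found = unneeded_listeners(listening_tcp_ports(SAMPLE_NETSTAT), needed={80})
    for port, service in found.items():
        print(f"port {port} ({service}) is listening but not on the needed list")
```

The ESTABLISHED line in the sample is deliberately ignored: only sockets in LISTENING state tell you what the server is offering. Ports 135 and 445 are listed by `netstat` but not reported, because the table only covers the services the text discusses; extend `SERVICE_PORTS` with whatever your own policy says should not be exposed.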

Server header information
By far, the most popular targets on the Internet are Web servers running Internet Information Services (IIS) on Windows. One way to prevent hackers from easily discovering that you are running IIS is to mask the server header information. When you mask your Windows server header, you are essentially removing identifying details that intruders could use to detect your operating system version.

To hide the server header information, Windows users can download Microsoft's URLScan security tool. It lets you stop the IIS version information carried in the server header from being displayed, whether in a network trace or in the output of a Telnet command.
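The Telnet-to-port-80 check described earlier and the URLScan masking described here are two sides of the same test: after you configure URLScan, you want to confirm from the outside that the version string is gone. The script below is an added example, not part of the original article or of URLScan: it parses a raw HTTP response the way a Telnet session would show it, reports the identifying headers it finds, and classifies the banner as `version`, `product-only`, or `masked`. Both sample responses are constructed; `grab_banner()` performs the same HEAD request against a host you name, which is what you would point at your own server after the change.

```python
import re
import socket
from typing import Optional

# Constructed sample responses (not captured from any real host).
# What a Telnet session to port 80 shows for an unmasked IIS 5.0 server:
UNMASKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# The same server once the Server header has been removed:
MASKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Response headers that commonly identify the server software or platform.
IDENTIFYING = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_headers(raw: bytes) -> dict:
    """Split a raw HTTP response into a dict of lower-cased header name -> value."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def server_header(raw: bytes) -> Optional[str]:
    """The Server header value, or None when the server sends none."""
    return parse_headers(raw).get("server")


def leaked_headers(raw: bytes) -> dict:
    """Every identifying header present in the response, by name."""
    headers = parse_headers(raw)
    return {name: headers[name] for name in IDENTIFYING if name in headers}


def assess(raw: bytes) -> str:
    """Classify the banner: 'version' (product and version), 'product-only', or 'masked'."""
    value = server_header(raw)
    if not value:
        return "masked"
    if VERSION_RE.search(value):
        return "version"
    return "product-only"


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the same HEAD request a manual Telnet check would and return the raw reply."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for label, raw in (("before", UNMASKED), ("after", MASKED)):
        print(f"{label}: {assess(raw)} {leaked_headers(raw)}")
```

The three-way result matters because a masked Server header is not the only option: replacing it with a product name and no version still tells a scanner less than the default, and the `product-only` class lets you record that choice deliberately rather than treating it as a failure.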

Author's note
Although URLScan can help you conceal IIS information, it does not apply to the FTP service. Admins often want the message "Microsoft FTP Service (Version X.X)" removed or hidden. However, the FTP banner, the welcome message that appears before the user logs on, is hard-coded: it is part of the Ftpsvc2.dll file and cannot be removed or changed.

Virus protection
You may wonder why we would talk about virus protection while discussing ways to keep from broadcasting your Windows information to hackers. The focus here is on what we hope the virus protection software will catch: Trojan programs. Trojans are not viruses, since they do not replicate. But they're often just as destructive as viruses, because they are malicious programs disguised as benign ones.

All back-door Trojans have one thing in common: They allow unauthorized access to the infected computer. Just as the name implies, this is like having your back door propped open to let every hacker know they are welcome. A number of Trojan programs are designed to covertly monitor activity on a victim system—typically employing keystroke and screen captures. The results are then e-mailed from the victim system by the Trojan to a specific e-mail account at various intervals. In this way, a hacker can really find out a lot about a system, often including the local admin password and other sensitive information that can be used to compromise the system. As a result, part of protecting the information about your servers involves protecting them against Trojans.

Saving social security
There will be no mention of lock boxes here—just privatization. All the technical precautions known to an administrator can't prevent the breach that results when individuals release information to possible hackers. The most common example is a user giving his or her username and password over the phone to someone claiming to be a company administrator. This is usually called social engineering.

The example does not have to be so obvious, either. Network documentation revealing server names, IP addresses, and even administrator access is often shared with contractors and consultants. These hard-working IT professionals could be moonlighting as hardcore hackers. Or, they might not protect this information well enough, and it could fall into the hands of hackers. The point here is to share your Windows information with authorized and trusted personnel only.

Final word
Knowing the details of a Windows server greatly increases a hacker's efficiency. No combination of these measures will make your Windows server completely anonymous. But setting and pursuing the goal of not broadcasting this information will make your server a less likely victim of an attack.
