Lock IT Down: Roll up your own Windows 2000 security

Some quick security fixes in lieu of Windows 2000 Service Pack 3


With all of the security attacks that have been made against Windows 2000 in recent months, you’d think that Microsoft would change the familiar Windows logo to look like a big bull's-eye. Barely a week goes by without some new exploit or attack making the news.

Even though Microsoft hasn’t yet released Service Pack 3 for Windows 2000, it continues to provide smaller updates and hot fixes. Keeping up with and applying all these updates can be quite a challenge. Microsoft has made this task a little easier by releasing the Windows 2000 Security Rollup Package. In this Daily Feature, I’ll take a look at the package, showing you what’s in it and how to apply it.

What is it and why do I need it?
Since shipping Service Pack 2 for Windows 2000, Microsoft has released dozens of hot fixes and security updates for Windows 2000. Even though Service Pack 3 hasn’t been shipped yet, Microsoft decided there were enough security hot fixes available that it would be useful to create one large package containing them all. So Microsoft created the Windows 2000 Security Rollup Package.

As you can probably guess by the name, the package is only intended for Windows 2000 servers and workstations. In addition, the package is only for those Windows 2000 servers and workstations that are running Service Pack 2. You can’t install this package if you’re running an earlier service pack or if you’ve never updated your server at all.

The Windows 2000 Security Rollup Package patches almost 50 potential security problems in Windows 2000. Components patched by this package include the base operating system, FrontPage Server Extensions, the Indexing Service, and IIS 5.0. Key fixes include the following:
  • NetMeeting vulnerability: By attacking port 1720, a hacker can cause NetMeeting to flood the CPU with requests, driving up usage to 100 percent and slowing down the entire system.
  • Windows 2000 Event Viewer buffer vulnerability: Event Viewer contains an unchecked buffer that can be used to run arbitrary code on a server. The event displayed by Event Viewer would have to be properly formed to trigger the event, and the user viewing the event would have to have full system rights for the vulnerability to be effective.
  • Malformed domain controller service request vulnerability: This vulnerability could enable a user to temporarily disrupt service on Windows 2000 domain controllers. If a hacker sends a continuous stream of malformed requests to the domain controller, the service that’s vulnerable to the attack would consume most of the computer's resources. This could cause the domain controller to process requests for the service slowly or not at all.
  • FTP service vulnerability: With this vulnerability, IIS 5.0 allows users to log on using a Domain Guest Account. If a user wants to log on to an FTP server by using a domain user account rather than a local one, he or she is required to precede it with the name of the domain. However, if the user precedes an account name with a particular set of characters, a flaw causes the FTP service to search the domain and all trusted domains for the user account. If the user enters the correct password for the account, FTP lets the user access the server. This vulnerability only works if the Guest account on the local computer has been disabled and the Guest account on a trusted domain is enabled.
  • Memory leaks in Terminal Services: Windows 2000 Terminal Services contains a memory leak in one of the functions that processes incoming Remote Data Protocol (RDP) data via port 3389. When a malformed RDP packet arrives at the server, the memory leak depletes overall server memory by a small amount. If a hacker sent enough of these malformed RDP packets to the server, the hacker could completely deplete the server’s RAM, causing the server to crash or run extremely slowly.
  • Memory leaks in the NNTP Service: The Network News Transfer Protocol (NNTP) service in Windows 2000 contains a memory leak that occurs when NNTP processes news postings. The server’s memory can be depleted each time a specifically malformed news posting is handled by NNTP. If a hacker sent a large number of such posts, the hacker could completely deplete the server’s RAM, causing the server to crash or run extremely slowly.

The downside
Unfortunately, the Windows 2000 Security Rollup Package doesn’t fix every security problem with Windows 2000. New exploits appear on a reasonably regular basis, so it’s difficult for Microsoft to produce new patches to keep up.

The Windows 2000 Security Rollup Package doesn’t address security problems that have occurred since Microsoft Security Bulletin MS01-052. This includes such things as the Exchange 5.5 OWA script vulnerability and the unchecked buffer vulnerability in SQL Server 7.0. This package also doesn’t address a vulnerability in WebDAV that can cause certain Web scripts to execute WebDAV requests on a user’s behalf without the user’s knowledge or permission.

Additionally, many security issues arise from poor administration practices rather than from security problems due to breakdowns that are inherent in the system. Don’t expect the Windows 2000 Security Rollup Package to save you from your own administrative mistakes.

Obtaining and installing the package
To obtain the Windows 2000 Security Rollup Package, you can go to the Windows 2000 Security Rollup Package information page and click the Download link. You can also go directly to the Windows 2000 Security Rollup Package download page.

On the information page, select the language you have installed on your Windows 2000 server from the drop-down list and click Go. When the Security Update page appears, click the Network Installation link. Microsoft’s Web site suggests that, when the File Download window appears, you select the Run This Program From Its Current Location radio button. Or, if you have more than one server you want to update, you should select Save This Program To Disk and save the program to a temporary directory on your server.

Next, you’ll see the w2kSP2SRP1.exe file download to your server. This file is 16.9 MB long, so it may take a while to download if you’re only connecting with a dial-up account. After you’ve downloaded the file, just execute it on each Windows 2000 server on your network. Follow the directions on screen to extract and install the security package when the Windows 2000 SP2SRP1 Setup Wizard appears. You’ll need to restart your server after the package installs.

Microsoft suggests that you run Qfecheck after you install the Security Rollup Package to ensure that all of the patches applied properly. For more information on Qfecheck, see the Daily Feature “Keep track of Windows 2000 hot fixes with Qfecheck.”

You can also confirm that the package has installed by opening a command prompt on your Windows 2000 server. If you type winver and press [Enter], you’ll see a dialog box appear that shows your current Windows version as being Version 5.0 (Build 2195; Service Pack 2). Below the Microsoft copyright information, you’ll see SRP1, which indicates that the Security Rollup Package has been properly applied.

Conclusion
Keeping up with all of the latest security patches for Windows 2000 can be a time-consuming chore. Microsoft’s Windows 2000 Security Rollup Package can help make sure you’ve applied security patches that you might have otherwise missed. Applying this package will help make your Windows 2000 server more reliable and more secure.