Sometimes, it’s useful to step back from the day-to-day round of warnings, updates, hardware failures, vulnerability scans, penetration reports, and the perennial fight for stronger passwords to get an overall view of what the worst threats to your network really are—if only to see whether you are wasting resources and missing the big picture.
The SANS Institute and the NIPC (National Infrastructure Protection Center) have released their latest report on the top Internet-related security threats, the SANS/FBI Top 20 List.
Experienced administrators can view this list as an opportunity to run a quick checkup to see whether they’ve missed anything obvious, but it is most useful for newer administrators trying to decide which of the multitude of threats and vulnerabilities they should fix first.
This article will focus on the Windows vulnerabilities in that list. My next article will cover the Linux/UNIX vulnerabilities and will include a list of ports that SANS recommends administrators block at the firewall to stop most attacks until you have time to install a proper patch.
By way of comparison, you may want to check out the May 2, 2002, Top 20 List and the original Top 10 List from June 25, 2001.
The SANS/FBI report is more than just a simple list. It offers valuable details about the problems and how to deal with them. You can check out the original report for more information on any individual vulnerability.
Here are the most exploited Windows vulnerabilities detailed on the list:
- W1 Internet Information Services (IIS)
- W2 Microsoft Data Access Components (MDAC)—Remote Data Services
- W3 Microsoft SQL Server
- W4 NETBIOS—Unprotected Windows Networking Shares
- W5 Anonymous Logon—Null Sessions
- W6 LAN Manager Authentication—Weak LM Hashing
- W7 General Windows Authentication—Accounts with No Passwords or Weak Passwords
- W8 Internet Explorer
- W9 Remote Registry Access
- W10 Windows Scripting Host
Let's take a closer look at these flaws.
Internet Information Services
IIS is plagued with buffer overflows, the inability to properly filter requests, and poorly implemented sample applications. Some are old problems that should have been patched years ago. But IIS vulnerabilities keep popping up with each new version, so it’s difficult to place much of the blame on sloppy administrators. Run HFNetChk to check for the presence of current patches.
Applicability—Windows NT 4 running IIS 4, Windows 2000 running IIS 5, and XP Pro running IIS 5.1
Fix—Apply patches. Stay current on any patches for your particular version of IIS because new problems are almost certain to surface. You should configure the URLScan filter to reject maliciously formed HTTP requests as explained here. Change the ISAPI extensions, such as .htr, .idq, .ism, and .printer, which are mapped by default in most IIS installations but which most users don't need. Get rid of samples. Look for these in the %wwwroot%\scripts directory. Also, don’t install samples or remote administrations tools on new installs.
Microsoft Data Access Components’ Remote Data Services component has a coding error that elevates remote users to administrative privileges and can make databases accessible to anonymous external attacks.
Applicability—NT 4.0 systems running IIS 3.0 and 4.0, RDS 1.5, or VS 6.0
Fix—Upgrade to MDAC version 2.1 or later if this doesn’t produce compatibility problems or make changes to your system configuration based on these bulletins:
As you can see from the dates on these Security Bulletins, these are well-known vulnerabilities. The fact that this is the second most commonly exploited attack vector used against Windows networks is an indictment of the level of security maintained on a vast number of older systems.
Microsoft SQL Server
The Internet Storm Center consistently reports SQL Server Port 1433 as one of the top 10 ports scanned for vulnerabilities by attackers, so any weakness in Microsoft SQL is likely to be exploited.
Applicability—SQL Server 7.0, SQL Server 2000, or SQL Server Desktop Engine 2000 installations
Fix—Apply one of these patches:
NETBIOS/Windows networking shares
Using the Server Message Block (SMB) protocol or the Common Internet File System (CIFS) to allow remote user access to files also opens the system to attack.
Applicability—All Windows systems
Risk—The Sircam virus and the Nimda worm both exploited this vulnerability, so it’s a proven danger.
Fix—Restrict which files can be accessed and limit access to specific IP addresses rather than easily spoofed DNS names. If file serving isn’t essential on a system, disable this feature and block the ports.
Windows’ SYSTEM account provides many critical services, but it also allows access to files on other machines through an anonymous logon procedure (null session). Unfortunately, this means that attackers can also log on anonymously.
Applicability—Windows NT, 2000, and XP
Fix—About all you can do is modify the registry to limit the potential damage. There are some suggestions in the SANS list.
LAN Manager LM hashing
LAN Manager is a legacy tool. The passwords and encryption used during its heyday were strong enough, but they can quickly be compromised with today’s much faster systems.
Applicability—All Windows operating systems: Default installations of NT, 2000, and XP all store LAN Manager hashes by default.
Fix—If you don’t need it, disable LM Authentication. Details of how to do this are included in the SANS/FBI report. Also see:
- "How to Disable LM Authentication on Windows NT" [Q147706]
- "LMCompatibilityLevel and Its Effects" [Q175641]
- "How to Enable NTLM 2 Authentication for Windows 95/98/2000 and NT" [Q239869]
- "New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager" [Q299656]
Weak passwords are the bane of admins' existence. Various schemes have been developed to force users to adopt strong passwords and change them periodically, but users usually complain so loudly that administrators are often forced to compromise in one way or another, thus weakening access controls.
The fact that this problem is listed as the seventh most commonly exploited vulnerability may provide you with some ammunition the next time you attempt to enforce good password policies.
Applicability—All password-protected systems or applications
Fix—I won’t go into the various ways to create and protect strong passwords here. (See this article for some useful tips.) This is a user and management issue. The problem usually isn't ignorance of how to create strong passwords. It's a matter of convincing management to allow you to take a hard line on this.
The major threats to Internet Explorer users lie in several areas:
- ActiveX controls
- Scripting vulnerabilities
- MIME type and content misinterpretation
- Buffer overflows
Risk—Cookies and other local files can be compromised, vulnerable systems can be taken over, and malicious code can be installed and run, as can any local program, including critical ones such as del (delete) or format.
Fix—Upgrade and then patch. Microsoft doesn’t support IE versions earlier than 5.01, so you can’t secure it until you update to a relatively new version. After you upgrade to IE 5.01 or 5.5, install Service Pack 2 for 5.01 or Service Pack 2 for 5.5 and then apply the cumulative security patch (Q323759). If you move to IE6, just install Service Pack 1.
The registry is the most critical file on any Windows system and remote access to it can do unlimited damage to the system.
Applicability—All Windows versions: The NT Resource Kit contains regdump.exe, which will test remote registry access permissions and show whether your system is vulnerable.
Fix—Limit access: This isn’t a software bug but a feature of Windows, so all you can do is limit access and try to avoid potential damage.
Microsoft Knowledge Base Article Q153183 shows how to restrict remote access to the NT registry, and the SANS/FBI report details some ways to limit both authorized and unauthorized remote access using registry keys.
Windows Scripting Host
Visual Basic is great for programming macros, but The Love Bug and other VB script worms have caused untold damage when users were tricked into downloading a .vbs text file that was then automatically executed by Windows Scripting Host (WSH).
Applicability—Any Windows system
Fix—Disable WSH: Follow the Symantec or Sophos directions to remove the Windows Scripting Host so that .vbs files won’t run automatically. Running antivirus software and keeping the definition database current can also help mitigate this problem.
It’s critical to remember that hackers, especially script kiddies who can use only known vulnerabilities, also know about these threats. And they know that the threats aren’t being patched as often as they should be. You can expect that when hackers turn their attention to your systems, these will be among the first they will attempt to exploit.