This story was printed from ZDNet Australia.
Top Windows security threats

By John McCormick
October 22, 2002
URL: http://www.zdnet.com.au/insight/soa/Top-Windows-security-threats/0,139023731,120269265,00.htm


Sometimes, it’s useful to step back from the day-to-day round of warnings, updates, hardware failures, vulnerability scans, penetration reports, and the perennial fight for stronger passwords to get an overall view of what the worst threats to your network really are—if only to see whether you are wasting resources and missing the big picture.

The SANS Institute and the NIPC (National Infrastructure Protection Center) have released their latest report on the top Internet-related security threats, the SANS/FBI Top 20 List.

Experienced administrators can view this list as an opportunity to run a quick checkup to see whether they’ve missed anything obvious, but it is most useful for newer administrators trying to decide which of the multitude of threats and vulnerabilities they should fix first.

This article will focus on the Windows vulnerabilities in that list. My next article will cover the Linux/UNIX vulnerabilities and will include a list of ports that SANS recommends administrators block at the firewall to stop most attacks until you have time to install a proper patch.

By way of comparison, you may want to check out the May 2, 2002, Top 20 List and the original Top 10 List from June 25, 2001.

Windows vulnerabilities
The SANS/FBI report is more than just a simple list. It offers valuable details about the problems and how to deal with them. You can check out the original report for more information on any individual vulnerability.

Here are the most exploited Windows vulnerabilities detailed on the list:


Let's take a closer look at these flaws.

Internet Information Services
IIS is plagued with buffer overflows, the inability to properly filter requests, and poorly implemented sample applications. Some are old problems that should have been patched years ago. But IIS vulnerabilities keep popping up with each new version, so it’s difficult to place much of the blame on sloppy administrators. Run HFNetChk to check for the presence of current patches.

Applicability—Windows NT 4 running IIS 4, Windows 2000 running IIS 5, and XP Pro running IIS 5.1

Fix—Apply patches. Stay current on the patches for your particular version of IIS, because new problems are almost certain to surface. Configure the URLScan filter to reject maliciously formed HTTP requests (see Microsoft's URLScan documentation). Remove the ISAPI extension mappings, such as .htr, .idq, .ism, and .printer, that most IIS installations map by default but that most sites never need. Get rid of the sample applications; look for them in the %wwwroot%\scripts directory. Also, don't install samples or remote administration tools on new installs.
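The filtering step above is the one that stops many of the canonical IIS attacks before a vulnerable ISAPI handler ever sees the request. The block below is an added example, not code from the original article and not Microsoft's URLScan: it is a small request filter in URLScan's spirit that rejects requests for the extension mappings the article lists (plus .ida, the other Index Server mapping), over-long URLs and query strings, unsupported methods, and encoded path traversal. The method set, the length limits and the denied-extension set are this example's own assumptions, chosen to illustrate the idea rather than to reproduce URLScan's shipped configuration.

```python
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# ISAPI extensions the article lists as mapped by default but rarely needed,
# plus .ida (the other Index Server mapping). This set is this example's own
# choice, not URLScan's default DenyExtensions list.
DENIED_EXTENSIONS = {".htr", ".idq", ".ida", ".ism", ".printer"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed policy for this example
MAX_URL_LENGTH = 260                        # assumed limits for this example
MAX_QUERY_LENGTH = 2048


def decode_path(path: str) -> Optional[str]:
    """Percent-decode the path twice, strictly; return None on bad encoding.

    Decoding twice exposes double-encoded traversal such as %255c
    (-> %5c -> backslash). Strict UTF-8 decoding rejects overlong sequences
    such as %c0%af, used by the IIS Unicode directory-traversal attacks,
    instead of quietly mapping them to a replacement character.
    """
    try:
        return unquote(unquote(path, errors="strict"), errors="strict")
    except UnicodeDecodeError:
        return None


def check_request(request_line: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a raw request line such as 'GET /x.asp HTTP/1.0'."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if len(target) > MAX_URL_LENGTH:
        return False, "URL too long"
    url = urlsplit(target)
    if len(url.query) > MAX_QUERY_LENGTH:
        return False, "query string too long"
    path = decode_path(url.path)
    if path is None:
        return False, "invalid percent-encoding in path"
    # Anything that could climb out of the web root once IIS normalises the path.
    if ".." in path or "\\" in path:
        return False, "path traversal"
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in path):
        return False, "control or non-ASCII character in path"
    # The extension of the last path component, as IIS would map it to an ISAPI DLL.
    ext = posixpath.splitext(path)[1].lower()
    if ext in DENIED_EXTENSIONS:
        return False, f"extension {ext} is denied"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request lines: one benign, the rest shaped like well-known IIS probes.
    for line in [
        "GET /default.asp HTTP/1.0",
        "GET /global.asa+.htr HTTP/1.0",
        "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
        "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
        "GET /NULL.printer HTTP/1.0",
    ]:
        print(check_request(line), line)
```

The filter works on the decoded path, which matters: the historic IIS traversal attacks relied on the server decoding the URL a second time after its own checks had run, so a filter that inspects only the raw bytes passes exactly the requests it was meant to stop.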

MDAC
Microsoft Data Access Components' Remote Data Services (RDS) component has a coding error that lets remote users run commands with administrative privileges and can expose back-end databases to anonymous external attackers.

Applicability—NT 4.0 systems running IIS 3.0 or 4.0, RDS 1.5, or Visual Studio 6.0

Fix—Upgrade to MDAC version 2.1 or later if that doesn't cause compatibility problems; otherwise, change your system configuration as described in these bulletins:

As you can see from the dates on these Security Bulletins, these are well-known vulnerabilities. The fact that this is the second most commonly exploited attack vector used against Windows networks is an indictment of the level of security maintained on a vast number of older systems.

Microsoft SQL Server
The Internet Storm Center consistently reports TCP port 1433, SQL Server's default listener port, as one of the top 10 ports scanned by attackers, so any weakness in Microsoft SQL Server is likely to be exploited quickly.

Applicability—SQL Server 7.0, SQL Server 2000, or SQL Server Desktop Engine 2000 installations

Fix—Apply one of these patches:

NETBIOS/Windows networking shares
Using the Server Message Block (SMB) protocol, also known as the Common Internet File System (CIFS), to give remote users access to files also opens the system to attack.

Applicability—All Windows systems

Risk—The Sircam virus and the Nimda worm both exploited this vulnerability, so it’s a proven danger.

Fix—Restrict which files and directories are shared and which accounts can reach them, and limit access by source IP address rather than by easily spoofed DNS names. If file serving isn't essential on a system, disable it and block the ports at the firewall: TCP 139 and 445, and UDP 137 and 138.
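Both the SQL Server section and this one rest on the same observation: attackers sweep address ranges for TCP 1433 and for the file-sharing ports, so blocked probes at the perimeter are worth watching. The block below is an added example, not part of the original article, that runs that triage over constructed firewall-drop log lines and reports any source that probed a watched port on many distinct hosts. The log format, the watched-port table and the five-host threshold are assumptions made for the example; adapt the regular expression to your own firewall's format.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Ports the article singles out: SQL Server's listener and Windows file sharing.
WATCHED_PORTS = {1433: "MS SQL Server", 139: "NetBIOS session", 445: "SMB/CIFS"}
# Distinct destination hosts one source must touch before it counts as a sweep (assumed).
SWEEP_THRESHOLD = 5

# Constructed log format for this example:
# "<date> <time> DROP <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one drop record; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    return {
        "ts": rec["ts"], "proto": rec["proto"],
        "src": rec["src"], "dst": rec["dst"],
        "sport": int(rec["sport"]), "dport": int(rec["dport"]),
    }


def find_sweeps(lines: Iterable[str], threshold: int = SWEEP_THRESHOLD) -> List[Tuple[str, int, int]]:
    """Return (source, port, distinct_hosts) for every source that probed a
    watched port on at least `threshold` distinct destination hosts.

    Counting distinct destinations, not raw drops, is what separates a
    horizontal sweep from one chatty host retrying a single file server.
    """
    targets = defaultdict(set)  # (src, dport) -> set of destination hosts
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WATCHED_PORTS:
            continue
        targets[(rec["src"], rec["dport"])].add(rec["dst"])
    return sorted(
        (src, port, len(hosts))
        for (src, port), hosts in targets.items()
        if len(hosts) >= threshold
    )


# Constructed sample: an 8-host sweep of 1433, a 5-host sweep of 445, three
# repeated drops from one internal host to a single file server (noise, not a
# sweep), one drop on an unwatched port, and one unparseable line.
SAMPLE_LOG = (
    [f"2002-10-22 03:14:{i:02d} DROP TCP 203.0.113.7:{4000 + i} -> 192.0.2.{i}:1433" for i in range(1, 9)]
    + [f"2002-10-22 03:20:{i:02d} DROP TCP 198.51.100.23:{3300 + i} -> 192.0.2.{10 + i}:445" for i in range(5)]
    + ["2002-10-22 03:21:00 DROP TCP 192.0.2.50:1055 -> 192.0.2.1:445"] * 3
    + ["2002-10-22 03:22:00 DROP TCP 203.0.113.9:2222 -> 192.0.2.3:80",
       "not a log line at all"]
)

if __name__ == "__main__":
    for src, port, n in find_sweeps(SAMPLE_LOG):
        print(f"{src} probed {WATCHED_PORTS[port]} (tcp/{port}) on {n} hosts")
```

On the sample above the internal host that hits one file server three times is not reported, while the two external sources sweeping 1433 and 445 across the range are; those are the addresses worth feeding into a block list or cross-checking against the Internet Storm Center's current top-port data.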

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to fire walls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2001 TechRepublic, Inc.

