The FBI has worked with the SANS Institute to develop a list of the 10 most exploited Windows threats
For the fourth time, the SANS Institute has teamed up with the FBI to publish an annual compilation of the top 20 Internet security vulnerabilities. What makes this list particularly important is its focus on vulnerabilities that are actively being exploited rather than on theoretical or potential threats. In most cases, these vulnerabilities are being targeted because administrators failed to properly lock down their systems or install widely available patches. Applying patches and/or tightening firewall configurations to block the SANS/FBI top 20 vulnerabilities could keep administrators from having to put out so many fires and allow them to concentrate on threats as they emerge.
The SANS/FBI list is broken down into two parts: Windows threats and Linux/UNIX threats. Some are relatively easy to combat or the method of blocking them is straightforward (for example, P2P threats). Eliminating these easier problems should free you up to tackle the tougher threats that have no simple solution. Below is a summary of the Windows list. I will cover the Linux/UNIX list in a future article.
Top 10 Windows threats
Internet Information Services (IIS)
You can tighten IIS security fairly easily by using URLScan to filter potentially malicious HTTP requests and employing the IIS Lockdown Wizard to help you harden the installation. URLScan is included in the current version of IIS Lockdown Wizard but you can also download it for use with older systems. If you are running a default installation of IIS 4.0 or 5.0, you are asking for trouble and are likely to see it exploited.Microsoft SQL Server (MSSQL)
Keep an eye on new patches for MSSQL and apply them as soon as possible. The Internet Storm Center always shows MSSQL's default ports, 1433 and 1434, as being among the most actively probed on the net. Any weakness will be quickly exploited.Windows authentication
Good password management is the key to effective authentication, and SANS offers guidelines for ensuring that passwords are complex enough to defeat at least casual attacks. According to SANS, passwords shouldn't include any part of a user account name and should be at least six characters long. In addition, passwords "should contain characters from three of the following four categories: English uppercase characters (A through Z), English lowercase characters (a through z), Base 10 digits (0 through 9), non-alphanumeric characters (for example, !, $, #, %)." Starting with Win2K, Windows operating systems have included tools that make it easy to enforce good password creation and maintenance policies. Poor password policies aren't the only weak point in Windows authentication, but they are among the easiest to tackle. The SANS report offers a number of other authentication recommendations as well.Internet Explorer (IE)
Every version of IE has critical threats, and new ones are found all the time. Any administrator without a regular plan for updating this critical tool is making a major mistake. SANS suggests that you use online browser tests, such as the one from Qualys, to help maintain IE security. This is particularly useful because the test can easily be run by a nontechnical staffer.Windows remote access services
To make things easier for those migrating from other systems or connecting to them, Windows platforms support most other networking protocols. If you aren't using them, you should disable them immediately. Klez, Sircam, and Nimda all spread around the world so quickly because many systems don't properly configure network shares that allow a host to remotely access files.Microsoft Data Access Components (MDAC)
The Remote Data Services component of many MDAC versions has serious vulnerabilities. You might want to look over Wiretap.net's report on hardening RDS for a quick overview, in addition to reading Microsoft's recommendations such as the Knowledge Base article on this topic.Windows Scripting Host (WSH)
You probably can't simply disable WSH because it's used for many administrative and desktop automation functions, so you should simply change the default treatment of script files with these extensions: .vbs, .vbe, .js, jse, and .wsf.Microsoft Outlook and Outlook Express
If you can't live without Outlook and Outlook Express, a good antivirus signature update policy will provide some necessary protection.Windows peer-to-peer file sharing (P2P)
P2P applications should be ruthlessly expunged from business networks, if only because P2P networks are often used for illegal purposes in violation of copyright or other laws. Although you can't block all the ports used by P2P software (after all, KaZaa uses port 80), you can probably cripple most of its activity at the firewall.Simple Network Management Protocol (SNMP)
This one is pretty obvious. SNMP is used to remotely manage everything from printers to wireless access points and is therefore a major threat if not maintained properly. If you don't need or use SNMP then the fix is simple -- disable it. I suspect that a large number of the SNMP exploits are due to installations where the people running the system don't even realise it's there.
Risk level -- Critical
The vulnerabilities listed here are ones that hackers are most actively exploiting against Windows networks.
Fix
Patch or apply a workaround where appropriate. Some of these threats keep popping up as new vulnerabilities or ways to exploit them appear, but patches or workarounds are available for all the older exploits that are not being applied on many systems.
Some threats, such as the continuing problem with P2P file sharing, simply shouldn't be permitted on a business network. To block it, administrators must periodically scan for the presence of P2P and push upper management for the creation of strict enforcement of rules forbidding users from installing such software.
Final word
I suspect that some administrators are secretly happy that the SANS/FBI top 20 list isn't more widely publicised in the general media. If upper management questioned many IT departments about whether their company was covered against these threats, many of them would not get a very satisfactory response.
There are good reasons why some of these vulnerabilities (for example, popular software such as IIS and SQL Server) are perennial favourites. But some of the others should be eliminated in any properly managed operation. This is especially true for installations where unused services are allowed to remain active when they shouldn't even be there. Because they are rarely used, they also tend to be ignored when it comes to proper maintenance, which makes them doubly vulnerable and dangerous.
