For the fourth time, the SANS Institute has teamed up with the FBI to publish an annual compilation of the top 20 Internet security vulnerabilities. What makes this list particularly important is its focus on vulnerabilities that are actively being exploited rather than on theoretical or potential threats. In most cases, these vulnerabilities are being targeted because administrators failed to properly lock down their systems or install widely available patches. Applying patches and/or tightening firewall configurations to block the SANS/FBI top 20 vulnerabilities could keep administrators from having to put out so many fires and allow them to concentrate on threats as they emerge.
The SANS/FBI list is broken down into two parts: Windows threats and Linux/UNIX threats. Some are relatively easy to combat or the method of blocking them is straightforward (for example, P2P threats). Eliminating these easier problems should free you up to tackle the tougher threats that have no simple solution. Below is a summary of the Windows list. I will cover the Linux/UNIX list in a future article.
Top 10 Windows threats
- Internet Information Services (IIS)
You can tighten IIS security fairly easily by using URLScan to filter potentially malicious HTTP requests and employing the IIS Lockdown Wizard to help you harden the installation. URLScan is included in the current version of IIS Lockdown Wizard but you can also download it for use with older systems. If you are running a default installation of IIS 4.0 or 5.0, you are asking for trouble and are likely to see it exploited.
- Microsoft SQL Server (MSSQL)
Keep an eye on new patches for MSSQL and apply them as soon as possible. The Internet Storm Center always shows MSSQL's default ports, 1433 and 1434, as being among the most actively probed on the net. Any weakness will be quickly exploited.
- Windows authentication
Good password management is the key to effective authentication, and SANS offers guidelines for ensuring that passwords are complex enough to defeat at least casual attacks. According to SANS, passwords shouldn't include any part of a user account name and should be at least six characters long. In addition, passwords "should contain characters from three of the following four categories: English uppercase characters (A through Z), English lowercase characters (a through z), Base 10 digits (0 through 9), non-alphanumeric characters (for example, !, $, #, %)." Starting with Win2K, Windows operating systems have included tools that make it easy to enforce good password creation and maintenance policies. Poor password policies aren't the only weak point in Windows authentication, but they are among the easiest to tackle. The SANS report offers a number of other authentication recommendations as well.
Talkback
Any special reason why this is news today and not on October 8th 2003 when the list was published?