Web Informant #257, 17 August 2001:
Getting Rid of Code Red

http://www.strom.com/awards/257.html

If you are concerned about securing your Windows servers, chances are you are in quite a state right now. This week we seemed to have a patch du jour to plug various security loopholes and exploits in Windows NT and 2000 servers, including problems with Microsoft's web and news servers running on these operating systems.

Even those of you who are savvy enough to download the necessary fixes might not have gotten everything locked down. The problem is that you might not have been looking in all the right places. There are plenty of products that make use of Microsoft server software or incorporate it into their own software, including various products from Cisco, as Network World reported this week. And it may not be as obvious as you think to track them down. These products are just as vulnerable and require the same patches to keep them from being compromised.

Cisco and other vendors include Internet Information Server (Microsoft's web server) as a means of managing some of their networking products, including CallManager, the Cisco Utility Server, Broadband Service Manager, and other tools. And even Cisco Works 2000 is at risk because IIS was required as part of its installation.

Cisco isn't the only networking vendor to leverage Microsoft's web server software. I have looked at numerous less well-known products over the years that are built on top of IIS because it is an easy and convenient web server. These days just about every piece of gear that you buy has a web-based management interface, from switches and hubs to printers and routers. Most of these products make use of some form of embedded web server that isn't from Microsoft, but there are plenty that do incorporate IIS.

To make matters more confusing, not all Windows versions have the same security issues. Even though Microsoft includes a stripped-down version of its web server in various Windows versions, this software doesn't have the same vulnerabilities as the Windows NT and 2000 Server versions that are running "real" copies of IIS. The Code Red attacks only harm machines that have a particular DLL installed that is part of the indexing server component of IIS.

So if you want to be a Boy Scout and try to fix things, you have a few tools to make use of. But be warned: these tools can make matters even more confusing.

There is one tool from Eeye.com: this is a relatively simple port scanner that looks across a range of IP addresses on your network for machines that are vulnerable to Code Red, and only Code Red.

This doesn't check for any other problems with your Windows servers, however. For that, you will want to run one of the following tools, both developed for Microsoft by Shavlik Technologies:

The first tool, called Microsoft Personal Security Advisor, uses a series of ActiveX controls to scan your machine and report back on any security weaknesses and problems that it finds. Helpfully, its report includes web links to the Knowledge Base articles that describe each issue and provide the fix, covering a wide range of problems with the base Windows operating system, IIS, and Internet Explorer.

The second tool is called Hfnetchk.exe and is a command-line utility that just reports on the missing hotfixes that need to be applied to your system, along with the numbers for the Knowledge Base articles (but not any web links to them). It doesn't report on the many other issues (such as anonymous or guest ID access and registry changes) that MPSA finds.

I ran both tools on a few machines in my office, just to see what I could find. Yep, several of my test machines were vulnerable in any number of ways, and if I followed all the instructions it would take me the better part of a day to apply all the fixes. One of the sorry things about Windows is watching it reboot while the operating system takes care of itself, and you have to reboot often in between applying most patches.

But the most frustrating part for me was that both tools delivered different reports. Both listed 33 fixes to one of my Windows 2000 Servers, but each list was different. For example, MPSA reported that I needed to apply the MS00-0062 patch relating to local security policies, but it was missing from Hfnetchk's list. And Hfnetchk (but not MPSA) reported that I needed to apply MS01-005. The more I wanted to know, the more confused I got.

So, riddle me this: why are the lists different, especially since the same company has developed both tools?
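When two scanners disagree, the practical answer is to reconcile their reports mechanically rather than trust either one alone: treat the union as the work list, and mark every bulletin that only one tool flagged for manual verification against its Knowledge Base article. The script below is an added example, not code from this column, from Microsoft, or from Shavlik. Its two report texts are constructed for illustration and do not reproduce the real MPSA or Hfnetchk output; the KB numbers and titles in them are placeholders. Only MS00-0062 and MS01-005 come from the column; MS01-033 is, from the editor's own knowledge and not from the column, the bulletin for the Index Server ISAPI overflow that Code Red exploited.

```python
"""Reconcile two scanners' lists of missing hotfixes.

Added example, not code from the column, Microsoft or Shavlik. The two
report texts below are constructed for illustration; they do not
reproduce the real MPSA or Hfnetchk output formats, and the KB numbers
and titles in them are placeholders.
"""
import re

BULLETIN_RE = re.compile(r"\b(MS\d{2}-\d{3,4})\b", re.IGNORECASE)
KB_RE = re.compile(r"\bQ\d{6}\b")

# Constructed report from "tool A" (MPSA-like: bulletin, KB article, title).
REPORT_A = """\
Missing hotfix MS00-0062 (Q100001) - placeholder title
Missing hotfix MS01-033 (Q100002) - placeholder title
Missing hotfix MS01-026 (Q100003) - placeholder title
"""

# Constructed report from "tool B" (Hfnetchk-like: bulletin and KB only).
REPORT_B = """\
Patch NOT Found  MS01-005  Q100004
Patch NOT Found  MS01-033  Q100002
Patch NOT Found  MS01-026  Q100003
"""


def parse_report(text):
    """Map each bulletin id mentioned in the report to its KB number (or None)."""
    found = {}
    for line in text.splitlines():
        m = BULLETIN_RE.search(line)
        if not m:
            continue  # headers, blank lines, other chatter
        kb = KB_RE.search(line)
        found[m.group(1).upper()] = kb.group(0) if kb else None
    return found


def reconcile(a, b, names=("A", "B")):
    """Split two scanners' findings into agreed, disputed and a merged work list.

    Disagreement does not mean either tool is wrong: the safe reading is the
    union, with the disputed items marked for manual checking against the KB
    article before they are applied or dismissed.
    """
    sa, sb = set(a), set(b)
    work = []
    for bid in sorted(sa | sb):
        flagged_by = tuple(n for n, s in zip(names, (sa, sb)) if bid in s)
        kb = a.get(bid) or b.get(bid)
        work.append((bid, kb, flagged_by))
    return {
        "agreed": sorted(sa & sb),
        "only_" + names[0]: sorted(sa - sb),
        "only_" + names[1]: sorted(sb - sa),
        "disputed": sorted(sa ^ sb),
        "work_list": work,
    }


def format_work_list(result):
    """Human-readable lines; disputed items carry a VERIFY tag."""
    lines = []
    for bid, kb, flagged_by in result["work_list"]:
        tag = "VERIFY" if bid in result["disputed"] else "apply"
        lines.append(
            f"{tag:6} {bid:10} {kb or '-':8} flagged by {', '.join(flagged_by)}"
        )
    return lines


if __name__ == "__main__":
    res = reconcile(parse_report(REPORT_A), parse_report(REPORT_B),
                    ("MPSA", "Hfnetchk"))
    print("\n".join(format_work_list(res)))
```

Run it as-is to see the merged list: the two bulletins both tools agree on are tagged `apply`, while MS00-0062 and MS01-005 are tagged `VERIFY` with the name of the single tool that flagged each, which is exactly the list you would take to the Knowledge Base before deciding what to install.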

Nobody said this security stuff was going to be easy. But it sure would be nice if Microsoft could provide some clear guidance on maintaining its operating system software, especially if it provides multiple utilities that purport to do the same thing, but don't. Still, doing anything is better than doing nothing, particularly considering the consequences of someone being able to take control over your servers and launch various attacks out over the Internet. In the meantime, I've got to get back to watching my machines reboot for the 87th time.

To subscribe, send a blank email to
informant-subscribe@pez.oreillynet.com

To be removed from this list, send a blank email to
informant-unsubscribe@pez.oreillynet.com

David Strom
david@strom.com
+1 (516) 944-3407
entire contents copyright 2001 by David Strom, Inc.
Web Informant is a registered trademark (®) with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress.