
Windows Server 2003 security

Related categories: Windows | General | Security

Rudra Kamal Sinha Roy
Article date: 2006-03-10

We present Windows Server 2003 and its security: what security enhancements it offers, what is still exploitable, what new exploitation techniques have been devised lately and what we can do to protect it as much as possible against break-ins.

About the author

Rudra Kamal Sinha Roy has been working in the field of security for quite a few years and is currently with iViZ Techno Solutions, a security company based in India. He has been actively involved in a large number of security audits for various global organizations. He also chairs the Kolkata chapter of OWASP (Open Web Application Security Project) and leads its hands-on training on ethical hacking. He is an active contributor to the drafting of ISSAF (Information Systems Security Assessment Framework), a widely used security assessment methodology.

Windows Server 2003 is not a new platform, being now almost three years old. Some readers might therefore think that talking about its security now is a bit outdated. Wrong. The time has come when many businesses will be forced to migrate from Windows 2000 Server, which is losing support, and the logical choice is Windows Server 2003. It is therefore worth knowing what security enhancements it offers, what is still exploitable, what new exploitation techniques have been devised lately and what we can do to protect it as much as possible against break-ins.


Windows server history

Windows NT, Microsoft's 32-bit operating system line, was originally designed and marketed for higher-reliability business use, with no DOS heritage. After Windows NT 3.1, NT 3.5, NT 3.51 and NT 4.0, Microsoft moved to combine its consumer and business operating systems. The first attempt, Windows 2000, failed to meet that goal and was released as a business system.

The home consumer edition of Windows 2000, codenamed Windows Neptune, ceased development and Microsoft released Windows Me in its place. Eventually Neptune was merged into their new project, Whistler, which later became Windows XP. Since then, a new business system, Windows Server 2003, has expanded the top end of the range, and the forthcoming Windows Longhorn Server will complete it.

However, most businesses today still stick to Windows 2000. Only some have moved on to Windows Server 2003, which went somewhat unnoticed over the last two and a half years compared to all the hype around Windows XP. A study by AssetMetrix shows that in the first quarter of 2005, 48% of business PCs still had Windows 2000 installed, down only four percentage points from the third quarter of 2003. The popularity of Windows 2000 is dropping very slowly, and business users seem reluctant to migrate to newer Windows environments.

Another problem with Windows 2000 is that Microsoft has already ended mainstream support for it. There were plans to deliver SP5, which never happened. As of July 2005, Windows 2000 is in the extended support phase of its lifecycle, which means there will be no more service packs or free non-security hotfixes. Soon even security hotfix support will end.

So it seems that the only way for businesses that want secure servers is to choose the next generation of Microsoft server systems. The release of Longhorn is planned for 2007, so many businesses won't wait for it. Windows Server 2003 becomes the obvious choice, since Windows XP is not meant for server use.

Let's then have a look at the security aspects of Windows Server 2003 and the latest vulnerabilities found in it, and see whether, almost three years after the system was released, it is finally worth migrating from Windows 2000 or choosing this platform for new projects.


What you will learn...

  • what security enhancements were introduced in Windows Server 2003 and how they make it more secure than its predecessors,

  • what are the remaining weaknesses in Windows Server 2003, which make it exploitable,

  • how these remaining weaknesses can be exploited in practice,

  • what a Windows Server 2003 administrator can do to make the server more secure.

What you should know...

  • you should have working knowledge of earlier versions of Windows,

  • you should be familiar with operating system functioning basics,

  • you should know how memory management works.


Approaches to security

In network and operating system security there are two basic approaches, based on two very different philosophies. Neither is right or wrong; the one that is best for a given computer or network depends on the circumstances, needs and priorities of the organization or individual user. Most importantly, the choice depends on which is more important in a given situation, access or control:

  • Access as top priority: In this case, the choice would be an open-by-default system, in which security measures are implemented on an as-needed basis. You start with everything accessible, then determine what shouldn't be accessed and lock down those elements.

  • Control (Security) as top priority: In this case, a better choice is a closed-by-default system, based on the principle of least privilege. You start with everything locked down and then open up only that which is necessary.

The two will always be at opposite ends of the security continuum. The more control you have over the network or OS, and the more tightly you secure it from the hazards of computing in an interconnected world (including intruders, attackers, viruses and other malware), the less accessible it will be. On the other hand, the easier you make it for employees, customers, partners and others to access resources, the less controlled and secure it will be.

This tradeoff is inevitable, so the first step is to determine which is the greater priority and where on the continuum your needs fall. The ideal system would be completely user-friendly to those who are authorized and absolutely impenetrable by anyone else, but such a system does not - and cannot - exist.


For most organizations today, security is the top priority (see Inset Approaches to security). Microsoft has responded to this in many ways, starting with its Trustworthy Computing initiative. Windows Server 2003 is a strong effort towards a secure computing environment compared to its predecessors, but it still falls short in some scenarios.

One big change, very noticeable in Windows Server 2003, is the difference in default settings. This is the point where Microsoft has time and again proved vulnerable: attackers most often exploit services that are enabled by default. We'll discuss how the out-of-the-box server differs in its defaults from previous versions and how the new defaults make the OS more secure, while at the same time frustrating some administrators and users who find themselves unable to gain access that required no additional configuration in earlier versions. We will take a quick look at the default changes made in Windows Server 2003, concentrating mainly on service settings, authentication and, most importantly, IIS, which has historically been the source of many of the exploitable flaws in Windows server systems.

What's new, what's better

Windows Server 2003 is based on Windows 2000 Server, but brings compatibility and some other features found in Windows XP. Most important of all, it brings more security. No server roles are installed or enabled by default on a fresh installation, which reduces the attack surface of a new install. Certain other security enhancements were also introduced. Let's have a look at them.

Default settings for common services

One change in Windows Server 2003 is that fewer services now run under the Local System account (NT AUTHORITY\SYSTEM). Almost all services used this account in Windows 2000. Programs that run in this context have unlimited privileges on the local computer, which presents an obvious security risk: any exploitable flaw in such a service is a complete compromise of the host. Instead of the Local System account, some common services now use the Local Service (NT AUTHORITY\LOCAL SERVICE) or Network Service (NT AUTHORITY\NETWORK SERVICE) account. These accounts have a much lower level of privilege than Local System; the difference between the two is that Network Service presents the computer's credentials when accessing the network, while Local Service accesses network resources anonymously.

Many services still log on as Local System (for example the Automatic Updates service, the Computer Browser service and the DHCP Client, along with many others). However, several others do not. For example, the Alerter service, which used the Local System account in Windows 2000, uses the Local Service account in Server 2003, and the DNS Client service, which used the Local System account in Windows 2000, uses the Network Service account in Server 2003. This provides better security.
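As an added example (not from the article or from its author), the following PowerShell script shows how to check this on a running server: it counts services per logon account and lists the running services that still use Local System, marking those whose binary lives outside the Windows directory, since third-party services are the ones an administrator can usually move to a lower-privilege account. It relies on the WMI class Win32_Service, which exists on Windows Server 2003, and on Windows PowerShell 2.0 or later; the service name in the optional reconfiguration step at the end is hypothetical.

```powershell
# Added example: audit service logon accounts on the local server.
# Requires Windows PowerShell 2.0 or later; Win32_Service exists on Windows Server 2003.
$services = Get-WmiObject -Class Win32_Service

# WMI reports the built-in accounts as:
#   LocalSystem, NT AUTHORITY\LocalService, NT AUTHORITY\NetworkService
"Services per logon account:"
$services |
    Group-Object -Property StartName |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Count, Name -AutoSize

# Running services that still log on as Local System. Each one has unlimited
# privileges on the host, so start the review with those whose binary does
# not live under the Windows directory (i.e. third-party services).
$systemRoot = $env:SystemRoot
"Running services using Local System (ThirdParty = binary outside $systemRoot):"
$services |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' } |
    Select-Object Name, StartMode, PathName,
        @{ Name = 'ThirdParty'; Expression = { -not ("$($_.PathName)" -like "*$systemRoot*") } } |
    Sort-Object -Property ThirdParty, Name -Descending |
    Format-Table -AutoSize

# Optional: move a third-party service that does not need SYSTEM to Network
# Service. Use sc.exe explicitly (in PowerShell 'sc' is an alias of Set-Content);
# the space after 'obj=' is required by sc.exe. Before restarting the service,
# make sure its files and registry keys are readable by the new account.
# 'ExampleSvc' is a hypothetical service name.
$serviceToFix = 'ExampleSvc'
if (Get-WmiObject -Class Win32_Service -Filter "Name='$serviceToFix'") {
    sc.exe config $serviceToFix obj= 'NT AUTHORITY\NetworkService'
    if ($LASTEXITCODE -ne 0) { Write-Warning "sc.exe config failed with exit code $LASTEXITCODE" }
}
```

A service that is reconfigured this way but actually needs SYSTEM (for example to load a driver) will simply fail to start, so test the change on one host before rolling it out.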

Changes in the authentication process

The authentication process has been improved for better security, both when logging on to the local computer and when logging on to a domain. One important change for local computer authentication is that local accounts with blank passwords can no longer be used to access the system remotely (note, however, that blank passwords can still be used at the console). This is controlled by the security option Accounts: Limit local account use of blank passwords to console logon only, which is enabled by default.

Cross-forest trusts (see Inset What are cross-forest trusts) are a new feature for Active Directory domain authentication. A forest trust uses Kerberos v5 (see Inset What is Kerberos), routing authentication requests across forests. Administrators can restrict the scope of authentication between two forests that have a trust relationship by using selective authentication. When selective authentication is in use, users from the other forest get no access by default; one must explicitly grant the Allowed to Authenticate permission on the computer objects (domain controllers or member servers) that users of the other forest should be able to reach.
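To show what selective authentication looks like in practice, here is an added example (not from the article or its author) that creates a forest trust with selective authentication and then grants a single group from the other forest the Allowed to Authenticate right on one server. It drives netdom.exe and dsacls.exe from the Windows Server 2003 Support Tools from PowerShell; the forest names, the administrator account, the group and the server DN are hypothetical, and the script must be run by an administrator of the local (trusting) forest on a domain controller with the Support Tools installed.

```powershell
# Added example: forest trust with selective authentication.
# Requires netdom.exe and dsacls.exe (Windows Server 2003 Support Tools).
# All names below are hypothetical.
$localForest  = 'corp.example'      # forest this script runs in (trusting side)
$remoteForest = 'partner.example'   # the other forest (trusted side)
$remoteAdmin  = 'PARTNER\Administrator'

# Run a native command and stop on a non-zero exit code.
function Invoke-Checked([string]$description, [scriptblock]$command) {
    & $command
    if ($LASTEXITCODE -ne 0) { throw "$description failed with exit code $LASTEXITCODE" }
}

# 1. Create a two-way, transitive forest trust. netdom prompts for the
#    remote administrator's password because /PasswordO:* is given.
Invoke-Checked 'netdom trust /Add' {
    netdom trust $localForest /Domain:$remoteForest /Add /TwoWay /ForestTRANsitive:Yes `
        /UserO:$remoteAdmin /PasswordO:*
}

# 2. Switch to selective authentication. From now on, users from partner.example
#    are refused by every computer in corp.example until they are explicitly
#    granted the 'Allowed to Authenticate' right on that computer object.
Invoke-Checked 'netdom trust /SelectiveAUTH' {
    netdom trust $localForest /Domain:$remoteForest /SelectiveAUTH:Yes
}

# 3. Grant the right on one server only. dsacls grants an extended right with
#    the CA (control access) permission followed by the right's display name.
$serverDn  = 'CN=FILES01,OU=Servers,DC=corp,DC=example'
$principal = 'PARTNER\File-Users'
Invoke-Checked 'dsacls' {
    dsacls $serverDn /G "${principal}:CA;Allowed to Authenticate"
}

# 4. Confirm the trust's secure channel is healthy.
Invoke-Checked 'netdom trust /Verify' {
    netdom trust $localForest /Domain:$remoteForest /Verify
}
```

The point of step 3 is that the grant is per computer object: a user from the partner forest who is not in PARTNER\File-Users, or who tries any other server in corp.example, is still refused even though the trust itself is in place.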


What are cross-forest trusts

Windows Server 2003 supports a new type of trust called a cross-forest (forest) trust. In Active Directory, domains that share a contiguous DNS namespace form a tree, and one or more trees that share a common schema, configuration and global catalog form a forest. When an organisation runs multiple forests (usually for security reasons or after a merger), trust between them had to be managed manually, domain pair by domain pair, in Windows 2000. A forest trust automates this: every domain in forest A has an implicit, transitive trust relationship with every domain in forest B.


What is Kerberos

Kerberos is a network authentication protocol that provides strong authentication by using secret-key cryptography and a trusted third party (the Key Distribution Center, KDC) to authenticate both the client and the server and to protect their communications. It replaces authentication by assertion, in which a host simply vouches for the identity of a user, with cryptographic proof: the user logs on once to a domain or realm and receives a ticket-granting ticket, and from then on the KDC issues a service ticket for each network service the user accesses, so no separate login per service is needed.


Changes to IIS

Some of the most dramatic changes are to the default settings of IIS 6.0. The web server is no longer installed by default on Windows Server 2003 Standard, Enterprise and Datacenter editions (it is installed in the Web Server edition, for obvious reasons). This helps to eliminate the all too common situation in which administrators are inadvertently running web servers they are not aware of.

If we do install IIS 6.0, by default it is in a locked-down mode in which dynamic content such as ASP, WebDAV and the FrontPage Server Extensions is disabled; each must be explicitly allowed in the Web Service Extensions list before it will serve requests. IIS 6.0 also adds new authentication methods and URL authorization for greater security. A principal new feature in the design of IIS 6.0 is the kernel-mode HTTP driver, HTTP.sys. It is tuned not only to enhance the web server's performance and scalability, but also to significantly strengthen the security posture of the server. HTTP.sys acts as the gateway for user requests to the web server: it parses each request and dispatches it to the appropriate user-mode worker process (w3wp.exe). The worker processes run in user mode under a low-privilege identity (Network Service by default), so they cannot access privileged kernel resources. Thus the target space of an attacker intending to gain privileged access to the server is greatly limited.
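To check that an IIS 6.0 server is still in its locked-down state, here is an added example (not part of the article or of IIS itself) that reads the two relevant settings from the IIS metabase through its ADSI provider: the Web Service Extensions list, which records whether ASP, WebDAV and the other dynamic handlers are Allowed or Prohibited, and the identity of each application pool. It assumes IIS 6.0 with the IIS Admin service running on the local machine and Windows PowerShell 2.0 or later, run as a local administrator. The metabase property names are IIS 6.0's own; the field layout of each extension entry is assumed to be allowed,path,deletable,groupid,description, as documented for IIS 6.0.

```powershell
# Added example: audit IIS 6.0 lockdown state through the metabase (ADSI).
# Requires IIS 6.0 (IIS Admin service running) and Windows PowerShell 2.0+.
$w3svc = [ADSI]'IIS://localhost/W3SVC'

# 1. Web Service Extensions. WebSvcExtRestrictionList holds one string per
#    extension: "<allowed>,<path>,<deletable>,<groupid>,<description>", with
#    <allowed> 1 = Allowed, 0 = Prohibited. ASP, WebDAV and FrontPage ship as
#    Prohibited; anything Allowed here is dynamic-content attack surface.
$extensions = foreach ($entry in $w3svc.psbase.Properties['WebSvcExtRestrictionList']) {
    $fields = "$entry" -split ',', 5          # at most 5 pieces; description may hold commas
    if ($fields.Count -lt 5) { continue }    # skip anything not in the expected layout
    New-Object PSObject -Property @{
        Allowed     = ($fields[0] -eq '1')
        Path        = $fields[1]
        GroupId     = $fields[3]
        Description = $fields[4]
    }
}
"Allowed Web Service Extensions (each one is dynamic content the server will execute):"
$extensions | Where-Object { $_.Allowed } |
    Format-Table -Property GroupId, Description, Path -AutoSize

# 2. Application pool identities. AppPoolIdentityType: 0 = LocalSystem,
#    1 = LocalService, 2 = NetworkService (IIS 6.0 default), 3 = configured user.
#    A pool running as LocalSystem gives any code it hosts full control of the box.
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }
$poolRoot = [ADSI]'IIS://localhost/W3SVC/AppPools'
$pools = foreach ($pool in $poolRoot.psbase.Children) {
    $type = [int]$pool.psbase.Properties['AppPoolIdentityType'].Value
    New-Object PSObject -Property @{
        Pool     = $pool.psbase.Name
        Identity = $identityNames[$type]
        Review   = ($type -eq 0)              # flag pools running as Local System
    }
}
"Application pool identities:"
$pools | Format-Table -Property Pool, Identity, Review -AutoSize
```

If the first table lists ASP or WebDAV on a server that only serves static files, the lockdown has been undone, and the second table tells you what an attacker who compromises a worker process would run as.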

Changes to the membership of the Everyone group

In past versions of Windows, the built-in Everyone group consisted of literally everyone who accessed the system, including anonymous users. In Server 2003, the Everyone group no longer includes anonymous users, so even if permissions are granted to Everyone, those who are logged on anonymously do not have them. Anonymous users are members of the Anonymous Logon group, another built-in group whose membership is fixed by the system.

In a Windows Server 2003 domain environment, we can restore the old behaviour and make members of the Anonymous Logon group part of the Everyone group on a domain controller by editing the domain controller security policy (Start -> Programs -> Administrative Tools -> Domain Controller Security Policy). In the left pane of the console, expand Default Domain Controllers Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, and click Security Options. In the details pane, right-click Network access: Let Everyone permissions apply to anonymous users, select Properties, check Define this policy setting and select Enabled. Be aware that this re-opens anonymous enumeration of the domain, a well-known reconnaissance step, so do it only when a legacy application genuinely requires it; the secure default is Disabled.
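The blank-password restriction described earlier and the Everyone/anonymous setting above both map to DWORD values under the LSA registry key, as do the two related anonymous-enumeration options. As an added example (not from the article), the following PowerShell script reads them on the local server, treats an absent value as the Windows Server 2003 default, and flags any that differ from the hardened setting. The registry value names and policy display names are those used by Windows Server 2003; the hardened values are the usual recommendation, not anything the article specifies.

```powershell
# Added example: audit the LSA settings behind the policies discussed above.
# Requires Windows PowerShell 2.0 or later; read access to HKLM is enough.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Name = registry value, Default = Windows Server 2003 out-of-box value,
# Wanted = value for a hardened server, Policy = Security Options display name.
$checks = @(
    @{ Name = 'LimitBlankPasswordUse';     Default = 1; Wanted = 1
       Policy = 'Accounts: Limit local account use of blank passwords to console logon only' },
    @{ Name = 'EveryoneIncludesAnonymous'; Default = 0; Wanted = 0
       Policy = 'Network access: Let Everyone permissions apply to anonymous users' },
    @{ Name = 'RestrictAnonymousSAM';      Default = 1; Wanted = 1
       Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts' },
    @{ Name = 'RestrictAnonymous';         Default = 0; Wanted = 1
       Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' }
)

$lsa = Get-ItemProperty -Path $lsaPath
$report = foreach ($check in $checks) {
    $name  = $check.Name
    $value = $lsa.$name                      # $null when the value does not exist
    if ($value -eq $null) {
        $effective = $check.Default          # absent value: the OS default applies
        $source    = 'default'
    } else {
        $effective = [int]$value
        $source    = 'registry'
    }
    if ($effective -eq $check.Wanted) { $status = 'OK' } else { $status = 'REVIEW' }
    New-Object PSObject -Property @{
        Setting   = $name
        Effective = $effective
        Source    = $source
        Wanted    = $check.Wanted
        Status    = $status
        Policy    = $check.Policy
    }
}

$report | Format-Table -Property Setting, Effective, Source, Wanted, Status -AutoSize
$report | Where-Object { $_.Status -ne 'OK' } |
    ForEach-Object { Write-Warning "$($_.Setting) = $($_.Effective): review '$($_.Policy)'" }
```

On a domain controller these values are rewritten from the Default Domain Controllers Policy at each policy refresh, so after following the console procedure above run gpupdate /force before trusting what the script reports.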

Windows Server 2003 brought those security changes and some more. But a question keeps popping up: is this endeavour enough? Probably not. We have a relatively secure out-of-the-box configuration, fine. But do we really want to keep the newly loaded server as is, without making it useful for any specific service? We must realise that most server systems exist to deliver something to end users, be it as a web server or as a host for other intranet/Internet applications, and every role we add re-opens part of the attack surface the defaults closed.

Copyright © 2006 by Software Developer's Journal. All rights reserved.