Unpatched Servers at Microsoft|
By John Holstein, Cotse Help Desk Coordinator
You receive the notifications from NTBugTraq, you apply the patches and go about your daily routine wondering if you have done everything necessary to provide your servers with adequate protection from "prying-eyes". However, it is brought to your attention that the "Patchers" themselves do not keep up with their own material.
Recently, while traversing several security related sites, one of our members became re-enlightened with the vision that Microsoft System Administrators do not keep up with their own security patches. On several occasions we found where third party security professionals have probed numerous Microsoft Servers to find out just how many applied patches are in place. Of course we have known about this for years, but with the ever-increasing need to secure web-based E-Commerce sites, it becomes apparent that the teacher needs to be the student.
One example of a non-applied-patch is located at http://egg.microsoft.com. It was found that Microsoft, not listening to their own Product Security messages, did not patch their server in relation to one particular exploit where vital information can be withdrawn by a web surfer utilizing a malformed URL in the address location.
Folks, this is scary. If the Security “Experts” at Microsoft can let this one slip through, how many more have escaped? How many security exploits have escaped other consultants grasps? If by chance this is the “lone-instance” and it NEVER happens anywhere else, I could let it go, case solved, go on to the next debate. Seriously, what’s the chances of that?
This latest find is simply another example of how vast an operating system such as Windows NT can be in relation to being able to find particular bugs/exploits and dealing with them accordingly.
Frankly, I think most everyone in the Computer Security Industry knows, as a rule of thumb, we should not allow a server to go online until all current security patches are in place for the working operating system and web server software. In the case mentioned above, the site URL leads one to a location where they are still “under construction”. This in itself is an open invitation to crackers. “Under Construction” on a domain is simply asking for trouble. At this point, many crackers will have the mindset that if the web masters are still working on the site, it’s all that much easier to gain root access and further penetrate the system.
What lies beneath? How many other systems are affected by the decision to “get the site up and running as quickly as possible”? This in itself has torn down entire network infrastructures in a single blow. It has become common place for small businesses to operate their web servers at the same location as their primary network. Although these servers may remain behind a hardware/software firewall and seemingly separated from the rest of the network, this still leaves the chance that non-web related and sometimes “sensitive” internal information can escape into the ether.
What’s the chance this can happen to me? I may be a bit paranoid, but from the looks of things across the Internet-Board, I see this occurring all the time.
What happens when you have an employee, such as a web developer or SysAdmin terminate their employment and they still have access to your systems? Is it a corporate mandate that you keep a working log of all patches that have been put in place? Do you have an outside, third party security audit every few months? Do you have a Security Policy in place? Who wrote it? These are but a few questions that need answering.
What can you do to secure your systems? Keep up with the patches, read BugTraq reports and other security mailing lists and “out-do” the people that are supplying your Operating Systems to you. Security is an everyday job. If you have the time to spend, and granted it’s a lot of time, reading all the reports is the only way to keep up with the Jones’ or in this case, the crackers.
Problems? Questions? Bugs? Email me.
Return to the Help Desk