In Part 1 of this article, I described several services in Windows 2000 that open potential doors to attackers or present Denial of Service (DoS) targets. Here, in Part 2, I’ll share some other important tips for keeping your systems secure from network attacks.
The Server service. It's important for users to understand the Server service. Microsoft documents the Server service as simply providing file-and-print sharing, which is true. If you disable this service on a given system, no one can map drives or use printers that connect to that system. But the Server service also provides administrators remote access to other Win2K resources that they manage when using the Microsoft Management Console (MMC), including the event log, and local user and group maintenance. Even if no one has explicitly shared any folders, the Server service automatically creates hidden administrative shares at the root of each volume, such as C$ for the C drive.
Obviously, if you can connect to the Server service, you can do a lot of damage. Ideally, you might want to disable this service on workstations and other hardened servers such as Web servers; however, disabling the Server service makes it impossible to administer these systems from anywhere but the local console. Thankfully, Win2K limits access, by default, to these resources to Domain Admins and the local Administrator account in that system’s local SAM. If you assume that Domain Admins are protected by quality passwords and an appropriate account lockout policy, then all that remains is protecting the local Administrator account, which I describe how to do in "Protecting the Administrator Account".
The Simple TCP/IP services. Simple TCP/IP services provide seldom-used services from the UNIX world, such as Character Generator, Daytime, Discard, Echo, and Quote of the Day. This component of Networking Services does not install by default, and because DoS attacks already exist that target Simple TCP/IP services in Win2K, I recommend that you don’t install these services.
The SMTP service. The SMTP service makes your system an SMTP server. Running SMTP on a system exposes you to DoS attacks, arbitrary code attacks, and attackers who try to use your server as a way point for spoofed email. Carefully determine whether your system really needs SMTP. The only time Win2K might require SMTP is for domain controllers (DC). SMTP is an optional transport used for replicating information between DCs. Win2K installs SMTP by default when you promote a server to DC status. Unless you explicitly configure the DC for SMTP replication, you can disable the SMTP service.
The FTP Publishing service. I consider the FTP Publishing service (a component of Microsoft IIS) to be dangerous. FTP makes your local file system available to other systems on the network with all the potential exposures this protocol brings with it. Native Win2K features, such as DC functionality, don't require FTP. Unless you have clients that require FTP or other applications that need to send files using FTP (such as those that communicate with UNIX systems), I recommend that you disable this service. I also encourage you to disable the Network News Transfer Protocol (NNTP) service (another IIS component); you need to enable NNTP only for hosting a discussion site on the Internet or for doing the same on your intranet.
The Telnet service. The Telnet service is another dangerous service. Telnet provides remote command-line access. If attackers use Telnet to break into your system, they can run arbitrary commands according to their authority. Because you can administer the system using the MMC or scripts, you typically don’t need Telnet on a Win2K system.
The Task Scheduler service. The Task Scheduler service lets you schedule commands to run in the future in the background. Using the AT command or Task Scheduler, you can schedule jobs on remote systems. However, the Server service provides remote access to the Task Scheduler and limits access to administrators. The protection measures for the Server service also provide protection for remote tasks, so enabling the Task Scheduler service doesn’t significantly increase your risk to remote attacks.
The Terminal service. The Terminal service uses thin-client technology to provide remote access to your server’s desktop—in effect, making it as though a user at another workstation were sitting at the server’s console. The Terminal service is a powerful tool for both remote administration and for reaping the benefits of delivering applications in a thin-client environment. However, consider the door you are opening with this service—full console access from a remote system. As with any service, if you aren’t using it, disable it. If you need the Terminal service, be sure to read up on its many security features so you can properly secure this door.
The Windows Media services. The Windows Media services lets you deliver streaming video and audio to intranet or Internet clients. These services, like many others, have already been the victim of DoS attacks. Remember, any service accepting incoming connections is a potential target for DoS and buffer overflow attacks, providing the perpetrator with high-level access to run arbitrary code with administrator authority.
The World Wide Web Publishing service. As the name suggests, the World Wide Web Publishing service makes your system an http Web server. Several Win2K features, including Certificate Services, require this principal component. Unfortunately, this service is probably the source for 50 percent of Win2K server exploits that the Windows IT Security Web site alerts you to each week. The issue is not that the Web service in Win2K is weaker than other areas; it's just that the Web service receives more attention from hackers. Because you can’t disable the World Wide Web Publishing service on every system, you can protect yourself using two approaches. First, separate server roles. Don’t combine Web server responsibilities on the same server that handles other tasks, such as a file server or application server (e.g., Oracle, SAP, PeopleSoft). If someone breaks into one of your servers using the World Wide Web Publishing service, they’ll probably be able to access other information on that server as well. Make sure you never use an internal DC as a public Web server. Otherwise, if attackers compromise your Web site, they'll get the users, applications, and resources in your internal domain. Second, for those systems where you can’t disable the World Wide Web Publishing service, make sure you stay up-to-date with service packs, hotfixes, and other countermeasures. Just check the Windows IT Security Web site regularly, and subscribe to Microsoft's security alert service.
As you can see, many doorways exist for accessing a Win2K system from the Internet. The doorways I've discussed in this series of articles are by no means all of them. To harden systems exposed to a hostile network, don’t try to identify and disable only risky services. Instead, disable everything you can. Each service you disable is one less drain on resources, one less target for attackers, and one less component that you must configure for security and keep up-to-date with security patches. Next time, I’ll show you how to manage services centrally using the Security Settings portion of Group Policy.
