A Bit of Homeland Security on Your Home PC

Let me start this month's commentary by sincerely thanking Microsoft for its recent certification program realignment. On October 11, Microsoft announced that it won't decertify Windows NT 4.0 MCSEs at the end of 2001. Instead, Microsoft will recognize two kinds of MCSEs: NT 4.0 MCSEs and Windows 2000 MCSEs. Microsoft also announced a somewhat easier-to-get certification called a Microsoft Certified Systems Administrator (MCSA) that requires candidates to pass only four tests. No, you can't get the certification now: Microsoft won't release all the tests until January, according to its Web site. And finally, Microsoft allowed a few of the old NT 4.0 electives to count toward Win2K certification. (That worked for me—now I'm an "unintentional" Win2K MCSE, you might say.)

In last month's column, I said that although I don't hold in high regard vendor-controlled certifications, many hiring personnel use the MCSE as a proxy for skill and knowledge, and so having the certification—or losing it—can affect a person's employability or even cause them to lose their jobs. So thank you, Redmond—you've probably let a lot of people sleep easier.

This month, I want to talk a bit about securing home PCs. Nimda, as well as the rainbow of worm codes—Red, Red II, Blue, and an interesting variant, Green, which is actually a good worm that inoculates Microsoft IIS servers to protect them from the Code Reds and Code Blue—underscore the fact that the IIS world is under attack. Looking at my IIS server logs drives me nuts because I see all the servers that are trying to infect my system with one kind of worm or another. How can so many people still be running Code Red, Code Blue, or Nimda after all this time?

So I tried tracking down a few of the attack attempts. Guess what I found? In a number of cases, the owners of the offending systems didn't respond. Looking a bit further into their domains, I was surprised to find that many of the infected machines were member systems in large Web-hosting farms! I guess these farms just roll out Web servers by the truckload and apply security patches when they get around to it; that's not very good net-neighborliness.

The Web server owners that did respond usually said something such as "I'm sorry, but I don't know what you're talking about. I'm not running a Web server." As you might have guessed, these people were probably running a Win2K server for some other purpose and, because Win2K Server automatically installs IIS, they were indeed running a Web server, although they didn't know it. Or they were running a desktop Microsoft OS (Win2K Professional, Windows Me, or Windows 98) that lets you load a personal Web server.

Here's a quick way to determine whether one of your systems is running IIS. Run Internet Explorer (IE). In the Address field, type "http://localhost" and press Enter. If you get a Web page or a dialog box asking you to enter your name, password, and domain, then congratulations—you're an "accidental Webmaster!"
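The same check can be scripted so that it can be run against every machine you are responsible for. The following Python script is an added example, not part of the original column: it sends a HEAD request to 127.0.0.1 on port 80 (both assumptions; adjust for a personal Web server bound elsewhere) and reads the Server response header, which IIS reports as "Microsoft-IIS/<version>". A 401 response with a WWW-Authenticate header is the scripted equivalent of the name/password/domain dialog box the column describes. The sample responses at the bottom are constructed for illustration, not captured from a real host.

```python
import socket

# IIS identifies itself in the Server header as "Microsoft-IIS/5.0" and so on.
IIS_MARKER = "Microsoft-IIS"


def server_header(response_text):
    """Return the value of the Server: header from a raw HTTP response,
    or None if the response carries no such header."""
    head = response_text.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def status_code(response_text):
    """Return the numeric HTTP status from the status line, or None."""
    parts = response_text.split("\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[1].isdigit():
        return int(parts[1])
    return None


def is_iis(header_value):
    """True when the Server header names IIS."""
    return header_value is not None and header_value.startswith(IIS_MARKER)


def probe_web_server(host="127.0.0.1", port=80, timeout=2.0):
    """Send a HEAD request and return the raw response text, or None if
    nothing accepted the connection (refused, unreachable, or timed out)."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if b"\r\n\r\n" in b"".join(chunks):
                    break  # headers complete; HEAD carries no body
    except OSError:
        return None
    return b"".join(chunks).decode("latin-1", errors="replace")


def check_localhost(port=80):
    """Classify what is listening locally.

    Returns a tuple (verdict, server, status) where verdict is
    'none' (nothing listening), 'iis' or 'other'."""
    response = probe_web_server("127.0.0.1", port)
    if response is None:
        return ("none", None, None)
    server = server_header(response)
    verdict = "iis" if is_iis(server) else "other"
    return (verdict, server, status_code(response))


# Constructed sample responses, labelled as such; they were not captured
# from any real machine. The first mirrors the "enter your name, password,
# and domain" dialog: a 401 with an NTLM challenge from IIS 5.0.
SAMPLE_IIS = (
    "HTTP/1.1 401 Access Denied\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_OTHER = "HTTP/1.0 200 OK\r\nServer: Apache/1.3.20\r\n\r\n"

if __name__ == "__main__":
    verdict, server, status = check_localhost()
    if verdict == "none":
        print("Nothing is listening on port 80; no accidental Web server here.")
    elif verdict == "iis":
        print(f"IIS is running ({server}, HTTP {status}); patch it or disable W3SVC.")
    else:
        print(f"Something else answers on port 80: {server} (HTTP {status}).")
```

A machine that answers with an IIS Server header but that nobody intended as a Web server should either have the World Wide Web Publishing Service disabled or be brought onto the same patch cycle as the servers you do mean to run; a "none" verdict only says port 80 is closed, so run the check against any other port a personal Web server was configured to use.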

The existence of worms as aggressive as the recent IIS attackers has brought new meaning and focus to security. Security used to be about protecting your network from attackers. But suppose you're unintentionally running a few Web servers, all of which are hammering other people's Web servers, trying to infect them. What's your responsibility, given that you don't really care whether the unused Web function on those servers works well or not?

If infecting other people's machines isn't bad enough, infected Web servers have other serious consequences. Some days, the IIS worms grab so much bandwidth that they seriously slow down the Internet. So if I don't keep my intranet in order, I could damage the entire Internet. I have a public responsibility to prevent that.

And I don't mean to be alarmist here, but the Internet has already seen one "cyberskirmish," when some individuals in mainland China launched attacks against US Web sites (particularly the White House sites). We've also seen how malicious kids can recruit thousands of machines to launch zombie attacks against a given IP address, shutting that site down by overloading its routers. Imagine a more determined antagonist with the intention of shutting down the Internet for days, months, or perhaps forever. The antagonist could use tools no more complex than the computer on your desk at home—the one attached to the Internet via DSL or cable modem and that never gets a hotfix or service pack until it's painfully obvious that you need it. So, irritating as it is, we all have a responsibility to keep our systems' security up to date—not just for our own convenience but for the health of the Internet. To find out more information, search Microsoft's Knowledgebase for "hfnetchk" and "qchain.exe."

After all, how would you feel if the bad guys crashed the Internet, and you found out that your machine helped them do it?
