\[Editor's Note: Do you have a security-related question about Windows 2000? Send it to [email protected], and you might see the answer in this column!\]
Keeping systems, especially Web servers, up-to-date against the latest attacks seems like a vicious cycle. What can I do to proactively secure my systems against unforeseen vulnerabilities?
Each week, new vulnerabilities crop up in Windows 2000, Windows NT, Microsoft IIS, and other products, including non-Microsoft products. You can stay up-to-date on these vulnerabilities by subscribing to Windows 2000 Magazine's Security UPDATE newsletter and alerts and visiting security Web sites such as Windows IT Security (http://www.WindowsITsecurity.com). For some exploits, the only way to defend yourself is to be aware of the problem and quickly load the fix.
However, you can take action to relieve some of the time pressure and reduce the reactive nature of securing computers. Many security holes that get wide publicity don't affect my clients because they follow the best practices of minimum functionality and least privilege. Microsoft recommends these practices and others in its "Secure Internet Information Services 5 Checklist" (http://www.microsoft.com/technet/security/iis5chk.asp).
With regard to minimum functionality, you can greatly reduce your exposure to new exploits by disabling every unneeded feature and service. For example, many of the recent serious IIS security holes have been related to FTP. How many Web servers really need FTP? If you must make files available to the Internet over FTP, I recommend you use a Web-hosting service or another inhouse server.
The Windows IT Security article "Unchecked Buffer in Internet Information Server 5.0" (http://www.WindowsITsecurity.com/articles/index.cfm?articleid=20920) describes another highly publicized exploit. A buffer overflow in IIS lets you execute arbitrary code on the IIS server under the all-powerful System account. That vulnerability sounds bad, and I don't deny the seriousness of the risk. However, practicing minimum functionality protects you from that exploit. In this case, the vulnerability is in the part of IIS that supports the Internet Printing Protocol (IPP), which most Web sites don't use. IIS implements IPP by using the .printer Internet Server API (ISAPI) extension. The "Secure Internet Information Services 5 Checklist" recommends removing unused script mappings such as .printer.
With regard to the least-privilege best practice, you should always assign user accounts the absolute minimum authority necessary for users to accomplish their work. Following least privilege greatly reduces the level of exposure to another recent IIS exploit that allows remote command execution, which the Windows IT Security article "IIS May Allow Remote Command Execution" (http://www.WindowsITsecurity.com/articles/index.cfm?articleid=21101) describes. In this case, the exploit lets an attacker run commands as the IUSR_MachineName account. Again, Microsoft's checklist mitigates the risk because one best practice recommends that IUSR_MachineName not have access to the OS or database server folders.
