Microsoft recently released Windows 2000 Service Pack 1 (SP1), which fixes 17 security problems that that the company discovered since it released Win2k. To help you determine whether you need to install this latest service pack, let's take a look at Win2K’s history regarding security risks. Let me begin by stating that you can access SP1 and the Microsoft Security Bulletins that this service pack addresses at Microsoft's Win2K security Web site.
IIS 5.0 Exploits
SP1 fixes seven Microsoft Security Bulletins specific to Win2K Web servers. Four of these fixes are strictly Denial of Service (DoS) problems, and the other three exploits let an attacker view files. Thankfully, none of the exploits let the attacker change files or run arbitrary code or commands. The most serious problem is identified as MS00-006, "Malformed Hit-Highlighting Argument," which involves Win2K Web servers running Indexing Services. Indexing Services, which provides Web-site searching functionality for Win2K, includes a useful feature that highlights words that you've selected for search criteria wherever they occur in a document during a search. Win2K provides this functionality through an Internet Server API (ISAPI) filter called webhits.dll. ISAPI filters run under the same SYSTEM account security context as InetInfo (Microsoft IIS); therefore, Webhits can access any file on the system. When Webhits processes hit highlighting, it fails to first check authorization on the file being requested. This flaw lets a user trick a Win2K Web server into returning any file on the logical volume where the Web site’s virtual directory resides. For more information on this threat, see the security discovery article entitled "Index Server Exposes File System" on the Windows IT Security Web site.
Although SP1 fixes the hit-highlighting problem, you can reduce your exposure without relying on the service pack by following two best-practice configuration methods. First, always disable any App Mappings that aren’t essential to your Web server. App Mappings link different file extensions to ISAPI filters. If you remove the association of webhits.dll to .htw files, as Figure 1 shows, you eliminate this vulnerability altogether. Second, always separate your Web site files (e.g., .html, .asp, .gif) from the rest of your system, including the OS (%systemroot%), databases, and other applications, by creating a dedicated volume for your Web site virtual directories. For example, install Win2K on the C drive and create another volume (e.g., D:\) for your Web site files. When you take these measures, attackers are limited to files on your Web site and can't access OS files under %systemroot% or other database or application files.
Allowing access to your Web files is bad enough because attackers can still access any source code you store in your Active Server Pages (ASP) files. Unfortunately, ASP files often contain database passwords embedded in the code. Again, by following best-practice coding guidelines, you can reduce your risk. For example, don't embed passwords in your source code. One of the simplest methods for protecting these passwords is to store them under a secured key in the registry. Of course, make sure users can’t access the registry remotely according to the guidelines in the IIS 4.0 Security Checklist.
Another Win2K Web server vulnerability that SP1 addresses is MS00-019, "Virtualized UNC Share," which lets an attacker read source code files that you've stored in a virtual directory that maps to a Uniform Naming Convention (UNC) path instead of a local path. This threat is another example of a source-code viewing attack, and you can significantly reduce the associated risk by not storing any secret information in the source code, as I previously discussed.
The last vulnerability that gives attackers unauthorized read access to a Web server is MS00-031, "Undelimited .HTR Request" and "File Fragment Reading via .HTR." The associated security bulletin outlines two problems related to how the Web server processes .htr files. These .htr files allow Web-based password administration. One problem provides a very small opportunity for an attacker to view source fragments on your server. Given the restrictive conditions in which this attack works, this problem is minor. The other problem lets a malformed .htr request slow the server and prevent servicing of .htr password change requests. Again, unless you use .htr functionality on your Web site, you are protected if you remove unneeded App Mappings. Two other DoS attacks specific to IIS 5.0, MS00-023 and MS00-030, let an attacker temporarily slow the Web server.
Two DoS attacks are related to TCP/IP. The first attack, MS00-029, "IP Fragment Reassembly," lets attackers temporarily slow down and sometimes crash a system by sending it a continuous stream of fragmented IP packets. This risk is very real to Web servers and other systems exposed to the Internet because they must accept IP fragments. The other attack is a more minor risk. MS00-021, "Malformed TCP/IP Print Request," lets malformed Line Print Daemon (LPD) and Line Print Remote (LPR) print requests crash TCPSVC, which provides TCP/IP printing services and DHCP server functionality. TCPSVC typically runs only on internal systems behind a firewall; as a result, TCPSVC is vulnerable only to DoS attacks launched by insiders.
Microsoft has identified three vulnerabilities associated with running Internet Explorer (IE) with Win2K. All of these attacks let a malicious Web site operator attack unsuspecting users browsing the operator's Web site. MS00-039, "SSL Certificate Validation," involves a problem in how IE verifies certificates it receives from Web servers. Under a very daunting set of circumstances, this vulnerability lets an attacker pose as another certified Web site. So, for example, an attacker who successfully redirects a user from a legitimate e-commerce site to an impostor site might use this deception to steal users’ credit card numbers.
MS00-011, "VM File Reading," lets a malicious applet read files from the workstation’s local drive or server that the user connects to if the applet knows the exact location of the desired files. Of course, you can disable or restrict Java applets, as Figure 2 shows, to simply remove this attack.
MS00-037, "HTML Help File Code Execution," lets a malicious Web site operator run arbitrary code on a browsing user’s workstation. This exploit depends on the attacker's ability to place a HTML Help file (.chm) within reach of the user’s workstation and wait for the user to browse across a malicious Web page that references the .chm file. Workstations behind a firewall are only vulnerable to attackers within the internal network because firewalls typically prevent users from initiating connections to file servers beyond the firewall. However, a remote user, such as a telecommuter whose workstation isn't blocked from accessing file servers on the Internet, is still vulnerable. Although the actual capability of these attacks is worrisome, bear in mind that the user must first browse across the malicious Web site. One exception to this rule might be Web-based email services and other sites that let users enter HTML code that other users can view. In this scenario, the Web site operator is benign, but a malicious user attacks other users of the site.
Browsing the Internet is an inherently dangerous activity, and you should keep your browser up-to-date. Again, following best-practice security configuration can reduce your exposure to two of these exploits, regardless of your patch level. Disable or restrict client-side scripting, as appropriate, for each IE zone and protect remote laptops and telecommuters with a strictly configured personal firewall such as Black Ice.
Email Client Attacks
Microsoft discovered several vulnerabilities in Outlook and Outlook Express 5 that let intruders attack email recipients. MS00-045, "Persistent Mail-Browser Link," lets an attacker send email to a user and see the email messages that the user receives subsequently. MS00-043, "Malformed E-mail Header," is a buffer overflow exploit that lets the attacker crash the recipient’s email program or even run arbitrary code on the recipient’s system using a malformed email header. MS00-46, "Cache Bypass," is a hole that lets an attacker send an HTML-based email message that can read files on the recipient’s system or file servers accessible to the recipient. This attack applies only to file types viewable by IE, such as .html, .txt, and .gif. Be aware that these HTML-based email attacks can cause more damage than browser attacks. For example, with email attacks, you can actively and specifically target your victims, whereas browser attacks are much more passive and difficult to target at specific users. If you use Outlook or Outlook Express, make sure you install Win2K SP1.
In addition to the vulnerabilities I've already discussed, four other security problems are known that relate to a variety of Win2K components. First, MS00-027, "Malformed Environment Variable," allows a DoS attack by consuming memory via extremely large environment variables in scripts and batch files. Some Web servers are vulnerable to this risk.
Second, MS00-020, "Desktop Separation," is an arcane vulnerability that lets an attacker logged on interactively at the server to interfere with other privileged processes. Following the best practice of not allowing regular users to log on at the console of servers, such as domain controllers, file, and application servers, eliminates this risk—regardless of service pack.
Third, MS00-032, "Protected Store Key Length," is a vulnerability in how the OS protects private keys. Win2K encrypts and protects private keys in the Protected Store. Unfortunately, even if you upgrade your system to 128-bit encryption (the high encryption pack is available from Microsoft online, Win2K continues to protect private keys with only 40-bit encryption. SP1 ensures that Win2K always uses the highest level of encryption available on your system to project private keys. Finally, MS00-026, "Mixed Object Access," exposes a vulnerability that lets authenticated users modify objects in Active Directory (AD) that they don’t have permissions to.
So, how well has Win2K's security held up so far? All in all, the exploits discovered to date aren’t very serious for server operators. The more serious holes are specific to email users. In general, if you follow best practice on your servers and workstations, your risks won't be significant. Because SP1 fixes all the problems I've discussed in this article, it behooves you to deploy this service pack throughout your network. Next time, I’ll explore how Microsoft has improved the process for keeping your systems up-to-date.