Windows 2003 - Wanna see....

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884

    Windows 2003 - Wanna see....

    what it looks like out of the box?

    Since Windows 2003 is supposed to be much more secure out of the box, I decided to go ahead and post the details of my findings.

    SOFTWARE USED
    ===================================
    Windows 2003 Enterprise Edition, default install. Ver 5.2 (Build 3790.srv03_rtm.030324-2048)
    Nessus 2.0.5 on Redhat 9.0 with all updates, including kernel updates and Nessus NASLs.
    NessusWX 1.4.4 (Windows GUI interface for the scan engine)

    NETSTAT BEFORE WE BEGIN
    ===================================
    I ran a quick netstat on the W2K3 box before I started the scan. Notice the new PID column. This is achieved using the new "o" switch.

    C:\> netstat -ano

    Active Connections

    Proto Local Address Foreign Address State PID
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 620
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 448
    TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 920
    TCP 172.29.4.112:139 0.0.0.0:0 LISTENING 4
    UDP 0.0.0.0:445 *:* 4
    UDP 0.0.0.0:500 *:* 448
    UDP 0.0.0.0:1027 *:* 840
    UDP 0.0.0.0:4500 *:* 448
    UDP 127.0.0.1:123 *:* 920
    UDP 172.29.4.112:123 *:* 920
    UDP 172.29.4.112:137 *:* 4
    UDP 172.29.4.112:138 *:* 4

    There you have it folks, the listening services on a default install of Windows 2003 Enterprise Server. One annoying thing to note: the version of IE that comes with W2K3 has security set to "high" by default. It caused quite a few issues on Java-enabled websites and it does not tell you that this setting is the cause. Anyway, slight side track but still worth mentioning...

    A few more side notes:

    I threw him up on my lab network and XP,W2K,98,95 and RH9 machines were able to see him and vice versa.

    The desktop is unusually clean in that you only get the Recycle bin in the bottom right hand corner. You'll have to clutter the desktop manually from now on.

    The default shares are alive and well on W2K3, as they are on NT, W2K and XP.

    C:>NET SHARE

    Share name Resource Remark
    -----------------------------------------------------------------------------------
    ADMIN$ C:\WINDOWS Remote Admin
    C$ C:\ Default share
    IPC$ Remote IPC

    Hmmmm, isn't that interesting, hey what about remote registry service? I wonder if that is on by default? See attached: REMOTE.JPG for the answer.


    OK OK, HERE'S WHAT YOU HAVE BEEN WAITING FOR: NESSUS OUTPUT
    ============================================================

    NESSUS SECURITY SCAN REPORT

    Created 15.05.2003 Sorted by host names

    Session Name : RedHat 9 Loonix
    Start Time : 15.05.2003 10:24:36
    Finish Time : 15.05.2003 10:40:20
    Elapsed Time : 0 day(s) 00:15:44


    Total security holes found : 20
    high severity : 1
    low severity : 13
    informational : 6


    Scanned hosts:

    Name High Low Info
    ------------------------------------------------
    172.29.4.112 1 13 6


    Host: 172.29.4.112

    Open ports:

    netbios-ssn (139/tcp)
    microsoft-ds (445/tcp)
    LSA-or-nterm (1026/tcp)
    NFS-or-IIS (1025/tcp)
    loc-srv (135/tcp)
    netbios-ns (137/udp)


    Service: netbios-ssn (139/tcp)
    Severity: High


    . It was possible to log into the remote host using a NULL session.
    The concept of a NULL session is to provide a null username and
    a null password, which grants the user the 'guest' access

    To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
    Q246261 (Windows 2000).
    Note that this won't completely disable null sessions, but will
    prevent them from connecting to IPC$
    Please see http://msgs.securepoint.com/cgi-bin/...0204/50/1.html

    . All the smb tests will be done as ''/'' in domain WORKGROUP
    CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222
    BID : 990


    Service: general/tcp
    Severity: Low


    The remote host uses non-random IP IDs, that is, it is
    possible to predict the next value of the ip_id field of
    the ip packets sent by this host.

    An attacker may use this feature to determine if the remote
    host sent a packet in reply to another request. This may be
    used for portscanning and other things.

    Solution : Contact your vendor for a patch
    Risk factor : Low


    Service: general/icmp
    Severity: Low


    The remote host answers to an ICMP timestamp
    request. This allows an attacker to know the
    date which is set on your machine.

    This may help him to defeat all your
    time based authentication protocols.

    Solution : filter out the ICMP timestamp
    requests (13), and the outgoing ICMP
    timestamp replies (14).

    Risk factor : Low
    CVE : CAN-1999-0524


    Service: general/udp
    Severity: Low

    For your information, here is the traceroute to 172.29.4.112 :
    172.29.4.112



    Service: general/tcp
    Severity: Low

    Remote OS guess : Microsoft Windows.NET Enterprise Server (build 3604-3615 beta)

    CVE : CAN-1999-0454


    Service: netbios-ns (137/udp)
    Severity: Low

    . The following 4 NetBIOS names have been gathered :
    W2K3
    WORKGROUP
    W2K3
    WORKGROUP
    . The remote host has the following MAC address on its adapter :
    0x00 0xc0 0x4f 0x83 0xf9 0x9a

    If you do not want to allow everyone to find the NetBios name
    of your computer, you should filter incoming traffic to this port.

    Risk factor : Medium
    CVE : CAN-1999-0621


    Service: general/tcp
    Severity: Low


    The remote host does not discard TCP SYN packets which
    have the FIN flag set.

    Depending on the kind of firewall you are using, an
    attacker may use this flaw to bypass its rules.

    See also : http://archives.neohapsis.com/archiv...2-10/0266.html
    http://www.kb.cert.org/vuls/id/464113

    Solution : Contact your vendor for a patch
    Risk factor : Medium
    BID : 7487


    Service: loc-srv (135/tcp)
    Severity: Low


    DCE services running on the remote can be enumerated
    by connecting on port 135 and doing the appropriate
    queries.

    An attacker may use this fact to gain more knowledge
    about the remote host.

    Solution : filter incoming traffic to this port.
    Risk factor : Low


    Service: NFS-or-IIS (1025/tcp)
    Severity: Low

    Here is the list of DCE services running on this port:
    UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1
    Endpoint: ncacn_ip_tcp:172.29.4.112[1025]
    Annotation: IPSec Policy agent endpoint

    UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
    Endpoint: ncacn_ip_tcp:172.29.4.112[1025]




    Service: LSA-or-nterm (1026/tcp)
    Severity: Low

    Here is the list of DCE services running on this port:
    UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
    Endpoint: ncacn_ip_tcp:172.29.4.112[1026]

    UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
    Endpoint: ncacn_ip_tcp:172.29.4.112[1026]

    UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
    Endpoint: ncacn_ip_tcp:172.29.4.112[1026]




    Service: microsoft-ds (445/tcp)
    Severity: Low

    A CIFS server is running on this port


    Service: netbios-ssn (139/tcp)
    Severity: Low

    The remote native lan manager is : Windows Server 2003 5.2
    The remote Operating System is : Windows Server 2003 3790
    The remote SMB Domain Name is : WORKGROUP



    Service: netbios-ssn (139/tcp)
    Severity: Low

    The host SID can be obtained remotely. Its value is :

    : 0-0-0-0-0

    An attacker can use it to obtain the list of the local users of this host
    Solution : filter the ports 137 to 139 and 445
    Risk factor : Low

    CVE : CVE-2000-1200
    BID : 959


    Service: netbios-ssn (139/tcp)
    Severity: Low

    A 'rfpoison' packet has been sent to the remote host.
    This packet is supposed to crash the 'services.exe' process,
    rendering the system instable.
    If you see that this attack was successful, have a look
    at this page :
    http://www.wiretrip.net/rfp/p/doc.asp?id=23&iface=2
    CVE : CVE-1999-0980
    BID : 754

    Now, based on this output (and there are some false positives in here) you decide if the statement made by Mr. Valentine, VP at M$, is accurate in that Win2003 is *much* more secure out of the box.

    --Hope this helps out.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
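    An added example, not part of the post: a small Python script that parses `netstat -ano` output of the kind shown above and reports listeners that differ from the default-install baseline, plus those bound to every interface. The sample listing is the post's own output re-typed in netstat's column layout; the baseline port set is taken from that same listing.

```python
import re
from collections import namedtuple

# Constructed sample: the default-install listing from the post, re-typed in netstat's column layout.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       620
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       448
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       920
  TCP    172.29.4.112:139       0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    448
  UDP    0.0.0.0:1027           *:*                                    840
  UDP    0.0.0.0:4500           *:*                                    448
  UDP    127.0.0.1:123          *:*                                    920
  UDP    172.29.4.112:123       *:*                                    920
  UDP    172.29.4.112:137       *:*                                    4
  UDP    172.29.4.112:138       *:*                                    4
"""

Listener = namedtuple("Listener", "proto addr port pid")

# TCP rows count only when LISTENING; UDP rows carry no state column, just the PID.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$")

def parse_listeners(text):
    """Return the set of listening endpoints found in `netstat -ano` output."""
    found = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, addr, port, pid = m.groups()
            found.add(Listener(proto, addr, int(port), int(pid)))
    return found

# (proto, port) pairs the default install listens on, taken from the listing above.
BASELINE_PORTS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 1025), ("TCP", 1026),
                  ("UDP", 123), ("UDP", 137), ("UDP", 138), ("UDP", 445), ("UDP", 500),
                  ("UDP", 1027), ("UDP", 4500)}

def unexpected_listeners(text, baseline=BASELINE_PORTS):
    """(proto, port, pid) of listeners not in the baseline: the first thing to review after a change."""
    return sorted((l.proto, l.port, l.pid) for l in parse_listeners(text)
                  if (l.proto, l.port) not in baseline)

def wildcard_listeners(text):
    """(proto, port) bound to 0.0.0.0, i.e. reachable on every interface, not just one address."""
    return sorted((l.proto, l.port) for l in parse_listeners(text) if l.addr == "0.0.0.0")
```

Feed it the output of a later `netstat -ano` run to see which ports a service pack, a role install or an unwanted program has added relative to the box as it shipped.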

  2. #2
    AO Antique pwaring's Avatar
    Join Date
    Aug 2001
    Posts
    1,409
    Interesting set of statistics, although I wonder how MS will encourage people to upgrade, given that Windows 2000 with service pack 3 is more than adequate for business/network use (sure, it has flaws, but if it ain't broke don't fix it).
    Paul Waring - Web site design and development.

  3. #3
    You said it the_horse.

    The default install of 2k3 is still not safe (damned NULL sessions).
    But anyway, I like the effort MS is making by disabling FrontPage Extensions and WebDAV by default.
    Thanks for the info.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    I have accumulated a few more tidbits for anyone who is interested.

    1) When doing file/folder shares, by default, W2K3 now assigns 'Everyone' read only access instead of full blown rights.

    2) I have applied several custom INF security templates that I wrote for Win2000 and they all work without a hitch. No surprise here though. I didn't expect registry or LSA changes to be drastic.

    3) Get used to the new 'netsh' command as it seems to take the place of several long standing CLI tools. We first saw this tool in XP but now we know it is here to stay.

    Anyway, if there is something specific you want to see, just let me know. For now, I am moving on to AD because it seems that is where most of the development efforts went. Oh yeah, also in third-party authentication support and enhancements. I find that humorous seeing that most of the implementations will not use the functionality. I wonder what large customer requested it?


    --Hope this helps

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Pretty good bit of information, definitely valuable for those who are getting a box with Win2k3 on it and plan on knowing facts about it and securing it.
    Space For Rent.. =]

  6. #6
    Junior Member
    Join Date
    Dec 2002
    Posts
    2

    Great information.

    Any results yet on its security after patching it?
    There are no rules here - we're trying to accomplish something.
    - Thomas A. Edison

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    We can see here Microsoft's definition of "secure". We will still have to entirely reconfigure our systems without even being able to really trust them at the end of the operation.
    I have the feeling that this version will only be a transition step between 2k/XP and Palladium. It will also probably be a way to increase .NET deployment on computers.

    Thanks for the info, Thehorse13.

    KC
    Life is boring. Play NetHack... --more--

  8. #8
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    Thanks for the info.

    Waiting for the AD comments.
    Trappedagainbyperfectlogic.

  9. #9
    Senior Member cheesegoduk's Avatar
    Join Date
    May 2002
    Posts
    224
    Administrators wishing to test out the final Windows 2003, thinking about whether to upgrade or not, who don't wish to purchase a copy of it can get a 180-day test version from Microsoft. It's basically the full version, which stops working after 180 days, which should be plenty of time to set up a small test network and try it out.

    Get your copy here

    http://www.microsoft.com/windowsserv...l/default.mspx

    You can either get a CD sent to you or download it, free of charge.

    Have fun!

  10. #10
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Good post. I figured M$ would launch the same crap dressed up in a shiny new package.



    --PuRe
    Like this post? Visit PuRe's Information Technology Community. We've also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com
