
Thread: Win 2K3 server, Win XP pro and Win 2000 pro Security Comparison

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    472

    Win 2K3 server, Win XP pro and Win 2000 pro Security Comparison

    today i had chance to run Nessus against windows 2k3 server version 5.2(build 3798.srv03_rt.030324-2448), win xp pro ver. 5.1 build 2600 and win 2000 pro ver. 5 build 2195 SP 4 .....
    all with default installation by average users who connect to internet.........
    I found the scans to be interesting.. so i am posting the scans here

    ---------------------------------------------
    For Win 2000 pro ver. 5 build 2195 SP 4
    ----------------------------------------------

    1 security, 10 security warnings, 7 security notes
    50% medium, 50% low risks
    Null session establishment possible
    Remote user and groups enumeration possible
    packets with FIN set accepted

    ------------------------------------
    For Win XP Pro ver. 5.1 build 2600
    -------------------------------------

    6 security, 11 security warnings, 9 security notes
    41% medium, 41% low risks, 12% high, 6% serious
    Null session establishment possible
    packets with FIN set accepted

    -----------------------------------------------------------------------
    For Win 2K3 Server version 5.2(build 3798.srv03_rt.030324-2448)
    -----------------------------------------------------------------------
    1 security, 7 security warnings, 7 security notes
    41% medium, 41% low risks, 12% high, 6% serious
    Null session establishment possible
    packets with FIN set accepted

    so what u think about the security issues...lets discuss in detail thats why i am posting these here..........
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  2. #2
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    So in short overview these scans show us that w2k pro is the safest ...this is so typical Micro$o$t ... they bring out new OS'es and they are less secure than their previous comrades.

    Ok the Null-session has always been there and a good administrator knows this is a security risk and acts accordingly ... but a normal user who thinks he is investing in a newer and "safer" os will not like it if he finds out it's not the thing he was hoping for

    Of course a good firewall solves most of these problems as most of them are medium risk and a few low ones.

    But we should actually compare these scans with one from a *nix box then we have something to compare.

    What caught my eye though is this: "The remote host does not discard TCP SYN packets which have the FIN flag set. Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules."
    and if you follow the link it gets explained a bit more: Ambiguities in TCP/IP - firewall bypassing.

    Also they state : "Other OSes than those tested above are expected to behave in a similar manner after obtaining such a discouraging result"

    Maybe this is not new to you guys but i didn't know and I find it a bit upsetting...they speak of patches ...are these available yet.??
    Back when I was a boy, we carved our own IC's out of wood.
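
The Nessus finding quoted in post #2 (a host that does not discard TCP SYN packets with FIN also set) is something a packet filter can check for directly. The following is an added example, not part of the original thread: a Python parser that reads the flag byte of a raw IPv4/TCP packet and marks SYN+FIN for dropping, extended to SYN+RST and flagless packets as a generalization; the function names, addresses and sample packets are constructed for illustration.

```python
import struct

# TCP flag bits, byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_flags(packet: bytes):
    """Return the TCP flag bits of a raw IPv4 packet, or None if it is not
    a first-fragment IPv4/TCP packet with a complete TCP header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IP header length; options shift TCP
    if ihl < 20 or packet[9] != 6:          # protocol 6 = TCP
        return None
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset or len(packet) < ihl + 20:
        return None                         # later fragment or truncated header
    return packet[ihl + 13] & 0x3F

def classify(packet: bytes) -> str:
    """Filter decision for contradictory TCP flag combinations."""
    flags = tcp_flags(packet)
    if flags is None:
        return "not-tcp"
    if flags & SYN and flags & FIN:         # the case from the Nessus finding
        return "drop: SYN+FIN"
    if flags & SYN and flags & RST:
        return "drop: SYN+RST"
    if flags == 0:
        return "drop: no flags"
    return "pass"

def build_packet(flags: int, ihl_words: int = 5) -> bytes:
    """Constructed sample: IPv4 + TCP headers only, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     ihl_words * 4 + 20, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    ip += b"\x00" * (ihl_words * 4 - 20)    # zero-filled IP options, if any
    tcp = struct.pack("!HHIIBBHHH", 40000, 445, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    samples = {"SYN": SYN, "SYN+ACK": SYN | ACK, "SYN+FIN": SYN | FIN,
               "SYN+FIN+PSH": SYN | FIN | PSH, "FIN+ACK": FIN | ACK, "none": 0}
    for name, flags in samples.items():
        print(f"{name:12} -> {classify(build_packet(flags))}")
```

A filter that tests only "SYN set, ACK clear" would treat the SYN+FIN sample like any other packet; checking the full flag byte is what separates the two.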

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Location
    Texas
    Posts
    168
    Just out of curiosity why scan win2k3? It's a server os not intended for workstation. You also use win2k sp4 but not xp sp1? Any reason for this? I guess what I'm trying to say is that Win2k has a service pack advantage over xp and well if I can quote you
    "all with default installation by average users who connect to internet........."
    why would the average user be using win2k3?
    <chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    472
    well that was quite a nice description.....Cemetric....

    And one more thing i would like to say here .. all the above windows TCP stack uses sequential initial sequence number in their packets....which means easy session hijacking as well as bogus packet insertion..

    i think M$ is raising a lot hue n cry about win 2k3 server.....
    what i think from the above scan is they are more relying on just turning the many default services off for the optimization and security, but the TCP stack implementation remains the same...though turning default services is a very good idea...but then i dont know the details so i may stand wrong.........

    My personal experience with this win2k3 server when i had it for testing purpose in my LAN is as follows:
    broad H/w specs of the sys...

    Athlon Pro 1400+ 1600 MHz
    128 SDRAM

    copying a file over network shared from win2k3 server to win xp (versions same as described above) makes it creep...i dunno how it will stand in the server scenario..... and they are saying theirs is faster than samba...at least my experience doesnt say so

    i tried SYN attack on this server... it was successful...in less than 5 mins it made the server creeping slow... even i was unable to move the mouse pointer.....so eventually had to go for a reboot

    that was from my side waiting for the answers from ur side wise men..

    Originally posted here by Darksnake
    Just out of curiosity why scan win2k3? It's a server os not intended for workstation. You also use win2k sp4 but not xp sp1? Any reason for this? I guess what I'm trying to say is that Win2k has a service pack advantage over xp and well if I can quote you why would the average user be using win2k3?
    Darksnake u are quite right....but i got the systems for testing with these OSes only the win2k service pack was installed so it is not default...but i think soon i will give a pure default scan log...so for the time being pls bear with this..

  5. #5
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Just out of curiosity why scan win2k3? It's a server os not intended for workstation. You also use win2k sp4 but not xp sp1? Any reason for this? I guess what I'm trying to say is that Win2k has a service pack advantage over xp and well if I can quote you
    Now I don't mean this in a bad way but as I stated in my previous post ...M$ should have learned after w2k that they should do something about their security or lack of ... if it took 4 service packs to tighten the security on their w2k os then they should have known this in the winxp and definitely in W2K3 but nooo the holes are still there ...there should be no need for a SP on the Winxp because the security should have been adapted they should have learned from previous os'es and don't get me started on W2K3 ...this should be even more secure as this is a server os ... tsk tsk tsk M$

    And wonder why people start switching to other OS'es.



    C.

  6. #6
    Banned
    Join Date
    May 2003
    Posts
    1,004
    *sigh*

    Who cares about default configuration? People that think OpenBSD is the most secure OS in the world, that's who. In other words, people that know jack about security.

    I am currently running Windows 2003 and I have been very impressed by its security improvements over Win2k. (which in my professional opinion had the best security of any non-TOS) The eased ability to audit rights propagation, ease of implementing even more finely grained access controls, and simpler structuring of RBAC both locally and domain wide.

    What does this mean? It means that MS still favors default functionality over default security, especially with the release of a new rev with so many changes. This is the method I prefer as well, it is good for admins to establish security themselves and not just assume that things are secure, and altering default security configurations may weaken aspects of the system the admin may not consider, especially when their focus is getting something to work and not security at that moment.

    This also means that with its finely grained access controls, RBAC, segregation of administrators and operators and decent ISO 15408 rating (EAL4)... makes the NT line the most secure system under $1000 (at $995 heh), the most secure and highest assurance system under ~$10,000 and with third party security products from Argus and AITS, NT can be put up in the same realm as Trusted XENIX. (which is quite dated, though XENIX was also made by MS. Trusted XENIX however was XENIX tuned by TIS)

    catch

  7. #7
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Geez, I might take serious sh*t for this, but I think you're being a bit hard on M$ (Please don't throw your rocks yet) The idea that a company is putting out an OS which is exceedingly more complicated than all its predecessors on a 3-5 year schedule is incredible. The technology behind *nix based OS's is mature aka been tried and tested for years and improved along the way (and STILL has plenty of holes mind you). The NT kernel as we know it is young and still evolving rapidly and the position it will be completely secure on release is both unfair and unrealistic. It seems strange that people want an OS that is easy on the end-user as well as secure, yet fail to reflect on how these 2 needs will affect each other proportionately. Sure many *nix installs don't have every service running on default but how much does an end user know about what services should be running and how to secure them or even care? Users WANT services, they want to stream media, share files, drag things to other little things, they don't CARE if it's secure that's the admin's job. Yes, linux is probably safer out-of-the-box. Linux also requires you to know what the hell you are doing and it doesn't do as much for an end-user either (out-of-the-box), face it. The fact that the Win2k box was the most secure is hardly surprising as it's also the most mature of the lot. And I think someone else pointed out what the hell is an end-user doing with a Win2k3 server anyway? Of COURSE it's less secure it's a SERVER with SERVICES, it's not for an end user. And the idea that all the little monkeys in Redmond can find all the problems on the latest 750,000 lines of code they added is ridiculous, you can't even get a video game to work right on release much less the most complex OS in the universe.
    There's no substitute for thousands of users across the globe messing around with your OS to find the holes, if you want a secure OS use one that's mature, how many of you run all your *nix installs with the unstable releases of everything? I too would like to see a report on a few linux distros with all the fun stuff installed and see how they compare. I'm not saying that M$ is doing a bang up job or anything, the TCP/IP stack and null sessions are idiotic but you gotta give some credit where credit is due, they have implemented a significant amount of changes that show they're at least aware of the problem. And you should also keep in mind that Windows is a far larger target for people seeking exploits than *nix systems, first off because *nix users know what they are doing and are more likely to actively pursue their security concerns (which means it's harder to gain access and do so un-noticed), as well as the fact that there are just a lot more Windows boxes out there and an attacker is going to use probability in his favor, I mean come on, how many of you have a working exploit for an AS/400? Maybe we should spend more effort in addressing these new security concerns than bashing M$. Just a thought.

    -Maestr0

    EDIT: Catch just posted before me while I was writing this, so now everyone can throw their rocks at him too.
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  8. #8
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    What kinds of services were running on these boxes? It makes a huge difference if you have full blown domain controller, IIS 6.0, ftp, . . . set up as opposed to nothing. And by average user, does this include the built in firewall capabilities? And, are these behind or in front of a NAT router, or some kind of gateway? Some more information, elaborating on the configuration of these boxes is necessary for in depth discussion.

  9. #9
    Senior Member
    Join Date
    May 2003
    Posts
    472
    I agree with u Maestr0 totally end user dont need Win 2K3 server....but my friend downloaded and installed it...becoz he said "It was secure" just as propagated by M$....everyone in todays world is caring for his/her systems security..............so once they see M$ stating "it is very secure"...they fell for it.............did M$ ever state it is not for end users and they should not use it...they say just one thing "its very secure" luring you...some of the average users might fall for this for security concerns....jus like my friend.........

    Secondly i am not finding faults or bashing or whatsoever.....but just seeing it....and addressing the very basic security issues which are to be there.......

    The point buddies i want to raise is....M$ improved on logging etc in win 2k3 server....but much of the TCP/IP stack implementation remains the same....which in my view needs a lot of tweaking......M$ knew it was going to be a "very secure server"... and was going to be implemented mainly in server scenario where file sharing not so common..........
    then whats the point in NULL session being there........

    i think the M$ guys dont ever look at the securities....if it was going to be an excellent server(as being propagated) the issue of FIN acknowledgement and sequential initial sequence numbers have been taken care of ........ but only if they might have put in some effort to rewrite the stack...

    Yes no OS can be perfect in first release but i think M$ has a good lot experience with NT,2000 pro, 2000 server, XP pro etc...

  10. #10
    Default configuration doesn't matter one bit. Real security is not in the default config, it's in the user, who knows how to modify things to their liking and their own safety.
