-
May 15th, 2003, 03:47 PM
#1
Windows 2003 - Wanna see....
what it looks like out of the box?
Since Windows 2003 is supposed to be much more secure out of the box, I decided to go ahead and post the details of my findings.
SOFTWARE USED
===================================
Windows 2003 Enterprise Edition, default install. Ver 5.2 (Build 3790.srv03_rtm.030324-2048)
Nessus 2.0.5 on Redhat 9.0 with all updates, including kernel updates and Nessus NASLs.
NessusWX 1.4.4 (Windows GUI interface for the scan engine)
NETSTAT BEFORE WE BEGIN
===================================
I ran a quick netstat on the W2K3 box before I started the scan. Notice the new PID column. This is achieved using the new "o" switch.
C:\> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 448
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 920
TCP 172.29.4.112:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 448
UDP 0.0.0.0:1027 *:* 840
UDP 0.0.0.0:4500 *:* 448
UDP 127.0.0.1:123 *:* 920
UDP 172.29.4.112:123 *:* 920
UDP 172.29.4.112:137 *:* 4
UDP 172.29.4.112:138 *:* 4
There you have it folks, the listening services on a default install of Windows 2003 Enterprise Server. One annoying thing to note: the version of IE that comes with W2K3 has security set to "high" by default. It caused quite a few issues on Java-enabled websites, and it does not tell you that this setting is the cause. Anyway, slight side track, but still worth mentioning...
A few more side notes:
I threw him up on my lab network and XP, W2K, 98, 95 and RH9 machines were able to see him and vice versa.
The desktop is unusually clean in that you only get the Recycle bin in the bottom right hand corner. You'll have to clutter the desktop manually from now on.
The default shares are alive and well on W2K3, as they are on NT, W2K and XP.
C:\> NET SHARE
Share name Resource Remark
-----------------------------------------------------------------------------------
ADMIN$ C:\WINDOWS Remote Admin
C$ C:\ Default share
IPC$ Remote IPC
Hmmmm, isn't that interesting. Hey, what about the Remote Registry service? I wonder if that is on by default? See attached: REMOTE.JPG for the answer.
OK OK, HERE'S WHAT YOU HAVE BEEN WAITING FOR: NESSUS OUTPUT
============================================================
NESSUS SECURITY SCAN REPORT
Created 15.05.2003 Sorted by host names
Session Name : RedHat 9 Loonix
Start Time : 15.05.2003 10:24:36
Finish Time : 15.05.2003 10:40:20
Elapsed Time : 0 day(s) 00:15:44
Total security holes found : 20
high severity : 1
low severity : 13
informational : 6
Scanned hosts:
Name High Low Info
------------------------------------------------
172.29.4.112 1 13 6
Host: 172.29.4.112
Open ports:
netbios-ssn (139/tcp)
microsoft-ds (445/tcp)
LSA-or-nterm (1026/tcp)
NFS-or-IIS (1025/tcp)
loc-srv (135/tcp)
netbios-ns (137/udp)
Service: netbios-ssn (139/tcp)
Severity: High
. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/...0204/50/1.html
. All the smb tests will be done as ''/'' in domain WORKGROUP
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222
BID : 990
Service: general/tcp
Severity: Low
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine if the remote
host sent a packet in reply to another request. This may be
used for portscanning and other things.
Solution : Contact your vendor for a patch
Risk factor : Low
Service: general/icmp
Severity: Low
The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.
This may help him to defeat all your
time based authentication protocols.
Solution : filter out the ICMP timestamp
requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
Service: general/udp
Severity: Low
For your information, here is the traceroute to 172.29.4.112 :
172.29.4.112
Service: general/tcp
Severity: Low
Remote OS guess : Microsoft Windows.NET Enterprise Server (build 3604-3615 beta)
CVE : CAN-1999-0454
Service: netbios-ns (137/udp)
Severity: Low
. The following 4 NetBIOS names have been gathered :
W2K3
WORKGROUP
W2K3
WORKGROUP
. The remote host has the following MAC address on its adapter :
0x00 0xc0 0x4f 0x83 0xf9 0x9a
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
CVE : CAN-1999-0621
Service: general/tcp
Severity: Low
The remote host does not discard TCP SYN packets which
have the FIN flag set.
Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.
See also : http://archives.neohapsis.com/archiv...2-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Service: loc-srv (135/tcp)
Severity: Low
DCE services running on the remote can be enumerated
by connecting on port 135 and doing the appropriate
queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk factor : Low
Service: NFS-or-IIS (1025/tcp)
Severity: Low
Here is the list of DCE services running on this port:
UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1
Endpoint: ncacn_ip_tcp:172.29.4.112[1025]
Annotation: IPSec Policy agent endpoint
UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
Endpoint: ncacn_ip_tcp:172.29.4.112[1025]
Service: LSA-or-nterm (1026/tcp)
Severity: Low
Here is the list of DCE services running on this port:
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:172.29.4.112[1026]
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:172.29.4.112[1026]
UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
Endpoint: ncacn_ip_tcp:172.29.4.112[1026]
Service: microsoft-ds (445/tcp)
Severity: Low
A CIFS server is running on this port
Service: netbios-ssn (139/tcp)
Severity: Low
The remote native lan manager is : Windows Server 2003 5.2
The remote Operating System is : Windows Server 2003 3790
The remote SMB Domain Name is : WORKGROUP
Service: netbios-ssn (139/tcp)
Severity: Low
The host SID can be obtained remotely. Its value is :
: 0-0-0-0-0
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
Service: netbios-ssn (139/tcp)
Severity: Low
A 'rfpoison' packet has been sent to the remote host.
This packet is supposed to crash the 'services.exe' process,
rendering the system instable.
If you see that this attack was successful, have a look
at this page :
http://www.wiretrip.net/rfp/p/doc.asp?id=23&iface=2
CVE : CVE-1999-0980
BID : 754
Now, based on this output (and there are some false positives in here), you decide if the statement made by Mr. Valentine, VP at M$, is accurate in that Win2003 is *much* more secure out of the box.
--Hope this helps out.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
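The three manual checks in the post above (netstat with PIDs, NET SHARE, and the Remote Registry / NULL session question that Nessus then flags as the one high finding) rolled into a single read-only audit. This is an added example, not code from the original post: it assumes an elevated Windows PowerShell 3 or later prompt on a current Windows host (the same checks against a Server 2003 box would need PowerShell 2 syntax or plain cmd), and it only reports, never changes anything. The function names are this example's own.

```powershell
# Added example (not from the original post): the author's three manual
# checks -- listening ports mapped to their owning process, the hidden
# administrative shares, and the registry values behind the Nessus
# "NULL session" finding -- as one read-only audit.
# Assumptions: local host, elevated Windows PowerShell 3+. Nothing is changed.

function Get-ListeningPort {
    # Parse 'netstat -ano' (present since XP/2003) instead of
    # Get-NetTCPConnection, which older servers lack. PID 4 is always System.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[[int]$_.Id] = $_.ProcessName }
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        $owner = $null
        if ($f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') { $owner = [int]$f[4] }
        elseif ($f[0] -eq 'UDP')                        { $owner = [int]$f[3] }
        if ($null -ne $owner) {
            [pscustomobject]@{
                Proto     = $f[0]
                Local     = $f[1]
                # 0.0.0.0 or [::] means bound on every interface, not just the LAN one
                AllIfaces = ($f[1] -match '^(0\.0\.0\.0|\[::\]):')
                PID       = $owner
                Process   = $byPid[$owner]
            }
        }
    }
}

function Get-AdminShare {
    # Win32_Share.Type has the high bit set for the hidden administrative
    # shares (C$, ADMIN$, IPC$). Description matches the "Remark" column of
    # NET SHARE. AutoShareServer=0 suppresses C$/ADMIN$ but never IPC$.
    Get-CimInstance Win32_Share |
        Where-Object { $_.Type -band 0x80000000 } |
        Select-Object Name, Path, Description
}

function Get-AnonymousAccessSetting {
    # The LSA values a NULL-session test exercises. Server 2003 defaults, as
    # I know them (verify on your own build): RestrictAnonymous=0,
    # RestrictAnonymousSAM=1, EveryoneIncludesAnonymous=0, and a populated
    # NullSessionPipes list. AutoShareServer absent ($null) = admin shares on.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $rr  = Get-CimInstance Win32_Service -Filter "Name='RemoteRegistry'"
    [pscustomobject]@{
        RestrictAnonymous         = $lsa.RestrictAnonymous
        RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous
        NullSessionPipes          = ($srv.NullSessionPipes -join ',')
        NullSessionShares         = ($srv.NullSessionShares -join ',')
        AutoShareServer           = $srv.AutoShareServer
        RemoteRegistryStartMode   = $rr.StartMode
        RemoteRegistryState       = $rr.State
    }
}

function Invoke-DefaultInstallAudit {
    Write-Host '== Listening ports (compare with the netstat -ano in the post) =='
    Get-ListeningPort | Sort-Object Proto, Local | Format-Table -AutoSize
    Write-Host '== Administrative shares =='
    Get-AdminShare | Format-Table -AutoSize
    Write-Host '== Anonymous access / Remote Registry =='
    Get-AnonymousAccessSetting | Format-List
}

Invoke-DefaultInstallAudit
```

Read the output next to the Nessus report: a wildcard-bound 135/139/445 plus RestrictAnonymous=0 is exactly the condition under which the scanner's "log in using a NULL session" check succeeds, and the Win32_Share rows are the same C$/ADMIN$/IPC$ the NET SHARE listing showed.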
-
May 15th, 2003, 03:57 PM
#2
Interesting set of statistics, although I wonder how MS will encourage people to upgrade, given that Windows 2000 with service pack 3 is more than adequate for business/network use (sure, it has flaws, but if it ain't broke don't fix it).
-
May 16th, 2003, 11:38 AM
#3
You said it the_horse.
The default install of 2k3 is still not safe (damned NULL sessions).
But anyway, I like the effort MS is making by disabling FrontPage Extensions and WebDAV by default.
Thanks for the info.
-
May 16th, 2003, 02:45 PM
#4
I have accumulated a few more tidbits for anyone who is interested.
1) When doing file/folder shares, by default, W2K3 now assigns 'Everyone' read only access instead of full blown rights.
2) I have applied several custom INF security templates that I wrote for Win2000 and they all work without a hitch. No surprise here though. I didn't expect registry or LSA changes to be drastic.
3) Get used to the new 'netsh' command, as it seems to take the place of several long-standing CLI tools. We first saw this tool in XP, but now we know it is here to stay.
Anyway, if there is something specific you want to see, just let me know. For now, I am moving on to AD because it seems that is where most of the development efforts went. Oh yeah, also in third-party authentication support and enhancements. I find that humorous seeing that most of the implementations will not use the functionality. I wonder what large customer requested it?

--Hope this helps
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
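Point 2 above mentions applying custom INF security templates. As an added example (not one of the author's templates, and not code from the original thread), here is a minimal template of that kind, applied with secedit, that addresses what the scan in the first post turned up: anonymous enumeration, the C$/ADMIN$ auto-shares, and the Remote Registry service. It assumes an elevated Windows PowerShell 3 or later prompt on a stand-alone or member server; the file names and the chosen values are this example's own.

```powershell
# Added example (not from the original post): a minimal INF security
# template applied with secedit, closing the Nessus high finding (anonymous
# enumeration), dropping the C$/ADMIN$ auto-shares and disabling Remote
# Registry. Assumptions: elevated Windows PowerShell 3+; paths and values
# are this example's choices.

$infPath = Join-Path $env:TEMP 'harden-anon.inf'
$dbPath  = Join-Path $env:TEMP 'harden-anon.sdb'
$logPath = Join-Path $env:TEMP 'harden-anon.log'

# Single-quoted here-string so "$CHICAGO$" is not expanded by PowerShell.
# [Registry Values] lines are path=type,data; type 4 = REG_DWORD.
# secedit expects a Unicode (UTF-16LE) template when Unicode=yes.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer=4,0
'@ | Set-Content -Path $infPath -Encoding Unicode

# Configure from the template, then analyze against it so the log records
# every value as matching (the same loop you would run for any custom INF).
secedit /configure /db $dbPath /cfg $infPath /overwrite /log $logPath /quiet
secedit /analyze   /db $dbPath /cfg $infPath /log $logPath /quiet

# Remote Registry is a service, not a plain registry value, so use the
# service cmdlets: disabled and stopped.
Set-Service  -Name RemoteRegistry -StartupType Disabled
Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue

# AutoShareServer=0 only takes effect when the Server service recreates its
# shares; IPC$ always remains. Restarting lanmanserver drops active SMB
# sessions, so do this in a maintenance window.
Restart-Service -Name LanmanServer -Force

# Read back what was applied and compare with the NET SHARE output in the post.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' |
    Select-Object RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' |
    Select-Object AutoShareServer
net share
```

Two caveats a rescan will make obvious. On 2003-era and later systems RestrictAnonymous=1 stops the anonymous caller from enumerating SAM accounts and shares but does not by itself refuse the anonymous IPC$ connection, so a scanner may still report that a null session was accepted while the SID and user enumeration checks now fail; that is the "won't completely disable null sessions" note in the Nessus text. And on a domain member, the equivalent "Network access:" Group Policy settings overwrite these local values at the next policy refresh, so put the same values in the GPO rather than relying on the local template.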
-
May 16th, 2003, 09:19 PM
#5
Pretty good bit of information, definitely valuable for those who are getting a box with Win2k3 on it and plan on knowing facts about it and securing it.
-
May 16th, 2003, 10:56 PM
#6
Great information.
Any results yet on its security after patching it?
There are no rules here - we're trying to accomplish something.
- Thomas A. Edison
-
May 16th, 2003, 11:18 PM
#7
We can view here the definition of "secure" by Microsoft. We will still have to entirely reconfigure our systems, without even being able to really trust them at the end of the operation.
I have the feeling that this version will only be a transition step between 2k/XP and Palladium. It will also probably be a way to increase .NET deployment on computers.
Thanks for the info, Thehorse13.
KC
Life is boring. Play NetHack... --more--

-
May 16th, 2003, 11:28 PM
#8
Thanks for the info.
Waiting for the AD comments.
Trappedagainbyperfectlogic.
-
May 17th, 2003, 12:58 AM
#9
Administrators wishing to test out the final version of Windows 2003, who are thinking about whether or not to upgrade and don't wish to purchase a copy, can get a 180-day test version from Microsoft. It's basically the full version, which stops working after 180 days, which should be plenty of time to set up a small test network and try it out.
Get your copy here
http://www.microsoft.com/windowsserv...l/default.mspx
You can either get a CD sent to you or download it, free of charge.
Have fun!
-
May 17th, 2003, 01:11 AM
#10
Good post. I figured M$ would launch the same crap dressed up in a shiny new package.
--PuRe