The Cellar  

Old 05-08-2002, 11:15 AM   #1
Undertoad
Radical Centrist
 
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
Win2K security = 0

Granted I'm no MCSE, but...

All I did...

I loaded Win 2K on an empty machine.

I did a Windows Update and retrieved and applied all the patches.

I set a pretty strong Administrator password, and set up requiring ctrl-alt-del to log in.

I set up one non-Admin user for FTP access.

I started IIS and FTP. I did development work on the box for three weeks.

I notice some odd unexpected inbound traffic. Check it out and indeed, the box has been cracked. Somebody's put some warez into the non-Admin user's FTP section.

Now, granted FTP uses plain-text passwords, and granted I don't use a hardware firewall here, and granted a whole bunch of other stuff. But three weeks! Come on!
Old 05-08-2002, 01:36 PM   #2
MaggieL
in the Hour of Scampering
 
Join Date: Jan 2001
Location: Jeffersonville PA (15 mi NW of Philadelphia)
Posts: 4,060
Ummmm...weak non-admin user password? How about the username?

My impression is that traffic on ntbugtraq seems pretty unhappy with using WU for security stuff, too.
__________________
"Neither can his Mind be thought to be in Tune,whose words do jarre; nor his reason In frame, whose sentence is preposterous..."

Old 05-08-2002, 02:23 PM   #3
Undertoad
Radical Centrist
 
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
The user was "anton", password was something like (but was not) "mpv5jd2i".
Old 05-08-2002, 02:36 PM   #4
dave
Guest
 
Posts: n/a
i generally use a 27 character, alpha-numeric mixed-case password. i don't figure it's very likely that it's going to get cracked. you know. something like

82dwHE7dl29D69G30zltnfau26m

wee!

remembering it can be a bit of a pain in the ass, so i break it down like this:

8 8 6 5

and i always use the password generator that i wrote to come up with 'em. it's good stuff
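The scheme dave describes above (a 27-character mixed-case alphanumeric password, split into 8/8/6/5 groups for memorisation) as an added example, not code from the thread or dave's own generator: it draws from a CSPRNG, reports the entropy of the result, and splits it into the groups he mentions. Note that entropy only matters for guessing attacks; it does nothing for a password that is sent in cleartext over FTP, which is the failure this thread is about.

```python
import math
import secrets
import string

# Mixed-case letters plus digits: the 62-symbol alphabet dave's sample uses.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 27, alphabet: str = ALPHABET) -> str:
    """Return `length` symbols drawn uniformly from `alphabet` using os-backed randomness.

    secrets.choice is used rather than random.choice because the latter is a
    predictable Mersenne Twister and unsuitable for credentials.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def chunk(password: str, sizes=(8, 8, 6, 5)) -> list[str]:
    """Split the password into the memorisation groups from the post (8 8 6 5).

    The group sizes must add up to the password length, otherwise part of the
    password would be silently dropped from (or invented in) the groups.
    """
    if sum(sizes) != len(password):
        raise ValueError("chunk sizes must add up to the password length")
    groups, pos = [], 0
    for n in sizes:
        groups.append(password[pos:pos + n])
        pos += n
    return groups


def is_in_alphabet(password: str, alphabet: str = ALPHABET) -> bool:
    """True if every character of the password comes from the allowed alphabet."""
    return all(c in alphabet for c in password)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "->", " ".join(chunk(pw)))
    print(f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits of entropy")
```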
Old 05-08-2002, 02:59 PM   #5
russotto
Professor
 
Join Date: Jan 2001
Posts: 1,788
I use a Mac. Even if you could break in, who would want to?
Old 05-08-2002, 04:14 PM   #6
MaggieL
in the Hour of Scampering
 
Join Date: Jan 2001
Location: Jeffersonville PA (15 mi NW of Philadelphia)
Posts: 4,060
So the password was fairly strong as such things go. Looks like somebody either sniffed your packet logging on, or found a W2K exploit that the box isn't patched for. I'm guessing the latter.
__________________
"Neither can his Mind be thought to be in Tune,whose words do jarre; nor his reason In frame, whose sentence is preposterous..."

Old 05-08-2002, 06:19 PM   #7
Kris
Drawn Druid
 
Join Date: Aug 2001
Location: Over there
Posts: 32
Just a note...

windows update doesn't plug the swiss cheese... it's more geared towards the OS vs. add-ons. They've got a separate tool that'll let you check to see if IIS has all the latest hotfixes applied (similar to up2date, apt-get, etc.).

You can get it from here.
Old 05-08-2002, 08:54 PM   #8
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
FTP?

FTP on Windows is complete evil.

FTP on any platform is completely bad.

I just run OpenSSH on production Windows boxes, and use WinSCP2 to SCP the files over just like Explorer.

I have actually had that happen to me with Windows 2000 and FTP, and vowed never again to use an unencrypted way to authenticate to a site.

BTW, there's about 40 registry hacks and ACL permissions you have to change.

It's a bitch to get 2K up to some sort of snuff, but it works well if you don't use FTP.

Mitch
Old 05-08-2002, 10:30 PM   #9
MaggieL
in the Hour of Scampering
 
Join Date: Jan 2001
Location: Jeffersonville PA (15 mi NW of Philadelphia)
Posts: 4,060
Re: FTP?

Quote:
Originally posted by mbpark
I just run OpenSSH on production Windows boxes, and use WinSCP2 to SCP the files over just like Explorer.
I'm delighted to hear there's SSH for Windows boxen. But "just like Explorer?" Is WinSCP2 a GUI app?
__________________
"Neither can his Mind be thought to be in Tune,whose words do jarre; nor his reason In frame, whose sentence is preposterous..."

Old 05-09-2002, 08:28 AM   #10
That Guy
He who reads, sometimes writes.
 
Join Date: Sep 2001
Location: at the keyboard
Posts: 791
Re: Win2K security = 0

Quote:
Originally posted by Undertoad
Granted I'm no MCSE, but...
Minesweeper Champion and Solitaire Expert?...
Old 05-09-2002, 09:09 AM   #11
mbpark
Lecturer
 
Join Date: Jan 2001
Location: Carmel, Indiana
Posts: 761
WinSCP2 = GUI

Yep,

It's GUI. This makes me happy because it takes me 5 minutes to explain to someone how to use it, most of which is spent reviewing SSH authentication.

As opposed to standard SCP, which is painful, WinSCP2 allows me to instruct our site people quickly on how to update web sites, without using evil unencrypted and bandwidth hogging FTP.

OpenSSH for Windows runs as a service, and also allows you to ssh right into the box, running multiple interactive command line sessions along with your VNC sessions.

By the time I am done with a Windows box, chances are it's got the following anyway:

1. OpenSSH for Windows, which is also a Cygwin port.
2. PuTTY ssh client, because it's nice.
3. Tunnelier SSH tunneling tool.
4. A Linux or OpenBSD box as a firewall.
5. NAT, to make tunneling over a bitch that you need Tunnelier for.
6. A completely hacked registry.
7. ACLs like mad.
8. Most of IIS completely disabled, except for ASP and Perl scripting. This is how I avoided Code Red and Nimda, because we disabled most of IIS and don't do anything more than ASP with it.

Windows = one bitch and a half to set up, but remarkably stable if you take the time to lock it down and don't use unsigned video drivers.

It takes me about 4-5x the time it takes me to set up a Linux box to set up a Windows one, since Microsoft turns on EVERYTHING by default.

Mitch
Old 05-09-2002, 09:25 AM   #12
dave
Guest
 
Posts: n/a
Eh, so does RedHat. It's just really easy to turn off RedHat shit.

# chkconfig sendmail off

is usually one of the first things I do.
Old 05-09-2002, 09:58 AM   #13
Undertoad
Radical Centrist
 
Join Date: Jan 2001
Location: Cottage of Prussia
Posts: 31,423
Thanks for the tips folks.

After this current project I'm just gonna turn all the services off that I won't need, and run a software firewall on it. And never offer any Windows-based hosting.
Old 05-09-2002, 10:30 AM   #14
MaggieL
in the Hour of Scampering
 
Join Date: Jan 2001
Location: Jeffersonville PA (15 mi NW of Philadelphia)
Posts: 4,060
Re: WinSCP2 = GUI

Quote:
Originally posted by mbpark

As opposed to standard SCP, which is painful, WinSCP2 allows me to instruct our site people quickly on how to update web sites, without using evil unencrypted and bandwidth hogging FTP. OpenSSH for Windows runs as a service...
Now, that's a cool thing. Goes right into my bag-o-tricks.
Quote:

It takes me about 4-5x the time it takes me to set up a Linux box to set up a Windows one, since Microsoft turns on EVERYTHING by default.
The more features they leave turned on, the more likely that some less-than-clueful local junior developer will build a dependency on them.

Oh, Tony... one tip I know, if you absolutely must run an FTP service, is to change the greeting message, making it harder for a script to figure out which exploits to try first. But with the ability to run scp, FTP is much less necessary.
__________________
"Neither can his Mind be thought to be in Tune,whose words do jarre; nor his reason In frame, whose sentence is preposterous..."

Old 05-10-2002, 01:45 AM   #15
jaguar
whig
 
Join Date: Apr 2001
Posts: 5,075
IIS is very hard to secure; it is far from secure by default.
Get one of the many free tools around that can secure it. I know Microsoft has one; 'tis probably not the best.
Furthermore, can you give me any of the details that were on the warez, group tags etc.? I can probably tell you who hacked it.
__________________
Good friends, good books and a sleepy conscience: this is the ideal life.
- Twain