Every network service that is enabled is a potential vector of attack, because it accepts input from the network and therefore increases the risk of unauthorized entry into the system. Network services should be enabled only when there is a legitimate business need for them.
New security holes are discovered and communicated frequently to the Windows community (including potential attackers). If the system administrator is not aware of these alerts, and if he or she does not install security patches, well-known security holes could exist on the system, providing a vector for compromising the system.
Note | This is one of the most critical steps you will perform. Unnecessary and unsecured network services are the number one vector of attack on Windows servers. They are what will allow someone who has no business being on the system to gain access to the system and/or to disrupt the system. These steps go hand in hand with the vulnerability scanning performed later in the audit. |
The results of the tools shown in Table 6-2 reveal key pieces of the internal operations of the host to help you to view what's happening on the system. Netstat reveals the active sockets on your computer listening for external communications. Psservice, sc, and DumpSec list the running services. Next, you can map the running services to the open ports using fport or tcpvcon. The last utility mentioned, procexp, is also capable of showing you much of this information but cannot be scripted. It is mentioned here because of its powerful capabilities and because it is free. This may seem like a lot of utilities, but it's worth taking the time to look through them to decide what information you need for your audit.
Tool | Description | Where to Get It |
---|---|---|
netstat | Provides network information | Native Windows command |
psservice | List service information | http://www.sysinternals.com |
sc | Native tool for talking with service controller | Native Windows command |
DumpSec | GUI and command-line "Swiss army knife" of the security settings | http://www.somarsoft.com |
tcpvcon | CLI view of processes mapped to ports | http://www.sysinternals.com |
tcpview | GUI view of processes mapped to ports | http://www.sysinternals.com |
procexp | Very powerful GUI process explorer | http://www.sysinternals.com |
Fport | CLI view of processes mapped to ports | http://www.foundstone.com |
You can use the native netstat command by typing netstat -an at the command line. TCP ports on which the host accepts incoming connections are shown with a state of LISTENING; UDP sockets have no state column, so every UDP line in the output is a bound port that will accept datagrams. Adding the -o switch (netstat -ano) appends the PID of the owning process to each line, which is the simplest native way to tie a port to a process. You can find a list of services using such tools as psservice.
To get from a PID to a process or service, run the built-in tasklist /svc, which lists every process together with the services it hosts (important for svchost.exe, where several services share one PID), or sc query type= service to list the services themselves. Utilities that map ports directly to processes include Fport from Foundstone and tcpvcon from SysInternals; we recommend tcpvcon. The "Tools and Technology" section below has information on where to find these tools and more. If you want to know absolutely everything about a process, then download and run the SysInternals Process Explorer.
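The port-to-process-to-service mapping described above can be produced natively on a current Windows host. The following PowerShell script is an added example and is not from the book; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetUDPEndpoint) and an elevated prompt, so that process image paths and service-to-PID mappings are complete.

```powershell
# Added example, not from the book. Maps each listening TCP socket and each
# bound UDP socket to its owning PID, the process image, and any Windows
# services hosted in that process (several services often share one svchost.exe).
# Assumes Windows 8 / Server 2012+ and an elevated prompt.

# Service-to-PID lookup, keyed by PID as a string.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

function Get-ListeningSocketReport {
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    foreach ($s in (@($tcp) + @($udp) | Sort-Object Proto, LocalPort)) {
        $proc = Get-Process -Id $s.OwningProcess -ErrorAction SilentlyContinue
        $svcs = $servicesByPid["$($s.OwningProcess)"]
        [pscustomobject]@{
            Proto    = $s.Proto
            Local    = "$($s.LocalAddress):$($s.LocalPort)"
            PID      = $s.OwningProcess
            Process  = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Image    = if ($proc) { $proc.Path } else { '' }      # empty for PID 4 (System)
            Services = if ($svcs) { @($svcs.Name) -join ',' } else { '' }
        }
    }
}

# Review on screen, then keep a copy as audit evidence.
Get-ListeningSocketReport | Format-Table -AutoSize
Get-ListeningSocketReport | Export-Csv -NoTypeInformation -Path .\listening-sockets.csv
```

When reading the output, sockets bound to 0.0.0.0 or :: accept connections on every interface and are the ones to walk through with the administrator; a 127.0.0.1 listener is reachable only from the host itself. Sockets owned by PID 4 belong to the kernel (SMB on TCP 445 is the usual one) and will not show an image path.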
Once you have obtained a list of enabled services, talk through the list with the system administrator to understand the need for each service. Many services are enabled by default and therefore were not enabled consciously by the system administrator.
For any services that are not needed, encourage the administrators to disable them. The Microsoft snap-in for the management console can be launched by typing services.msc from the Run option on the Start menu.
The services listed in Table 6-3 probably should not be running unless necessary for other applications or legitimate business reasons.
Service | Service |
---|---|
Alerter | Network DDE |
Application Layer Gateway Service | Network DDE DSDM |
Clipbook | Print Spooler |
Error Reporting Service | Routing and Remote Access |
Fax Service | Telephony |
IMAPI CD-Burning COM Service | Telnet |
Indexing Service | Upload Manager |
Intersite Messaging | Windows Audio |
Windows Messenger Service | Windows Image Acquisition (WIA) Configuration |
NetMeeting Remote Desktop Sharing | Wireless |
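The following PowerShell script is an added example (not from the book) that checks a host against the Table 6-3 list: for each name it reports whether the service is installed, its current state and start mode, and flags the ones that are running or set to start automatically. The names are copied from the table as display names; they are Windows XP / Server 2003 era, so on later releases most will report as not installed and the list should be adjusted for the version under audit (the "Wireless" entry is left as printed). The Disable-UnneededService helper is my addition and should be run only after the administrator has confirmed the service is not needed.

```powershell
# Added example, not from the book. Audits the host against the Table 6-3 list.
# Display names are as printed in the table (XP / Server 2003 era); adjust for
# the Windows version under audit. Remediation requires an elevated prompt.
$questionable = @(
    'Alerter', 'Application Layer Gateway Service', 'Clipbook',
    'Error Reporting Service', 'Fax Service', 'IMAPI CD-Burning COM Service',
    'Indexing Service', 'Intersite Messaging', 'Windows Messenger Service',
    'NetMeeting Remote Desktop Sharing', 'Network DDE', 'Network DDE DSDM',
    'Print Spooler', 'Routing and Remote Access', 'Telephony', 'Telnet',
    'Upload Manager', 'Windows Audio',
    'Windows Image Acquisition (WIA) Configuration', 'Wireless'
)

function Test-QuestionableServices {
    param([string[]]$Names = $questionable)
    $installed = Get-CimInstance Win32_Service
    foreach ($name in $Names) {
        # Match on display name or short name (PowerShell -eq is case-insensitive).
        $hits = $installed | Where-Object { $_.DisplayName -eq $name -or $_.Name -eq $name }
        if (-not $hits) {
            [pscustomobject]@{ Service = $name; State = 'not installed'; StartMode = ''; Finding = '' }
            continue
        }
        foreach ($svc in $hits) {
            # Win32_Service.StartMode is one of Boot, System, Auto, Manual, Disabled.
            $finding = if ($svc.State -eq 'Running' -or $svc.StartMode -eq 'Auto') {
                'REVIEW: running or auto-start; confirm business need or disable'
            } else { '' }
            [pscustomobject]@{
                Service   = $svc.DisplayName
                State     = $svc.State
                StartMode = $svc.StartMode
                Finding   = $finding
            }
        }
    }
}

# Disable a service the administrator has agreed is not needed: stop it now and
# set the start type to Disabled so it does not come back at the next boot.
function Disable-UnneededService {
    param([Parameter(Mandatory)][string]$Name)   # short service name, e.g. TlntSvr for Telnet
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Set-Service -Name $Name -StartupType Disabled
}

Test-QuestionableServices | Format-Table -AutoSize
```

Setting the start type to Disabled (rather than only stopping the service) is what makes the change survive a reboot; Set-Service takes the short service name, which Test-QuestionableServices can be extended to print alongside the display name.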
It is critical for administrators to manage the application set that gets installed on their hosts:

- Not all applications play well together.
- Applications may have a dependency that's not installed.
- More applications mean more areas of potential compromise.

Unmanaged or unknown applications also may have configuration or coding issues that make the server vulnerable to compromise. For example, a poorly managed application could be missing patches, allow access to a privileged process, or inadvertently create a covert channel for an unprivileged user.
Use the results from the output of psinfo -s. This output has information about the installed applications. Compare this with organizational policy, and discuss your findings with the administrator.
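One way to carry out that comparison is to build the inventory yourself from the registry Uninstall keys (the same data Add/Remove Programs displays) and diff it against an approved-software list. The PowerShell below is an added example, not from the book; the $approved baseline is a constructed placeholder to be replaced with the organization's policy list, and the per-user Uninstall key is included because software installed under a user profile often escapes machine-level inventories.

```powershell
# Added example, not from the book. Builds an installed-software inventory from
# the registry Uninstall keys (machine-wide, 32-bit-on-64-bit, and per-user) and
# compares it with an approved-software baseline. $approved is a constructed
# placeholder; replace it with the organization's policy list.
$approved = @(
    'Microsoft Visual C++*',   # wildcard: any VC++ redistributable
    'Microsoft Edge*',
    'Windows Defender*'
)

function Get-InstalledSoftware {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation,
            @{n='Scope'; e={ if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'user' } else { 'machine' } }} |
        Sort-Object DisplayName, DisplayVersion -Unique
}

function Compare-WithBaseline {
    param([string[]]$Baseline = $approved)
    foreach ($app in Get-InstalledSoftware) {
        # Baseline entries are wildcard patterns matched against the display name.
        $allowed = $Baseline | Where-Object { $app.DisplayName -like $_ }
        [pscustomobject]@{
            Application = $app.DisplayName
            Version     = $app.DisplayVersion
            Publisher   = $app.Publisher
            Scope       = $app.Scope
            Location    = $app.InstallLocation
            Finding     = if ($allowed) { 'approved' } else { 'NOT IN BASELINE: discuss with administrator' }
        }
    }
}

# Full inventory as evidence, exceptions on screen.
Compare-WithBaseline | Export-Csv -NoTypeInformation -Path .\installed-software.csv
Compare-WithBaseline | Where-Object Finding -ne 'approved' | Format-Table -AutoSize
```

Applications that do not register an Uninstall entry (portable executables, scripts, anything copied into place) will not appear here, which is exactly why the inventory should be read alongside the running-process and scheduled-task reviews rather than on its own.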
Scheduled tasks can stay hidden for weeks until an administrator takes the time to view the running scheduled tasks on the host. Scheduled tasks created by malicious or unknowing sources could damage host or network resources.
Note that the default schtasks listing does not show you what a task is really going to do: it prints only the task name, next run time, and status, and the name is free-form text chosen by whoever created the task, so an attacker can call a task anything. This being said, there is a way to view tasks from the command line using schtasks.

```
C:\> schtasks

TaskName                             Next Run Time          Status
------------------------------------ ---------------------- -----------
Malicious Task                       12:27:00 PM, 5/19/2006
```

Note that running the old AT command on this server does not list Malicious Task: AT shows only jobs created through the AT interface, not tasks created with schtasks or the Scheduled Tasks folder, so get in the habit of using schtasks to view tasks. To understand in depth exactly what each task does, ask for the verbose listing, schtasks /query /v /fo LIST, which includes the Task To Run command line along with the Run As User and Author fields, or open the properties of each task independently: go to Start | Control Panel | Scheduled Tasks, right-click each task, and click "Properties" in the popup menu. From there, you also can see the target file and review several other settings.
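The review described above can be scripted so that every task is listed with what it actually executes rather than with its chosen name. The PowerShell below is an added example, not from the book; it assumes Windows 8 / Server 2012 or later (the ScheduledTasks module) and treats the Windows and Program Files trees as the expected locations for task executables, which is a heuristic of mine and not a rule from the text.

```powershell
# Added example, not from the book. Lists what each scheduled task actually runs
# (executable and arguments), who it runs as and who created it, and flags
# actions whose executable is not under the Windows or Program Files trees.
# Requires Windows 8 / Server 2012+ (ScheduledTasks module); on older systems
# use: schtasks /query /v /fo LIST
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }   # drop an empty ProgramFiles(x86) on 32-bit hosts

function Get-TaskActionReport {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in @($task.Actions)) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # COM-handler and e-mail actions carry no executable
            $path    = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
            $rooted  = [IO.Path]::IsPathRooted($path)
            $trusted = $rooted -and ($trustedRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
            $flag = if (-not $rooted)      { 'REVIEW: bare name, resolved through PATH' }
                    elseif (-not $trusted) { 'REVIEW: executable outside Windows/Program Files' }
                    else                   { '' }
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                State     = $task.State
                RunAs     = $task.Principal.UserId
                RunLevel  = $task.Principal.RunLevel
                Author    = $task.Author
                Execute   = $path
                Arguments = $action.Arguments
                Flag      = $flag
            }
        }
    }
}

Get-TaskActionReport | Export-Csv -NoTypeInformation -Path .\scheduled-tasks.csv
Get-TaskActionReport | Where-Object Flag | Format-Table Task, RunAs, Execute, Arguments, Flag -AutoSize
```

The location test is only a first filter: a user-writable directory under the Windows tree would still pass it, and a legitimate, signed binary in a trusted directory (cmd.exe, powershell.exe, rundll32.exe) can be given attacker-controlled arguments, so read the Arguments column for every task that runs as SYSTEM or with RunLevel Highest, not just the flagged ones.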