
Modern worms such as Nimda and CodeRed are blended threats that use multiple propagation methods and exploits to spread rapidly. Such worms infect one computer, then from that system attack others, so a seemingly unimportant computer that becomes infected can easily cause damage to more important machines. Therefore, you need to protect every computer on your network—not only systems with crucial information or processes. In addition to virus scanning and border firewalls, you need to implement layers of defense at each workstation and server.

It's only a matter of time before the next big worm hits, but you can take steps now to prepare your Windows 2000 systems to resist it. The following eight tips can help you protect workstations and servers behind the firewall. Sound like a lot of work? Don't worry—you can use nifty built-in Win2K tools such as Group Policy, IP Security (IPSec), and startup scripts to automate much of the process.

1. Disable Unused Services
One way in which Nimda spreads is by looking for servers and workstations running Microsoft IIS, then using an IIS bug to infect those computers. Disabling all unneeded services and features is the most effective way to protect systems against future threats. How many computers on your network truly need to run IIS, and exactly which services within IIS (e.g., FTP, SMTP, Network News Transfer Protocol—NNTP) are necessary on even those systems? Nimda attacks the WWW service (aka the World Wide Web Publishing Service), but who's to say the next worm won't attack a vulnerability in Telnet? I recommend you disable the following services by default on workstations and servers: ClipBook, FTP Publishing, IIS Admin, Indexing, Internet Connection Sharing (ICS), NetMeeting Remote Desktop Sharing, NNTP, Remote Registry, Routing and Remote Access, Simple TCP/IP, SMTP, Telnet, Terminal Services, World Wide Web Publishing Service, and Windows Media Services (WMS). For more information about the potential problems related to these services, see my three-part Web-exclusive series "Dangerous Services," http://www.secadministrator.com, InstantDoc ID 16301, InstantDoc ID 16363, and InstantDoc ID 16476. For more information about Win2K Server services in general, see Jordan Ayala, "Win2K Server Services, Part 1," November 2001, InstantDoc ID 22541, and "Win2K Server Services, Part 2," November 15, 2001, InstantDoc ID 22762.

Even when your default installation image excludes the services that you want to disable, users can easily install such services without your knowledge after you've deployed a computer. Consider editing the Default Domain Policy Group Policy Object (GPO) to disable the services by default. See the Web-exclusive sidebar "Disabling Services by Default," http://www.winnetmag.com, InstantDoc ID 26394, for instructions. Be aware that when you edit a GPO to disable or enable services, Win2K populates the GPO with the services it finds on the computer from which you're working. Therefore, edit the GPO from a computer that already has all the relevant services installed.

What about computers that need to access one or more disabled services? For example, what about workstations that need to access the IIS WWW service for use with Microsoft FrontPage? You can create exception GPOs that enable appropriate services for the computers that need them. See the Web-exclusive sidebar "Enabling Disabled Services on Certain Systems," http://www.winnetmag.com, InstantDoc ID 26392, for details.
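As an added check (not part of the article), the batch script below reports which of the services listed above are currently running on a Win2K computer, so you can spot systems where a user has reinstalled something the GPO was meant to keep off. It assumes the service display names that `net start` prints contain the names used above (e.g. "Simple TCP/IP Services", "Remote Registry Service").

```batch
@echo off
rem Added audit example, not from the article: list the services the article
rem recommends disabling that are currently running on this computer.
rem "net start" prints the display names of running services only, so each
rem name below is matched as a case-insensitive substring of that output.
setlocal
set LIST=%TEMP%\running-services.txt
set FOUND=0
net start > "%LIST%"

for %%S in (
  "ClipBook" "FTP Publishing" "IIS Admin" "Indexing"
  "Internet Connection Sharing" "NetMeeting Remote Desktop Sharing"
  "NNTP" "Remote Registry" "Routing and Remote Access" "Simple TCP/IP"
  "SMTP" "Telnet" "Terminal Services" "World Wide Web Publishing"
  "Windows Media"
) do (
  rem find returns errorlevel 0 when the substring is present
  find /i %%S "%LIST%" >nul
  if not errorlevel 1 (
    echo RUNNING: %%~S
    set FOUND=1
  )
)

del "%LIST%"
if "%FOUND%"=="0" echo None of the listed services is running.
rem Exit code 1 means at least one listed service is running, so the script
rem can be used from a startup script or monitoring job that logs the result.
exit /b %FOUND%
```

A service that is installed but stopped is not shown by `net start`; the GPO setting, not this check, is what keeps it from starting.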

2. Lock Down IIS
CodeRed relied on IIS's support for the Internet Printing Protocol (IPP). I don't know anyone who uses IPP, but IIS's script mappings (aka Internet Server API—ISAPI—filters, application mappings, or ISAPI mappings) enable it by default. For those computers on which you need to install IIS, bear in mind that most IIS exploits depend on features that users typically don't need. You can and should disable such features on most Web servers, and Microsoft provides a great tool to automate the process: the IIS Lockdown Wizard. The wizard installs the IIS Lockdown Tool, which disables unneeded features such as script mappings, removes sample files and directories, removes unneeded services such as WWW Distributed Authoring and Versioning (WebDAV), and strengthens default permissions. The wizard also installs URLScan, an ISAPI filter that looks for and blocks suspicious content in URL requests. (For more information about URLScan, see "Protect Your IIS Server with URLScan," http://www.windowswebsolutions.com, InstantDoc ID 25230, and "Deploy URLScan to Protect Your IIS Server," InstantDoc ID 25581.)

To take advantage of the IIS Lockdown Wizard, download iislockd.exe from http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/locktool.asp. Run

iislockd.exe /q /c /t:c:\iislockd

to unpack the wizard's files to the C:\iislockd folder. The iislockd.chm file contains the wizard's documentation. When you have many IIS computers to lock down, consider running the wizard in unattended mode, which the file runlockdunattended.doc documents. To run the wizard on all the computers in an Active Directory (AD) group, you can configure a startup script in a GPO. For example, you can use a startup script in the FrontPageWorkstationsPolicies GPO to run the wizard on all the systems in the sample FrontPageWorkstations group. Win2K automatically runs startup scripts each time a computer reboots, so you need to add some special logic to prevent the wizard from rerunning each time the computers reboot.

To configure the sample startup script, edit C:\iislockd\iislockd.ini in Notepad or another text editor. Set the UnattendedServerType option to the server template you want to use. (A server template defines the options to enable or disable according to how you're using IIS. For example, you don't want to disable certain features if you use FrontPage. The iislockd.ini file contains 14 server templates, matching common types of IIS servers, after the [Info] section. Each template begins with the template's name in brackets, followed by a longer label name and the template options.) For our example, set UnattendedServerType to frontpage, as follows: UnattendedServerType=frontpage. Set Unattended=TRUE and save the file.
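The startup script below is an added example (not the article's own script) of the "special logic" described above: it runs the wizard unattended once per computer and records a marker file so later reboots skip it. It assumes the unpacked wizard folder, including the edited iislockd.ini, sits on a share readable by the computer accounts (startup scripts run as LocalSystem), that iislockd.exe reads iislockd.ini from its own folder when started without arguments, and that it returns exit code 0 on success; the share path and file names are placeholders.

```batch
@echo off
rem Added example, not from the article: GPO startup script that applies the
rem IIS Lockdown Wizard unattended exactly once on each computer.
rem Assumptions: \\fileserver\deploy\iislockd (placeholder) holds the unpacked
rem wizard with iislockd.ini already set to Unattended=TRUE and
rem UnattendedServerType=frontpage; iislockd.exe reads that .ini from its own
rem folder and exits with 0 on success.
setlocal
set SRC=\\fileserver\deploy\iislockd
set DEST=%SystemDrive%\iislockd
set MARKER=%SystemRoot%\iislockd.done
set LOG=%SystemRoot%\iislockd-startup.log

rem Run-once guard: the marker is written only after a successful run.
if exist "%MARKER%" goto :eof

rem Only computers that actually have IIS installed need the lockdown;
rem inetinfo.exe is present whenever IIS is installed, running or not.
if not exist "%SystemRoot%\system32\inetsrv\inetinfo.exe" (
  echo %DATE% %TIME% IIS not installed, nothing to lock down>> "%LOG%"
  goto :eof
)

rem Copy the prepared wizard folder locally so the run does not depend on
rem the share staying reachable while the wizard reconfigures IIS.
xcopy "%SRC%" "%DEST%\" /e /i /y >nul
if errorlevel 1 (
  echo %DATE% %TIME% copy from %SRC% failed>> "%LOG%"
  goto :eof
)

"%DEST%\iislockd.exe"
set RC=%ERRORLEVEL%
echo %DATE% %TIME% iislockd.exe exit code %RC%>> "%LOG%"

rem Only a successful run sets the marker; a failed run is retried at the
rem next reboot and leaves its exit code in the log for follow-up.
if "%RC%"=="0" echo applied %DATE% %TIME%> "%MARKER%"
```

Deleting the marker file on a computer forces the lockdown to run again at the next reboot, which is handy after IIS has been reinstalled.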
