Windows NT/2000 Security Tools/Patches
by Ryan Smith
With the recent outbreak of wide-scale "viruses" such as Code-Red and NIMDA that attack known vulnerabilities of Windows NT 4.0 and Windows 2000 it seemed appropriate to write an article on security tools/patches for Windows NT/2000.With the recent outbreak of wide-scale 'viruses' such as Code-Red and NIMDA that attack known vulnerabilities of Windows NT 4.0 and Windows 2000 it seemed appropriate to write an article on security tools/patches for Windows NT/2000
Security patches are designed to eliminate security holes in Microsoft's applications. Security patches are typically considered mandatory to apply since they can resolve known vulnerabilities. In 2000, Microsoft released approximately 100 security patches for their products. So far, in 2001 they have released 53 security patches.
Over the past few months, Microsoft has released many new tools and updated information related to security patches and provided very valuable information for a system administrator to ensure that his/her responsible systems are kept as up to date as possible.
Severity Rating System
Microsoft recently released a Security Bulletin Severity Rating System that allows administrators to quickly look at a new security patch and see how affected their systems would be. The new rating system is grouped by system environment and then by severity rating. System environment is basically three different classes, Internet-facing server, Internal server and Client system. Severity ratings are classified as Critical, Moderate and Low. Using this rating system, you can determine how rapidly you need to react to a new security patch that is released.
The following table from Microsoft summarizes the severity rating system by severity level and system environment.
|Internet-facing Servers||Web site defacement, denial of service or full control||Difficult to exploit, unusual configuration, or transient effect||Limited impact such as disclosure of scripts|
|Internal Servers||Elevation of privilege, data disclosure, or modification. Auditing difficult||Auditable data disclosure, modification, or denial of service||Untargeted or fragmentary data theft or modification, limited denial of service|
|Client Systems||Run arbitrary code without user action; remote escalation of privilege||Local escalation of privilege; untargeted data disclosure or denial of service; exploitation of user actions||Limited or fragmentary data theft or modification; hostile web site attacks|
URLScan Security Tool
URLScan allows a system administrator to check the security of their IIS servers. URLScan screens all inbound requests to the IIS server and filters them based on pre-configured rules which ensures that the server only responds to valid requests. URLScan is very flexible since the administrator has the capability to add new rules to customize it to your needs.
The downside of this very powerful tool is that it's relatively complex and should only be used by experienced administrators. Unfortunately, it's entirely too simple to filter out your valid requests to your IIS server and shut it down to incoming requests completely. But if you are an experienced IIS administrator, URLScan should be loaded on all of your IIS servers without hesitation.
Microsoft Personal Security Advisor
Microsoft Personal Security Advisor is web based application that can assist you in securing your Windows NT 4.0 and/or Windows 2000 PC. The Personal Security Advisor can scan your NT 4.0/2000 PC through the Internet and build a custom report of your computer's security settings. In addition to the reporting, it will also provide recommendations for improvement. The Personal Security Advisor includes items such as: missing security patches, weak passwords, Internet Explorer and Outlook Express security settings, and Office macro protection settings. When Personal Security Advisor finds an area for improvement, it provides additional information about the issue. When you correct the problem area you can simply run the Personal Security Advisor again and see the updated information.
The downside of Personal Security Advisor is two-fold. First, it's not designed for NT 4.0 Server or Windows 2000 Server, it only works with NT 4.0 Workstation and Windows 2000 Professional. Second, Personal Security Advisor is designed to scan the system that you are physically running it at. It's impractical to run if you've got dozens or hundreds of Windows NT/2000 systems to scan. That's where the next tool comes in.
HFNetChk Security Tool
HFNetChk is a command-line tool that enables an administrator to check the patch status of all the machines in a network from a central location. The tool does this by referring to an XML database that's constantly updated by Microsoft. HFNetChk can be run on Windows NT 4.0 or Windows 2000 systems, and will scan either the local system or remote ones for patches available for Windows NT 4.0, Windows 2000 Internet Information Server 4.0 and 5.0, SQL Server 7.0 and 2000 and Internet Explorer 5.01 and later.
HFNetChk can also be automated. For example, I'm running HFNetChk in an AT scheduled batch file that performs a system scan of all of the NT/2000 systems in our domain and then sends the results to me via e-mail. I use the command line SMTP application BLAT to send the e-mail. BLAT can be found via a Google search. If you're going to schedule the HFNetChk process, and you have end-users running NT/2000 on their desktops, make sure that you schedule the scan to run during the day when the user's PC's are powered on. If the PC isn't on, obviously HFNetChk won't be able to scan it.
hfnetchk -v -z -d domain-name > temp.txt
Blat temp.txt -subject "Today's HFNetCheck File" -to e-mail-address
With all of the recent releases from Microsoft in the area of system security, it's obvious that this is a very big priority for them. That's a very good thing. System security needs to be a very big priority for every system administrator as well, regardless if you have 2 servers or 2,000 servers.Ryan Smith