How to find and remove unused services (or secure them)


Peter Wood, Contributor
11.05.2009


A typical Windows or Unix server frequently runs a large number of services -- often enough to discourage a network admin with too little time and too few resources from determining which are needed and which are redundant. As a result, these unused (and often vulnerable) services provide a number of opportunities for an attacker to gain access to an otherwise secure server or workstation.

For instance, on Compaq (and now Hewlett-Packard Co.) servers, there's an interesting server and infrastructure management service called Compaq Insight Manager (or, more recently, HP Systems Insight Manager). This service is sometimes poorly configured, either because manufacturer default credentials remain unchanged, or because busy administrators fail to understand the importance of choosing difficult-to-guess passwords. A Web browser interface to this service, in fact, can often be found on TCP ports 2301 and 2381. Older versions have a default administrator password of "administrator," permitting an unauthorised user to gain control of a server remotely, read or alter the SNMP strings (thus defeating any hardening of SNMP that may have been implemented) and even power down a server.

Another example of a potentially unused service is Internet Information Server (IIS), which is installed by default on many Windows servers. Since it's a huge job to patch every Windows system in a corporate network, an understaffed or overburdened organisation's focus is typically on Internet-facing devices. This leaves unpatched servers (and sometimes workstations) vulnerable to a significant number of IIS vulnerabilities, which provide attackers with administrative access, and thus the ability to install a Trojan or rootkit that can subsequently harvest all the data they want.

In many sites that my firm has tested, it's common to have business systems running on Unix operating systems whilst the majority of in-house staff's technical expertise is on Windows systems. As a result, these Unix systems are sometimes remotely administered by the third parties who supplied the business application. Unfortunately, the third parties are not always motivated to install the latest patches or to harden the operating system configuration. This results in a variety of older services being ripe for exploitation, often on business-critical systems running finance applications.

For these reasons, it's imperative to properly secure or remove unused or unpatched services after they are identified. This need can be addressed by the selective and careful use of one of many commonly available vulnerability scanners. Nessus remains one of the most popular free scanners and provides a good overview of an enterprise's network exposure by highlighting missing patches and out-of-date software, and by listing all the services running on each device. Inexperienced users should ensure they understand how their scanner works and which of its many settings are appropriate for their environment. Occasionally, overzealous administrators have been known to cause system outages and even crashes by running improperly configured vulnerability scanners. Alternatively, an occasional visit by a third party to conduct a vulnerability assessment and penetration test can be cost-effective, especially where the IT department is already over-stretched or may not have the necessary security skills to interpret a scanner's results accurately.
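
One way to turn a per-host list of running services into a short review list, as an added example that is not part of the original article: it parses `ss -H -tlnp` output from a Linux host and reports every listener missing from an approved baseline. The sample lines, the process names and the `APPROVED` baseline are constructed assumptions.

```python
import re

# Constructed sample of `ss -H -tlnp` output; process names are illustrative.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1044,fd=4))
LISTEN 0 128 *:2381 *:* users:(("mgmt-agent",pid=1390,fd=6))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=990,fd=13))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 5 [::1]:631 [::]:* users:(("cupsd",pid=701,fd=7))
"""

# Assumed baseline: (port, process) pairs the system owner has confirmed are needed.
APPROVED = {(22, "sshd"), (25, "master")}

# Ports the article names for the Insight Manager web interface.
REVIEW_FIRST = {2301: "Insight Manager web interface: check default credentials",
                2381: "Insight Manager web interface: check default credentials"}

LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?')

def parse_listeners(text):
    """Return one dict per listening TCP socket found in ss output."""
    listeners = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        addr = m.group(1).strip("[]")          # "[::1]" -> "::1"
        loopback = addr.startswith("127.") or addr == "::1"
        listeners.append({"port": int(m.group(2)), "proc": m.group(3) or "unknown",
                          "exposed": not loopback})
    return listeners

def audit(text, approved):
    """List services outside the baseline, network-reachable ones first."""
    services = {}
    for l in parse_listeners(text):
        key = (l["port"], l["proc"])
        # IPv4 and IPv6 sockets of one service collapse into a single entry.
        services[key] = services.get(key, False) or l["exposed"]
    findings = [{"port": p, "proc": n, "exposed": e, "note": REVIEW_FIRST.get(p, "")}
                for (p, n), e in services.items() if (p, n) not in approved]
    return sorted(findings, key=lambda f: (not f["exposed"], f["port"]))

if __name__ == "__main__":
    for f in audit(SAMPLE_SS, APPROVED):
        scope = "network" if f["exposed"] else "loopback only"
        print(f'{f["port"]:>5}  {f["proc"]:<12} {scope:<14} {f["note"]}')
```

Each finding is a decision for the system owner: remove the service, or patch and secure it and add it to the baseline.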

About the author:
Peter Wood is Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK. He is a world-renowned security evangelist, speaking at conferences and seminars on ethical hacking techniques and social engineering. He has appeared in documentaries for BBC television, provided commentary on security issues for TV and radio and written many articles on a variety of security topics. He has also been rated the British Computer Society's number one speaker.

All Rights Reserved, Copyright 2009 - 2010, TechTarget | Read our Privacy Policy