How Windows servers get hacked


Kevin Beaver, CISSP
12.10.2009

When we hear the word hacking we often think of some complex and mysterious art that only a select few people in the world have the expertise to perform. This is a misconception, however, and it's one of the great contributors to the hacking going on today.

Server hacking doesn't have to be that complex and, in reality, it often isn't. Sure, the propeller head hackers will flaunt their "mad skillz," but these really aren't the guys we need to worry about. Instead, it's usually the people with lesser skills combined with patient determination that'll cause the most problems. In fact, these people are on the inside of many networks this very moment, seeking out vulnerabilities that can be exploited for ill-gotten gains.

When it comes to keeping Windows servers protected from intrusion, I'm a strong believer in focusing on the low-hanging fruit first. Remember, it's the basic security weaknesses that'll get you every time. In a previous tip, I outlined some of the common causes of Windows server security vulnerabilities. Now, let's take a look at two common exploits I see in Windows servers and how they're actually carried out.

Missing patches that lead to remote command prompts
As simplistic (and boring) as patching can be, you'd think most Windows servers would be somewhat up-to-date on patches. Unfortunately, that's often not the case. Inconsistent patch management is one of the greatest contributors to Windows server weaknesses.

Here's how the bad guys carry out their attacks against unpatched Windows servers:

  1. Attackers run a free vulnerability scanner from outside or -- more commonly -- inside the network and find a missing patch.
  2. Attackers confirm that the vulnerability can be exploited using the free Metasploit tool.
  3. Attackers launch Metasploit and obtain a remote command prompt.
  4. Attackers set up a backdoor user account and add themselves to the local administrators group.
  5. Attackers have full access to the system (local login, remote desktop, VPN, etc.) and odds are in their favor that no one will ever notice.
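Step 4 of that sequence (a new account appearing and being dropped into the local Administrators group) leaves a distinct trail in the Windows Security log, which is the defender's chance to notice. The following PowerShell is an added example, not code from the original tip; it correlates event 4720 (user account created) with a following 4732 (member added to a security-enabled local group) whose target group is BUILTIN\Administrators (well-known SID S-1-5-32-544). The function names, the sample account name and the SIDs in the sample data are constructed for illustration.

```powershell
# Added example, not code from the original article. Correlates two Windows
# Security events: 4720 (a user account was created) followed by 4732 (a member
# was added to a security-enabled local group) where the group is
# BUILTIN\Administrators (well-known SID S-1-5-32-544). Both events are only
# written if the "Audit User Account Management" and "Audit Security Group
# Management" subcategories are enabled (auditpol /get /category:"Account Management").

$LocalAdminsSid = 'S-1-5-32-544'

# Flatten an EventLogRecord into the few EventData fields the correlation needs.
# 4720 carries the new account in TargetUserName/TargetSid; 4732 carries the
# group in TargetUserName/TargetSid and the added member in MemberName/MemberSid.
# MemberName is often "-" for local accounts, so the join is done on the SID.
function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id              = $Record.Id
            TimeCreated     = $Record.TimeCreated
            SubjectUserName = $data['SubjectUserName']
            TargetUserName  = $data['TargetUserName']
            TargetSid       = $data['TargetSid']
            MemberName      = $data['MemberName']
            MemberSid       = $data['MemberSid']
        }
    }
}

# Emit one finding per account that was created and then placed into the local
# Administrators group within $WindowMinutes of its creation.
function Find-NewLocalAdminBackdoors {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects shaped like ConvertFrom-SecurityEvent output
        [int] $WindowMinutes = 60
    )
    $created = @{}   # new-account SID -> @{ Name; At }
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        switch ([int]$e.Id) {
            4720 {
                $created[$e.TargetSid] = @{ Name = $e.TargetUserName; At = $e.TimeCreated }
            }
            4732 {
                if ($e.TargetSid -eq $LocalAdminsSid -and $created.ContainsKey($e.MemberSid)) {
                    $c = $created[$e.MemberSid]
                    if (($e.TimeCreated - $c.At).TotalMinutes -le $WindowMinutes) {
                        [pscustomobject]@{
                            Account       = $c.Name
                            CreatedAt     = $c.At
                            MadeAdminAt   = $e.TimeCreated
                            ActingAccount = $e.SubjectUserName
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample events (hypothetical names and SIDs) standing in for
# Get-WinEvent output so the correlation can be exercised offline.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4720; TimeCreated = [datetime]'2009-12-10T02:14:05'; SubjectUserName = 'jsmith'
                       TargetUserName = 'svc_backup2'; TargetSid = 'S-1-5-21-1111-2222-3333-1105'; MemberName = $null; MemberSid = $null }
    [pscustomobject]@{ Id = 4732; TimeCreated = [datetime]'2009-12-10T02:14:40'; SubjectUserName = 'jsmith'
                       TargetUserName = 'Administrators'; TargetSid = 'S-1-5-32-544'; MemberName = '-'; MemberSid = 'S-1-5-21-1111-2222-3333-1105' }
    # Benign: an account added to Remote Desktop Users (S-1-5-32-555), not Administrators.
    [pscustomobject]@{ Id = 4732; TimeCreated = [datetime]'2009-12-10T09:30:00'; SubjectUserName = 'helpdesk'
                       TargetUserName = 'Remote Desktop Users'; TargetSid = 'S-1-5-32-555'; MemberName = '-'; MemberSid = 'S-1-5-21-1111-2222-3333-1200' }
)

Find-NewLocalAdminBackdoors -Events $SampleEvents | Format-Table -AutoSize

# Live use against the local Security log for the last seven days (run elevated):
# Find-NewLocalAdminBackdoors -Events (
#     Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-7) } |
#     ConvertFrom-SecurityEvent)
```

On the sample data only svc_backup2 is reported: it was created and made a local administrator 35 seconds later by the same acting account. The Remote Desktop Users addition is ignored because its TargetSid is not S-1-5-32-544. Running this on a schedule against the Security log, or feeding the same two event IDs into a central log collector, turns step 4 from something "no one will ever notice" into an alert.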

Unsecured network shares that lead to unauthorized file access
Sharing files on the network is one of the basic functionalities of Windows servers. Unfortunately, it's also the Achilles heel that facilitates unauthorized access by otherwise "trusted" users. Boredom, curiosity and revenge sometimes find their way into the scenario of an employee clicking around in Windows Explorer and stumbling across sensitive information he or she should not be able to access.

Here's how the bad guys carry out their attacks against unsecured Windows shares:

  1. Attackers run a free share scanner tool such as GFI LANguard inside the network and find numerous shares on Windows servers – many of which happen to have Full Control granted to the Everyone group.
  2. Attackers click through the shares to see what they can find.
  3. Attackers may stumble across some sensitive information or, better yet, download and install a free text search tool like FileLocator Pro.
  4. Attackers plug some keywords in the text search tool that signify sensitive information such as "password", "SSN", or "confidential", and off it goes.
  5. Attackers find Microsoft Excel spreadsheets, Word documents, PDF files, and databases chock full of sensitive employee and customer information that can be used for illicit purposes. Once again, chances are no one will ever notice.
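The first step of this sequence, shares with Full Control granted to Everyone, can be found by the server owner before anyone else does. The PowerShell below is an added example, not code from the original tip; it audits share-level ACLs for Allow entries that give broad principals Full or Change access, and checks the NTFS ACL on a share's path as well, because the effective permission is the more restrictive of the two (a share-level Everyone/Full entry is harmless only if NTFS is tight). The function names, the list of "broad" principals and the sample share data are assumptions made for illustration; Get-SmbShare and Get-SmbShareAccess are the real cmdlets from the SmbShare module (Windows Server 2012 and later).

```powershell
# Added example, not code from the original article. Audits share-level ACLs for
# Allow entries that hand Full or Change access to broad principals, then
# (optionally) checks the NTFS ACL on the share path, since the effective
# permission is the more restrictive of the two.

# Principals that effectively mean "anyone on the network" (assumed list; extend for your domain).
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Test-BroadPrincipal {
    param([string] $Account)
    ($BroadPrincipals -contains $Account) -or ($Account -like '*\Domain Users')
}

# $ShareAces: objects shaped like Get-SmbShareAccess output
# (Name, AccountName, AccessControlType, AccessRight).
function Find-OverlyPermissiveShares {
    param([Parameter(Mandatory)] [object[]] $ShareAces)
    foreach ($ace in $ShareAces) {
        if ((Test-BroadPrincipal $ace.AccountName) -and
            $ace.AccessControlType -eq 'Allow' -and
            "$($ace.AccessRight)" -in @('Full', 'Change')) {
            [pscustomobject]@{ Share = $ace.Name; Principal = $ace.AccountName; ShareRight = $ace.AccessRight }
        }
    }
}

# NTFS side: flag Allow rules that give write-capable rights to broad principals.
function Find-BroadNtfsGrants {
    param([Parameter(Mandatory)] [string] $Path)
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        $who = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $who) -and
            "$($rule.FileSystemRights)" -match 'FullControl|Modify|Write') {
            [pscustomobject]@{ Path = $Path; Principal = $who; NtfsRights = $rule.FileSystemRights }
        }
    }
}

# Constructed sample (hypothetical share names and groups) standing in for
# Get-SmbShareAccess output so the share check can be exercised offline.
$SampleAces = @(
    [pscustomobject]@{ Name = 'HR';      AccountName = 'Everyone';                         AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'HR';      AccountName = 'CORP\HR-Staff';                    AccessControlType = 'Allow'; AccessRight = 'Change' }
    [pscustomobject]@{ Name = 'Public';  AccountName = 'NT AUTHORITY\Authenticated Users'; AccessControlType = 'Allow'; AccessRight = 'Read' }
    [pscustomobject]@{ Name = 'Finance'; AccountName = 'CORP\Domain Users';                AccessControlType = 'Allow'; AccessRight = 'Change' }
)

Find-OverlyPermissiveShares -ShareAces $SampleAces | Format-Table -AutoSize

# Live use on a file server (run elevated). Special excludes the C$/ADMIN$/IPC$ shares.
# $shares = Get-SmbShare | Where-Object { -not $_.Special }
# Find-OverlyPermissiveShares -ShareAces ($shares | Get-SmbShareAccess)
# $shares | ForEach-Object { Find-BroadNtfsGrants -Path $_.Path }
```

On the sample data the HR share (Everyone, Full) and the Finance share (Domain Users, Change) are flagged; the HR-Staff entry and the read-only Public entry are not. A share that shows up in both the share-level and the NTFS report is one that any authenticated user can read and write, which is exactly what a keyword search across the file server is looking for.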

With enough "sticktuitiveness" an attacker can find missing/simple passwords on Windows servers, weak SQL Server configurations, IIS-based servers configured to share entire drives out via anonymous FTP, and much more. If physical access is possible (which is often the case in smaller businesses), attackers can reboot Windows servers and bring them up using a live CD containing Ophcrack or Elcomsoft System Recovery. They can then gain full access to all user accounts and passwords, including the Active Directory database file ntds.dit. The entire Windows environment is "0wned" and, yet again, odds are in the attacker's favor that no one will ever notice.

Be it an external hacker or malicious insider, it's likely that there are weaknesses on your Windows servers waiting to be exploited. Given enough time, they very well could be. Your mission is to seek out what's vulnerable and plug the holes before the bad guys beat you to the punch.

Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.
