RE: IIS on 443 replaced by serv-u
From: Eddie Bowers [MSFT] (eddieb_at_online.microsoft.com)
Date: 05/14/04
- Next message: Roopesh K K: "RE: IWAM Account"
- Previous message: Aaron: "Password expiration notification"
- In reply to: Andrea: "IIS on 443 replaced by serv-u"
- Next in thread: Karl Levinson [x y] mvp: "Re: IIS on 443 replaced by serv-u"
- Reply: Karl Levinson [x y] mvp: "Re: IIS on 443 replaced by serv-u"
- Reply: Karl Levinson [x y] mvp: "Re: IIS on 443 replaced by serv-u"
- Reply: Alun Jones [MS MVP - Security]: "RE: IIS on 443 replaced by serv-u"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 14 May 2004 20:33:24 GMT
It sounds like your system was compromised before installing the patch.
Since this is a test machine, you should really take the safe route and
rebuild.
Serv-U FTP may only be one of many backdoors placed on your system.
Steps to rebuild your environment:
1. If possible re-build your servers using a fully patched slip-streamed
share. More information on creating slip-streamed installs of Windows can
be found here:
http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/HFDeploy.htm#installing_windows_2000_with_hotfixes_ykot
http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/hfdeploy.asp#the_combination_installation_gxsi
Patch Management Info:
http://www.microsoft.com/security/whitepapers/patch_management.asp
Patch Management Web site:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/patch/default.asp
Download the Security Patch Management Guide:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=73AC38B7-5826-421D-99E8-CDCC608B8992
2. If you can't re-build from a slip-streamed source (i.e. you will be
booting off the installation CD) the risk is that you will get infected
from a network based worm before you can connect to the Windows Update web
site to download critical service packs and patches or if the machine is
connected to the Internet the risk is that it will be infected by a worm or
attacked / exploited by a determined attacker.
For this reason we recommend that you either build AND fully patch the
system while the network cable is unplugged (i.e. burn Windows 2000 SP4+
all post-sp4 critical updates to CD) or build it from a known good VLAN /
subnet that is isolated from the rest of your network so that you don't get
infected with Code Red / Nimda / Blaster / Slammer / Nachi etc. :(
Unfortunately even Windows 2003 Server is vulnerable to network based
attacks and will need to be patched immediately.
Windows 2003 does offer the Internet Connection firewall however it's not
enabled by default and you could get infected on the network before you get
a chance to login as administrator for the first time and enable it. When
building Windows 2003 servers though you CAN leave the network cable
un-plugged, log-in for the first time as administrator and enable ICF on
the adapter and then plug the cable in - this will protect you while you
connect to the Internet to download patches.
It's important to note that not all security patches are offered by the
Windows Update web site. Only core operating system security patches are
offered by Windows Update; other products like SQL, FrontPage, Commerce
Server, etc. will not be offered by Windows Update and for this reason you
should visit
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp
and browse for security patches based on products you have
installed on top of the operating system (like SQL etc.).
3. During the build process it is absolutely imperative that you create
good / strong local administrator passwords for each machine. NOTE: Each
machine should have a different / unique local administrator password, do
NOT share them between machines.
The following guides offer good advice on how to create good strong
passwords and what the phrase 'strong password' means. If you create
strong enough administrative passwords, they will not fall victim to remote
password guessing attacks and you reduce your attack surface and worries
significantly!
http://www.microsoft.com/technet/security/readiness/content/documents/password_tips_for_administrators.doc
http://www.microsoft.com/technet/security/readiness/content/documents/password_tips_for_users.doc
4. After you've downloaded all of the security patches from Windows Update
you should scan the system using the Microsoft Baseline Security Analyzer
and address any remaining patches and security issues that need to be
addressed:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/mbsahome.asp
5. IIS servers should be hardened using the IIS Lockdown tool:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
6. You should sign up for the security bulletin notification service (hint:
We are releasing 4 new security bulletins on Tuesday):
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp
7. Finally after you've built the server and patched, it's time to harden
it so that you are not relying solely on security patches for your
security. We recommend a layered approach to security so that if one
component of your security scheme fails you are protected by others.
This final link offers links to all of our best / authoritative guidance on
hardening our enterprise operating systems:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/default.asp
Specifically these links are very useful:
- Microsoft Windows 2000 Security Hardening Guide
- Windows Server 2003 Security Guide
- Microsoft Windows XP Security Guide
- Threats and Countermeasures Guide: Security Settings in Windows Server 2003 and Windows XP
This is a lot of reading; it will probably take numerous weeks to go
through it all, but once you know it, and once you've done it, you will
be FAR more resistant to attack.
Eddie Bowers
PSS Security
eddieb@online.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights
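The symptom that started this thread (an FTP daemon answering on the port IIS should own) is something a defender can check for routinely by joining `netstat -ano` output with `tasklist /fo csv` output and comparing the owning image against a per-port allowlist. The script below is an added example written for this page, not code from Eddie's post or from Microsoft; the netstat and tasklist text is constructed sample output, and the allowlist (inetinfo.exe for IIS 5, the System process for the IIS 6 kernel listener) is an assumption you should replace with your own baseline.

```python
import csv
import io
import re

# Constructed sample of `netstat -ano` output (Windows XP/2003 format, which
# includes the PID column). Port 443 here is owned by the same PID as port 21.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1456
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1128
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1456
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output for the same machine.
TASKLIST_OUTPUT = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","220 K"
"svchost.exe","748","Console","0","4,520 K"
"inetinfo.exe","1128","Console","0","9,876 K"
"ServUDaemon.exe","1456","Console","0","3,212 K"
'''

# Hypothetical allowlist of which image names may own each web port.
# inetinfo.exe hosts IIS 5; on IIS 6 the listener belongs to System (PID 4).
EXPECTED_OWNERS = {
    80: {"inetinfo.exe", "System"},
    443: {"inetinfo.exe", "System"},
}

# Matches a TCP LISTENING row: local address, port, and the owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_text):
    """Return {port: pid} for every TCP LISTENING row in netstat -ano output."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners[int(m.group(2))] = int(m.group(3))
    return listeners


def parse_tasklist(tasklist_text):
    """Return {pid: image name} from tasklist /fo csv output."""
    reader = csv.DictReader(io.StringIO(tasklist_text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def find_unexpected_listeners(netstat_text, tasklist_text, expected=EXPECTED_OWNERS):
    """Return (port, pid, image) for allowlisted ports owned by an unexpected image."""
    listeners = parse_listeners(netstat_text)
    images = parse_tasklist(tasklist_text)
    findings = []
    for port, owners in sorted(expected.items()):
        pid = listeners.get(port)
        if pid is None:
            continue  # nothing listening on this port; not a finding here
        image = images.get(pid, "<unknown>")  # PID gone between snapshots
        if image not in owners:
            findings.append((port, pid, image))
    return findings


def find_unbaselined_ports(netstat_text, baseline_ports):
    """Return sorted listening ports that are not in the known-good baseline."""
    return sorted(p for p in parse_listeners(netstat_text) if p not in baseline_ports)


if __name__ == "__main__":
    for port, pid, image in find_unexpected_listeners(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"port {port} owned by PID {pid} ({image}) - not an expected IIS image")
    extra = find_unbaselined_ports(NETSTAT_OUTPUT, {80, 135, 139, 443})
    print("listening ports outside baseline:", extra)
```

Run it against live output by piping `netstat -ano` and `tasklist /fo csv` into files and reading them in place of the constants; the value of the check comes from keeping the allowlist and port baseline as a per-server record, so a rebuilt box can be verified against it before the network cable goes back in.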