OT- Heads Up - Sasser plug

Salutations:

I worked through a Sasser attempt on my W2K thin server prototype last week and below are basic instructions for locking down port 445 on your machine. This is only a work around and requires that you are not as yet compromised and you will/have immediately applied MS patch 835732 from this link:

formatting link
Please note that disabling port 445 may interfere with some types of DHCP ISP and LAN/WAN connections, so it is advisable to make note of the steps below in case you need to reverse this workaround. You will need a hardware firewall device to properly secure your workstation in this eventuality - but you will also need to review this alert before purchasing a unit:

formatting link
SASSER and ports 445 (TCP UDP)

A:) Confirm you are not infected using the start menu function 'run' to execute the command 'regedit'. Once your registry editor opens use Edit > Find and search for 'avserve2.exe' across the complete registry file.

Start>Run: regedit

Edit>Find: avserve2.exe

If found - update your anti-virus definitions immediately and run a complete sweep. You may then need to remove the machine from the network for professional service dependent upon your skill level regarding the registry file.

B:) Having confirmed you are not yet infected - exit registry editor and return to your main screen. Right click on the 'My Computer' icon and choose 'properties'. Click on the 'Hardware' tab and open 'Device Manager'.

Once open, choose 'view' and select 'Show Hidden Devices'. Open 'Non-Plug and Play Drivers', right click 'NetBios over Tcpip' and select 'Properties'. Finally there - choose the 'disable' option under 'Device usage' menu, press OK and reboot as indicated.

- (RC)My Computer>properties;

- Hardware>Device Manager>View>Show Hidden Devices;

- Non-Plug and Play Drivers>NetBios over Tcpip>(RC)properties;

- Device Usage: Do not use this device (disable);

- Press OK and reboot as indicated.

You may also wish to disable netbios from your network icon properties menu and TCP/IP Helper Service from your services stack if a DHCP or netBios Service error appears in your system event log.

At this point you have shut down netBios and TCP UDP port 445 completely and, as above, it may or may not impact your Internet connection and/or your home network configuration. Neither the worm nor the workaround above has impacted my node here, however as many of the older regulars will remember I have several 'special' routines built into Radio Free Dexterdyne in this regard.. :) ..

This is sort of a follow up to this post of 2003/08

formatting link
If you decide to pass this workaround out - I would greatly appreciate that you leave my sig tag below intact as feedback regarding effectiveness in other workstation environments would be appreciated.

All the usual disclaimers - Cheers and best wishes.

Reply to
Dexter J
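A read-only PowerShell check, added here and not from the original post, that mirrors steps A and B on a current Windows host: it searches the usual autostart Run keys (an assumption; the post says to search the whole registry) for avserve2.exe and reports whether anything is listening on TCP 445 together with the state of the NetBT driver. On current Windows the 445 listener belongs to the Server service rather than NetBT, so the two are reported separately.

```powershell
# Added example, not part of the original post. Read-only: it changes nothing.
# Requires the NetTCPIP module (Windows 8 / Server 2012 and later).

function Find-AvserveAutostart {
    # Common autostart locations (assumption: the post only says to search
    # the whole registry for 'avserve2.exe').
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds.
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match 'avserve2\.exe') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

function Get-Port445Status {
    # Listener on TCP 445 (SMB). No match raises a non-terminating error, hence SilentlyContinue.
    $listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    # The kernel driver behind 'NetBios over Tcpip' in Device Manager is named NetBT.
    $netbt = Get-CimInstance Win32_SystemDriver -Filter "Name='NetBT'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port445Listening = [bool]$listeners
        ListenerPids     = @($listeners | Select-Object -ExpandProperty OwningProcess -Unique)
        NetBTState       = if ($netbt) { $netbt.State } else { 'not present' }
        NetBTStartMode   = if ($netbt) { $netbt.StartMode } else { 'n/a' }
    }
}

$hits = @(Find-AvserveAutostart)
if ($hits.Count -gt 0) {
    Write-Warning "avserve2.exe autostart entry found; treat the host as infected (step A)."
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No avserve2.exe autostart entry in the checked Run keys."
}
Get-Port445Status | Format-List
```

Run it again after the Device Manager change and reboot to confirm the NetBT state actually changed; a 445 listener that remains is the Server service, which the post's workaround does not touch on current Windows.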

Hmm, tried this on my servers and ... nothing. Maybe this is yet _another_ virus that isn't compatible with Mac, Linux, or Solaris?

Darn...we never get _any_ of this fun. I'll wander over by the Widoze guys later today & see how they're doing. Seriously, though, good links & info. Is it still accurate that the patch from April would have kept someone from getting it? Keep 'em patched, folks, and backup your data.

Dave Hinz

Reply to
Dave Hinz

Well brother Hinz, it is as it turns out a bit more of a challenge to keep Windows running than most domestic Server Platforms - but I just love that swishy interior.. :) ..

Yeah, the patch noted from April 12th is indeed still current (the update of the 28th hasn't changed patch size). However it still doesn't lock down port 445 functions - it appears to simply apply some bondo to NTOSKRNL.EXE. Like Blaster/MyDoom on port 135 before it - it's really more the fact that yet another TCP UDP port is/was shipped open in the interest of attempting to make networking 'easy' for most people. And as noted in the OP - shutting them down is not without its consequences.

Here is a very interesting link regarding SMB, this one from Aug 2002.

formatting link
Don't get me wrong - I think that if MicroSoft were an automobile company - they would have been sued out of business years ago (I'm a one time OS/390 man myself). However, as you well know, the reason Windows mostly gets exploited and reported as exploited so popularly in the public press is because most wetware don't know enough to be alarmed by the Linux/Unix exploits out there.

It's what makes my Windows 2000 thin server prototype project so professionally interesting here at the end of the day actually. Three years and no fatal flatlines yet despite the shower of bastards trying to kill it off.

That said - I think even you will agree that if Linux were treated to the same lack of maintenance and popularly installed with the same lack of understanding as to the implications of operating a NIC - it would be equally hazardous and perhaps even more so given the substantially greater network power built into Linux/Unix operating systems.

I haven't been able to cost-justify a Mac infrastructure personally - I have a NG SAAB to maintain - but I must say that its current operating system is pretty interesting.

Anyway - thought I'd better kick it out there in case any of the droids are interested.

Reply to
Dexter J

Well, some of it is market share, and some of it is OS architecture. Windows is designed so the user (any user) can overwrite the system files, which is why it's easy to target. The default settings of "take me big boy" which are presented to the public internet are another problem.

Linux/Unix/Mac usually has things defaulting to a safe option (off) unless someone intentionally turns them on. One would _hope_ that if an admin turns these things on, they've got at least an idea of the implications of it, but who knows.

When the first step a virus has to do is to ask for the user to type in the root password so it can break important things, well, that limits its propagation a bit.

It's Unix. FreeBSD, specifically, with a nice GUI on top of it. I use it to prototype stuff for work fairly frequently, even though the systems there are mostly Solaris or Linux - same compilers, same tools, same procedures for nearly everything. I never considered Mac before it went to a Unix core, but they did that right about the time my 'doze98 box was being _particularly_ annoying, and my kid was just starting to get interested in computers, so we abandoned windows in favor of something that didn't involve frequent 3-finger salutes and scandisk sessions.

Good writeup. Regardless of the OS, keeping things up to date prevents most if not all problems of this nature.

Dave Hinz

Reply to
Dave Hinz

Are you saying that the Ford Tempo is just as safe as a Saab 9-5 in a crash, and that the good safety statistics of the 9-5 are just a result of fewer 9-5s on the road?

The inside and philosophy of MS Windows is quite different from most modern operating systems, and that difference shows up in how easy it is to exploit bugs.

Reply to
Goran Larsson

Have you ever looked at the timeline of patches versus exploits? It's the lack of patching (or code validation if you like) in the first place that's the real issue rather than one of exploiting bugs that were closed prior to the exploit being written.

Anyway, that's enough OT for me! :)

David.

Reply to
David Taylor

Yes, but that is another issue. The virus writers are lazy at the moment. They just wait for the next MS security fix and find out what it fixes. Much easier than looking for new security problems, and just as effective due to too many unpatched computers.

The amazing thing about MS Windows is that it seems that every security issue results in exploits that totally open up the system. I have never seen the same "openness" in other operating systems. MS Windows security is like a house of cards, a small disturbance and everything comes falling down.

Reply to
Goran Larsson

in article c78b1k$tiaq$ snipped-for-privacy@ID-134476.news.uni-berlin.de, Dave Hinz at snipped-for-privacy@spamcop.net wrote on 04/05/2004 15:57:

Someone say Mac OS? I overheard some sniffings from our network manager today about some virus or other. I turned to my Mac OS colleague and had a giggle and a gloat. I do often think Mac OS is the undiscovered OS - it offers a very high standard operating system with all the under the hood fun of UNIX ... If you want ...

In car terms, Mac OS is a SAAB. Mind you, my Mac OS colleague is an Audi driver, but he's very quick to point out that his is a real Audi, rather than some VAG hybrid thing.

I've owned a Mac since OS 8.5. This was when I was looking at building my own PC (having never actually bought one ... And still haven't!) and all the cases and setups looked like iMacs - so, I bought one. Yes, I struggled ... Until I found out that it's actually easy ... And then OS X came along and it all got so much cleaner. I never had much against OS 8/9 - they worked; they ran MS Office ... OS X runs all the good open source stuff from Mozilla through Open Office without crashing. Heck, even L**nix crashes :)

Paul

Reply to
Paul Halliday

Yup. More stable, less crashes, easier to use, and well designed.

I crashed my Mac once. In 2 years. While changing kernel parameters on the fly on a running system, in an undocumented manner (translation: I deserved it). It's actually quite a good analogy to compare Mac to a Saab.

Dave

Reply to
Dave Hinz

in article c78ue4$13nte$ snipped-for-privacy@ID-134476.news.uni-berlin.de, Dave Hinz at snipped-for-privacy@spamcop.net wrote on 04/05/2004 21:28:

I had a crash just after upgrading OS 8.6 to 9.0 - it was a green screen that took up the space equivalent of 640x480 on a 1025x768 screen. I've never seen one since.

I've also crashed one Saab ... With no damage ... The other car didn't fare so well. My current Saab suffered a lot more than my old flat nose :(

Paul

Reply to
Paul Halliday

See, but the thing is, an Apache webserver installation on a *nix or Mac, or even on a 'doze box, includes opening that port. It's scriptable, so the user doesn't even have to know they're doing it.

Can you say "buffer overflow waiting to happen"?

Still looking, eh? That '88 SPG went for rather a lot on eBay, would have done you nicely y'know. I seriously considered cashing in the 9-5 to buy it. Ah well...

Dave

Reply to
Dave Hinz

in article c79139$17eo3$ snipped-for-privacy@ID-134476.news.uni-berlin.de, Dave Hinz at snipped-for-privacy@spamcop.net wrote on 04/05/2004 22:14:

Ohhhh! Hankering for some old-fashioned Swedish metal again, eh Dave? You still got the Sonetts?

Paul

Reply to
Paul Halliday

Yup, the 9-5 is a nice car, don't get me wrong, but it's not a c900, y'know?

Oddly enough, I was in the barn this weekend working out how to get the Sonett out. I have to move the 93 out, which doesn't run, so it takes a bit of shuffling. Hopefully this weekend I'll get it out & un-mothball it. I'm sure I'll go on and on about it once that happens.

Dave

Reply to
Dave Hinz

Try RISC OS the operating system in a chip!! Not had a virus ever :-))

formatting link

Reply to
Richard Sutherland-Smith

Exactly, except that in Windows - the port is already flipping open and ticking over on install - but not being monitored or secured *unless* you install a webserver or block the port. I choose Apache naturally, which then effectively secured the port - and - it is a great way to bypass windows sharing entirely as it does a way-hey-hey better job of sharing the files and directories you actually want to share.

Pretty much every time I light up the NG900 I picked up to replace my beloved 89 9000T brother Dave.

I have got to think that somewhere in the vast southern wilderness of North America there is a late, rust free series one slant nose 5 door 5 speed with a croaked engine and a disenchanted owner. Unfortunately, I fear most of them have simply given up and don't even bother to look around for a 'Wanted - used SAAB 9000 Turbo in need of an engine' posts like mine.

Reply to
Dexter J

The basic problem is driven architecturally by the Microsoft *Business* model. It is a strategic problem, not tactical.

The issue is Microsoft's integration of the desktop into the world. That is, they want to eliminate the lines, between application, desktop, server, and the Internet. This is their goal, vision, direction and purpose. It is in fact their entire software strategy and the key to their architectural design. They want to allow any application to call any application from anywhere. Total integration of the desktop to the file system to the Internet. No walls, and (eventually) no user knowledge that there is even a difference in opening a document that is on the Internet, on the local hard drive, or on a server. OS, network, and applications merge in one homogeneous mass. Good for simple minded users, good for selling an integrated environment to the corporate clients, bad for the world.

This strategy leads to their inappropriate blending of the OS with the applications. Applications do not run in isolated spaces as they should, they run in shared spaces with no real boundaries. Security is always a patch because their architecture is not secure. The lawsuit brought against them for browser integration was correct in its goal - separate the applications from the OS - but unfortunately not only did the Judge have no insight into the vision (above) neither did those bringing the lawsuit.

As a practical example, witness the "Code Red" era problems wherein a smart invader could simply (publicly) call the IIS server, feed it a CGI call that effectively walked out of the server directories and into the OS, and do *whatever* they wanted to the server. This hole was totally inexcusable. There is no reason that an application on a web server should, ever, ever be able to get outside the web server's directories. Yet it was possible because MS wanted the server itself to be able to call any part of the OS or any application on the server without any restrictions.

As another example, look at how they did the user "security" on an IIS server - they force the administrator to set up accounts for any user who will access restricted *web* resources. This is so incredibly stupid that it's hard to find words to describe it. You have to give a user a *local* login in order to provide them with access to restricted *web only* resources. Why ? Because the MS master plan calls for a "one login" approach to all resources as part of the integration. The only way to do this was to combine your MS-domain login with your web server login. Security is never an issue for MS when it runs up against the master plan of homogeneous integration.

These are just two examples and I fear this has become a rant. So, I'll shut up now except to say that nearly every MS "problem" can be traced right back to their vision as cited above.

Reply to
-Bob-

[...]

Try Windows98SE, it's immune to these worm type viruses that work through RPC.

Reply to
Johannes H Andersen

No thanks... Been there, done that, couldn't stand the crashing. Win2k is a far more tolerable platform.

But really... what does any of this have to do with SAABs? Does the new navigation system run windoze sw? Is it riddled with Viri?

Reply to
Fred W.

An excellent and perfectly correct observation - however is it the correct conclusion?

On the mainframe planet there is but one central job processor and data repository and an almost limitless number of login shells in which user and system accounts share services and resources across a processor board grid as completely self contained session bubbles. Upon creation/login/job call - security group policy assignment determines the resources, data access and services which can be impacted by the bubble (be it machine or wetware) - which then secures the greater installation resources to the extent that the actual administrator does his or her job carefully and correctly.

'Zone security' is not as important because operational check and balance parameters allow that all currently operating sessions and data environments can be recreated in real time (literally re-inflate the bubble mold from last, or any previous, action). Anything being executed or read is subject to the approval of administrative job rules and recorded in exacting detail. Everything else can only be executed from the hollow floor room with video camera running.

In the unix universe there is no true central authority governing internode OS, processor or services security access. The router system (which works like the phone company) mostly just passes stuff around. Each node to a greater or lesser extent is either slaved to a more central administrative workstation - or more often these days - allowed to share specific resources and services remotely as dedicated machines on a filament grid. The vision being to specialize single or limited purpose workstations and processors to a given task to distribute and protect the wealth.. man..

Grid security is determined by each workstation's group inclusion and exclusion policy. More important or central workstations on the grid *should usually* maintain extremely strict policy so that it mimics MVS security modeling in effective operation. Actually - it is sometimes argued that true grid UNIX is more secure than MVS and Windows given that its distributed nature can mean that security breaches are limited to single or single groups of machines and their resources.

However - where the MVS system has an almost infinite and unbelievably granular 'back & undo' function at an administrative and operator level it is sometimes argued that despite UNIX zone distribution - a Unix breach is not quickly repairable and data loss is much more operationally impactful. Given that it is for all practical purposes impossible to ghost entire infrastructures across the fiber grid in real time - the grid hits the throughput physics wall.

The MicroSoft dimension - at least in my opinion because who the heck really knows - operates somewhere in between in that each diecast workstation on the network is designed to be a familiar port of call onto itself and/or a member of a federation of shared resources on a fiber grid - Mc-MicroSoft if you will.

It's cheap desktop *AND* network processing for the price, no matter where in the world you are - the bathroom is always on the side near the door, the food is usually identically bland and staff is bargoon until they set the service manual alight in the fryer from the boredom.

Anyway this compromise has its own upsides and downsides as befits the compromise. But thusly, it is often treated as 'cheap' by managers and owners who have been repeatedly assured that they don't have to pay real experienced System Admins to configure and maintain their systems. Mostly - 'everybody knows how to use Word' - particularly in the executive wing.

Breaking into a mainframe may let you read something you shouldn't - but they know what and you can't damage anything unless you are actually in the hollow floored room - in which case they know who you should be. Breaking into a Unix workstation the right way will allow you to read stuff you shouldn't and do damage to whatever extent the victim has rights on its grid and however creatively the grid is administered and created.

Breaking into an average MicroSoft workstation allows you to break into most other MicroSoft workstations so configured and as each service or process is another diecut from either MicroSoft or any other vendor who sells commercially compatible MicroSoft software - you can effect damage, read stuff you shouldn't *and* change a lot of things while you are in there. Then repeat the process on almost any other similar installation worldwide.

The same may be said of MAC-OS/Redhat one day - to the extent system administrators/home owners/teenagers really open the gates on the stack - for mostly the same reason.

But is this the fault of the Operating System or the System Administrator blithely following the approved cook book and software licensing model?

My workstation server has sailed through all the plagues including Code Red. I've run my W2K workstation as a permanent IP on the public Internet without resorting to a firewall for almost four years now.

Radio Free Dexterdyne is really and entirely just a set of small background services on the very computer I'm sending this missive out on. I use it all day long to build for clients and shop around for a used 9000 with a pooched engine and flog my basement crap and drone on here at alt.autos.saab.

It hasn't fallen over dead yet - though some of my brother SAAB flagellants have no doubt done so by now. Quick - someone poke Grunff before he drowns snoring in the soup tureen!.. :) ..

Anyway - I have made a point of investing the time to really understand exactly what W2K was doing on the network and what the network was trying to do to it - and then revised and/or replaced things that made me nervous before they became a problem - and it all works just great actually. It lets me know if something isn't right long before it blue screens so I can check around to see what's happening and fix it.

If you ask me, my take is that the basic Windows 2000 Operating System isn't a pig at all and the idea that people should be empowered to directly share data and resources on the open network is a really good thing - but it requires that someone give enough of a crap to look after it like any other OS. Or more rarely these silly days - actually pay someone to look after it for them.

Blaster MyDoom and Sasser Virus variants take advantage of just that. netBios over Tcpip is specifically in place so that free automated system administration works and thusly - you get what you are willing to pay for.

But because most people and businesses don't care a single fig about their computers until they flatline and take out the customer and/or tax records with them - they flip on the cruise control and doze off at the wheel while the APNIC nodes pimp out their SMTP ports and the script kiddies pillage their registry keys.

That's why everyone still feels the need to 'print stuff off' and file it brother bob.

How's that for a rant!.. :) ..

Reply to
Dexter J

Pretty good. I agree with much of what you say.

In summary, my complaint is not that MS can't be made moderately secure, but they do have some serious architectural issues with their model. WNT security was modeled on VMS - a seriously secure OS. However, MS chose to discard some vital pieces in the interest of freewheeling - witness the repeated "buffer overrun" issues. It should not be possible for this to happen in a "real" OS, but it does on all MS platforms.

Because of this freewheeling approach, MS security becomes a band aid, a front door, not an integral part of the OS's operation. This "once they're in, let 'em go wild" strategy is the root of nearly every MS security issue. I defy anyone to tell me what specific privileges to what specific modules a piece of software like (e.g. SQL Server) needs to run on my server (or even MS-word on my desktop). It isn't documented and it's too malignant to determine. You have to give it that "OK, you're in the front door, prowl the house" authority. Not good.

Oh, and, I admire your ability and dedication to running a win-server without a firewall. But, if it were me (and it is), I'd run the firewall too. The firewall has duties beyond simply trying to plug MS gaps, oversights, and intentional mis-steps.

Reply to
-Bob-
