In this era of PCI DSS and heightened audit requirements, you're likely looking at your Windows servers in a new
light – a big, bright spotlight that is.
Using specialized vulnerability scanners such as QualysGuard or GFI LANguard, you can look at your Windows servers from every perspective to find the low-hanging fruit and more obscure weaknesses that can be exploited.
But there's a dirty little secret about vulnerability scanning that vendors and auditors don't want you to know about. The fact is, many – if not most – of the findings your vulnerability scanners spit out are not as big of a deal as they're made out to be. Be it a vendor marketing trick or people trying to justify their jobs, you have to take the findings of your vulnerability scanners with a big grain of salt.
I think we're only kidding ourselves and creating more work when we look at a vulnerability scanner report and assume that just because everything looks bad that it actually is. Case in point: a client of mine was recently told by his outside auditor that all medium- and high-priority (levels 3 through 5) vulnerability scanner findings have to be remediated regardless of the situation. Seriously!?
Once a rarely-performed act requiring specialized skills, basic Windows server vulnerability scans are now a dime a dozen. Unfortunately these scans are often performed and interpreted by people who have very limited knowledge of operating systems, applications, and hacking techniques. It's sort of like a nurse interpreting the results of a CT scan or MRI and totally bypassing the expertise of a well-trained radiologist. We have to step out of this mindset that's leading to these amateurish "the sky is falling" audits, as it's really missing the big picture.
A best practice is to up the ante on the human context you bring to your Windows server security assessments. By doing so, you'll be able to:
- see what can actually be exploited – or reasonably lead to an exploit – by a malicious attacker
- find out what truly matters in your specific business environment
- determine which findings you need to focus your efforts on
Every scenario is different, but you can often count on the same vulnerabilities to create the greatest risks, as shown in Figure 1.
Figure 1. Windows server weaknesses that usually lead to trouble
- Guest and Administrator accounts not being renamed
- Exchange servers accepting plain text SMTP login credentials
- NetBIOS names being accessible over the network
- Internet Information Services (IIS) configured to use NTLM authentication
The list goes on and on. But what do these items really mean? Are they actual vulnerabilities? Are they as a high-priority as the scanners and auditors make them out to be?
The important thing is to not be fooled. If you get a negative report from a vulnerability scanner, auditor, or outside consultant/security firm, be sure to ask how and why each thing matters in your environment. You can filter out the noise by applying the following questions to each of the findings:
- Is sensitive information such as personal identifiable information (PII) or intellectual property being put at risk?
- Is a written policy or regulation being violated?
- Can the weakness lead to further system penetration?
You have to be fair about these questions and give them the attention they deserve. You'll likely find that the majority of findings don't matter all that much in the grand scheme of things.
If and when you get your Windows servers really tightened down and can justify the time, there's nothing wrong with tweaking them to come up with a clean assessment report. Just use some common sense and reasonable discretion – two things we can certainly use more of in IT these days.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. He has also authored/co-authored several books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheelsinformation security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at his website www.principlelogic.com.