Imagine a scenario where your most critical Windows servers running Exchange, SQL Server and Active Directory and the like are completely exposed to insiders running Metasploit and
You say, "No, that couldn’t happen in our environment because we keep our Windows servers patched." Well, it’s not that cut and dried.
Outside of solid full disk encryption running on workstations and zero controls on smartphones, a missing patch on a Windows server is a very predictable vulnerability. For some reason, Windows-based servers from Server 2008 R2 all the way back to Windows NT,are just not getting patched appropriately. Windows hotfixes (not service packs) dating back to 2001 can be missing from any given number of servers in my internal network vulnerability testing. It’s only a problem on Windows servers. Workstations are almost always up to date.
At first, I suspected the problem was the common “We can’t patch that server because, if we do, our vendor won’t support this or that application.” But I’ve been digging in further and finding that these Windows servers are within the scope of patching via Windows Server Update Services (WSUS) or another third-party system. Perhaps the randomly missing patches are related to network admins uninstalling certain patches here and there for troubleshooting? Maybe something has gone awry in the patch management process, such as an oversight on the part of the responsible party?
For some reason WSUS and third-party patch management tools are not reporting these missing patches. It seems the older the patch the greater the chance of it being overlooked and exposed. You’d expect to find a missing patch here or there but this is a consistent problem in many projects.
Regardless of the underlying cause, it’s important to understand that the odds are great that you’ve got Windows servers on your network right now that are missing numerous patches – patches that are waiting to be exploited by malware or a rogue insider.
What’s the solution? The best course of action is to,go back and ensure that all Windows server patches appear to be installed. Then, trust but verify. You can do this by running any number of vulnerability scanners such as QualysGuard, NeXpose, Retina or LanGuard to determine what’s being overlooked. Even if you just use a trial or free version of one of the scanners, you’ll likely see what I’m talking about.
You can run these vulnerability scanners without authentication, perhapsfrom the perspective of someone plugged into your network but not authenticated to the Windows domain or any specific Windows host. If the scanner is good enough, it’ll find just what you need. Recently, I’ve been taking this a step further and running authenticated scans with normal domain user credentials. This type of scan will find the same – likely more – missing patches and provide a more accurate representation of what can be seen and exploited on your network.
The critical thing is to recognize that you may not be getting accurate patching information on your Windows servers. Bad information equals unnecessary risks. Assuming that everything’s hunky dory can create a serious false sense of security, especially given how simple it is for an insider to use Metasploit against you. If you haven’t been performing periodic internal vulnerability scans, this is as great a time as ever to get started.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. Kevin can be reached at www.principlelogic.com and you can follow in on Twitter at @kevinbeaver.
This was first published in August 2011