Anyone who has ever run Windows update is well-aware of the frequent security issues with Microsoft’s OS. Some of those issues make Windows more open to hackers, others simply make DoS attacks easier. Fortunately, Microsoft provides patches for the flaws it can control — but not everything is Redmond’s fault. Some of it is yours.
Many serious OS vulnerabilities are the result of poor management, lax administration, or poor configuration. These problems exist for Windows, and they exist for Unix and Linux as well as other operating systems. In addition, some significant vulnerabilities exist in applications that run on top of these operating systems.
The following items come from the list available at sans.org and the Mitre Corporation Common Vulnerabilities and Exposures database. Both of these sources include information about determining whether or not you’re affected by the vulnerabilities. This list represents just a sampling of potential vulnerabilities.
Data Access Components. This vulnerability is related to Microsoft database access. It can be disabled or patched. Only Windows 2003 seems to have avoided it.
IIS. All but the latest version of IIS have known vulnerabilities that must be patched. If you don’t need IIS, you can avoid problems completely by removing it. (In all but the newest Windows installs, it was included and often enabled by default.)
Remote Access. Until very recently, Windows allowed a variety of remote access methods by default. Fix this vulnerability by manually turning access off and by making sure Windows is patched.
Windows Scripting. Host Installed by default on newer Windows installs — many applications require this capability, so removal, although possible, can be problematic. An updated version is available that solves the problem.
NetWare Enterprise Server. Unpatched versions of NetWare 5.1 can allow command execution by using malformed URLs.
NetWare NFS. Errors in the “read only” flag can give intruders root access. Update NFS or disable it if you don’t need it.
Remote Web Administration Utility. Buffer overflows can be forced. Update the utility or remove it if you don’t need it.
Apache. All versions of Unix and Linux include the Apache Web server, and in many cases it’s installed by default. Older versions must have the latest patches to be secure. Several other OSes, including Windows and NetWare, may also run versions of Apache that share many of these vulnerabilities.
BIND DNS Server. All versions of Unix and Linux include this DNS software to enable name resolutions. Older versions have been shown to have a number of vulnerabilities. The best solution is to use the software only on servers where it’s needed (look for it with the name “named”) and then ensure that you use only the latest version.
RPC Services. Nearly every Unix and Linux install includes RPC; in many cases, it’s enabled by default. Disable these services unless you absolutely must use them. Install patches and updates from your manufacturer in that case.
Sendmail. Older, unpatched versions of this mail transfer service have buffer overflow problems. Updates are available.