The last of MS06-040: Windows is out. Without OS X Server, what to use instead?

I hope to post the innumerable comments to my series on MS06-040, but I have to clear comments individually via a tedious HTML interface. The task keeps falling to 3rd priority (meaning my job's not riding on it) as content joins my calendar. Don't think I'm trying to spin this my way by stifling dissenting opinions.

Things are now quiet on the MS06-040 front, and I truly don't enjoy saying that it's no thanks to Microsoft. If I had stayed in the character I set out to portray--the non-IT person responsible for running a very small number of Windows servers--I would have been forced to erase and reinstall, as was the advice from Microsoft and security sites. When I failed to heed that advice, sure enough, I got hit with follow-up infections as if to prove the point that an average administrator couldn't finesse his or her way out of this exploit and the ones that tailgated behind it. Windows simply offers too many vectors through which infection can enter, and too many places for malware executables and configuration holes to hide once they get in. I was left with no choice but to hang up the Average Joe hat and let my inner Windows admin loose. It derailed the original drama, but I'll be damned if I'm going to wipe out all of my apps and reconfigure my box from scratch because of some waste of oily skin.

Having to hang up the hat of the typical small business user was a major disappointment. There are more Average Joes out there running one, two or a small number of Windows servers than most people realize. Small Business Server and lower-end Windows Server SKUs like Web and Standard Edition do very well because they target organizations whose computing needs are not likely to grow beyond five to ten machines. For all of Microsoft's enterprise-focused advertising and enterprise-targeted editorial in InfoWorld and elsewhere, I'll always consider Windows most at home in small groups of servers. In that setting, many admins of average skill but lacking the unreasonable amount of time I devoted to tracking and curing the exploit would have wiped their machines clean and, potentially, years of manual patching, tuning and work-arounds along with it. It really is demoralizing.

Commenters asked, "why didn't you have backups?" I did. I do full backups weekly and incremental backups nightly. Not knowing where the infection lived, I'd have had to do a full restore from a week-old backup, and the process would not overwrite Windows system files, including the Registry. Yes, the attack clobbered the backup copy of my Registry.

The system image that I originally restored to build this stopgap Windows server--you may recall that it only has to last until October when the new Xserve comes out--was a Primary Domain Controller. That was back when I had a Windows LAN, and leaving the machine as a PDC was expedient. The infection destroyed Active Directory to the point where I can't use the GUI management console to change users' passwords or set security policies. When I tried to use Microsoft Management Console to alter user passwords on a local level, I was told that this operation was not permitted on a PDC. I'm sure there's a good reason for this, but even PDCs have local accounts. I was able to change account passwords with a little LAN Manager command line hoodoo, specifically:

net user username *

The syntax of this command makes its function self-explanatory, no? I find that easy to forgive. If I hadn't known about this command, I wouldn't have been able to perform the essential task of changing likely-cracked passwords. Windows admins, if you don't know the net command, go learn it.

In a bizarre twist, some snot destroyed the DLLs required to use the Windows 2000 Server Resource Kit. The kit's tools help experienced admins dig around in Windows' internals. But the crackers disabled it, and I discovered the same day that Windows 2000 and the Resource Kit are no longer downloadable from Microsoft Developer Network (MSDN). Win2K has had its five-year sunset warning; it won't get any more service packs. But it is still supported and hotfixed, and developers still need to validate code against this very widely-deployed Windows server OS. Win2K's main appeal to me is that it is the last Windows OS that doesn't require on-line activation.

I fired up the freeware ClamWin, the Windows port of the godsend ClamAV open source anti-virus solution. Apple distributes it with OS X. I'm told that ClamAV had a signature for MS06-040 before commercial AV vendors did. I can't speak to that, but ClamWin found the original malware and the follow-on infections I had located and quarantined by hand. ClamWin found one remnant of the SDBot trojan that I had missed that could have been used to resurrect the full exploit. For paranoia's sake, I set ClamWin to run hourly in case another weasel stuck his rosy-palmed hand into my server through another hole in the fence.

ClamWin doesn't do repairs to the Registry or identify potential security risks. That should be Microsoft's job, but the freeware Spybot Search and Destroy is a little-known gem in this regard. It is most often used to clear away the Web tracking cookies and "helper" apps that marketers and ne'er-do-wells sneak onto a desktop system to watch your every move on the Web. However, switched into advanced mode, Spybot S and D incorporates most of the functionality of the discrete Sysinternals and Resource Kit tools, and then some. It scanned my running services to look for red flags. If I had run that right after the infection, it would have spotted MS06-040 without the need for a specific signature. It also found a lingering Registry entry that left my administrative file shares open to public access. I cleaned up my machine for the price of $10 contributions to two freeware projects. I refuse to put any money in commercial security vendors' pockets since they are part of the chain of publicity and paranoia that gives malware attackers a reason to live. As always with security, I've read nothing that indicates costly commercial tools produced better results than freeware and open source alternatives.

I'll take a brief tangent to address commenters who said that I wouldn't have been vulnerable if I had been running Windows 2003 or XP. These come with firewalls. Windows 2000 has a packet filter, a firewall with a really ugly interface. But neither of these would have blocked this exploit. I keep my servers' services open to the Internet so that I'm not limited in the research I can do while I'm on the road. I rely on OS and services' security, not the blocking of TCP and UDP ports, to protect my machine. I ran Xserves with all services exposed for about two years with no trouble. The security configurations were OS X Server defaults, except that I didn't allow cleartext passwords. I had that Windows 2000 image locked down tight--nothing got in or out without authentication and encryption.

To pick up the story, I went to Sysinternals and Spybot Search and Destroy after taking one last swing at Microsoft's security tools. Microsoft has one detection and repair utility, dubbed "malware removal tool," but its last update was August 8. The strain of MS06-040 attacks that hit me started spreading on 8/13. I was extremely hopeful that Microsoft Baseline Security Analyzer would tear into my system and set it right. It spat out a number of vague warnings, with question-mark links to a Microsoft Web site that repeated the text of the warning but offered no useful guidance about the severity of the problem or a potential fix. Tip to Microsoft: A tool for analyzing system and network security should not require an active link to the Internet.

Now I'm just barely back in business, bloodied and really pissed off, but unbowed. I can hardly put this in my "win" column. The only service I've left open to the Internet is e-mail, and that's unacceptable. A machine listening on ports 25 and 110 is not a server. I need a lot more than that on the road. Yet Windows continues to bind TCP listeners to weird WAN ports even though I have explicitly disabled all Windows services on that network adapter. What owns these ports? Services.exe. What do they do? Ask Microsoft. I've had it.
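The question "what owns these ports?" is one an admin can answer mechanically: list every socket bound to the WAN address (or to 0.0.0.0, which covers every adapter), keep the ones that are listening, drop the ports you meant to expose, and group the rest by owning process. The script below is an added example, not part of the original post; it parses constructed text in the format of Windows `netstat -ano` (the PID column comes from the -o switch, which the Windows 2000 netstat lacks, so on that OS the port-to-process mapping would come from a Sysinternals tool instead), and the WAN address, ports and PIDs in the sample are made up.

```python
# Added example: audit which processes own TCP/UDP listeners reachable from
# the WAN. Input mimics Windows `netstat -ano` output (Proto, Local Address,
# Foreign Address, State, PID); all addresses, ports and PIDs are constructed.
from collections import defaultdict

WAN_ADDRESS = "203.0.113.10"      # constructed stand-in for the server's WAN IP
EXPECTED_WAN_PORTS = {25, 110}    # the only services meant to face the Internet

SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1104
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING       1104
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       688
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:445        0.0.0.0:0              LISTENING       4
  TCP    203.0.113.10:1025      0.0.0.0:0              LISTENING       688
  TCP    203.0.113.10:3456      198.51.100.7:6667      ESTABLISHED     2220
  UDP    0.0.0.0:137            *:*                                    4
"""

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, state, pid) for each TCP/UDP row."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank, or unknown line
        if parts[0] == "TCP":
            proto, local, _foreign, state, pid = parts
        else:                             # UDP rows carry no State column
            proto, local, _foreign, pid = parts
            state = ""
        ip, _, port = local.rpartition(":")
        yield proto, ip, int(port), state, int(pid)

def unexpected_wan_listeners(text, wan=WAN_ADDRESS, expected=EXPECTED_WAN_PORTS):
    """Return {pid: [(proto, port), ...]} for WAN-reachable sockets not on the
    expected list. 0.0.0.0 binds every adapter, so it counts; a LAN bind does not."""
    hits = defaultdict(set)
    for proto, ip, port, state, pid in parse_netstat(text):
        reachable = ip in (wan, "0.0.0.0")
        listening = state == "LISTENING" or proto == "UDP"
        if reachable and listening and port not in expected:
            hits[pid].add((proto, port))
    return {pid: sorted(ports) for pid, ports in hits.items()}

if __name__ == "__main__":
    for pid, ports in sorted(unexpected_wan_listeners(SAMPLE_NETSTAT).items()):
        print(f"PID {pid} owns unexpected WAN listeners: {ports}")
```

Feed it real netstat output and the PIDs it prints are the ones to look up in Task Manager or a process viewer; anything owned by a system process you did not intend to expose is what the firewall or adapter binding settings should be closing.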

I tried, people, I really did, but I won't make it on Windows until October. I have a ton of travel coming up soon. I need my network services back on the air in a shop with no Mac servers, a choice I made because I am flushing out all PowerPC equipment. I'm waffling over what to do in the interim. I'm too disgusted right now to even think about setting up a fresh Windows install, even though that would serve my original "what's it like to switch from Mac to Windows?" research. My answer to that question is neither fit for print nor scientifically derived. I know that it was mostly bad timing; if I had set up this machine two weeks later, or Windows Update had gotten to me just a little bit sooner, this series of blog posts would never have appeared.

I want OS X Server back, but I need to approach Apple's server technology in October from the standpoint of a new user. I am certain that resetting my perspective is the right thing to do, absolutely necessary, but damn it, I'd sure like to get back to work. Sometimes experiencing your pain, or making you glad you're not in my shoes, is job one. I set it up that way. This whole reality show craze? My idea.

Do you want to know the worst part about where things stand now? I've got a Mac Pro sitting not a foot from me. It's calling out, "I can be a server! I'd be really good at it! Send me in, coach!" Held up against Xserve's specs, Mac Pro is clearly and strictly a client box. I have to wait until October. Providence grant me the patience to accept the things I can change, but shouldn't.

Copyright © 2006 IDG Communications, Inc.