Why Sasser did not infect Windows Server 2003
The Sasser worm took advantage of a defect in logging code within the Local Security Authority Subsystem (LSASS). The entry point for this functionality is an RPC interface, which is open by default for all users to access on Windows 2000 and Windows XP. The code existed in Windows Server 2003 prior to the security update (MS04-011, https://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx); however, the Sasser worm did not affect Windows Server 2003!
Why?
To me, the answer is very important. Some years ago I realized that fixing code is honorable, and nothing is better than writing great code from the get-go. But people are imperfect, and code will be imperfect, so we need to do more than simply create better code, we need extra defenses, “just in case.”
And this is where attack surface reduction enters the picture. The RPC interface in question is NOT accessible by anyone on the Internet in Windows Server 2003. Even if the firewall is not turned on, only local administrators can access the RPC endpoint.
This is a very important point: attack surface reduction is not just about turning stuff off and shutting things down; it’s also about limiting who can access what by default. In this case, the RPC endpoint is an administrative interface into DCPromo, and it made perfect sense to limit the code to local admins only in Windows Server 2003.
SSSOOOoooo…. to attack this code in Windows Server 2003 requires the attacker to be a local admin. In other words, a user with administrative rights seated at the console. Let’s be honest, if you have people attacking systems this way, a bug in DCPromo is the least of your problems!
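The layering described above, as an added illustration that is not Windows code: a small model of an RPC dispatcher in which the host firewall and a per-interface access check are independent layers. The interface name `DcPromoAdmin`, the two platform profiles and the bounded log line in the handler are all assumptions made for the model; the point it shows is that the same handler code is reachable by any caller under the "everyone" default but only by a local administrator under the "local admins only" default, whether or not the firewall is on.

```python
"""Model of attack surface reduction by default access policy on an RPC interface.

Constructed example, not Windows code. Two layers are modelled:
  1. a host firewall that blocks remote calls when enabled, and
  2. a per-interface access check that runs even when the firewall is off.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Caller:
    """Who is making the call and from where."""
    name: str
    local_admin: bool   # member of the local Administrators group
    remote: bool        # True if the call arrives over the network


@dataclass
class Interface:
    """An RPC interface: a handler plus the access check guarding it."""
    name: str
    handler: Callable[[Caller, str], str]
    allow: Callable[[Caller], bool]


def allow_everyone(caller: Caller) -> bool:
    """Default modelled for Windows 2000 / XP: any caller may reach the interface."""
    return True


def allow_local_admins(caller: Caller) -> bool:
    """Default modelled for Windows Server 2003: local administrators at the console only."""
    return caller.local_admin and not caller.remote


LOG_MAX = 64  # assumed bound on the logged text; the real defect was in logging code


def dcpromo_log(caller: Caller, text: str) -> str:
    """Hypothetical administrative handler that logs caller-supplied text (bounded here)."""
    return f"[{caller.name}] {text[:LOG_MAX]}"


class RpcServer:
    """Dispatches calls through the firewall layer, then the interface's access check."""

    def __init__(self, firewall_on: bool) -> None:
        self.firewall_on = firewall_on
        self.interfaces: Dict[str, Interface] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (outcome, interface, caller)

    def register(self, iface: Interface) -> None:
        self.interfaces[iface.name] = iface

    def call(self, iface_name: str, caller: Caller, arg: str) -> str:
        iface = self.interfaces[iface_name]
        # Layer 1: the host firewall, which the text notes may simply be off.
        if caller.remote and self.firewall_on:
            self.audit.append(("blocked", iface_name, caller.name))
            return "blocked: firewall"
        # Layer 2: the interface's own access check, independent of the firewall.
        if not iface.allow(caller):
            self.audit.append(("denied", iface_name, caller.name))
            return "denied: access check"
        self.audit.append(("allowed", iface_name, caller.name))
        return iface.handler(caller, arg)


def build_server(profile: str, firewall_on: bool) -> RpcServer:
    """Assemble a server whose default policy depends on the (assumed) platform profile."""
    policy = allow_local_admins if profile == "server2003" else allow_everyone
    server = RpcServer(firewall_on)
    server.register(Interface("DcPromoAdmin", dcpromo_log, policy))
    return server


if __name__ == "__main__":
    worm = Caller("remote-user", local_admin=False, remote=True)   # constructed caller
    admin = Caller("console-admin", local_admin=True, remote=False)
    for profile in ("xp", "server2003"):
        srv = build_server(profile, firewall_on=False)
        print(profile, "remote user ->", srv.call("DcPromoAdmin", worm, "hello"))
        print(profile, "local admin ->", srv.call("DcPromoAdmin", admin, "hello"))
```

Running it prints that the remote, unprivileged caller reaches the handler on the "xp" profile and is denied by the access check on the "server2003" profile, while the console administrator reaches it on both. The audit list records which layer made each decision, which is the kind of evidence a defender wants when judging how much exposure a bug in the handler actually has.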
Comments
- Anonymous
June 16, 2004
Yea!
Can't agree more! I get tired of people attacking MS all of the time..... even programmers who should know better.
- Anonymous
June 17, 2004
The comment has been removed
- Anonymous
June 17, 2004
It's really up to the app in question. For example, you can limit IP addresses in IIS. It's in the admin tool
- Anonymous
June 19, 2004
The comment has been removed
- Anonymous
June 23, 2004
You're just making me want to go write a new exploit for 2003 when you say these sorts of things. :>
- Anonymous
June 23, 2004
Hi Dave!!! :)
- Anonymous
July 29, 2004
I think Dave succeeded because my 2003 Server keeps picking up some derivative of SASSER. Can't find a patch or a solution as yet.