Why 'Sasser' does not affect Win2003
As you may be aware, a new worm has emerged named, 'Sasser', and Windows Server 2003 is not infected. Why? Because the RPC interface, which is accessible to anyone (ie; anonymous) on Windows XP and Win2000, was changed in Win2003 so that it requires a local admin to access. Not a remote admin, a local admin using the server's keyboard.
Comments
- Anonymous
May 02, 2004
Are there any chances to have the same for XP? - Anonymous
May 03, 2004
Michael had a quick blurb on his blog on the fact that with the latest 'Sasser' worm, Windows Server 2003 was not infected. Why? As he says, "Because the RPC interface, which is accessible to anyone (ie; anonymous) on Windows XP and Win2000, was changed in Win2003 so that it requires a local admin to access. Not a remote admin, a local admin using the server's keyboard." Here is where Microsoft's change in stance in applying infosec principles to the design, defaults and deployment of their operating systems start to show real benefits. The rule of least privilege applies a harness to the RPC interface and lessens the attack surface by explicitly knowing the difference between local and remote admins and confining the abilities of such foreign bodies of code. In this way, attack patterns built into Sasser are useless against Microsoft's latest OS. This is where their policy of "Secure by Default" limits new unknown attack vector such as this. Are we beginning to see a change? Time will only tell.... - Anonymous
May 03, 2004
For XPSP2 we've done a number of things, all in the interest of reducing attack surface. First, RPC endpoints require authentication, and because the firewall is on by default you can't get to the ports anyway. Next we simply removed that code from LSASS in XPSP2! - Anonymous
May 04, 2004
Thanks. It's great to see such SP2 features indeed. - Anonymous
May 04, 2004
Michael Howard has a blurb on why the Sasser worm does not affect Windows Server 2003. This is because Microsoft made a change to the RPC interface that requires local admin access instead of remote admin.... - Anonymous
May 08, 2004
If security to you means removing bloated features that should have never been implemented, that's saying a lot! - Anonymous
May 08, 2004
There's a little bit more than removing code! - Anonymous
May 08, 2004
The comment has been removed