Microsoft boasts that Windows Server 2008 is the most secure Windows server yet, but a researcher who put it to the test claims the product isn't as ironclad as advertised.
Cesar Cerrudo, founder and CEO of Argeniss Information Security in Argentina, said he'll show off flaws he discovered April 17 at the HITBSecConf2008 in Dubai during a presentation entitled "Token Kidnapping."
Windows Server 2008 does include a host of security improvements, he said. Nevertheless, Cerrudo said he found design flaws Microsoft engineers failed to catch during its Security Development Lifecycle (SDL). The flaws allow accounts commonly used by Windows to bypass new Windows services protection mechanisms and elevate privileges to achieve complete control over the operating system.
"The design weaknesses can be abused on Windows XP, Vista, Internet Information Services 7 (IIS 7) and Windows Server 2003 and 2008," he said. Among other things, he said, "an attacker could exploit this by uploading an ASP.NET Web page and running it with an IIS 7 default configuration."
Cerrudo said the problem is especially severe because any Windows service, even when running under a low-privileged account, can potentially break through the security protections and fully compromise the operating system. This includes all Web applications deployed on IIS 6.
He said the only way to mitigate the threat is to restrict ASP.NET functionality, prevent users from executing dangerous system calls that are allowed by default and preventing binary content from being uploaded. On IIS 7, the threat can be avoided by running Web applications under a different account than NetworkService, LocalService and LocalSystem.
Microsoft notes on its Windows Server 2008 Web page that the product comes with IIS 7, a Web server and security-enhanced, easy-to-manage platform for developing and reliably hosting Web applications and services. Furthermore, Microsoft said, IIS 7 plays a central role in unifying Microsoft's Web platform technologies -- ASP.NET, Windows Communication Foundation Web services, and Windows SharePoint Services.
Microsoft also claims that Windows Server 2008 is the most secure server yet. It comes with Network Access Protection (NAP) to help ensure that computers that try to connect to the network comply with the organization's security policy, Microsoft said.
Bill Sisk, security response communications manager for Microsoft, said the company is aware of Cerrudo's upcoming presentation and is working with researchers to fully understand the findings.
"At this time, our understanding is that this presentation describes design issues and does not describe a new vulnerability," he said. "It describes methods to elevate from a NetworkService account to a LocalSystem account. NetworkService and LocalService accounts are trusted accounts, and should be treated as administrator equivalents. The presentation does not describe methods for an attacker to gain access to these trusted accounts."
He reiterated Microsoft's claim that Windows Server 2008 is the most secure Windows server to date, developed under the Security Development Lifecycle (SDL) to ensure strict security and privacy standards from the ground up. "Windows Server 2008 installs only the needed services for the roles the server is performing," he said. "Enhanced auditing, drive encryption, event forwarding, and rights management services are just some of the technologies that help organizations adhere to today's strict IT compliance standards."
He said the Microsoft Security Response Center (MSRC) is prepared to investigate further and take the appropriate action to protect customers as needed.
Cerrudo said Microsoft has invited him to present his findings at the company's Blue Hat security conference but that a schedule conflict will prevent him from doing so.