Windows Server 2008 security not as advertised, says researcher

By Bill Brenner, Senior News Writer 26 Mar 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft boasts that Windows Server 2008 is the most secure Windows server yet, but a researcher who put it to the test claims the product isn't as ironclad as advertised.

Design weaknesses can be abused on Windows XP, Vista, Internet Information Services 7 and Windows Server 2003 and 2008 Cesar Cerrudo, CEO, Argeniss Information Security

Cesar Cerrudo, founder and CEO of Argeniss Information Security in Argentina, said he'll show off flaws he discovered April 17 at the HITBSecConf2008 in Dubai during a presentation entitled "Token Kidnapping."

Windows Server 2008 does include a host of security improvements, he said. Nevertheless, Cerrudo said he found design flaws Microsoft engineers failed to catch during its Security Development Lifecycle (SDL). The flaws allow accounts commonly used by Windows to bypass new Windows services protection mechanisms and elevate privileges to achieve complete control over the operating system.

"The design weaknesses can be abused on Windows XP, Vista, Internet Information Services 7 (IIS 7) and Windows Server 2003 and 2008," he said. Among other things, he said, "an attacker could exploit this by uploading an ASP.NET Web page and running it with an IIS 7 default configuration."

Cerrudo said the problem is especially severe because any Windows service, even when running under a low-privileged account, can potentially break through the security protections and fully compromise the operating system. This includes all Web applications deployed on IIS 6.

Windows Server 2008: Microsoft touts security in Windows Server 2008: Windows Server 2008, expected to release Feb. 27, is first server product built from scratch since the advent Trustworthy Computing at Microsoft.

He said the only way to mitigate the threat is to restrict ASP.NET functionality, prevent users from executing dangerous system calls that are allowed by default and preventing binary content from being uploaded. On IIS 7, the threat can be avoided by running Web applications under a different account than NetworkService, LocalService and LocalSystem.

Microsoft notes on its Windows Server 2008 Web page that the product comes with IIS 7, a Web server and security-enhanced, easy-to-manage platform for developing and reliably hosting Web applications and services. Furthermore, Microsoft said, IIS 7 plays a central role in unifying Microsoft's Web platform technologies -- ASP.NET, Windows Communication Foundation Web services, and Windows SharePoint Services.

Microsoft also claims that Windows Server 2008 is the most secure server yet. It comes with Network Access Protection (NAP) to help ensure that computers that try to connect to the network comply with the organization's security policy, Microsoft said.

Bill Sisk, security response communications manager for Microsoft, said the company is aware of Cerrudo's upcoming presentation and is working with researchers to fully understand the findings.

"At this time, our understanding is that this presentation describes design issues and does not describe a new vulnerability," he said. "It describes methods to elevate from a NetworkService account to a LocalSystem account. NetworkService and LocalService accounts are trusted accounts, and should be treated as administrator equivalents. The presentation does not describe methods for an attacker to gain access to these trusted accounts."

He reiterated Microsoft's claim that Windows Server 2008 is the most secure Windows server to date, developed under the Security Development Lifecycle (SDL) to ensure strict security and privacy standards from the ground up. "Windows Server 2008 installs only the needed services for the roles the server is performing," he said. "Enhanced auditing, drive encryption, event forwarding, and rights management services are just some of the technologies that help organizations adhere to today's strict IT compliance standards."

He said the Microsoft Security Response Center (MSRC) is prepared to investigate further and take the appropriate action to protect customers as needed.

Cerrudo said Microsoft has invited him to present his findings at the company's Blue Hat security conference but that a schedule conflict will prevent him from doing so.

Tags: Windows Security: Alerts, Updates and Best Practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows Security: Alerts, Updates and Best Practices Microsoft to fix 26 flaws in Windows, Office Microsoft warns that IE zero-day vulnerability causes data leakage Microsoft issues critical security update, blocks IE 6 attacks Microsoft emergency IE update to block latest corporate attacks Latest zero-day attacks only target IE 6, Microsoft says Hackers used IE zero-day in Google, Adobe attacks, McAfee says Microsoft issues advisory on Internet Explorer zero-day Microsoft releases Windows OpenType Font Engine patch Microsoft to patch single Windows 2000 vulnerability IIS configuration error leads to increased threat, Microsoft says

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary BotHunter  (SearchSecurity.com) principle of least privilege (POLP)  (SearchSecurity.com) security identifier  (SearchSecurity.com) trusted computing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary