If you thought Microsoft NT Server and Internet Information Server were secure enough to use straight out of the box--think again. Businesses which deploy those products for their Internet presence and do not keep a constant watch on security issues are "putting a gun to their heads" according to a visiting security expert.
In a private briefing for Computerworld, Mark Fabro, a Canadian hacker-turned-security-expert, demonstrated an ftp hack on NT Server 3.51 which was only fixed in a Service Pack in March (Ref Q140818 in the Microsoft Knowledge Base). The error in the server code was never officially referred to as a security issue, but Fabro says it could be used to gain access to any files on a server.
Although Microsoft has promoted NT solutions as inherently more secure than Unix, Fabro says there are "a whole lot" of potential NT attacks known to the hacker underground. The accelerated development cycles demanded by the current market will only increase the level of hazard, he says.
"The new things are always going to cause problems, whether it's a piece of security equipment, or an office enhancement utility or something like that. I think there is a very large contribution to the security issue now because NT 4.0's out and everyone wants it and everybody's running it, but the only real security is that no one has the source code.
"And you have the Internet Information Server, this great Webserver which Microsoft just put out there and it's ... crap. It's great, but it's full of holes. People are producing things to meet everybody's immediate needs really fast--especially the need to get on the Internet. And there are these people in the underground just sitting there with opening arms, saying c'mon, give me your best shot."
Fabro says the most secure Webservers operating on the Internet are MacOS-based, "not because the Mac is inherently superior--but because it's inherently stupid. It would be more difficult to circumvent the inner workings of a Macintosh. All you can really do is perhaps bring a Website down, a denial of service attack--but you can't exploit the inner workings of the machine it's on.
"But the big companies out there, because of interconnectivity, are not going to put their Website up on a Mac. They're going to put it up on a corporate-sponsored NT server. Microsoft says to Ford Motors, we want your business, what say we just we put IIS on top of NT server for free? And Ford says, hey, for free! So they take IIS and put it on top of NT, right out of the box. And that is just ... a gun to the head."
Microsoft New Zealand NT product manager Guy Haycock agrees that "people should not just pick up the product CD and assume that all the angles are covered. My advice is that people should be aware of what they're doing--and the more complex the technology they're deploying, the more help they need."
Haycock says he would expect a major customer deploying NT Server for Internet use to "buy some time" with Microsoft Consulting Service in conjunction with one of Microsoft's approved solution providers, such as Southmark, Digital, EDS or Wang. He also points to Microsoft's technical certification programmes and its monthly Premier Partner Bulletin.
One NT system administrator invited to the briefing confessed to feeling that he was under a "cone of silence" from Microsoft when it came to security news. Fabro's advice was to monitor relevant mailing lists and newsgroups.
"If the traffic on the lists is too high, split up responsibility for them, so that each staff member is responsible for monitoring two or three lists. If you do get wind of something, search the Microsoft Knowledge Base--you may actually find information Microsoft doesn't know is there. The load is so high they sometimes chuck postings on verbatim."
It is by no means only Microsoft products which are vulnerable, Fabro says. There is, for example, already an attack for the POP3 mail protocol, around which the Internet industry is standardising.
See this week's Friday Fry-Up for a fuller interview with Fabro.