Follow ITProPortal:

RSS Tweet Digg

Network Admin Nightmare #4 - Unused and Unpatched Services

The large number of services running on a typical Windows or UNIX server is more than enough to discourage a network admin with too little time and too few resources from determining which are needed and which are redundant. As a result, there are many different routes into an otherwise secure server or workstation.

For instance, Compaq (and now HP) servers run an interesting service called Compaq Insight Manager (or, more recently, HP Systems Insight Manager), which may have been poorly configured. A web browser interface to this service can often be found on TCP port 2301. Older versions have a default Administrator password of “administrator”, permitting an unauthorised user to gain control of the server remotely, read the SNMP community strings (and thus defeat any hardening of SNMP you may have done) and even power down the server.

Many Windows 2000 installations have Internet Information Server (IIS) installed by default. Since it’s a huge job to patch every Windows system in a corporate network, the focus is typically on Internet-facing devices and perhaps internal servers. This leaves unpatched desktops exposed to the significant number of IIS vulnerabilities that give an attacker administrative access, and thus the ability to install a Trojan or rootkit and harvest all the information they want.
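One way to find the redundant services described above is to compare each host's listening TCP ports against a baseline for its role. The following is an added example, not part of the original article; the role baselines, the function name and the sample `netstat -an` output are constructed assumptions.

```python
import re

# Hypothetical per-role baselines (assumption): TCP ports each role may expose.
BASELINE = {
    "desktop": {135, 139, 445},
    "web-server": {80, 135, 139, 443, 445},
}

# Listening TCP rows of `netstat -an`: Windows prints LISTENING, UNIX prints
# LISTEN (with two queue-size columns before the local address).
ROW = re.compile(
    r"^\s*tcp\S*\s+(?:\d+\s+\d+\s+)?(?P<addr>\S+)[:.](?P<port>\d+)"
    r"\s+\S+\s+LISTEN(?:ING)?\b",
    re.IGNORECASE,
)

# Constructed sample output for a desktop; not taken from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2301           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    10.0.0.23:139          0.0.0.0:0              LISTENING
  TCP    10.0.0.23:49222        10.0.0.5:445           ESTABLISHED
  TCP    [::]:80                [::]:0                 LISTENING
"""

def unexpected_listeners(netstat_text, role):
    """Return sorted TCP ports that listen on a network interface but are
    not in the role's baseline. Loopback-only listeners are skipped."""
    allowed = BASELINE[role]
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, established connections
        addr, port = m.group("addr"), int(m.group("port"))
        loopback = addr.startswith("127.") or addr in ("::1", "[::1]")
        if not loopback and port not in allowed:
            found.add(port)
    return sorted(found)

if __name__ == "__main__":
    for role in ("desktop", "web-server"):
        print(role, unexpected_listeners(SAMPLE, role))
```

On the sample desktop this flags the web server on port 80 and the Insight Manager web interface on port 2301; each flagged port is a service to either justify and patch or disable.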




Owned & operated by: Net Communities