The large number of services running on a typical Windows or UNIX server is more than enough to discourage a network admin with too little time and too few resources from determining which are needed and which are redundant. As a result there are many different routes into an otherwise secure server or workstation.
For instance, on Compaq (and now HP) servers there's an interesting service called Compaq Insight Manager (or more recently HP Systems Insight Manager), which may have been poorly configured. A web browser interface to this service can often be found on TCP port 2301. Older versions have a default Administrator password of “administrator”, permitting an unauthorised user to gain control of the server remotely, read the SNMP strings (and thus defeat any hardening of SNMP you may have done) and even power down the server.
Many Windows 2000 installations have Internet Information Server (IIS) installed by default. Since it's a huge job to patch every Windows system in a corporate network, the focus is typically on Internet-facing devices and perhaps internal servers. This leaves unpatched desktops vulnerable to the significant number of IIS vulnerabilities which will give the attacker administrative access, and thus the ability to install a Trojan or rootkit and harvest all the information they want.
In many sites we have tested, we find business systems running on UNIX operating systems whilst the majority of in-house technical expertise is on Windows systems. As a result, these UNIX systems are sometimes remotely administered by the third parties who supplied the business application, and unfortunately they are not always motivated to install the latest patches or to harden the operating system configuration. This results in a variety of older services all ripe for exploitation, often on business-critical systems running finance applications.
The solution? Unused and unpatched services can be addressed by the selective and careful use of one of many commonly available vulnerability scanners. Nessus remains one of the most popular free scanners and provides you with a good overview of your network exposure. Alternatively, an occasional visit by a third party to conduct a vulnerability assessment and penetration test can be cost-effective.
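
An added example, not part of the original article: alongside a scanner run, the listening services on a host can be compared with a baseline of what its role actually needs. The role names, the approved-port baseline and the sample `netstat -an` output are assumptions constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output (illustrative, not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2301           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    10.0.0.15:49211        10.0.0.2:445           ESTABLISHED
"""

# Assumed baseline: TCP ports each host role is approved to expose.
APPROVED = {"desktop": {135, 445}, "web-server": {80, 443}}

# Ports the article mentions, with what to check when they turn up.
NOTES = {
    80: "web server; IIS may have been installed by default and left unpatched",
    2301: "Insight Manager web interface; confirm the default password is changed",
}
DEFAULT_NOTE = "no recorded owner; confirm it is needed or disable it"
LOOPBACK = {"127.0.0.1", "::1"}

# Matches TCP listeners in Windows ("LISTENING") and Linux ("LISTEN") netstat
# output; Linux lines carry two extra Recv-Q/Send-Q columns.
LISTEN_RE = re.compile(
    r"^[ \t]*tcp6?[ \t]+(?:\d+[ \t]+\d+[ \t]+)?(\S+):(\d+)[ \t]+\S+[ \t]+LISTEN",
    re.I | re.M,
)

def unexpected_listeners(netstat_text, role):
    """Return sorted (port, note) pairs for reachable listeners outside the baseline."""
    allowed = APPROVED[role]
    ports = set()
    for addr, port in LISTEN_RE.findall(netstat_text):
        if addr.strip("[]") in LOOPBACK:
            continue  # bound to loopback only, not reachable from the network
        if int(port) not in allowed:
            ports.add(int(port))
    return [(p, NOTES.get(p, DEFAULT_NOTE)) for p in sorted(ports)]

if __name__ == "__main__":
    for port, note in unexpected_listeners(SAMPLE_NETSTAT, "desktop"):
        print(f"tcp/{port}: {note}")
```

Run against the sample as a desktop, this reports the web server on port 80 and the management interface on port 2301, the two cases described above.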