For instance, on Compaq (and now Hewlett-Packard Co.) servers, there's an interesting server and infrastructure management service called Compaq Insight Manager (or, more recently, called HP Systems Insight Manager). This service is sometimes poorly configured, either because manufacturer default credentials remain unchanged, or because busy administrators fail to understand the importance of choosing difficult-to-guess passwords. A Web browser interface to this service, in fact, can often be found on TCP ports 2301 and 2381. Older versions have a default administrator password of "administrator," permitting an unauthorised user to gain control of a server remotely, read or alter the SNMP strings (thus defeating any hardening of SNMP that may have been implemented) and even power down a server.
Another example of a potentially unused service is Internet Information Server (IIS), which is installed by default on many Windows servers. Since it's a huge job to patch every Windows system in a corporate network, an understaffed or overburdened organisation's focus is typically
on Internet-facing devices. This leaves unpatched servers (and sometimes workstations) vulnerable to a significant number of IIS vulnerabilities, which provide attackers with administrative access, and thus the ability to install a Trojan or rootkit that can subsequently harvest all the data they want.
|
||||
For these reasons, it's imperative to properly secure or remove unused or unpatched services after they are identified. This need can be addressed by the selective and careful use of one of many commonly available vulnerability scanners. Nessus remains one of the most popular free scanners and provides a good overview of an enterprise's network exposure by highlighting missing patches and out-of-date software, and by listing all the services running on each device. Inexperienced users should ensure they understand how their scanner works and which of its many settings are appropriate for their environment. Occasionally, overzealous administrators have been known to cause system outages and even crashes by running improperly configured vulnerability scanners. Alternatively, an occasional visit by a third party to conduct a vulnerability assessment and penetration test can be a cost-effective alternative, especially where the IT department is already over-stretched or may not have the necessary security skills to interpret a scanner's results accurately.
About the author:
Peter Wood is Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK. He is a world-renowned security evangelist, speaking at conferences and seminars on ethical hacking techniques and social engineering. He has appeared in documentaries for BBC television, provided commentary on security issues for TV and radio and written many articles on a variety of security topics. He has also been rated the British Computer Society's number one speaker.
This was first published in November 2009