Anyone who has ever run Windows update is well aware of
the frequent security issues with Microsoft's OS. Some of those
issues make Windows more open to hackers, others simply make DoS
attacks easier. Fortunately, Microsoft provides patches for the
flaws it can control - but you too have to take some of the
responsibility.
Many serious OS vulnerabilities are the result of poor
management, lax administration, or poor configuration. These
problems exist for Windows, and they exist for Unix and Linux as
well as other operating systems. In addition, some significant
vulnerabilities exist in applications that run on top of these
operating systems.
The following items come from the list available at
sans.org and the Mitre Corporation
Common Vulnerabilities and Exposures database. Both of these
sources include information about determining whether or not you're
affected by the vulnerabilities. This list represents just a
sampling of potential vulnerabilities.
Microsoft Windows
Data access components. This vulnerability is
related to Microsoft database access. It can be disabled or
patched. Only Windows 2003 seems to have avoided it.
IIS. All but the latest version of IIS have
known vulnerabilities that must be patched. If you don't need IIS,
you can avoid problems completely by removing it. (In all but the
newest Windows installs, it was included and often enabled by
default.)
Remote access. Until very recently, Windows
allowed a variety of remote access methods by default. Fix this
vulnerability by manually turning access off and by making sure
Windows is patched.
Windows scripting. Host Installed by default on
newer Windows installs -- many applications require this
capability, so removal, although possible, can be problematic. An
updated version is available that solves the problem.
Novell Inc. NetWare
NetWare Enterprise Server. Unpatched versions
of NetWare 5.1 can allow command execution by using malformed
URLs.
NetWare NFS. Errors in the "read only" flag can
give intruders root access. Update NFS or disable it if you don't
need it.
Remote Web Administration Utility. Buffer
overflows can be forced. Update the utility or remove it if you
don't need it.
Unix/Linux
Apache. All versions of Unix and Linux include
the Apache Web server, and in many cases it's installed by default.
Older versions must have the latest patches to be secure. Several
other OSes, including Windows and NetWare, may also run versions of
Apache that share many of these vulnerabilities.
BIND DNS Server. All versions of Unix and Linux
include this DNS software to enable name resolutions. Older
versions have been shown to have a number of vulnerabilities. The
best solution is to use the software only on servers where it's
needed (look for it with the name "named") and then ensure that you
use only the latest version.
RPC Services. Nearly every Unix and Linux
install includes RPC; in many cases, it's enabled by default.
Disable these services unless you absolutely must use them. Install
patches and updates from your manufacturer in that case.
Sendmail. Older, unpatched versions of this
mail transfer service have buffer overflow problems. Updates are
available.
Wayne Rash writes for InfoWorld