Security Issues with Windows 2000 Datacenter?

alen asks: "The recent IIS security incidents got me thinking. Code Red and Nimda hit servers that weren't patched by their sys admins. If you get infected, you patch your server and end of story. But what if you're running Windows 2000 Datacenter Server? It's a customized solution that you can't change. All your service packs are customized by your vendor. What happens if you have a web or database server that needs to be patched immediately? Are you left out in the cold running unsecure software that you can't patch while you wait in line for your vendor to issue you a service pack or hotfix?" In a situation like this, the whole ball-o-wax resides with the vendor. If you have a good vendor who actually cares about customer satisfaction, these hotfixes will be available quickly. Would anyone out there actually recommend Datacenter for corporate environments?

"My company is currently looking to cluster our SQL 7 servers. We're considering Win2000 advanced server or datacenter. Around a month ago I sat in a meeting with our VP of IT, and the rest of the network admins I work with. Compaq tried to pitch their Windows 2000 Datacenter or Advanced Server solution. Here is the way the compaq people explained it:

You get datacenter only from an OEM. They look at the apps you're running and customize a solution for you in their lab. Every datacenter implementation is different, and every datacenter CD is different. Since we would be using an EMC SAN as our clustered storage system they said our implementation would take special customization. They would have to contact EMC engineers and work together. Once you deploy it, the OEM monitors it. And you can't install any service packs or anything without getting an OK from your OEM. Any service packs are customized for your enviroment. The SLA guarantees a 99.999% uptime or your money back. Part of your money at least. Datacenter isn't an OS, but a program in their words.

Now here is the problem. With Code Red and Nimda, how do you patch IIS running on datacenter in a timely manner? The reason IIS servers became infected was because the admins didn't patch them in the first place. So say a new worm comes out in a few months and it takes a few days for MS to create a hotfix. Datacenter admins can't install it until they get their customized copy from their OEM. And almost every 2000 server runs IIS for terminal server. It can take a few days and in the meantime your servers could be down. And I don't see the SLA covering a situation like this. Meanwhile you're explaining to your CEO how this $500K supposedly guaranteed solution is sitting dead in the water and you can't do a thing about.

Is there something I'm missing, or did Microsoft look over something like this? Especially when they are trying to push Datacenter as 'Big Iron'."

Datacenter

[fazil]

Keep these SQL apps behind the firewall.. turn off all IIS features on the sql boxes.. and at least Nimda should not be able to get at it. Any web interface would hopefully not use Datacenter, and use standard Advanced Server, which is easily patchable. If sql was available on the front line, well, they almost deserve it.

When you can't secure it, hide it.

[haruharaharu]

If you aren't allowed to patch your server, then you should isolate it behind a firewall of some sort, so that the chances of infection are minimized. This may not work well for IIS (beyond simply not running it), but it will serve you well in the general case.

Datacenter

[Nickodemus]

Is a locked down version of Windows. What happens when you lock it down? Well, intensive testing occurs first to determine what is being done with the box and what possible problems could arrise. Then those problems are solved. Also, only certain applications are certified to run on a datacenter box. The goal here is to achieve five nines. That is have this box up and running for 99.999% of the year. Without thorough testing of applications this level of availability would be impossible.

Part of what you get with a Datacenter purchase is a premier level of support. This includes a named engineer for support, and automatic escalation to the highest level for any support needs. It also includes any updates and or fixes on a priority basis - if you have a Datacenter server you get patches, updates, etc. before anyone else does.

Re:Datacenter?

[spongman]

yup, you shouldn't be running IIS and SQL Server one the same machine. Ideally, you'd run SQL Server alone on the big machine and have a cluster of load-balanced inexpensive boxes running stateless ASP/ISAPI pages connecting to the DB over the LAN. You'll be free to patch the IIS boxes as needed and you can put them in a DMZ for extra security.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Not only MS Datacenter

[ssimpson]

"I don't know of one bank that uses a non-IIS platform."

You need to look harder then. The first 5 banks I could be bothered to look at:

• www.smile.co.uk - Solaris
• www.hsbc.com - HP-UX
• www.barclays.com - AIX
• www.bankofamerica.com - Solaris
• www.bankofny.com - NT / Netscape Enterprise

Think firewall + watchdog functionality

[chabotc]

Put the datacenter server behind a firewall, preferably with some string matching functionality (ie watchdog).

the later iptables have a string-patch included, which allow you to target certain port/string combo's, with this it is easy to block worms from the webserver, as long as you know what request it makes.

exampple to block cmd.exe access (taken from my own internal firewall scripts, this will block nimda)

$IPTABLES -A INPUT -p tcp -i ! $INTERNAL --dport 80 -m limit \
--limit $LIMITLEVEL -m string --string "/cmd.exe" \
-m state --state ESTABLISHED -j LOG \
--log-level $LOGLEVEL \
--log-prefix "MS IIS cmd.exe usage:"

$IPTABLES -A INPUT -p tcp -o ! $INTERNAL --dport 80 -m limit \
--limit $LIMITLEVEL -m string --string "/cmd.exe" \
m state --state ESTABLISHED -j LOG \
--log-level $LOGLEVEL \
--log-prefix "MS IIS cmd.exe usage:"

$IPTABLES -A INPUT -p tcp -i ! $INTERNAL --dport 80 -m string \
--string "/cmd.exe" -m state --state ESTABLISHED\
-j REJECT --reject-with tcp-reset

$IPTABLES -A INPUT -p tcp -o ! $INTERNAL --dport 80 -m string \
--string "/cmd.exe" -m state --state ESTABLISHED\
-j REJECT --reject-with tcp-reset

If you wanted to block codered, filter on /default.ida, filtering on global.asa is also a good idea ;-) etc ..

(see iptables docs for more info)

G'luck

Thank you for your answers

[alen]

I actually posted this question twice, and I'm glad they used this second posting with our actuall situation. The first one was more of a what if scenario.

As far as terminal server and IIS, you need IIS if you want to use the Terminal Server Advanced Client and go in through the web. I was originally taught to use TS through IE and forgot going in through the TS client.

If we do go with Datacenter, the servers will host SQL 2000 Enterprise in a clustered enviroment. We currently use SQL and have a propritery in house written app for it.

And as far as the Code Red holes being found months prior to infection, I just used this as an example. I remember in 1997 and 1998 NT had new security holes every week. Windows 2000 is slightly better. 6 months ago I remember downloading hotfixes that will appear in service pack 3.

My question still remains, if a new flaw in IIS, the kernel or any other part of the OS is found how long are we supposed to wait for a fix? I forgot the specifics, but I'm pretty sure the compaq people said they customize the source code for your enviroment. They will need a copy of our in-house app, get in touch with the EMC engineers because our EMC box will be our clustered storage and analyze everything else. Then we will get a CD with a customized copy of Windows 2000 Datacenter. Like EMC, the servers will be monitored by another company and they will most likely know of any problems before us. Every so often we will get a new CD with updates, service packs, etc customized for us. But if a new worm comes out in a few months that exploits some currently unknown flaw in Win2000 or any other part of the OS, will we be dead in the water while we wait for a patch? After September 11th we were calling EMC for tech support on our Symetrix and we were basically told get in line. They had richer customers to support first.

Get your facts straight first

[thesolo]

A few things here:

1. Datacenter machines will NEVER be running IIS. I've worked with several OEMs before, and none of them would EVER send out a datacenter machine with IIS running on it. If your OEM gives you a datacenter machine with IIS on it, run. Run as fast as you can to another OEM that doesn't.
2. Datacenter should NOT be available to the internet! If this is a mission-critical machine, why would you want it on the internet? So it can double as an EFNet server?! Machines like this should only be accessible to a select group of machines on its own network.
3. As stated before, Terminal Services does NOT require IIS to run. And also, you really shouldn't be using Terminal Services on this machine to do anything except possibly monitor performance--any changes made to the system would violate the uptime guarantee from your Vendor. This is a "LEAVE IT ALONE" situation.
4. If you are dumb enough to have a Datacenter machine running IIS, you deserve to get a worm on it. Anyone who has the kind of money to get one of these machines should have some active brain cells too.

The issues mentioned in this article are null & void, as a situation like that would most likely never, ever happen. (Then again, you picked Compaq as your OEM, so maybe...*insert rim shot here*)