Windows Server 2008 Services by Role

Windows Server 2008 has more than 100 available services that can be installed, depending on which roles and features are enabled. The document “Windows Server 2008 Services by Role” found on the companion CD contains a table that shows the status of the various services under each server role. Administrators can refer to the table when attempting to minimize the number of running services to reduce attack surface area.


Attacks on Services

Because Windows comes with so many default services that are started automatically with every Windows boot, malicious hackers know they are likely to be available and often target them. This section will cover the most prolific Windows service attack to date and the most common ways a service can be attacked.


Blaster Worm

Probably the most infamous Windows service attack was the so-called Blaster worm (Virus alert about the Blaster worm and its variants) of 2003. Blaster attacked a known buffer overflow vulnerability in the Windows DCOM RPC service on Windows 2000 and Windows XP computers. Although the vulnerability was known and a Microsoft security update was available, a large percentage of Windows computers were not updated. Adding to the lack of defense preparation was a mistaken belief that “correctly configured” perimeter firewalls would prevent the Blaster worm from infiltrating inside corporate networks.

The Blaster worm worked by connecting to the DCOM RPC service at TCP port 135 and initiating a buffer overflow attack. When the service was overflowed the Blaster worm was given Local System access to the compromised system, started a new shell on TCP port 4444, and downloaded the rest of the worm using TFTP on UDP port 67. The Trojan re-created itself in a file called msblaster.exe, which it referenced in one of the registry auto-start locations. The worm then rebooted the computer and began using the newly exploited host to infect other computers.

When Blaster was first reported, many organizations were slow to react because it was widely believed that an appropriately configured perimeter firewall (one that did not allow inbound access to TCP port 135) would prevent Blaster infections on local computers. But then infected computers joined the corporate network via VPNs and previously infected laptops were plugged into the “protected” corporate networks, unleashing Blaster on the corporate multitudes without security updates. One infected computer quickly infected every vulnerable computer on the network. Blaster was responsible for infecting hundreds of thousands of vulnerable computers in a few hours.

Complicating recovery efforts, a related worm called Nachi (Virus alert about the Nachi worm) was developed a few days later in a misguided attempt to update vulnerable PCs. It would infect vulnerable computers in the same way Blaster did, but then attempt to install the security update that prevented the Blaster infection. Unfortunately, Nachi became the storybook example of why automated malware should never be used to resolve computer issues without the expressed consent of the computer’s owner. Nachi essentially instructed every vulnerable computer on a network to begin downloading a security update, all at once, overwhelming network resources. And when it installed the update, it did so incorrectly, often leaving the system it was trying to protect vulnerable. In an ironic twist, Nachi was ultimately responsible for more problems and downtime than the Blaster worm it was designed to protect against.

Microsoft made significant changes to its operations following Blaster, choosing to be more aggressive in pushing out and automating security updates to computers. Although Windows users had long been using Windows Update and other updating clients (since Windows 98), Microsoft developed and pushed out even more auto-update services, including improved versions of Automatic Updates and introduced free Software Update Services/Windows Server Update Services (SUS/WSUS) for businesses that were not using other patch management solutions. Microsoft also made it easier for new operating system installations to be installed and updated with a minimum risk of exposure to the network by minimizing network access until after updates are installed.

Blaster’s biggest lesson to computer security analysts was to prove that perimeter firewall security was not enough. The “crunchy outer shell with the soft, chewy center” discussed by Bill Cheswick and Hal Burch (Bill Cheswick's Papers) in their seminal work on perimeter firewalls had finally come to light. Windows XP Service Pack 2 (SP2) and later Windows client computers enable the host-based Windows Firewall by default. This single measure is responsible for preventing millions of computers from becoming compromised by various remote malicious attacks.