I have been looking into some issues that I have heard about from someone
running a Windows 2003 server network. It seems that rootkits get installed
as quickly as they get removed. Currently, they do not have an external
firewall, but they are going to get one. Right now, I would like some advice
to stop the installation of these rootkits. The servers are up to date with
patches and antivirus. They keep getting turned into torrent servers. Any
advice would be appreciated. As soon as whatever thing the hackers install
gets taken off the server, it comes back again, usually within an hour. It
would appear that this is happening to all servers.

Re: Preventing rootkits from getting installed on servers by Miha

Miha
Thu Nov 10 14:34:48 CST 2005

Hi George,

A few points:
- once the rootkit is on the server, the only reliable way to remove it is to
format the server (you can't trust what the operating system is telling you any
more)... Patching, updating and antivirus currently won't help you much...
- if the rootkit is good at what it is doing, you won't even know it is
running on the server... (for more information go to http://www.rootkit.com/)
- only administrators can install rootkits (the question here is how
outsiders got these permissions)
- Windows 2003 has a built-in firewall, and it is a pretty damn good one; they
should at least use this one :-) (Windows 2000 has IP policies that you can
use to protect access to the server).
- when setting up the server, don't plug it into the network (a computer can
be infected before it is completely set up). Set it up offline and enable the
built-in firewall, and only then connect it to the network. Now patch it, and
only then disable the personal firewall if you must...
- use strong, hard-to-guess passwords (especially for administrators)
- don't run and surf from the server with administrator permissions (if you
must, use the tool and information from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp
(Browsing the Web and Reading E-mail Safely as an Administrator))...

--
Mike
Microsoft MVP - Windows Security

"George" <George@discussions.microsoft.com> wrote in message
news:9A297AB8-8BC8-4F0F-984C-30C409FE8FD4@microsoft.com...
> I have been looking into some issues that I have heard about from someone
> running a Windows 2003 server network. It seems that rootkits get installed
> as quickly as they get removed. Currently, they do not have an external
> firewall, but they are going to get one. Right now, I would like some advice
> to stop the installation of these rootkits. The servers are up to date with
> patches and antivirus. They keep getting turned into torrent servers. Any
> advice would be appreciated. As soon as whatever thing the hackers install
> gets taken off the server, it comes back again, usually within an hour. It
> would appear that this is happening to all servers.



Re: Preventing rootkits from getting installed on servers by Imhotep

Imhotep
Thu Nov 10 21:31:50 CST 2005

George wrote:

> I have been looking into some issues that I have heard about from someone
> running a Windows 2003 server network. It seems that rootkits get installed
> as quickly as they get removed. Currently, they do not have an external
> firewall, but they are going to get one. Right now, I would like some advice
> to stop the installation of these rootkits. The servers are up to date with
> patches and antivirus. They keep getting turned into torrent servers. Any
> advice would be appreciated. As soon as whatever thing the hackers install
> gets taken off the server, it comes back again, usually within an hour. It
> would appear that this is happening to all servers.


Chances are you were tricked into installing a trojan. Do "we" have our
local users in the local admin (or domain admin) groups? Stop being
foolish!!! This alone causes more problems than every other bad habit put
together......

90% or more of rootkits need admin privs to install...

Imhotep
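
Miha's point that only administrators can install a rootkit and Imhotep's
point about ordinary users sitting in the local admin group both come down to
one check: who is actually in Administrators on each server. The script below
is an added example from the editor, not code from anyone in this thread. It
assumes PowerShell 2.0 is installed on the server (it was not shipped with
Windows 2003); the approved-member list is an assumption for illustration.
Miha's caveat applies to this script as much as to antivirus: a rootkit can lie
to it, so run it from a known-clean build, or compare its output against the
group membership recorded when the box was built offline.

```powershell
# Added example (editor's, not from any poster in this thread): enumerate the
# local Administrators group and flag members that are not on an approved list.
# Assumes PowerShell 2.0 on the server; the approved list below is an assumption
# for illustration.
param(
    [string[]]$Approved = @('Administrator', 'Domain Admins'),   # assumed approved members
    [switch]$Remediate                                           # actually remove the rest
)

# Broad groups that should never be granted blanket admin rights on a server.
$BlanketGrants = @('Users', 'Domain Users', 'Authenticated Users', 'Everyone', 'INTERACTIVE')

function Get-LocalAdminMembers {
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; read their properties via reflection.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN-or-MACHINE/name; keep DOMAIN\name and the short name.
        $qualified = ($path -replace '^WinNT://', '') -replace '/', '\'
        $short     = $qualified.Split('\')[-1]
        New-Object PSObject -Property @{
            Name     = $qualified
            Short    = $short
            Class    = $class          # 'User' or 'Group'
            ADsPath  = $path
            Approved = ($Approved -contains $short)
            Blanket  = ($BlanketGrants -contains $short)
        }
    }
}

function Invoke-AdminGroupAudit {
    $members = @(Get-LocalAdminMembers)
    $bad = @($members | Where-Object { (-not $_.Approved) -or $_.Blanket })

    foreach ($m in $members) {
        $tag = if ($m.Blanket) { 'BLANKET GRANT' } elseif ($m.Approved) { 'ok' } else { 'NOT APPROVED' }
        Write-Output ('{0,-14} {1,-6} {2}' -f $tag, $m.Class, $m.Name)
    }

    if ($Remediate) {
        $group = [ADSI]'WinNT://./Administrators,group'
        foreach ($m in $bad) {
            # Removal only changes group membership; the account itself is untouched.
            $group.Remove($m.ADsPath)
            Write-Output ('removed {0}' -f $m.Name)
        }
    }
    return $bad   # a non-empty result means the box fails the check
}

Invoke-AdminGroupAudit
```

Run it without -Remediate first and read the list: a "BLANKET GRANT" line for
Users or Domain Users is exactly the mistake Imhotep describes, and every
"NOT APPROVED" user is an account that can install a kernel driver. Only pass
-Remediate once the approved list reflects what the server really needs, and
then do it through the change control process rather than ad hoc.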

Re: Preventing rootkits from getting installed on servers by Roger

Roger
Sat Nov 12 09:58:10 CST 2005

You mention Windows 2003, so these comments are specific to it, as
it is pretty simple to keep a server clean.
First, you need to do a fresh install, format on up.
During this, install from W2k3 media with SP1 integrated if at all possible,
else disconnect the network until SP1 has been installed.
If you have SP1 integrated, then follow its recommendations and
immediately update the machine while it is under the temporary
cloak of the firewall; otherwise, if you do not have the integrated
media, then after installing SP1 turn on the firewall and go get the
machine updated.
Install the optional SCW (Security Configuration Wizard).
Use the SCW locally if a stand-alone, or, if you have a defined
process for the infrastructure to use SCW, follow that process.
Turn on the firewall and make certain that there are no unnecessary
network exposures. If you need to allow remote management, then
limit the scope of the firewall exposure for this to only the machines
that are necessary.
Define
- password expectations for all accounts able to log into the machine
- an update process / schedule for the machine
- a change control process for altering the services and/or firewall config
- appropriate use for the machine, which includes no non-management
use: no IE, no OE, no Firefox, no Opera, etc. It is a server; it should
serve, not be used as a client system.
With this little bit of effort you can place that box on the open Internet
with no masking by other layers, and its public IPs will get used only as
you have defined for them to be used. If you keep a little awareness as
to whether there are any MS or third-party code vulnerabilities, and you
either patch or take work-around action when such do exist and have
active exploit code in the wild, that machine will stay out there on the
open Internet for a very long time in full health.

"George" <George@discussions.microsoft.com> wrote in message
news:9A297AB8-8BC8-4F0F-984C-30C409FE8FD4@microsoft.com...
> I have been looking into some issues that I have heard about from someone
> running a Windows 2003 server network. It seems that rootkits get installed
> as quickly as they get removed. Currently, they do not have an external
> firewall, but they are going to get one. Right now, I would like some advice
> to stop the installation of these rootkits. The servers are up to date with
> patches and antivirus. They keep getting turned into torrent servers. Any
> advice would be appreciated. As soon as whatever thing the hackers install
> gets taken off the server, it comes back again, usually within an hour. It
> would appear that this is happening to all servers.
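
Miha's build sequence (firewall on before the cable goes in, patch, then relax
only what you must) and Roger's advice to scope remote management to the
machines that need it, and to check for unnecessary network exposures, are one
procedure. The script below is an added example from the editor, not code from
any poster in this thread, written against the Windows Server 2003 SP1
"netsh firewall" syntax (the pre-Vista syntax, not "netsh advfirewall"). It
assumes PowerShell 2.0 on the box; the management-host addresses and the
baseline of expected listening ports are assumptions for illustration and must
be set per server role.

```powershell
# Added example (editor's, not from any poster in this thread). Uses the
# Windows Server 2003 SP1 'netsh firewall' syntax. Assumptions for illustration:
# PowerShell 2.0 on the box, the management-host addresses, and the list of
# ports a member server is expected to have listening.
param(
    [ValidateSet('Build', 'Production', 'Audit')]
    [string]$Stage = 'Audit',
    [string[]]$ManagementHosts = @('10.0.0.5', '10.0.0.6'),   # assumed admin workstations
    [int[]]$ExpectedListeners  = @(135, 139, 445, 3389)       # assumed baseline for this role
)

function Set-BuildFirewall {
    # Offline build: firewall on and *all* exceptions off before the cable goes in,
    # so the box can be patched without anything answering inbound.
    & netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL | Out-Null
}

function Set-ProductionFirewall {
    # Patched box: exceptions back on, but only Remote Desktop, and only from the
    # management hosts (scope=CUSTOM), never from everywhere.
    $scope = $ManagementHosts -join ','
    & netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL | Out-Null
    & netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM "addresses=$scope" profile=ALL | Out-Null
    # No other openings here; further 'set portopening' lines go through change control.
}

function Get-ListeningPorts {
    # 2003 has no Get-NetTCPConnection, so parse 'netstat -ano'. A good rootkit can
    # hide from netstat; treat a clean result as necessary, not sufficient.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $ownerPid = [int]$matches[3]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Address = $matches[1]
                Port    = [int]$matches[2]
                PID     = $ownerPid
                Process = $(if ($proc) { $proc.ProcessName } else { '?' })
            }
        }
    }
}

function Test-NetworkExposure {
    # Anything listening on a non-loopback address that is not in the baseline
    # (a BitTorrent client on 6881-6889, say) is an exposure to explain or kill.
    $unexpected = @(Get-ListeningPorts | Where-Object {
        ($_.Address -notmatch '^(127\.0\.0\.1|\[::1\])$') -and ($ExpectedListeners -notcontains $_.Port)
    })
    foreach ($l in $unexpected) {
        Write-Warning ('unexpected listener {0}:{1} pid {2} ({3})' -f $l.Address, $l.Port, $l.PID, $l.Process)
    }
    # Show what the firewall is actually letting through right now.
    & netsh firewall show state
    return $unexpected
}

switch ($Stage) {
    'Build'      { Set-BuildFirewall }
    'Production' { Set-ProductionFirewall; Test-NetworkExposure }
    'Audit'      { Test-NetworkExposure }
}
```

Use -Stage Build on the freshly formatted, disconnected box, connect and patch,
then -Stage Production once the updates are on; -Stage Audit is the recurring
check. The listening-port baseline only catches what the kernel is willing to
report, which is why the thread's advice to rebuild from a format rather than
clean in place still stands: the firewall and the audit keep a clean box clean,
they do not make a compromised one trustworthy.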



Re: Preventing rootkits from getting installed on servers by Phillip

Phillip
Mon Nov 14 14:51:07 CST 2005

"Imhotep" <Imhotep@nospam.net> wrote in message
news:WPqdndYPnI80jenenZ2dnUVZ_t-dnZ2d@adelphia.com...
> Chances are you were tricked into installing a trojan. Do "we" have our
> local users in the local admin (or domain admin) groups? Stop being
> foolish!!! This alone causes more problems than every other bad habit put
> together......

That would be fine, in a perfect world. But before we can do that, we have to
get developers to write stuff properly so that the applications they write
don't require the user to be a local admin. In specialized industries (like
TV) we don't always have a competing application that we can turn to, or
if there is, it is just as bad. Worse yet, those applications are decided
upon by people who would never ask (and never know to ask) those questions
of the company trying to sell it to them; they are only concerned about whether
it performs whatever "stuff" they want it to do, and whether they can get it
for the price they want.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------




Re: Preventing rootkits from getting installed on servers by Roger

Roger
Fri Nov 18 07:51:49 CST 2005

Perhaps part of the solution is for IT departments to translate
their experience/requirements into a simple set of management
bullet points that are in fact the company's information infrastructure
policy. This would include objectives to meet imposed legal compliance,
ensure corporate exclusivity of proprietary information, etc., and also
include requirements for implementations that might support these,
such as "All software must allow systems to be configured so that the
objectives of this policy are attainable".

It will not stop IT from being forced to make exemptions for the
badly designed application that is dictated as necessary.
It will require an exemption to be made at a high management
level, which will cause future purchases to become better
informed.

Roger
"Phillip Windell" <@.> wrote in message
news:%234M6j0V6FHA.736@TK2MSFTNGP10.phx.gbl...
> "Imhotep" <Imhotep@nospam.net> wrote in message
> news:WPqdndYPnI80jenenZ2dnUVZ_t-dnZ2d@adelphia.com...
>> Chances are you were tricked into installing a trojan. Do "we" have our
>> local users in the local admin (or domain admin) groups? Stop being
>> foolish!!! This alone causes more problems than every other bad habit put
>> together......
>
> That would be fine, in a perfect world. But before we can do that, we have to
> get developers to write stuff properly so that the applications they write
> don't require the user to be a local admin. In specialized industries (like
> TV) we don't always have a competing application that we can turn to, or
> if there is, it is just as bad. Worse yet, those applications are decided
> upon by people who would never ask (and never know to ask) those questions
> of the company trying to sell it to them; they are only concerned about whether
> it performs whatever "stuff" they want it to do, and whether they can get it
> for the price they want.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>
> Microsoft Internet Security & Acceleration Server: Guidance
> http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
> http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.asp
> -----------------------------------------------------
>
>
>