Windows 2000 Server was installed on a Dell 8100. Windows 2000 Server was installed as a “Stand Alone” server and no additional options were added or removed during or after the install. This security patch added some improvement, but the administrator will have to take additional action to secure this system in NESSUS’s eyes. The Security Patch was released in January 2002, and can be found at Microsoft’s site or by clicking here. The security patch removed one Hole and one warning. Nessus reported the following:

Nessus Scan Report

--------------------------------------------------------------------------------

Number of security holes found : 3
Number of security warnings found : 10
Number of security notes found : 6

--------------------------------------------------------------------------------

10.10.1.1 :

List of open ports :

smtp (25/tcp) (Security notes found)
domain (53/tcp)
http (80/tcp) (Security hole found)
kerberos (88/tcp)
unknown (135/tcp)
netbios-ssn (139/tcp) (Security hole found)
ldap (389/tcp)
https (443/tcp)
microsoft-ds (445/tcp)
kpasswd (464/tcp)
unknown (593/tcp)
ldaps (636/tcp)
unknown (1026/tcp)
unknown (1029/tcp)
unknown (1057/tcp)
unknown (1063/tcp)
unknown (1074/tcp)
unknown (1079/tcp)
unknown (1081/tcp)
unknown (1095/tcp)
unknown (1096/tcp)
unknown (1097/tcp)
unknown (3268/tcp)
unknown (3269/tcp)
unknown (3372/tcp)
unknown (9490/tcp) (Security warnings found)
general/tcp (Security warnings found)
netbios-ns (137/udp) (Security warnings found)
general/udp (Security notes found)
general/icmp (Security warnings found)
bootps (67/udp) (Security notes found)

Information found on port smtp (25/tcp)

Remote SMTP server banner :
test-hfffhv9qds.headquarters.local Microsoft ESMTP MAIL Service, Version: 5.0.2195.4453 ready at Tue, 5 Feb 2002 22:31:32 -0800
214-This server supports the following commands:214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ATRN ETRN BDAT VRFY

[ back to the list of ports ]

Vulnerability found on port http (80/tcp)

The CGI /scripts/tools/newdsn.exe is present.

This CGI allows any attacker to create files
anywhere on your system if your NTFS permissions
are not tight enough, and can be used to overwrite
DSNs of existing dabases.

Solution : Remove newdsn.exe
Risk factor : High
CVE : CVE-1999-0191

[ back to the list of ports ]

Vulnerability found on port http (80/tcp)

The CGI /scripts/tools/mkilog.exe is present.

This CGI allows an attacker to view and modify SQL database
contents.

Solution : Remove it
Risk factor : Serious

[ back to the list of ports ]

Warning found on port http (80/tcp)

The IIS server appears to have the .IDA ISAPI filter mapped.

At least one remote vulnerability has been discovered for the .IDA (indexing
service) filter. This is detailed in Microsoft Advisory MS01-033, and gives
remote SYSTEM level access to the web server.

It is recommended that even if you have patched this vulnerability that you
unmap the .IDA extension, and any other unused ISAPI extensions if they are
not required for the operation of your site.

Solution:
To unmap the .IDA extension:
1.Open Internet Services Manager.
2.Right-click the Web server, and choose Properties from the context menu.
3.Master Properties
4.Select WWW Service | Edit | HomeDirectory | Configuration
and remove the reference to .ida from the list.

Risk Factor: Medium

[ back to the list of ports ]

Warning found on port http (80/tcp)

IIS 5 has support for the Internet Printing Protocol(IPP), which is
enabled in a default install. The protocol is implemented in IIS5 as an
ISAPI extension. At least one security problem (a buffer overflow)
has been found with that extension in the past, so we recommand
you disable it if you do not use this functionality.

Solution:
To unmap the .printer extension:
1.Open Internet Services Manager.
2.Right-click the Web server, and choose Properties from the context menu.
3.Master Properties
4.Select WWW Service | Edit | HomeDirectory | Configuration
and remove the reference to .printer from the list.

Risk Factor: Low

[ back to the list of ports ]

Warning found on port http (80/tcp)

The remote web server appears to be running with
Frontpage extensions.

You should double check the configuration since
a lot of security problems have been found with
FrontPage when the configuration file is
not well set up.

Risk factor : High if your configuration file is
not well set up
CVE : CVE-1999-0386

[ back to the list of ports ]

Information found on port http (80/tcp)

The remote web server type is :
Microsoft-IIS/5.0

We recommend that you configure your web server to return
bogus versions, so that it makes the cracker job more difficult

[ back to the list of ports ]

Vulnerability found on port netbios-ssn (139/tcp)

. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access

. All the smb tests will be done as ''/''

[ back to the list of ports ]

Warning found on port netbios-ssn (139/tcp)

Here is the browse list of the remote host :

TEST-HFFFHV9Q -

This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for

Solution : filter incoming traffic to this port
Risk factor : Low

[ back to the list of ports ]

Warning found on port netbios-ssn (139/tcp)

The host SID can be obtained remotely. Its value is :

HEADQUARTERS : 5-21-2000478354-789336058-839522115

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139
Risk factor : Low

[ back to the list of ports ]

Warning found on port unknown (9490/tcp)

a web server is running on this port

[ back to the list of ports ]

Warning found on port unknown (9490/tcp)

It seems that it's possible to disclose fragments
of source code of your web applications which
should otherwise be inaccessible. This is done by
appending +.htr to a request for a known .asp (or
.asa, .ini, etc) file.

Solution : install patches from Microsoft (see MS00-044)
Risk factor: Serious
CVE : CVE-2000-0630

[ back to the list of ports ]

Information found on port unknown (9490/tcp)

The remote web server type is :
Microsoft-IIS/5.0

We recommend that you configure your web server to return
bogus versions, so that it makes the cracker job more difficult

[ back to the list of ports ]

Warning found on port general/tcp

The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.

An attacker may use this feature to determine if the remote
host sent a packet in reply to another request. This may be
used for portscanning and other things.

Solution : Contact your vendor for a patch
Risk factor : Low

[ back to the list of ports ]

Information found on port general/tcp

Nmap found that this host is running Windows Me or Windows 2000 RC1 through final release, Windows Millenium Edition v4.90.3000

[ back to the list of ports ]

Warning found on port netbios-ns (137/udp)

. The following 12 NetBIOS names have been gathered :
TEST-HFFFHV9QDS = This is the computer name registered for workstation services by a WINS client.
TEST-HFFFHV9QDS
HEADQUARTERS = Workgroup / Domain name
HEADQUARTERS = Workgroup / Domain name (Domain Controller)
HEADQUARTERS
TEST-HFFFHV9QDS = Computer name that is registered for the messenger service on a computer that is a WINS client.
HEADQUARTERS = Workgroup / Domain name (part of the Browser elections)
ADMINISTRATOR = Computer name that is registered for the messenger service on a computer that is a WINS client.
INet~Services = Workgroup / Domain name (Domain Controller)
HEADQUARTERS
IS~ST-HFFFHV9QD
__MSBROWSE__
. The remote host has the following MAC address on its adapter :
0x00 0xb0 0xd0 0xe6 0xc4 0x01

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium

[ back to the list of ports ]

Information found on port general/udp

For your information, here is the traceroute to 10.10.1.1 :
10.10.1.1

[ back to the list of ports ]

Warning found on port general/icmp

The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.

This may help him to defeat all your
time based authentifications protocols.

Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524

[ back to the list of ports ]

Information found on port bootps (67/udp)

Here is the information we could gather from the remote DHCP
server. This allows an attacker on your local network to gain
information about it easily :

Master DHCP server of this network : 10.10.1.1
IP address the DHCP server would attribute us : 10.0.0.3
netmask = 255.0.0.0
DHCP server(s) identifier = 10.10.1.1
domain name server(s) = 10.10.1.1
domain name = headquarters.local

Solution : remove the options that are not in use in your DHCP server
Risk factor : Low