Why ‘Sasser’ does not affect Win2003


As you may be aware, a new worm has emerged named, ‘Sasser’, and Windows Server 2003 is not infected. Why? Because the RPC interface, which is accessible to anyone (ie; anonymous) on Windows XP and Win2000, was changed in Win2003 so that it requires a local admin to access. Not a remote admin, a local admin using the server’s keyboard.

Comments (16)

  1. Ilya says:

    Are there any chances to have the same for XP?

  2. Dana Epp's ramblings at the Sanctuary says:

    Michael had a quick blurb on his blog on the fact that with the latest ‘Sasser’ worm, Windows Server 2003 was not infected. Why? As he says, "Because the RPC interface, which is accessible to anyone (ie; anonymous) on Windows XP and Win2000, was changed in Win2003 so that it requires a local admin to access. Not a remote admin, a local admin using the server’s keyboard." Here is where Microsoft’s change in stance in applying infosec principles to the design, defaults and deployment of their operating systems start to show real benefits. The rule of least privilege applies a harness to the RPC interface and lessens the attack surface by explicitly knowing the difference between local and remote admins and confining the abilities of such foreign bodies of code. In this way, attack patterns built into Sasser are useless against Microsoft’s latest OS. This is where their policy of "Secure by Default" limits new unknown attack vector such as this. Are we beginning to see a change? Time will only tell….

  3. Michael Howard says:

    For XPSP2 we’ve done a number of things, all in the interest of reducing attack surface. First, RPC endpoints require authentication, and because the firewall is on by default you can’t get to the ports anyway. Next we simply removed that code from LSASS in XPSP2!

  4. Ilya says:

    Thanks. It’s great to see such SP2 features indeed.

  5. Michael Howard has a blurb on why the Sasser worm does not affect Windows Server 2003. This is because Microsoft made a change to the RPC interface that requires local admin access instead of remote admin….

  6. Anonymous says:

    If security to you means removing bloated features that should have never been implemented, that’s saying a lot!

  7. Michael Howard says:

    There’s a little bit more than removing code!

  8. Lots of efforts of everyone involved, right?

    Not only removing peaces/hardening the defaults there are much more of challenges, you know. I think Microsoft is now proactively taking actions to make things secure.

    Microsoft is now hearing what we are saying in all aspects. It is not limited to security, though.

    If you have opinions write down in newsgroups, blogs, and so on. They are looking and taking our feedbacks. Or, pls rely on us MVPs. Pls tell us. 😉

    Well, another thing which I want to express that is more important is that security is not an independent piece of puzzles of computer system, but a component (which should be )integrated into design, dev, deploy, management, support, and all the other scenes of computer life in general.

    Microsoft is a software vendor and they are doing what they are expected to do, acting proactively. I mean this applies to Michael and people around security within Microsoft.

    I am looking forward to seeing more of the results of their effort in the future. 😉