Why Sasser did not infect Windows Server 2003

The Sasser worm took advantage of a defect in logging code within the Local Security Authority Subsystem (LSASS.) The entry point for this functionality is through an RPC interface, which is open by default for all users to access on Windows 2000 and Windows XP. The code existed in Windows Server 2003 prior to the security update (MS04-011, https://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx); however, the Sasser worm did not affect Windows Server 2003!

 

Why?

 

To me, the answer is very important. Some years ago I realized that fixing code is honorable, and nothing is better than writing great code from the get-go. But people are imperfect, and code will be imperfect, so we need to do more than simply create better code, we need extra defenses, “just in case.”

 

And this is where attack surface reduction enters the picture. The RPC interface in question is NOT accessible by anyone on the Internet in Windows Server 2003. Even if the firewall is not turned on, only local administrators can access the RPC endpoint.

 

This is a very important point, attack surface reduction is not just about turning stuff off and shutting things down; it’s also about limiting who can access what by default. In this case, the RPC endpoint is an administrative interface into DCPromo, and it made perfect sense to limit the code to local admins only in Windows Server 2003.

 

SSSOOOoooo…. to attack this code in Windows Server 2003 requires the attacker be a local admin. In others a user with administrative rights seated at the console. Let’s be honest, if you have people attacking systems this way, a bug in DCPromo is the least of your problems!