Windows 2003 officially went EOL (end of life) in July 2015; this is not exactly news. If your organisation still operates Windows 2003, we would recommend you lock it up and enforce strict visitation rights.
What was interesting, and perhaps drove home the stark reality of the EOL announcement, was the subsequent Microsoft software patch release. In that month alone, Microsoft issued 14 different bulletins covering a total of 58 different vulnerabilities. These updates addressed critical faults in Windows Server, Windows desktop versions and Internet Explorer versions 7 through 11. Worse, the vulnerabilities were already being used in the wild by attackers to gain entry or to install malware onto systems, and Microsoft recommended patching systems immediately. The release also addressed flaws in SQL Server and Microsoft Office; not necessarily critical, but important all the same.
Many of the patches were triggered by a hack against the Italian security company Hacking Team. Hacking Team's asset (for want of a better word) was that it had in its possession a number of exploits against Microsoft products that enabled it to execute code on, or gain remote access to, its targets. Having been hacked, its previously secret attack vectors were divulged for every man and his dog to see. The outcome: other hackers and malware authors have new exploitation avenues.
In particular, MS15-065 is a nasty vulnerability in Internet Explorer. To put this in perspective, an unpatched system could be vulnerable to a drive-by attack that allows remote code execution on your systems. Again, if a user browsed to a website hosting crafted code, or to a compromised website containing crafted code, they could be infected. Antivirus, web filtering and suchlike could make no difference.
We previously discussed security topics such as Next Generation Firewalls, IPS, Endpoint Protection and Advanced Threat Protection, otherwise known as Sandboxing. These technologies are designed to identify, diagnose and prevent potential attacks against enterprise systems. In the case of MS15-065, these solutions (IPS, Application Whitelisting, Sandboxing, IP Reputation, Web Filtering) would go some way to preventing these zero-day type attacks. A defence in depth strategy, combined with a least privilege approach to security, is the best way to secure against these attacks. Only allow whitelisted executables and whitelisted websites, and enforce network segmentation; at least with this approach, if there is a breach, you can contain it.
What about Windows 2003?
Well, this is the pertinent section of this article. Of the 14 critical bulletins, nine impacted Windows 2003, including the critical MS15-066. As before, someone on Windows 2003 who browses to a malicious website could be infected. Simple. Fortunately the patch addresses the vulnerability and you are safe, but that is where it stops: after July 2015, Microsoft no longer issues patches for Windows 2003.
- If you continue to run Windows 2003 you need to acknowledge that this is dangerous and almost negligent given the risk it poses to your business.
- Future patches for Windows 2008 or 2012 may allow attackers to infer or reverse-engineer prior vulnerabilities in Windows 2003, providing a solid pipeline of exploits going forward (and making Windows 2003 a bigger target).
Lock him up!
Our advice for anyone running Windows 2003 is based on the principles of running a prison/jail.
1 – Update
This is obvious, but it needs to be at number 1: apply every patch that was released before support ended.
2 – Build big walls, cells and high security fences
Much like a prison, this is about containment and segmentation. Keep him away from the public and other residents. In the IT world, this translates to network segmentation, isolation and a strict security policy. No exercise, no public outings, no fresh air and no visits to the country. Windows 2003 should be locked in a corner of your network, hidden away from the internet. This could take the form of an internal network firewall or enforced network segmentation on your routers/switches.
3 – Shackles
Once Windows 2003 is safely hidden in the depths of your network, protected from the outside world, you need to tie him down. This could consist of endpoint protection or application control that enforces the concept of least privilege. You define exactly what Windows 2003 can do, what it can launch and what applications it can run, also known as explicit whitelisting. He can breathe, walk, eat and drink, but nothing else. If he tries, you will know.
4 – Food parcels prohibited, but possible
No one from the outside world is permitted to give him any parcels (or payloads); the policies in 2 and 3 prevent that. However, if it is a requirement, your guards should open the parcel, try the food and see what happens (a bit crude, but effective). If they die or exhibit strange behaviour, clearly it's bad. In the infosec world, this would be a Sandboxing solution with payload analysis. Any files, applications or code that are required to run on Windows 2003 can first be tested in a Sandbox environment.
5 – Surveillance
Like most prisons, CCTV cameras and other detection equipment will be deployed around the prison. If he moves out of his cell or someone tries to visit his cell, the guards know and prevent it. The controls in 2, 3 and 4 can play a part. Surveillance will allow you to spot any attempted attacks or those already in progress (which is better than not knowing). This does not always work (as El Chapo shows), but it is part of a layered defence. In the IT world, surveillance is DLP (Data Leak Protection) and IPS (Intrusion Prevention System). These systems can identify anomalous behaviour, whether that be due to payload, IP reputation or other characteristics.
6 – Cryogenics
If all else fails, freeze him. Cryogenics allows you to freeze an object for use in the future (so the sci-fi people say). If your data is infrequently accessed and is only there for regulatory use, virtualise it. Convert it to a virtual machine and archive it to disk. If you need to "fire it up", do so in a self-contained virtual environment using VMware or Hyper-V.
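Steps 2 and 3 boil down to a default-deny cell with a very short whitelist of flows, and the easiest way to get that wrong is rule ordering. The following is an added example (not from the original article or MTG) that audits a constructed firewall ruleset for the cell: all addresses, the rule syntax and the probe list are assumptions made up for the example.

```python
import ipaddress

def parse_ruleset(text):
    """Parse 'action src -> dst port' lines into (action, src_net, dst_net, port); '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            action, src, _arrow, dst, port = line.split()
            rules.append((action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if port == "any" else int(port)))
    return rules

def first_match(rules, src_ip, dst_ip, dport):
    """First-match evaluation with an implicit default deny, as most firewalls do."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net, port in rules:
        if s in src_net and d in dst_net and port in (None, dport):
            return action
    return "deny"

def audit(rules, probes):
    """One finding per probe whose verdict differs from what the cell policy requires."""
    return [f"{s} -> {d}:{p} is {first_match(rules, s, d, p)}, policy requires {want}"
            for s, d, p, want in probes if first_match(rules, s, d, p) != want]

# Constructed ruleset with a deliberate mistake: the broad outbound-443 rule sits
# above the cell's deny rules, so it quietly lets the cell reach the web.
RULESET = """
allow 10.1.0.5/32  -> 10.9.0.0/24  3389  # jump host may RDP into the cell (10.9.0.0/24)
allow 10.9.0.0/24  -> 10.1.0.10/32 53    # cell may use the internal DNS server
allow 10.0.0.0/8   -> 0.0.0.0/0    443   # general outbound web rule, too broad
deny  10.9.0.0/24  -> 0.0.0.0/0    any   # cell: no other outbound
deny  0.0.0.0/0    -> 10.9.0.0/24  any   # cell: no other inbound
allow 10.0.0.0/8   -> 0.0.0.0/0    any   # everyone else may go out
"""
RULES = parse_ruleset(RULESET)

# Constructed probes: (src, dst, port, verdict the cell policy requires)
PROBES = [
    ("10.9.0.20", "203.0.113.10", 443, "deny"),   # cell -> web: the drive-by path
    ("10.9.0.20", "10.1.0.10", 53, "allow"),      # the one permitted outbound flow
    ("10.1.0.5", "10.9.0.20", 3389, "allow"),     # the one permitted visitor
    ("10.1.0.50", "10.9.0.20", 3389, "deny"),     # user LAN may not visit
    ("10.1.0.50", "10.9.0.20", 443, "deny"),
]

if __name__ == "__main__":
    for finding in audit(RULES, PROBES):
        print("FINDING:", finding)
```

Running it reports two findings, both caused by the misplaced 443 rule: the cell can reach the web, and any host on the user LAN can reach the cell on 443. Moving that rule below the two cell deny rules clears both.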
Advice and Post-2003 solutions
If your organisation or enterprise needs assistance or advice on how to continue to secure the remnants of its Windows 2003 infrastructure, or if you need to upgrade(!), you should get in touch. The team at MTG can facilitate the upgrade or, if that's not possible (or if you need a quick fix), we can implement a range of controls that help contain the risky platform.