On April 14, 2017 the Shadow Brokers released another cache of files. This cache of files apparently contains the Windows tools and exploits hinted at in the January 8, 2017 directory listing of files, very few of which were released.
Early reports indicated that the Windows files contained multiple zero day exploits. However, this was later discovered to be incorrect. All Microsoft exploits were either patched or only target unsupported operating systems. It is the latter category that most businesses need to examine.
Windows Server 2003 will never be patched
There will always be 0-days discovered. However, most often these exploits will be patched. Several of the exploits released in the Shadow Brokers dump target Windows Server 2003 over SMB (server message block, Windows file sharing). This means that these servers will be perpetually vulnerable to these remotely exploitable vulnerabilities. Though the reliability of the exploits is not known, one source notes that the one exploit script makes reference to fish in a barrel. We should assess with high confidence that the exploits are reliable.
How prevalent is Windows Server 2003?
Rendition Infosec sees Windows server 2003 machines in practically every penetration test we perform. Many organizations rushed to upgrade away from Windows XP, but paid little attention to migrating away from Windows Server 2003. Though this may have been an acceptable risk before the latest Shadow Brokers dump, this dump changes the facts surrounding that decision. Any risk decision should be reevaluated in light of new data available.
But it’s not just our anecdotal data that shows how many Windows Server 2003 machines are left in the wild. A quick check of Shodan for “IIS/6.0” shows that as of this writing there are 584,293 Windows Server 2003 machines directly connected the Internet. The number inside internal networks is doubtless orders of magnitude higher.
Upgrade legacy Windows Server 2003 or take other action
Any remaining Windows Server 2003 machines should be upgraded immediately. If they can’t be upgraded, they should be removed from domains and placed in a stand alone configuration. They should not share accounts and passwords with other production servers that can actually be patched. Windows Server 2003 machines can be segmented away from the corporate network. Organizations should place strict controls on access to these servers over TCP port 139 and TCP port 445. Jump hosts may be useful in allowing remote management while segmenting the servers.
Enhanced monitoring of your Windows Server 2003 machines is also critical. Just as a cancer patient in remission has more frequent check ups than a regular healthy patient, your Windows Server 2003 machines should receive special attention from your monitoring and threat hunting teams. We’ll stop short of calling Windows Server 2003 a cancer in your network – but just short of that. Whatever analogy you prefer, don’t ignore the fact that your Windows Server 2003 servers will require special care and monitoring. Use IP access control lists on an external device to restrict communications to these servers to only that which is specifically required for critical business functions – and note that this should never include TCP port 139 or TCP port 445.
If you aren’t sure if you have Windows Server 2003 machines in your environment, contact Rendition Infosec for help – we can help you find and secure this and other vulnerabilities in your network. Rendition Infosec works with clients to take the guesswork out of their information security programs, changing “we think we’re secure” to “we know we’re secure.”