I should have been more clear [comments about nit-picky bit-heads, removed]. Win2K Active Directory clients run some parts of IIS, in order to support Active Directory, even if you never installed IIS explicitly. Especially, there is some serious LDAP/IIS integration here.

Note the option to share a directory on the web, how do you think that happens? Also note that users very often don't understand the difference between SMB file sharing and Web Sharing, and Win2K goes to great lengths to obfuscate those two anyway.

Win2K is a major re-write of the Domain Controller and its clients. Expect large bugs, roaches the size of small dogs. MSFT [lack of] design QA is well known. If you've never built large software systems, you'd not know that you can integration-test the hell out of one [large software system] and still never catch design flaws because it all meets specification. It is the specifications that are wrong. The exploit that CodeRed uses is a classic example. The only thing that works there is remorseless/ruthless high-level architectural peer review. MSFT doesn't do those. They replace that process with a bazillion integration testers.

-----Original Message-----
From: Tim Devries [mailto:Tim.Devries@Q9.com]
Sent: Friday, August 10, 2001 8:23 AM
To: 'Roeland Meyer'; 'up@3.am'; nanog@merit.edu
Subject: RE: Code Red 2 cleanup; reporting..

-----Original Message-----
From: Roeland Meyer [mailto:rmeyer@mhsc.com]
Sent: Friday, August 10, 2001 11:22 AM
To: 'up@3.am'; nanog@merit.edu
Subject: RE: Code Red 2 cleanup; reporting..
From: up@3.am [mailto:up@3.am] Sent: Friday, August 10, 2001 8:09 AM
On Fri, 10 Aug 2001, Roeland Meyer wrote:
Win2K boxen are ALWAYS running IIS. It doesn't matter whether you have Pro or Server. ALL Win2K systems need to run the patch. MSFT chose to integrate much of the IIS stuff into DLLs with other system critical stuff. As a result, IIS can't be completely removed without killing off other critical functions. Yes, what they proved in court is even more true with Win2K than with Win98 (Duh! MSFT didn't lie, but they didn't tell the whole truth either). WinXP is even more in that direction, from all reports.
I admit to knowing very little about Win2k, but on the only box I've installed Win2k on, it doesn't *appear* to be running:
Port    State     Protocol  Service
135     open      tcp       loc-srv
139     filtered  tcp       netbios-ssn
445     open      tcp       microsoft-ds
1025    open      tcp       list
...unless it runs on one of those 3 other open ports? This was Win2k Client, not server, BTW...perhaps you mean every Win2k Server?

Win2k professional can run IIS. Go to add remove programs --> add/remove windows components --> IIS. You probably did not select the component on the install. So I guess that means that not every w2k box is vulnerable.

Tim
Note the option to share a directory on the web, how do you think that happens? Also note that, users very often don't understand the difference between SMB file sharing and Web Sharing and Win2K goes to great lengths to obfuscate those two anyway.
This particular example implies that file-and-print sharing has to be installed. This is off by default for my boxes. Other ways to get it installed are to run the IIS service, the FTP service, or one of the other related services (SMTP, NNTP). IOW, it's not installed without installing one of the related services.

I've got several Win2k Pro boxes and none of them have IIS running. They do have the program in the ServicePackFiles directory, but it's not installed or running.

You can find out if it's running by looking for inetinfo.exe (the IIS proggy) in the services tab in taskmgr.exe. You can find out if it's installed by searching for inetinfo.exe on your hard drive.

---
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
"Eric A. Hall" <ehall@ehsco.com> writes:
You can find out if it's running by looking for inetinfo.exe (the IIS proggy) in the services tab in taskmgr.exe. You can find out if it's installed by searching for inetinfo.exe on your hard drive.
Eric,

Where would it be installed? How big would it be? I checked my W2k box and it isn't running - nor have I ever seen it running - but it is found on my hard drive:

D:\WINNT\system32\dllcache\inetinfo.exe
D:\WINNT\$NtServicePackUninstall$\inetinfo.exe
D:\WINNT\ServicePackFiles\i386\inetinfo.exe

They're all 15 KB...

-jon
--
------------------
Jon Allen Boone
tex@delamancha.org
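Added example (not part of the thread or any participant's message): a Python triage of the check discussed above, separating service-pack and file-protection copies of inetinfo.exe from an actual install or a running process. The `inetsrv` install directory is an assumption about the IIS 5 default layout that the thread does not state, and the process list is constructed.

```python
import ntpath

# Directory names taken from the listing in the thread: these hold backup or
# service-pack copies of system files, not an installed IIS.
CACHE_DIRS = {"dllcache", "$ntservicepackuninstall$", "servicepackfiles"}
# Assumption (not stated in the thread): the IIS 5 default install directory.
INSTALL_DIR = "inetsrv"
TARGET = "inetinfo.exe"


def classify_path(path):
    """Return 'cache', 'installed', 'other', or 'ignore' for one search hit."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
    if not parts or parts[-1] != TARGET:
        return "ignore"  # not an inetinfo.exe hit at all
    dirs = parts[:-1]
    if any(d in CACHE_DIRS for d in dirs):
        return "cache"
    if dirs and dirs[-1] == INSTALL_DIR:
        return "installed"
    return "other"


def iis_state(found_paths, running_images):
    """Combine file-search hits and a process list into one verdict."""
    if any(ntpath.basename(i).lower() == TARGET for i in running_images):
        return "running"
    kinds = {classify_path(p) for p in found_paths}
    if "installed" in kinds:
        return "installed, not running"
    if "other" in kinds:
        return "unknown copy, inspect manually"
    if "cache" in kinds:
        return "cached copies only"
    return "absent"


# Search hits quoted in the thread, plus a constructed process list.
THREAD_HITS = [
    r"D:\WINNT\system32\dllcache\inetinfo.exe",
    r"D:\WINNT\$NtServicePackUninstall$\inetinfo.exe",
    r"D:\WINNT\ServicePackFiles\i386\inetinfo.exe",
]
CONSTRUCTED_PROCESSES = ["System", "smss.exe", "services.exe", "explorer.exe"]

if __name__ == "__main__":
    print(iis_state(THREAD_HITS, CONSTRUCTED_PROCESSES))
```

A "cached copies only" verdict reflects file presence and the process list at one point in time; it does not show whether the component was installed and removed earlier.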