Ah no. In fact that is absolutely incorrect to the nth decimal place.
This has been coming up a lot lately and I have been fielding quite a few questions on it.
Plain and simple, if you have a Windows Server 2003 RTM Server and you have not disabled the DNS RPC Management Interface you are in immediate danger of being DOS’ed or being hacked. The code is out there. There is no patch for it for you. I blew up the DNS Service on a Windows Server 2003 RTM box about 15 times in a row today just to authoritatively prove it out. If I had the right offset values, I would be able to execute a remote shell as localsystem.
So what are the arguments that make you feel you are safe with Windows Server 2003 RTM?
1. I ran Shavlik and it didn’t say there was any patches needed on my Windows Server 2003 RTM Server. It must be safe!
1A: NO, you aren’t safe. This is very simple, Shavlik doesn’t do a security test of your machine, it does a patch list check. It looks at what MSFT has available for your machine and looks at what is installed on your machine, any delta is highlighted as something that needs to be installed.
2. I looked at the TSB (Technical Security Bulletin) and it does not mention Windows Server 2003 RTM in the affected software category. It must be safe!
2A: NO, you aren’t safe… Correct, it isn’t mentioned in the affected software category. That category looks like:
Affected Software:
• Microsoft Windows 2000 Server Service Pack 4 — Download the update
• Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 Service Pack 2 — Download the update
• Microsoft Windows Server 2003 with SP1 for Itanium-based Systems and Microsoft Windows Server 2003 with SP2 for Itanium-based Systems — Download the update
• Microsoft Windows Server 2003 x64 Edition Service Pack 1 and Microsoft Windows Server 2003 x64 Edition Service Pack 2 — Download the update
However you also need to look at the Non-Affected Software category as well. It looks like:
Non-Affected Software:
• Microsoft Windows 2000 Professional Service Pack 4
• Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition and Microsoft Windows XP Professional x64 Edition Service Pack 2
• Windows Vista
• Windows Vista x64 Edition
What don’t you see in the non-affected software list? You don’t see Windows Server 2003 RTM…. It isn’t specified on either list… There is a very simple reason.
Both 1 and 2 are related to the fact that Windows Server 2003 RTM went out of support on April 10, 2007. Yes, exactly one month ago. That means you will no longer see any hotfixes for that version of Windows. Period. Your option is to load either Service Pack 1 or Service Pack 2. Service Pack 1 will be supported until April 14, 2009. For a list of all support dates, check out http://support.microsoft.com/gp/lifesupsps#Windows
Something that confuses people is that Windows Server 2003 RTM is unsupported but Windows 2000 Server SP4 is supported. They think, hey Windows 2000 is older, if that is supported, obviously Windows Server 2003 RTM is supported. That isn’t how it works. I am not going to explain Microsoft Software Lifecycle policy but just trust me, it doesn’t work that way.
So if you take anything away from this blog post take these three things….
1. Windows Server 2003 RTM is NOT safe from the DNS Management RPC Interface Exploit.
2. Shavlik doesn’t do a security check, it does a patch check. If a patch doesn’t exist for your version of Windows, you won’t be told you need to patch that issue. Since Windows Server 2003 RTM is no longer supported, you should see no more patches listed as needed for it in Shavlik once you patch up to last months patch batch.
3. The Microsoft KBs do not specifically mention Software that is out of support. If you don’t see it, don’t assume that means you aren’t at risk.
