Why 'Sasser' does not affect Win2003

Why 'Sasser' does not affect Win2003.

Michael had a quick blurb on his blog on the fact that with the latest 'Sasser' worm, Windows Server 2003 was not infected. Why? As he says, “Because the RPC interface, which is accessible to anyone (ie; anonymous) on Windows XP and Win2000, was changed in Win2003 so that it requires a local admin to access. Not a remote admin, a local admin using the server's keyboard.”

Here is where Microsoft's change in stance in applying infosec principles to the design, defaults and deployment of their operating systems start to show real benefits. The rule of least privilege applies a harness to the RPC interface and lessens the attack surface by explicitly knowing the difference between local and remote admins and confining the abilities of such foreign bodies of code. In this way, attack patterns built into Sasser are useless against Microsoft's latest OS. This is where their policy of “Secure by Default” limits new unknown attack vector such as this.

Are we beginning to see a change? Time will only tell. [Dana Epp's ramblings at the Sanctuary]

Leave a comment