December 18, 2003
Intruder Alert 3.6 Microsoft Windows SANS Policies

These policies detect issues for Microsoft Windows 2000 and NT that are on the SANS Top 20 list.

The SANS Institute and the FBI have compiled a list of the most commonly exploited vulnerabilities that affect Microsoft Windows platforms. This list assists administrators in prioritizing repairs to systems that may be vulnerable to attacks. The original list is available on the SANS Institute web site.

Download Intruder Alert Policies

Download ITA W2K_SANS Policy
Download ITA WinNT_SANS Policy

Affected Platforms

Windows 2000
Windows NT

W2K_SANS Policy

This policy contains rules that detect Microsoft Windows 2000 issues from the SANS Top 20 list.

Policy Rules include:

  • IIS_Printer_ISAPI_Extension_BO
    This rule detects an attempted buffer overflow to the Internet Printing ISAPI extension.

  • IIS_ASP_SourceCode
    This rule detects a request to view ASP source code on an Internet Information Server (IIS) system. ASP requests with "::$DATA" appended can return the source code if permissions are improperly set on the shared web directory.

  • MSSQL_Service_Object_Changed
    This rule detects changes to the Microsoft SQL Server service start object in the registry. Incorrectly set default permissions on these keys can allow an attacker to change the credentials used when starting the SQL Server (7.0 and 2000).

  • LMHash_Storing_Enabled
    This rule detects changes to the Windows registry that enable the storing of LM Hashes. It is recommended that customers disable the caching of LM Hashes on Microsoft Windows Systems.

  • VBScript_Script_File_Changed
    This rule detects changes to the "\HKEY_CLASSES_ROOT\.VBS" key. Most email-based viruses are written in VBScript, a scripting language used to automate tasks without user intervention.

  • Remote_Registry_Access_Change
    This rule detects changes to the registry that may allow unauthorized users to connect and modify the Windows registry remotely. The values stored under the 'HKLM\CurrentControlSet\Control\SecurePipeServers\winreg' hive control remote access.

  • HTTP_Administration_Recon
    This rule detects any HTTP request that attempts to use the sample applications included with Internet Information Server (IIS). It is recommended that these samples be removed, as many known vulnerabilities are associated with them.

  • HTTP_Configuration_Recon
    This rule detects any HTTP requests which attempt to retrieve configuration files from the remote system. These configuration files may provide the attacker with additional information to further penetrate the system.

WinNT_SANS Policy

This policy contains rules that detect Microsoft Windows NT issues from the SANS Top 20 list.

Policy Rules include:

  • HTTP_Configuration_Recon
    This rule detects any HTTP requests which attempt to retrieve configuration files from the remote system. These configuration files may provide the attacker with additional information to further penetrate the system.

  • HTTP_Administration_Recon
    This rule detects any HTTP request that attempts to use the sample applications included with Internet Information Server (IIS). It is recommended that these samples be removed, as many known vulnerabilities are associated with them.

  • Remote_Registry_Access_Change
    This rule detects changes to the registry that may allow unauthorized users to connect and modify the Windows registry remotely. The values stored under the 'HKLM\CurrentControlSet\Control\SecurePipeServers\winreg' hive control remote access.

  • VBScript_Script_File_Changed
    This rule detects changes to the "\HKEY_CLASSES_ROOT\.VBS" key. Most email-based viruses are written in VBScript, a scripting language used to automate tasks without user intervention.

  • Newdsn_File_Creation
    This rule detects the use of the newdsn sample application that is included with Microsoft Internet Information Server (IIS) 3.0. With a properly formatted request, an attacker can overwrite files on the victim system.

  • Showcode_ASP_FileAccess
    This rule detects an attempt to use the showcode.asp file to view possibly sensitive files on the victim machine. Showcode.asp is a sample file that is included in a default installation of Microsoft Internet Information Server (IIS) 4.0.

  • IIS_ASP_SourceCode
    This rule detects a request to view ASP source code on an Internet Information Server (IIS) system. ASP requests with "::$DATA" appended can return the source code if permissions are improperly set on the shared web directory.

  • IIS_ISM_Authentication
    This rule detects a request to ISM.DLL, an artifact from an upgrade to Internet Information Server (IIS) 4.0 from versions 2.0 or 3.0. The file ISM.DLL in the /iisadmin folder is no longer used for IIS 4.0 administration and can be removed.

  • IIS_MDAC_RDS_RemoteAccess
    This rule detects a successful request to the MDAC RDS service. MDAC RDS allows remote data access without user authentication and can be abused to run arbitrary commands on the target system.

  • MSSQL_Weak_Password_Storage
    This rule detects a Microsoft SQL Server password being written to the registry. Passwords are weakly encrypted by MSSQL 7.0 and stored in plain text by MSSQL 6.5. It is recommended that the 'Always prompt for login name and password' option be enabled.

  • MSSQL_Service_Object_Changed
    This rule detects changes to the Microsoft SQL Server service start object in the registry. Incorrectly set default permissions on these keys can allow an attacker to change the credentials used when starting the SQL Server (7.0 and 2000).
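As an added example (not part of the original page or of the Intruder Alert product), the HTTP-based rules shared by the two policies above expressed as checks over constructed IIS W3C log lines; the ::$DATA, showcode.asp, newdsn and /iisadmin/ism.dll patterns follow the rule descriptions, while the /iissamples/ prefix and the configuration-file extensions are assumptions.

```python
import re
# One pattern per HTTP rule named in the policies, applied to the request
# path (cs-uri-stem). The ::$DATA, showcode.asp, newdsn and /iisadmin/ism.dll
# patterns follow the rule descriptions; the /iissamples/ prefix and the
# configuration-file extensions are assumptions made for this example.
RULES = {
    "IIS_ASP_SourceCode": re.compile(r"::\$DATA", re.I),
    "Showcode_ASP_FileAccess": re.compile(r"/showcode\.asp$", re.I),
    "Newdsn_File_Creation": re.compile(r"/newdsn", re.I),
    "IIS_ISM_Authentication": re.compile(r"/iisadmin/ism\.dll$", re.I),
    "HTTP_Administration_Recon": re.compile(r"^/iissamples/", re.I),   # assumed
    "HTTP_Configuration_Recon": re.compile(r"\.(ini|cfg|conf)$", re.I),  # assumed
}

# Constructed IIS W3C-style log lines (date time c-ip cs-method cs-uri-stem sc-status).
SAMPLE_LOG = """\
2003-12-18 20:49:10 10.0.0.5 GET /default.asp 200
2003-12-18 20:49:11 10.0.0.7 GET /login.asp::$DATA 200
2003-12-18 20:49:12 10.0.0.7 GET /iissamples/exair/howitworks/showcode.asp 200
2003-12-18 20:49:13 10.0.0.7 GET /scripts/tools/newdsn.exe 200
2003-12-18 20:49:14 10.0.0.9 GET /iisadmin/ism.dll 401
2003-12-18 20:49:15 10.0.0.9 GET /web.ini 404
2003-12-18 20:49:16 10.0.0.5 GET /images/logo.gif 200
"""

def parse_line(line):
    """Split one log line into its fields; return None for headers or short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 6:
        return None
    return {"time": parts[0] + " " + parts[1], "client": parts[2],
            "method": parts[3], "path": parts[4], "status": parts[5]}

def scan_log(text):
    """One finding per (rule, request); a request may match several rules."""
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        for rule, pattern in RULES.items():
            if pattern.search(entry["path"]):
                findings.append(dict(entry, rule=rule))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['rule']}: {f['method']} {f['path']} -> {f['status']}")
```

Note that the showcode.asp request under /iissamples/ triggers both the specific Showcode_ASP_FileAccess rule and the generic HTTP_Administration_Recon rule, which is the expected overlap between the two policies' rule sets.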


Last modified on: Thursday, 18-Dec-03 20:49:10