BlueKeep and Windows 2000 Server (Win2K)
Richard Wadsworth
ISO 22301\27001A Scrum SFPC, SDPC, SPOPC, SMPC, SSPC, USFC, CDSPC, KEPC KIKF, SPLPC, DEPC, DCPC, DFPC, DTPC, IMPC, CSFPC, CEHPC, SDLPC, HDPC, C3SA, CTIA, CSI Linux (CSIL-CI\CCFI), GAIPC, CAIPC, CAIEPC, AIRMPC, BCPC
Because there are so many companies still out there running very old hardware, or that have moved old systems to run on a VM infrastructure, I decided to build a VM lab, partly to help me learn how to use OpenVAS (which is a very intuitive piece of software, by the way).
With all the news surrounding the BlueKeep exploit, I deployed a Windows 2000 server (Win2K) to do some tests. Although Win2K is reportedly affected by BlueKeep, Microsoft have decided not to release a patch.
Instead they have released a patch for XP SP3, Win2K3 SP2, Vista, 2008 & 2008 R2 and Win7. But there are many systems running much older operating systems.
By default, Win2K Server does not have Remote Desktop (called Terminal Services in Win2K) installed, so there is a chance you have mitigated the BlueKeep exploit already by doing nothing.
Before we go on: BlueKeep does not affect Win2K workstation, as remote desktop didn’t come in for the desktop versions of Windows until Win XP. Before that you had to use something like VNC, Dameware or similar. Remember pcAnywhere?
Back to the servers. The bad news is there is no other way to protect Win2K apart from deploying a software firewall (good luck with that, it's 2019) or messing around with port filtering. So if you really need to be running Win2K you have to disable the service, meaning you have to start it every time; if you watch the video I created, you will see how painful that will be.
The video shows how "Terminal Services" is set up, disabled and removed. I've also got the vulnerabilities list created by OpenVAS on an SP4-level install. I’ve added the link at the end of this article.
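To confirm from another machine on the lab network which of the mitigations above is actually in effect, here is an added example (not part of the original article) that makes one TCP connection attempt to the default Terminal Services port, 3389, and classifies the result. The function names and the placeholder address are assumptions made for illustration.

```python
import socket
import sys

RDP_PORT = 3389  # default TCP port for Terminal Services / RDP

# What each observed state means for the mitigations discussed above.
VERDICT = {
    "open": "Terminal Services is reachable: neither mitigation is in effect",
    "closed": "nothing listening: service disabled or removed "
              "(or a filter that rejects with a reset)",
    "filtered": "no reply: a firewall or port filter is dropping the traffic",
    "unreachable": "host down or unroutable: result is inconclusive",
}


def rdp_port_state(host, port=RDP_PORT, timeout=3.0):
    """Attempt one TCP handshake and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed
    except ConnectionRefusedError:
        return "closed"            # host answered with a reset
    except socket.timeout:
        return "filtered"          # packets silently dropped
    except OSError:
        return "unreachable"       # no route, DNS failure, etc.


def audit(hosts, port=RDP_PORT, timeout=3.0):
    """Return {host: (state, verdict)} for every host in the list."""
    results = {}
    for host in hosts:
        state = rdp_port_state(host, port, timeout)
        results[host] = (state, VERDICT[state])
    return results


if __name__ == "__main__":
    # Pass your own lab addresses; 192.0.2.10 is a documentation placeholder.
    targets = sys.argv[1:] or ["192.0.2.10"]
    for host, (state, verdict) in audit(targets).items():
        print(f"{host}:{RDP_PORT} {state:<12} {verdict}")
```

Run it again after every reboot or service change, since a Terminal Services instance that has been started for a maintenance session will show as "open" until it is disabled again.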
MS Updates
Microsoft still holds the updates for Win2K, and it is still selectable in WSUS. I’m using Windows Server 2019 and am in the process of building an update server. I then intend to fully patch Win2K, rerun OpenVAS and see what pops up.
Win2K was a godsend. When I started in IT it was DOS, 3.11, Win 95 and Windows NT 4. (“Plug and Pray” we used to call it. Just before Win2K came out you could have plug and pray ISA cards.) Even just rebooting NT4 could end the life of the O/S!
The best thing anyone can do is to finally shuffle off all these legacy systems, but that's a costly task and a time-consuming one at that.
But to make a Windows administrator's (or anyone involved with cyber security's) day, sign off that upgrade budget!
The vulnerabilities report and the video are available by following the URL below. The spreadsheet is in CSV format. Please make sure you have scanned it with antivirus updates applied; you can't be too sure.
https://drive.google.com/open?id=1VzYb6sl-H50EHqNnrzvb4MeNocAdwJ7j
I intend to rerun the report once everything is patched.
Look out for other posts regarding my experience with OpenVAS, as I intend to test most MS operating systems and I will try a couple of Linux builds as well. It will be interesting to see what I get.