By Paul Hirsch, Senior Network Engineer
Oh Windows Server 2003, I remember when you were young and vibrant. So stable, so quick(-ish), and so much more refined than Windows 2000. You bridged the gap between the era of the workgroup and the era of the Internet. When you were born there was no Facebook, no YouTube, and no Grumpy Cat. Yet you saw us through the coming of all these and more, running happily on 1GB of RAM and with only 20GB of disk space. As time passed, many an administrator clung to you tightly instead of moving on to Windows 2008, 2008R2, 2012…. And why not? You had just the right balance of features and simplicity.
Alas dear Windows Server 2003, now we must part ways. As of now the great mother-ship Microsoft has cast you off, never to receive another Patch Tuesday communique. All things must pass, and we must pass security audits, so fare thee well 2003! As I shut down my last Windows 2003 server, with the sweet sound of “It’s So Hard To Say Goodbye To Yesterday” playing (no, not on Napster), I will enter the following epitaph:
(If this is news to you, get informed! See Microsoft Server 2003 End Of Support Risks and Reasons to Upgrade)
By Paul Hirsch, Citon Senior Network Engineer
Patch Tuesday has been with us a long time. Many IT admins don’t scour the release notes anymore except to check for any nasty side effects. Take note, admins: This month’s Patch Tuesday included one patch that requires IT intervention to work.
MS15-011 and MS15-014 add features to address a Group Policy Execution vulnerability, a.k.a. “jasbug”, that has existed in Windows as long as Group Policy has. Jasbug, when combined with the usual network spoofing techniques, allows an attacker to trick any Windows machine on an Active Directory domain into running any code the attacker chooses. Windows, up until now, had no method for members of a domain to verify the integrity and authenticity of Group Policy scripts.
The new features in MS15-011 and MS15-014 add the ability to specify “hardened” network share (UNC) paths and ignore items that can’t be verified. Here’s the catch: You need to define a Group Policy to enable UNC path hardening on the shares you want to protect. Oh, and one more catch: Windows 2003 is left out in the cold. Just another reason to get off of Windows 2003 and earlier as soon as possible.
See this nice write-up by Microsoft on hardening group policy for the nitty-gritty.
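Because the patch does nothing until the policy is defined, it is worth checking that the setting has actually reached each machine. The PowerShell audit below is an added example, not code from the original post or from Microsoft. It assumes the Hardened UNC Paths policy stores its entries under the `HardenedPaths` registry key in the `RequireMutualAuthentication=1, RequireIntegrity=1` form, and that the shares to protect are `\\*\SYSVOL` and `\\*\NETLOGON`; the function names are hypothetical.

```powershell
# Added example: audit whether UNC path hardening is configured on this machine.
# Requires PowerShell 3.0 or later (uses [pscustomobject]).
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Assumption: these are the shares that carry Group Policy and logon scripts.
# Entries written with an explicit server name instead of * are not matched.
$Expected = '\\*\SYSVOL', '\\*\NETLOGON'
$Required = 'RequireMutualAuthentication', 'RequireIntegrity'

function ConvertFrom-HardenedPathValue {
    param([string]$Value)
    # Value data looks like "RequireMutualAuthentication=1, RequireIntegrity=1".
    $flags = @{}
    foreach ($pair in ($Value -split ',')) {
        $name, $setting = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = "$setting".Trim() }
    }
    return $flags
}

function Test-HardenedUncPath {
    param([string[]]$Path = $Expected)
    # A missing key means the policy was never applied to this machine.
    $regKey = Get-Item -Path $Key -ErrorAction SilentlyContinue
    foreach ($p in $Path) {
        $raw = if ($regKey) { $regKey.GetValue($p) } else { $null }
        $flags = ConvertFrom-HardenedPathValue -Value "$raw"
        # A flag counts only when it is present and set to 1.
        $missing = @($Required | Where-Object { $flags[$_] -ne '1' })
        [pscustomobject]@{
            Path     = $p
            Value    = $raw
            Hardened = ($missing.Count -eq 0)
            Missing  = $missing -join ', '
        }
    }
}

Test-HardenedUncPath | Format-Table -AutoSize
```

A row with `Hardened` set to `False` means the machine will still accept that share without mutual authentication or integrity checking, either because the Group Policy has not been defined or because it has not yet applied there.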