OS passwords on web server

Hypothetically, could a weak password (local OS Windows admin account) on a web server hosting public-facing sites ever be exploited by an external user, i.e. someone just browsing one of the web apps hosted on that Windows/IIS server? I can't see how a local OS password on a web server could ever be exploited externally, but any insight would be interesting. We are doing some risk assessment work on the importance of password security for all major server roles, and one of the risk factors is threat agents, i.e. who could exploit such vulnerabilities.

Servers are more likely to get hacked the more is installed on them. To act as a web server, you'd have to add IIS, and probably other extra things like .NET, ASP etc. Security holes in all that software and weak passwords can get used to hack the server. So besides requiring a strong password, you should also make sure your servers are fully patched so those security holes in the software get plugged.

Dan McFadden, Systems Engineer, commented:
Ok, first off, weak passwords for any type of account are ALWAYS a vulnerability.  Why this is an issue should be obvious, and it should always raise a red flag.

With that said, someone looking to exploit a web server isn't just browsing your web site.  Honest HTTP traffic, meaning typical GET & POST operations, usually does not constitute trouble.

And yes, an external user (with some knowledge and curiosity) can possibly breach your site.  You just have to read the paper about data breaches across the world to see that it can be and is being done.

Many of the problems attributed to hacks/breaches are to do with one or more of the following:

1. unnecessary UDP/TCP ports are configured open (edge/perimeter security)
2. improper communication path between Internet, DMZ & internal networks (edge/perimeter security)
3. failure to implement a regular OS patching routine (Operations)
4. failure to validate server configurations (Operations)
5. failure to validate application configurations [IIS, SQL, etc.] (Operations, Test/QA,
6. installation of un-needed application functionality [IIS, SQL, etc.] (Operations, Test/QA,
7. failure to implement proper input validation [application code] (Test/QA, Development)
8. improper implementation of multi-tier application [application code] (Test/QA, Development)

For example, you have a search function available on your web site.  I can quickly think of 3 potential issues:

1. search text field length is not limited to a finite size
2. search text is not validated before submitting the search text into the search engine
3. the application builds SQL in the code instead of calling into stored procedures in the DB

Those items above could potentially allow a buffer overrun or SQL injection attacks.

Those are just what I can imagine off the top of my head.
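As an added illustration of the search-function issues listed above (not code from the original answer or from any product named on this page), the following shows a search handler that concatenates the user's text into the SQL statement next to one that limits the input length and passes the text as a bound parameter. It uses an in-memory SQLite table with constructed rows; the 64-character limit and the `products` table are assumptions chosen for the demo.

```python
import sqlite3

# Assumed limit for the demo: the answer only says the field should be finite.
MAX_SEARCH_LEN = 64


def make_db():
    """Create a constructed in-memory catalogue with one unpublished row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, published) VALUES (?, ?)",
        [("red widget", 1), ("blue widget", 1), ("secret prototype", 0)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Search text becomes part of the SQL structure (issues 1-3 above)."""
    sql = (
        "SELECT name FROM products WHERE published = 1 AND name LIKE '%"
        + term
        + "%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def is_acceptable_term(term):
    """Issue 1: reject anything that is not a string of bounded length."""
    return isinstance(term, str) and 0 < len(term) <= MAX_SEARCH_LEN


def search_hardened(conn, term):
    """Bounded input plus a bound parameter: the text can never change the query."""
    if not is_acceptable_term(term):
        raise ValueError("search term rejected")
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    probe = "%' OR 1=1 --"  # constructed input that comments out the published filter
    print("vulnerable:", search_vulnerable(db, probe))   # includes the unpublished row
    print("hardened:  ", search_hardened(db, probe))     # treated as a literal, no match
    print("normal:    ", search_hardened(db, "widget"))
```

With the concatenated version the published filter is switched off by the input, so the unpublished row is returned; the parameterised version only ever compares the text against product names. The LIKE wildcards `%` and `_` still act as wildcards inside a bound parameter, which can widen a search but cannot escape the `published = 1` condition; escaping them is a separate step if exact matching is required.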

Dan McFadden, Systems Engineer, commented:
As a recommendation with respect to risk assessing publicly available/accessible services...

- Anyone with a connected device is a potential threat.  Therefore, everyone is a threat agent.

You must assume that someone will attempt to scan your publicly visible services.  Whether they do this knowingly or not, something can and will happen.

If you want proof, just create a simple web site with a single flat HTML page in it that says Hi.  Do not enable anything other than HTML mappings.  Let it sit on an open HTTP port and scan your logs daily.  Within a few hours, you will start seeing IP addresses making specific HTTP requests for specific files, hoping to get something other than a 404 file not found.

Many of these inquisitive devices are bots, hijacked private computers, compromised servers, etc.  Many people do not even know they have processes running in the background, using their network for some less than nice things.

Just something to think about.
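The log-scanning exercise described above, as an added example that is not part of the original comment: a small parser for the IIS W3C extended log format that reads the field names from the `#Fields:` directive, then groups 404 responses by client address and flags clients that requested several distinct non-existent paths. The log lines are constructed for the demo (the addresses are documentation ranges and the timestamps are made up); the threshold of three distinct paths is an assumption to tune against real traffic.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format; not taken from any real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-01-15 03:12:01 10.0.0.5 GET /index.html - 80 198.51.100.7 Mozilla/5.0 200
2024-01-15 03:12:09 10.0.0.5 GET /index.html - 80 203.0.113.9 python-requests/2.31 200
2024-01-15 03:12:10 10.0.0.5 GET /phpmyadmin/ - 80 203.0.113.9 python-requests/2.31 404
2024-01-15 03:12:10 10.0.0.5 GET /wp-login.php - 80 203.0.113.9 python-requests/2.31 404
2024-01-15 03:12:11 10.0.0.5 GET /.env - 80 203.0.113.9 python-requests/2.31 404
2024-01-15 03:12:11 10.0.0.5 GET /backup.zip - 80 203.0.113.9 python-requests/2.31 404
2024-01-15 03:15:42 10.0.0.5 GET /contact.htm - 80 192.0.2.44 Mozilla/5.0 404
2024-01-15 03:15:50 10.0.0.5 GET /contact.html - 80 192.0.2.44 Mozilla/5.0 200
"""


def parse_iis_w3c(text):
    """Turn W3C extended log text into dicts keyed by the names in the #Fields directive.

    IIS writes spaces inside field values as '+', so splitting on whitespace is safe.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no request data
        if fields is None:
            raise ValueError("data line appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def not_found_by_client(records):
    """Map each client IP to the set of distinct paths that answered 404."""
    paths = defaultdict(set)
    for rec in records:
        if rec["sc-status"] == "404":
            paths[rec["c-ip"]].add(rec["cs-uri-stem"])
    return paths


def suspicious_clients(records, min_distinct_404=3):
    """Clients that asked for at least min_distinct_404 different non-existent paths.

    A single 404 is usually a typo or stale link; a burst of distinct misses is the
    probing behaviour the comment describes.
    """
    return sorted(
        ip for ip, paths in not_found_by_client(records).items()
        if len(paths) >= min_distinct_404
    )


if __name__ == "__main__":
    recs = parse_iis_w3c(SAMPLE_LOG)
    for ip, paths in sorted(not_found_by_client(recs).items()):
        print(f"{ip}: {len(paths)} distinct 404 path(s): {sorted(paths)}")
    print("probing clients:", suspicious_clients(recs))
```

On real logs, point `parse_iis_w3c` at the daily file under the IIS log directory and keep the `#Fields:` handling, because the column order differs between servers depending on which fields logging was configured with. Counting distinct paths rather than raw 404s keeps a visitor reloading one broken link from being flagged.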
