http://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspxAs you may be aware, a new worm has emerged named, 'Sasser', and Windows Server 2003 is not infected. Why? Because the RPC interface, which is accessible to anyone (ie; anonymous) on Windows XP and Win2000, was changed in Win2003 so that it requires aen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#124920Mon, 03 May 2004 07:23:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:124920IlyaAre there any chances to have the same for XP?http://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#124924Mon, 03 May 2004 10:38:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:124924Daniele Bochicchiohttp://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#125067Mon, 03 May 2004 18:50:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:125067Dana Epp's ramblings at the Sanctuary Michael had a quick blurb on his blog on the fact that with the latest 'Sasser' worm, Windows Server 2003 was not infected. Why? As he says, &quot;Because the RPC interface, which is accessible to anyone (ie; anonymous) on Windows XP and Win2000, was changed in Win2003 so that it requires a local admin to access. Not a remote admin, a local admin using the server's keyboard.&quot; Here is where Microsoft's change in stance in applying infosec principles to the design, defaults and deployment of their operating systems start to show real benefits. The rule of least privilege applies a harness to the RPC interface and lessens the attack surface by explicitly knowing the difference between local and remote admins and confining the abilities of such foreign bodies of code. In this way, attack patterns built into Sasser are useless against Microsoft's latest OS. This is where their policy of &quot;Secure by Default&quot; limits new unknown attack vector such as this. Are we beginning to see a change? Time will only tell....http://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#125233Mon, 03 May 2004 22:51:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:125233Sam Gentile's Bloghttp://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#125292Tue, 04 May 2004 00:26:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:125292Shaitan's Blog :-)http://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#125459Tue, 04 May 2004 04:28:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:125459Michael HowardFor XPSP2 we've done a number of things, all in the interest of reducing attack surface. First, RPC endpoints require authentication, and because the firewall is on by default you can't get to the ports anyway. Next we simply removed that code from LSASS in XPSP2!http://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#125521Tue, 04 May 2004 10:55:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:125521Gary Shorthttp://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#125619Tue, 04 May 2004 15:37:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:125619Donna's SecurityFlashhttp://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#126217Wed, 05 May 2004 07:23:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:126217IlluminatiLandMichael Howard has a blurb on why the Sasser worm does not affect Windows Server 2003. This is because Microsoft made a change to the RPC interface that requires local admin access instead of remote admin....http://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#126242Wed, 05 May 2004 05:44:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:126242IlyaThanks. It's great to see such SP2 features indeed.http://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#126251Wed, 05 May 2004 08:55:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:126251Sergey Simakov bloghttp://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#126263Wed, 05 May 2004 09:10:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:126263Sergey Simakov bloghttp://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#126270Wed, 05 May 2004 09:43:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:126270Server: Microsoft-IIS/6.0\r\nhttp://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#128483Sat, 08 May 2004 16:50:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:128483AnonymousIf security to you means removing bloated features that should have never been implemented, that's saying a lot!http://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#128496Sat, 08 May 2004 17:35:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:128496Michael HowardThere's a little bit more than removing code!http://blogs.msdn.com/michael_howard/archive/2004/05/02/124892.aspx#128564Sat, 08 May 2004 22:08:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:128564Kenji Yamamoto [MVP]Lots of efforts of everyone involved, right? <br> <br>Not only removing peaces/hardening the defaults there are much more of challenges, you know. I think Microsoft is now proactively taking actions to make things secure. <br> <br>Microsoft is now hearing what we are saying in all aspects. It is not limited to security, though. <br>If you have opinions write down in newsgroups, blogs, and so on. They are looking and taking our feedbacks. Or, pls rely on us MVPs. Pls tell us. ;-) <br> <br>Well, another thing which I want to express that is more important is that security is not an independent piece of puzzles of computer system, but a component (which should be )integrated into design, dev, deploy, management, support, and all the other scenes of computer life in general. <br> <br>Microsoft is a software vendor and they are doing what they are expected to do, acting proactively. I mean this applies to Michael and people around security within Microsoft. <br> <br>I am looking forward to seeing more of the results of their effort in the future. ;-)