Rapid Increase in Windows 2000 in Overall NT Defacements

As for comments re: shift from NT4 to W2K - I honestly think that a significant change will appear. I do not need a crystal ball. Baring the sudden development of W2K vulnerabilities hereto unknow [sic] and the sudden lack of MS response to them (which has been markedly better than NT4 days), I can't see how you could figure that W2K defacments would remain at a lower level than NT4. As people upgrade they gain two things; one, all the enhancments to security W2K brings inherently and two, easy access to patches via windows update and the hotfix checker.
--Windows 2000 Advocate, via email October 25, 2000

I expect the trend in exploiting NT Web servers to peak again soon, unless the unlikely happens. That is, all operators of IIS quickly install the patch and secure their Web servers.
--Rik Farrow, IIS Unicode Bug Worst this Year (http://www2.itworld.com/cma/ett_content_article/0,2849,1_3225,00.html), October 30, 2000 Edition of ITWorld

Rik Farrow was unfortunately correct: NT defacements peaked again this November (http://www.attrition.org/mirror/attrition/os-graphs.html#SPECIAL) . Riding this new wave of IIS website defacements is Windows 2000, which has a growing percent of all NT defacements:

  Month         NT        Win2k        of NT
 -------       -----      -----        ------
 Jan2000        255          0           0.0  
 Feb2000        261          1           0.4  
 Mar2000        321          4           1.2  
 Apr2000        224          2           0.9  
 Jun2000        246          4           1.6  
 Jul2000        225          7           3.0  
 Aug2000        210          9           4.1  
 Sep2000        168         13           7.2  
 Oct2000        306         15           4.7  
 Nov2000        411         61          12.9  
 Dec2000        258         42          14.0  

All figures are January 2000 through December 21, 2000
Windows 2000 was released in February of 2000
The 'NT' column refers to all NT defacements other than Windows 2000
The 'Win2k' column refers to all Windows 2000 defacements
The percentage column is a percent of total figure, and is calculated in this manner: 100*Win2k/(NT+Win2k)

For a graphic perspective of the percent and the cumulative total of Windows 2000 defacements for the year up to December 21, 2000:


It is inevitable that Windows 2000 will come to dominate NT defacements: simple attrition of NT 4.0 and earlier versions guarantee that. The rapid increase in Windows 2000 defacements is probably attributable to the fact that virtually all new installations of NT will be Windows 2000, and new installations will often be the most insecure and unpatched. It's also very likely that Windows 2000 administrators are relatively inexperienced in Windows 2000 security (I take this as a reasonable assumption).

Rik Farrow was correct: administrators didn't quickly patch their webservers, even under the spector of defacements of major commercial websites, or much worse, intrusions into large commercial websites to pilfer financial or proprietary data, in the Infosec and IT news on an almost weekly basis.


© 2000, 2001 Matt Dickerson for Attrition.org
Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and Attrition.org are credited. The opinions expressed in this text are not necessarily the opinion of all Attrition staff members.

To subscribe to this list, send mail to majordomo@attrition.org with subscribe defaced-commentary in the BODY of the mail.

Last modified: Thu Dec 28 19:29:45 EST 2000