Default configurations all have one thing in common: they are predictable and can thus be studied for vulnerabilities. Many exploits depend on systems having unpatched defaults. In the past, Windows shipped with less-restrictive defaults that were easier to exploit. For example, administrator passwords could be simple (or even blank) and non-expiring. Unnecessary services, such as IIS, were installed by default, sometimes with disastrous consequences. One of the most notable examples was IIS 5.0, which was part of any default Windows Server 2000 installation. It allowed directory traversal, information leakage, privilege escalation, and arbitrary code execution—all through the URL of a browser. This default helped spread the infamous nimda worm, one of the fastest-moving and costliest computer viruses of all time.

Over the years, Microsoft shifted their default configurations from being more permissive to more restrictive. However, all default installations must be followed up by applying patches and additional security policies. Not all administrators do this. In some cases, default configurations are relaxed to permit backward compatibility or extra functionality, especially for legacy applications that cannot be updated.

Vulnerable defaults that still persist include:

  • Unnecessary services—Default installations of Windows have always included services that you might not actually need. Use the following to identify and disable unnecessary services:
  • PowerShell get-service | fl and set-service cmdlets
  • msconfig.exe
  • Support for SMB v1.0—This weak file and print protocol has been the subject of many exploits, the latest being EternalBlue. It still ships with all Windows operating systems, including Server 2016.
  • Domain account password caching—Domain user credentials that have been cached on the local machine can be dumped and used by an attacker.
  • Default accounts—Accounts such as administrator, guest, krbtgt, and others have Security IDs (SIDs) that cannot be changed. This makes them a target for dumping hashes and passing-the-hash.
  • Default security logging—Windows security logging does not include sensitive file/folder access. Additionally, log file sizes are often too small for an enterprise organization, and logging is not automatically forwarded to a central server. All of these things make it easier for an attacker to go unnoticed or cover their tracks.
Unicode exploit example

Note: For more information on disabling unnecessary server services, see https://blogs.technet.microsoft.com/secguide/2017/05/29/guidance-on-disabling-system-services-on-windows-server-2016-with-desktop-experience/