Why WINS is still in use

Organizations still using WINS are likely to fall into one of two categories: those using it to support old technologies with long lifecycles such as operational technology (OT) systems, and those that have simply half-forgotten that they are still using it.

“For OT stacks built around WINS/NetBIOS, replacing them isn’t trivial because changing name resolution touches safety-critical systems and bespoke integrations,” said Kieran Bhardwaj, head of security engineering at UK cyber security consultancy Bridewell, which specializes in advising on critical infrastructure.

“Legacy technologies persist because some niche systems like industrial/OT environments are engineered for multi-decade lifecycles. Many control systems are architecturally fixed and can’t be re-platformed,” he said. “It’s also hard for Microsoft: WINS sits deep in the networking stack, which means removing a once-core component demands exhaustive regression to avoid unintended breakage.”

Equally, according to William Wright of pen-testing company Closed Door Security, WINS was still running on some networks for the same reason that many legacy technologies overstay their usefulness: migration apathy.

“Most organizations running WINS today probably aren’t actively using it for anything critical. They’ve just never had a compelling reason to turn it off,” he said. “It’s been quietly replicating in the background, consuming minimal resources, causing no obvious problems. That’s the nature of legacy infrastructure: It persists not because it’s needed, but because removing it requires effort and carries risk, while leaving it alone is free,” said Wright.
WINS is a security risk

WINS had major design limitations that made it a security risk, said Wright. “WINS has no mechanism to verify the legitimacy of name registrations, which makes it vulnerable to spoofing attacks,” said Wright. “An attacker on the network can register malicious entries, including Web Proxy Auto-Discovery (WPAD) records to intercept web traffic, or redirect connections to systems they control. It’s a straightforward path for lateral movement,” he said.

Finding WINS still turned on inside a network was a godsend to hackers using open-source tools such as Responder to conduct name resolution poisoning attacks against legacy Windows protocols such as Link-Local Multicast Name Resolution (LLMNR) and the NetBIOS Name Service (NBT-NS), Wright added.

Worse, the presence of WINS often indicated that a target was using other vulnerable legacy protocols. “Systems often fall back to NetBIOS broadcast queries when WINS isn’t available, which are spoofable on local networks. This is exactly what tools like Responder exploit, and it remains a common technique in penetration testing and real-world attacks alike.”
Network inventory

Organizations looking to rip WINS out should start with an inventory to find out where it is being used, Bhardwaj said: “Many organizations don’t realize a legacy asset still relies on WINS, so proactively inventory older segments and OT/ICS networks and verify resolution paths before the next upgrade window.”

“The trade-off is that customers still using WINS must put in the work to move to DNS by auditing dependencies, modernizing or isolating legacy workloads, and implementing DNS. But the payoff is a simpler, more secure platform.”

In the end, even the brightest and best-performing technologies will one day be legacy. Migrating from WINS is a test of how well organizations are dealing with this wider problem. “There’s way too much legacy that is unused and that presents an attack surface for no reason,” said Bhardwaj.

This article first appeared on Computerworld.
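The inventory step above, and the earlier point that hosts fall back to spoofable NetBIOS broadcasts (and LLMNR) when WINS is absent, are the two things an administrator needs to check on each Windows host before a WINS decommission. The following PowerShell script is an added example written for this page; it is not from the article, Computerworld, Bridewell, Closed Door Security or Microsoft. It reports configured WINS servers, the NetBIOS-over-TCP/IP mode per adapter, whether the host is itself running the WINS service, and whether LLMNR is disabled by policy. The `-Remediate` switch is this script's own convention (an assumption, not a built-in Microsoft option): without it the script only reports, so the "verify resolution paths first" order of operations is preserved.

```powershell
# Added example, not part of the article: audit one Windows host for residual
# WINS / NetBT / LLMNR dependencies; optionally disable the fallback protocols.
# Run in an elevated PowerShell 5.1+ session. -Remediate is an assumption of
# this script; without it nothing is changed.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Per-adapter WINS servers and NetBIOS-over-TCP/IP mode.
#    TcpipNetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($a in $adapters) {
    if ($a.WINSPrimaryServer -or $a.WINSSecondaryServer) {
        $findings.Add("[$($a.Description)] WINS servers configured: $($a.WINSPrimaryServer) $($a.WINSSecondaryServer)")
    }
    if ($a.TcpipNetbiosOptions -ne 2) {
        $findings.Add("[$($a.Description)] NetBIOS over TCP/IP not disabled (TcpipNetbiosOptions=$($a.TcpipNetbiosOptions))")
        if ($Remediate) {
            # SetTcpipNetbios with 2 disables NetBT on this adapter and persists across reboots.
            $null = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
        }
    }
}

# 2. Is this host a WINS server itself? The Windows service name is WINS.
$winsSvc = Get-Service -Name WINS -ErrorAction SilentlyContinue
if ($winsSvc) {
    $findings.Add("WINS server service present (status: $($winsSvc.Status))")
}

# 3. LLMNR: the DNS Client policy value EnableMulticast=0 turns it off.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -ne 0) {
    $findings.Add("LLMNR not disabled by policy (EnableMulticast=$llmnr)")
    if ($Remediate) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }
}

# 4. LMHOSTS lookup is another NetBIOS-era resolution path worth recording.
$lmhosts = @($adapters | Where-Object { $_.WINSEnableLMHostsLookup })
if ($lmhosts.Count -gt 0) {
    $findings.Add("LMHOSTS lookup enabled on $($lmhosts.Count) adapter(s)")
}

if ($findings.Count -eq 0) {
    Write-Output "No WINS/NetBT/LLMNR dependencies found on $env:COMPUTERNAME"
} else {
    Write-Output "Findings for $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it in report-only mode across the older segments first (for example through your existing remote-management tooling) and collect the output; a host that still shows WINS servers or LMHOSTS entries is exactly the "legacy asset that still relies on WINS" Bhardwaj describes, and disabling NetBT there before its dependency is understood will break name resolution for it. Only hosts whose dependencies have been moved to DNS should be run with `-Remediate`. The script deliberately does not touch WPAD settings, which the article mentions but whose correct configuration depends on whether the environment uses an auto-configured proxy.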
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4098729/microsoft-gives-windows-admins-a-legacy-migration-headache-with-wins-sunset-2.html

