News

SANS Posts Top 20 Vulnerabilities List

The SANS Institute on Friday unveiled its fifth annual list of the most commonly exploited vulnerable services in Windows, Unix and Linux systems. For Windows-based systems, Web servers and services topped the list as the most frequently attacked category.

SANS, a security certification and training organization that maintains the influential Internet Storm Center, originally released the list in conjunction with the National Infrastructure Protection Center of the FBI. The unveiling ceremony Friday in London marks the first time SANS didn't release the list at a White House or FBI ceremony.

"This is … the first time that the launch event for this authoritative study has taken place within Europe; reflecting both on the Top-20’s growing significance outside of the US and the essential leadership role played by British government agencies in this year’s study and in cyber-security, overall," according to a statement by the institute.

The list is billed as a consensus of security experts from security researchers at leading government security agencies worldwide, user groups and IT companies, including Microsoft, Symantec and Cisco.

Since the first list of ten vulnerabilities in 2000, the list has been organized as two separate top tens: one for Windows-based systems and one for Unix- and Linux-based systems.

"Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty vulnerable services," the institute said in a statement.

To justify listing Web servers and services as the most vulnerable service on Windows systems, the institute noted that default installations of HTTP servers such as Microsoft IIS, Apache and SunOne, along with their add-on components, have proven vulnerable to serious attacks, including complete compromise of the server, exposure of sensitive files or data, and denial of service.

Each entry includes recommended mitigation steps. For Web servers, the institute lists several general steps as well as platform-specific ones. For IIS, it recommends upgrading to IIS 6.0 where possible, running Microsoft's IIS Lockdown Wizard to disable unneeded features and handlers, and filtering incoming HTTP requests with Microsoft's URLScan tool so that malformed or suspicious requests are rejected before they reach the server's request handlers.
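To make the URLScan recommendation concrete, the following Python script is an added illustration, not code from the original article, from SANS or from Microsoft. It models the kinds of rules a URLScan-style filter applies in front of a Web server: an allow-list of HTTP verbs, a deny-list of file extensions, a deny-list of URL substrings checked after decoding, a "decoding twice must be a no-op" check that catches double-encoded traversal attempts, and a deny-list of request headers. The rule values and the sample requests are constructed for the example; they are not Microsoft's shipped defaults.

```python
"""
Added example: a minimal HTTP request filter in the style of URLScan's rules.
This is not URLScan or IIS code. The rule sets below are constructed to show
the filter's rule categories; tune them to what your site actually serves.
"""
import posixpath
from urllib.parse import unquote

# Allow-list of verbs: anything else (PROPFIND, TRACE, ...) is refused outright.
ALLOW_VERBS = {"GET", "HEAD", "POST"}

# Extensions a content site has no business serving directly.
DENY_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".ida", ".idq", ".htr",
                   ".htw", ".printer", ".ini", ".log"}

# Substrings that, once the path is decoded, signal traversal, backslash
# tricks, alternate data streams or leftover encoding.
DENY_URL_SEQUENCES = ("..", "./", "\\", ":", "%", "&")

# Request headers that route into WebDAV/FrontPage-style handlers.
DENY_HEADERS = {"translate", "if", "lock-token"}

ALLOW_HIGH_BIT_CHARACTERS = False


def check_request(verb, target, headers=None):
    """Apply the rules to one request line; return (allowed, reason)."""
    headers = headers or {}

    if verb.upper() not in ALLOW_VERBS:
        return False, "verb not allowed: " + verb

    # Rules apply to the path; the query string is left to the application.
    path = target.split("?", 1)[0]

    # Decode before scanning, then verify that decoding again changes nothing.
    # A path that decodes differently the second time carried a double-encoded
    # escape such as %255c, which a naive single decode would let through.
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        return False, "double-encoded sequence in path"

    # Overlong or otherwise invalid UTF-8 escapes decode to non-ASCII
    # replacement characters; refusing high-bit characters catches them.
    if not ALLOW_HIGH_BIT_CHARACTERS and any(ord(c) > 127 for c in decoded):
        return False, "high-bit character in path"

    for seq in DENY_URL_SEQUENCES:
        if seq in decoded:
            return False, "denied sequence %r in path" % seq

    ext = posixpath.splitext(decoded)[1].lower()
    if ext in DENY_EXTENSIONS:
        return False, "denied extension " + ext

    for name in headers:
        if name.lower() in DENY_HEADERS:
            return False, "denied header " + name

    return True, None


# Constructed sample requests: ordinary traffic plus the shapes of probes
# that historically hit default Web server installs.
SAMPLE_REQUESTS = [
    ("GET", "/default.htm", {}),
    ("POST", "/cgi-bin/form.pl", {}),
    ("GET", "/products/list.asp?id=5&sort=name", {}),
    ("PROPFIND", "/docs/", {}),
    ("GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", {}),
    ("GET", "/scripts/..%c0%af../winnt/system32/cmd.exe", {}),
    ("GET", "/default.ida?NNNNNNNNNNNNNNNN", {}),
    ("GET", "/index.html", {"Translate": "f"}),
]


def filter_log():
    """Run every sample through the filter; return the decisions in order."""
    return [(verb, target) + check_request(verb, target, hdrs)
            for verb, target, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for verb, target, allowed, reason in filter_log():
        print("%-6s %-55s %s" % (verb, target,
                                  "allowed" if allowed else "REJECT: " + reason))
```

The ordering of the checks matters: decoding once and then verifying that a second decode is a no-op rejects double-encoded escapes before the substring rules run, which is the case that single-pass filters miss. The query string is deliberately not scanned here; extend the rules to it only if the application behind the filter never needs the denied characters in its parameters.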

The SANS list of Top Vulnerabilities to Windows Systems:

  • W1 Web Servers & Services
  • W2 Workstation Service
  • W3 Windows Remote Access Services
  • W4 Microsoft SQL Server (MSSQL)
  • W5 Windows Authentication
  • W6 Web Browsers
  • W7 File-Sharing Applications
  • W8 LSAS Exposures
  • W9 Mail Client
  • W10 Instant Messaging

The SANS list of Top Vulnerabilities to Unix Systems:

  • U1 BIND Domain Name System
  • U2 Web Server
  • U3 Authentication
  • U4 Version Control Systems
  • U5 Mail Transport Service
  • U6 Simple Network Management Protocol (SNMP)
  • U7 Open Secure Sockets Layer (SSL)
  • U8 Misconfiguration of Enterprise Services NIS/NFS
  • U9 Databases
  • U10 Kernel

The full list is available from the SANS Institute.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
