Full Disclosure mailing list archives
RE: MS should point windowsupdate.com to 127.0.0.1
From: "Jeroen Massar" <jeroen () unfix org>
Date: Fri, 15 Aug 2003 12:55:26 +0200
-----BEGIN PGP SIGNED MESSAGE-----

Schmehl, Paul L [mailto:pauls () utdallas edu] wrote:

> <LARGE SNIP>
> Given that scenario, please apply your scintillating logic to the problem of patching this machine to protect it against threats that were discovered *after* SP2.
You might be interested in the fact that before SP2 gets packaged and released you will already receive pre-SP3/post-SP2 patches via windowsupdate. But we'll leave that assumption out. Also, do we patch or don't we patch? Let's go for the no-patcher, which can be seen in many hospitals and the like, where not money or your job is on the line, but real people's lives AND your job.
> 1) Minus points if you say "Don't use it." Not an option.
> 2) Minus points if you say "Don't allow access to the Internet." It *requires* access to the Internet. (IOW, it has to be able to connect to "live" IP address ranges, not private IPs.)
These are requirements: you need a job and the thing needs to function for you to keep its job. +0
> 3) Bonus points if you can figure out how to maintain this machine with no interruptions of service and with no breakins.
First, buy a very good UPS and generator; you are an American after all, who apparently can't maintain power <evil grin>. Then again, Texas is downtown USA, so you are in the free here ;) +1
> 4) Minus points if you say, "I'd patch it anyway. Screw the vendor."
> 5) Double minus points if you say, "I wouldn't work somewhere if they had those requirements."
These are also requirements of your scenario, so we won't do that either. +0

Simple solution: Firewall the hell out of it, run an IDS, keep those fingers out of your nose and watch the daily security logs.

As you are apparently using only IIS as an incoming connection, put it behind a reverse HTTP proxy; double NAT it if you want so it still really thinks it is on the outside. That should stop the Blaster worm from coming in directly.

Next thing to do is train those stupid employees of yours and make them aware of certain problems. Oh oops, in your scenario you forgot to say that I wasn't allowed to install virii checkers on the machines. Do so of course and keep them updated, which is one of the things you (or do you have staff? cool) could automate (which is one of the things IT people do), or do it by hand if you want to do more than nothing.

As you are apparently an aware admin, you know Tobias's cool and neat toys called mrtg and rrdtool. Use them, couple them together to some netflow graphs and let an alarm bell ring on unusual activities; letting the app do it allows you to still pick your nose.

And another thing Tobias pointed out which you could do to catch any still left-over troubled msblast virii: point your internal DNS to resolve windowsupdate.com to a special IP inside your network; if a box triggers it, you know you've got a worm. You were not using windowsupdate.com anyways ;)
> Take your time. I'm not doing much. (I'm not asking for the solution either. I already have it. I'm just wondering if you can actually think outside the box, or if you're armchair quarterbacks without a nickel's worth of actual enterprise experience.)
I wonder, how does that work, twirling around in your armchair, while trying to look busy, now THERE is a difficult problem :) Do you have a solution for that?
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
Oh, that looks like a really daring job; looks like the aide of the janitor in charge of the announcement board. Does that job also smell? <evil grin>

</flame>

Greets,
Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / jeroen () unfix org / http://unfix.org/~jeroen/

iQA/AwUBPzy8FymqKFIzPnwjEQJ0TQCgv3JbzIM/KRwPlgyH6VKR3WBhv2MAn06+
m5LamWEjp0If7IdD3BkXw9oH
=xliD
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
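The last suggestion in the post (resolve windowsupdate.com internally to a sinkhole address and treat any host that then connects to it as infected) is easy to turn into a small detector on the sinkhole side. The following is an added example, not code from the thread or from either poster; the sinkhole address 10.0.0.250, the 10.0.0.0/8 internal range, the allowlist entry and the one-line flow-log format are all constructed for the example.

```python
"""Sinkhole-hit detector (added example, not from the mailing-list post).

Idea from the post: the internal resolver answers windowsupdate.com with an
address you control; any unexpected internal host that connects to that
address is a likely worm infection. This script reads a connection log
taken at the sinkhole and lists the offending hosts.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

SINKHOLE_IP = "10.0.0.250"           # assumption: address the internal DNS hands out
INTERNAL_NET = ip_network("10.0.0.0/8")  # assumption: the internal range
ALLOWLIST = {"10.0.1.5"}             # assumption: one box that is allowed to reach the name

# Constructed log format: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> <flags>"
FLOW_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)

# Constructed sample: two hosts hammering the sinkhole, one allowlisted host,
# one single stray hit, one connection to an unrelated web server, one bad line.
SAMPLE_FLOW_LOG = """\
2003-08-15 12:00:01 TCP 10.0.5.17:1031 -> 10.0.0.250:80 SYN
2003-08-15 12:00:01 TCP 10.0.5.17:1032 -> 10.0.0.250:80 SYN
2003-08-15 12:00:02 TCP 10.0.5.17:1033 -> 10.0.0.250:80 SYN
2003-08-15 12:00:02 TCP 10.0.5.17:1034 -> 10.0.0.250:80 SYN
2003-08-15 12:00:05 TCP 10.0.1.5:2001 -> 10.0.0.250:80 SYN
2003-08-15 12:00:07 TCP 10.0.7.2:1044 -> 10.0.0.250:80 SYN
2003-08-15 12:00:09 TCP 10.0.9.40:1500 -> 10.0.0.250:80 SYN
2003-08-15 12:00:09 TCP 10.0.9.40:1501 -> 10.0.0.250:80 SYN
2003-08-15 12:00:10 TCP 10.0.9.40:1502 -> 10.0.0.250:80 SYN
2003-08-15 12:00:11 TCP 10.0.9.40:1503 -> 10.0.0.250:80 SYN
2003-08-15 12:00:12 TCP 10.0.9.40:1504 -> 10.0.0.250:80 SYN
2003-08-15 12:00:13 TCP 10.0.3.3:1100 -> 10.0.0.9:80 SYN
garbage line that does not parse
"""


def parse_flow(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def sinkhole_hits(log_text):
    """Return {src_ip: count} for internal, non-allowlisted hosts that hit the sinkhole on tcp/80."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != "80":
            continue
        if rec["dst"] != SINKHOLE_IP:
            continue  # traffic to anything else is not the sinkhole's business
        src = rec["src"]
        try:
            if ip_address(src) not in INTERNAL_NET:
                continue  # only internal hosts get the sinkhole answer from our DNS
        except ValueError:
            continue
        if src in ALLOWLIST:
            continue  # known legitimate user of the name (the post says there are none)
        hits[src] += 1
    return dict(hits)


def suspects(log_text, min_hits=3):
    """Hosts with at least min_hits connection attempts, worst first.

    One hit may be a stray lookup; a burst of fresh connection attempts from
    the same host is the signal worth ringing the alarm bell for.
    """
    return sorted(
        ((src, n) for src, n in sinkhole_hits(log_text).items() if n >= min_hits),
        key=lambda t: -t[1],
    )


if __name__ == "__main__":
    for src, n in suspects(SAMPLE_FLOW_LOG):
        print(f"ALERT {src}: {n} connection attempts to sinkhole {SINKHOLE_IP}")
```

Feed it whatever your sinkhole host logs (a firewall log or a netflow export reduced to the same fields) and hook the output into the same alarm you hang off the mrtg/rrdtool graphs. The allowlist exists because any machine that legitimately uses the name will also land on the sinkhole once the resolver is changed; with the post's assumption that nobody on the network uses windowsupdate.com, it can stay empty.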