Full Disclosure mailing list archives

Re: It's not that simple... [Was: Re: Disney Down?]


From: fd () ew nsci us
Date: Thu, 18 Aug 2005 14:01:44 -0700 (PDT)

On Wed, 17 Aug 2005, Ron DuFresne wrote:

Perhaps it does relate considering the above and considering that the unix
world learned many of the evils of RCP services over ten years ago that
seem to hit the M$ realm every few months, repeatedly...


We used to call them rsploits when it was common in unix.  Friends and I
had a good chuckle when MS started repeating history, having rsploits of
its own.  I would love to deny all port 445 with layer-3 switches but this
would be like blocking portmap and expecting NFS to still mount.

What have we learned from the past that we can apply to our MS networks,
since they have become a (un)necessary evil?  How neutered does an MS
workstation become if the RPC port is completely blocked from the outside?
Perhaps "mostly harmless"?

What would it take to write an RPC filter to only accept RPCs which we
actually care about?  In addition, why is PnP even an RPC accessible from
the outside (no, upnp is not a good reason)!?  Most importantly, we need
to eliminate the entire RPC attack vector in the future for Microsoft
systems -- this is not the first MS rsploit and we will certainly see
more.

Your thoughts?

-Eric



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

