Full Disclosure mailing list archives

Re: MS05-039 spreading was: AV Reaction Times of the latest MS05-039-based Worm Attacks


From: trains () doctorunix com
Date: Thu, 25 Aug 2005 07:22:46 -0500

Quoting Andreas Marx <gega-it () web de>:

> Of course, we know that the problem related to MS05-039 is not primarily an AV problem, but something for (Personal) Firewalls, IDS/IPS systems and a better patch management. :-)


This is sometimes hard to sit through. It is an access control problem. The rule of least access was violated by the IT staff of the infected organization. There was no valid business reason for end user X and end user Y to have access to one another's ports 135-445. Organizations that used some kind of NPAR technology to cut the network into zones successfully limited the spread of the worm from one machine to a few hundred machines.

We routinely cut our networks into (up to) 4000 zones, putting (typically) one end user machine on each zone. The solution is not to patch more often (that is necessary but not sufficient).

The solution is not to make LSA, DCOM, or whatever safe (can't be done, and you are kidding yourself if you are waiting for that MS patch).

The solution becomes apparent only after the network team decides to adopt the attitude of "Windows cannot be made safe, and I cannot remove Windows from my network, and all my laptop users are bringing worms in every day, and every idiot user out there is clicking on attachments that look interesting, and it's not going to get any better."

It is an access control problem. If anybody on this list has not heard the principle of 'first block everything, then allow only what's necessary', it would surprise me greatly.

And yet we see IT organizations slapping in PCs by the boatload without thinking, "maybe I have allowed too much access".

I throw this out for discussion and flames.

tc

-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services () doctorunix com
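The zoning argument in the post above, as an added example that is not part of the original message or of any product mentioned in it: a small Python model of a default-deny zone policy, and the set of hosts a worm spreading over TCP 135/139/445 can reach from a single infected PC under a flat network versus a per-host-zone network. The host names, zone names, rule syntax and allow rules are assumptions invented for the model; the ports are the ones the post names.

```python
from collections import deque

# Ports the post names as the worm's spread path (Windows RPC/SMB).
# Treating them as the only propagation channel is an assumption of the model.
WORM_PORTS = (135, 139, 445)

ANY = "*"  # wildcard for a zone or port in an allow rule


class Policy:
    """Default verdict plus explicit allow rules, the way a zoning firewall works.

    A rule is (src_zone, dst_zone, port); ANY matches anything.  Only the
    initiating direction is modelled; replies are assumed to be admitted by
    connection tracking, which is what makes "block everything, then allow
    only what's necessary" practical in the first place.
    """

    def __init__(self, default_allow, allows=()):
        self.default_allow = default_allow
        self.allows = list(allows)

    def permits(self, src_zone, dst_zone, port):
        for rule_src, rule_dst, rule_port in self.allows:
            if (rule_src in (ANY, src_zone)
                    and rule_dst in (ANY, dst_zone)
                    and rule_port in (ANY, port)):
                return True
        return self.default_allow


def infection_set(hosts, policy, patient_zero, vulnerable):
    """Hosts a worm can reach from patient_zero under the given policy.

    hosts maps hostname -> zone; vulnerable is the set of unpatched hosts.
    Breadth-first search: a host becomes infected when an already-infected
    host may open any of WORM_PORTS to it and it is vulnerable.
    """
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst, dst_zone in hosts.items():
            if dst in infected or dst not in vulnerable:
                continue
            if any(policy.permits(hosts[src], dst_zone, p) for p in WORM_PORTS):
                infected.add(dst)
                queue.append(dst)
    return infected


def scenario(n_users, zoned, server_push=False, patient_zero="pc000"):
    """Build a site of n_users PCs plus a DC and a file server, then run the worm.

    zoned=False: one flat segment with no filtering between hosts (the
    infected organization in the post).  zoned=True: every PC in its own
    zone, default deny, with only client -> server RPC/SMB allowed.
    server_push=True adds a single blanket "servers may reach any zone on
    445" rule, the kind of exception that quietly undoes the zoning.
    Hostnames and zone names are invented for the model.
    """
    zone = (lambda name: f"z-{name}") if zoned else (lambda name: "lan")
    hosts = {f"pc{i:03d}": zone(f"pc{i:03d}") for i in range(n_users)}
    hosts["dc1"] = "servers" if zoned else "lan"
    hosts["fs1"] = "servers" if zoned else "lan"

    if not zoned:
        policy = Policy(default_allow=True)
    else:
        allows = [(ANY, "servers", 135), (ANY, "servers", 445)]
        if server_push:
            allows.append(("servers", ANY, 445))
        policy = Policy(default_allow=False, allows=allows)

    # Worst case for the exercise: nobody has applied the patch yet.
    return infection_set(hosts, policy, patient_zero, set(hosts))


if __name__ == "__main__":
    runs = [("flat", dict(zoned=False)),
            ("zoned", dict(zoned=True)),
            ("zoned + server push", dict(zoned=True, server_push=True))]
    for label, kwargs in runs:
        hit = scenario(200, **kwargs)
        print(f"{label:20s} infected {len(hit):3d} of 202")
```

Two things the model makes visible that the prose only asserts. First, with every PC in its own zone the worm still reaches the two servers, because a client has a business reason to talk to them on 445; those few exposed hosts are where patching matters most, and zoning is what buys the time to do it. Second, a single server-to-client allow on 445 (for a push tool, say) restores the flat network's blast radius, so every exception to default deny has to be judged by the same "is there a business reason" test the post applies to user-to-user traffic.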


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
