RE: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1

From: Paul Schmehl (pauls_at_utdallas.edu)
Date: 08/15/03

To: full-disclosure@lists.netsys.com
Date: Fri, 15 Aug 2003 09:46:39 -0500

--On Friday, August 15, 2003 02:26:00 PM +0100 Richard Stevens
<richard@tccnet.co.uk> wrote:

>
> 1. precisely what do you mean by "requires access to the internet"?
>
> 2. does the IIS have to be public..? do other machines need to initiate
> connections to this one?
>
>
The responses to my post were fascinating. Many people missed the point
entirely and immediately dove in trying to solve the puzzle. Some began
formulating solutions immediately. Others, like Richard (whose post I
arbitrarily chose to respond to), asked for more information. Almost
everyone was thinking hard, trying to decide how they would handle such a
problem.

But the point of my post was to get the *original posters* to think about
what they were saying, *not* to solve this particular problem, which we
solved well over a year ago.

Let's review, shall we?

Tobias Oetiker oetiker@ee.ethz.ch posted (in this thread) "Because the
local techs have no clue, it will take the affected companies ages to get
back on the net."

Jeroen Massar jeroen@unfix.org then responded with "Which is perfect
actually as it points out all the stupid admins who get paid a lot of cash
but really sit around all day with their finger up their noses."

(I'm guessing that Jeroen doesn't have an admin job, or he'd realize they
don't "get paid a lot of cash" to do what they do unless they are *very*
competent. Most admins are paid grunt wages compared to the value they
bring to a company.)

I responded to their smug posts by giving them a puzzle to solve. A real
world puzzle. Something that many admins have to deal with *regularly*.
(Anyone in the medical network security field knows *exactly* what I mean.)

Suddenly I got a tidal wave of responses from people who genuinely wanted
to help. (Not surprising, really; that's the way most people are.) Some
asked very intelligent questions. Others offered well-thought-out
suggestions. A few offered what I would consider silly or unworkable
suggestions (like use VMWare and just keep rebuilding, for example).

But what about the original posters, Tobias and Jeroen? The ones who think
"local techs have no clue" and "sit around all day with their finger up
their noses"? What was their response?

Well, Tobias said "In the paragraph before you say that there are not to
be applied *any* patches ... so how come now you want to patch it?

* If no patches are to be applied then all is well, you don't care
  about windowsupdate working or not.

* If patches are to be applied, I assume the vendor would certify
  the one which makes patching possible as well."

Well, no, Tobias, I want to know how to *secure* the box even though I am
not *allowed* to patch it. My preference is to patch everything to
current. In the real world that simply isn't possible in *some* cases. As
an admin, *those* are the cases you have to solve. Patching is easy.
*Securing things*, now that's a different kettle of fish. Thanks for
playing, but you get -20 for not even paying attention.

BTW, *love* mrtg. Thanks for your contribution to the open source
community.

Jeroen at least *tried* to think it through; he said "Simple solution:
Firewall the hell out of it, run an IDS and keep those fingers out of your
nose and watch the daily security logs. As you are using apparently only
IIS as an incoming connection, put it behind a reverse http proxy, double
NAT it if you want so it still really thinks it is on the outside.

That should close the blaster worm from coming in directly.
Next thing to do is train those stupid employees of yours and
make them aware of certain problems. Oh oops, in your scenario
you forgot to say that I wasn't allowed to install viriicheckers
on the machines. Do so of course and keep them updated, which
is one of the things you (or do you have staff, cool) could
automate (which is one of the things IT people do) or do it
by hand if you want to do more than nothing."

Now, he didn't really address the problem directly, but at least he was
giving it some thought. (Note to Jeroen: not allowed to run virus
scanning software on this equipment. Sorry. Must find alternate solution.)

BTW, guys, the box was secured over a year ago. Blaster never got it,
neither did Slammer, Code Red, Nimda, or any of the others. I really
*wasn't* asking for help. I was *trying to get you to think* before opening
your mouth and insulting two-thirds of the readers of this list. Sadly,
I'm not sure it worked.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

