Microsoft Strategic Technology Protection Program
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 10/03/01
- Next in thread: David LeBlanc: "Re: Microsoft Strategic Technology Protection Program"
- Reply: David LeBlanc: "Re: Microsoft Strategic Technology Protection Program"
- Reply: Ryan Russell: "Re: Microsoft Strategic Technology Protection Program"
- Reply: Tony Chow: "Re: Microsoft Strategic Technology Protection Program"
- Reply: Kayne Ian (Softlab): "Re: Microsoft Strategic Technology Protection Program"
- Reply: Andy Richard: "Re: Microsoft Strategic Technology Protection Program"
- Reply: Greg Thatcher: "Re: Microsoft Strategic Technology Protection Program"
- Reply: Tony Chow: "Re: Microsoft Strategic Technology Protection Program"
- Reply: Tony Chow: "Re: Microsoft Strategic Technology Protection Program"
Message-ID: <E9A01F52DC939448BBDE44ED2E1C468F1F176C@muskie.rc.on.ca>
Date: Wed, 3 Oct 2001 12:49:07 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
Subject: Microsoft Strategic Technology Protection Program
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Too little, too late.
Microsoft have today announced a suite of initiatives intended to
address the issues their customers face from the threat of Worms and
other malcode like Nimda and Code Red.
About time.
I've been assured that substantial resources have been allocated to
this new effort, but one has to wonder just who was consulted in
coming up with what this program involves (if you were, drop me a
line.)
Announced today was the "Microsoft Security Tool Kit";
http://www.microsoft.com/security/default.asp
This "Greatest Hits" CD or network download contains all of the
things you should already have;
- Latest Service Packs for OS, IIS, and IE.
- Security Checklists for NT, W2K, and IIS.
- A W2K-SP2 Deployment guide (the Update.msi section is worth reading if you have an Active Directory environment and use Group Policies)
- An NT 4.0-SP6a Deployment guide for SMS.
- IE Deployment guides.
- Several individual Hotfixes required for NT 4.0 Terminal Server (even though they are included in the NT 4.0 SRP)
- IIS Lockdown Tool
- URLScan
- HFNetchk
- Critical Update Notification 3.0 (only applies to W98/W2K according to the referenced KB article)
- QChain
There's a difference between the download and the CD. According to
the announcement page, "It (CD) includes automation scripts to
quickly install all the security hotfixes recommended in the kit.",
but the CD may take from 3 to 6 weeks to arrive.
I was told there would also be a "Bootstrap Client for Windows
Update" within this package somewhere, but if it's just the Critical
Update Notification 3.0 tool then it's not a "Bootstrap Client" in the
sense I thought it was.
While there are additional things planned, the biggest thing missing
at this stage is a re-release of the NT 4.0 Option Kit CD which
contains;
1. Patched version of IIS 4.0 (one that's not vulnerable out of the
box)
2. Patched versions of MDAC
3. Modifications to the samples to eliminate RDS
4. Modified default installation that doesn't install in a way known
to be exploitable
5. Modified Setup program that doesn't re-install removed script
mappings and other components after the user has manually removed
them (since that's what many people have done to protect themselves)
In addition, what is desperately needed is some way to do the
following;
a) Probe your internal network to identify IIS installations (this
can be done with HFNetchk, but working with its output is no fun)
b) Completely remove the IIS installation on command (remotely!), or
render it stopped
c) Query the IIS installation and alter it, removing RDS keys,
updating MDAC, patching it, disabling /scripts, tightening
permissions, etc...
d) Report results in a comprehensive fashion
I don't know about the rest of you, but many people have thousands of
IIS boxes to deal with. While Microsoft does sell SMS, if you used
Ghost to distribute your installations it hardly seems reasonable for
MS to expect you to purchase SMS to secure what you thought was a
reasonable installation.
If you have more than 1000 hosts under your control, send me your
suggestions for the best product/method used to get patches and
service packs out.
Given that this whole initiative, supported at the highest levels in
Microsoft, is designed in response to Worms that required the
touching of every machine in your organization, the first thing out
the door should've been something that made that problem less
onerous.
There are plans in the works (for Q2-2002) for an internal version of
Windows Update. I've been calling for this with Microsoft for eons
now, and while it's great they have finally been hit with the clue-bat
it seems ridiculous that it's going to be 6 months plus before we see
it. Such a tool would allow Network Administrators to rely on the
client's Windows Update component to provide fixes (fixes decided on
by the Network Administrator). In addition, a new feature in that
client (still some 3 months out) allowing it to be set up to allow
automatic updates (a push mechanism), would give you a way to push
out a fix quickly to all clients.
Again, about time!
Also coming out of all of this was news that Windows 2000 SP3 is not
likely to ship this year.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor