Re: Windows 2003 Server - MS Rulez?
From: Kurt Seifried (kurt_at_seifried.org)
Date: 05/24/03
To: "Kelly Fuller" <kelly@ccgsecurity.com>, "Street" <streetseeker@mail.ru>, <focus-ms@securityfocus.com>
Date: Fri, 23 May 2003 15:22:22 -0700
The primary vulnerabilities in such a system are not in the hash or
detection but in the management and configuration (like most good
encryption, you won't break the algos, but you may break the implementation).
For example some older tools for UNIX systems that do change detection
actively (i.e. check files for sum and compare) did not do updates safely,
i.e. an attacker had a window of opportunity when signatures were updated,
for example if an update was installed. Many of these tools did not (and
still do not) support importing signatures from a secure source (i.e. a
secure machine that serves as a "baseline").
I'm working on the assumption here that the MS 2003 stuff works a lot like
SecureEXE (a third party product that's been around for a few years for
Windows). If this is the case the management is hard to subvert, usually a
trusted baseline system is used to create the signatures which are then
distributed, so for example if you had windows 2000 version foo, and all the
signatures for that installed you could add the signatures for windows 2000
version foo+1 from the baseline system, and support both versions (i.e.
during the transition of the end systems). This makes it very difficult for
an attacker as no window of opportunity exists on the end system, because
the signatures are imported securely from somewhere else.
Of course this all depends on users having secured baseline systems, which
can be tricky (say you have a large SMP box running 2003 datacenter with
Oracle, you may not have a spare system to serve as a baseline server). Plus
the users must ensure any updates installed are securely obtained, etc. Plus
we are depending on Microsoft to make sure this is secure (i.e. what happens
if/when someone subverts a program, and runs additional stuff within it, not
loading a new executable and thus possibly avoiding detection and blocking).
So there would still be opportunities for attackers, but they would be much
more difficult.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
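
An added example, not part of the original message and not the mechanism of any product named in it: a minimal sketch of the baseline model described above, where an end system never re-hashes its own files to update signatures and only imports authenticated hash sets, so versions foo and foo+1 are both accepted during a transition. The key, path and file contents are constructed, and HMAC from the standard library stands in for the public-key signature a real deployment would use so that end systems hold no signing secret.

```python
import hashlib
import hmac
import json

def sign_manifest(key: bytes, version: str, hashes: dict) -> dict:
    """Run on the trusted baseline machine: authenticate path -> SHA-256 entries."""
    body = json.dumps({"version": version, "hashes": hashes}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Allowlist:
    """End-system store. It only grows by importing authenticated manifests."""

    def __init__(self, key: bytes):
        self._key = key
        self._allowed = {}  # path -> set of accepted SHA-256 digests

    def import_manifest(self, manifest: dict) -> bool:
        expected = hmac.new(self._key, manifest["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, manifest["tag"]):
            return False  # altered in transit or not produced by the baseline
        for path, digest in json.loads(manifest["body"])["hashes"].items():
            # Add, never replace: version foo stays valid while foo+1 rolls out.
            self._allowed.setdefault(path, set()).add(digest)
        return True

    def may_execute(self, path: str, content: bytes) -> bool:
        digest = hashlib.sha256(content).hexdigest()
        return digest in self._allowed.get(path, set())

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; provisioned out of band in practice
    foo, foo1 = b"binary build foo", b"binary build foo+1"  # constructed contents
    path = "C:/WINNT/system32/example.exe"  # hypothetical path
    sha = lambda b: hashlib.sha256(b).hexdigest()
    store = Allowlist(key)
    results = {"import_foo": store.import_manifest(sign_manifest(key, "foo", {path: sha(foo)}))}
    results["foo1_before_import"] = store.may_execute(path, foo1)
    forged = sign_manifest(key, "foo+1", {path: sha(foo1)})
    forged["body"] = forged["body"].replace(sha(foo1), sha(b"trojan"))  # tampered entry
    results["import_forged"] = store.import_manifest(forged)
    results["import_foo1"] = store.import_manifest(sign_manifest(key, "foo+1", {path: sha(foo1)}))
    results["foo_ok"] = store.may_execute(path, foo)
    results["foo1_ok"] = store.may_execute(path, foo1)
    results["trojan_ok"] = store.may_execute(path, b"trojan")
    return results

if __name__ == "__main__":
    print(demo())
```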