Re: DACLS for software distribution points...



Email back to that instructor and make sure that he/she is teaching with the latest info... Win2k3 is vastly different than Win2k in its threat/risk/attack status.. etc. etc..

Sorry that's a "can"... 2000's can be attacked from anon connections.... the detail is in the security bulletins (and remember today is patch Tuesday.. in about an hour.. turn towards Redmond and bow...)

Example...Microsoft Security Bulletin MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280):
http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx

Win2000 is "critical", Windows 2003 is "important"

On Windows XP Service Pack 2 and Windows Server 2003 systems, an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users or by users who have standard user accounts. However, the affected component is available remotely to users who have administrative permissions.


*Who could exploit the vulnerability?*
On Windows 2000 Service Pack 4 and Windows XP Service Pack 1, any anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability. In order to exploit the vulnerability on Windows XP Service Pack 2 and Windows Server 2003, an attacker must have valid login credentials to a target system.


Murad Talukdar wrote:

The question arose in my mind during a recent SANS course where the
instructor bemoaned the fact that the EVERYONE group was just that-EVERYONE.
Now the caveat mentioned that the EVERYONE group is more secure than it USED
to be was not mentioned (I don't think it was and I can't find it in
the SANS coursework either). It became highlighted this week as I'm setting
up some new software distro points. Which just shows me that things change
all the time and no-one can keep up with everything.

Sorry Susan-I got confused here;


Look at the last batch of patches and while the 2000's can' be nailed from anon connections

can' or can't? Didn't know if a 't' got missed off here.


Regards
Murad Talukdar

-----Original Message-----
From: Laura A. Robinson [mailto:larobins@xxxxxxxxxxxxxxxx]
Sent: Tuesday, July 11, 2006 2:47 AM
To: 'Jeffrey Wei'; focus-ms@xxxxxxxxxxxxxxxxx
Cc: talukdar_m@xxxxxxxxxx
Subject: RE: DACLS for software distribution points...

Domain Users != Authenticated Users. If you use Domain Users for the DACL,
users (and computers) from any other domain in the forest will not be able
to access the share. In a single-domain environment or when you only want
one domain to be able to access the share, this is fine, but otherwise,
using Authenticated Users may be a better approach.

Having said that, we've had many, many discussions on this list about the
exact differences between the Everyone group and the Authenticated Users
group, and the reality is very likely that you're just increasing your
maintenance without increasing security, depending on the composition of the
domain in question (e.g., Win2K3 versus Win2K versus NTSP4+ versus NTSP4-,
etc.). The difference between the two groups may simply be the built in
Guest account and nothing else.

Laura



-----Original Message-----
From: Jeffrey Wei [mailto:jeffrey.wei@xxxxxxxxx]
Sent: Thursday, July 06, 2006 6:29 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Cc: talukdar_m@xxxxxxxxxx
Subject: RE: DACLS for software distribution points...

What I normally do is remove the "Everyone" and replace it with "Domain Users".. which in itself means that it will have to be authenticated users before they can read file folders only.

Not sure how everyone else does it?

Jeffrey Wei

-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@xxxxxxxxxx]
Sent: Wednesday, July 05, 2006 6:02 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: DACLS for software distribution points...

Hi all,
MS says in this article that the DACLS for software distribution points should be EVERYONE: READ and Administrator: Full Control, Change, Read.

http://technet2.microsoft.com/WindowsServer/en/Library/45a873dd-660d-4de6-aac4-8a03974796121033.mspx?mfr=true

Why shouldn't the EVERYONE be removed and replaced with Authenticated Users?
I was thinking of doing this and can't really see any adverse impact.

Kind Regards
Murad Talukdar











--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
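
Added example (not part of the original thread or of Microsoft's article): a small audit of a distribution point's DACL in SDDL form, as printed by (Get-Acl <path>).Sddl, reporting which of the broad groups discussed above hold an allow ACE and whether it goes beyond read. The function names and both SDDL strings are constructed for illustration.

```python
import re

# SDDL SID aliases for the broad groups discussed in the thread.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "DU": "Domain Users",
         "AN": "Anonymous Logon", "BG": "Builtin Guests", "DG": "Domain Guests"}

# SDDL two-letter rights and the access-mask bits they stand for.
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
          "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}

# Mask bits that allow changing content, deleting, or re-permissioning
# (write/append data, write EA/attributes, delete child, DELETE,
# WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL).
WRITE_BITS = 0x500D0156


def mask_of(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS[code]
    return mask


def audit_dacl(sddl):
    """List (group, can_write) for each allow ACE held by a broad group."""
    match = re.search(r"D:[^(]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", match.group(1) if match else ""):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        if ace_type == "A" and sid in BROAD:
            findings.append((BROAD[sid], bool(mask_of(rights) & WRITE_BITS)))
    return findings


# Constructed samples: Everyone read-and-execute plus Administrators full
# control, and a looser variant giving Authenticated Users modify rights.
RECOMMENDED = "O:BAG:DUD:(A;OICI;0x1200a9;;;WD)(A;OICI;FA;;;BA)"
TOO_OPEN = "D:PAI(A;OICI;0x1301bf;;;AU)(A;OICI;FA;;;BA)"

if __name__ == "__main__":
    for name, sddl in (("recommended", RECOMMENDED), ("too open", TOO_OPEN)):
        print(name, audit_dacl(sddl))
```

Conditional ACEs (which contain nested parentheses) and deny ACEs are not evaluated by this sketch.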

