RE: Patching internet facing MS systems
- From: "Dan Lynch" <DLynch@xxxxxxxxxxxxx>
- Date: Wed, 12 Mar 2008 15:25:42 -0700
Thanks to those who offered ideas for this issue. The more I learn, the
more it seems there are no real good options for this. I've learned for
example that it's not possible to remove IE from a Server 2003 system. I
remember when IE4 wrapped itself around Windows 95's Active Desktop, but
had assumed various lawsuits in the meantime had loosened its grip.
I'm curious though, can IE components be leveraged in an attack against
a Server 2003 web server? Privilege escalation, for example? Anyone
tried to wrestle IE out of Server 2003?
So far as updating the Windows servers in the DMZ, pointing to an
internal WSUS server requires us to allow inbound HTTP traffic from DMZ
web servers, to an IIS server in our core network, and on our domain.
This just makes our web servers a stepping-stone to the internal
network. This is an unacceptable risk to me. If a DMZ server were
compromised, the WSUS server's IIS install would be a great second
target.
Automatic updates is difficult for us to control, as the destination web
site is constantly rotating through IP addresses. I can't write a
firewall rule allowing our DMZ servers outbound only to Microsoft's
update servers by name. But I can limit the time they're allowed to
connect. I think this is the way we'll go, manually approving and
installing downloaded updates. It's cheaper than adding a WSUS server in
the DMZ.
- Dan
Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Dan Lynch
Sent: Monday, March 10, 2008 3:45 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Patching internet facing MS systems
Greetings group,
I'm looking for current best practice recommendations
regarding the maintenance and patching of internet-facing
Windows servers. In my environment, these are hardened,
stand-alone (i.e., non-domain member) servers, mainly running
IIS, and in at least one case, MS SQL Server.
They reside on a network segregated behind a firewall from
the internet, and from our core network. At this time, no
connections are allowed from them to the private network. All
unnecessary services are disabled, including the Server Service.
Currently, Remote Desktop is used for many maintenance tasks,
but patching remains a problem. Applicable patches are copied
to a USB memory stick, and an administrator at the server
console manually installs. This sneaker-net solution is the
source of much wailing and gnashing of teeth among our sysadmins.
A number of options are available that run the gamut from
turning on automatic updates and allowing them to make
outbound HTTP connections to microsoft.com, to making them
domain member servers and using SMS to push patches.
How do _you_ do it?
Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
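The posture Dan settles on in his reply (pull updates directly from Microsoft, auto-download, install only after manual approval, no intranet WSUS reachable from the DMZ) can be checked on a host rather than trusted. The following audit script is an added example, not code from the thread or from either Dan's or Microsoft's tooling. It assumes a host with PowerShell and reads the documented Windows Update policy registry values (AUOptions, UseWUServer, WUServer); mapping Dan's "download, then approve manually" plan onto AUOptions value 3 is my reading of his message, and the function and variable names are my own. The time window for outbound connections he mentions lives on the firewall and is not visible from the host, so it is not checked here.

```powershell
# Added example: audit a Windows host's Automatic Updates policy against the
# DMZ posture described in the thread (direct-from-Microsoft, auto-download,
# manual install approval, no intranet WSUS). Registry paths and value names
# are the documented Windows Update policy keys; everything else is assumed.
$AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValue {
    # Returns the named value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-DmzUpdatePosture {
    $auOptions   = Get-PolicyValue -Path $AuPolicyKey -Name 'AUOptions'
    $useWuServer = Get-PolicyValue -Path $AuPolicyKey -Name 'UseWUServer'
    $wuServer    = Get-PolicyValue -Path $WuPolicyKey -Name 'WUServer'

    $findings = @()

    # AUOptions 3 = download automatically, notify before installing.
    # That is the "manually approving and installing downloaded updates"
    # arrangement from the thread. 4 would install on a schedule with no
    # approval step; 2 would not even download without a person present.
    if ($auOptions -ne 3) {
        $findings += "AUOptions is '$auOptions'; expected 3 (auto-download, notify before install)"
    }

    # A DMZ host pointed at an intranet WSUS server needs a path into the
    # core network, which is the exposure the thread rejects.
    if ($useWuServer -eq 1 -or -not [string]::IsNullOrEmpty($wuServer)) {
        $findings += "Intranet update server configured (UseWUServer=$useWuServer, WUServer='$wuServer'); DMZ host would need a path into the core network"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        AUOptions    = $auOptions
        UseWUServer  = $useWuServer
        WUServer     = $wuServer
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Run from an elevated prompt on the DMZ host being audited.
Test-DmzUpdatePosture | Format-List
```

Run it on each stand-alone DMZ server after the policy is applied; a `Compliant` of `False` lists exactly which value drifted. Because these are policy keys, a value that the registry does not contain at all reports as `$null`, which this script treats as non-compliant rather than assuming a default.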