RE: Patching internet facing MS systems



> Why not allow all outbound traffic from the webserver to port
> 80/tcp, and set the proxy on the webserver statically to
> 127.0.0.1:9 via local policies, with the domains required for
> automatic updates as exceptions?

Not a bad idea, setting the network perimeter firewall to allow all
outbound HTTP from our DMZ servers, but configuring IE on each of them
with a proxy server setting of 127.0.0.1:(any). This will stop all
outbound HTTP. Then providing a short list of proxy exceptions in IE
(specifically, *.update.microsoft.com, and download.windowsupdate.com)
should enable the Windows Automatic Update feature.

But isn't the proxy setting configurable by anyone with user-level
rights? I suspect it wouldn't slow an attacker down too much if they
wanted to connect to "my-hacker-software.com" for a copy of their
rootkit du jour. Besides, there are other ways to make the web server
"upload" files.

Is there a way to prevent this? Or is it pointless? I'm under the
impression (please correct it if I'm wrong) that darn near any
vulnerability in a Windows system (especially IIS) can eventually be
leveraged into a full system compromise.

- Dan


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Ansgar
-59cobalt- Wiechers
Sent: Thursday, March 13, 2008 8:50 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Patching internet facing MS systems

On 2008-03-12 Dan Lynch wrote:
> Thanks to those who offered ideas for this issue. The more I learn,
> the more it seems there are no real good options for this. I've
> learned for example that it's not possible to remove IE from a Server
> 2003 system. I remember when IE4 wrapped itself around Windows 95's
> Active Desktop, but had assumed various lawsuits in the meantime had
> loosened its grip.
>
> I'm curious though, can IE components be leveraged in an attack
> against a Server 2003 web server? Privilege escalation, for example?
> Anyone tried to wrestle IE out of Server 2003?

I've heard that it is possible, but it will break several
things. For instance Windows' help system relies heavily on
IE components. Also there are several programs using
configuration frontends that are actually rendered by IE.

[...]
> Automatic updates is difficult for us to control, as the destination
> web site is constantly rotating through IP addresses. I can't write a
> firewall rule allowing our DMZ servers outbound only to Microsoft's
> update servers by name. But I can limit the time they're allowed to
> connect.

Why not allow all outbound traffic from the webserver to port
80/tcp, and set the proxy on the webserver statically to
127.0.0.1:9 via local policies, with the domains required for
automatic updates as exceptions?
That way it shouldn't be much of a security risk, IMHO.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to
patches becoming available."
--Jason Coombs on Bugtraq
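
The proxy arrangement discussed in this thread, as an added example that is not part of either poster's message: a Python model of which hosts bypass the dead proxy, plus an audit that reports drift from the intended settings. The value names ProxyEnable, ProxyServer, ProxyOverride and ProxySettingsPerUser are assumed to be the Internet Settings registry values a collection script would read, and both snapshots are constructed.

```python
from fnmatch import fnmatchcase

# Values proposed in the thread. The registry value names are the ones IE
# (WinINET) reads; their use here is an assumption of this added example.
EXPECTED_PROXY = "127.0.0.1:9"
APPROVED_BYPASS = {"*.update.microsoft.com", "download.windowsupdate.com"}


def bypass_list(settings):
    """Split the semicolon-separated ProxyOverride string into patterns."""
    raw = settings.get("ProxyOverride", "")
    return [p.strip().lower() for p in raw.split(";") if p.strip()]


def route(host, settings):
    """Return 'direct' or 'proxy' for an outbound HTTP request to host.

    fnmatchcase approximates IE's '*' wildcard matching.
    """
    if settings.get("ProxyEnable") != 1:
        return "direct"  # no proxy configured: nothing is blackholed
    if any(fnmatchcase(host.lower(), p) for p in bypass_list(settings)):
        return "direct"
    return "proxy"  # sent to ProxyServer, i.e. the dead loopback port


def audit(settings):
    """List every way a snapshot drifts from the configuration in the thread."""
    findings = []
    if settings.get("ProxyEnable") != 1:
        findings.append("proxy disabled: all outbound HTTP goes direct")
    if settings.get("ProxyServer") != EXPECTED_PROXY:
        findings.append("proxy server is not %s" % EXPECTED_PROXY)
    extra = sorted(set(bypass_list(settings)) - APPROVED_BYPASS)
    if extra:
        findings.append("unapproved bypass entries: " + ", ".join(extra))
    if settings.get("ProxySettingsPerUser") != 0:
        findings.append("proxy is per-user: each account can change its own")
    return findings


# Constructed snapshots: the intended state and a per-user change.
INTENDED = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:9",
            "ProxyOverride": "*.update.microsoft.com;download.windowsupdate.com",
            "ProxySettingsPerUser": 0}
CHANGED = dict(INTENDED, ProxyEnable=0, ProxySettingsPerUser=1)

if __name__ == "__main__":
    for name, snap in (("intended", INTENDED), ("changed", CHANGED)):
        print(name, route("www.example.com", snap), audit(snap))
```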



