Security Basics mailing list archives

RE: Patching internet facing MS systems


From: "Dan Lynch" <DLynch () placer ca gov>
Date: Wed, 12 Mar 2008 15:25:42 -0700

Thanks to those who offered ideas for this issue. The more I learn, the
more it seems there are no real good options for this. I've learned for
example that it's not possible to remove IE from a Server 2003 system. I
remember when IE4 wrapped itself around Windows 95's Active Desktop, but
had assumed various lawsuits in the meantime had loosened its grip. 

I'm curious though, can IE components be leveraged in an attack against
a Server 2003 web server? Privilege escalation, for example? Anyone
tried to wrestle IE out of Server 2003?

So far as updating the Windows servers in the DMZ, pointing to an
internal WSUS server requires us to allow inbound HTTP traffic from DMZ
web servers, to an IIS server in our core network, and on our domain.
This just makes our web servers a stepping-stone to the internal
network. This is an unacceptable risk to me. If a DMZ server were
compromised, the WSUS server's IIS install would be a great second
target.

Automatic updates is difficult for us to control, as the destination web
site is constantly rotating through IP addresses. I can't write a
firewall rule allowing our DMZ servers outbound only to Microsoft's
update servers by name. But I can limit the time they're allowed to
connect. I think this is the way we'll go, manually approving and
installing downloaded updates. It's cheaper than adding a WSUS server in
the DMZ.

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Dan Lynch
Sent: Monday, March 10, 2008 3:45 PM
To: security-basics () securityfocus com
Subject: Patching internet facing MS systems

Greetings group,

I'm looking for current best practice recommendations 
regarding the maintenance and patching of internet-facing 
Windows servers. In my environment, these are hardened, 
stand-alone (i.e., non-domain member) servers, mainly running 
IIS, and in at least one case, MS SQL Server.
They reside on a network segregated behind a firewall from 
the internet, and from our core network. At this time, no 
connections are allowed from them to the private network. All 
unnecessary services are disabled, including the Server Service. 

Currently, Remote Desktop is used for many maintenance tasks, 
but patching remains a problem. Applicable patches are copied 
to a USB memory stick, and an administrator at the server 
console manually installs. This sneaker-net solution is the 
source of much wailing and gnashing of teeth among our sysadmins. 

A number of options are available that run the gamut from 
turning on automatic updates and allowing them to make 
outbound HTTP connections to microsoft.com, to making them 
domain member servers and using SMS to push patches. 

How do _you_ do it?



Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
