Security Basics mailing list archives
RE: Patching internet facing MS systems
From: "Dan Lynch" <DLynch () placer ca gov>
Date: Wed, 12 Mar 2008 15:25:42 -0700
Thanks to those who offered ideas for this issue. The more I learn, the more it seems there are no real good options for this. I've learned for example that it's not possible to remove IE from a Server 2003 system. I remember when IE4 wrapped itself around Windows 95's Active Desktop, but had assumed various lawsuits in the meantime had loosened its grip. I'm curious though, can IE components be leveraged in an attack against a Server 2003 web server? Privilege escalation, for example? Anyone tried to wrestle IE out of Server 2003?

So far as updating the Windows servers in the DMZ, pointing to an internal WSUS server requires us to allow inbound HTTP traffic from DMZ web servers, to an IIS server in our core network, and on our domain. This just makes our web servers a stepping-stone to the internal network. This is an unacceptable risk to me. If a DMZ server were compromised, the WSUS server's IIS install would be a great second target.

Automatic Updates is difficult for us to control, as the destination web site is constantly rotating through IP addresses. I can't write a firewall rule allowing our DMZ servers outbound only to Microsoft's update servers by name. But I can limit the time they're allowed to connect. I think this is the way we'll go, manually approving and installing downloaded updates. It's cheaper than adding a WSUS server in the DMZ.

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dan Lynch
Sent: Monday, March 10, 2008 3:45 PM
To: security-basics () securityfocus com
Subject: Patching internet facing MS systems

Greetings group,

I'm looking for current best practice recommendations regarding the maintenance and patching of internet-facing Windows servers. In my environment, these are hardened, stand-alone (i.e., non-domain member) servers, mainly running IIS, and in at least one case, MS SQL Server. They reside on a network segregated behind a firewall from the internet, and from our core network. At this time, no connections are allowed from them to the private network. All unnecessary services are disabled, including the Server Service.

Currently, Remote Desktop is used for many maintenance tasks, but patching remains a problem. Applicable patches are copied to a USB memory stick, and an administrator at the server console manually installs. This sneaker-net solution is the source of much wailing and gnashing of teeth among our sysadmins.

A number of options are available that run the gamut from turning on automatic updates and allowing them to make outbound HTTP connections to microsoft.com, to making them domain member servers and using SMS to push patches.

How do _you_ do it?

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
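[Editor's note, added example; this is not code from the thread or from any poster.] The approach Dan settles on in the reply above, letting a stand-alone DMZ server use Automatic Updates to download patches on its own but leaving the install to an administrator, is a local-policy setting rather than a domain GPO on a non-domain server. The registry values below are the ones Microsoft documents in KB 328010 for configuring Automatic Updates outside Active Directory (NoAutoUpdate, AUOptions, UseWUServer, WUServer). The function names are mine, and the script assumes it is run as a local administrator on a box with PowerShell installed (Server 2003 needs PowerShell 1.0 added; on that platform the same values can be set with reg.exe). It also assumes no WSUS server is wanted, so it clears any WSUS pointer to make sure the client never tries to reach an IIS host on the core network.

```powershell
# Added example (editor's, not from the thread): configure the local
# Automatic Updates policy as "download automatically, notify before install"
# so updates are staged on the server and an admin approves the install.
# Assumes: run as local Administrator, no WSUS in use, PowerShell available.
# Registry paths and value meanings are from KB 328010; function names are mine.

$AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Documented AUOptions values:
#   2 = notify before download
#   3 = download automatically, notify before install   <- used here
#   4 = download automatically, install on a schedule (unattended)
#   5 = let the local administrator choose
# Value 4 is the "weak" setting for a hardened web server: untested patches
# install and reboot the box with nobody watching.

function Set-AuDownloadAndNotify {
    foreach ($key in $WuPolicyKey, $AuPolicyKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $AuPolicyKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $AuPolicyKey -Name AUOptions    -Value 3 -Type DWord
    # Make sure no stale WSUS pointer sends the client toward the core network.
    Set-ItemProperty -Path $AuPolicyKey -Name UseWUServer  -Value 0 -Type DWord
    foreach ($name in 'WUServer', 'WUStatusServer') {
        Remove-ItemProperty -Path $WuPolicyKey -Name $name -ErrorAction SilentlyContinue
    }
}

function Test-AuDownloadAndNotify {
    # Returns $true only when the policy reads back exactly as intended.
    $au = Get-ItemProperty -Path $AuPolicyKey -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $au) { return $false }
    $ok = ($au.NoAutoUpdate -eq 0) -and ($au.AUOptions -eq 3) -and
          ($au.UseWUServer -ne 1) -and ($null -eq $wu.WUServer)
    return [bool]$ok
}

Set-AuDownloadAndNotify
if (Test-AuDownloadAndNotify) {
    # Have the Automatic Updates client re-read policy and run detection now.
    wuauclt.exe /resetauthorization /detectnow
    'AU policy set: download automatically, administrator installs manually.'
} else {
    throw 'AU policy did not read back as expected; check for a conflicting policy.'
}
```

The read-back check matters on a server that has been hardened by hand: a leftover WUServer value from an earlier build, or a local policy template that sets AUOptions to 4, silently changes the behaviour. The outbound time window Dan mentions is enforced at the firewall, not here; the scheduling values in this key (ScheduledInstallDay, ScheduledInstallTime) only apply when AUOptions is 4 and do not limit when the client contacts Microsoft's update servers.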
Current thread:
- Patching internet facing MS systems Dan Lynch (Mar 11)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 11)
- Re: Patching internet facing MS systems Josh Haft (Mar 11)
- Re: Patching internet facing MS systems Kurt Buff (Mar 11)
- RE: Patching internet facing MS systems Dan Lynch (Mar 13)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 13)
- RE: Patching internet facing MS systems Dan Lynch (Mar 13)
- RE: Patching internet facing MS systems Dan Denton (Mar 13)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 13)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 13)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 13)
- <Possible follow-ups>
- RE: Patching internet facing MS systems Rob McShinsky (Mar 11)
- Re: Patching internet facing MS systems evilwon (Mar 11)
- Re: Patching internet facing MS systems nobledark (Mar 13)