Security Basics mailing list archives
RE: Patching internet facing MS systems
From: "Dan Lynch" <DLynch () placer ca gov>
Date: Thu, 13 Mar 2008 10:48:02 -0700
> Why not allow all outbound traffic from the webserver to port 80/tcp, and
> set the proxy on the webserver statically to 127.0.0.1:9 via local
> policies, with the domains required for automatic updates as exceptions?
Not a bad idea: setting the network perimeter firewall to allow all outbound HTTP from our DMZ servers, but configuring IE on each of them with a proxy server setting of 127.0.0.1:(any). This will stop all outbound HTTP. Then providing a short list of proxy exceptions in IE (specifically, *.update.microsoft.com and download.windowsupdate.com) should enable the Windows Automatic Update feature.

But isn't the proxy setting configurable to anyone with user-level rights? I suspect it wouldn't slow an attacker down too much if they wanted to connect to "my-hacker-software.com" for a copy of their rootkit du jour. Besides, there are other ways to make the web server "upload" files. Is there a way to prevent this? Or is it pointless?

I'm under the impression (please correct it if I'm wrong) that darn near any vulnerability in a Windows system (especially IIS) can eventually be leveraged into a full system compromise.

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Thursday, March 13, 2008 8:50 AM
To: security-basics () securityfocus com
Subject: Re: Patching internet facing MS systems

On 2008-03-12 Dan Lynch wrote:
> Thanks to those who offered ideas for this issue. The more I learn, the
> more it seems there are no real good options for this. I've learned for
> example that it's not possible to remove IE from a Server 2003 system. I
> remember when IE4 wrapped itself around Windows 95's Active Desktop, but
> had assumed various lawsuits in the meantime had loosened its grip. I'm
> curious though, can IE components be leveraged in an attack against a
> Server 2003 web server? Privilege escalation, for example? Anyone tried
> to wrestle IE out of Server 2003?

I've heard that it is possible, but it will break several things. For instance Windows' help system relies heavily on IE components. Also there are several programs using configuration frontends that are actually rendered by IE.

[...]

> Automatic updates is difficult for us to control, as the destination web
> site is constantly rotating through IP addresses. I can't write a
> firewall rule allowing our DMZ servers outbound only to Microsoft's
> update servers by name. But I can limit the time they're allowed to
> connect.

Why not allow all outbound traffic from the webserver to port 80/tcp, and set the proxy on the webserver statically to 127.0.0.1:9 via local policies, with the domains required for automatic updates as exceptions? That way it shouldn't be much of a security risk, IMHO.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
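Dan's question above is whether a proxy setting pushed by local policy can be undone by a user-level account. The following audit script is an added example, not code from either poster or from Microsoft; it checks the standard WinINET registry locations for the configuration the thread describes (proxy pinned to 127.0.0.1:9, bypass list limited to the Windows Update names, settings made per-machine rather than per-user, and the IE "Prevent changing proxy settings" policy enabled). The expected proxy and bypass values are assumptions taken from the two messages, not a vendor recommendation.

```powershell
# Added example (not from the original thread): audit whether this server's
# WinINET proxy is pinned machine-wide to a black-hole proxy, with only the
# Windows Update hostnames bypassed, so that a user-level account cannot
# simply switch it off in the IE control panel.
# Expected values are assumptions taken from the mailing-list discussion.
$ExpectedProxy  = '127.0.0.1:9'
$ExpectedBypass = @('*.update.microsoft.com', 'download.windowsupdate.com')

# Standard policy / WinINET locations (machine-wide).
$PolicyKey  = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$MachineKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$LockKey    = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. Proxy settings must be per-machine (ProxySettingsPerUser = 0); otherwise
#    every account, including a compromised service account, keeps its own
#    editable copy under HKCU.
if ((Get-RegValue $PolicyKey 'ProxySettingsPerUser') -ne 0) {
    $findings += 'ProxySettingsPerUser is not 0: proxy config is per-user and user-editable'
}

# 2. With per-machine settings, WinINET reads the HKLM Internet Settings key.
$enable   = Get-RegValue $MachineKey 'ProxyEnable'
$server   = Get-RegValue $MachineKey 'ProxyServer'
$override = Get-RegValue $MachineKey 'ProxyOverride'

if ($enable -ne 1) { $findings += 'ProxyEnable is not 1: proxy is not in use' }
if ($server -ne $ExpectedProxy) {
    $findings += "ProxyServer is '$server', expected black-hole '$ExpectedProxy'"
}

# ProxyOverride is a ';'-separated list; '<local>' means "bypass for intranet".
$bypass = @()
if ($override) { $bypass = $override -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ } }
$extra = $bypass | Where-Object { $_ -ne '<local>' -and $ExpectedBypass -notcontains $_ }
if ($extra) { $findings += "Unexpected bypass entries (direct egress allowed): $($extra -join ', ')" }
foreach ($name in $ExpectedBypass) {
    if ($bypass -notcontains $name) { $findings += "Missing bypass entry for updates: $name" }
}

# 3. "Prevent changing proxy settings" keeps the IE UI from altering the above.
if ((Get-RegValue $LockKey 'Proxy') -ne 1) {
    $findings += 'IE policy "Prevent changing proxy settings" (Control Panel\Proxy = 1) is not set'
}

if ($findings.Count -eq 0) {
    'OK: proxy pinned to black-hole with Windows Update exceptions only'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Two caveats worth keeping in mind when reading the output. First, these keys only govern software that goes through WinINET (IE and anything that borrows its settings); a process that uses WinHTTP, which has its own proxy configuration, or that opens a raw socket on port 80 never consults them, which is exactly the "other ways to upload files" Dan raises. The registry lock therefore raises the bar for a user-level account but does not replace the perimeter egress rule; the firewall remains the control, and the proxy setting is a convenience on top of it. Second, because the script reads HKLM, run it from an elevated prompt; a non-privileged run that returns all-null values is itself a sign that the per-machine policy is not what is being consulted.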