RE: Patching internet facing MS systems

["Dan Lynch" <DLynch () placer ca gov>]

> Why not allow all outbound traffic from the webserver to port 
> 80/tcp, and set the proxy on the webserver statically to 
> 127.0.0.1:9 via local policies, with the domains required for 
> automatic updates as exceptions?

Not a bad idea, setting the network perimeter firewall to allow all
outbound HTTP from our DMZ servers, but configuring IE on each of them
with a proxy server setting of 127.0.0.1:(any). This will stop all
outbound HTTP. Then providing a short list of proxy exceptions in IE
(specifically, *.update.microsoft.com, and download.windowsupdate.com)
should enable the Windows Automatic Update feature.

But isn't the proxy setting configurable to anyone with user-level
rights? I suspect it wouldn't slow an attacker down too much if they
wanted to connect to "my-hacker-software.com" for a copy of their
rootkit dujour. Besides, there are other ways to make the web server
"upload" files.

Is there a way to prevent this? Or is it pointless? I'm under the
impression (please correct it if I'm wrong) that darn near any
vulnerability in a Windows system (especially IIS) can eventually be
leveraged into a full system compromise.

- Dan


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Ansgar 
> -59cobalt- Wiechers
> Sent: Thursday, March 13, 2008 8:50 AM
> To: security-basics () securityfocus com
> Subject: Re: Patching internet facing MS systems
>
> On 2008-03-12 Dan Lynch wrote:
> > Thanks to those who offered ideas for this issue. The more I learn, 
> > the more it seems there are no real good options for this. I've 
> > learned for example that it's not possible to remove IE 
> from a Server
> > 2003 system. I remember when IE4 wrapped itself around Windows 95's 
> > Active Desktop, but had assumed various lawsuits in the 
> meantime had 
> > loosened its grip.
> >
> > I'm curious though, can IE components be leveraged in an attack 
> > against a Server 2003 web server? Privilege escalation, for example?
> > Anyone tried to wrestle IE out of Server 2003?
>
> I've heard that it is possible, but it will break several 
> things. For instance Windows' help system relies heavily on 
> IE components. Also there are several programs using 
> configuration frontends that are actually rendered by IE.
>
> [...]
> > Automatic updates is difficult for us to control, as the 
> destination 
> > web site is constantly rotating through IP addresses. I 
> can't write a 
> > firewall rule allowing our DMZ servers outbound only to Microsoft's 
> > update servers by name. But I can limit the time they're allowed to 
> > connect.
>
> Why not allow all outbound traffic from the webserver to port 
> 80/tcp, and set the proxy on the webserver statically to 
> 127.0.0.1:9 via local policies, with the domains required for 
> automatic updates as exceptions?
> That way it shouldn't be much of a security risk, IMHO.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to 
> patches becoming available."
> --Jason Coombs on Bugtraq