Security Basics mailing list archives
Re: Patching internet facing MS systems
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 13 Mar 2008 19:35:31 +0100
On 2008-03-13 Dan Lynch wrote:
> > Why not allow all outbound traffic from the webserver to port 80/tcp, and set the proxy on the webserver statically to 127.0.0.1:9 via local policies, with the domains required for automatic updates as exceptions?
>
> Not a bad idea, setting the network perimeter firewall to allow all outbound HTTP from our DMZ servers, but configuring IE on each of them with a proxy server setting of 127.0.0.1:(any). This will stop all outbound HTTP. Then providing a short list of proxy exceptions in IE (specifically, *.update.microsoft.com, and download.windowsupdate.com) should enable the Windows Automatic Update feature. But isn't the proxy setting configurable to anyone with user-level rights?
Normally yes. However, defining the proxy in the local policies (via gpedit.msc) should prevent users from changing that setting. Mark Russinovich has blogged that limited users may still be able to modify some policies [1], but I don't know if the proxy setting is affected by this if you change it from per-user to system-wide. [...]
> Is there a way to prevent this? Or is it pointless? I'm under the impression (please correct it if I'm wrong) that darn near any vulnerability in a Windows system (especially IIS) can eventually be leveraged into a full system compromise.

Although some vulnerabilities allow for privilege elevation it's not as common as one may think. In most cases code is executed with the privileges of the exploited process. However, if the exploited process is running with admin privileges (e.g. because the user who spawned it is logged in with an admin account) the difference is practically void.

[1] http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
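As an added example (not part of the thread, and not code from either poster), the following read-only PowerShell script audits whether a server actually carries the "black-hole proxy with update exceptions" configuration discussed above. It reads the standard Internet Settings registry values and two well-known policy values: "Make proxy settings per-machine" (ProxySettingsPerUser = 0 under HKLM\...\Policies\...\Internet Settings) and "Disable changing proxy settings" (Proxy = 1 under HKCU\...\Policies\Microsoft\Internet Explorer\Control Panel). The expected proxy string and the required exception list are parameters, so the 127.0.0.1:9 value and the two update domains from the thread are just the defaults I assumed.

```powershell
# Audit script (added example): report the effective IE proxy configuration and
# flag deviations from a "discard proxy + Windows Update exceptions" setup.
# It changes nothing. Run as an administrator so HKLM policy keys are readable.
param(
    [string]$ExpectedProxy = '127.0.0.1:9',   # assumed value, from the thread
    [string[]]$RequiredExceptions = @('*.update.microsoft.com', 'download.windowsupdate.com')
)

$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$userRestrict = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel'

# ProxySettingsPerUser = 0 means the "per-machine" policy is in force and the
# effective settings live under HKLM; anything else means HKCU (user-editable).
$perUserValue = (Get-ItemProperty -Path $policyKey -Name ProxySettingsPerUser -ErrorAction SilentlyContinue).ProxySettingsPerUser
$perMachine   = ($perUserValue -eq 0)

$settingsKey = if ($perMachine) {
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
} else {
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
}

$s          = Get-ItemProperty -Path $settingsKey -ErrorAction SilentlyContinue
$enabled    = [int]$s.ProxyEnable                 # 1 = use the configured proxy
$server     = [string]$s.ProxyServer              # e.g. "127.0.0.1:9"
$override   = [string]$s.ProxyOverride            # ";"-separated exception list
$exceptions = @($override -split ';' | Where-Object { $_ -ne '' })

# "Disable changing proxy settings" policy: Proxy = 1 greys out the IE proxy UI.
$locked = ((Get-ItemProperty -Path $userRestrict -Name Proxy -ErrorAction SilentlyContinue).Proxy -eq 1)

$findings = @()
if (-not $perMachine) {
    $findings += 'Proxy settings are per-user (HKCU); a limited user can rewrite them and bypass the discard proxy.'
}
if ($enabled -ne 1) {
    $findings += 'ProxyEnable is not 1; HTTP goes out directly instead of through the discard proxy.'
}
if ($server -ne $ExpectedProxy) {
    $findings += "ProxyServer is '$server', expected '$ExpectedProxy'."
}
if (-not $locked) {
    $findings += 'Proxy UI is not locked (Control Panel\Proxy policy not set); users can still change it.'
}
foreach ($req in $RequiredExceptions) {
    if ($exceptions -notcontains $req) {
        $findings += "Required update exception '$req' is missing from ProxyOverride."
    }
}
if ($exceptions -contains '<local>') {
    $findings += 'ProxyOverride contains <local>; requests to plain hostnames bypass the proxy.'
}

[pscustomobject]@{
    SettingsSource = $settingsKey
    PerMachine     = $perMachine
    ProxyEnable    = $enabled
    ProxyServer    = $server
    Exceptions     = $exceptions
    UiLocked       = $locked
    Findings       = $findings
}
```

The script only inspects the IE (WinINet) proxy configuration; services that use the WinHTTP proxy have their own setting, which can be inspected separately with `netsh winhttp show proxy`. An empty Findings list means the host matches the intended configuration; each entry otherwise names one way the scheme can be undone.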