RE: Patching networks redux

[John.Airey () rnib org uk]

> -----Original Message-----
> From: Nick FitzGerald [mailto:nick () virus-l demon co uk]
> Sent: 31 July 2003 22:41
> To: 
> Subject: RE: [Full-disclosure] Patching networks redux
[snip]
> Please explain what best practices he refers to?
>
> I'm sure he was referring to standard computer security best practices
> -- you know, things like ensuring least privilege, disabling unused 
> accounts created by a default install, having strong password policy 
> enforcement, uninstalling/disabling/etc unused services, firewalling 
> all but the truly necessary ports, etc, etc, etc.
>
> What in that can you see that would _not_ have "largely 
> mitigated" the 
> threat potential of this vuln?
Let's look at the facts shall we? Microsoft still say at
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS
03-026.asp


"The Windows 2000 patch can be installed on systems running Windows 2000
Service Pack 3, or Service Pack 4. "

What Paul and the other poster showed was that this isn't true. Specifically
Paul stated (as some may have forgotten what the original thread was about)
"testing has shown that some patch management tools are incorrectly
reporting that MS03-026 is installed when it's not".

Best practices is a complete red herring. Let's suppose I have good reason
to use DCOM on Windows 2000 for a public web site. Let's also suppose that I
have not completed testing SP4 (which is likely as it was released close to
the summer holidays). In fact we don't use 2000 server on anything public
facing, so this exact issue doesn't affect us.

Therefore criticising someone who gives useful information to the list is
incongruous at best.

My troll detector has now been upgraded to be able to spot two trolls at
once.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey () rnib org uk 

The trouble with postmodernism isn't just that no-one actually believes in
it, but no-one can believe in it.

- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html