RE: MS should point windowsupdate.com to 127.0.0.1

["Jeroen Massar" <jeroen () unfix org>]

-----BEGIN PGP SIGNED MESSAGE-----

Schmehl, Paul L [mailto:pauls () utdallas edu] wrote:

<LARGE SNIP>

> Given that scenario, please apply your scintillating logic to the
> problem of patching this machine to protect it against 
> threats that were discovered *after* SP2.

You might be interrested in the fact that before SP2 gets packaged
and released that you will already receive pre-sp3/post-sp2 patches
via windowsupdate. But we'll leave that assumption out.
Also, do we patch or don't we patch? Let's go for the no patcher
which can be seen in many hospitals and the likes where not money,
or your job is on the line, but real people's lives AND your job.

> 1) Minus points if you say "Don't use it."  Not an option
> 2) Minus points if you say "Don't allow access to the Internet.  It
> *requires* access to the Internet.  (IOW, it has to be able to connect
> to "live" IP address ranges, not private IPs.)

These are requirements, you need a job and the thing needs
to function for you to keep it's job.

+0

> 3) Bonus points if you can figure out how to maintain this 
> machine with no interruptions of service and with no breakins.

First, buy a very good UPS and generator, you are an american
after all who apparently can't maintain power <evil grin>
Then again Texas is downtown USA so you are in the free here ;)

+1

> 4) Minus points if you say, "I'd patch it anyway.  Screw the vendor."
> 5) Double minus points if you say, "I wouldn't work somewhere if they
> had those requirements."

These are also requirements of your scenario, so we won't do that either.

+0

Simple solution: Firewall the hell out of it, run an IDS and
keep those fingers out of your nose and watch the daily security
logs. As you are using apparently only IIS as an incoming connection
put it behind a reverse http proxy, double NAT it if you want so
it still really thinks it is on the outside.

That should close the blaster worm from coming in directly.
Next thing to do is train those stupid employees of yours and
make them aware of certain problems. Oh oops, in your scenario
you forgot to say that I wasn't allowed to install viriicheckers
on the machines. Do so ofcourse and keep them updated, which
is one of the things you, (or do you have staff, cool) could
automate (which is one of the things IT people do) or do it
by hand if you want to do more than nothing.

As you are apparently an aware admin, you know Tobias's cool
and neat toys called mrtg and rrdtool. Use them, couple them
together to some netflow graphs and let an alarm bell ring
on unusual activitities, letting the app do it allows you
to still pick your nose. And another thing Tobias pointed out
which you could do to catch any still left over troubled
msblast virii: point your internal dns to resolve windowsupdate.com
to a special IP inside your network, if a box triggers it
you know you got a worm. You were not using windowsupdate.com
anyways ;)

> Take your time.  I'm not doing much.  (I'm not asking for the solution
> either.  I already have it.  I'm just wondering if you can actually
> think outside the box, or if you're armchair quarterbacks without a
> nickle's worth of actual enterprise experience.)

I wonder, how does that work, twirling around in your
armchair, while trying to look busy, now THERE is a
difficult problem :) Do you have a solution for that?

> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/

Oe that looks like a really daring job, looks like
the aid of the janitor in charge of the announcement
board, does that job also smell? <evil grin>

</flame>

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / jeroen () unfix org / http://unfix.org/~jeroen/

iQA/AwUBPzy8FymqKFIzPnwjEQJ0TQCgv3JbzIM/KRwPlgyH6VKR3WBhv2MAn06+
m5LamWEjp0If7IdD3BkXw9oH
=xliD
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html