Full Disclosure mailing list archives

RE: MS should point windowsupdate.com to 127.0.0.1


From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 15 Aug 2003 09:46:39 -0500

--On Friday, August 15, 2003 02:26:00 PM +0100 Richard Stevens <richard () tccnet co uk> wrote:


1. Precisely what do you mean by "requires access to the internet"?

2. Does the IIS have to be public? Do other machines need to initiate connections to this one?


The responses to my post were fascinating. Many people missed the point entirely and immediately dove in trying to solve the puzzle. Some began formulating solutions immediately. Others, like Richard (whose post I arbitrarily chose to respond to), asked for more information. Almost everyone was thinking hard, trying to decide how they would handle such a problem.

But the point of my post was to get the *original posters* to think about what they were saying, *not* to solve this particular problem, which we solved well over a year ago.

Let's review, shall we?

Tobias Oetiker (oetiker () ee ethz ch) posted (in this thread): "Because the local techs have no clue, it will take the affected companies ages to get back on the net."


Jeroen Massar (jeroen () unfix org) then responded with: "Which is perfect actually as it points out all the stupid admins who get paid a lot of cash but really sit around all day with their finger up their noses."

(I'm guessing that Jeroen doesn't have an admin job, or he'd realize they don't "get paid a lot of cash" to do what they do unless they are *very* competent. Most admins are paid grunt wages compared to the value they bring to a company.)

I responded to their smug posts by giving them a puzzle to solve. A real world puzzle. Something that many admins have to deal with *regularly*. (Anyone in the medical network security field knows *exactly* what I mean.)

Suddenly I got a tidal wave of responses from people who genuinely wanted to help. (Not surprising, really, that's the way most people are.) Some asked very intelligent questions. Others offered well thought out suggestions. A few offered what I would consider silly or unworkable suggestions (like use VMWare and just keep rebuilding, for example.)

But what about the original posters, Tobias and Jeroen? The ones who think "local techs have no clue" and "sit around all day with their finger up their noses"? What was their response?

Well, Tobias said: "In the paragraph before you say that there are not to be applied *any* patches ... so how come now you want to patch it?

* If no patches are to be applied then all is well, you don't care about windowsupdate working or not.

* If patches are to be applied, I assume the vendor would certify the one which makes patching possible as well."

Well, no, Tobias, I want to know how to *secure* the box even though I am not *allowed* to patch it. My preference is to patch everything to current. In the real world that simply isn't possible in *some* cases. As an admin, *those* are the cases you have to solve. Patching is easy. *Securing things*, now that's a different kettle of fish. Thanks for playing, but you get -20 for not even paying attention.

BTW, *love* mrtg. Thanks for your contribution to the open source community.

Jeroen at least *tried* to think it through - he said: "Simple solution: Firewall the hell out of it, run an IDS and keep those fingers out of your nose and watch the daily security logs. As you are using apparently only IIS as an incoming connection, put it behind a reverse http proxy, double NAT it if you want so it still really thinks it is on the outside.

That should close the blaster worm from coming in directly. Next thing to do is train those stupid employees of yours and make them aware of certain problems. Oh oops, in your scenario you forgot to say that I wasn't allowed to install virus checkers on the machines. Do so of course and keep them updated, which is one of the things you (or do you have staff, cool) could automate (which is one of the things IT people do) or do it by hand if you want to do more than nothing."

Now, he didn't really address the problem directly, but at least he was giving it some thought. (Note to Jeroen. Not allowed to run virus scanning software on this equipment. Sorry. Must find alternate solution.)

BTW, guys, the box was secured over a year ago. Blaster never got it, neither did Slammer, Code Red, Nimda, or any of the others. I really *wasn't* asking for help. I was *trying* to get you to think before opening your mouth and insulting two thirds of the readers of this list. Sadly, I'm not sure it worked.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html