Full Disclosure mailing list archives
RE: Avoiding being a good admin - was DCOM RPC exploit (dcom.c)
From: Ron DuFresne <dufresne () winternet com>
Date: Wed, 30 Jul 2003 17:19:45 -0500 (CDT)
Still the best defensive posture is taken at the entrance and exit points as pertains to most all these 'services'. If the ports 135 and 1433 etc are blocked, both tcp and udp protocols, then patching becomes far less dramatic, even if a few machines inside get infected due to laptops or what have you. When the flow on the wire for a segment
Perimeter blocking is not everything. It's an important part of your security policy, but I think you're overstating that. Is it too difficult to write a worm which will spread through RPC DCOM (this is just to stay OT) *AND* mass e-mailing? See that? Mass e-mails ... You can have the best port blocking in the world and still be infected in a second.
Cool, perimeter security and forcing users to text only based e-mail clients like e-mail was intended <grin>.
The solution for this is long term improvement of security, strong security policies *AND* education.
Education works poorly. Educate your users and then 30 minutes later some of them will go to their everything-AND-the-kitchen-sink desktop OS, click on that same mass mailed exe you just told them not to click on, and reopen the need to once again re-educate your userbase cycle. Of course 9 out of 10 times it's going to be one of the upper mgt folks that pushed for the employee education project that does the uncondoned clicking of that exe...
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html