Security Basics mailing list archives
Re: Patching internet facing MS systems
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 13 Mar 2008 16:49:57 +0100
On 2008-03-12 Dan Lynch wrote:
Thanks to those who offered ideas for this issue. The more I learn, the more it seems there are no real good options for this. I've learned for example that it's not possible to remove IE from a Server 2003 system. I remember when IE4 wrapped itself around Windows 95's Active Desktop, but had assumed various lawsuits in the meantime had loosened its grip. I'm curious though, can IE components be leveraged in an attack against a Server 2003 web server? Privilege escalation, for example? Anyone tried to wrestle IE out of Server 2003?
I've heard that it is possible, but it will break several things. For instance Windows' help system relies heavily on IE components. Also there are several programs using configuration frontends that are actually rendered by IE. [...]
Automatic updates is difficult for us to control, as the destination web site is constantly rotating through IP addresses. I can't write a firewall rule allowing our DMZ servers outbound only to Microsoft's update servers by name. But I can limit the time they're allowed to connect.
Why not allow all outbound traffic from the webserver to port 80/tcp, and set the proxy on the webserver statically to 127.0.0.1:9 via local policies, with the domains required for automatic updates as exceptions? That way it shouldn't be much of a security risk, IMHO. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- Patching internet facing MS systems Dan Lynch (Mar 11)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 11)
- Re: Patching internet facing MS systems Josh Haft (Mar 11)
- Re: Patching internet facing MS systems Kurt Buff (Mar 11)
- RE: Patching internet facing MS systems Dan Lynch (Mar 13)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 13)
- RE: Patching internet facing MS systems Dan Lynch (Mar 13)
- RE: Patching internet facing MS systems Dan Denton (Mar 13)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 13)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 13)
- Re: Patching internet facing MS systems Ansgar -59cobalt- Wiechers (Mar 13)
- <Possible follow-ups>
- RE: Patching internet facing MS systems Rob McShinsky (Mar 11)
- Re: Patching internet facing MS systems evilwon (Mar 11)
- Re: Patching internet facing MS systems nobledark (Mar 13)