Security Basics mailing list archives

Re: Patching internet facing MS systems


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 13 Mar 2008 16:49:57 +0100

On 2008-03-12 Dan Lynch wrote:
> Thanks to those who offered ideas for this issue. The more I learn,
> the more it seems there are no real good options for this. I've
> learned for example that it's not possible to remove IE from a Server
> 2003 system. I remember when IE4 wrapped itself around Windows 95's
> Active Desktop, but had assumed various lawsuits in the meantime had
> loosened its grip.
>
> I'm curious though, can IE components be leveraged in an attack
> against a Server 2003 web server? Privilege escalation, for example?
> Anyone tried to wrestle IE out of Server 2003?

I've heard that it is possible, but it will break several things. For
instance Windows' help system relies heavily on IE components. Also
there are several programs using configuration frontends that are
actually rendered by IE.

[...]
> Automatic updates is difficult for us to control, as the destination
> web site is constantly rotating through IP addresses. I can't write a
> firewall rule allowing our DMZ servers outbound only to Microsoft's
> update servers by name. But I can limit the time they're allowed to
> connect.

Why not allow all outbound traffic from the webserver to port 80/tcp,
and set the proxy on the webserver statically to 127.0.0.1:9 via local
policies, with the domains required for automatic updates as exceptions?
That way it shouldn't be much of a security risk, IMHO.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
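The sinkhole-proxy idea from the reply above, written out as an added example (not part of the original post or of any Microsoft documentation): every HTTP client on the Server 2003 host is pointed at 127.0.0.1:9, where nothing listens, so generic outbound port 80 traffic dies locally while the listed update hostnames bypass the proxy and reach the firewall's 80/tcp allow rule. The registry paths and the `ProxySettingsPerUser` policy value are real, but the bypass list of Windows Update hostnames is an assumption for illustration and should be checked against current Microsoft guidance. One detail the post does not mention: the Automatic Updates service runs as SYSTEM and uses WinHTTP, which keeps its own proxy configuration separate from IE's, so the example sets both.

```batch
@echo off
rem Added example, not from the original post: pin WinINET (IE) and WinHTTP
rem on a Windows Server 2003 host to a dead proxy so that only the update
rem domains in the bypass list can use outbound port 80. Run from an
rem Administrator cmd.exe on the server itself.

rem ASSUMPTION: hostnames Automatic Updates needs; verify against current
rem Microsoft documentation. Keep the list narrow: a wide wildcard such as
rem *.microsoft.com would also bypass the sinkhole for unrelated hosts.
set BYPASS=*.windowsupdate.microsoft.com;*.update.microsoft.com;*.windowsupdate.com;download.windowsupdate.com

rem 1) Make the WinINET proxy a per-machine policy (ProxySettingsPerUser=0)
rem    so that an interactive user cannot switch it off in IE's options.
set POL=HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
reg add "%POL%" /v ProxySettingsPerUser /t REG_DWORD /d 0 /f

rem    With per-machine settings in force the values are read from HKLM.
rem    Port 9 (discard) on loopback has no listener, so every non-bypassed
rem    connection fails immediately on the host.
set INET=HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
reg add "%INET%" /v ProxyEnable   /t REG_DWORD /d 1 /f
reg add "%INET%" /v ProxyServer   /t REG_SZ    /d "127.0.0.1:9" /f
reg add "%INET%" /v ProxyOverride /t REG_SZ    /d "%BYPASS%" /f

rem 2) The Automatic Updates service (wuauserv, running as SYSTEM) uses the
rem    WinHTTP proxy, which is configured separately with proxycfg.exe on
rem    Server 2003. Give it the same sinkhole and the same bypass list;
rem    without this step the update client is not covered by step 1.
proxycfg -p "127.0.0.1:9" "%BYPASS%"

rem 3) Show the effective WinHTTP setting so the change can be verified.
proxycfg
```

The proxy setting is only a client-side convenience that keeps the firewall rule simple; a process that opens its own sockets ignores it entirely, so the firewall's restriction to 80/tcp (and, as the original poster already does, to a maintenance window) remains the enforcing control. After applying the settings, a quick check is to open any non-update URL from the server and confirm it fails, then run a manual update detection and confirm it succeeds.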
