Bugtraq mailing list archives
Re: Circumventing quarantine control in Windows 2003 and ISA 2004
From: "Memet Anwar" <mmta.gm () gmail com>
Date: Wed, 24 May 2006 15:07:00 +0700
I'm aware of Mark's and 3APA3A's points: anything accessible and executed locally can be circumvented. That's why I call such a quarantine mechanism a design error. This may be one of the reasons for the complexity of the TNC spec from TCG (https://www.trustedcomputinggroup.org/specs/TNC/).

Doing the grading at the server end, such as is offered by the agentless mode of StillSecure's product (thanks to Roger for the ref), does increase the bar, and I think should be considered for now until NAC/NAP matures enough.

For ISA/RRAS, one could write an rqs.exe replacement that initializes remote scanning tools (i.e. mbsacli.exe) against the quarantined machine's IP and makes the decision based on the result.

Cheers,
Memet

Side note to 3APA3A: admin access is not required to modify files from the user's CM profile.
----- Original Message -----
From: "Mark Senior" <senatorfrog () gmail com>
To: "Memet Anwar" <mmta.gm () gmail com>
Cc: <bugtraq () securityfocus com>
Sent: Tuesday, May 23, 2006 11:24 PM
Subject: Re: Circumventing quarantine control in Windows 2003 and ISA 2004

Any such quarantine control can be circumvented. The Checkpoint VPN has a similar feature, which can be enabled if you pay a pound of flesh per annum. It can be circumvented in a similar way - you have to replace a Checkpoint DLL with a custom compiled one, such that the local checks will always return true. I think the specifics were posted either here or to FD a while ago. There is just no way of verifying these things reliably. You can raise the bar somewhat by doing the grading at the server end, rather than telling the client the passing answers, but an attacker who can figure out a reasonable set of answers will always win.

Cheers
Mark