Educause Security Discussion mailing list archives

Re: DHS --> Updated MS Advisory


From: Omar Herrera <omar_herrera () BANXICO ORG MX>
Date: Fri, 1 Aug 2003 13:03:35 -0500

Blocking these ports on the perimeter of your network is necessary; we
have done so as well without any repercussions.

The problem with this vulnerability, however, is on the internal side of
the network. Most of our students have laptops of their own, and it is
not likely that all of them will patch them (hopefully many of them
will).

 

Suggesting that students and professors patch their own machines while we
patch the servers is the best solution I can think of, because if a worm
appears on the internet, several personal computers will be infected.
The attack is not targeted at servers but rather at almost any Windows
machine, and personal computers will most likely be the ones getting
infected.

A dangerous scenario, if a well-programmed worm appears, would be:

a) students with unpatched machines connect to the internet from their homes and get infected

b) the students then come to the university and they eventually connect to the internal network

c) many other unpatched machines connected to the internal network get infected

We just can’t block these ports internally on all switches and routers
because many MS Windows applications rely on them, including file
sharing over the network (if I remember correctly).

In conclusion, my recommendations would be:

a) block these ports on your perimeter firewall (this shouldn’t affect OWA)

b) patch your systems (make all proper tests before applying to critical servers)

c) promote the patch among your community (post patch on your intranet and send warnings through printed publications on your campus)

Omar Herrera, CISSP
Instituto Tecnológico y de Estudios Superiores de Monterrey,
Mexico City Campus
Information security topic and laboratory

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Friday, August 01, 2003 11:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DHS --> Updated MS Advisory

DHS and Microsoft further suggest that Internet Service Providers and
network administrators consider blocking TCP and UDP ports 135, 139, and
445 for inbound connections unless absolutely needed for business or
operational purposes.  

Can anyone say that they have done this and what are any repercussions
you've felt?  I might be missing something in my research but is there
any traffic on those ports that I might care about?  Will this affect
OWA?

Jacob Barros
Grace College and Seminary
574-372-5100

********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/memdir/cg/.
