Educause Security Discussion mailing list archives

Re: DHS --> Updated MS Advisory


From: "Barros, Jacob" <jkbarros () GRACE EDU>
Date: Fri, 1 Aug 2003 15:01:44 -0500

Thanks for your detailed response.
 

        -----Original Message-----
        From: Omar Herrera [mailto:omar_herrera () BANXICO ORG MX] 
        Sent: Friday, August 01, 2003 1:04 PM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] DHS --> Updated MS Advisory
        
        

        Blocking these ports on the perimeter of your network is necessary; we have done so as well without any repercussions.

        The problem with this vulnerability, however, is on the internal side of the network. Most of our students have laptops of their own, and it is not likely that all of them will patch them (hopefully many of them will).

         

        Suggesting that students and professors patch their own machines while we patch the servers is the best solution I can think of, because if a worm appears on the internet, several personal computers will be infected. The attack is not targeted at servers but rather at almost any Windows machine, and personal computers will most likely be the ones getting infected.

         

        A dangerous scenario, if a well-programmed worm appears, would be:

        a)       students with unpatched machines connect to the internet from their homes and get infected

        b)       the students then come to the university and they eventually connect to the internal network

        c)       many other unpatched machines connected to the internal network get infected

         

        We just can't block these ports internally on all switches and routers because many MS Windows applications rely on them, including file sharing over the network (if I remember correctly).

         

        In conclusion, my recommendations would be:

        a)       block these ports on your perimeter firewall (this shouldn't affect OWA)

        b)       patch your systems (make all proper tests before applying to critical servers)

        c)       promote the patch among your community (post patch on your intranet and send warnings through printed publications on your campus)

         

         

         

        Omar Herrera, CISSP

         

        Instituto Tecnológico y de Estudios Superiores de Monterrey, 

        Mexico City Campus 

        Information security topic and laboratory

         

        -----Original Message-----
        From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On behalf of Barros, Jacob
        Sent: Friday, August 01, 2003 11:44 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] DHS --> Updated MS Advisory

         

         

        DHS and Microsoft further suggest that Internet Service Providers and network administrators consider blocking TCP and UDP ports 135, 139, and 445 for inbound connections unless absolutely needed for business or operational purposes.

        Can anyone say that they have done this and what are any repercussions you've felt?  I might be missing something in my research but is there any traffic on those ports that I might care about?  Will this affect OWA?

         

        Jacob Barros

        Grace College and Seminary

        574-372-5100

         

                 

        ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
