Security Basics mailing list
Thread: Patching internet facing MS systems
  Mar 10 2008 10:44PM  Dan Lynch (DLynch placer ca gov)  (5 replies)
  RE: Patching internet facing MS systems  Mar 27 2008 08:39PM  Kevin Ortloff (Kevin Ortloff j2global com)
  RE: Patching internet facing MS systems  Mar 12 2008 10:25PM  Dan Lynch (DLynch placer ca gov)  (1 reply)
  Re: Patching internet facing MS systems  Mar 13 2008 03:49PM  Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)  (1 reply)
  Re: Patching internet facing MS systems  Mar 11 2008 02:32PM  Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
> Why not allow all outbound traffic from the webserver to port
> 80/tcp, and set the proxy on the webserver statically to
> 127.0.0.1:9 via local policies, with the domains required for
> automatic updates as exceptions?
Not a bad idea, setting the network perimeter firewall to allow all
outbound HTTP from our DMZ servers, but configuring IE on each of them
with a proxy server setting of 127.0.0.1:(any). This will stop all
outbound HTTP. Then providing a short list of proxy exceptions in IE
(specifically, *.update.microsoft.com, and download.windowsupdate.com)
should enable the Windows Automatic Update feature.
But isn't the proxy setting configurable to anyone with user-level
rights? I suspect it wouldn't slow an attacker down too much if they
wanted to connect to "my-hacker-software.com" for a copy of their
rootkit du jour. Besides, there are other ways to make the web server
"upload" files.
Is there a way to prevent this? Or is it pointless? I'm under the
impression (please correct it if I'm wrong) that darn near any
vulnerability in a Windows system (especially IIS) can eventually be
leveraged into a full system compromise.
- Dan
Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com
> [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Ansgar
> -59cobalt- Wiechers
> Sent: Thursday, March 13, 2008 8:50 AM
> To: security-basics (at) securityfocus (dot) com
> Subject: Re: Patching internet facing MS systems
>
> On 2008-03-12 Dan Lynch wrote:
> > Thanks to those who offered ideas for this issue. The more I learn,
> > the more it seems there are no real good options for this. I've
> > learned for example that it's not possible to remove IE from a Server
> > 2003 system. I remember when IE4 wrapped itself around Windows 95's
> > Active Desktop, but had assumed various lawsuits in the meantime had
> > loosened its grip.
> >
> > I'm curious though, can IE components be leveraged in an attack
> > against a Server 2003 web server? Privilege escalation, for example?
> > Anyone tried to wrestle IE out of Server 2003?
>
> I've heard that it is possible, but it will break several
> things. For instance Windows' help system relies heavily on
> IE components. Also there are several programs using
> configuration frontends that are actually rendered by IE.
>
> [...]
> > Automatic updates is difficult for us to control, as the destination
> > web site is constantly rotating through IP addresses. I can't write a
> > firewall rule allowing our DMZ servers outbound only to Microsoft's
> > update servers by name. But I can limit the time they're allowed to
> > connect.
>
> Why not allow all outbound traffic from the webserver to port
> 80/tcp, and set the proxy on the webserver statically to
> 127.0.0.1:9 via local policies, with the domains required for
> automatic updates as exceptions?
> That way it shouldn't be much of a security risk, IMHO.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to
> patches becoming available."
> --Jason Coombs on Bugtraq
>
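One way to deal with the "anyone with user-level rights can change the proxy" concern raised above, as an added example and not code from the thread: apply the 127.0.0.1:9 proxy and the two Windows Update exceptions machine-wide through the IE policy value that turns off per-user proxy settings, then report drift. The registry paths and value names are the standard IE policy/Internet Settings keys; the function name Test-DmzProxyPolicy is my own.

```powershell
# Added example (not from the thread). Run elevated on the DMZ web server.
# Idea from the thread: proxy 127.0.0.1:9 (discard port, nothing listens) with
# only the Windows Update hosts as exceptions, enforced per-machine so a
# user-level session cannot simply switch the proxy off in IE.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy      = '127.0.0.1:9'
$bypass     = '*.update.microsoft.com;download.windowsupdate.com'   # exceptions from the thread

# 1. "Make proxy settings per-machine (rather than per-user)" policy:
#    ProxySettingsPerUser = 0 makes IE read HKLM and ignore each user's HKCU proxy values.
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name ProxySettingsPerUser -Value 0 -Type DWord

# 2. Machine-wide proxy and exception list (the values IE uses once step 1 is in place).
New-Item -Path $machineKey -Force | Out-Null
Set-ItemProperty -Path $machineKey -Name ProxyEnable   -Value 1       -Type DWord
Set-ItemProperty -Path $machineKey -Name ProxyServer   -Value $proxy  -Type String
Set-ItemProperty -Path $machineKey -Name ProxyOverride -Value $bypass -Type String

# 3. Drift check: returns Compliant = $false if any value was changed or removed,
#    so a scheduled task or monitoring job can raise an alert on a tampered server.
function Test-DmzProxyPolicy {
    $p = Get-ItemProperty -Path $policyKey  -ErrorAction SilentlyContinue
    $m = Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue
    $ok = ($p.ProxySettingsPerUser -eq 0) -and ($m.ProxyEnable -eq 1) -and
          ($m.ProxyServer -eq $proxy) -and ($m.ProxyOverride -eq $bypass)
    [pscustomobject]@{
        Compliant   = $ok
        ProxyServer = $m.ProxyServer
        Bypass      = $m.ProxyOverride
    }
}

Test-DmzProxyPolicy
```

The Automatic Updates service runs as LocalSystem and uses the WinHTTP proxy (proxycfg.exe on Server 2003, netsh winhttp on later versions), so check that setting separately rather than assuming the IE values cover it. This only closes the per-user override; Dan's point that a compromised server has other ways to move files out still stands, so keep the perimeter rules and time window as well.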