Security Basics
Thread index:
- Patching internet facing MS systems, Mar 10 2008 10:44PM, Dan Lynch (DLynch placer ca gov) (5 replies)
- RE: Patching internet facing MS systems, Mar 27 2008 08:39PM, Kevin Ortloff (Kevin Ortloff j2global com)
- RE: Patching internet facing MS systems, Mar 12 2008 10:25PM, Dan Lynch (DLynch placer ca gov) (1 reply)
- Re: Patching internet facing MS systems, Mar 13 2008 03:49PM, Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 reply)
- RE: Patching internet facing MS systems, Mar 13 2008 05:48PM, Dan Lynch (DLynch placer ca gov) (2 replies)
- Re: Patching internet facing MS systems, Mar 13 2008 06:35PM, Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
- Re: Patching internet facing MS systems, Mar 11 2008 02:32PM, Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
disable access to the connections tab in IE, or disable access to entire
menus (tools, for instance).
This also has the added advantage of blocking access to changing the user's
home page and other functions.
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Dan Lynch
Sent: Thursday, March 13, 2008 12:48 PM
To: Ansgar -59cobalt- Wiechers; security-basics (at) securityfocus (dot) com
Subject: RE: Patching internet facing MS systems
> Why not allow all outbound traffic from the webserver to port
> 80/tcp, and set the proxy on the webserver statically to
> 127.0.0.1:9 via local policies, with the domains required for
> automatic updates as exceptions?
Not a bad idea, setting the network perimeter firewall to allow all
outbound HTTP from our DMZ servers, but configuring IE on each of them
with a proxy server setting of 127.0.0.1:(any). This will stop all
outbound HTTP. Then providing a short list of proxy exceptions in IE
(specifically, *.update.microsoft.com, and download.windowsupdate.com)
should enable the Windows Automatic Update feature.
But isn't the proxy setting configurable to anyone with user-level
rights? I suspect it wouldn't slow an attacker down too much if they
wanted to connect to "my-hacker-software.com" for a copy of their
rootkit du jour. Besides, there are other ways to make the web server
"upload" files.
Is there a way to prevent this? Or is it pointless? I'm under the
impression (please correct it if I'm wrong) that darn near any
vulnerability in a Windows system (especially IIS) can eventually be
leveraged into a full system compromise.
- Dan
Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com
> [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Ansgar
> -59cobalt- Wiechers
> Sent: Thursday, March 13, 2008 8:50 AM
> To: security-basics (at) securityfocus (dot) com
> Subject: Re: Patching internet facing MS systems
>
> On 2008-03-12 Dan Lynch wrote:
> > Thanks to those who offered ideas for this issue. The more I learn,
> > the more it seems there are no real good options for this. I've
> > learned for example that it's not possible to remove IE from a Server
> > 2003 system. I remember when IE4 wrapped itself around Windows 95's
> > Active Desktop, but had assumed various lawsuits in the meantime had
> > loosened its grip.
> >
> > I'm curious though, can IE components be leveraged in an attack
> > against a Server 2003 web server? Privilege escalation, for example?
> > Anyone tried to wrestle IE out of Server 2003?
>
> I've heard that it is possible, but it will break several
> things. For instance Windows' help system relies heavily on
> IE components. Also there are several programs using
> configuration frontends that are actually rendered by IE.
>
> [...]
> > Automatic updates is difficult for us to control, as the destination
> > web site is constantly rotating through IP addresses. I can't write a
> > firewall rule allowing our DMZ servers outbound only to Microsoft's
> > update servers by name. But I can limit the time they're allowed to
> > connect.
>
> Why not allow all outbound traffic from the webserver to port
> 80/tcp, and set the proxy on the webserver statically to
> 127.0.0.1:9 via local policies, with the domains required for
> automatic updates as exceptions?
> That way it shouldn't be much of a security risk, IMHO.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to
> patches becoming available."
> --Jason Coombs on Bugtraq
>
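As an added illustration (not code from the thread or from any of its posters), the following models the black-hole proxy scheme Ansgar proposes and Dan restates: IE's proxy is set to 127.0.0.1:9 and only the two Windows Update hosts Dan names are exceptions, so an administrator can check which hosts would still go out direct before the setting is pushed. The bypass matching is a simplification of IE's rules, the sample hosts other than the update domains are constructed, and the registry locations are given from memory as an assumption.

```python
"""Model the black-hole proxy scheme from the thread: IE is pointed at
127.0.0.1:9 (a port that normally has no listener) and only the Windows
Update hosts are listed as exceptions. All values here are constructed."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

BLACKHOLE_PROXY = "127.0.0.1:9"
# Exception list in IE's ProxyOverride format: ';'-separated patterns.
PROXY_OVERRIDE = "*.update.microsoft.com;download.windowsupdate.com;<local>"

# Registry values the scheme writes, given from memory as an assumption
# (check the IE policy reference). The Policies entry is what keeps a
# user-level account from reopening the proxy dialog, the gap Dan raises.
INET = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POLICY = r"HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel"
REGISTRY_VALUES = [
    (INET, "ProxyEnable", 1),
    (INET, "ProxyServer", BLACKHOLE_PROXY),
    (INET, "ProxyOverride", PROXY_OVERRIDE),
    (POLICY, "Proxy", 1),  # "Disable changing proxy settings"
]


def parse_override(override: str) -> list:
    """Split ProxyOverride into lower-cased, non-empty patterns."""
    return [e.strip().lower() for e in override.split(";") if e.strip()]


def host_bypasses_proxy(host: str, patterns: list) -> bool:
    """Simplified IE bypass matching: '*' wildcards against the host name,
    '<local>' for dotless names. '*.update.microsoft.com' therefore does
    not cover the bare 'update.microsoft.com'."""
    host = host.lower()
    for pattern in patterns:
        if pattern == "<local>":
            if "." not in host:
                return True
        elif fnmatchcase(host, pattern):
            return True
    return False


def route_for(url: str, override: str = PROXY_OVERRIDE) -> str:
    """'DIRECT' if the URL's host is an exception; otherwise the proxy it
    is sent to, where the request is black-holed."""
    host = urlsplit(url).hostname or ""
    if host_bypasses_proxy(host, parse_override(override)):
        return "DIRECT"
    return f"PROXY {BLACKHOLE_PROXY}"
```

Running route_for over the hosts an update actually contacts shows whether the exception list is complete; a host that comes back as PROXY will be black-holed, which is the intended fate for everything else.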