On 2008-03-13 Dan Lynch wrote:
>> Why not allow all outbound traffic from the webserver to port 80/tcp,
>> and set the proxy on the webserver statically to 127.0.0.1:9 via
>> local policies, with the domains required for automatic updates as
>> exceptions?
>
> Not a bad idea, setting the network perimeter firewall to allow all
> outbound HTTP from our DMZ servers, but configuring IE on each of them
> with a proxy server setting of 127.0.0.1:(any). This will stop all
> outbound HTTP. Then providing a short list of proxy exceptions in IE
> (specifically, *.update.microsoft.com, and download.windowsupdate.com)
> should enable the Windows Automatic Update feature.
>
> But isn't the proxy setting configurable to anyone with user-level
> rights?

Normally yes. However, defining the proxy in the local policies (via
gpedit.msc) should prevent users from changing that setting.

Mark Russinovich has blogged that limited users may still be able to
modify some policies [1], but I don't know if the proxy setting is
affected by this if you change it from per-user to system-wide.

[...]
> Is there a way to prevent this? Or is it pointless? I'm under the
> impression (please correct it if I'm wrong) that darn near any
> vulnerability in a Windows system (especially IIS) can eventually be
> leveraged into a full system compromise.

Although some vulnerabilities allow for privilege elevation it's not as
common as one may think. In most cases code is executed with the
privileges of the exploited process. However, if the exploited process
is running with admin privileges (e.g. because the user who spawned it
is logged in with an admin account) the difference is practically void.

[1] http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventin
g-group-policy-as-a-limited-user.aspx

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

[ reply ]