"Full-Disclosure" <[EMAIL PROTECTED]> wrote:

> In a corporate environment, you will have SUS or SMS running.
> If so, no need for internet access.

But, need for general network access to get to those machines, thereby breaking the "no general network access until secure" rule. You could have a second SUS/SMS setup mirroring the configs off the general network ones and only allow that to synch off the general one when the test/setup network is not being used for anything else _and_ no "unfinished" boxes are attached to the test/setup network.

Also, in other "institutional" environments that are not strictly "corporate" that distinction can be _very_ hard to meet for such a setup (e.g. universities and the like).

> If you don't have this, just place a firewall on the box, or before the
> box.
> How hard can this be? You do it the same way, as you would do before
> you would patch debian/*bsd/gentoo/etc/etc/etc.

Yeah, yeah. It's easy to decide the level of exposure _you_ are comfortable with and I was not saying that everyone should do it that way, just that that was a valid set of restrictions to have to work under.

> There is no real problem here. Don't blame Microsoft if you can't come
> up with solutions to simple security "problems".

I was not blaming them for that. I was blaming them for their own failure (much like yours) to think outside their own level and realm of experience and/or their failure (much like yours) to acknowledge that there could be situations where the solution they were comfortable with was not acceptable.

Think outside the box dude -- oh wait, it seems you cannot see it, so I guess that is asking too much of you...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html