Re: [ActiveDir] New RPC DOS

2003-09-12 Thread Glenn Corbett
Agreed Rick. Windows is probably no less secure than other OS (dons flame suit), however as Windows systems are often in the hands of people who know nothing about / don't care about security, this will be a continuing problem. Removing the plethora of "overflow" based exploit

RE: [ActiveDir] SUS - ot? not sure

2003-09-12 Thread Roger Seielstad
I believe the SUS install *requires* IIS lockdown be run first. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message-From: Jennifer Fountain [mailto:[EM

RE: [ActiveDir] New RPC DOS

2003-09-12 Thread Roger Seielstad
Oh, I definitely agree. But that's a solution. The fundamental flaw with RPC is that by its very nature, it has to have access to the entire system. You can't conceivably run the RPC service as a non-privileged user nor in a jailed environment. It is still going to require ac

RE: [ActiveDir] New RPC DOS

2003-09-12 Thread Roger Seielstad
See my other posts, but RPC *is* the issue, because it was designed without any significant forethought towards security. The Microsoft implementation wraps some degree of security around it, but that security is nearly worthless as the end point mapper requires a fairly high

RE: [ActiveDir] New RPC DOS

2003-09-12 Thread Roger Seielstad
I agree with a lot of what you both have said, however the fact remains that RPC is, in and of itself, an insecure system - RPC is built around the assumption of trust - it must implicitly trust everyone to do its job. Using RPC, a client connects to a server and requests in

RE: [ActiveDir] New RPC DOS

2003-09-12 Thread Roger Seielstad
Actually, RPC over HTTP is one of the scariest concepts I've heard in a long time. "Let's take a very insecure protocol and tunnel it through a protocol that everyone implicitly trusts" RPC at its core was a bad idea, born in a time when everyone on the network trusted eve

RE: [ActiveDir] New RPC DOS

2003-09-12 Thread Bendall, Paul
Glad I have heard this from you. I always thought this was a bad idea just tunnelling RPC through HTTP. That means most firewalls will let it through unless you inspect the RPC instructions. Paul -Original Message-From: Roger Seielstad [mailto:[EMAIL PROTECTED]Sen

[ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Joe
Howdy! As you may or may not know there is an attribute in Active Directory tied to computer objects called operatingSystemHotFix (Operating-System-Hotfix). As you may or may not know MS does not currently use this attribute though they do use operatingSystem and operatin

Re: [ActiveDir] New RPC DOS

2003-09-12 Thread Andy David
Well, I certainly wouldn't use it unless I had an RPC proxy sitting in the DMZ. :) - Original Message - From: Bendall, Paul To: '[EMAIL PROTECTED]' Sent: Friday, September 12, 2003 8:44 AM Subject: RE: [ActiveDir] New RPC DOS Glad I ha

RE: [ActiveDir] New RPC DOS

2003-09-12 Thread Mulnick, Al
Can you inspect the traffic if you secure the transmission? Some of the newer layer-7 firewalls allow you to bridge SSL, but many do not. I agree that just changing to a transport that is implicitly trusted is a bad security move. It's tantamount to security by obscurit

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Roger Seielstad
In general, I like the concept. A few thoughts. First - what's the size limit of the attribute? Some Win2k systems have required upwards of 30 patches, if not more, between service packs - which is 30x9 +1 = 271 bytes. So if that's a 255 char limit, you're going to overflow

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Joe
Good thoughts. 1. I have tested the attribute to greater than 2048 ascii characters. I should have mentioned this in the original post. That should be a considerable number of hotfixes. I have gone back and forth in my head on dropping the prefix letters since no one will b

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Tony Murray
Weird, I was talking to some colleagues today about this very thing. I like the idea. The important thing is for the information in AD to accurately reflect the hotfixes on the server, otherwise the information is worse than useless. This means the update mechanism must be robust. We were thi

RE: [ActiveDir] New RPC DOS

2003-09-12 Thread Pelle, Joe
Ah, thanks! I realized that the DCOM utility I was using to identify vulnerabilities was showing false positives when running against a PC with the MS03-039 patch. I ran the new DCOM utility and found that both patches are working successfully. Thanks for the post!

RE: [ActiveDir] Strange Windows 2003 behavior after joining AD domain

2003-09-12 Thread nsegar
Actually I did the ipconfig /flushdns - no effect. nbtstat -RR would reregister my NETBIOS names, I didn't think it would help but I did it anyway. - No result. Route print looks fine too. What kills me is that the IP stack won't even recognize the hosts file entries. GetHostByName() won't funct

RE: [ActiveDir] Strange Windows 2003 behavior after joining AD domain

2003-09-12 Thread Mulnick, Al
Best bet is to create an OU that has no GPO's to clear that out of the troubleshooting process. Move the server into that OU and test again. Be sure to refresh the GPO's so you can be sure that all have been removed. Al -Original Message-From: Ninet Seg

RE: [ActiveDir] New RPC DOS

2003-09-12 Thread Roger Seielstad
Yeah - application layer inspection is still far from prime time at this point. Change that to SSL, and you're doubly screwed. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Roger Seielstad
LOL... I can see why that makes your head hurt. I like the idea in general, and I think all the info is in existence somewhere within the registry, too, so it might be easy enough to do, but I do see the point about pending updates versus actually installed updates (i.e. has it

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Darren Mar-Elia
Typically the better patch management tools use more than just what's in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix to determine if patch is really applied. For example, they will use hash checks or version checks of the actual patched system files th

RE: [ActiveDir] Strange Windows 2003 behavior after joining AD domain

2003-09-12 Thread nsegar
Good Idea, Hopefully whatever is doing this doesn't tattoo the registry. Thx -Original Message- Best bet is to create an OU that has no GPO's to clear that out of the troubleshooting process. Move the server into that OU and test again. Be sure to refresh the GPO's so you ca

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Free, Bob
The different tools usually use a combination of determinate factors like Darren said, I usually look at the xml files to see what they use for hfnetchk or \wwwroot\dictionaries\autoupdate\win2k\items.txt file from a SUS server to see what the flavor of the day is for the expression used for de

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Joe
Thanks Bob/Darren. Roger you see now why I didn't want to focus on the method of getting the current patches. I have literally been in multihour meetings with people from MS concerning that determination. The post here was more to work out the format of the data in AD and how it gets there. :op

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Darren Mar-Elia
Joe- On your request to MS, have you already looked at the mssecure.xml file that is used by hfnetchk? This may get you part of the way--doesn't have everything you're after but does have the crc, date/filever stuff in there for all hotfixes since nearly the beginning of time ;-) -Original M

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Joe
From what I understand, that xml file only maintains security specific hotfix information. I haven't personally dumped it and gone through it but the folks I heard that from I find to be pretty credible. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behal

Re: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Glenn Corbett
Darren, you would think so, and this is one thing that s**ts me about the current way MS handle hotfixes. A number of the hotfixes installed don't appear to leave any trace in the registry or otherwise, and can't actually be verified if the patch is installed. Run the base s

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Rick Kingslan
"Even the MS BSA tool can't verify that a number of patches are installed, even though they are. We currently have about 6-10 patches as part of the build that can't actually be verified that they are installed or not. Makes it a bit difficult to ensure patches are installed w

RE: [ActiveDir] New RPC DOS

2003-09-12 Thread Rick Kingslan
Bingo! Well said. Can I add ANYTHING to what Roger has already indicated? Nope. Oh - RPC over HTTP sucks. And yes - that is a Technical term. But, then - he pretty much said that in a rather eloquent way. =) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Dire

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Darren Mar-Elia
I think you're right Joe. I guess I forget that sometimes MS releases a hotfix that's not plugging a security hole :-) -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Friday, September 12, 2003 4:26 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Any AD GURUS who Patch Syst

RE: [ActiveDir] New RPC DOS

2003-09-12 Thread Darren Mar-Elia
Of course, you realize that RPC over HTTP is basically the same thing as the latest craze in application integration--SOAP--part of the pantheon of Web Services protocols. The encoding may be different, but that's about all. And SOAP usage is exploding. So, the problem of secu

RE: [ActiveDir] New RPC DOS

2003-09-12 Thread Rick Kingslan
Darren, Yes, I do realize that SOAP and RPC over HTTP do share many elements. Unfortunately, it's a protocol soup born out of feature-itis, not true need for function. And, if the past few years have taught us anything - Security and Human Comfort are diametrically opposed

Re: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread Glenn Corbett
I can't say that I have Rick...up until sp3 (which is the latest build we currently have) it's crap. I'll check again. G. - Original Message - From: Rick Kingslan To: [EMAIL PROTECTED] Sent: Saturday, September 13, 2003 10:10 AM Subject: RE:

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread deji Agba
Actually, looking "solely" in the registry would make this exercise "worse than useless". It is this same reliance on registry entries that makes me hate Windows Update and some other Patch Mgt Tools I would not like to mention here. The registry check is a 50-50 hit or miss as fa

RE: [ActiveDir] Any AD GURUS who Patch Systems? - using operatingSystemHotFix

2003-09-12 Thread deji Agba
Rick, I actually run MBSA/SP4 in my test Lab. One of the things it couldn't find today was a directx hotfix on XP Corp Edition. Granted, it's much better than the one in my production environment, still . those whacky stuffs are not entirely gone - at least not from my Lab.