As I sit here with my fleet of computers beeping and playing the Windows tune as I push patches and force reboots.....just a friendly reminder.......

Most of the hacks from the outside are due to lousy passwords [ensure that they are complex, longer than 8 characters] and from unpatched systems. Most of the real security issues come from the inside...... unprotected systems, outdated A/V, not relying on "defense in depth" [for example two passes of A/V over email, once in Exchange, once on the desktop].

If you have port 80 open.... [how do I know this? Go to www.grc.com, click on Shields Up/Ports Up and see what you have open.] ..... and fast-track yourself on patches.

That said... our recent 03-026 security bulletin having to do with a vulnerability in RDP...that little sucker is a worm waiting to occur. A Polish team of guys [see their web site at http://lsd-pl.net/special.html] has not released the exploit but they are threatening to do so after people have had time to patch. This sucker hits ports 135, 139 and 445.... in plain English, that's how we talk to other computers, and while we can easily protect our server systems from a port 135, 139 and 445 attack on the OUTSIDE by ensuring our firewalls are installed properly, we ALL have a squishy creamy middle on the inside that we can only protect with this patch...... all home users that don't have a firewall..... anyone who VPNs into the office bypasses all that protection. Also, anyone who has been getting Messenger service popups on their server.....dude, that's a sign that you've got a squishy creamy outside that's not protected..... MAKE sure that "enable netbios over tcp/ip" is unticked and only tcp/ip is checked if you are running a two-NIC setup. If you are running a one-NIC setup and a hardware firewall and getting these Messenger service popups [not to be confused with back-ads on IE that are due to spybots] then dude, your firewall is not configured right. Go to www.grc.com [look for Shields Up, go to Shields Up/Ports Up and if 135, 139 or 445 are open..... your firewall is not installed right].

I cannot stress this enough..... SANS is stressing three biggies this week... one is a Cisco router vulnerability ... denial of service affecting Cisco routers, then there are a couple of nasty Linux vulnerabilities, and this one in the Windows world. It's just a real unfriendly world out here on the Internet these days, plain and simple, for everyone just trying to do their job.

<<Soapbox rant on>>
The days of installing systems and not monitoring them are over. Welcome to the maturing of computing where we have to take care of these little boxes that we've installed. I cannot stress this enough... even us little guys have all the tools we need to do patch management [in fact I would argue that we probably have more options at better prices than the big guys.... we've got two options that are free].

SUS/Shavlik/St. Bernards.... if you don't have a patch management solution in place for every single computer system attached to your network, get one. SUS is free, Shavlik.com has a free hfnetchkLT that I run from my workstation here. For those people that work from home....get them to sign a statement in writing that they will patch their systems. Force them to get WinXP and auto update in place.

http://www.microsoft.com/downloads/details.aspx?familyid=73ac38b7-5826-421d-99e8-cdcc608b8992
Guidance, tools, and templates for learning and performing security patch management.

Last but not least... in this day and age of computing...if your server is just acting plain ol' weird..... that's not normal. Start doing some investigation, do a virus scan, go into the user/AD console and make sure there's still a little red X on the Guest account. If that Guest account is enabled, and it's been added to the admin group, my friend, go get a stiff drink 'cause you may have a mess on your hands.

We SBSers are NO different than any other system out here. Watch those passwords, keep up to date on patching, and we do just fine. We are no less secure than anyone else....we are no more secure than anyone else..... unfortunately....

Let's just be real careful out here huh?
Sincerely,
Susan the real paranoid
P.S. If you are having problems running Windows Update from the server [which is just fine these days], shut down Exchange. I personally shut off Exchange, Officescan and ScanMail before installing patches.

Title: Buffer Overrun In RPC Interface Could Allow Code Execution
(823980)
Date: July 16, 2003
Software: Microsoft Windows NT® 4.0
          Microsoft Windows NT 4.0 Terminal Services Edition
          Microsoft Windows 2000
          Microsoft Windows XP
          Microsoft Windows Server™ 2003
Impact: Run code of attacker's choice
Maximum Severity Rating: Critical
Bulletin: MS02-026
The Microsoft Security Response Center has released Microsoft Security Bulletin MS03-026.
What Is It?
The Microsoft Security Response Center has released Microsoft Security Bulletin MS03-026 which concerns a vulnerability in Microsoft Windows. Customers are advised to review the information in the bulletin, test and deploy the patch immediately in their environments, if applicable.

More information is now available at http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
--
"Don't lose sight of security. Security is a state of being, not a state of budget. He with the most firewalls still does not win. Put down that honeypot and keep up to date on your patches. Demand better security from vendors and hold them responsible. Use what you have, and make sure you know how to use it properly and effectively."
~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt
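As an added example, not part of the original post, here is a read-only PowerShell check for the three things the post tells you to look at on a Windows box: whether the Guest account still has its red X and is not in Administrators, whether NetBIOS over TCP/IP is enabled per adapter, and whether anything is listening on 135, 139 and 445 behind a firewall profile that drops inbound traffic. It assumes PowerShell 5.1 or later and, on a domain controller, that the ActiveDirectory module is installed; the function names are my own.

```powershell
# Added example, not code from the original post: read-only checks for the
# items the post calls out. Nothing here changes settings on the box.
# Assumes PowerShell 5.1+ and, on a domain controller, the ActiveDirectory module.

function Test-GuestAccount {
    # The "little red X" in the console means disabled. On a domain controller
    # (the SBS case) Guest is an AD account; elsewhere it is a local SAM account.
    # Win32_ComputerSystem.DomainRole 4/5 = backup/primary domain controller.
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    if ($isDc) {
        $guest   = Get-ADUser -Identity 'Guest'
        $inAdmin = Get-ADGroupMember -Identity 'Administrators' -Recursive |
                   Where-Object { $_.SamAccountName -eq 'Guest' }
    } else {
        $guest   = Get-LocalUser -Name 'Guest'
        $inAdmin = Get-LocalGroupMember -Group 'Administrators' |
                   Where-Object { $_.Name -like '*\Guest' }
    }
    if ($guest.Enabled -and $inAdmin) { return 'ALERT: Guest is enabled AND in Administrators' }
    if ($guest.Enabled)               { return 'WARN: Guest account is enabled' }
    return 'OK: Guest account is disabled'
}

function Get-NetbiosOverTcpipState {
    # TcpipNetbiosOptions: 0 = take the DHCP server's setting, 1 = enabled, 2 = disabled.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $state = switch ($_.TcpipNetbiosOptions) {
                0 { 'default (DHCP)' } 1 { 'ENABLED' } 2 { 'disabled' } default { 'unknown' }
            }
            [pscustomobject]@{ Adapter = $_.Description; NetbiosOverTcpip = $state }
        }
}

function Get-RpcSmbExposure {
    # Local listeners on 135/139/445 are normal on Windows; what matters is whether
    # the firewall profile in front of them drops unsolicited inbound traffic.
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { (135, 139, 445) -contains $_.LocalPort } |
        Select-Object LocalAddress, LocalPort, OwningProcess
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    [pscustomobject]@{ Listeners = $listeners; FirewallProfiles = $profiles }
}

Test-GuestAccount
Get-NetbiosOverTcpipState | Format-Table -AutoSize
$net = Get-RpcSmbExposure
$net.Listeners        | Format-Table -AutoSize
$net.FirewallProfiles | Format-Table -AutoSize
```

A profile with Enabled = True and DefaultInboundAction = Block is the local equivalent of the "135, 139 or 445 not open" result the post has you confirm from www.grc.com; an ENABLED NetBIOS row on an Internet-facing adapter is the setting the post says to untick.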