Re: 3 new crucal updates today for Server 2003
- From: "Andrew English" <andrew@xxxxxxxxxxxxxxxxxxxxxx>
- To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
- Date: Tue, 11 Jan 2005 20:16:27 -0500
Here the problem with your analogy.
Microsoft releases security updates for a reason. There has been many
cases were production servers has fallen to attacks which resulted in
Microsoft being blamed for unjustly because the server admins failed to
apply the posted security patches from Microsoft.
Security patches are released for a reason. If you wish to jeopardize
your own companies security by failing to apply any security patch
Microsoft releases then you have to realize it will be your job online
if something were to back fire and your production servers security were
to be breached because you failed to patch them.
I agree you should test the patches on non-production servers first,
however I don't agree that you should never apply them at all.
I heard one on a Tech show that MS wanted Congress to pass a bill that
would allow the US Government to lay files on Corporations that bitched
about their productions servers security being compromised if they
failed to install a any of the Microsoft security patches which
addressed the issue. Honestly it's too bad something this couldn't
happen, it sure as hell would change the way things are done for the
good! :)
Andrew
-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx]
Sent: Tuesday, January 11, 2005 8:00 PM
To: [ExchangeList]
Subject: [exchangelist] Re: 3 new crucal updates today for Server 2003
http://www.MSExchange.org/
On Tue, 11 Jan 2005 18:19:38 -0500, Andrew English
<andrew@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> There are three new critical updates today posted on Windows Updates
for
> Windows 2003 Server.
Might I add that if you don't want to install these on your production
servers yet, you can mitigate your risk to these vulnerabilities - and
many others (know and unknown) - by following these simple best
practices:
1) Do no use Internet Exploiter on your servers unless you are viewing
a trusted website, such as windowsupdate.microsoft.com.
2) Do not install or use email client software on any of your servers.
Do not view emails on your server.
3) Do not allow untrusted (external networks/Internet) unrestricted
access to any unessential UDP or TCP ports on your server. For more
info read the workaround section of the recently released
vulnerabilities, or just see this:
Microsoft has tested the following workarounds. While these
workarounds will not correct the underlying vulnerability, they help
block known attack vectors. When a workaround reduces functionality,
it is identified below.
*
Block the following at the firewall:
*
UDP ports 137 and 138 and TCP ports 139 and 445
These ports could be used to initiate a connection with the Indexing
Service to perform file system based queries. Blocking them at the
firewall will help prevent systems that are behind that firewall from
attempts to exploit this vulnerability through these ports. We
recommend that you block all unsolicited inbound communication from
the Internet to help prevent attacks that may use other ports.
*
Use a personal firewall such as the Internet Connection Firewall,
which is included with Windows XP and Windows Server 2003.
If you use the Internet Connection Firewall feature in Windows XP or
in Windows Server 2003 to help protect your Internet connection, it
blocks unsolicited inbound traffic by default. We recommend that you
block all unsolicited inbound communication from the Internet.
To enable the Internet Connection Firewall feature by using the
Network Setup Wizard, follow these steps:
1.
Click Start, and then click Control Panel.
2.
In the default Category View, click Network and Internet Connections,
and then click Setup or change your home or small office network. The
Internet Connection Firewall feature is enabled when you select a
configuration in the Network Setup Wizard that indicates that your
system is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection,
follow these steps:
1.
Click Start, and then click Control Panel.
2.
In the default Category View, click Networking and Internet
Connections, and then click Network Connections.
3.
Right-click the connection on which you want to enable Internet
Connection Firewall, and then click Properties.
4.
Click the Advanced tab.
5.
Click to select the Protect my computer or network by limiting or
preventing access to this computer from the Internet check box, and
then click OK.
Note If you want to enable the use of some programs and services
through the firewall, click Settings on the Advanced tab, and then
select the programs, protocols, and services that are required.
*
Enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block all unsolicited
inbound traffic. For more information about how to configure TCP/IP
filtering, see Microsoft Knowledge Base Article 309798.
*
Block the affected ports by using IPSec on the affected systems.
Use Internet Protocol security (IPSec) to help protect network
communications. Detailed information about IPSec and how to apply
filters is available in Microsoft Knowledge Base Article 313190 and
Microsoft Knowledge Base Article 813878.
*
Remove the Indexing Service if you do not need it:
If the Indexing Service is no longer needed, you could remove it by
following this procedure.
To configure components and services:
1.
In Control Panel, open Add or Remove Programs.
2.
Click Add/Remove Windows Components.
3.
Click to clear the Indexing Service check box to remove the Indexing
Service.
4.
Complete the Windows Components Wizard by following the instructions
on the screen.
*
You could modify any web pages that use the Index Service to block
queries longer than 60 characters. Microsoft Knowledge Base Article
890621 provides more information on how to perform these steps.
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as:
andrew@xxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx
Other related posts:
