http://www.ISAserver.org
-------------------------------------------------------

(retitled)

Bad Tom - you kicked off a "Jim Tech-talk" - now what will I do at Tech Ed? :-p

This individual seems to believe that "because it's BITS, it has special permissions through firewalls". This is nothing more than yet another case of "too ill-informed to speak about the technology or 'issue', so I'll publicize that fact". Sound like anyone we know?

The point he makes regarding BITS having free access through a firewall (or having the ability to "poke through") is based on the assumption that the "firewall" in question:

1. is configured to apply policies based on the process making the request. What's interesting in this statement is that "BITS" is never the process name; it's "svchost". How many of you allow "svchost" requests to exit your firewall? If you raised your hand, use it to slap yourself (or each other). Continue doing that until my grandson reaches the age of majority (he's three weeks old this past Wed). If you said "I dunno - how do I tell?", then that's a different (and more responsible) answer which we'll deal with in the second installment of this diatribe.

2. is UPnP-enabled. ISA ain't. PIX, Juniper, Checkpoint ain't. Starting to see the trend? "Real" firewalls eschew "firewall UPnP" like the malware it is. Before you go down the road of "you said <PickYourIsaCompetitor>!", remember; these are what ISA was built to compete against and the fact is, they still outnumber ISA in the firewall marketplace and go a long way in setting customer expectations for firewalls. Reality hurts; deal with it and move on.

3. allows requests to anywhere based on the HTTP User-Agent data that identifies itself as a BITS request. ISA doesn't provide such a mechanism (although I'm sure many proxies do), and so offers you better protection against this technique. You can see this in your ISA logs if you filter for "Client-Agent contains bits" in the web proxy log.
To the remaining issue of "vulnerable component in Windows"...

-- What exactly is "BITS"?

Contrary to the author's assertion that this is specific to the AU/WU/MU process (although it is certainly used by them as well as WSUS), the acronym refers to "Background Intelligent Transfer Service" and has been a client/server HTTP component since Windows 2003 shipped (XP included the client side in preparation for WS03). If you look in your services, you'll find it there; set to "Automatic" and may or may not be running (it only runs when downloading). If you examine your WS03 Add/Remove Windows Components, Application Server, IIS "Details", you'll find it as an add-on (not installed by default).

-- How does BITS operate?

As of WS00, there are two HTTP libraries provided by Windows; WinInet (IE, XMLHTTP use this) and WinHTTP (BITS, ServerXMLHTTP, RPC/HTTP use this). What BITS provides that you don't get easily with direct access to WinInet or WinHTTP is the ability to handle data in smaller pieces over time to limit immediate bandwidth consumption. This is accomplished through an HTTP/1.1 feature called "range requests". If you're having trouble sleeping, it's described in RFC 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35). Basically, range requests are used by the client to request the resource in pieces (not "chunks"; this is a different HTTP/1.1 mechanism) described in byte-ranges. If the server (and intermediate proxies) supports range requests, the content is served as requested. ISA 2004 SP2+ and 2006 include limited support for range requests. So instead of tying up your bandwidth by downloading the data *right now*, components using BITS can do it over an extended time using range requests and reassemble the data as it's received. Again; this is also possible via WinInet and WinHTTP, but the range request / receipt / reassembly process is managed for you in BITS.
This is exactly how WSUS and Automatic Updates download 300MB service packs without tying up your ISP bandwidth - by requesting and reassembling small pieces of it over time.

Three very important points that place this article firmly into the FUD category are:

1. You *must* have malware on your box that calls into BITS. If you have this malware, you probably have much worse, and thus BITS abuse is the least of your worries.

2. While BITS *is* the component being abused for the purpose of making these requests, WinInet and WinHTTP are just as "vulnerable" <gag>. The process may be more difficult, but no less "secure".

3. Your firewall / proxy has to allow the request made by the BITS-abusing malware. If you operate with an "allow-all" policy, then what can I say?

HTH,
JimmyJoeBobAlooba

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Saturday, May 12, 2007 7:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Computerworld writer gets high at work

What exactly is the feature that allows it to "get past" firewalls?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Saturday, May 12, 2007 9:27 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Computerworld writer gets high at work
>
> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019118
>
> it's actually pretty encouraging when the pickin's are this slim...
>
> All mail to and from this domain is GFI-scanned.
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
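Jim's description of BITS pulling a download in byte-range pieces (RFC 2616 section 14.35) and reassembling it, as an added worked example that is not part of the original thread or of BITS itself: a minimal Python HTTP server that honours a Range header, and a client that fetches a constructed 10240-byte payload in 4096-byte pieces and stops if the server or an intermediate proxy answers 200 instead of 206. The payload, loopback server and piece size are assumptions chosen for the demonstration.

```python
import http.server
import threading
import urllib.request

PAYLOAD = bytes(range(256)) * 40  # constructed 10240-byte stand-in for a large update file

class RangeHandler(http.server.BaseHTTPRequestHandler):
    """Serves PAYLOAD; honours one 'Range: bytes=start-end' header (RFC 2616 sec 14.35)."""

    def do_GET(self):
        rng = self.headers.get("Range", "")
        if rng.startswith("bytes="):
            start, end = rng[6:].split("-", 1)
            start = int(start)
            end = min(int(end) if end else len(PAYLOAD) - 1, len(PAYLOAD) - 1)
            body = PAYLOAD[start:end + 1]
            self.send_response(206)  # Partial Content
            self.send_header("Content-Range", f"bytes {start}-{end}/{len(PAYLOAD)}")
        else:
            body = PAYLOAD
            self.send_response(200)  # no Range header: whole resource in one response
        self.send_header("Accept-Ranges", "bytes")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass

def start_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), RangeHandler)  # ephemeral loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def fetch_in_pieces(url, piece_size):
    """Download url piece by piece with range requests; returns (data, request_count)."""
    pieces, offset, count = [], 0, 0
    while True:
        hdr = {"Range": f"bytes={offset}-{offset + piece_size - 1}"}
        with urllib.request.urlopen(urllib.request.Request(url, headers=hdr)) as resp:
            count += 1
            if resp.status != 206:  # server or proxy ignored Range: piecewise download impossible
                raise RuntimeError("range requests not supported here")
            data = resp.read()
            total = int(resp.headers["Content-Range"].rsplit("/", 1)[1])
        pieces.append(data)
        offset += len(data)
        if offset >= total:
            return b"".join(pieces), count
```

A proxy that strips or ignores Range (the "limited support" Jim mentions for ISA) shows up here as a 200 on the first request, which is exactly the case the client refuses.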
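The log-side check Jim points to ("Client-Agent contains bits" in the web proxy log), as an added example that is neither the list's nor ISA's own tooling: a small Python parser for a W3C-style extended log with a #Fields: directive, plus a filter that flags BITS-agent requests to hosts other than the update sources you expect (your WSUS box, vendor update hosts). The field list, hostnames, addresses and agent strings are constructed sample values, not a real ISA export.

```python
from collections import Counter

# Constructed sample in the style of a W3C extended log; the field list is a simplified
# stand-in and is not a real ISA Server export.
SAMPLE_LOG = """\
#Software: constructed sample (not a real ISA export)
#Fields: c-ip cs-username c-agent date time r-host s-action sc-status cs-uri
10.0.0.5 alice Mozilla/4.0+(compatible;+MSIE+7.0) 2007-05-12 09:27:01 www.computerworld.com Allowed 200 http://www.computerworld.com/action/article.do
10.0.0.5 alice Microsoft+BITS/6.6 2007-05-12 09:31:14 wsus.corp.example Allowed 206 http://wsus.corp.example/Content/update.cab
10.0.0.9 - Microsoft+BITS/6.6 2007-05-12 09:40:22 files.example.net Allowed 206 http://files.example.net/x.bin
10.0.0.9 - Microsoft+BITS/6.6 2007-05-12 09:40:23 files.example.net Allowed 206 http://files.example.net/x.bin
10.0.0.7 bob Mozilla/4.0+(compatible;+MSIE+7.0) 2007-05-12 09:41:00 files.example.net Denied 403 http://files.example.net/x.bin
"""

def parse_w3c(text):
    """Return one dict per data row, keyed by the names in the #Fields: directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no request data
        elif fields:
            values = [v.replace("+", " ") for v in line.split(" ")]  # W3C logs encode spaces as '+'
            rows.append(dict(zip(fields, values)))
    return rows

def bits_requests(rows, expected_hosts):
    """Rows whose client agent contains 'bits' (case-insensitive) and whose destination is not
    one of the update sources you expect; these are the ones worth a second look."""
    return [r for r in rows
            if "bits" in r["c-agent"].lower() and r["r-host"] not in expected_hosts]

def summarise(rows):
    """Count flagged requests per (client IP, destination host) for quick triage."""
    return Counter((r["c-ip"], r["r-host"]) for r in rows)
```

The agent string is whatever the client chose to send, so this is a triage filter, not a policy control; Jim's point 1 (the process is svchost, not "BITS") is why the process name is no better a handle.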