As I read the documentation...the virus scans for TCP 135 and uses that for its initial infection. Why would it be a bad thing to close this port until all your patching was complete?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 12, 2003 11:05 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Blocking w32.blaster.worm?

http://www.ISAserver.org

Hi Jim,

I like this one, although they do make the same sort of a ridiculous statement at the end regarding 135. Somewhat like the dopes at CERT and other places who say "close 135, etc". I haven't "closed the port" (cf. www.tacteam.net/openport.htm) for RPC because I use ISA firewalls, so I'm not going to get whacked from external hosts. Of course patches are applied and viruses/worms are scanned for, but I certainly would not deprive myself, nor my customers, of the utility of Exchange RPC when there is no need to.

It's like putting bolts on the doors in the ladies dormitory. The boys will just come in through the windows ;-) The issue is the "services" inside the room, not the number on the door in front of the service. You got to make the "girls" inside resistant to attack, not just close the door.

This "how do I open/close a port" mentality has to stop! Ports are just a number on a door, it's the service that's the issue, not the door number, and if a smart layer 7 aware firewall handles the issue, the "door number" is immaterial. Leave the "open/close the port" shenanigans to PIX admins :-).

Arrrgh.

Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, August 12, 2003 9:26 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Blocking w32.blaster.worm?

This is the best description I've seen so far.
http://www.eeye.com/html/Research/Advisories/AL20030811.html

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Matthew Bunce" <isa.mailinglist@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 12, 2003 06:10
Subject: [isalist] Blocking w32.blaster.worm?

I have done all I can to secure my internal network, patching everything that even looks like a computer (believe me, the toaster did not like having a CD with the patch on it inserted!). VPN has been suspended until further notice while we make sure that all our partners are secured and patched, and all laptops are being checked in a sandbox environment until we are sure they are clean.

What ports on our external ISA can I block to stop incoming/outgoing activity by this worm if for any reason we have an infection? Will failed connections to RPC on the ISA cause any DoS? Is there anything I can do to limit the damage of an infection coming in via VPN? Are there port filters I can apply to VPN traffic?

Many thanks.

Matthew Bunce
Kluster (UK) Limited

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')