Hi Jim,

OK, so it's correct that the RPC filter *does* protect outbound. <sigh of relief>

I understand re: LCD. I tried that approach. I disabled all my protocol and Site and Content Rules, but my mail got stuck in the queue. I had to enable them again to send this. :-)

Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, August 14, 2003 11:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: MS-Blast scripts

http://www.ISAserver.org

That's the bad part; I have to assume the "least capable" when I write these scripts. There are many folks who choose not to use FP1 and all its kewl toys.

..for that matter, I think if you disable all outbound policies, then you'd never infect anyone with anything (except maybe the occasional cold). ;-)

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, August 14, 2003 07:57
Subject: [isalist] RE: MS-Blast scripts

Hi Jim,

Hmmmm. I had the impression that if you created an outbound RPC Protocol Rule, that the updated RPC filter included in FP1 created a special RPC Protocol Definition that prevented the attack. Like the FTP filter's protocol definitions are tied to the FTP Access application filter, I thought the RPC Protocol Definition was tied to the RPC filter and therefore denuded the exploit. Now I'm getting really confused!

Given the number of exploits carried out on TCP 80, TCP 25 and TCP 110, do you think I should shut those ports too? ;-) (www.tacteam.net/openport.htm)

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, August 14, 2003 9:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: MS-Blast scripts

Yep... but if it's a choice between outbound RPC and litigation because you sourced an infection elsewhere, it's OWA time...

Unfortunately, the RPC filter only acts on inbound RPC. <sigh>

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Thu, 14 Aug 2003 01:54:44 -0500 "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> wrote:

Hi Jim,

One of the actions of the script blocks outbound access to TCP 135. Won't this disable outbound Exchange RPC? Since we have the RPC filter, why do that? Won't it whack the utility of outbound Exchange Server access?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, August 14, 2003 1:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] MS-Blast scripts

OK; I finally finished them:
http://isatools.org/msblast.zip

It contains two scripts:
- block_msblast.vbs; this will prevent an internal infection from spreading outside your walls; it likes all Enterprise variations and Standalone environments equally
- fix_msblast.vbs; this will remove the little bugger and even validate your hotfix installation (in the registry, anyway)

..take a look at the logic for the blocker script; you'll understand why scripting rules for Enterprise environments can get so hairy.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')