RE: MS-Blast scripts

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 14 Aug 2003 11:35:19 -0500

Hi Jim,

OK, so it's correct that the RPC filter *does* protect outbound. <sigh of
relief>

I understand re: LCD.

I tried that approach. I disabled all my protocol and Site and Content
Rules, but my mail got stuck in the queue. I had to enable them again to
send this. :-)

Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Thursday, August 14, 2003 11:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: MS-Blast scripts


http://www.ISAserver.org


That's the bad part; I have to assume the "least capable" when I write these scripts.
There are many folks who choose not to use FP1 and all its kewl toys.
..for that matter, I think if you disable all outbound policies, then you'd never infect anyone with anything (except maybe the occasional cold).

;-)

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, August 14, 2003 07:57
Subject: [isalist] RE: MS-Blast scripts




Hi Jim,

Hmmmm. I had the impression that if you created an outbound RPC Protocol
Rule, that the updated RPC filter included in FP1 created a special RPC
Protocol Definition that prevented the attack. Like the FTP filter's
protocol definitions are tied to the FTP Access application filter, I
thought the RPC Protocol Definition was tied to the RPC filter and
therefore denuded the exploit.

Now I'm getting really confused!

Given the number of exploits carried out on TCP 80, TCP 25 and TCP 110,
do you think I should shut those ports too? ;-)
(www.tacteam.net/openport.htm)

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp




-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, August 14, 2003 9:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: MS-Blast scripts




Yep... but if it's a choice between outbound RPC and litigation because you
sourced an infection elsewhere, it's OWA time...

Unfortunately, the RPC filter only acts on inbound RPC.
<sigh>

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Thu, 14 Aug 2003 01:54:44 -0500
 "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> wrote:


Hi Jim,

One of the actions of the script blocks outbound access to TCP 135.
Won't this disable outbound Exchange RPC? Since we have the RPC filter,
why do that? Won't it whack the utility of outbound Exchange Server
access?

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp



-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, August 14, 2003 1:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] MS-Blast scripts




OK; I finally finished them:
http://isatools.org/msblast.zip

It contains two scripts:
- block_msblast.vbs; this will prevent an internal infection from spreading outside your walls
    it likes all Enterprise variations and Standalone environments equally
- fix_msblast.vbs; this will remove the little bugger and even validate your hotfix installation (in the registry, anyway)

..take a look at the logic for the blocker script; you'll understand why
scripting rules for Enterprise environments can get so hairy.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
