RE: Security hole at boot

  • From: Dar Scott <dsc@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 1 Jan 2002 14:24:31 -0700




At 10:57 AM -0800 1/1/02, Jim Harrison wrote:
> I wouldn't mess with the services start codes; those directly relate to how
> the services start up (automatic, manual, disabled).

0 boot 1 system 2 auto 3 manual 4 disabled

> changing that data
> will have very unpredictable effects.

Yeah. That's why I was asking folks about this.

> As far as dependencies, ISA still depends on the base TCP/IP services; that's
> why the dependencies exist as they do.

That's true. But if I approach this as keeping the window between TCP/IP starting and ISA IP Filtering starting to a minimum, I want to know what has to start in between. Basically, I want the SCM to start ISA IP Filtering as soon as it can, to force it to start before all TCP-using services.


Unfortunately, dependencies are driven by the service doing the depending, not the service inserting a level in below.

> The thing to bear in mind here is that until Windows has finished its
> startup, no services are answering even if the TCP/IP ports are showing
> "active".

Let's see. I got time & date before. I can telnet and dir. I can pcAnywhere and get the desktop. I didn't get far with any since I was doing both, but with scripts I could.


> Those are two different issues.

Even so, traffic like AV file requests gives away what type of anti-virus I'm using and might present a chance for a bogus AV def file to be sent back.


> If you can actually obtain more data than OS fingerprinting, I'd love to
> know what you get.  That would certainly be something to pass on to the ISA
> and/or Windows teams.

I admit that this is a vulnerability that is only halfway. The other half might be something already known, like knowing passwords normally used from the inside, or the other half is gained because of what is learned from this vulnerability. Just knowing what services are running on the computer can be an edge in a social engineering attack. Also, services on average are running only during the last half of that minute window. However, I see it as not having a firewall for up to a minute.


The ISA team may have to be the one to solve it, but I see it as a Windows problem. IPSec Policy filters have this same problem. So does another firewall. (If the ISA team solves it, it might be an ISA specific solution, so a general solution might be better.)

(For that other firewall, I see a 2 or 4 second window at shutdown, too.)

Dar Scott
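One way to answer "what has to start in between", as an added example that is not part of this thread or of ISA Server: the script below walks a constructed snapshot of service Start values and DependOnService lists and reports the services the SCM starts at boot that need TCP/IP but are not ordered (even transitively) after the filter service. The service names, including "IsaFilter" standing in for ISA IP Filtering, are assumptions; on a real machine the snapshot would be read from the registry rather than hard-coded.

```python
from typing import Dict, List, Set, Tuple

# Start codes as listed in the thread: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
BOOT, SYSTEM, AUTO, MANUAL, DISABLED = 0, 1, 2, 3, 4

# Constructed snapshot of service configuration: name -> (Start value, DependOnService).
# "IsaFilter" is a hypothetical name standing in for the ISA IP filtering service.
# Real configurations also carry DependOnGroup entries, which this snapshot ignores.
SNAPSHOT: Dict[str, Tuple[int, List[str]]] = {
    "Tcpip":     (SYSTEM, []),
    "IsaFilter": (AUTO,   ["Tcpip"]),
    "Telnet":    (AUTO,   ["Tcpip"]),           # may start before the filter
    "W3SVC":     (AUTO,   ["IsaFilter"]),       # ordered after the filter
    "AvUpdate":  (AUTO,   ["Tcpip", "RpcSs"]),  # may start before the filter
    "RpcSs":     (AUTO,   []),                  # does not use TCP/IP here
    "RemoteCtl": (MANUAL, ["Tcpip"]),           # not started by the SCM at boot
}

def transitive_deps(name: str, snapshot) -> Set[str]:
    """Every service `name` depends on, directly or through other services."""
    seen: Set[str] = set()
    stack = list(snapshot.get(name, (None, []))[1])
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(snapshot.get(dep, (None, []))[1])
    return seen

def unprotected_autostart(snapshot, network="Tcpip", filt="IsaFilter") -> List[str]:
    """Services the SCM starts at boot that need the network stack but are
    not ordered after the filter: these can be listening inside the window."""
    found = []
    for name, (start, _) in snapshot.items():
        if name == filt or start not in (BOOT, SYSTEM, AUTO):
            continue
        deps = transitive_deps(name, snapshot)
        if network in deps and filt not in deps:
            found.append(name)
    return sorted(found)

if __name__ == "__main__":
    for svc in unprotected_autostart(SNAPSHOT):
        print(f"{svc}: starts without waiting for the filter")
```

Each service the script reports is a candidate for an added DependOnService entry on the filter, which is the only direction the SCM's dependency model allows.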