[THIN] Re: New Critical MS Fix MS06-040 ?!?!

  • From: "Monroe, Frank" <Frank.Monroe@xxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Sun, 13 Aug 2006 14:48:54 -0400

I don't think you understand.  This in fact addresses non-rogue
systems.  It is impossible for a system with this design to get
infected.  Since all corporate systems are configured this way, a user
can drop their laptop off on any network and not be infected.  This is
because the desktops/laptops only answer to the few IT systems that are
used to manage these systems.  So, in order for those laptops/desktops
to be infected, it would have to be infected from one of the management
systems.  And since the management systems are configured in the same
manner, they also can't be infected.  Believe me this works and it works
quite well.  We started this design immediately after Windows 2000 was
released and have not had one attack on ANY system so far.  Of course we
still patch.  But we don't have to worry about rushing out a patch that
has not been tested.
 
I understand what you say in your second paragraph because that's what
we hear from consultants all the time.  But, I really don't have a
problem inconveniencing a few consultants when the trade off is securing
our network.  If we have a consultant that doesn't comply, then we move
on to the next vendor.


________________________________

        From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Shonk
        Sent: Friday, August 11, 2006 9:08 AM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!

        That only addresses rogue machines....  A user can still take a
        trusted laptop home, infect it, and bring it back to the trusted
        network.  Most viruses, worms and trojans are being designed to
        circumvent today's security measures.  Firewalls and AV software can only
        do so much against socially engineered attacks.

        Also, only allowing trusted machines on your network presents a
        problem for us consultants.  I prefer to use my laptop as it has all the
        tools and resources I need on it.   Trying to use a customer-provided
        machine with limited access, tools and resources has always been a
        nightmare.  It's like trying to soup up a Dodge Neon and expecting it to
        run well in this weekend's NASCAR race at Watkins Glen.
        
        Joe
        
        
        On 8/10/06, Monroe, Frank <Frank.Monroe@xxxxxxxxxxx> wrote: 

                That's why you should enable the Windows firewall on all desktops and
                enable IPSEC pass-through from a specific domain group and do the same
                on all servers but allow domain computers access.  This isolates the
                desktops so that they can only be infected by trusted systems (if
                trusted they shouldn't be able to be infected).  And isolates your
                servers to all but domain member machines.  When you do this, if a rogue
                system enters your network, they may have the worm, but they cannot
                infect anything (except other rogue systems).
                
                > -----Original Message-----
                > From: thin-bounce@xxxxxxxxxxxxx
                > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Landin, Mark
                > Sent: Thursday, August 10, 2006 9:35 AM
                > To: thin@xxxxxxxxxxxxx
                > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                >
                > Any vulnerability which does NOT require user interaction to
                > activate is critical. A firewall helps, but if you are on a
                > corp network, and someone brings in an infected PC from
                > outside or from the road, then now you have an infecting
                > agent behind the firewall, and it will compromise any
                > unpatched system.
                >
                > Firewalls are no substitute for patching.
                >
                > -----Original Message-----
                > From: thin-bounce@xxxxxxxxxxxxx
                > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Matthew Shrewsbury
                > Sent: Thursday, August 10, 2006 6:55 AM
                > To: thin@xxxxxxxxxxxxx
                > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                >
                > Any idea why this patch seems to be pushed as urgent? It
                > sounds like if you have a firewall blocking ports 139 and 445
                > there isn't any risk from the net?
                >
                > Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
                > Network Manager
                >
                > -----Original Message-----
                > From: thin-bounce@xxxxxxxxxxxxx
                > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Selinger, Stephen
                > Sent: Wednesday, August 09, 2006 4:18 PM
                > To: thin@xxxxxxxxxxxxx
                > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                >
                > Any update on if this patch breaks anything. I have been
                > advised by my security monitoring service to get this updated ASAP.
                >
                > -----Original Message-----
                > From: thin-bounce@xxxxxxxxxxxxx
                > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Schneider, Chad M
                > Sent: August 9, 2006 7:40 AM
                > To: 'thin@xxxxxxxxxxxxx'
                > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                >
                > We received the e-mail of this patch late yesterday....got a
                > voice mail an hour later, and another follow-up this
                > AM....this one is getting more attention from M$ than I can
                > ever recall.  They asked that we make every effort to get
                > installed in the next 72 hours.
                >
                > -----Original Message-----
                > From: thin-bounce@xxxxxxxxxxxxx
                > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Pardee
                > Sent: Wednesday, August 09, 2006 7:00 AM
                > To: thin@xxxxxxxxxxxxx
                > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                >
                > I just received an email from our MS rep asking us if we had
                > tested this, what the reasons were if we hadn't, and when we
                > plan on rolling it out.
                > They consider this a Level 3 patch and said it is extremely critical.
                >
                > We'll focus more on our Internet accessible nodes first (none
                > are TS) but will start the testing with it internally over time.
                >
                > This is the first I've ever had our TAM contact us with
                > questions over why we wouldn't just deploy it.
                >
                >
                > > From: Steve Greenberg <steveg@xxxxxxxxxxxxxx>
                > > Reply-To: <thin@xxxxxxxxxxxxx>
                > > Date: Wed, 9 Aug 2006 00:31:20 -0700
                > > To: <thin@xxxxxxxxxxxxx>
                > > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                > >
                > > As usual, this is a case where patience and logic do not rule :-)  The
                > > client is already in the process of applying the patch well over a hundred
                > > non TS systems. It is the TS systems that we have some influence on and are
                > > being requested to come back with field reports. So far on in house test
                > > system, no problems.
                > >
                > > These are situations in which the client is being "ordered" to go ahead and
                > > install the patches. Your explanation is perfect, but the bottom line is
                > > that they are going to have to go ahead and do this, I am just hoping
                > > someone else has jumped first and can tell us what the bottom of the cliff
                > > looks like!
                > >
                > > Steve Greenberg
                > > Thin Client Computing
                > > 34522 N. Scottsdale Rd D8453
                > > Scottsdale, AZ 85262
                > > (602) 432-8649
                > > www.thinclient.net
                > > steveg@xxxxxxxxxxxxxx
                > >
                > >
                > >   _____
                > >
                > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
                > > Of Rick Mack
                > > Sent: Tuesday, August 08, 2006 11:36 PM
                > > To: thin@xxxxxxxxxxxxx
                > > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                > >
                > > Hi Steve,
                > >
                > > Patching the server service on file/print backend servers and TS is kind of
                > > scary considering the things that could break.
                > >
                > > I'm fairly pragmatic about this sort of thing because at the end of the day,
                > > it's all about risk management.
                > >
                > > I wouldn't disregard a critical update on my internet exposed systems but
                > > production TS is a different story.
                > >
                > > Taking past experience into account, in an adequately secured internal
                > > network, the Microsoft security hotfixes have caused more system outages
                > > than any exploits.
                > >
                > > Any internet-exposed systems should have the server service disabled as a
                > > matter of course, in addition to appropriate firewall filtering etc.
                > > Educational environments with TS/Citrix should be using internal firewalls
                > > to limit exposure to ICA/http only.
                > >
                > > It's a question of what's a bigger risk, a known exploit with defined
                > > work-arounds or an unknown failure due to inadequate regression testing in
                > > the fix?
                > >
                > > If potential buffer overflow vulnerabilities in the server service were the
                > > only vulnerabilities in the average internal network, we'd be pretty darn
                > > secure.
                > >
                > > My recommendation is don't be panicked into installing this hotfix in
                > > production. Test it in a development environment, if that's okay install on
                > > a single production server. If nothing has broken after a couple of weeks
                > > and nobody else is hurting, then patch your production systems.
                > >
                > > I'll let you know what it breaks in a month's time ;-)
                > >
                > > regards,
                > >
                > > Rick
                > >
                > > Ulrich Mack
                > > Volante Systems
                > >
                > >   _____
                > >
                > > From: thin-bounce@xxxxxxxxxxxxx on behalf of Steve Greenberg
                > > Sent: Wed 9/08/2006 16:04
                > > To: thin@xxxxxxxxxxxxx
                > > Subject: [THIN] New Critical MS Fix MS06-040 ?!?!
                > >
                > > Does anyone have experience yet with this new critical patch in production
                > > 2003/PS4 environments?
                > >
                > > http://www.microsoft.com/technet/security/Bulletin/ms06-040.mspx
                > >
                > > We have customers who are asking for any available feedback on the effect of
                > > installing this new critical fix as they are being required to deploy it
                > > right away in production!!!
                > >
                > > Any experience? Any gotchas??
                > >
                > > thanks
                > >
                > > Steve Greenberg
                > > Thin Client Computing
                > > 34522 N. Scottsdale Rd D8453
                > > Scottsdale, AZ 85262
                > > (602) 432-8649
                > > www.thinclient.net
                > > steveg@xxxxxxxxxxxxxx
                > >
                > > #####################################################################################
                > >
                > > This e-mail, including all attachments, may be confidential or privileged.
                > > Confidentiality or privilege is not waived or lost because this e-mail has
                > > been sent to you in error. If you are not the intended recipient any use,
                > > disclosure or copying of this e-mail is prohibited. If you have received it
                > > in error please notify the sender immediately by reply e-mail and destroy
                > > all copies of this e-mail and any attachments. All liability for direct and
                > > indirect loss arising from this e-mail and any attachments is hereby
                > > disclaimed to the extent permitted by law.
                > >
                > > #####################################################################################
                > >
                >
                > ************************************************
                > For Archives, RSS, to Unsubscribe, Subscribe or set Digest or
                > Vacation mode use the below link:
                > //www.freelists.org/list/thin
                > ************************************************
                >
                > This communication is intended for the use of the recipient
                > to which it is addressed, and may contain confidential,
                > personal and or privileged information.  Please contact us
                > immediately if you are not the intended recipient.  Do not
                > copy, distribute or take action relying on it. Any
                > communication received in error, or subsequent reply, should
                > be deleted or destroyed.