[THIN] Re: New Critical MS Fix MS06-040 ?!?!

  • From: "Jeff Pitsch" <jepitsch@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 14 Aug 2006 08:58:36 -0400

So, because I'm stupid and haven't done much with IPSEC, help me understand
this.  A PC goes out and gets infected from a website or an email
attachment.  The computer talks with a file server, print server, and
application servers for the user to be able to function during the day.  How
does this setup prevent the workstation from spreading the virus up to the
servers and then back down to the other PCs?


Jeff Pitsch Microsoft MVP - Terminal Server

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com



On 8/14/06, Monroe, Frank <Frank.Monroe@xxxxxxxxxxx> wrote:

You can handle blocking access to resources in two ways. First, by using IPSEC alone. With IPSEC alone you can set your systems so that they don't communicate with any other systems that don't pass IPSEC authentication. IPSEC authentication can be initiated by a certificate, pre-shared key or by Kerberos authentication. If you use the latter (which is the default), the system would have to be a domain member to communicate. The problem with using IPSEC alone is that you may have to have a rather long exception list and your allow list cannot be group based. You can also use the Windows Firewall and enable the IPSEC passthrough setting. This setting is enabled only through the local computer policy or through a GPO. It's under Computer Configuration->Administrative Templates->Templates->Network->Network Connections->Windows Firewall->Windows Firewall: Allow authenticated IPSec bypass. When enabled, any computer groups that you specify in the list will be allowed access to the system if they are a member of the particular group(s). Just turn the firewall on and block everything, including pings if you wish. What we do here is on servers we allow Domain Computers and on workstations we have a group called Trusted Computers that are allowed. Trusted Computers is a very small group. So, for a workstation/laptop to be infected it would have to be from one of the few trusted computers. But since the trusted computers don't allow incoming communication themselves, that is very, very unlikely.
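The isolation design described in this message (and in the earlier message further down the thread: servers admit Domain Computers, workstations admit only Trusted Computers, trusted computers admit nothing inbound), as an added example that is not from any of the posts: a small Python model of the firewall plus IPsec-bypass rules that computes which hosts a compromised machine could initiate connections to, which is the question asked at the top of the thread. Host and group names are constructed, and the model assumes the bypass admits only Kerberos-authenticated domain members, as the message states for the default.

```python
"""Model of the Windows Firewall + 'Allow authenticated IPsec bypass' design
from the thread. Added example; host/group names are constructed."""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    groups: frozenset          # domain groups this computer account is in
    bypass_groups: frozenset   # groups its firewall admits via IPsec bypass
    domain_member: bool = True


def can_initiate(src: Host, dst: Host) -> bool:
    """True if src can open an inbound connection to dst.

    dst's firewall drops everything except IPsec-authenticated peers whose
    computer account is in one of dst's bypass groups. Assumption: IPsec
    authentication is Kerberos (the default named in the thread), so a
    non-domain (rogue) host can never authenticate and is always dropped."""
    if not src.domain_member:
        return False
    return bool(src.groups & dst.bypass_groups)


def reachable_from(start: str, hosts: dict) -> set:
    """Hosts a worm on `start` could reach by initiating connections, hop by
    hop (each newly compromised host then tries its own peers)."""
    seen, frontier = {start}, [start]
    while frontier:
        cur = frontier.pop()
        for name, h in hosts.items():
            if name not in seen and can_initiate(hosts[cur], h):
                seen.add(name)
                frontier.append(name)
    return seen - {start}


def build_example_network() -> dict:
    """Constructed network following the thread's rules."""
    DC, TRUSTED = "Domain Computers", "Trusted Computers"
    hosts = [
        Host("fileserver", frozenset({DC}), frozenset({DC})),
        Host("printserver", frozenset({DC}), frozenset({DC})),
        Host("ws-alice", frozenset({DC}), frozenset({TRUSTED})),
        Host("ws-bob", frozenset({DC}), frozenset({TRUSTED})),
        # management host: trusted, but accepts nothing inbound itself
        Host("mgmt01", frozenset({DC, TRUSTED}), frozenset()),
        Host("visitor-laptop", frozenset(), frozenset(), domain_member=False),
    ]
    return {h.name: h for h in hosts}


if __name__ == "__main__":
    net = build_example_network()
    for start in ("ws-alice", "visitor-laptop", "fileserver", "mgmt01"):
        print(f"{start:15} -> {sorted(reachable_from(start, net))}")
```

The run shows an infected workstation can still reach the servers it is allowed to talk to, but the servers cannot initiate connections back to other workstations, and a non-domain laptop reaches nothing.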

 ------------------------------
*From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
Behalf Of *Steve Greenberg
*Sent:* Monday, August 14, 2006 1:45 AM
*To:* thin@xxxxxxxxxxxxx
*Subject:* [THIN] Re: New Critical MS Fix MS06-040 ?!?!



Can you explain a little more what "IPSEC pass-through from a specific
domain group" is exactly?



thanks



Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85262

(602) 432-8649

www.thinclient.net

steveg@xxxxxxxxxxxxxx


------------------------------

*From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
Behalf Of *Monroe, Frank
*Sent:* Sunday, August 13, 2006 6:02 PM
*To:* thin@xxxxxxxxxxxxx
*Subject:* [THIN] Re: New Critical MS Fix MS06-040 ?!?!



Agreed, wrong choice of words.  However, while the rest of the world was
being attacked over the past 5-6 years from the various known
Windows exploits due to the holes in the various Windows services, we were
sitting happy, not one attack and we have laptops that travel the world.  We
do still patch.  But one of our laptops may be out of the building for
weeks or even months at a time and it may not be patched for a while.  With
this approach, they are about as immune to this type of threat as they can
be, short of disabling any service that has a listener port.  Also, this
approach protects from exploits that MS doesn't even know exist (or at
least exist yet) which is why MS advises people to firewall at the system
level as well.  This is a proactive and preventative approach not a reactive
one.  And finally I can wait a few days while other companies apply the
emergency patch and report problems before I push a patch to a critical
service that has not had much user testing.  If the disadvantage to this
approach is to inconvenience a few consultants with their own personal
equipment, it's an easy call.


------------------------------

*From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
Behalf Of *Jeff Pitsch
*Sent:* Sunday, August 13, 2006 5:28 PM
*To:* thin@xxxxxxxxxxxxx
*Subject:* [THIN] Re: New Critical MS Fix MS06-040 ?!?!

'impossible', famous last words.  Nothing is impossible and putting a
belief into that is what typically causes problems.



Jeff Pitsch
Microsoft MVP - Terminal Server

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com





On 8/13/06, *Monroe, Frank* <Frank.Monroe@xxxxxxxxxxx> wrote:

I don't think you understand.  This in fact addresses non-rogue systems.
It is impossible for a system with this design to get infected.  Since all
corporate systems are configured this way, a user can drop their laptop off
on any network and not be infected.  This is because the desktops/laptops
only answer to the few IT systems that are used to manage these systems.
So, in order for those laptops/desktops to be infected, it would have to be
infected from one of the management systems.  And since the management
systems are configured in the same manner, they also can't be infected.
Believe me this works and it works quite well.  We started this design
immediately after Windows 2000 was released and have not had one attack on
ANY system so far.  Of course we still patch.  But we don't have to worry
about rushing out a patch that has not been tested.



I understand what you say in your second paragraph because that's what we
hear from consultants all the time.  But, I really don't have a problem
inconveniencing a few consultants when the trade-off is securing our
network.  If we have a consultant that doesn't comply, then we move on to
the next vendor.


------------------------------

*From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
Behalf Of *Joe Shonk
*Sent:* Friday, August 11, 2006 9:08 AM
*To:* thin@xxxxxxxxxxxxx
*Subject:* [THIN] Re: New Critical MS Fix MS06-040 ?!?!




That only addresses rogue machines.... A user can still take a trusted laptop home, infect it, and bring it back to the trusted network. Most viruses, worms and trojans are being designed to circumvent today's security measures. Firewalls and AV software can only do so much against socially engineered attacks.

Also, only allowing trusted machines on your network presents a problem
for us consultants.  I prefer to use my laptop as it has all the tools and
resources I need on it.   Trying to use a customer-provided machine with
limited access, tools and resources has always been a nightmare.  It's like
trying to soup up a Dodge Neon and expecting it to run well in this weekend's
NASCAR race at Watkins Glen.

Joe

On 8/10/06, *Monroe, Frank* <Frank.Monroe@xxxxxxxxxxx> wrote:

That's why you should enable the Windows firewall on all desktops and
enable IPSEC pass-through from a specific domain group and do the same
on all servers but allow domain computers access.  This isolates the
desktops so that they can only be infected by trusted systems (if
trusted they shouldn't be able to be infected).  And isolates your
servers to all but domain member machines.  When you do this, if a rogue
system enters your network, they may have the worm, but they cannot
infect anything (except other rogue systems).

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Landin, Mark
> Sent: Thursday, August 10, 2006 9:35 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
>
> Any vulnerability which does NOT require user interaction to
> activate is critical. A firewall helps, but if you are on a
> corp network, and someone brings in an infected PC from
> outside or from the road, then now you have an infecting
> agent behind the firewall, and it will compromise any
> unpatched system.
>
> Firewalls are no substitute for patching.
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Matthew Shrewsbury
> Sent: Thursday, August 10, 2006 6:55 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
>
> Any idea why this patch seems to be pushed as urgent? It
> sounds like if you have a firewall blocking ports 139 and 445
> there isn't any risk from the net?
>
> Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA Server+
> Network Manager
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Selinger, Stephen
> Sent: Wednesday, August 09, 2006 4:18 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
>
> Any update on if this patch breaks anything. I have been
> advised by my security monitoring service to get this updated ASAP.
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Schneider, Chad M
> Sent: August 9, 2006 7:40 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
>
> We received the e-mail of this patch late yesterday....got a
> voice mail an hour later, and another follow-up this
> AM....this one is getting more attention from M$ than I can
> ever recall.  They asked that we make every effort to get
> installed in the next 72 hours.
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Pardee
> Sent: Wednesday, August 09, 2006 7:00 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
>
> I just received an email from our MS rep asking us if we had
> tested this, what the reasons were if we hadn't, and when we
> plan on rolling it out.
> They consider this a Level 3 patch and said it is extremely critical.
>
> We'll focus more on our Internet accessible nodes first (none
> are TS) but will start the testing with it internally over time.
>
> This is the first I've ever had our TAM contact us with
> questions over why we wouldn't just deploy it.
>
>
> > From: Steve Greenberg <steveg@xxxxxxxxxxxxxx>
> > Reply-To: <thin@xxxxxxxxxxxxx>
> > Date: Wed, 9 Aug 2006 00:31:20 -0700
> > To: <thin@xxxxxxxxxxxxx>
> > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
> >
> > As usual, this is a case where patience and logic do not rule :-)  The
> > client is already in the process of applying the patch to well over a
> > hundred non TS systems. It is the TS systems that we have some influence
> > on and are being requested to come back with field reports. So far on in
> > house test system, no problems.
> >
> > These are situations in which the client is being "ordered" to go ahead
> > and install the patches. Your explanation is perfect, but the bottom line
> > is that they are going to have to go ahead and do this, I am just hoping
> > someone else has jumped first and can tell us what the bottom of the
> > cliff looks like!
> >
> >
> >
> >
> >
> > Steve Greenberg
> >
> > Thin Client Computing
> >
> > 34522 N. Scottsdale Rd D8453
> >
> > Scottsdale, AZ 85262
> >
> > (602) 432-8649
> >
> > www.thinclient.net
> >
> > steveg@xxxxxxxxxxxxxx
> >
> >
> >
> >   _____
> >
> > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
> > Of Rick Mack
> > Sent: Tuesday, August 08, 2006 11:36 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
> >
> >
> >
> > Hi Steve,
> >
> >
> >
> > Patching the server service on file/print backend servers and TS is kind
> > of scary considering the things that could break.
> >
> > I'm fairly pragmatic about this sort of thing because at the end of the
> > day, it's all about risk management.
> >
> > I wouldn't disregard a critical update on my internet exposed systems but
> > production TS is a different story.
> >
> > Taking past experience into account, in an adequately secured internal
> > network, the Microsoft security hotfixes have caused more system outages
> > than any exploits.
> >
> > Any internet-exposed systems should have the server service disabled as a
> > matter of course, in addition to appropriate firewall filtering etc.
> > Educational environments with TS/Citrix should be using internal firewalls
> > to limit exposure to ICA/http only.
> >
> > It's a question of what's a bigger risk, a known exploit with defined
> > work-arounds or an unknown failure due to inadequate regression testing in
> > the fix?
> >
> > If potential buffer overflow vulnerabilities in the server service were the
> > only vulnerabilities in the average internal network, we'd be pretty darn
> > secure.
> >
> > My recommendation is don't be panicked into installing this hotfix in
> > production. Test it in a development environment, if that's okay install on
> > a single production server. If nothing has broken after a couple of weeks
> > and nobody else is hurting, then patch your production systems.
> >
> >
> >
> > I'll let you know what it breaks in a month's time ;-)
> >
> >
> >
> > regards,
> >
> >
> >
> > Rick
> >
> >
> >
> > Ulrich Mack
> > Volante Systems
> >
> >   _____
> >
> > From: thin-bounce@xxxxxxxxxxxxx on behalf of Steve Greenberg
> > Sent: Wed 9/08/2006 16:04
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] New Critical MS Fix MS06-040 ?!?!
> >
> > Does anyone have experience yet with this new critical patch in production
> > 2003/PS4 environments?
> >
> > http://www.microsoft.com/technet/security/Bulletin/ms06-040.mspx
> >
> > We have customers who are asking for any available feedback on the effect
> > of installing this new critical fix as they are being required to deploy
> > it right away in production!!!
> >
> >
> >
> > Any experience? Any gotchas??
> >
> >
> >
> > thanks
> >
> >
> >
> > Steve Greenberg
> >
> > Thin Client Computing
> >
> > 34522 N. Scottsdale Rd D8453
> >
> > Scottsdale, AZ 85262
> >
> > (602) 432-8649
> >
> > www.thinclient.net
> >
> > steveg@xxxxxxxxxxxxxx
> >
> >
> >
> >
>
>
> ************************************************
> For Archives, RSS, to Unsubscribe, Subscribe or set Digest or
> Vacation mode use the below link:
> //www.freelists.org/list/thin
> ************************************************