[THIN] Re: New Critical MS Fix MS06-040 ?!?!

  • From: "Monroe, Frank" <Frank.Monroe@xxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 14 Aug 2006 09:30:35 -0400

By the way, catching the original executable or website that launches
the code is prevented by good anti-virus software and/or proper
configuration of your desktops.


________________________________

        From: Monroe, Frank 
        Sent: Monday, August 14, 2006 9:28 AM
        To: 'thin@xxxxxxxxxxxxx'
        Subject: RE: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
        
        
        If you are saying someone can run an executable locally that
doesn't require admin privs to exploit one of these holes, you are
correct.  But, in reality, that's not how these types of exploits are
started in an organization.  They are started from systems on the
internet that were purposely infected with the worm, not accidentally
infected as you are saying.  That's why they are called worms and not
called viruses.  And like I keep saying, this approach doesn't make you
totally immune.  But you are certainly a lot closer to being immune than
not doing this.  In reality, there is nothing you can do to totally stop
these exploits even with patching because there aren't patches available
for every exploit.  And, again, we have never had a worm hit one of our
systems since we started this.  They have definitely been in the
buildings (our ISS sensors show it and it's always a contractor or
personal system) but have never once been able to penetrate one of our
domain member systems.  We have been doing this a few years before MS
started pushing this.  But you may find it helpful to peruse the
Microsoft site.  There is a lot of information regarding this approach.
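
The isolation design Frank describes in this thread (host firewall dropping all unsolicited inbound traffic, with the "Allow authenticated IPSec bypass" list granting access to Domain Computers on servers and to a small Trusted Computers group on workstations) can be checked as a reachability model. The Python below is an added example, not code from the thread or from any Microsoft tool; the host names, group memberships and the simplified rule that a peer must both authenticate as a domain member and belong to a listed group are constructed assumptions. It also walks through the case raised elsewhere in the thread: a domain workstation infected through a website or attachment rather than a rogue laptop.

```python
"""Reachability model of host isolation via firewall + authenticated IPsec bypass.

Constructed example: every host either runs a host firewall that drops all
unsolicited inbound traffic ("isolated") or runs none. An isolated host only
accepts a peer that (a) completes Kerberos-authenticated IPsec, which here
means it is a domain member, and (b) belongs to a computer group named in
the host's bypass list. A network worm needs exactly such an unsolicited
inbound connection to reach a listening service, so the set of hosts it can
reach is the transitive closure of can_reach().
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    domain_member: bool                      # can pass Kerberos IPsec auth?
    groups: frozenset                        # computer groups of its own account
    isolated: bool = True                    # host firewall blocking unsolicited inbound
    bypass_groups: frozenset = frozenset()   # "Allow authenticated IPSec bypass" list


def can_reach(src: Host, dst: Host) -> bool:
    """True if src can open an unsolicited inbound connection to dst."""
    if not dst.isolated:
        return True                 # no host firewall: anything gets in
    if not src.domain_member:
        return False                # cannot pass Kerberos IPsec authentication
    return bool(src.groups & dst.bypass_groups)


def worm_spread(hosts, initially_infected):
    """Names of hosts a worm can reach from initially_infected, spreading only
    over connections that can_reach() permits (breadth-first)."""
    by_name = {h.name: h for h in hosts}
    infected = set(initially_infected)
    queue = deque(initially_infected)
    while queue:
        src = by_name[queue.popleft()]
        for dst in hosts:
            if dst.name not in infected and can_reach(src, dst):
                infected.add(dst.name)
                queue.append(dst.name)
    return infected


# Constructed group memberships: every domain host is in Domain Computers;
# only the management box is also in Trusted Computers.
DOMAIN = frozenset({"Domain Computers"})
TRUSTED = frozenset({"Domain Computers", "Trusted Computers"})


def build_network(isolated: bool = True):
    """Constructed sample network following the policy described in the thread.
    isolated=False models the same hosts with their firewalls off (baseline)."""
    return [
        Host("file-srv", True, DOMAIN, isolated, DOMAIN),          # servers: Domain Computers
        Host("app-srv", True, DOMAIN, isolated, DOMAIN),
        Host("mgmt-01", True, TRUSTED, isolated, frozenset()),      # accepts nothing inbound
        Host("ws-01", True, DOMAIN, isolated, frozenset({"Trusted Computers"})),
        Host("ws-02", True, DOMAIN, isolated, frozenset({"Trusted Computers"})),
        Host("contractor-laptop", False, frozenset(), False),       # rogue, not a domain member
    ]


def rogue_laptop_outbreak(isolated: bool = True):
    """Worm arrives on a contractor's non-domain laptop plugged into the LAN."""
    return worm_spread(build_network(isolated), {"contractor-laptop"})


def infected_workstation_outbreak(isolated: bool = True):
    """Worm starts on a domain workstation (e.g. via a website or attachment)."""
    return worm_spread(build_network(isolated), {"ws-01"})


if __name__ == "__main__":
    for label, fn in (("rogue laptop", rogue_laptop_outbreak),
                      ("infected workstation", infected_workstation_outbreak)):
        print(f"{label:>21}: isolated={sorted(fn())}  no firewall={sorted(fn(False))}")
```

The run shows the two sides of the thread's argument: a rogue laptop infects nothing, while an already-infected domain workstation can still reach the servers (they admit Domain Computers) but the servers cannot reach the other workstations back, because servers are not in Trusted Computers.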


________________________________

                From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
                Sent: Monday, August 14, 2006 8:59 AM
                To: thin@xxxxxxxxxxxxx
                Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                
                

                So, because I'm stupid and haven't done much with IPSEC,
help me understand this.  A PC goes out and gets infected from a website
or an email attachment.  The computer talks with a file server, print
server, and application servers for the user to be able to function
during the day.  How does this setup prevent the workstation from
spreading the virus up to the servers and then back down to the other
PCs?
                 

                Jeff Pitsch
                Microsoft MVP - Terminal Server

                Forums not enough?
                Get support from the experts at your business
                http://jeffpitschconsulting.com



                 
                On 8/14/06, Monroe, Frank <Frank.Monroe@xxxxxxxxxxx>
wrote: 

                        
                        You can handle blocking access to resources in
two ways.  First, by using IPSEC alone.  With IPSEC alone you can set
your systems so that they don't communicate with any other systems that
don't pass IPSEC authentication.  IPSEC authentication can be initiated
by a certificate, pre-shared key or by Kerberos authentication.  If you
use the latter (which is the default), the system would have to be a
domain member to communicate.  The problem with using IPSEC alone is
that you may have to have a rather long exception list and your allow
list cannot be group based.  You can also use the Windows Firewall and
enable the IPSEC passthrough setting.  This setting is enabled only
through the local computer policy or through a GPO.  It's under Computer
Configuration->Administrative Templates->Templates->Network->Network
Connections->Windows Firewall->Windows Firewall: Allow authenticated
IPSec bypass.  When enabled, any computer groups that you specify in the
list will be allowed access to the system if they are a member of the
particular group(s).  Just turn the firewall on and block everything,
including pings if you wish.  What we do here is on servers we allow
Domain Computers and on workstations we have a group called Trusted
Computers that are allowed.  Trusted Computers is a very small group.
So, for a workstation/laptop to be infected it would have to be from one
of the few trusted computers.  But since the trusted computers don't
allow incoming communication themselves, that is very very unlikely.


________________________________

                                From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Greenberg
                                Sent: Monday, August 14, 2006 1:45 AM
                                To: thin@xxxxxxxxxxxxx
                                Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                                
                                 

                                Can you explain a little more what
"IPSEC pass-through from a specific domain group" is exactly?

                                 

                                thanks

                                 

                                Steve Greenberg

                                Thin Client Computing

                                34522 N. Scottsdale Rd D8453

                                Scottsdale, AZ 85262

                                (602) 432-8649

                                www.thinclient.net

                                steveg@xxxxxxxxxxxxxx 

                                 

                                
________________________________


                                From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Monroe, Frank
                                Sent: Sunday, August 13, 2006 6:02 PM
                                To: thin@xxxxxxxxxxxxx
                                Subject: [THIN] Re: New Critical MS Fix
MS06-040 ?!?!

                                 

                                Agreed, wrong choice of words.  However,
while the rest of the world was being attacked over the past 5-6 years
from the various known Windows exploits due to the holes in the various
Windows services, we were sitting happy, not one attack and we have
laptops that travel the world.  We do still patch.  But one of our
laptops may be out of the building for weeks or even months at a time
and it may not be patched for a while.  With this approach, they are
about as immune to this type of threat as they can be, short of
disabling any service that has a listener port.  Also, this approach
protects from exploits that MS doesn't even know exist (or at least
exist yet), which is why MS advises people to firewall at the system
level as well.  This is a proactive and preventative approach, not a
reactive one.  And finally, I can wait a few days while other companies
apply the emergency patch and report problems before I push a patch to a
critical service that has not had much user testing.  If the
disadvantage to this approach is to inconvenience a few consultants with
their own personal equipment, it's an easy call.

                                 

                                
________________________________


                                From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
                                Sent: Sunday, August 13, 2006 5:28 PM
                                To: thin@xxxxxxxxxxxxx
                                Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!

                                'impossible', famous last words.
Nothing is impossible and putting a belief into that is what typically
causes problems.  

                                 

                                Jeff Pitsch
                                Microsoft MVP - Terminal Server

                                Forums not enough?
                                Get support from the experts at your
business
                                http://jeffpitschconsulting.com

                                
                                
                                 

                                On 8/13/06, Monroe, Frank <Frank.Monroe@xxxxxxxxxxx> wrote:

                                I don't think you understand.  This in
fact addresses non-rogue systems.  It is impossible for a system with
this design to get infected.  Since all corporate systems are configured
this way, a user can drop their laptop off on any network and not be
infected.  This is because the desktops/laptops only answer to the few
IT systems that are used to manage these systems.  So, in order for
those laptops/desktops to be infected, it would have to be infected from
one of the management systems.  And since the management systems are
configured in the same manner, they also can't be infected.  Believe me,
this works and it works quite well.  We started this design immediately
after Windows 2000 was released and have not had one attack on ANY
system so far.  Of course we still patch.  But we don't have to worry
about rushing out a patch that has not been tested.

                                 

                                I understand what you say in your second
paragraph because that's what we hear from consultants all the time.
But, I really don't have a problem inconveniencing a few consultants
when the trade-off is securing our network.  If we have a consultant
that doesn't comply, then we move on to the next vendor.

                                 

                                
________________________________


                                From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Shonk
                                Sent: Friday, August 11, 2006 9:08 AM
                                To: thin@xxxxxxxxxxxxx
                                Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!

                                
                                 

                                That only addresses rogue machines....
A user can still take a trusted laptop home, infect it, and bring it
back to the trusted network.  Most viruses, worms and trojans are being
designed to circumvent today's security measures.  Firewalls and AV
software can only do so much against socially engineered attacks.
                                
                                Also, only allowing trusted machines on
your network presents a problem for us consultants.  I prefer to use my
laptop as it has all the tools and resources I need on it.  Trying to
use a customer-provided machine with limited access, tools and resources
has always been a nightmare.  It's like trying to soup up a Dodge Neon
and expecting it to run well in this weekend's NASCAR race at Watkins Glen.
                                
                                Joe

                                

                                On 8/10/06, Monroe, Frank <Frank.Monroe@xxxxxxxxxxx> wrote:

                                That's why you should enable the Windows
firewall on all desktops and enable IPSEC pass-through from a specific
domain group, and do the same on all servers but allow domain computers
access.  This isolates the desktops so that they can only be infected by
trusted systems (if trusted, they shouldn't be able to be infected), and
isolates your servers from all but domain member machines.  When you do
this, if a rogue system enters your network, it may have the worm, but
it cannot infect anything (except other rogue systems).
                                
                                > -----Original Message-----
                                > From: thin-bounce@xxxxxxxxxxxxx
                                > [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Landin, Mark 
                                > Sent: Thursday, August 10, 2006 9:35
AM
                                > To: thin@xxxxxxxxxxxxx
                                > Subject: [THIN] Re: New Critical MS
Fix MS06-040 ?!?! 
                                >
                                > Any vulnerability which does NOT
require user interaction to 
                                > activate is critical. A firewall
helps, but if you are on a
                                > corp network, and someone brings in an
infected PC from
                                > outside or from the road, then now you
have an infecting 
                                > agent behind the firewall, and it will
compromise any 
                                > unpatched system.
                                >
                                > Firewalls are no substitute for
patching.
                                >
                                > -----Original Message-----
                                > From: thin-bounce@xxxxxxxxxxxxx
                                > [mailto: thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Matthew Shrewsbury 
                                > Sent: Thursday, August 10, 2006 6:55
AM
                                > To: thin@xxxxxxxxxxxxx 
                                > Subject: [THIN] Re: New Critical MS
Fix MS06-040 ?!?! 
                                >
                                > Any idea why this patch seems to be
pushed as urgent? It
                                > sounds like if you have a firewall
blocking ports 139 and 445
                                > there isn't any risk from the net? 
                                >
                                > Matthew Shrewsbury, MCSE+Internet MCSE
2000 CCA Server+ 
                                > Network Manager
                                >
                                > -----Original Message-----
                                > From: thin-bounce@xxxxxxxxxxxxx 
                                > [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Selinger, Stephen
                                > Sent: Wednesday, August 09, 2006 4:18
PM 
                                > To: thin@xxxxxxxxxxxxx
                                > Subject: [THIN] Re: New Critical MS
Fix MS06-040 ?!?!
                                >
                                > Any update on if this patch breaks
anything. I have been 
                                > advised by my security monitoring
service to get this updated ASAP. 
                                >
                                > -----Original Message-----
                                > From: thin-bounce@xxxxxxxxxxxxx
                                > [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Schneider, Chad M 
                                > Sent: August 9, 2006 7:40 AM
                                > To: 'thin@xxxxxxxxxxxxx'
                                > Subject: [THIN] Re: New Critical MS
Fix MS06-040 ?!?! 
                                >
                                > We received the e-mail of this patch
late yesterday....got a 
                                > voice mail an hour later, and another
follow-up this
                                > AM....this one is getting more
attention from M$ than I can
                                > ever recall.  They asked that we make
every effort to get 
                                > installed in the next 72 hours. 
                                >
                                > -----Original Message-----
                                > From: thin-bounce@xxxxxxxxxxxxx 
                                > [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Michael Pardee 
                                > Sent: Wednesday, August 09, 2006 7:00
AM 
                                > To: thin@xxxxxxxxxxxxx
                                > Subject: [THIN] Re: New Critical MS
Fix MS06-040 ?!?!
                                >
                                > I just received an email from our MS
rep asking us if we had 
                                > tested this, what the reasons were if
we hadn't, and when we
                                > plan on rolling it out.
                                > They consider this a Level 3 patch and
said it is extremely critical.
                                >
                                > We'll focus more on our Internet
accessible nodes first (none
                                > are TS) but will start the testing
with it internally over time.
                                >
                                > This is the first I've ever had our
TAM contact us with
                                > questions over why we wouldn't just
deploy it.
                                >
                                >
                                > > From: Steve Greenberg <steveg@xxxxxxxxxxxxxx>
                                > > Reply-To: <thin@xxxxxxxxxxxxx>
                                > > Date: Wed, 9 Aug 2006 00:31:20 -0700
                                > > To: <thin@xxxxxxxxxxxxx>
                                > > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                                > >
                                > > As usual, this is a case where patience and logic do not rule :-)  The client is already in the process of applying the patch to well over a hundred non-TS systems. It is the TS systems that we have some influence on and are being requested to come back with field reports. So far, on the in-house test system, no problems.
                                > >
                                > > These are situations in which the client is being "ordered" to go ahead and install the patches. Your explanation is perfect, but the bottom line is that they are going to have to go ahead and do this. I am just hoping someone else has jumped first and can tell us what the bottom of the cliff looks like!
                                > >
                                > >
                                > >
                                > >
                                > >
                                > > Steve Greenberg
                                > >
                                > > Thin Client Computing
                                > >
                                > > 34522 N. Scottsdale Rd D8453
                                > >
                                > > Scottsdale, AZ 85262
                                > >
                                > > (602) 432-8649
                                > >
                                > > www.thinclient.net
                                > >
                                > > steveg@xxxxxxxxxxxxxx
                                > >
                                > >
                                > >
                                > >   _____ 
                                > >
                                > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Mack
                                > > Sent: Tuesday, August 08, 2006 11:36 PM
                                > > To: thin@xxxxxxxxxxxxx
                                > > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                                > >
                                > >
                                > >
                                > > Hi Steve,
                                > >
                                > >
                                > >
                                > > Patching the server service on file/print backend servers and TS is kind of scary considering the things that could break.
                                > >
                                > > I'm fairly pragmatic about this sort of thing because at the end of the day, it's all about risk management.
                                > >
                                > > I wouldn't disregard a critical update on my internet exposed systems but production TS is a different story.
                                > >
                                > > Taking past experience into account, in an adequately secured internal network, the Microsoft security hotfixes have caused more system outages than any exploits.
                                > >
                                > > Any internet-exposed systems should have the server service disabled as a matter of course, in addition to appropriate firewall filtering etc. Educational environments with TS/Citrix should be using internal firewalls to limit exposure to ICA/http only.
                                > >
                                > > It's a question of what's a bigger risk, a known exploit with defined work-arounds or an unknown failure due to inadequate regression testing in the fix?
                                > >
                                > > If potential buffer overflow vulnerabilities in the server service were the only vulnerabilities in the average internal network, we'd be pretty darn secure.
                                > >
                                > > My recommendation is don't be panicked into installing this hotfix in production. Test it in a development environment, if that's okay install on a single production server. If nothing has broken after a couple of weeks and nobody else is hurting, then patch your production systems.
                                > >
                                > > I'll let you know what it breaks in a month's time ;-)
                                > >
                                > >
                                > >
                                > > regards,
                                > >
                                > >
                                > >
                                > > Rick
                                > >
                                > > 
                                > >
                                > > Ulrich Mack
                                > > Volante Systems
                                > >
                                > >   _____
                                > >
                                > > From: thin-bounce@xxxxxxxxxxxxx on
behalf of Steve Greenberg 
                                > > Sent: Wed 9/08/2006 16:04
                                > > To: thin@xxxxxxxxxxxxx
                                > > Subject: [THIN] New Critical MS Fix
MS06-040 ?!?!
                                > >
                                > > Does anyone have experience yet with this new critical patch in production 2003/PS4 environments?
                                > >
                                > >
                                > >
                                > > http://www.microsoft.com/technet/security/Bulletin/ms06-040.mspx
                                > >
                                > >
                                > >
                                > > We have customers who are asking for any available feedback on the effect of installing this new critical fix as they are being required to deploy it right away in production!!!
                                > >
                                > >
                                > >
                                > > Any experience? Any gotchas?? 
                                > >
                                > >
                                > >
                                > > thanks
                                > > 
                                > >
                                > >
                                > > Steve Greenberg
                                > >
                                > > Thin Client Computing
                                > >
                                > > 34522 N. Scottsdale Rd D8453 
                                > >
                                > > Scottsdale, AZ 85262
                                > >
                                > > (602) 432-8649
                                > >
                                > > www.thinclient.net
                                > >
                                > > steveg@xxxxxxxxxxxxxx
                                > >
                                > >
                                > >
                                > >
                                > > ##############################################################
                                > >
                                > > This e-mail, including all attachments, may be confidential or privileged. Confidentiality or privilege is not waived or lost because this e-mail has been sent to you in error. If you are not the intended recipient any use, disclosure or copying of this e-mail is prohibited. If you have received it in error please notify the sender immediately by reply e-mail and destroy all copies of this e-mail and any attachments. All liability for direct and indirect loss arising from this e-mail and any attachments is hereby disclaimed to the extent permitted by law.
                                > >
                                > > ##############################################################
                                > >
                                > >
                                >
##############################################################
                                > ##########
                                > ####
                                > > #########
                                > > This e-mail, including all
attachments, may be confidential or 
                                > privileged.
                                > > Confidentiality or privilege is not
waived or lost because
                                > this e-mail
                                > has
                                > > been sent to you in error. If you
are not the intended recipient any
                                > use,
                                > > disclosure or copying of this e-mail
is prohibited. If you have
                                > received
                                > it
                                > > in error please notify the sender
immediately by reply e-mail and
                                > destroy
                                > > all copies of this e-mail and any
attachments. All liability for 
                                > direct
                                > and
                                > > indirect loss arising from this
e-mail and any attachments
                                > is hereby
                                > > disclaimed to the extent permitted
by law.
                                > >
                                >
                                > ************************************************
                                > For Archives, RSS, to Unsubscribe, Subscribe or set Digest or
                                > Vacation mode use the below link:
                                > //www.freelists.org/list/thin
                                > ************************************************
                                > This communication is intended for the use of the recipient
                                > to which it is addressed, and may contain confidential,
                                > personal and or privileged information. Please contact us
                                > immediately if you are not the intended recipient. Do not
                                > copy, distribute or take action relying on it. Any
                                > communication received in error, or subsequent reply, should
                                > be deleted or destroyed.
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode use the
below link:
//www.freelists.org/list/thin
************************************************

Other related posts: