[THIN] Re: New Critical MS Fix MS06-040 ?!?!

  • From: "Monroe, Frank" <Frank.Monroe@xxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 14 Aug 2006 10:11:49 -0400

Not true.  You can block those as well and that is what we do.  And even
if you don't, remember Domain Computers are added to the allowed group
on servers, not Domain Controllers.


________________________________

        From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Edward VanDewars
        Sent: Monday, August 14, 2006 9:30 AM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
        
        
        But you still can't block/restrict access to: DNS, DHCP, or
Domain Controllers, right?  So if an infected computer gets plugged into
your LAN it can still do major damage.
        
        
        On 8/14/06, Monroe, Frank <Frank.Monroe@xxxxxxxxxxx> wrote: 

                You can handle blocking access to resources in two ways.
First, by using IPSEC alone.  With IPSEC alone you can set your systems
so that they don't communicate with any other systems that don't pass
IPSEC authentication.  IPSEC authentication can be initiated by a
certificate, pre-shared key or by Kerberos authentication.  If you use
the latter (which is the default), the system would have to be a domain
member to communicate.   The problem with using IPSEC alone is that you
may have to have a rather long exception list and your allow list cannot
be group based.  You can also use the Windows Firewall and enable the
IPSEC passthrough setting.  This setting is enabled only through the
local computer policy or through a GPO.  It's under Computer
Configuration->Administrative Templates->Templates->Network->Network
Connections->Windows Firewall->Windows Firewall:  Allow authenticated
IPSec bypass.  When enabled, any computer groups that you specify in the
list will be allowed access to the system if they are a member of the
particular group(s).  Just turn the firewall on and block everything,
including pings if you wish.  What we do here is on servers we allow
Domain Computers and on workstations we have a group called Trusted
Computers that are allowed.  Trusted Computers is a very small group.
So, for a workstation/laptop to be infected it would have to be from one
of the few trusted computers.  But since the trusted computers don't
allow incoming communication themselves, that is very very unlikely.


________________________________

                        From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Greenberg
                        Sent: Monday, August 14, 2006 1:45 AM
                        
                        To: thin@xxxxxxxxxxxxx
                        Subject: [THIN] Re: New Critical MS Fix MS06-040
?!?!
                        


                

                Can you explain a little more what "IPSEC pass-through
from a specific domain group" is exactly?

                 

                thanks

                 

                Steve Greenberg

                Thin Client Computing

                34522 N. Scottsdale Rd D8453

                Scottsdale, AZ 85262

                (602) 432-8649

                www.thinclient.net 

                steveg@xxxxxxxxxxxxxx 

                 

                
________________________________


                From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Monroe, Frank
                Sent: Sunday, August 13, 2006 6:02 PM
                To: thin@xxxxxxxxxxxxx
                Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!

                 

                Agreed, wrong choice of words.  However, while the rest
of the world was being attacked over the past 5-6 years from the various
known Windows exploits due to the holes in the various Windows services,
we were sitting happy, not one attack and we have laptops that travel
the world.  We do still patch.  But one of our laptops may be out of
the building for weeks or even months at a time and it may not be
patched for a while.  With this approach, they are about as immune to
this type of threat as they can be, short of disabling any service that
has a listener port.  Also, this approach protects from exploits that MS
doesn't even know exist (or at least exist yet) which is why MS
advises people to firewall at the system level as well.  This is a
proactive and preventative approach not a reactive one.  And finally I
can wait a few days while other companies apply the emergency patch and
report problems before I push a patch to a critical service that has not
had much user testing.  If the disadvantage to this approach is to
inconvenience a few consultants with their own personal equipment, it's
an easy call.

                         

                        
________________________________


                        From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
                        Sent: Sunday, August 13, 2006 5:28 PM
                        To: thin@xxxxxxxxxxxxx
                        Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!

                        'impossible', famous last words.  Nothing is
impossible and putting a belief into that is what typically causes
problems.  

                         

                        Jeff Pitsch
                        Microsoft MVP - Terminal Server

                        Forums not enough?
                        Get support from the experts at your business
                        http://jeffpitschconsulting.com

                        
                        
                         

                        On 8/13/06, Monroe, Frank <Frank.Monroe@xxxxxxxxxxx> wrote:

                        I don't think you understand.  This in fact
addresses non-rogue systems.  It is impossible for a system with this
design to get infected.  Since all corporate systems are configured this
way, a user can drop their laptop off on any network and not be
infected.  This is because the desktops/laptops only answer to the few
IT systems that are used to manage these systems.  So, in order for
those laptops/desktops to be infected, it would have to be infected from
one of the management systems.  And since the management systems are
configured in the same manner, they also can't be infected.  Believe me
this works and it works quite well.  We started this design immediately
after Windows 2000 was released and have not had one attack on ANY
system so far.  Of course we still patch.  But we don't have to worry
about rushing out a patch that has not been tested.

                         

                        I understand what you say in your second
paragraph because that's what we hear from consultants all the time.
But, I really don't have a problem inconveniencing a few consultants
when the trade-off is securing our network.  If we have a consultant
that doesn't comply, then we move on to the next vendor.

                                 

                                
________________________________


                                From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Shonk
                                Sent: Friday, August 11, 2006 9:08 AM
                                To: thin@xxxxxxxxxxxxx
                                Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!

                                
                                 

                        That only addresses rogue machines....  A user
can still take a trusted laptop home, infect it, and bring it back to
the trusted network.  Most viruses, worms and trojans are being designed
to circumvent today's security measures.  Firewalls and AV software can
only do so much against socially engineered attacks.
                        
                        Also, only allowing trusted machines on your
network presents a problem for us consultants.  I prefer to use my
laptop as it has all the tools and resources I need on it.   Trying to
use a customer-provided machine with limited access, tools and resources
has always been a nightmare.  It's like trying to soup up a Dodge Neon
and expecting it to run well in this weekend's NASCAR race at Watkins Glen.
                        
                        Joe

                        

                        On 8/10/06, Monroe, Frank <Frank.Monroe@xxxxxxxxxxx> wrote:

                        That's why you should enable the Windows
                        firewall on all desktops and enable IPSEC
                        pass-through from a specific domain group and do
                        the same on all servers but allow domain
                        computers access.  This isolates the desktops so
                        that they can only be infected by trusted
                        systems (if trusted they shouldn't be able to be
                        infected), and isolates your servers from all
                        but domain member machines.  When you do this,
                        if a rogue system enters your network, they may
                        have the worm, but they cannot infect anything
                        (except other rogue systems).
                        
                        > -----Original Message-----
                        > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Landin, Mark
                        > Sent: Thursday, August 10, 2006 9:35 AM
                        > To: thin@xxxxxxxxxxxxx
                        > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                        >
                        > Any vulnerability which does NOT require user
interaction to 
                        > activate is critical. A firewall helps, but if
you are on a
                        > corp network, and someone brings in an
infected PC from
                        > outside or from the road, then now you have an
infecting 
                        > agent behind the firewall, and it will
compromise any 
                        > unpatched system.
                        >
                        > Firewalls are no substitute for patching.
                        >
                        > -----Original Message-----
                        > From: thin-bounce@xxxxxxxxxxxxx
                        > [mailto: thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Matthew Shrewsbury 
                        > Sent: Thursday, August 10, 2006 6:55 AM
                        > To: thin@xxxxxxxxxxxxx 
                        > Subject: [THIN] Re: New Critical MS Fix
MS06-040 ?!?! 
                        >
                        > Any idea why this patch seems to be pushed as
urgent? It
                        > sounds like if you have a firewall blocking
ports 139 and 445
                        > there isn't any risk from the net? 
                        >
                        > Matthew Shrewsbury, MCSE+Internet MCSE 2000
CCA Server+ 
                        > Network Manager
                        >
                        > -----Original Message-----
                        > From: thin-bounce@xxxxxxxxxxxxx 
                        > [mailto: thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Selinger, Stephen
                        > Sent: Wednesday, August 09, 2006 4:18 PM 
                        > To: thin@xxxxxxxxxxxxx
                        > Subject: [THIN] Re: New Critical MS Fix
MS06-040 ?!?!
                        >
                        > Any update on if this patch breaks anything. I
have been 
                        > advised by my security monitoring service to
get this updated ASAP. 
                        >
                        > -----Original Message-----
                        > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Schneider, Chad M
                        > Sent: August 9, 2006 7:40 AM
                        > To: 'thin@xxxxxxxxxxxxx'
                        > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                        >
                        > We received the e-mail of this patch late
                        > yesterday....got a voice mail an hour later, and
                        > another follow-up this AM....this one is getting
                        > more attention from M$ than I can ever recall.
                        > They asked that we make every effort to get it
                        > installed in the next 72 hours.
                        >
                        > -----Original Message-----
                        > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Michael Pardee
                        > Sent: Wednesday, August 09, 2006 7:00 AM
                        > To: thin@xxxxxxxxxxxxx
                        > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                        >
                        > I just received an email from our MS rep asking
                        > us if we had tested this, what the reasons were
                        > if we hadn't, and when we plan on rolling it out.
                        > They consider this a Level 3 patch and said it
                        > is extremely critical.
                        >
                        > We'll focus more on our Internet accessible
                        > nodes first (none are TS) but will start the
                        > testing with it internally over time.
                        >
                        > This is the first I've ever had our TAM
contact us with
                        > questions over why we wouldn't just deploy it.
                        >
                        >
                        > > From: Steve Greenberg <steveg@xxxxxxxxxxxxxx>
                        > > Reply-To: <thin@xxxxxxxxxxxxx>
                        > > Date: Wed, 9 Aug 2006 00:31:20 -0700
                        > > To: <thin@xxxxxxxxxxxxx>
                        > > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                        > >
                        > > As usual, this is a case where patience and
                        > > logic do not rule :-)  The client is already in
                        > > the process of applying the patch to well over a
                        > > hundred non-TS systems. It is the TS systems that
                        > > we have some influence on and are being requested
                        > > to come back with field reports. So far on the
                        > > in-house test system, no problems.
                        > >
                        > >
                        > >
                        > > These are situations in which the client is
                        > > being "ordered" to go ahead and install the
                        > > patches. Your explanation is perfect, but the
                        > > bottom line is that they are going to have to go
                        > > ahead and do this, I am just hoping someone else
                        > > has jumped first and can tell us what the bottom
                        > > of the cliff looks like!
                        > >
                        > >
                        > >
                        > >
                        > >
                        > > Steve Greenberg
                        > >
                        > > Thin Client Computing
                        > >
                        > > 34522 N. Scottsdale Rd D8453
                        > >
                        > > Scottsdale, AZ 85262
                        > >
                        > > (602) 432-8649
                        > >
                        > > www.thinclient.net
                        > >
                        > > steveg@xxxxxxxxxxxxxx
                        > >
                        > >
                        > >
                        > >   _____
                        > >
                        > > From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Mack
                        > > Sent: Tuesday, August 08, 2006 11:36 PM
                        > > To: thin@xxxxxxxxxxxxx
                        > > Subject: [THIN] Re: New Critical MS Fix MS06-040 ?!?!
                        > >
                        > >
                        > >
                        > > Hi Steve,
                        > >
                        > >
                        > >
                        > > Patching the server service on file/print
                        > > backend servers and TS is kind of scary
                        > > considering the things that could break.
                        > >
                        > > I'm fairly pragmatic about this sort of thing
                        > > because at the end of the day, it's all about
                        > > risk management.
                        > >
                        > > I wouldn't disregard a critical update on my
                        > > internet exposed systems but production TS is a
                        > > different story.
                        > >
                        > > Taking past experience into account, in an
                        > > adequately secured internal network, the
                        > > Microsoft security hotfixes have caused more
                        > > system outages than any exploits.
                        > >
                        > > Any internet-exposed systems should have the
                        > > server service disabled as a matter of course,
                        > > in addition to appropriate firewall filtering
                        > > etc.  Educational environments with TS/Citrix
                        > > should be using internal firewalls to limit
                        > > exposure to ICA/http only.
                        > >
                        > > It's a question of what's a bigger risk, a known
                        > > exploit with defined work-arounds or an unknown
                        > > failure due to inadequate regression testing in
                        > > the fix?
                        > >
                        > > If potential buffer overflow vulnerabilities in
                        > > the server service were the only
                        > > vulnerabilities in the average internal network,
                        > > we'd be pretty darn secure.
                        > >
                        > > My recommendation is don't be panicked into
                        > > installing this hotfix in production. Test it in
                        > > a development environment, if that's okay
                        > > install on a single production server. If
                        > > nothing has broken after a couple of weeks and
                        > > nobody else is hurting, then patch your
                        > > production systems.
                        > >
                        > > I'll let you know what it breaks in a month's
                        > > time ;-)
                        > >
                        > >
                        > >
                        > > regards,
                        > >
                        > >
                        > >
                        > > Rick
                        > >
                        > > 
                        > >
                        > > Ulrich Mack
                        > > Volante Systems
                        > >
                        > >   _____
                        > >
                        > > From: thin-bounce@xxxxxxxxxxxxx on behalf of Steve Greenberg
                        > > Sent: Wed 9/08/2006 16:04
                        > > To: thin@xxxxxxxxxxxxx
                        > > Subject: [THIN] New Critical MS Fix MS06-040 ?!?!
                        > >
                        > > Does anyone have experience yet with this new
                        > > critical patch in production 2003/PS4
                        > > environments?
                        > >
                        > > http://www.microsoft.com/technet/security/Bulletin/ms06-040.mspx
                        > >
                        > > We have customers who are asking for any
                        > > available feedback on the effect of installing
                        > > this new critical fix as they are being required
                        > > to deploy it right away in production!!!
                        > >
                        > >
                        > >
                        > > Any experience? Any gotchas?? 
                        > >
                        > >
                        > >
                        > > thanks
                        > > 
                        > >
                        > >
                        > > Steve Greenberg
                        > >
                        > > Thin Client Computing
                        > >
                        > > 34522 N. Scottsdale Rd D8453 
                        > >
                        > > Scottsdale, AZ 85262
                        > >
                        > > (602) 432-8649
                        > >
                        > > www.thinclient.net
                        > >
                        > > steveg@xxxxxxxxxxxxxx
                        > >
                        > >
                        > >
                        > >
                        > > ##############################################################
                        > >
                        > > This e-mail, including all attachments, may be
                        > > confidential or privileged. Confidentiality or
                        > > privilege is not waived or lost because this
                        > > e-mail has been sent to you in error. If you are
                        > > not the intended recipient any use, disclosure or
                        > > copying of this e-mail is prohibited. If you have
                        > > received it in error please notify the sender
                        > > immediately by reply e-mail and destroy all
                        > > copies of this e-mail and any attachments. All
                        > > liability for direct and indirect loss arising
                        > > from this e-mail and any attachments is hereby
                        > > disclaimed to the extent permitted by law.
                        > >
                        > > ##############################################################
                        > ************************************************
                        > For Archives, RSS, to Unsubscribe, Subscribe or set Digest or
                        > Vacation mode use the below link:
                        > //www.freelists.org/list/thin
                        > ************************************************
                        > This communication is intended for the use of the
                        > recipient to which it is addressed, and may contain
                        > confidential, personal and or privileged information.
                        > Please contact us immediately if you are not the
                        > intended recipient.  Do not copy, distribute or take
                        > action relying on it. Any communication received in
                        > error, or subsequent reply, should be deleted or
                        > destroyed.
                        ************************************************
                        For Archives, RSS, to Unsubscribe, Subscribe or
                        set Digest or Vacation mode use the below link: 
                        //www.freelists.org/list/thin 
                        ************************************************
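The design Frank Monroe describes upthread (Windows Firewall on, everything inbound blocked, authenticated IPsec bypass for one domain computer group, Kerberos machine authentication so only domain members can negotiate) can be scripted with the NetSecurity cmdlets that replaced the XP/2003-era "Allow authenticated IPsec bypass" policy Frank points at. The script below is an added example written for this page; it is not code from the thread or from any poster. It assumes a Windows 8/Server 2012 or later domain member, a domain security group named Trusted Computers, and uses EXAMPLE as a placeholder domain name; run it elevated on a test host first.

```powershell
# Added example, not from the thread. Assumes: domain-joined host, Windows 8 /
# Server 2012 or later, a domain security group "Trusted Computers", and the
# placeholder domain NetBIOS name EXAMPLE. On servers, point $GroupName at
# "EXAMPLE\Domain Computers" instead, as the thread describes.

$GroupName = 'EXAMPLE\Trusted Computers'   # placeholder domain and group

# Resolve the group SID locally (no RSAT needed on a domain member).
$sid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value

# SDDL allow-ACE granting the group the CC right, the form -RemoteMachine
# expects; this is what the old "authenticated IPsec bypass" list stored.
$sddl = "O:LSD:(A;;CC;;;$sid)"

# 1. Firewall on in every profile, inbound blocked by default ("block everything").
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Connection security rule: require IPsec on inbound, request it on outbound,
#    authenticated with the computer's Kerberos identity, so a non-domain box
#    cannot even complete the negotiation.
$prop = New-NetIPsecAuthProposal -Machine -Kerberos
$auth = New-NetIPsecPhase1AuthSet -DisplayName 'Domain computer Kerberos' -Proposal $prop
New-NetIPsecRule -DisplayName 'Require inbound IPsec' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $auth.Name -Profile Domain,Private,Public | Out-Null

# 3. One allow rule: any inbound traffic, but only from peers that authenticated
#    as members of the group. Everything else still hits the default block.
New-NetFirewallRule -DisplayName 'Inbound from Trusted Computers only' `
    -Direction Inbound -Action Allow -Authentication Required `
    -RemoteMachine $sddl -Profile Domain,Private,Public | Out-Null

# Check: list inbound allow rules that require authentication and the
# computer groups bound to them, so an unexpected open rule stands out.
Get-NetFirewallRule -Direction Inbound -Action Allow | ForEach-Object {
    $sec = $_ | Get-NetFirewallSecurityFilter
    if ($sec.Authentication -eq 'Required') {
        [pscustomobject]@{ Rule = $_.DisplayName; Machines = $sec.RemoteMachine }
    }
}
```

Two practical points that this thread's "long exception list" remark hints at: the host must still be able to obtain an address and reach a domain controller before it can hold a Kerberos ticket, so confirm on the test host that DHCP and DC traffic work under the rule before pushing the same settings through a GPO, and keep the group small, since every member is a machine that can reach every other member's listening services.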

                        
                        
                        

                         

