[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]

To: fd@xxxxxxxxxx
Subject: Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]
From: James Tucker <jftucker@xxxxxxxxx>
Date: Fri, 19 Aug 2005 13:34:56 +0100

fd@xxxxxxxxxx wrote:

On Wed, 17 Aug 2005, Ron DuFresne wrote:

Perhaps it does realte considering the above and considering that the unix
world learned many of the evils of RCP services over ten years ago that
seem to hit the M$ realm every few months, repeatedly...

We used to call them rsploits when it was common in unix.  Friends and I
had a good chuckle when MS started repeating history, having rsploits of
its own.  I would love to deny all port 445 with layer-3 switches but this
would be like blocking portmap and expecting NFS to still mount.

Have you considered utilising the IPSec filters, this is a common suggestion from the beast themselves.

What have we learned from the past that we can apply to our MS networks, since they have become a (un)necessary evil? How neutered does an MS workstation become if the RPC port is completely blocked from the outside? Perhaps "mostly harmless" ?

Well it looses most of it's active directory integration if that's what you mean. Users can still log in though, and in fact can still access remote shares. Admins have trouble with remote administration however, but often a well configured Kerberos telnet session can be more useful that MMC plugins anyway. Just ensure the service is _properly_ configured.

What would it take to write an RPC filter to only accept RPCs which we
actually care about?  In addition, why is PnP even an RPC accessible from
the outside (no, upnp is not a good reason)!?  Most importantly, we need
to eliminate the entire RPC attack vector in the future for Microsoft
systems -- this is not the first MS rsploit and we will certainly see
more.

Er, you're gunna be trawling ALOT of RPC. You can do most anything through that port, it's very functional indeed. As above, I'd start with IPSec. Er, this is the system through which we provide most application and desktop management, to get to pnp is not a strange thing to have access to at all, moreover it get's used quite alot in big installations where driver deployment by audit is important.

Your thoughts?

The RPC functionality provided has been the biggest flaw in secuirty for MS in recent years. The RPC functionality provided has been the biggest contributor to reducing TCO in the enterprise where it's functionality is properly utilised.


-Eric

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]
  - From: Ron DuFresne
- Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]
  - From: fd

Prev by Date: Re: [Full-disclosure] Re: MS not telling enough
Next by Date: [Full-disclosure] morphed into certification argument (was : MS not telling enough - ethics)
Previous by thread: Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]
Next by thread: Re: It's not that simple... [Was: Re: [Full-disclosure] Disney Down?]
Index(es):
- Date
- Thread