 
From: James Carter (jcarterGENUITY.NET)
Date: Tue Apr 03 2001 - 18:53:32 CDT


    -----BEGIN PGP SIGNED MESSAGE-----

    This is a bit of help.

    http://windowsupdate.microsoft.com/?IE

    This site will give you most of the updates you need and keep the
    reboots to a minimum. However the security patches are another story.
    Microsoft is a little slow on applying them to the windowsupdate
    site.

    IE 5.5 Sp1 is recommended, and go to this site for regularly updated
    patches as well as info.

    http://www.microsoft.com/technet/security/default.asp

    Particular note on the MIME vulnerability, and the necessity of
    having the right version of IE installed. When you download the patch
    it has 2 IE versions that you can select from, IE 5.01 SP1 and IE 5.5
    SP1; the latter of the 2 I recommend. It should be painfully obvious
    that this means these are the versions you should be running, but
    since I have seen countless e-mails and bulletins flaming Microsoft
    for their patch not working, I thought it best to bring it up.

    Also.....to manually lock down ports on the box please do this:

    Double click 'My Computer', click 'Tools', click 'Folder Options', click
    the 'View' tab, enable display compressed files and folders with
    alternate colors, display full path in address bar, display full path
    in title bar, enable show hidden files and folders, disable hide file
    extensions for known file types, disable hide protected operating
    system files (you're gonna need this and can disable it when finished, and
    that is recommended especially if you will have others messing with
    stuff). Leave everything else like it is and click 'APPLY', then click
    'LIKE CURRENT FOLDER'. This will then propagate the same view to any
    location you open up via a double click on My Computer and browsing
    down the file tree.

    Now, for the meat of it. Browse down the file tree to:
    C:\WINNT\system32\drivers\etc (this was copied and pasted because of
    the ease of use brought upon by enabling some of the aforementioned
    features).
    Here you will see files you will want to modify to lock down the
    server at the port level.
    Most specifically, 'protocol' and 'networks'; these will open up
    simply enough with 'notepad.exe'.

    This should help somewhat, good luck.

    - -----Original Message-----
    From: Focus on Microsoft Mailing List
    [mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of Kyle Buehler
    Sent: Monday, April 02, 2001 11:09 AM
    To: FOCUS-MSSECURITYFOCUS.COM
    Subject: Windows 2000 Server Questions

     So here's the situation. I'm the "New IT Guy". There have been 3
    before me, and I'm working on a Windows 2000 Server that has been
    set up via a tag team of consultants. I'm not a Microsoftie by nature,
    but I deal with it here and there and in Advanced Windows 2000 at
    school. *joke* Nonetheless, I'm getting into it. Anyway, here are
    some problems that are confusing me at the current moment ...

     1. I did a security audit against the server using Nessus and it
    came back with ports 34555/udp, 27444/udp, 18753/udp, and 10498/tcp
    possibly running Trin00, Trin00, Shaft, and mstream respectively. I
    ran a few nmap scans against it and did not find the ports open.
    netstat -an didn't yield any info either. I thought at first it was
    just catching normal traffic, but multiple scans have come out the
    same. Any idea what this could be? McAfee is up to date and running
    full scans once a night, and research shows that it should catch all
    the possible trojans.

     2. Ports 6666 and 6667 are open also, but yield no warnings from
    Nessus. I know we are not running an IRC server, so is there any 2k
    service that claims those ports? Again, netstat didn't show anything
    useful.

      In my scan I found that only SP1 had been applied and the server
    was in desperate need of netbios-ssn hotfixes, since I'm not quite
    sure whether I have a cracker on my tail or not. I downloaded the
    required patches and applied them individually.

     3. Is there a way to apply the patches without having to reboot
    every time? This is a server that takes 5-10 minutes for a full cycle.
    Once I applied the patches I ran my scans again and the "problem"
    hadn't been fixed. Am I doing something wrong just running them?

     4. Nessus found /_vti_bin/_vti_aut/dvwssr.dll ... I read up on this,
    except I can't find it in the directory shown, and that file doesn't
    come up by name in a find. Does it have another alias or counterpart?

     5. The server is running Exchange, and it allows open relaying which
    I am kind of concerned about. Currently the consultant is the one
    working the Exchange Setup ( I plan to remedy that eventually), but
    where can I get some info on configuring something like that. Just
    looking at the Server Manager really looks like he got it working,
    and didn't go any farther than that.

     Any help would be appreciated.

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

    iQEVAwUBOspie1Dumg0FbJxvAQFOAAf+NGGHaNM1EtOBitIYTCjQxwZP1Y2a6ZKC
    6OafAvyR+EG+Uk+45eHgsBM5RCfmFfwLUDOy/jFTKPO1Tuqfh467RuLOilzB9SRe
    sVaf5TL3JRRjsZIGX/Tws0Cc1/RVE9gIZt1aEwN/thXSfbt89fZgVX4cHHeHIKT4
    gMBf5O45YSW0Ms5u1LloImIhLcyhGq5ejNi+u1z7XmGdnXuNvK1dy11qoRhoAQE1
    g0dAwMId5deNXjZlvgGypEQs8NN9u/4yhNdZwTXRtUkOK16ye652P5QGihwbXvVL
    cRZhPboXSdIkhFnYo6OqMYG+RcAuPuSOnFGTYauDolByqefEgSsLkA==
    =ib31
    -----END PGP SIGNATURE-----
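Kyle's first two questions come down to reconciling what a remote scanner claims with what the host itself reports. The script below is an added example written for this archive page, not code from either poster: it parses Windows-style `netstat -an` output (the sample text is constructed, not captured from Kyle's server) into the set of bound (protocol, port) pairs and splits the scanner-reported ports from the thread into those corroborated by a local socket and those that are not. An unconfirmed UDP port is a candidate false positive to verify by other means rather than proof of a trojan; the converse caveat is that a host-level tool can only see what the OS shows it, so a compromised kernel or a hidden process would not be caught this way. The port list and labels are taken from the thread; the `reconcile` and `parse_bound_ports` names are this example's own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -an` output in the Windows 2000 layout
# (an assumption for the example; not the poster's real output).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.20:1034      ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.5:138        *:*
"""

# Ports the scanner reported in the thread: (protocol, port, label).
SCANNER_FINDINGS = [
    ("udp", 34555, "Trin00"),
    ("udp", 27444, "Trin00"),
    ("udp", 18753, "Shaft"),
    ("tcp", 10498, "mstream"),
    ("tcp", 6666, "no warning"),
    ("tcp", 6667, "no warning"),
]

# Proto, local addr:port, foreign addr, optional state (absent for UDP).
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE
)


def parse_bound_ports(netstat_text: str) -> Set[Tuple[str, int]]:
    """Return the (proto, port) pairs the host actually has bound.

    TCP lines count only in LISTENING state (the ESTABLISHED line on
    port 139 is a connection, not a second listener). UDP lines carry no
    state column, so every UDP line is a bound socket.
    """
    bound: Set[Tuple[str, int]] = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or something we do not parse
        proto = m.group(1).lower()
        port = int(m.group(3))
        state = (m.group(5) or "").upper()
        if proto == "tcp" and state != "LISTENING":
            continue
        bound.add((proto, port))
    return bound


def reconcile(findings, bound: Set[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Split scanner findings by whether a matching local socket exists."""
    report: Dict[str, List[str]] = {"corroborated": [], "unconfirmed": []}
    for proto, port, label in findings:
        bucket = "corroborated" if (proto, port) in bound else "unconfirmed"
        report[bucket].append(f"{port}/{proto} ({label})")
    return report


if __name__ == "__main__":
    result = reconcile(SCANNER_FINDINGS, parse_bound_ports(SAMPLE_NETSTAT))
    for bucket, entries in result.items():
        print(bucket + ":")
        for entry in entries:
            print("  " + entry)
```

In the constructed sample only 6667/tcp has a listener, so it is the one finding worth tracing to a process; the UDP findings stay unconfirmed until checked another way, for example by watching whether the scanner's probe packets draw any reply on the wire.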