From: Frank Knobbe (FKnobbeKnobbeITS.com)
Date: Thu Aug 16 2001 - 00:16:22 CDT

    > -----Original Message-----
    > From: Andrew Langton [mailto:andrew.langtonBabcockBrown.com]
    > Sent: Wednesday, August 15, 2001 11:58 PM
    >
    > So how did you avoid the Code Red worms? The way I
    > understand it, they
    > worked by utilising the .ida vulnerability - that works over port
    > 80.

    Some IIS 4 machines had the IDA mapping removed (during install), so
    Code Red could not do its dirty deed. (and I admit, one machine was
    running IIS 3 :P)

    Even if the web server had been infected with Code Red, it would not
    have been able to spread out to other servers because the firewall
    does not allow outbound connections from the web server (except to a
    certain AV vendor at 4am for 15 minutes).

    Part of server hardening is the removal of unused mappings, sample
    sites, unneeded virtual directories. In my case, just having the IDA
    mapping removed on an IIS 4 box turned out to be enough to prevent
    the worm. It's just a tiny, simple thing. However, when you add all
    those tiny things up, you get a decently secured system. If you then
    add additional layers of defenses (like firewall rules), then it's
    gonna be pretty hard to get into the box and the level of security is
    pretty good.

    And that configuration, once set up, does not need to be tended with
    patches every time. If there is a vulnerability in a component that
    you do use, sure, a patch is recommended. I remember there being one
    for OWA recently (and the first and only big security patch for OWA
    afaik). But you don't have to run to the system every time MS issues
    a bulletin.

    The secret is in the layering of the defenses. If you erect several
    fences, then there is no need to panic when vandals tear one down.
    You can fix that fence at your leisure.

    Regards,
    Frank

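As an added example (not part of Frank's message or anything else in the thread), the hardening step he describes in Python: an IIS 4 style ScriptMaps list is checked against an allow-list of the extensions the site actually serves, everything else is reported for removal, and the handler DLLs left without any mapping are listed too. The `ext,handler,flags,verbs` entry format and the sample list are assumptions constructed for the example, not a dump from a real server.

```python
"""Audit IIS-style script mappings against the extensions a site actually uses.
Entries follow the IIS 4/5 metabase ScriptMaps form (assumed): "ext,handler,flags
[,verb,...]"; mappings not on the allow-list are reported for removal."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ScriptMap:
    extension: str
    handler: str
    flags: int
    verbs: tuple

def parse_script_map(entry: str) -> ScriptMap:
    """Parse one 'ext,path,flags[,verbs...]' entry; extensions are case-insensitive."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    verbs = tuple(v.upper() for v in parts[3:] if v)
    return ScriptMap(parts[0].lower(), parts[1], int(parts[2]), verbs)

def audit_script_maps(entries, required_extensions):
    """Split mappings into (keep, remove) using an allow-list of needed extensions."""
    required = {e.lower() for e in required_extensions}
    keep, remove = [], []
    for entry in entries:
        m = parse_script_map(entry)
        (keep if m.extension in required else remove).append(m)
    return keep, remove

def orphaned_handlers(keep, remove):
    """Handler DLLs that no remaining mapping references once unused ones are gone."""
    still_used = {m.handler.lower() for m in keep}
    return sorted({m.handler for m in remove if m.handler.lower() not in still_used})

# Constructed sample resembling an IIS 4 default ScriptMaps list, not a real dump.
SAMPLE_SCRIPT_MAPS = [
    ".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".asa,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".ida,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD",
    ".idq,C:\\WINNT\\System32\\idq.dll,1,GET,HEAD",
    ".shtml,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,1,GET,POST",
]
SITE_NEEDS = [".asp", ".asa"]  # the box in the post only served ASP pages

if __name__ == "__main__":
    keep, remove = audit_script_maps(SAMPLE_SCRIPT_MAPS, SITE_NEEDS)
    for m in remove:
        print(f"remove mapping {m.extension:7} -> {m.handler} ({','.join(m.verbs)})")
    for dll in orphaned_handlers(keep, remove):
        print(f"no remaining HTTP path into {dll}")
```

With the sample list and the ASP-only allow-list, the .ida, .idq and .shtml mappings are flagged and idq.dll and ssinc.dll are reported as no longer reachable through the web server.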