NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > FOCUS-MS> 2003-q2

RE: SUS server

From: Bill Mote (bill.motemem.com)
Date: Thu Apr 10 2003 - 07:32:33 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dennis,

Thanks for the reply. My problem, however, is not with talking to my DMZ;
it's letting my DMZ talk anywhere else. Right now that's not allowed for
any reason. Nor can my dB network talk "in" to my network.

Is your fear that the SUS server on the DMZ could be compromised and thus
provide bad patches?

Bill

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdmornl.gov]
Sent: Wednesday, April 09, 2003 3:15 PM
To: Bill Mote; focus-mssecurityfocus.com
Subject: RE: SUS server

Bill,

I would probably NOT place my SUS server in the DMZ. Instead I would place
it on my pc network. The SUS server pulls the information from the
Microsoft update site. This places it similar to a client PC accessing
Windows Update. Because SUS uses a pull technology, you can limit the
firewall exceptions to connections the SUS server initiates. This then
limits all your pc's having to regularly access the DMZ to get updates from
the SUS server.

Dennis

-----Original Message-----
From: Bill Mote [mailto:bill.motemem.com]
Sent: Wednesday, April 09, 2003 2:48 PM
To: focus-mssecurityfocus.com

Where in my network should I place the SUS server? It seems to me the
logical place would be the DMZ as I want to use this server to patch my
workstations, laptops, and my servers.

Everything inside my network can talk to the DMZ, but the inverse is not
true. The DMZ can only talk to the DB network on the DB protocol. Neither
the DMZ nor the DB network can talk to our internal LAN at all. The DB
network and the LAN can talk to machines in the DMZ though.

-----Original Message-----
From: Brian W. Spolarich [mailto:bspolarichnephrostherapeutics.com]
Sent: Monday, April 07, 2003 2:31 PM
To: Thane Walkup; focus-mssecurityfocus.com
Subject: RE: SUS server

Thane Walkup wrote:
> One VERY good reason not to run SP3 is possible HIPAA and 21CFR11
> regulation issues - since the license for SP3 technically gives
> Microsoft unfettered access to your PC, any company under those
> regulations could be in violation of those regulations.
>
> This affects just about any medical facility.

One can configure the SUS client to point at an internal SUS server via
Active Directory GPOs. I suspect that if you point it at a non-functional
URL the auto-update component will essentially be disabled, and it may be
possible to disable it completely via GPO (haven't looked).

-bws

<b>
----------------------------------------------------------------------
Block Spam, Smut & Viruses
SurfControl E-mail Filter for SMTP & Exchange leverages multiple layers of
technology including filtering embedded and attached file content. Rid your
enterprise of unwanted content.
http://www.securityfocus.com/SurfControl-focus-ms2
Download your free fully functional trial, complete with 30-days of free
technical support.
----------------------------------------------------------------------
</b>

----------------------------------------------------------------------
Block Spam, Smut & Viruses
SurfControl E-mail Filter for SMTP & Exchange leverages multiple layers of
technology including filtering embedded and attached file content. Rid your
enterprise of unwanted content.
http://www.securityfocus.com/SurfControl-focus-ms2
Download your free fully functional trial, complete with 30-days of free
technical support.
----------------------------------------------------------------------

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]