Thursday, August 18, 2005 - Posts

What's the real risk?

Threats.

Risk.

Entry points.

We all have them.  But ... honestly.. I don't think we truly understand them well enough to be doing the proper things about them.  So many times I see people so worried about the outside wall, the firewall, the perimeter. 

Too often I see folks blindly refuse to look at SSL or RDP as "oh, they are subject to Man in the Middle attacks so we just have to use this technology over there"... without really understanding the REAL and TRUE risks to the network.  I talk about SMB signing and that's often touted as being able to deflect man in the middle attacks... and where's the REAL risk of MITM attacks via SMB?  With non-Windows clients.  That's right, the main thing SMB signing deflects is man in the middle attacks done by non-Windows workstations.

Okay...so how many non Windows workstations do I have in my full 100% Borg network?

Hm... do we remember?

Yes?

Yeah.. Zippo...nada...zilch.

So why do we worry about things over 'there' when I'm still having to run a lot of desktops with local administrator, or hacking registry hives in a manner that even afterwards I'm not sure is the wisest thing in the world, opening up class roots like I have to?  And yet we get so caught up in these threats... that because either we don't get good enough information about them... or we don't understand them, we put our resources in the wrong place.

Today someone was saying that they didn't set up their clients with Remote Web Workplace because they didn't feel it was secure enough and never got an answer back from the sources they contacted at Microsoft regarding RWW [my question... uh... who did you talk to at Microsoft, because honestly even the Security bulletin on the RDP vulnerability didn't understand that SBS doesn't 'listen' on 4125.  The bulletin's "mitigation" for SBS is not right at all.  That port never "listens".  That's the beauty of it.  It waits for authentication]. 

Next the comment was made that SSL and RDP are both susceptible to Man in the Middle attacks....but with server based certificates they are not.  Okay...but in SBSland we have a self signed server certificate that you can add to the local certificate store on your computer.  So where's the Man in the Middle risk? 

Remember what happens during the installation of SBS 2003 sp1 if you don't export out those self signed certs and ISA 2004's wizard kicks in and builds new ones?  Remember how Outlook over http suddenly fails?

Remember the warnings from the SP1 premium notes?

  • To maintain the current authentication experience for your users, it is highly recommended that you save your existing certificate by exporting it before you begin to set up ISA Server 2004.
  • During the ISA Server installation process, you will need to indicate that you are creating a new certificate. Later, you will import your saved certificate in order to maintain your current authentication experience for your users.
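The export-then-reimport the SP1 notes describe, as an added example that is not from the SP1 notes or this post: save the current certificate (with its private key) before the ISA wizard runs, then afterwards compare the thumbprint the store now holds against the saved one and re-import if it changed, which is exactly the case where Outlook over HTTP stops working. It uses the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate, which exist on current Windows but not on SBS 2003; the subject name and backup path are assumptions.

```powershell
# Added example, not from the SBS SP1 notes. Assumes the PKI module cmdlets
# (Windows 8 / Server 2012 and later); subject name and paths are placeholders.
$subject  = 'CN=remote.example.local'            # assumed subject of the self-signed cert
$backup   = 'C:\certbackup\rww-before-isa.pfx'   # assumed backup location
$password = Read-Host -AsSecureString 'PFX password'

# Newest certificate in the machine store with the subject we care about
function Get-ServerCert {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

# Step 1: run BEFORE ISA setup. Exports the cert + private key and records its thumbprint.
function Save-ServerCert {
    $before = Get-ServerCert
    if (-not $before) { throw "No certificate with subject '$subject' in LocalMachine\My" }
    New-Item -ItemType Directory -Force -Path (Split-Path $backup) | Out-Null
    Export-PfxCertificate -Cert $before -FilePath $backup -Password $password | Out-Null
    Set-Content -Path "$backup.thumbprint" -Value $before.Thumbprint
    "Saved $($before.Thumbprint) to $backup"
}

# Step 2: run AFTER ISA setup. If the wizard replaced the cert, put the saved one back
# so clients that already trust the old thumbprint keep working.
function Restore-ServerCertIfChanged {
    $saved = (Get-Content "$backup.thumbprint").Trim()
    $after = Get-ServerCert
    if ($after -and $after.Thumbprint -eq $saved) {
        return "Certificate unchanged ($saved); nothing to do"
    }
    "Certificate changed ($saved -> $($after.Thumbprint)); re-importing the saved one"
    Import-PfxCertificate -FilePath $backup -CertStoreLocation Cert:\LocalMachine\My `
        -Password $password -Exportable | Out-Null
    "Restored $saved; now re-bind it in IIS/ISA for the RWW and OWA listeners"
}

# Usage: Save-ServerCert before the ISA wizard, Restore-ServerCertIfChanged after it.
```

Re-importing puts the old certificate back in the store but does not by itself re-bind it to the web listener; that last step is still done in the IIS or ISA console.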

So ... tell me... how much of a risk of Man in the Middle attacks over our Remote Web Workplace is there truly? In REALITY?

Truly ... I've never seen a MITM attack in the SBS newsgroups.  What is the true reality of that kind of attack happening?

Malware.. oh yeah.... SMTP auth attacks.. heavens yes... Stupid passwords... all the time... but MITM?

I guess what I'm saying is, one size of paranoia... does not fit all.

We've got to stop following something just because it's the super duper high security right thing to do over there without looking to see if it's the RIGHT SECURITY thing to do over here. 

Read between the lines of what Dana is doing in this post.  He's not throwing stuff on his system just because he can, he sat down and made a risk analysis of what his concerns were, what his threats were, and what protection he felt was reasonable.  We'll actually be talking a bit about this at SMBnation where he and I will be presenting. 

I love the comment from several attendees of the SMB Technology Network session... they wanted real solutions that would deliver real value to their clients.  They didn't want to use scare tactics to sell anything, and especially not solutions that really didn't help the real risk.

So truly... what's your REAL risk for your clients?

Are you solving that?

Hope to see you there at SMBnation!

I'm a security news junkie [part two]

So in the mailbox tonight, I was asked...how did I sign up for the McAfee alerts on IM.

Step one, on the MSN IM, scroll down to the alert window and click on 'go to site'.  From there you'll want to click on 'additional alerts'.  From there... see that McAfee icon?

Click there...sign into your passport to sign up...and voila.

Virus Alerts: Keep you up-to-date on important virus news. Subscription Alerts: Notify you when it's time to renew your subscription.

..okay if you want even MORE instant paranoia there's also the Terralert for $39.99

But Joe, they do!

Joe Wilcox talks about how this worm in reality shines the light on customers and patch management:

'The real spotlight should be on customers and patch management. If Microsoft doesn't provide tools these customers deem adequate to quickly deploy patches, then Microsoft competitors and partners should seize the opportunity to do so. Regardless, no one should delay patching systems once they are available. The risks are too great, as this week's limited, but high-profile infections demonstrate.'

Excuse me Joe?  What do you think Windows Update and Microsoft Update is?  What about WSUS?  And ..Joe? WSUS is a free download.  That's right Joe, even though I truly like Shavlik better, you CAN get a free patch tool from Microsoft NOW.

As little as I am, I've had a patch management tool for like... something like THREE YEARS now.  How come I got the cluestick via Shavlik so long ago and these companies haven't figured out you can automate this gunk?  I just don't get it.

I truly don't get it.  I rant all the time about making GUIs for me because I hate command line and scripting... but I sure as heck know for certain the power under the Engine.  It's Group Policy, it's scripting.  Heck, it's even the upcoming Monad.  It's controlling the desktops and testing patches, deploying them; we have the tools and the power to do this.

So Joe...the tools are there...the partners are there... the community at patchmanagement.org is there....

Tell those firms to get on board and get the cluestick.

MS Advisory on IE and a kill bit

Microsoft Security Advisory (906267): A COM Object (Msdds.dll) Could Cause Internet Explorer to Unexpectedly Exit:
http://www.microsoft.com/technet/security/advisory/906267.mspx

So I'm hit on IM with that new Advisory today and it says in part three:

Disable attempts to instantiate the Microsoft DDS Library Shape (Msdds.dll) control in Internet Explorer by setting the kill bit for the control

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

The CLSID for the Microsoft DDS Library Shape Control (Msdds.dll) COM object is EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F.

For detailed steps about stopping a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps and create a Compatibility Flags value in the registry to prevent the Microsoft DDS Library Shape Control (Msdds.dll) COM object from being instantiated in Internet Explorer.

Impact of Workaround: The Microsoft DDS Library Shape Control is not marked safe for scripting and is not intended to be instantiated in Internet Explorer. No adverse effects should occur as a result of this workaround.
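The kill bit step from the advisory as a script, added here and not part of the advisory or this post: it sets the Compatibility Flags value for the CLSID the advisory gives (the ActiveX Compatibility key that KB 240797 describes) and reads it back so you can confirm the bit took. Run it from an elevated PowerShell prompt; the Wow6432Node path is an assumption covering 32-bit Internet Explorer on 64-bit Windows, which reads the kill bit from there.

```powershell
# Added example, not from the advisory. CLSID from Microsoft Security Advisory 906267;
# 0x400 is the Compatibility Flags kill bit described in KB 240797.
$clsid       = '{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}'
$killBitFlag = 0x400

# Both views of the key: native IE and (on 64-bit Windows) the 32-bit IE view (assumption).
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

# Report whether the kill bit is set at a given key without changing anything
function Get-KillBitState {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 'not set (no key)' }
    $flags = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'not set (no value)' }
    if (($flags -band $killBitFlag) -eq $killBitFlag) { return ('set (0x{0:X})' -f $flags) }
    return ('value present but kill bit clear (0x{0:X})' -f $flags)
}

# Set the kill bit, OR-ing into any flags already there rather than overwriting them
function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Type DWord `
        -Value ($existing -bor $killBitFlag)
}

foreach ($k in $keys) {
    # Skip the Wow6432Node view on 32-bit Windows, where its parent does not exist
    if (-not (Test-Path (Split-Path $k))) { continue }
    "Before: $k -> $(Get-KillBitState $k)"
    Set-KillBit $k
    "After:  $k -> $(Get-KillBitState $k)"
}
```

Reading the value back matters because the advisory's workaround is a registry edit with no confirmation of its own; if "After" still reports the bit clear, the change did not land (usually a non-elevated prompt).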

Now I'm not big on manual stuff but http://isc.sans.org/diary.php?date=2005-08-18 has a GUI [ah yes, GUI] kill bit interface.

Now MIND YOU, I'M STILL NOT VULNERABLE, so while I'm doing this just for grins [and to see if truly no adverse effects occur (none do)], merely under the 'if ya don't need it, get rid of it' rule, I still think this is a bit too much Chicken Little in one week.

Today on the download site an interesting document on IE Security.... truly that is not an oxymoron and there's good stuff to come in IE7.

Incidents.org reports 0-Day.. Rover says... what 0-Day?

So over on Incidents.org they are reporting a new 'zero day' IE vulnerability......

Yesterday, FrSIRT (aka K-otik) released a working 0-day exploit against a .Net component which is accessible remotely via Microsoft Internet Explorer.

Impact

The exploit will open a remote shell if you visit a malicious website. Other payloads are possible. The exploit will have all the privileges assigned to the user running Internet Explorer. We do not see any use of the exploit at this time, but consider widespread use imminent.

Am I Vulnerable ?

You are only vulnerable if you have "msdds.dll" installed on your system. By default, Windows will not install this DLL. See below for details. The DLL can be found in Program Files\Common Files\MicrosoftShared\MSDesigners7

The vulnerable version is: 7.0.9064.9112 . Later versions are not vulnerable (in particular 7.10.x)

So I fired up ol' trusty Rover and on my XP sp2, with Office 2003 with Access 2000 runtime... and Rover says my version is 7.00.9466.  Hmmm... let's see... 7.00.9466 versus 7.0.9064... I think I'm just fine.
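The same "am I vulnerable?" check Rover is doing above, as an added script that is not part of the ISC diary or this post: look for msdds.dll in the location the diary names and compare its file version against the version ISC lists as vulnerable. The diary's "MicrosoftShared" is read here as the usual "Microsoft Shared" folder, and the Program Files (x86) path for 64-bit Windows is an assumption; anything at or below the listed version is flagged, which is the conservative reading of "later versions are not vulnerable".

```powershell
# Added example, not from the ISC diary. Version string and folder from the diary entry.
$vulnerableVersion = [version]'7.0.9064.9112'

# Candidate locations; "Microsoft Shared" spacing and the (x86) path are assumptions.
$candidatePaths = @(
    "$env:CommonProgramFiles\Microsoft Shared\MSDesigners7\msdds.dll",
    "${env:CommonProgramFiles(x86)}\Microsoft Shared\MSDesigners7\msdds.dll"
) | Where-Object { $_ -and -not $_.StartsWith('\') -and (Test-Path $_) }

# Returns one record per DLL found: path, parsed file version, and whether it is
# at or below the vulnerable version (flagged conservatively as vulnerable).
function Test-MsddsVersion {
    param([string]$Path)
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $v = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                        $info.FileBuildPart, $info.FilePrivatePart)
    [pscustomobject]@{
        Path        = $Path
        FileVersion = $v
        Vulnerable  = ($v -le $vulnerableVersion)
    }
}

if (-not $candidatePaths) {
    "msdds.dll not found in the expected locations: not vulnerable by ISC's criteria"
} else {
    $candidatePaths | ForEach-Object { Test-MsddsVersion $_ } | Format-Table -AutoSize
}
```

Comparing with [version] rather than as strings is the point: "7.00.9466" sorts after "7.0.9064.9112" numerically, which is what the post's eyeball comparison relies on, whereas a plain string compare would get it wrong.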

Do we see an interesting pattern to all these latest 'stuff' going on the web?  Do you see how being fully borg means that the issues are less, I'm not running screaming to the server, nor to the workstations.

Patching is easier... I'm more secure... the bad things have to work a heck of a lot harder to get me, they would have to use authentication methods that are harder to attack on... see what is going on here? 

I rant about Windows NT being dead... personally... I think Windows 2000 is on major life support and someone should pull the plug.  It's a 5 year old operating system that businesses just should not be deploying today.  Not in this environment.