[Dshield] Secure computing (was: Port 135)

John Hardin johnh at aproposretail.com
Mon Oct 28 18:54:08 GMT 2002


On Mon, 2002-10-28 at 07:34, Jan Johansson wrote:
> 
> >>>135:139 SHOULD NOT be permitted in from or out to the Internet.
> >>
> >>How should my students then be able to access their files from
> >>home? Mapping shares over the Internet works and is easy to
> >>use for the computer illiterate.
> >
> >This part really got my attention and you have not addressed it. 
> >Using all those technologies I've snipped from your message are good.
> > If you now want to dig yourself out of the hole you're in by saying
> >you do it by AFS, SSH or a Kerberized solution, simply explain why
> >did you respond in that way to John's "135:139" line?  
> 
> Frustration over that people try to solve every computer problem
> with firewalls and laws. In this case (spam by windows message
> server) I see that the source of the problem as (yet again) bad
> implementation from Microsoft. So why is noone complaining? Fix
> the real problem don't make a workaround. (Or rather make them
> fix the problem).

...as if MS give a hoot about this problem.

...as if the existence of this problem causes MS any financial or PR
discomfort in any way.

...as if, even if MS redesigned the protocol to incorporate
authentication, or shut it off by default, more than some miniscule
portion of the installed base would be updated with the fix.

The firewall is a concentration point, a point of control. Granted, it
is not a panacaea. I do not rely on it to do everything. It's only one
part of the defenses - the moat filled with stinky sewage, if you will.

But it *is* the place that I enforce policy about the distinction
between local traffic and internet traffic. And my firewall is under my
control, which the 1.5e8 misconfigured Windows boxen out there are not.

> This says that of 1200 students 0 has choosen to use the samba
> server from home. In other words they use AFS and Kerberos FTP.
>
> >You make no mention of how you enforce any policies about
> >Windows drive sharing.
> 
> Computer policies make it impossible for Joe User to share a
> drive. We also audit our network for shares on user maintained
> machines. When found we educate the user on howto do without it.

So why are you *not* blocking 135:137, and not worrying about the
problems those protocols cause you or others? You don't appear to be
using them.

-- 
John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 ...people confuse "security" and "Trustworthy Computing."
                                 - Craig Mundie, MS Senior VP and CTO
-----------------------------------------------------------------------
 51 days until The Two Towers




More information about the list mailing list