[Dshield] Windoze Questions...SAMBA + Windows AD Question

Al Reust areust at comcast.net
Fri Feb 20 03:35:05 GMT 2004


Laurie and the list

At 08:15 AM 2/20/2004 +1000, you wrote:
>Hello Al and List,
>
>The PC in question was the Win2000 pro hardware firewall Console/IDS
>machine.

Normally, as with a router, it would be a laptop plugged in through the 
console port. For updates it would be unplugged from the console and then 
plugged into the protected network behind the Firewall. Then you are not 
bridging the network to the Firewall. Laurie, yes, I understand (this is for 
those that have no idea what we are talking about). So yes, making sure that 
we can keep it "up to shape" and not risk the Firewall. I hope only one cable 
is plugged in at a time.

>All machines are patched/updated daily/as required, but it looks like the
>main target was the firewall console.

Stupid question, is the Win2K Pro in a "DMZ" or the "Internal" network? 
What you have stated is that it is visible to the outside world, thus 
attacked. That would also bring up questions about how much more is visible 
to the outside world (unknown). Which reminds me, I am overdue in checking 
how visible (ports) my Firewall is.

>Unless you use a laptop or another PC
>that does not have access to both Win/Linux, your hardware firewall could be
>vulnerable. I have noticed that several of the latest 'hotfixes' appear to
>be processor specific and the patch is applied on one type of CPU but not
>the other.

As you brought it up, MS stated that they would rename according to product, 
i.e. IIS for (you got it) IIS server, ISA for ISA server, OUT for Outlook, etc. 
ad infinitum. In cases of Win2K server versions I have seen SERVER appended 
for specific "server" only patches. As I still have Shavlik HFNetChk 
(4.0.76.6) installed on this machine, I did a quick comparison between 
Windows Update Catalog (which allows download of the specific patch(es)), 
Technet (which is a big sort out what you want and then download the patches 
one at a time) and Shavlik (HFNetChk, which has "every one" of the machines on 
your network {XP and 2003 have other specific problems}). SUS downloads 
"Everything Security for all the OS' above NT 4.0".
See example below.

q279328.exe - IE55 Sp1 Windows update
Q279328_IE55_SP1_x86_ENU.exe - Shavlik

Windows2000-KB828028-x86-ENU.EXE - Windows Update Catalog
WindowsXP-KB828028-ia64-ENU.exe - Windows Update Catalog
Windows2000-KB828028-x86-ENU.EXE - Technet
WindowsXP-KB828028-ia64-ENU.exe - Technet
Windows2000-KB828028.exe - Shavlik, no i64

Yes, there is an x86 for the Intel/AMD processors; in the case of this 
version of Shavlik they do not show i64 processors, Alpha, or heaven forbid 
MIPS. Until Build (about 2183 Whistler) there was an Alpha version (now 
Server (2003) and Desktop {XP}). Yes, I did have 9 Alphas running "Whistler" 
in a Miniature Large Enterprise Domain Model (MiniLe, only 140 DC's). Yes, 
MS did kill off Alphas. Shavlik also does some "renaming" to fit their 
software version.


>Regards,
>
>Laurie

Regards

Al
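The filename list above shows the problem Al is describing: the same hotfix appears under different names depending on whether it came from Windows Update, the Catalog, Technet or Shavlik, and one of those names drops the processor architecture entirely. The following is an added example, not code from the thread or from any of the tools mentioned; it normalizes the naming styles shown on the page onto the KB/Q number so an inventory can be compared across sources and flag which source gives no architecture. The pattern names, the source labels and the sample list are assumptions built from the filenames quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Hotfix:
    """One patch package as named by one source (Catalog, Technet, Shavlik, ...)."""
    kb: str                 # numeric article id; the "Q" and "KB" prefixes both map here
    product: Optional[str]  # e.g. "Windows2000", "IE55"; None for a bare qNNNNNN.exe
    arch: Optional[str]     # "x86", "ia64" or "amd64"; None when the name carries no arch
    lang: Optional[str]     # three-letter language code such as "ENU", or None
    source: str             # which tool or site produced this name


# Catalog / Technet / Shavlik style: Product-KBnnnnnn[-arch][-LANG].exe
_CATALOG = re.compile(
    r"^(?P<product>[A-Za-z0-9]+)-KB(?P<kb>\d+)"
    r"(?:-(?P<arch>x86|ia64|amd64))?(?:-(?P<lang>[A-Za-z]{3}))?\.exe$", re.I)
# Older Shavlik style for IE: Qnnnnnn_Product[_SPn]_arch_LANG.exe
_SHAVLIK_Q = re.compile(
    r"^Q(?P<kb>\d+)_(?P<product>[A-Za-z0-9]+)(?:_SP\d+)?"
    r"_(?P<arch>x86|ia64|amd64)_(?P<lang>[A-Za-z]{3})\.exe$", re.I)
# Bare Windows Update style: qnnnnnn.exe (no product, arch or language in the name)
_BARE_Q = re.compile(r"^Q(?P<kb>\d+)\.exe$", re.I)


def parse_hotfix(name: str, source: str) -> Optional[Hotfix]:
    """Map any of the three naming styles onto a Hotfix; None if the name is unrecognised."""
    for pattern in (_CATALOG, _SHAVLIK_Q, _BARE_Q):
        m = pattern.match(name)
        if m:
            g = m.groupdict()
            arch, lang = g.get("arch"), g.get("lang")
            return Hotfix(kb=g["kb"], product=g.get("product"),
                          arch=arch.lower() if arch else None,
                          lang=lang.upper() if lang else None, source=source)
    return None


def reconcile(names: Iterable[Tuple[str, str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Group names by KB id; record which sources list it and which give no architecture."""
    out: Dict[str, Dict[str, Set[str]]] = {}
    for name, source in names:
        hf = parse_hotfix(name, source)
        if hf is None:
            continue  # unknown naming style: report separately rather than guess
        entry = out.setdefault(hf.kb, {"sources": set(), "archs": set(), "missing_arch": set()})
        entry["sources"].add(source)
        if hf.arch:
            entry["archs"].add(hf.arch)
        else:
            entry["missing_arch"].add(source)
    return out


# Constructed inventory, built from the filenames quoted in the message above.
PAGE_NAMES = [
    ("q279328.exe", "windows-update"),
    ("Q279328_IE55_SP1_x86_ENU.exe", "shavlik"),
    ("Windows2000-KB828028-x86-ENU.EXE", "catalog"),
    ("WindowsXP-KB828028-ia64-ENU.exe", "catalog"),
    ("Windows2000-KB828028-x86-ENU.EXE", "technet"),
    ("WindowsXP-KB828028-ia64-ENU.exe", "technet"),
    ("Windows2000-KB828028.exe", "shavlik"),
]

if __name__ == "__main__":
    for kb, info in sorted(reconcile(PAGE_NAMES).items()):
        print(kb, "sources:", sorted(info["sources"]),
              "archs:", sorted(info["archs"]), "no arch from:", sorted(info["missing_arch"]))
```

The useful output is the `missing_arch` set: a source that names a patch without an architecture cannot tell you which of an x86 or ia64 box actually received it, which is exactly the "applied on one type of CPU but not the other" confusion Laurie raised.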

>----- Original Message -----
>From: "Al Reust" <areust at comcast.net>
>To: "General DShield Discussion List" <list at dshield.org>
>Sent: Thursday, February 19, 2004 11:16 AM
>Subject: Re: [Dshield] Windoze Questions...SAMBA + Windows AD Question
>
>
> > Laurence
> >
> > I take no offense and Thank You. Someday, I may have the opportunity to
> > take you up on the offer.
> >
> > My curiosity still asks, was it one machine or all? I have seen that in
>the
> > past with "hotfixes" on a single machine.
> >
> > Regards
> >
> > Al
> >
> > At 09:09 AM 2/19/2004 +1000, you wrote:
> > >----- Original Message -----
> > >From: "Al Reust" <areust at comcast.net>
> > >To: "General DShield Discussion List" <list at dshield.org>
> > >Sent: Tuesday, February 17, 2004 2:49 PM
> > >Subject: Re: [Dshield] Windoze Questions...SAMBA + Windows AD Question
> > >
> > >
> > > > Laurie
> > > >
> > > > If you use remote administration, it is Good thing that Snort tells
>you
> > > > someone hooked into IPC$. It should be (the remote IP) within your IP
> > >range
> > > > (DHCP or known remote IP's), if it is outside your IP range then you have
>a
> > > > compromised system and the IP where it came from. Depending on your
>actual
> > > > setup you could be seeing something that is quite normal (internal
> > > > application touching the server).
> > >
> > >Al,
> > >
> > >I do NOT use remote administration and there is no external access
>allowed
> > >through the company hardware firewall. All machines are patched and have
>the
> > >latest AV updates every day, some with multiple AV's. There are many
>layers
> > >of protection in the network I maintain including S/w firewalls on all
> > >boxes. The Samba Server is locked up tight and no other servers are
>enabled.
> > >
> > > > However to remove those pesky administrative/hidden shares, Microsoft
> > > > explains how to create Hidden or Remove them (yes some registry
>editing is
> > > > required and once you have accomplished that you can replicate it)
> > >
> > >I never liked those shares and I have been working with software from
> > >Motorola Assembler at Uni (B.Sc.(comp) 1993), to MS software from (DOS
> > >(Disk Operating System)) Basica, Quick Basic, Visual Basic Dos V1, MS-FP
> > >from FP2.6 to MS VFP Win 7.0 among others. I originally started working
>in
> > >databases with Kman (MDBS) then switched to other Xbase variants. I
>actually
> > >prefer CA's dBfast (on 95, 98a&b, 2000 and XP) because it has a basic
>rule
> > >set that doesn't change over time (since '95), not to mention speed and a
> > >very transparent code based event loop.
> > >
> > >I worked for Civil Engineering Consulting Engineers, prior to switching
>to
> > >comms in the field for Telecom Australia working on complex exchange
> > >cutovers (when the power went out our phones kept working), then I
>switched
> > >to software development and worked for the District Telecom
> > >Engineers/Engineering Managers on various Design office projects and
>finally
> > >the Queensland Networks manager. Our engineering section introduced the
> > >first cable TV network in Australia. I have been working on network
>security
> > >for the last couple of years.
> > >
> > >The only 'unauthorised' access to our network has been via our government
> > >and MS 'patches' as explained in my previous DSHIELD post 'Unauthorised
> > >program access', while all of the multiple layers of (up to date)
>protection
> > >have said nothing is wrong. Let's face reality, the 'integration' of many
>MS
> > >products from Win2000/XP on has opened up a Pandora's box for all kinds
>of
> > >hackers (I don't hack). The KIS rule has been broken and everybody faces
>the
> > >consequences.
> > >
> > > > So now that you have gotten that out of your system. Are there
>questions
> > > > that we can help with.
> > > >
> > >
> > >So now that you have gotten that out of your system. Are there any
>questions
> > >  that I can help you with.
> > >
> > >Regards,
> > >
> > >Laurence N. Kennedy
> > >Competency Based Learning
> > >
> > >p.s. Al and list, please note that this is not a 'flame', there are some
> > >very serious problems with things and unless the current 'sophist-icated'
> > >attitudes change, things will only get worse.
> > >
> > >_______________________________________________
> > >list mailing list
> > >list at dshield.org
> > >To change your subscription options (or unsubscribe), see:
> > >http://www.dshield.org/mailman/listinfo/list
> >
> >
> >
>
>_______________________________________________
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www.dshield.org/mailman/listinfo/list
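Al's earlier advice in the quoted thread is a triage rule: when Snort reports a connection to IPC$, the remote address should fall inside your own range (DHCP pool or known remote addresses), and anything outside that range is worth treating as a compromise. The following is an added example, not code from the thread or from Snort itself; it reads Snort "fast"-style alert lines, keeps only the IPC$ ones and classifies the source address against a trusted-range list. The network ranges, the sample alert lines and their signature ids are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Address space the server is expected to be reached from (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.0.0/24")]

# Snort fast-alert layout: ... [**] [gid:sid:rev] message [**] ... {PROTO} src:sport -> dst:dport
_ALERT = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Pull message, protocol and endpoints out of one alert line; None if it does not parse."""
    m = _ALERT.search(line)
    if not m:
        return None
    fields = m.groupdict()
    try:
        ipaddress.ip_address(fields["src"])
        ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None  # malformed address: do not classify it as anything
    return fields


def verdict(src: str) -> str:
    """Apply the rule from the thread: inside our range is expected, outside is a compromise sign."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in TRUSTED_NETS):
        return "expected-internal"
    return "outside-range"


def triage_ipc_alerts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, verdict) for every alert whose message mentions the IPC$ share."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or "IPC$" not in alert["msg"]:
            continue
        results.append((alert["src"], alert["dst"], verdict(alert["src"])))
    return results


# Constructed sample alerts in Snort fast-alert format; sids and addresses are illustrative,
# and 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_ALERTS = [
    "02/19-09:05:12.123456  [**] [1:537:13] NETBIOS SMB IPC$ share access [**] "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.23:1034 -> 192.168.1.5:139",
    "02/19-09:06:40.654321  [**] [1:2003:5] SCAN SSH brute force attempt [**] "
    "[Classification: Attempted Login] [Priority: 2] {TCP} 198.51.100.7:40211 -> 192.168.1.5:22",
    "02/19-09:07:03.000001  [**] [1:537:13] NETBIOS SMB IPC$ share access [**] "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 203.0.113.45:3921 -> 192.168.1.5:139",
]

if __name__ == "__main__":
    for src, dst, v in triage_ipc_alerts(SAMPLE_ALERTS):
        print(f"IPC$ access {src} -> {dst}: {v}")
```

An "expected-internal" hit still deserves a look if the source is a workstation that has no business reaching the server's IPC$ share, which is Al's point about an internal application touching the server being normal only when you know which application it is.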



