[Dshield] Windoze Questions...SAMBA + Windows AD Question

Laurie Kennedy cblmaint at cblptyltd.com.au
Tue Feb 24 00:10:32 GMT 2004


Hello Al and List,

----- Original Message ----- 
From: "Al Reust" <areust at comcast.net>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Friday, February 20, 2004 1:35 PM
Subject: Re: [Dshield] Windoze Questions...SAMBA + Windows AD Question


> Laurie and the list
>
> At 08:15 AM 2/20/2004 +1000, you wrote:
> >Hello Al and List,
> >
> >The PC in question was the Win2000 pro hardware firewall Console/IDS
> >machine.
>
> Normally as with a router it would be a laptop plugged in through the
> console port. For Updates it would be unplugged from the console and then
> plugged into protected network behind the Firewall. Then you are not
> bridging network to the Firewall. Laurie, Yes I understand (this for those
> that have no idea what we are talking about). So yes, making sure that we
> can keep it "up to shape" and not risk the Firewall. I hope, only one cable
> plugged in at a time.

Earlier on last week I sent an email to the CBL Administration Manager
stating that 'I cannot guarantee the security of the internal network while
XP/2000 boxes are connected to the network, until a patch is released for
the latest exploit'. I then removed server access to all Win 2000 boxes, but
have been overruled on blocking network access for the one XP box (that has
not been made available for maintenance for over 6 months despite numerous
requests (another overrule)). I have also been overruled on shutting down
the server and firewall during the day, disconnecting them from the network,
and re-setting passwords in the safest environment, whenever I notice the
Server HDD lights and the cable modem lights going crazy, with nobody
accessing them. Last Friday I tried to access the Win2000 IDS box (after a
safe reset of the Samba server root password, and safe password reset on the
Win2000 box/IDS) but received the message 'The Administrator has blocked
access to this computer'. I know that the person who uses the XP box is
incapable of administering the network. I am now on a Win 98 box with
msasn1.dll removed.

>
> >All machines are patched/updated daily/as required, but it looks like the
> >main target was the firewall console.
>
> Stupid question, is the Win2K Pro in a "DMZ" or the "Internal" network?
> What you have stated is that it is visible to the outside world, thus
> attacked. That would also bring up questions about how much more is visible
> to the outside world (unknown). Which reminds me, I am overdue in checking
> how visible (ports) my Firewall is.

Everything is on an internal network, separated from the firewall by a high
speed switch, which is then connected to several hubs then the PCs; nothing
is outside the firewall boundary.

>
> >Unless you use a laptop or another PC
> >that does not have access to both Win/Linux, your hardware firewall could be
> >vulnerable. I have noticed that several of the latest 'hotfixes' appear to
> >be processor specific and the patch is applied on one type of CPU but not
> >the other.
>

Regards,

Laurie



