Sounds then like it should be more specific. It would seem to make
sense not to expose services such as DNS, which runs as SYSTEM and has
full rights, to RPC traffic on variably assigned ports higher than
1024. Maybe that makes more sense.

We're awfully lucky that stateful firewalls evolved and became generally
available before worms became prolific.

Based on what SANS says, they recommend option #1 of the recommendations
that says "Disable remote management over RPC for the DNS server via a
registry key setting." at https://isc.sans.org/diary.html?storyid=2627

It would also seem that if one is not running Windows DNS, then you are
not at risk from this particular threat. Note that this bug has the
potential of becoming another Code Red/Nimda/SQL Slammer if it is
worm-ified and pushed out before the eventual Windows Update is widely
implemented. Seems that spammers are more interested in owning boxes
rather than wreaking widespread havoc with worms these days though.

Matt

Sanford Whiteman wrote:

It is also odd and possibly grossly incompetent of Microsoft to
choose to use ports 1024+ for such purposes, but I'm thinking that
they have some weakly justifiable reason to do this as a "feature".

RPC endpoints always choose dynamic ports in the customary ephemeral
range, not the reserved range. This is by definition and common sense.

RPC is not a Microsoft invention. It was pioneered by Xerox & Sun and
was implemented using the same basic model across many OSs.

--Sandy
------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/
Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.