FYI- dustin
Too little, too late. Microsoft have today announced a suite of initiatives intended to address the issues their customers face from the threat of Worms and other malcode like Nimda and Code Red. About time. I've been assured that substantial resources have been allocated to this new effort, but one has to wonder just who was consulted in coming up with what this program involves (if you were, drop me a line.) Announced today was the "Microsoft Security Tool Kit"; http://www.microsoft.com/security/default.asp This "Greatest Hits" CD or network download contains all of the things you should already have; - - Latest Service Packs for OS, IIS, and IE. - - Security Checklists for NT, W2K, and IIS. - - A W2K-SP2 Deployment guide (the Update.msi section is worth reading if you have an Active Directory environment and use Group Policies) - - An NT 4.0-SP6a Deployment guide for SMS. - - IE Deployment guides. - - Several individual Hotfixes required for NT 4.0 Terminal Server (even though they are included in the NT 4.0 SRP) - - IIS Lockdown Tool - - URLScan - - HFNetchk - - Critical Update Notification 3.0 (only applies to W98/W2K according to the referenced KB article) - - QChain There's a difference between the download and the CD. According to the announcement page, "It (CD) includes automation scripts to quickly install all the security hotfixes recommended in the kit.", but the CD may take from 3 to 6 weeks to arrive. I was told there would also be a "Bootstrap Client for Windows Update" within this package somewhere, but if its just the Critical Update Notification 3.0 tool then its not a "Bootstrap Client" in the sense I thought it was. While there are additional things planned, the biggest thing missing at this stage is a re-release of the NT 4.0 Option Kit CD which contains; 1. Patched version of IIS 4.0 (one that's not vulnerable out of the box) 2. Patched versions of MDAC 3. Modifications to the samples to eliminate RDS 4. Modified default installation that doesn't install in a way known to be exploitable 5. Modified Setup program that doesn't re-install removed script mappings and other components after the user has manually removed them (since that's what many people have done to protect themselves) In addition, what is desperately needed is some way to do the following; a) Probe your internal network to identify IIS installations (this can be done with HFNetchk, but working with its output is no fun) b) Completely remove the IIS installation on command (remotely!), or render it stopped c) Query the IIS installation and alter it, removing RDS keys, updating MDAC, patching it, disabling /scripts, tightening permissions, etc... d) Report results in a comprehensive fashion I don't know about the rest of you, but many people have thousands of IIS boxes to deal with. While Microsoft does sell SMS, if you used Ghost to distribute your installations it hardly seems reasonable for MS to expect you to purchase SMS to secure what you thought was a reasonable installation. If you have more than 1000 hosts under your control, send me your suggestions for the best product/method used to get patches and service packs out. Given that this whole initiative, supported at the highest levels in Microsoft, is designed in response to Worms that required the touching of every machine in your organization, the first thing out the door should've been something that made that problem less onerous. There are plans in the works (for Q2-2002) for an internal version of Windows Update. I've been calling for this with Microsoft for eons now, and while its great they have finally been hit with the clue-bat it seems ridiculous that its going to be 6 months plus before we see it. Such a tool would allow Network Administrators to rely on the client's Windows Update component to provide fixes (fixes decided on by the Network Administrator). In addition, a new feature in that client (still some 3 months out) allowing it to be setup to allow automatic updates (a push mechanism), would give you a way to push out a fix quickly to all clients. Again, about time! Also coming out of all of this was news that Windows 2000 SP3 is not likely to ship this year. Cheers, Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
