TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Here's some interesting info from the person at ISS who we consider a "god"
when it comes to authentication and encryption. I removed his name so nobody
will try to steal him from us! Isn't it great to know smart people?
:)

-----Original Message-----
Sent: Wednesday, February 23, 2000 12:04 PM
To: Droski, Sheila (ISSTexas)
Subject: RE: RealSecure Console traffic to Microsoft-Global-Net


Sheila:
   Ok .. as I suspected, it only poorly correlated with console to engine
connections (i.e., he probably saw it once and assumed it correlated (:>)).
If he'll uninstall the Windows Update wizard, it will quit making the
background connections to MS. No magic here .. and someone had to install
the wizard on his machine intentionally -- it's not installed by default
AFAIK.


-----Original Message-----
From: Droski, Sheila (ISSTexas) 
Sent: Wednesday, February 23, 2000 12:57 PM
Subject: FW: RealSecure Console traffic to Microsoft-Global-Net


Remember when I asked if something in our RSA authentication between console
and engine was trying to talk to MS on boot? Thought you'd get a kick out of
MS's answer!

-----Original Message-----
From: Marc Delince [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 18, 2000 10:44 AM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: RealSecure Console traffic to Microsoft-Global-Net



And if you contact Microsoft about it, here is their response:

"Good question, Marc.

It turns out that your machine is just being smart and is synch-ing up with
www.microsoft.com for any critical updates for your operating system.  

Thanks for your time,

Celia
Global Network Operations."

I am still waiting for them to respond to my reply asking for a way to get
my station back to its "dumb" state.

============================================================
Marc Delince
[EMAIL PROTECTED]

-----Original Message-----
From:   [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent:   Thursday, February 17, 2000 4:25 PM
To:     [EMAIL PROTECTED]
Subject:        RealSecure Console traffic to Microsoft-Global-Net


In my lab while running down another problem in RealSecure with Microsoft
encryption, I am seeing an outbound HTTP_Post event from my console machine
whenever I communicate with an engine.  Source port is 1406 (TCP),
destination is 207.46.133.14 (HTTP).  Info Type is URL, Value is
/objects/ocget.dll.  Partial ARIN listing for this address is:

Microsoft (NETBLK-MICROSOFT-GLOBAL-NET)
      One Microsoft Way
      Redmond, WA 98052-6399
      US

      Netname: MICROSOFT-GLOBAL-NET
      Netblock: 207.46.0.0 - 207.46.255.255


I haven't torn the packets down to check, but I would guess this is
Microsoft's cert checking process.  Can anyone confirm that and save me the
trouble of running it down?

I'll leave the ranting about how easy it might be to find a console on a
network if my guess is correct to someone else.

Ken Stephens, CISSP
Sr. Security Manager
CSC






