And which part of "some orgs I work in now use router ACLs or FW rules to 
restrict RPC traffic between VLANs" is difficult to understand?

The current organisation I am working in places each LOB application into a 
separate VLAN (of which there are now hundreds), and each VLAN has FW rules that 
permit traffic only from designated infrastructure servers (e.g. DCs for that 
security zone) and from nominated admin workstations. Admin workstations exist 
in VLANs that are similarly restricted from other VLANs.

So, the idea that one VPNed machine can take down the entire enterprise is 
still a possibility, but much more remote. And there is pretty much no VPN 
access anyway - only a handful of users have the necessary access (RSA tokens + 
Citrix access + unfettered traffic)

Cheers
Ken

From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Friday, 24 October 2008 10:22 AM
To: NT System Admin Issues
Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned

All it takes is one VPN'ed computer that is infected to compromise the 
enterprise.

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
Link with me at: http://www.linkedin.com/in/theessentialexchange

From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2008 7:17 PM
To: NT System Admin Issues
Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned

I think having firewall enabled by default on Windows XP SP2+ and Windows Vista 
will help mitigate the issue in consumer land.

Some of the orgs I work in now use router ACLs or FW rules to block RPC traffic 
across subnets/VLANs. That will help mitigate the issue as well.

Cheers
Ken
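Ken's two messages in this thread (the per-LOB VLAN allowlist above, and the earlier note about router ACLs / FW rules blocking RPC across VLANs) describe a deny-by-default boundary policy. The model below is an added example, not code from the list or from Ken's organisation: it assumes a constructed addressing plan, the XP/2003-era RPC port set (135, 139, 445 and the 1025-5000 dynamic range), and a Cisco-style extended ACL syntax that is illustrative only. It evaluates sample cross-VLAN flows against the allowlist, including Michael's infected-VPN-client case, and lints the policy so that no LOB VLAN can reach another.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing plan (assumption; not the organisation's real one).
ZONES = {
    "dc_zone_a": ip_network("10.10.0.0/24"),     # domain controllers for this security zone
    "admin_ws": ip_network("10.20.0.0/24"),      # nominated admin workstations
    "lob_payroll": ip_network("10.100.1.0/24"),  # one LOB application VLAN
    "lob_billing": ip_network("10.100.2.0/24"),  # another LOB application VLAN
    "vpn_pool": ip_network("10.200.0.0/24"),     # remote-access VPN client pool
}

# Ports that carry MSRPC on XP/2003-era hosts: endpoint mapper, SMB/named pipes,
# and the default dynamic RPC range. Used only to label flows in the report.
RPC_PORTS = {135, 139, 445} | set(range(1025, 5001))

# Inbound allowlist per protected VLAN: the zones allowed to initiate traffic into it.
# Any VLAN missing from this table, and any source zone not listed, is denied.
INBOUND_ALLOW = {
    "lob_payroll": {"dc_zone_a", "admin_ws"},
    "lob_billing": {"dc_zone_a", "admin_ws"},
    "admin_ws": {"dc_zone_a"},
}


def zone_of(addr):
    """Return the zone name containing addr, or None if it is in no known VLAN."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def is_permitted(src, dst):
    """Decide whether a flow from src to dst passes the VLAN boundary policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False                      # unknown address space: deny
    if src_zone == dst_zone:
        return True                       # intra-VLAN traffic never reaches the boundary
    return src_zone in INBOUND_ALLOW.get(dst_zone, set())


def evaluate(flows):
    """Return (src, dst, dport, verdict, is_rpc) for each (src, dst, dport) flow."""
    return [(s, d, p, "PERMIT" if is_permitted(s, d) else "DENY", p in RPC_PORTS)
            for s, d, p in flows]


def lob_vlans_isolated():
    """Policy lint: no LOB VLAN may be allowed to originate traffic into another."""
    lob = {z for z in ZONES if z.startswith("lob_")}
    return all(not (INBOUND_ALLOW.get(v, set()) & lob) for v in lob)


def render_acl(vlan):
    """Render a VLAN's inbound policy as Cisco-style extended ACL lines
    (illustrative syntax; assumption, not tested on a real device)."""
    dst = ZONES[vlan]
    lines = [f"permit ip {ZONES[z].network_address} {ZONES[z].hostmask} "
             f"{dst.network_address} {dst.hostmask}"
             for z in sorted(INBOUND_ALLOW.get(vlan, set()))]
    lines.append(f"deny ip any {dst.network_address} {dst.hostmask}")
    return lines


# Constructed sample flows: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.100.1.20", 445),     # DC -> payroll server (SMB): permitted
    ("10.20.0.9", "10.100.2.30", 135),     # admin workstation -> billing (RPC mapper): permitted
    ("10.100.1.20", "10.100.2.30", 445),   # payroll -> billing: LOB-to-LOB, denied
    ("10.200.0.7", "10.100.1.20", 445),    # VPN client -> payroll: the infected-laptop case, denied
    ("10.200.0.7", "10.20.0.9", 139),      # VPN client -> admin workstation: denied
    ("10.100.1.21", "10.100.1.20", 1026),  # two hosts inside the payroll VLAN: not filtered
    ("192.168.5.5", "10.100.1.20", 445),   # unknown source space: denied
]

if __name__ == "__main__":
    for src, dst, port, verdict, rpc in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:6} {src:>13} -> {dst}:{port}{'  (RPC)' if rpc else ''}")
    print("LOB VLANs isolated from each other:", lob_vlans_isolated())
    print("\n".join(render_acl("lob_payroll")))
```

The point of the model is that the VPN pool is simply absent from every allowlist, so a compromised VPN client can still reach whatever the VPN concentrator exposes but cannot open RPC or SMB to a LOB VLAN; the intra-VLAN case shows the limit of the control, since hosts inside one VLAN remain reachable from each other and still need the host firewall and the patch.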

From: Kennedy, Jim [mailto:[EMAIL PROTECTED]
Sent: Friday, 24 October 2008 8:42 AM
To: NT System Admin Issues
Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned

Prior to me being here this district ignored Code Red. They got nailed bad and 
had to shut down for a week and go re-image 3000 computers. Feel free to quote 
me on that if you need to :)
From: Ziots, Edward [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2008 5:28 PM
To: NT System Admin Issues
Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned

I work at a hospital too, and this situation is an "ohh well, take NO for an 
answer"; I have run it all the way to the top here and said it's getting done. I 
don't care about the downtime, it's better to swallow the pill now than clean up 
the mess later.

I also come in early in the mornings (like 3:00am or earlier to patch my systems 
each month).

So I feel your pain.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505
________________________________
From: Chinnery, Paul [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2008 5:26 PM
To: NT System Admin Issues
Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned

Must be nice. I work in a hospital, so all of the clinical PCs are always on. 
The only thing we could do was to set up the reboot for 3:30 AM (the same time 
that I or my buddy have to do a real early shift to install patches and reboot 
servers).

________________________________
From: Tim Vander Kooi [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2008 11:16 AM
To: NT System Admin Issues
Subject: RE: Out of Cycle Critical Windows Patch to be released today, stay tuned

And it does require a reboot after install. I hate when out of cycle patches 
require reboots. I prefer when my users don't know.


From: Ziots, Edward [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2008 6:28 AM
To: NT System Admin Issues
Subject: Out of Cycle Critical Windows Patch to be released today, stay tuned
Importance: High


Heads up gang, more patching for this month; this one is out of cycle and critical. 
No additional information yet.

Z
