RE: Re: Microsoft Security, baby steps ?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 18 Mar 2004 23:13:42 +1300
"Full-Disclosure" <fd () weevers net> wrote:
> In a corporate environment, you will have SUS or SMS running.
> If so, no need for internet access.
But you need general network access to get to those machines, thereby
breaking the "no general network access until secure" rule. You could
have a second SUS/SMS setup mirroring the configs off the general
network ones and only allow that to synch off the general one when the
test/setup network is not being used for anything else _and_ no
"unfinished" boxes are attached to the test/setup network.
Also, in other "institutional" environments that are not strictly
"corporate" that distinction can be _very_ hard to meet for such a
setup (e.g. universities and the like).
> If you don't have this, just place a firewall on the box, or before the
> How hard can this be? You do it the same way, as you would do before
> would patch debian/*bsd/gentoo/etc/etc/etc.
It's easy to decide the level of exposure _you_ are comfortable with,
and I was not saying that everyone should do it that way, just that that
was a valid set of restrictions to have to work under.
> There is no real problem here. Don't blame Microsoft if you can't come
> up with solutions to simple security "problems".
I was not blaming them for that. I was blaming them for their own
failure (much like yours) to think outside their own level and realm of
experience and/or their failure (much like yours) to acknowledge that
there could be situations where the solution they were comfortable with
was not acceptable.
Think outside the box dude -- oh wait, it seems you cannot see it, so I
guess that is asking too much of you...
Full-Disclosure - We believe in it.