Email back to that instructor and make sure that he/she is teaching with
the latest info... Win2k3 is vastly different than Win2k in it's
threat/risk/attack status.. etc. etc..
Sorry that's a "can"... 2000's can be attacked from anon connections....
the detail is in the security bulletins (and remember today is patch
Tuesday.. in about an hour.. turn towards Redmond and bow...)
Example...Microsoft Security Bulletin MS06-025: Vulnerability in Routing
and Remote Access Could Allow Remote Code Execution (911280):
http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx
Win2000 is "critical", Windows 2003 is "important"
On Windows XP Service Pack 2 and Windows Server 2003 systems, an
attacker must have valid logon credentials and be able to log on locally
to exploit this vulnerability. The vulnerability could not be exploited
remotely by anonymous users or by users who have standard user accounts.
However, the affected component is available remotely to users who have
administrative permissions.
*Who could exploit the vulnerability?*
On Windows 2000 Service Pack 4 and Windows XP Service Pack 1, any
anonymous user who could deliver a specially crafted message to the
affected system could try to exploit this vulnerability. In order to
exploit the vulnerability on Windows XP Service Pack 2 and Windows
Server 2003, an attacker must have valid login credentials to a target
system.
Murad Talukdar wrote:
The question arose in my mind during a recent SANS course where the
instructor bemoaned the fact that the EVERYONE group was just that-EVERYONE.
Now the caveat mentioned that the EVERYONE group is more secure than it USED
to be was not mentioned(I don't think think it was and I can't find it in
the SANS coursework either). It became highlighted this week as I'm setting
up some new software distro points. Which just shows me that things change
all the time and no-one can keep up with everything.
Sorry Susan-I got confused here;
Look at the last batch of patches and while the 2000's can' be nailed
from anon connections
can' or can't? Didn't know if a 't' got missed off here.
Regards
Murad Talukdar
-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Tuesday, July 11, 2006 2:47 AM
To: 'Jeffrey Wei'; focus-ms@securityfocus.com
Cc: talukdar_m@subway.com
Subject: RE: DACLS for software distribution points...
Domain Users != Authenticated Users. If you use Domain Users for the DACL,
users (and computers) from any other domain in the forest will not be able
to access the share. In a single-domain environment or when you only want
one domain to be able to access the share, this is fine, but otherwise,
using Authenticated Users may be a better approach.
Having said that, we've had many, many discussions on this list about the
exact differences between the Everyone group and the Authenticated Users
group, and the reality is very likely that you're just increasing your
maintenance without increasing security, depending on the composition of the
domain in question (e.g., Win2K3 versus Win2K versus NTSP4+ versus NTSP4-,
etc.). The difference between the two groups may simply be the built in
Guest account and nothing else.
Laura
-----Original Message-----
From: Jeffrey Wei [mailto:jeffrey.wei@cubic.com]
Sent: Thursday, July 06, 2006 6:29 PM
To: focus-ms@securityfocus.com
Cc: talukdar_m@subway.com
Subject: RE: DACLS for software distribution points...
What I normally do is remove the "Everyone" and replace it
with "Domain Users".. which in itself means that it will have
to be authenticated users before they can read file folders only.
Not sure how everyone else does it?
Jeffrey Wei
-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: Wednesday, July 05, 2006 6:02 PM
To: focus-ms@securityfocus.com
Subject: DACLS for software distribution points...
Hi all,
MS says in this article that the DACLS for software
distribution points should be EVERYONE: READ and
Administrator: Full Control, Change, Read.
http://technet2.microsoft.com/WindowsServer/en/Library/45a873d
d-660d-4de
6-aa
c4-8a03974796121033.mspx?mfr=true
Why shouldn't the EVERYONE be removed and replaced with
Authenticated Users?
I was thinking of doing this and can't really see any adverse impact.
Kind Regards
Murad Talukdar
--------------------------------------------------------------
----------
---
--------------------------------------------------------------
----------
---
---
[This E-mail scanned for Spam and Viruses by
http://www.innovationnetworks.ca]
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will
hunt you down...
http://blogs.technet.com/sbs
---------------------------------------------------------------------------
---------------------------------------------------------------------------
