
| Subject: | RE: Cisco Security Response: Mitigating Exploitation of the MS06-040 Service Buffer Vulnerability |
|---|---|
| Date: | Wed, 16 Aug 2006 13:09:54 -0700 |
We have SSL VPN (SVC, Tunneling) remote users that establish sessions with our corporate network. They need the ability to map drives to servers once the session is established. In order to map drives, TCP ports 139 and 445 must be open, and therein lies the problem: I cannot filter these ports. Cisco's ASA Secure Desktop allows me to check for the presence of service packs and any registry entry on the remote client PCs and can restrict access if they are not installed.
I have not yet played with Cisco's ASA endpoint-audit functionality, so I can't speak to that directly. However, be *very* careful in trusting registry entries only as a check of whether or not a patch is installed. If you're relying on Microsoft/Windows Update as your patching system, there are a number of scenarios in which the registry entry for an update is created, but the patch itself is not installed (as many of us learned to our torment during Blaster) -- and of course, the registry doesn't indicate whether the system has been rebooted since the patch was applied.

And even if Microsoft has improved the validity of the reg key (I haven't checked in a year or so), registry keys related to updates are *not* guaranteed to survive the application of new service packs, which can wreak havoc with your infrastructure whenever they get around to creating new SPs for your operating systems. At the time XP SP2 was released I was working for a company that sells an endpoint enforcement system. One of our large customers used reg keys for their patch checks. They did in fact knock a large subset of their end users offline, because SP2 removed a bunch of reg keys they were checking.

It's more labour intensive, but my vote for the best "easy" way to check for patches is to check file versions. YMMV. Even more effective is a mechanism to validate the file versions *and* the version running in memory, but that's a lot more work.

HTH

-- tbird
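As an added illustration of the file-version check tbird recommends (this is example code written for this page, not anything from the thread or from Cisco's endpoint audit), the script below compares a binary's on-disk version against the minimum version a bulletin lists, shows the registry-key check beside it for contrast, and reports whether a reboot is still pending. The DLL path and minimum version are placeholders to be filled from the relevant bulletin's file table.

```powershell
# Added example: verify a patch by file version rather than by registry key.
# $Path and $MinimumVersion are placeholders; take both from the bulletin.
function Test-PatchByFileVersion {
    param(
        [Parameter(Mandatory)][string]$Path,           # binary the update replaces
        [Parameter(Mandatory)][version]$MinimumVersion # version listed in the bulletin
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Installed = $null
                                  Required = $MinimumVersion; Patched = $false
                                  Reason = 'file missing' }
    }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # FileVersion is free-form text; build a comparable [version] from the numeric parts.
    $installed = [version]("{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                 $vi.FileBuildPart, $vi.FilePrivatePart)
    $ok = $installed -ge $MinimumVersion
    [pscustomobject]@{
        Path      = $Path
        Installed = $installed
        Required  = $MinimumVersion
        Patched   = $ok
        Reason    = if ($ok) { 'file version meets minimum' } else { 'file version below minimum' }
    }
}

# The weak check the reply warns about, kept for contrast: the key existing says
# nothing about whether the replaced files are actually on disk.
function Test-PatchByRegistryKey {
    param([Parameter(Mandatory)][string]$KeyPath)   # e.g. an HKLM:\ uninstall key (placeholder)
    Test-Path -LiteralPath $KeyPath
}

# A replaced file is not necessarily the one in memory until the host reboots;
# PendingFileRenameOperations is set while file replacements are still queued.
function Test-RebootPending {
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $null -ne (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

# Usage (placeholders): the result object is what an endpoint check would act on.
$result = Test-PatchByFileVersion -Path "$env:SystemRoot\System32\PLACEHOLDER_FROM_BULLETIN.dll" `
                                  -MinimumVersion '0.0.0.0'
$result | Format-List
"Reboot pending: $(Test-RebootPending)"
```

Run it elevated on the endpoint; a Patched value of $false, or Reboot pending of $true, is the condition an access-control decision should key on instead of the bare registry entry.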