In a related topic, MS released another tool set today to help admins secure their boxen...
The rest of this comment is from the NTBugTraq newsgroup:
Microsoft have today announced a suite of initiatives intended to
address the issues their customers face from the threat of Worms and
other malcode like Nimda and Code Red.
About time.
I've been assured that substantial resources have been allocated to
this new effort, but one has to wonder just who was consulted in
coming up with what this program involves (if you were, drop me a
line.)
Announced today was the "Microsoft Security Tool Kit";
This "Greatest Hits" CD or network download contains all of the
things you should already have;
- - Latest Service Packs for OS, IIS, and IE.
- - Security Checklists for NT, W2K, and IIS.
- - A W2K-SP2 Deployment guide (the Update.msi section is worth reading
if you have an Active Directory environment and use Group Policies)
- - An NT 4.0-SP6a Deployment guide for SMS.
- - IE Deployment guides.
- - Several individual Hotfixes required for NT 4.0 Terminal Server
(even though they are included in the NT 4.0 SRP)
- - IIS Lockdown Tool
- - URLScan
- - HFNetchk
- - Critical Update Notification 3.0 (only applies to W98/W2K according
to the referenced KB article)
- - QChain
There's a difference between the download and the CD. According to
the announcement page, "It (CD) includes automation scripts to
quickly install all the security hotfixes recommended in the kit.",
but the CD may take from 3 to 6 weeks to arrive.
I was told there would also be a "Bootstrap Client for Windows
Update" within this package somewhere, but if its just the Critical
Update Notification 3.0 tool then its not a "Bootstrap Client" in the
sense I thought it was.
While there are additional things planned, the biggest thing missing
at this stage is a re-release of the NT 4.0 Option Kit CD which
contains;
1. Patched version of IIS 4.0 (one that's not vulnerable out of the
box)
2. Patched versions of MDAC
3. Modifications to the samples to eliminate RDS
4. Modified default installation that doesn't install in a way known
to be exploitable
5. Modified Setup program that doesn't re-install removed script
mappings and other components after the user has manually removed
them (since that's what many people have done to protect themselves)
In addition, what is desperately needed is some way to do the
following;
a) Probe your internal network to identify IIS installations (this
can be done with HFNetchk, but working with its output is no fun)
b) Completely remove the IIS installation on command (remotely!), or
render it stopped
c) Query the IIS installation and alter it, removing RDS keys,
updating MDAC, patching it, disabling/scripts, tightening
permissions, etc...
d) Report results in a comprehensive fashion
I don't know about the rest of you, but many people have thousands of
IIS boxes to deal with. While Microsoft does sell SMS, if you used
Ghost to distribute your installations it hardly seems reasonable for
MS to expect you to purchase SMS to secure what you thought was a
reasonable installation.
If you have more than 1000 hosts under your control, send me your
suggestions for the best product/method used to get patches and
service packs out.
Given that this whole initiative, supported at the highest levels in
Microsoft, is designed in response to Worms that required the
touching of every machine in your organization, the first thing out
the door should've been something that made that problem less
onerous.
There are plans in the works (for Q2-2002) for an internal version of
Windows Update. I've been calling for this with Microsoft for eons
now, and while its great they have finally been hit with the clue-bat
it seems ridiculous that its going to be 6 months plus before we see
it. Such a tool would allow Network Administrators to rely on the
client's Windows Update component to provide fixes (fixes decided on
by the Network Administrator). In addition, a new feature in that
client (still some 3 months out) allowing it to be setup to allow
automatic updates (a push mechanism), would give you a way to push
out a fix quickly to all clients.
Again, about time!
Also coming out of all of this was news that Windows 2000 SP3 is not
likely to ship this year.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
While the Borg references are clear in this essay, really the only way a global OS like this could work is with gigabit to the home.
That's the only way you could shuffle data (I'm thinking large files you may want that don't reside locally, and chances are, they wouldn't) fast enough to be useful...
And honestly, I don't see gigabit to the home any time in the near future. Do you?
If you are in Toronto... a not-for-profit charity called reBOOT Canada (Click Here to go to their site) will take ALL (even those 386's) of your hardware and refurbish it to be resold at cost to other non-profits and registered charities. They also have a retail store in a "less-fortunate" area of Toronto where a family can get a Pentium PC (good enough to do school work on, and email, etc.), keyboard, mouse, and monitor for about 40-50 bucks US.
If your machine is too old, too broken, or just plain crap it is sent to a recycler to be melted down into the various metals you can get from a PC (aluminum, iron, gold, etc.) They'll even pick it up if there's a bunch of it, and issue you a more than fair tax receipt for it's value. Worthwhile cause, for sure!
They also have other shops throughout Canada, so check out the site.
Why not let the game support decide which is the better box? Just more "If-it's-MS,-it's-gotta-be-bad" rhetoric on slashdot. It's called objectivity, people. Let the players decide what will be the better machine.
I believe I submitted a story suggestion this morning about the IBM/Nintendo tie-in... Friggin slashdorks...
Just venting my sour grapes... I'll get over it.
Re:my beautiful cock
on
Shirky On P2P
·
· Score: -1, Offtopic
I dunno about beautiful... a little deformed, for sure!
Until we can get rid of the nasty stigma Napster gave P2P...
The uneducated only think of P2P as a way to rip stuff off of the man. We need another P2P killer app to make the general populace fall in love all over again... Otherwise, any P2P app will get stomped all over.
Slashdot Mirror
(insert cheesy porn music here)"Pick up the phoooonnnneeee"
The rest of this comment is from the NTBugTraq newsgroup:
Microsoft have today announced a suite of initiatives intended to address the issues their customers face from the threat of Worms and other malcode like Nimda and Code Red.
About time.
I've been assured that substantial resources have been allocated to this new effort, but one has to wonder just who was consulted in coming up with what this program involves (if you were, drop me a line.)
Announced today was the "Microsoft Security Tool Kit";
Click here
This "Greatest Hits" CD or network download contains all of the things you should already have;
- - Latest Service Packs for OS, IIS, and IE.
- - Security Checklists for NT, W2K, and IIS.
- - A W2K-SP2 Deployment guide (the Update.msi section is worth reading if you have an Active Directory environment and use Group Policies)
- - An NT 4.0-SP6a Deployment guide for SMS.
- - IE Deployment guides.
- - Several individual Hotfixes required for NT 4.0 Terminal Server (even though they are included in the NT 4.0 SRP) - - IIS Lockdown Tool
- - URLScan
- - HFNetchk
- - Critical Update Notification 3.0 (only applies to W98/W2K according to the referenced KB article)
- - QChain
There's a difference between the download and the CD. According to the announcement page, "It (CD) includes automation scripts to quickly install all the security hotfixes recommended in the kit.", but the CD may take from 3 to 6 weeks to arrive.
I was told there would also be a "Bootstrap Client for Windows Update" within this package somewhere, but if its just the Critical Update Notification 3.0 tool then its not a "Bootstrap Client" in the sense I thought it was.
While there are additional things planned, the biggest thing missing at this stage is a re-release of the NT 4.0 Option Kit CD which contains;
1. Patched version of IIS 4.0 (one that's not vulnerable out of the box)
2. Patched versions of MDAC
3. Modifications to the samples to eliminate RDS
4. Modified default installation that doesn't install in a way known to be exploitable
5. Modified Setup program that doesn't re-install removed script mappings and other components after the user has manually removed them (since that's what many people have done to protect themselves)
In addition, what is desperately needed is some way to do the following;
a) Probe your internal network to identify IIS installations (this can be done with HFNetchk, but working with its output is no fun) /scripts, tightening
permissions, etc...
b) Completely remove the IIS installation on command (remotely!), or render it stopped
c) Query the IIS installation and alter it, removing RDS keys, updating MDAC, patching it, disabling
d) Report results in a comprehensive fashion
I don't know about the rest of you, but many people have thousands of IIS boxes to deal with. While Microsoft does sell SMS, if you used Ghost to distribute your installations it hardly seems reasonable for MS to expect you to purchase SMS to secure what you thought was a reasonable installation.
If you have more than 1000 hosts under your control, send me your suggestions for the best product/method used to get patches and service packs out.
Given that this whole initiative, supported at the highest levels in Microsoft, is designed in response to Worms that required the touching of every machine in your organization, the first thing out the door should've been something that made that problem less onerous.
There are plans in the works (for Q2-2002) for an internal version of Windows Update. I've been calling for this with Microsoft for eons now, and while its great they have finally been hit with the clue-bat it seems ridiculous that its going to be 6 months plus before we see it. Such a tool would allow Network Administrators to rely on the client's Windows Update component to provide fixes (fixes decided on by the Network Administrator). In addition, a new feature in that client (still some 3 months out) allowing it to be setup to allow automatic updates (a push mechanism), would give you a way to push out a fix quickly to all clients.
Again, about time!
Also coming out of all of this was news that Windows 2000 SP3 is not likely to ship this year.
Cheers, Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Glad I got to see it before then!
Now if only there were a Lego "holy hand grenade"...
And where the heck is Sir Robin???
That's the only way you could shuffle data (I'm thinking large files you may want that don't reside locally, and chances are, they wouldn't) fast enough to be useful...
And honestly, I don't see gigabit to the home any time in the near future. Do you?
If your machine is too old, too broken, or just plain crap it is sent to a recycler to be melted down into the various metals you can get from a PC (aluminum, iron, gold, etc.) They'll even pick it up if there's a bunch of it, and issue you a more than fair tax receipt for it's value. Worthwhile cause, for sure!
They also have other shops throughout Canada, so check out the site.
Why not let the game support decide which is the better box? Just more "If-it's-MS,-it's-gotta-be-bad" rhetoric on slashdot. It's called objectivity, people. Let the players decide what will be the better machine.
I believe I submitted a story suggestion this morning about the IBM/Nintendo tie-in... Friggin slashdorks...
Just venting my sour grapes... I'll get over it.
I dunno about beautiful... a little deformed, for sure!
Someone post a link, if they can remember...
Until we can get rid of the nasty stigma Napster gave P2P...
The uneducated only think of P2P as a way to rip stuff off of the man. We need another P2P killer app to make the general populace fall in love all over again... Otherwise, any P2P app will get stomped all over.