How to protect and NOT patch

Everyone aware that there is an issue with a unpatched vulnerability in DNS correct?


http://blogs.technet.com/msrc/archive/2007/04/13/more-information-on-microsoft-security-advisory-935964.aspx


Okay everyone aware that the attacks thus far have been on big Universities?


Okay, everyone aware that SBS IS a DNS server, DHCP server, Exchange server, Kitchen Sink server?


Okay, everyone aware that while this is something to be aware of, looking out for, given the fact that while most of us who fell in love with the RWW goodness of SBS have our port 4125 sitting there on our routers open in that range between 1000 and 5000, it also looks as “closed” from a grc.com scan because it only listens/opens up after someone authenticates on 443.



Even when I have someone authenticate and RWWing to the system, I’m still seeing the port closed:


One of the mitigation techniques says to “Block TCP and UDP port 445 as well as all unsolicited inbound traffic on ports greater than 1024.”.. remember though RWW is at 4125, and doesn’t accept unsolicited traffic…but just because we like to have a smidge of tinfoil and paranoia so lets keep reading that advisory and look at the other mitgation techniques. (Besides this is an excellent exercise in showcasing how mitigation provides you with lots of options) The risk as I see it is more from potentially infected client machines VPNing back into the network, not from remote.  At this time I don’t see any Blasterish/Slammerish thing built to take advantage of this.


Knowing that we have a lesser risk there is still no need to panic..but if you want to see how a smidge of mitigation NOW means you aren’t rushing to PATCH LATER then all you need to do is follow this post:


http://msmvps.com/blogs/bradley/archive/2007/04/13/vulnerability-in-rpc-on-windows-dns-server-could-allow-remote-code-execution.aspx


Disable remote management over RPC capability for DNS Servers through the registry key setting.


Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.


For information about how to edit the registry, view the “Changing Keys And Values” Help topic in Registry Editor (Regedit.exe) or view the “Add and Delete Information in the Registry” and “Edit Registry Data” Help topics in regedit.exe.


Note We recommend backing up the registry before you edit it.


1.

On the start menu click ‘Run’ and then type ‘Regedit’ and then press enter.

2.

Navigate to the following registry location:
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters”

3.

On the ‘Edit’ menu select ‘New’ and then click ‘DWORD Value’

4.

Where ‘New Value #1′ is highlighted type ‘RpcProtocol’ for the name of the value and then press enter.

5.

Double click on the newly created value and change the value’s data to ‘4’ (without the quotes).

6.

Restart the DNS service for the change to take effect.

http://msmvps.com/blogs/bradley/archive/2007/04/13/vulnerability-in-rpc-on-windows-dns-server-could-allow-remote-code-execution.aspx

 (screenshots are there)


No reboot.  Just a stop and restart of the DNS service.  If the patch later comes out you can sit there and go.. “you know.. I already HAVE protection so there is no need to go rushing to that server, disrupting my client”


The drawback?


If you are managing several DNS servers from one location you won’t be able to do so. (do many of us down in this space do that?)


Uh…. yeah…..when’s the last time you went into that DNS MMC snap in?  What year was it?  Do you even remember?  If it’s a typical SBS box… my guess is not that often at all. I can count on one hand the number of times I’ve been in that DNS MMC snap in here at home.  Most of the time the CEICW wizard takes care of it and then I’m managing the DNS of ONE server at a time.


Mitigation: Easy to do.  No reboot.  A registry key add, stop/restart DNS server service. 


Protection to our boxes:  Effective.  Gives a tad more warm fuzzy feeling.  Showcases how mitigation techniques gives you more options.  Proactive versus reactive.


Gives us the ability to have choices to NOT patch, not disrupt the client once the real patch is done: Priceless.


Keep in mind that this is MY risk analysis of the servers under MY control knowing what ports I have open from the outside and listening.  You need to evaluate for YOUR networks, YOUR risks, YOUR needs, YOUR paranoia and tinfoil level.

Comments are closed.

Post Navigation