Showing posts with label patch management. Show all posts

Tuesday, April 17, 2007

Microsoft DNS Vulnerability - Exploited!

If you didn't apply the registry hack on your Microsoft DNS servers yet (CERT VU#555920, Microsoft Security Bulletin #935964), now would be a good time. There is a known exploit available and in use. Apparently, the Rinbot worm is now using the exploit and it's been added to Metasploit. I'd expect to see attacks pick up rather than decrease at this point.

For the blissfully unaware, the exploit uses a buffer overrun to elevate privileges. Being a DNS attack, this can allow DNS poisoning, pharming, and DoS. Since most people put the DNS server on their domain controller, an attacker who compromises your DNS server is able to compromise your Active Directory. At that point, you are looking at a very bad situation and a minimum of one very long night.
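A quick way to verify that the workaround is in place on each server, as an added example that is not from the original post: the advisory's registry workaround creates the DWORD RpcProtocol with value 4 under the DNS service's Parameters key, which limits the RPC management interface to local calls. The script only reads that key; the key path and value are the advisory's, everything else is assumed for this example.

```powershell
# Added check (not from the original post): report whether the advisory 935964
# registry workaround is present. RpcProtocol = 4 restricts the DNS RPC
# management interface to local LPC so it is no longer reachable over the
# network. Caveats: the DNS service only reads the key when it starts, the
# setting also blocks remote administration with the DNS MMC snap-in, and the
# real patch should replace this once it ships.
$dnsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsRpcWorkaround {
    param([string]$Path = $dnsKey)
    if (-not (Test-Path $Path)) {
        return 'NOT A DNS SERVER: DNS service Parameters key not found'
    }
    $params = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $value = $params.RpcProtocol
    if ($null -eq $value) {
        return 'WORKAROUND NOT APPLIED: RpcProtocol not set, remote RPC management still enabled'
    }
    if ([int]$value -eq 4) {
        return 'WORKAROUND APPLIED: RpcProtocol = 4, RPC management restricted to local calls'
    }
    return "WORKAROUND NOT APPLIED: RpcProtocol = $value, remote RPC management still enabled"
}

# Show the service state as a reminder that the key is only read at service start.
$dnsService = Get-Service -Name DNS -ErrorAction SilentlyContinue
Test-DnsRpcWorkaround
if ($dnsService) { "DNS service state: $($dnsService.Status)" }
```

Run it on each DNS server after the restart; a result of WORKAROUND NOT APPLIED on a server that has not yet received the patch is the one to fix first.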

Tuesday, April 10, 2007

RyanVM Integrator

OK, so I haven't spent a lot of time or energy creating an imaging system to rapidly deploy cloned PCs. When I started here, I thought it would be a must-have item. It actually hasn't been that important. The procedure so far has been to use a slipstreamed Windows XP Service Pack 2 CD to install the OS while offline, then use c't Offline Updater to patch the computer with the post-SP2 critical patches. Once that's done, I plug into the LAN and go to Microsoft Update to get the rest of the patches. A couple of software installs (anti-virus, Microsoft Office, Adobe Reader) from the NAS with one more MS Update hit (for Office patches) and we're off and running.

I think we can improve that system though and still not need to move to an imaging solution. That's where RyanVM Integrator comes in. From the site:

"This pack is designed to bring a Windows XP CD with SP2 integrated fully up to date with all of the latest hotfixes released by Microsoft since SP2's release. It accomplishes this task via direct integration, where files on the CD are directly overwritten by the updated files."
The beauty of this system is that there is zero lag time between installing the OS and installing patches. They are installed simultaneously with the OS! This saves:
  • time by installing files once, rather than installing them then overwriting them with patches,
  • space by not needing to download patches and extract them,
  • headaches by providing a secure OS from the moment of installation.
TechRepublic has a nice how-to article, so I won't bore you with the details of how to set the Integrator up.

The post-SP2 update pack, which includes the patches released after SP2, seems to lag behind Microsoft's patches slightly. As of today, the latest RyanVM pack (version 2.1.8) is dated 3/20/2007. That misses the .ANI fix and the patches that came out yesterday. I think that it might not hurt to run this in conjunction with c't. So, here's my new procedure:
  1. Install the integrated Windows XP,
  2. Run c't Offline Updater,
  3. Plug into LAN,
  4. Install software,
  5. Go to Microsoft Updates for the latest Office updates.
What do you think? Do you have any improvements on that practice?

Tuesday, April 3, 2007

Microsoft Emergency Patch Released

Microsoft has released an unscheduled patch to fix several critical vulnerabilities. Do not wait. Go now and patch your systems. (If you've been following this blog, then you can do it from home!)

Oh, and don't worry, apparently Patch Tuesday is still on schedule so you won't be bored next week!

Wednesday, March 14, 2007

Windows Server 2003 SP 2, Part 2 (So Far, So Good)

I got SP2 installed, as promised. Only one weird thing in the Application Log, an Event ID 5603 complaining about RSOP Planning Mode Provider running as a Local Service. KB915148 says this is normal behavior for SP1 and XP SP2, so I'm thinking all is well in update land.

I'd stay and chat, but I've got four more servers to update!

Windows Server 2003 SP2 Released!

Maybe the reason there weren't any patches from Microsoft this week is because they were gearing up to release Service Pack 2 for Windows Server 2003.

I'm just downloading now. I have a server to test it on tonight. I'll let you know how it went!

Wednesday, March 7, 2007

c't Offline Update Project

The problem with a fresh install of Windows is that you can't safely hook the computer up to the Internet until it has all of the security patches, but you also can't get the security patches until you hook up to the Internet. In the past, I've hooked machines up and raced to Microsoft Update, praying that the updates take before the crackers find the computer.

The Solution

c't Offline Update Project (German page, English translation) is a collection of scripts that locates Critical and Security updates from Microsoft Update and downloads them to your PC. It then creates an ISO with the scripts and patches which you can burn to create your offline patch CD.

You can now install Windows on a computer and leave the network cable unplugged. Once Windows is installed, you can insert the c't Offline Update Project CD into the computer. The script autoruns, you click START, and then you can walk away. The scripts take care of finding what patches are needed, installing the needed patches, and rebooting the computer (as many times as necessary). When it's all done, a report appears on the screen to tell you what patches were installed and any problems that may have occurred.

In my experience, this not only gives you a more secure computer to go out and get the rest of your patches but it also patches more quickly. Without having to go online, check for patches, download, install, reboot, and repeat a few times, it shaves at least 30 minutes off of my prep time (note: I haven't actually timed that, YRMV).

Friday, March 2, 2007

Patch Management With WSUS

Q: How do you maintain the patches on your Windows PC?

A: You don't. Get Microsoft to do it for you.

Windows Server Update Services
WSUS is a free download from Microsoft that installs on a Windows 2000 or 2003 server in an Active Directory domain. If you are running Windows Server 2003, sign up for the release candidate of WSUS 3.0. It sounds like the reporting and administrative aspects have greatly improved. Unfortunately, I won't have a 2003 server to try this on until summer. I'm making do with 2.0.

Installation is easy. You'll need IIS installed on your server, then install MS SQL. For Windows 2000, you'll need MSDE Release A. For Server 2003, you'll need MS SQL 2005 (the Express version will work). Run the IIS Lockdown tool to harden your web server.

Once everything is set up, WSUS will use AD to find all the Windows computers in your domain. It then checks each computer for Microsoft patches. It lists all installed and missing patches for each computer. It also lists patches that failed to install. All patches can be allowed or denied by you, so you can block patches until you have had a chance to evaluate them.

I tried using ScriptLogic's DesktopAuthority patch management option. The big problem there was that patches could not be scheduled to occur overnight. Patching only occurred when people were logging in or logging out. This is a big problem in a school environment where students are logging in and out all day long. Some of the patches took so long to install that the class was over before anyone was able to use the computer. The best feature (IMHO) of WSUS is the scheduling of updates. I can have the computers patch overnight and the computers are ready to go when classes start in the morning.
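To confirm on a client that the group policy actually took, here is an added example (not from the original post) that reads the Automatic Updates policy keys WSUS clients use and reports whether the machine is pointed at the WSUS server and whether installs are scheduled overnight rather than at logon. The WSUS URL and the overnight hour window are assumptions for this example.

```powershell
# Added example (not from the original post): check that a domain client is
# pointed at the WSUS server and that Automatic Updates installs on a schedule
# instead of waiting for a logon/logoff. The server URL and the "overnight"
# window are assumptions for this example; adjust them to your site.
$expectedServer = 'http://wsus.example.local'   # assumed WSUS URL
$nightStart = 1                                  # assumed overnight window, 01:00 ..
$nightEnd   = 5                                  # .. 05:00

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
$days  = @('every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday')

function Get-WsusClientStatus {
    if (-not (Test-Path $wuKey)) {
        return @('WARN: no WindowsUpdate policy key; this client is not managed by the WSUS group policy')
    }
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = $null
    if (Test-Path $auKey) { $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue }
    $report = @()

    # 1. Where do updates come from? UseWUServer=1 plus WUServer redirects the
    #    client from Microsoft Update to our WSUS server.
    if ($au.UseWUServer -eq 1 -and $wu.WUServer -eq $expectedServer) {
        $report += "OK: updates come from $($wu.WUServer)"
    } else {
        $report += "WARN: WUServer='$($wu.WUServer)', UseWUServer='$($au.UseWUServer)' (expected '$expectedServer', 1)"
    }

    # 2. AUOptions 4 = auto download and schedule the install. Other values
    #    leave the install to whoever happens to be logged on.
    if ($au.AUOptions -eq 4) {
        $day  = $days[[int]$au.ScheduledInstallDay]     # 0 = every day, 1..7 = Sun..Sat
        $hour = [int]$au.ScheduledInstallTime           # 0..23, local time
        $when = '{0} at {1:00}:00' -f $day, $hour
        if ($hour -ge $nightStart -and $hour -le $nightEnd) {
            $report += "OK: installs scheduled $when"
        } else {
            $report += "WARN: installs scheduled $when, outside the overnight window"
        }
    } else {
        $report += "WARN: AUOptions='$($au.AUOptions)' (4 needed for scheduled installs)"
    }
    return $report
}

Get-WsusClientStatus
```

A lab PC that reports WARN on either check is one that will still be installing patches when the first class walks in.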

So, there's another free offering that you really need to take advantage of in order to keep control of security in your organization. Hopefully, I'll be able to do a write-up on version 3.0 this summer.