Pay It Forward: Unorthodox patching techniques

Yes, ‘pay it forward’ was originally a week-long deal, but it is a lot of fun and turned out to be pretty successful so I’ve made it a permanent fixture of the site.

This month’s security bulletins from Microsoft include a bulletin and patch for a vulnerability in the Server service. The Server service is enabled by default, and on file and print servers it is a critical service that can be neither firewalled nor disabled.

Therefore I have recommended to the IT teams where I work to patch laptops first, servers second, and workstations last, which is 180 degrees from what is normally recommended. The thinking behind this is that a worm will most likely be brought into the network by a compromised laptop (ours or a visitor’s). Once the worm is inside our network, if it compromises servers, it has the potential to impact many users and cause much more financial damage than if even several dozen individual workstations get owned.

When a server is compromised, data availability and integrity are in question. Since it is a central point for many workstations, it is also a great location from which to spread further evil through file shares, etc. Also consider the trust relationship between server and workstation: workstations usually implicitly trust servers, so those lines of communication aren’t routinely filtered.

In cases like MS06-04, in which a critical service is vulnerable, you need to evaluate and prioritize your risks very carefully. Would you rather have your help desk scrambling to re-image workstations, or have engineers scrambling to take your file servers offline for forensics, system recovery and then data recovery? This isn’t necessarily radical thinking, but folks tend to get into ruts and stick with what has always worked. ‘In the past we’ve always patched workstations and laptops first and servers last, after a long and meticulous testing process.’ Great! Keep on keepin’ on. But don’t put on blinders and lose touch with reality. When warranted, you need to be prepared to modify your processes so that you address the problem appropriately.

Lastly, it’s always very important to have defense-in-depth. Solid firewall rules, network IPS devices, host IPS applications (especially on laptops), GPOs to firewall workstations, network access control, effective patch management, etc. will all help prevent a major outbreak on your network. If one system fails, you have three more to back it up.
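As an added illustration of the ‘firewall the workstations’ layer mentioned above (this is example code, not from the original post), the script below creates host-firewall rules on a workstation or laptop that block inbound connections to the ports the Server service listens on (TCP 445 for SMB and TCP 139 for NetBIOS session service, which is my own knowledge rather than something the post states), then verifies the rules exist. It uses the standard NetSecurity cmdlets that ship with modern Windows; in a domain you would push the same rules through a GPO rather than run this per machine. The rule names are my own choice. Do not apply this to file and print servers, since, as the post says, the Server service there cannot be firewalled.

```powershell
# Added example: block inbound Server service (SMB/NetBIOS) traffic on endpoints
# that do not need to share files, as one defense-in-depth layer.
# Requires an elevated PowerShell session. Run only on workstations/laptops.

# Rule definitions (names are placeholders chosen for this example).
$rules = @(
    @{ Name = 'Block Inbound SMB (TCP 445)';     Port = 445 },
    @{ Name = 'Block Inbound NetBIOS (TCP 139)'; Port = 139 }
)

foreach ($r in $rules) {
    # Skip creation if a rule with this name already exists (idempotent re-runs).
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name `
                            -Direction Inbound `
                            -Protocol TCP `
                            -LocalPort $r.Port `
                            -Action Block `
                            -Profile Domain,Private,Public `
                            -Enabled True | Out-Null
        Write-Host "Created rule: $($r.Name)"
    }
    else {
        Write-Host "Rule already present: $($r.Name)"
    }
}

# Verification: every rule should be Enabled and have Action = Block.
$bad = foreach ($r in $rules) {
    $fw = Get-NetFirewallRule -DisplayName $r.Name
    if ($fw.Enabled -ne 'True' -or $fw.Action -ne 'Block') { $r.Name }
}

if ($bad) {
    Write-Warning "Rules not in expected state: $($bad -join ', ')"
}
else {
    Write-Host 'All inbound Server-service block rules are active.'
}
```

If a laptop legitimately needs to accept SMB connections on the corporate network only, scope the rule with `-Profile Private,Public` instead so it blocks only on untrusted networks; the point is that the exposure of the vulnerable service is reduced on the machines most likely to carry a worm in.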


HEY! No fair! You didn’t warn me you were going to start up again!

LOL, sorry. I just decided when I was trying to think of a title for the post.