[70178] in North American Network Operators' Group
RE: FW: Worms versus Bots
daemon@ATHENA.MIT.EDU (Smith, Donald)
Tue May 4 12:21:34 2004
Date: Tue, 4 May 2004 10:20:52 -0600
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: "Sean Donelan" <sean@donelan.com>
Cc: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
Sean, thanks. I just reread the XP SP2 details and you're right: SP2 starts the
firewall SOONER during boot (like before it starts
most network services :-)
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnwxp/html/securityinxpsp2.asp
Boot time security. In earlier versions of Windows there is a window of
time between when the network stack started and when ICF provided
protection. Consequently, a packet could have been received and
delivered to a service without ICF filtering it, potentially exposing
the computer to vulnerabilities. In SP2, the firewall driver has a
static rule called a boot-time policy to perform stateful filtering.
This will allow the computer to perform basic networking tasks such as
DNS and DHCP and communicate with a Domain Controller to obtain policy.
Once the firewall service is running, it will load and apply the
run-time ICF policy and remove the boot-time filters. This change should
increase system security without affecting applications.
Donald.Smith@qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
kill -13 111.2
> -----Original Message-----
> From: Sean Donelan [mailto:sean@donelan.com]
> Sent: Tuesday, May 04, 2004 8:55 AM
> To: Smith, Donald
> Cc: nanog@merit.edu
> Subject: RE: FW: Worms versus Bots
>
>
> On Tue, 4 May 2004, Smith, Donald wrote:
> > If you follow these steps outlined by SANS you should be able to
> > successfully update and NOT get infected. This is short,
> > easy, fully
> > documented (with pictures :)
> > http://www.sans.org/rr/papers/index.php?id=1298
>
> The risk is smaller, but still exists if you follow these
> directions for XP pre-SP2. See the Microsoft release notes
> for XP SP2 for details about the fix.
>
> If you do not have XP SP2, you need to disconnect your
> computer from the network prior to every boot cycle until it
> is fully patched.
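The boot-window exposure the two messages above are discussing, as an added example that is not part of the thread and not Microsoft's code: a toy stateful packet filter with a "boot-time policy" that only lets locally initiated DNS/DHCP/Domain Controller traffic (and its replies) through, which is then replaced by a run-time policy once the firewall service is up. The set of ports treated as "basic networking" (BOOT_TIME_OUTBOUND), the DHCP special case, the addresses and the sample traffic are all constructed assumptions for the illustration, not taken from the SP2 documentation.

```python
# Added example (not from the thread, not Microsoft's implementation):
# a toy model of a boot-time stateful filter versus the pre-SP2 unfiltered
# boot window. Port sets and traffic below are constructed assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True if arriving from the network


# ASSUMPTION: what "DNS, DHCP and a Domain Controller" amounts to as
# remote ports a booting host may open connections to: DNS, DHCP server,
# Kerberos and LDAP.
BOOT_TIME_OUTBOUND = {("udp", 53), ("tcp", 53), ("udp", 67),
                      ("udp", 88), ("tcp", 88), ("tcp", 389), ("udp", 389)}


@dataclass
class StatefulFilter:
    boot_time: bool = True
    # Run-time inbound exceptions as (proto, local port); empty until the
    # firewall service loads its policy.
    inbound_exceptions: set = field(default_factory=set)
    # Flows opened from this host: (proto, local_ip, lport, remote_ip, rport)
    flows: set = field(default_factory=set)

    def handle(self, pkt: Packet) -> str:
        """Return "allow" or "drop" for one packet, updating flow state."""
        if not pkt.inbound:
            if self.boot_time and (pkt.proto, pkt.dport) not in BOOT_TIME_OUTBOUND:
                return "drop"      # boot-time policy: basic networking only
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound reply to a flow this host opened: allowed (stateful match).
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        # DHCP offers come from 67 to 68 and may be broadcast, so they never
        # match the outbound 5-tuple; allow them explicitly (assumption).
        if pkt.proto == "udp" and pkt.sport == 67 and pkt.dport == 68:
            return "allow"
        # Unsolicited inbound reaches a listening service only via a
        # run-time exception; during boot there are none.
        if not self.boot_time and (pkt.proto, pkt.dport) in self.inbound_exceptions:
            return "allow"
        return "drop"

    def load_runtime_policy(self, exceptions):
        """Firewall service is running: replace boot-time filters with run-time policy."""
        self.boot_time = False
        self.inbound_exceptions = set(exceptions)


class NoFilter:
    """Pre-SP2 boot window: network stack is up, ICF is not yet filtering."""

    def handle(self, pkt: Packet) -> str:
        return "allow"


def run(policy, packets):
    return [policy.handle(p) for p in packets]


# Constructed boot-window traffic: a DNS query and its answer, then an
# unsolicited connection attempt from the Internet to TCP/445.
ME, DNS, ATTACKER = "10.0.0.5", "10.0.0.1", "198.51.100.7"
BOOT_TRAFFIC = [
    Packet("udp", ME, 1025, DNS, 53, inbound=False),
    Packet("udp", DNS, 53, ME, 1025, inbound=True),
    Packet("tcp", ATTACKER, 40000, ME, 445, inbound=True),
]


def compare_boot_window():
    """Decisions for the same traffic with no filter and with the boot-time policy."""
    return {
        "pre_sp2": run(NoFilter(), BOOT_TRAFFIC),
        "sp2_boot_time": run(StatefulFilter(), BOOT_TRAFFIC),
    }


if __name__ == "__main__":
    for name, decisions in compare_boot_window().items():
        print(name, decisions)
```

The point of the comparison is the third packet: with no filter it is delivered to whatever is listening on 445 before any patch or policy is applied, while the boot-time policy drops it because nothing on the host initiated that flow. Only after load_runtime_policy() is called can an explicit exception open an inbound port, which is the "remove the boot-time filters" step in the Microsoft text.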