Pantek Library

RE: SUS server

From: Depp, Dennis M. <deppdm(at)ornl.gov>
Date: Thu Apr 10 2003 - 11:28:21 EDT


Bill,

I consider a DMZ to be where outside users interact with my server. The SUS server does not meet this definition. I can understand not allowing your DMZ to talk with anyone else. Consider the following scenario. You have a machine in your DMZ which gets hacked. (We won't worry about how.) One of the first things a hacker will often do is announce the machine's availability to other hackers. They may use this machine as a launch pad to attack other machines. The announcements or attacks require initiating a connection from your DMZ. Preventing these connections eliminates these follow-on attacks. I assume your PCs can talk with the internet. Correct? If so, then placing your SUS server on the same network as your PCs will allow the SUS server to connect to the Windows Update site for updates.

Dennis

-----Original Message-----
From: Bill Mote [mailto:bill.mote@mem.com]
Sent: Thursday, April 10, 2003 8:33 AM
To: Depp, Dennis M.; focus-ms@securityfocus.com

Dennis,

Thanks for the reply. My problem, however, is not with talking to my DMZ; it's letting my DMZ talk anywhere else. Right now that's not allowed for any reason. Nor can my dB network talk "in" to my network.

Is your fear that the SUS server on the DMZ could be compromised and thus provide bad patches?

Bill


-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
Sent: Wednesday, April 09, 2003 3:15 PM
To: Bill Mote; focus-ms@securityfocus.com
Subject: RE: SUS server

Bill,

I would probably NOT place my SUS server in the DMZ. Instead I would place it on my PC network. The SUS server pulls the information from the Microsoft update site. This places it similar to a client PC accessing Windows Update. Because SUS uses a pull technology, you can limit the firewall exceptions to connections the SUS server initiates. This then limits all your PCs having to regularly access the DMZ to get updates from the SUS server.

Dennis

-----Original Message-----
From: Bill Mote [mailto:bill.mote@mem.com]
Sent: Wednesday, April 09, 2003 2:48 PM
To: focus-ms@securityfocus.com

Where in my network should I place the SUS server? It seems to me the logical place would be the DMZ as I want to use this server to patch my workstations, laptops, and my servers.

Everything inside my network can talk to the DMZ, but the inverse is not true. The DMZ can only talk to the DB network on the DB protocol. Neither the DMZ nor the DB network can talk to our internal LAN at all. The DB network and the LAN can talk to machines in the DMZ though.

BM


-----Original Message-----
From: Brian W. Spolarich [mailto:bspolarich@nephrostherapeutics.com]
Sent: Monday, April 07, 2003 2:31 PM
To: Thane Walkup; focus-ms@securityfocus.com
Subject: RE: SUS server

Thane Walkup wrote:
> One VERY good reason not to run SP3 is possible HIPAA and 21CFR11
> regulation issues - since the license for SP3 technically gives
> Microsoft unfettered access to your PC, any company under those
> regulations could be in violation of those regulations.
>
> This affects just about any medical facility.

  One can configure the SUS client to point at an internal SUS server via Active Directory GPOs. I suspect that if you point it at a non-functional URL the auto-update component will essentially be disabled, and it may be possible to disable it completely via GPO (haven't looked).

  -bws

Received on Thu Apr 10 14:00:44 2003
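
Added example, not part of the original thread: a default-deny model of the zone policy Bill describes, used to list which new connections each SUS placement would require that the current rules block. The zone names, the `http` service label, and the rule letting the LAN reach the internet (which Dennis states as an assumption) are assumptions of this sketch.

```python
from typing import NamedTuple


class Rule(NamedTuple):
    src: str
    dst: str
    service: str  # "any" matches every service


# Constructed rule set modelling the policy as described in the thread.
POLICY = [
    Rule("lan", "dmz", "any"),          # LAN may talk to the DMZ
    Rule("db", "dmz", "any"),           # DB network may talk to the DMZ
    Rule("dmz", "db", "db-protocol"),   # DMZ reaches DB only on the DB protocol
    Rule("lan", "internet", "any"),     # assumption: PCs can reach the internet
]

# Zones holding machines that would pull patches from the SUS server.
CLIENT_ZONES = ("lan", "dmz", "db")


def allowed(src, dst, service, policy=POLICY):
    """Default deny: a new connection passes only if a rule permits it.
    Traffic within one zone never crosses the firewall."""
    if src == dst:
        return True
    return any(
        r.src == src and r.dst == dst and r.service in ("any", service)
        for r in policy
    )


def blocked_flows(sus_zone, policy=POLICY):
    """Connections a SUS server in sus_zone needs but the policy denies.
    SUS is pull-based in both directions: the server initiates the sync
    to the update site, and each client initiates its request to the server."""
    flows = [(sus_zone, "internet")]
    flows += [(zone, sus_zone) for zone in CLIENT_ZONES]
    return [(s, d) for s, d in flows if not allowed(s, d, "http", policy)]


if __name__ == "__main__":
    for zone in ("dmz", "lan"):
        print(f"SUS in {zone}: blocked {blocked_flows(zone)}")
```

With SUS in the DMZ the only missing flow is an outbound connection from the DMZ; with SUS on the LAN the server can sync, but machines in the DMZ and DB network cannot initiate a connection to it under the stated rules.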

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:28 EDT

