[ale] OT: Microsoft announces new ways to bypass security controls

Greg runman at speedfactory.net
Mon Sep 15 23:49:37 EDT 2003 

no, you can turn it off, or even remove it.  I don't have it on my pc at
work (MS shop) and I am a web developer running Win 2K Pro (all work is on
the dept prod or dev box under Source Safe).

Web based outlook is old stuff, and so what is new ??  There are about 65k
of ports ... it's just a #, really. What is relevant is if a pc, or rather 2
PC's -  can utilize it ... so ... what is secure about this ???? Running a
web/mail server and RPC together ??? Something that MS has had no luck with
in the past ???? Huh ????  I think this lost something in the translation.

Is this an April Fool's Day joke ?

Greg

> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org]On Behalf Of Adrin
> Sent: Monday, September 15, 2003 9:29 PM
> To: Atlanta Linux Enthusiasts
> Subject: RE: [ale] OT: Microsoft announces new ways to bypass security
> controls
>
>
> Lets see I have read the email 3 times.  Looked over the link 2
> times.  I still wonder.
> Why would I pass port 80 through my firewall so that users can
> get email and access to the
> corporate network.  And while I am at it, I bet I would have to
> install and run IIS and
> have that wide open on the net, wait if you install IIS it runs
> even if you tell it not
> too. Why don't they just sale Neon signs?
>
> Adrin
>
> > -----Original Message-----
> > From: ale-bounces at ale.org [mailto:ale-bounces at ale.org]On Behalf Of
> > Geoffrey
> > Sent: Monday, September 15, 2003 8:23 PM
> > To: ALE
> > Subject: [ale] OT: Microsoft announces new ways to bypass security
> > controls
> >
> >
> > Someone want to explain to me how the following statement makes ANY
> > sense? (you will find it further down in this posting:
> >
> > "Outlook 2003 now offers a better alternative to VPN connections -- RPC
> > over HTTP"
> >
> >
> > Subject:
> > Microsoft announces new ways to bypass security controls
> > From:
> > Sean Donelan <sean at donelan.com>
> > Date:
> > Sun, 14 Sep 2003 22:03:32 -0400 (EDT)
> > To:
> > nanog at merit.edu
> >
> > For those not keeping up with Microsoft, because so many people have
> > started blocking Netbios, RPC, SMB, etc; Microsoft announced yet another
> > way to bypass security.
> >
> > On August 1, Microsoft introduced Exchange 2003.  With Outlook 2003 this
> > introduces an new implementation fo Exchange's MAPI protocol over HTTP
> > allowing clients to natively connect to Exchange servers without using a
> > virtual private network (VPN).
> >
> > Steve Conn, Microsoft's Product manager was quoted as "Since we
> have got a
> > good implementation, we're going to keep supporting it."  Microsoft will
> > evangelise the new protocol, and developers of other mail clients and
> > servers will be encouraged to implement it.
> >
> >
> > http://www.microsoft.com/office/ork/xp/beta/three/ch8/OutC07.htm
> >
> > "Outlook 2003 now offers a better alternative to VPN connections -- RPC
> > over HTTP. With this feature, users can have security-enhanced access to
> > their Exchange Server accounts from the Internet when they are working
> > outside your organization's firewall. Users do not need any special
> > connections or hardware, such as smart cards and security
> tokens, and they
> > can still get to their Exchange accounts even if the Exchange server and
> > client computer behind the firewall are on different networks."
> >
> > By the way, Microsoft's RPC-Over-HTTP uses one of the ports in another
> > Microsoft security advisory concerning RPC vulnerabilities.  Extending
> > the list of dangerous ports to include 593, RPC-over-HTTP.  A suggested
> > work around, use a virtual private network (VPN).
> >
> >
> >
> > Of course, Microsoft isn't the only one with mail protocol security
> > weaknesses.
> >
> > POP3 is probably responsible for more cleartext passwords being
> > transmitted over the Internet than any other network protocol.
> >
> >
> >
> >
> > --
> > Until later: Geoffrey		esoteric at 3times25.net
> >
> > The latest, most widespread virus?  Microsoft end user agreement.
> > Think about it...
> >
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>

More information about the Ale mailing list