The exploitation of yet another Microsoft bug (MSBLAST) has prompted me to propose a solution that would go a long way toward containing these problems; I've never figured out why Microsoft hasn't implemented it.
The NETBIOS, CIFS and RPC core engines should have a "Local connections only" flag somewhere, and reject all connections and probes from IP addresses not directly connected to a local interface (as determined by the interface's IP address and netmask). This flag would be TRUE by default, and the user would have to override it in the TCP/IP properties, or perhaps it could be set by DHCP.
This approach would allow most of the networking services to be enabled by default, but they would not be usable by anybody outside the local network. Most home users would be functional and mostly secure even if they had no firewall: no "security versus functionality" tradeoff for most.
This wouldn't be a complete fix - cable modem users have "neighbors" on the same network - but would not allow The Great Unwashed to be exploited by script kiddies and worms from all over the world.
Can anybody think of a reason why this wouldn't work?
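As an added illustration (not code from the original post), here is the check the proposed flag would perform, written in Python with the standard-library ipaddress module. The interface addresses, netmasks, and connection attempts below are constructed sample data, not anything observed on a real host. The sample also shows the cable-modem caveat from the post: a "neighbor" in the same /22 as the modem's interface passes the on-link test, while a source elsewhere on the Internet does not.

```python
import ipaddress

# Constructed sample: interfaces of a hypothetical home machine as (address, netmask).
HOME_INTERFACES = [
    ("192.168.1.10", "255.255.255.0"),   # LAN behind a router
    ("127.0.0.1", "255.0.0.0"),          # loopback
]

# Constructed sample: a machine plugged straight into a cable segment with a /22 netmask.
CABLE_INTERFACES = [
    ("10.8.1.10", "255.255.252.0"),      # hypothetical cable segment, 10.8.0.0/22
]


def on_link_networks(interfaces):
    """Return the directly connected networks implied by each (address, netmask) pair."""
    return [ipaddress.ip_interface(f"{addr}/{mask}").network for addr, mask in interfaces]


def accept_connection(source_ip, interfaces, local_only=True):
    """Decide whether a service should accept a connection or probe from source_ip.

    local_only mirrors the proposed flag: TRUE by default, so only sources that fall
    inside a local interface's network are accepted. Setting it to False restores the
    old accept-everything behaviour (the override the user or DHCP would supply).
    """
    if not local_only:
        return True
    src = ipaddress.ip_address(source_ip)
    # 'in' only matches when address and network are the same IP version,
    # so an IPv6 source never accidentally matches an IPv4 interface network.
    return any(src in net for net in on_link_networks(interfaces))


def filter_attempts(attempts, interfaces, local_only=True):
    """Apply the policy to (source_ip, service) pairs; return (accepted, rejected) lists."""
    accepted, rejected = [], []
    for source_ip, service in attempts:
        bucket = accepted if accept_connection(source_ip, interfaces, local_only) else rejected
        bucket.append((source_ip, service))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of inbound attempts against the three services named in the post.
    attempts = [
        ("192.168.1.55", "CIFS"),      # another machine on the LAN
        ("127.0.0.1", "RPC"),          # local process
        ("203.0.113.9", "RPC"),        # somewhere on the Internet
        ("198.51.100.77", "NETBIOS"),  # somewhere else on the Internet
    ]
    ok, dropped = filter_attempts(attempts, HOME_INTERFACES)
    print("accepted:", ok)
    print("rejected:", dropped)

    # The caveat: on a cable segment a neighbor in the same /22 is "local".
    print("cable neighbor accepted:", accept_connection("10.8.2.200", CABLE_INTERFACES))
    print("outside the /22 accepted:", accept_connection("10.8.4.1", CABLE_INTERFACES))
```

With the flag left at its default, the two Internet sources are rejected before the service ever parses their request, while LAN and loopback traffic works unchanged; flipping local_only to False reproduces today's behaviour of accepting everything.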
Posted by Steve at August 22, 2003 09:59 AM

I think it might work. What I think might be a little more secure is to set it up so that the service just drops any requests stemming from non-LAN IPs by default. That way, rather than looking for the IP scheme of the local interface (presumably a router or broadband modem), it automatically has the accepted IPs hard-coded into a config file somewhere. That way it (theoretically) wouldn't accept connections from any IPs originating from the Internet, so you don't have to worry about your cable modem neighbors.
Posted by: Techie2000 on August 23, 2003 11:10 PM

It's too easy.
Posted by: joat (the Cynic) on August 24, 2003 07:52 AM

It makes too much sense.
Posted by: Lissa on August 27, 2003 07:18 PM

It's a fine idea.
It would also be a good preventative measure for MS to turn off unnecessary ports and services by default.
Of course, MS's idea of prevention is to issue a patch after a few million systems have been compromised.
Posted by: Sneeze on August 28, 2003 01:25 AM

Actually, Microsoft issued a patch *before* the machines were compromised.
Posted by: Steve Friedl on August 28, 2003 10:16 AM