[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Windows DNS server advisory - THE OFFICIAL BLOG OF THE SBS "DIVA"
Thu, Apr 12 2007 23:28 bradley

Windows DNS server advisory

Microsoft Security Advisory (935964): Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/advisory/935964.mspx

Microsoft's suggested workaround is to block the following at the firewall:

All unsolicited inbound traffic on ports 1024 through 5000

The RPC interface of Windows DNS is bound to a port in this range. Blocking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.

The SANS Internet Storm Center diary on the advisory: http://isc.sans.org/diary.html?storyid=2584

Keep in mind that an SBS network doesn't expose the DNS server's RPC interface to the Internet anyway, so don't panic.


# re: Windows DNS server advisory

Friday, April 13, 2007 7:16 AM by Dave Dabour

Thanks for adding the last sentence - saved me some research!!

# re: Windows DNS server advisory

Friday, April 13, 2007 8:49 AM by Chris Knight

Let's see:

3389/tcp - RDP

4125/tcp - RWW

So only block 1024 through 5000 if you don't want remote access to your SBS network.

Really, everyone should be running their firewalls in a default deny mode, and only opening ports as needed on a protocol by protocol basis. Then we don't need these ridiculous workarounds.

Software designed with a least privilege model would be nice too.

Ditto an implementation of MAC, which if done properly will mitigate any impact of a breach. No, Mr DNS server, you cannot write a file into the system32, nor can you add a value into the Run key in the registry.

We need better designed software, not more workarounds.
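An added example (mine, not code from the post, from Microsoft, or from any commenter) that models the two points above as a first-match inbound firewall policy: the advisory's "block unsolicited inbound 1024-5000" workaround, and Chris Knight's observation that RDP (3389/tcp) and RWW (4125/tcp) sit inside that range, so a blanket block cuts off remote access unless explicit allows come first. The port numbers are the ones on this page; the rule names, the top-down first-match evaluation order, and the sample connection attempts are constructed for the example and are not taken from any real firewall or captured traffic.

```python
"""First-match model of an inbound firewall policy (constructed example).

Demonstrates the MS advisory 935964 workaround (block unsolicited inbound
1024-5000) against the SBS remote-access ports named in the comment thread.
Rule names and sample traffic are made up for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port range named in the advisory's firewall workaround (inclusive).
RPC_DYNAMIC_LOW, RPC_DYNAMIC_HIGH = 1024, 5000

# Remote-access ports an SBS network typically exposes (from the comment thread).
SBS_REMOTE_ACCESS = {3389: "RDP", 4125: "RWW"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                             # "allow" or "block"
    proto: Optional[str]                    # "tcp", "udp", or None for any protocol
    port_range: Optional[Tuple[int, int]]   # inclusive (low, high), or None for any port

    def matches(self, proto: str, port: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.port_range is not None:
            low, high = self.port_range
            if not low <= port <= high:
                return False
        return True


def decide(rules: List[Rule], proto: str, port: int) -> Tuple[str, str]:
    """Top-down first-match evaluation: the first matching rule decides."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action, rule.name
    return "block", "implicit-deny"   # not reached when a default-deny rule is last


def build_policy(keep_remote_access: bool = True,
                 range_block_first: bool = False) -> List[Rule]:
    """Default-deny policy with the advisory's range block.

    keep_remote_access adds explicit allows for the SBS remote-access ports;
    range_block_first places the 1024-5000 block ahead of those allows, which
    is the ordering mistake that silently kills RDP and RWW.
    """
    allows = []
    if keep_remote_access:
        allows = [Rule(f"allow-{svc.lower()}", "allow", "tcp", (port, port))
                  for port, svc in sorted(SBS_REMOTE_ACCESS.items())]
    range_block = [Rule("block-rpc-range", "block", None,
                        (RPC_DYNAMIC_LOW, RPC_DYNAMIC_HIGH))]
    ordered = range_block + allows if range_block_first else allows + range_block
    return ordered + [Rule("default-deny", "block", None, None)]


def shadowed_allows(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Allow rules that can never fire because an earlier block rule covers their port."""
    shadowed = []
    for i, rule in enumerate(rules):
        if rule.action != "allow" or rule.port_range is None:
            continue
        port = rule.port_range[0]
        proto = rule.proto or "tcp"
        earlier = [r for r in rules[:i] if r.matches(proto, port)]
        if earlier and earlier[0].action == "block":
            shadowed.append((port, rule.name))
    return shadowed


if __name__ == "__main__":
    # Constructed sample of unsolicited inbound connection attempts (not real traffic):
    # RDP, RWW, an ephemeral RPC port, a UDP port in the range, and plain HTTP.
    sample = [("tcp", 3389), ("tcp", 4125), ("tcp", 1025), ("udp", 2000), ("tcp", 80)]
    variants = (("allows before the range block", build_policy(True, False)),
                ("range block placed first", build_policy(True, True)),
                ("no remote access at all", build_policy(False)))
    for label, policy in variants:
        print(label)
        for proto, port in sample:
            action, name = decide(policy, proto, port)
            print(f"  {proto}/{port} -> {action} ({name})")
        print("  shadowed allows:", shadowed_allows(policy))
```

Running it shows the only ordering that honours both the advisory and remote access: explicit per-port allows for 3389 and 4125, then the 1024-5000 block, then default deny. Put the range block first and `shadowed_allows` reports both remote-access rules as dead, which is exactly the "only block 1024 through 5000 if you don't want remote access" outcome from the thread.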