ZOMG VIRUS

Sep. 4th, 2006 11:16 am
sobrique: (Default)
[personal profile] sobrique
We've just had an edict that a particular server we've got is generating a lot of network traffic, and therefore it's been firewalled and we've got to scan it for the latest virus that's doing the rounds.

Unfortunately, it's one of our domain controllers. So, really not all that surprising that it got a lot of traffic on 'Windows RPC' ports, to lots and lots of hosts.

Sometimes I despair.

And then I remember that I'm just a humble Unix admin, and therefore it's officially NMFP. (*smug mode*)

Date: 2006-09-04 06:10 pm (UTC)
From: [identity profile] warmage.livejournal.com
Yes, I do realize that but IMHO, RPC need not be bound to the same network device as a webserver or practically any other outward-facing process. I'm a big fan of multi-home on any bastion server.

Date: 2006-09-04 06:13 pm (UTC)
From: [identity profile] warmage.livejournal.com
Crap, I found the error in my thinking. For some reason I read "domain controller" and my mind heard "webserver."

You're right. Can't do jack on the inside without RPC, rendering my original comment null and void. How embarrassing!!

So that changes the complexion of the issue quite a bit and makes me wonder just how the hell a virus makes its way to the domain controller without visiting a desktop (and thereby *multiple* desktops) before getting into the DC.

Good catch. Sorry for the improperly focused smarm.

Date: 2006-09-04 06:56 pm (UTC)
From: (Anonymous)
Good point, however the point about MCSE training applies here.
Most of them don't seem to have a clue about things like selective filtering, differing IP ranges for differing cards, or my personal favourite, redundant network cards.

However it's fair to say, I don't know much about these things under Windows either, other than the fact that I assume they can be done, and it's probably not beyond the wit of a normal person to figure it out with the Internet. (E.g., I was under the impression forward-facing RPC was essential for a DNS controller under AD, however if you say you can get away without it, I will accept that. I know it's not necessary under a real operating system :P )

Date: 2006-09-04 07:05 pm (UTC)
From: [identity profile] warmage.livejournal.com
Correct, AD does make copious use of the RPC protocol, particularly at a Domain Controller (even though this technically is an Active Directory Provider - the term "Domain Controller" is not used). You are also correct that it can be filtered to prevent tunneling from servers it does not know, both by datagram and by IP.

IANAMCSE, but the ability to filter thus has been around for several years in Windows - obviously it is typically a function of network design such that this type of traffic is secured with segmentation, subnet masking, and the other techniques as necessary (and is probably typical on a properly built *NIX network, eh?)
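The thread above makes two practical points: a domain controller talking RPC to many hosts is normal, and that RPC traffic can nonetheless be scoped "by IP" rather than blanket-firewalled. The following is an added example (not from the post or any of the commenters) of how an admin would check both on a current Windows Server DC with PowerShell. It assumes an elevated session on Windows Server 2012 or later with the NetTCPIP and NetSecurity modules, that the built-in firewall rule group is named "Active Directory Domain Services", and that the subnet list `$trusted` is a placeholder you replace with your own client and DC ranges.

```powershell
# Added example, not part of the original post or its comments.
# Assumptions: run elevated on a Windows Server 2012+ domain controller;
# $trusted is a placeholder for your real client/DC address ranges.

# --- 1. Triage: is the "lots of RPC traffic" just the DC doing its job? ---
# AD clients and replication partners hit the RPC endpoint mapper (TCP 135)
# and then a dynamic high port (49152-65535 on Server 2008 and later).
# Summarise established connections on those ports by remote address so the
# peers can be checked against the list of known domain members.
function Get-DcRpcPeers {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.LocalPort -eq 135 -or $_.LocalPort -ge 49152 } |
        Group-Object RemoteAddress |
        Sort-Object Count -Descending |
        ForEach-Object {
            $name = try { [System.Net.Dns]::GetHostEntry($_.Name).HostName }
                    catch { '(no reverse DNS)' }
            [pscustomobject]@{
                Connections   = $_.Count
                RemoteAddress = $_.Name
                HostName      = $name   # a domain member FQDN is expected here
            }
        }
}

Get-DcRpcPeers | Format-Table -AutoSize

# --- 2. Scope, don't block: restrict AD RPC to the subnets the DC serves ---
# Windows Firewall ships allow rules for AD DS that accept RPC from any
# address. Narrowing their remote scope keeps the domain working for real
# members while anything outside the ranges falls to the default inbound
# block of the Domain profile. Explicit Block rules are avoided on purpose:
# in Windows Firewall a Block rule overrides an Allow rule for the same port.
$trusted = @('10.0.0.0/8', '192.168.10.0/24')   # placeholder ranges (assumption)

$adRules = Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' `
                               -Direction Inbound -ErrorAction Stop
$adRules | Set-NetFirewallRule -RemoteAddress $trusted

# Log what the profile now drops, so a mis-scoped subnet shows up as failed
# logons in the firewall log rather than as a silent outage.
Set-NetFirewallProfile -Profile Domain -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Verify the scope actually applied to every AD DS rule.
$adRules | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress -Unique
```

The first step is what should have happened before the DC in the post was firewalled: if every heavy talker resolves to a domain member, the traffic is AD, not a worm. The second step is the scoping the commenters describe; apply it to one DC first and watch the firewall log and client logons, because any subnet missing from `$trusted` loses authentication against that DC.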

Powered by Dreamwidth Studios