Isolating vulnerable systems
We have a Windows server (we'll call it ServerA) that has a critical vulnerability. For the next few months, we cannot patch this system. I was thinking about this. The only two systems that need to access this system are ServerB and the vulnerability scanner.
I was thinking about using Windows Firewall to allow traffic from ServerB to ServerA over the specific TCP port it needs. This seems easy enough. My confusion is, how do I allow this for the vulnerability scanner? I think I would need to allow all ports, but then I'm allowing the scanner full access to the system. Not sure that makes sense.
The other thing I thought of was creating an ACL on the L3 switch that only allows traffic with those source addresses to ServerA, but network management doesn't seem to want to be bothered with that
How would you all isolate this?
Comments
-
McxRisley:
A Remediation VLAN will solve your problems.

Signature: I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
-
PCTechLinc:
You do need to allow the scanner full access to the system, which is how it scans for vulnerabilities. Otherwise it throws "access denied" errors. As long as you're ONLY allowing those two systems access to the vulnerable server, you shouldn't have any issues.
If your infrastructure is set up for it, you could also apply NAC policies with a remediation network. If not now, maybe something to think about in the future.

Signature: Master of Business Administration in Information Technology Management - Western Governors University; Master of Science in Information Security and Assurance - Western Governors University; Bachelor of Science in Network Administration - Western Governors University; Associate of Applied Science x4 - Heald College
-
shochan:
Turn it off & see if anyone yells.

Signature: CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
-
tedjames:
> Turn it off & see if anyone yells.
That's not necessarily a bad idea. Conduct a survey to find out who in your organization needs to access it. If it's nobody, no worries. Otherwise, make accommodations for those who need it.
-
the_Grinch:
> That's not necessarily a bad idea. Conduct a survey to find out who in your organization needs to access it. If it's nobody, no worries. Otherwise, make accommodations for those who need it.
This actually can work from time to time. Early in my career there was a report that I had to manually generate each morning for 30 people at the company. Even my boss said that, to the best of his knowledge, no one actually read it, but he would still do it and thus I had to do it. In one meeting I was talking to his boss and the report came up. He told me that for two weeks I should not do the report and see if I heard anything. Two weeks later I heard from exactly two people: one person only asked about the report because he noticed he received one less email every morning, and the other person actually did read the report every day, but figured I was on vacation.
Any chance you could virtualize the server? Then you could wrap something around it to mitigate the vulnerability.

Signature: WIP: PHP, Kotlin, Intro to Discrete Math, Programming Languages, Work stuff
-
ottucsak:
The vuln scanner probably doesn't need full access if you use a local scanner agent. This way you can close down almost everything.
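The allow-list the OP describes, which PCTechLinc confirms (ServerB on one TCP port, the scanner allowed by source address only) and which ottucsak's agent suggestion shrinks further, written out as a Windows Defender Firewall rule set. This is an added example, not code posted by anyone in the thread. It assumes Windows Server 2012 R2 or later (the NetSecurity cmdlets), and every address, the port, the rule-group name and the optional admin host are placeholders.

```powershell
<#
Added example, not from the thread. Restricts inbound access to ServerA to
ServerB (one port) and the vulnerability scanner (by source IP), using the
built-in Windows Defender Firewall. Run in an elevated PowerShell on ServerA
with console/out-of-band access available in case of lockout.
All addresses, the port and the group name below are assumed placeholders.
#>
param(
    [string]$ServerB      = '10.0.1.20',  # assumed: the one application client
    [int]   $AppPort      = 1433,         # assumed: the one TCP port ServerB needs
    [string]$Scanner      = '10.0.9.5',   # assumed: the network vulnerability scanner
    [switch]$AgentScanner,                # set if scanning is done by a local agent (no inbound hole)
    [string]$AdminHost    = ''            # optional assumed jump host allowed RDP; empty = none
)
$ErrorActionPreference = 'Stop'
$Group = 'ServerA isolation'   # assumed rule-group name; lets us find and replace our own rules

# 1. Remove any earlier run of this script so it is safe to re-run.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 2. Default-deny inbound on every profile. On its own this is NOT enough:
#    Windows ships many enabled inbound Allow rules (File and Printer Sharing,
#    Remote Desktop, WinRM, Core Networking ...) that match before the default.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 3. Disable every other enabled inbound Allow rule so only ours remain.
#    Review the list first: if ServerA uses DHCP or depends on IPv6 neighbour
#    discovery, keep the matching Core Networking rules enabled.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Group -ne $Group } |
    Disable-NetFirewallRule

# 4. ServerB may reach the one application port, nothing else.
New-NetFirewallRule -DisplayName 'ServerA: ServerB -> app port' -Group $Group `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $AppPort `
    -RemoteAddress $ServerB | Out-Null

# 5. The scanner. A network-based (credentialed) scan has to reach every port to
#    enumerate services and log in over SMB/WinRM, so this rule is scoped by
#    source address rather than by port: "full access", but from exactly one IP.
#    With a local agent the agent connects outbound to the scanner instead, so no
#    inbound rule is created at all.
if (-not $AgentScanner) {
    New-NetFirewallRule -DisplayName 'ServerA: vuln scanner (all ports)' -Group $Group `
        -Direction Inbound -Action Allow -Protocol Any -RemoteAddress $Scanner | Out-Null
}

# 6. Optional management path, again pinned to a single source address.
if ($AdminHost) {
    New-NetFirewallRule -DisplayName 'ServerA: admin RDP' -Group $Group `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $AdminHost | Out-Null
}

# 7. Print the effective inbound allow-list so it can be checked against the intent.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        [pscustomobject]@{
            Rule = $_.DisplayName
            From = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            Port = ($_ | Get-NetFirewallPortFilter).LocalPort
        }
    } | Format-Table -AutoSize
```

Verify from the network, not just from the rule listing: `Test-NetConnection -ComputerName ServerA -Port <AppPort>` should succeed from ServerB and fail from any third host, and the scanner should still complete a credentialed scan. Two caveats a practitioner will hit: Group Policy can silently overwrite local firewall settings, so either set these rules through GPO or confirm the policy does not touch this server; and the host firewall only protects the host, so anyone who gets code running on ServerA can disable it, which is why the OP's L3 ACL or McxRisley's remediation VLAN is the stronger control. The same three-line allow-list translates directly into that ACL if network management ever agrees.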
-
gespenstern:
If you are not able to patch the server, then there's probably no point in scanning for vulns much.
-
mnashe:
Umm, it's interesting (and weird) that this is the same exact post I created back in February. Word for word.
http://www.techexams.net/forums/off-topic/131281-isolating-vulnerable-systems.html
-
jamshid666:
> Umm, it's interesting (and weird) that this is the same exact post I created back in February. Word for word.
> http://www.techexams.net/forums/off-topic/131281-isolating-vulnerable-systems.html
I guess that's one way to get one's post count started. :P

Signature: WGU BS - Network Operations and Security. Estimated completion: May 2019
Remaining courses: C846 (ITIL), C768 (OA), C850 (OA), C769 (Capstone)
Active Certifications: A+, CCDA, CCNA-R&S, CCNA-Security, CIW-SDA, i-Net+, Network+, Project+, Security+, Server+, Splunk Certified User, VCP-DCV
Expired Certifications: CCNP, LPIC-1, MCSE, RHCSE