Isolating vulnerable systems

lupacexi4 Banned Posts: 1
We have a Windows server (we'll call it ServerA) that has a critical vulnerability. For the next few months, we cannot patch this system. I was thinking about this. The only two systems that need to access this system are ServerB and the vulnerability scanner.

I was thinking about using Windows Firewall to allow traffic from ServerB to ServerA over the specific TCP port it needs. This seems easy enough. My confusion is, how do I allow this for the vulnerability scanner? I think I would need to allow all ports, but then I'm allowing the scanner full access to the system. Not sure that makes sense.

The other thing I thought of was creating an ACL on the L3 switch that only allows traffic with those source addresses to ServerA, but network management doesn't seem to want to be bothered with that.

How would you all isolate this?
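The host-based variant of the question above, written out as an added example (not code from the original post): a Windows Defender Firewall policy for ServerA where ServerB gets one TCP port and the scanner gets every port, but only from its own source address. Pinning the scanner rule to a single remote address is what keeps "all ports" from meaning "open to the network". All addresses, the port number and the backup path are assumptions for illustration.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on ServerA.
# Every address, the port and the backup path below are assumed values; replace them.
$ServerB = '10.0.10.20'   # assumed: the one application host that must reach ServerA
$Scanner = '10.0.50.5'    # assumed: the vulnerability scanner
$AppPort = 1433           # assumed: the single TCP port ServerB needs on ServerA
$Backup  = Join-Path $env:ProgramData 'fw-rules-before-isolation.xml'

# 1. Snapshot the current rule set so the change can be reverted or audited later.
Get-NetFirewallRule | Export-Clixml -Path $Backup

# 2. Firewall on for every profile, and inbound traffic that matches no allow rule is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 3. Disable every other enabled inbound allow rule, built-in ones included, so the two
#    rules below are the only way in. This also disables core-networking allows such as
#    the DHCP client, so ServerA should have a static address, and any admin path you rely
#    on (RDP or WinRM from a jump host) must be re-added explicitly or you lock yourself out.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Disable-NetFirewallRule

# 4. ServerB: one TCP port, one source address.
New-NetFirewallRule -DisplayName 'Isolation: ServerB to app port' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $AppPort `
    -RemoteAddress $ServerB -Profile Any

# 5. Scanner: any protocol and port, but only from the scanner's address. A credentialed
#    scan needs SMB, RPC and WMI (445, 135 and the dynamic RPC range), so restricting by
#    source rather than by port is how the scanner gets what it needs without opening the host.
New-NetFirewallRule -DisplayName 'Isolation: vulnerability scanner' `
    -Direction Inbound -Action Allow -Protocol Any `
    -RemoteAddress $Scanner -Profile Any

# 6. Verify on ServerA: the only enabled inbound allow rules should be the two above.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile, Enabled

# 7. Verify from a third host that is neither ServerB nor the scanner; the port should be
#    closed there (TcpTestSucceeded should be False), while the same test from ServerB succeeds.
#    Test-NetConnection -ComputerName ServerA -Port $AppPort
```

The rule set is a compensating control, not a fix: it only covers traffic that crosses the NIC, so anything that can run code on ServerA locally (a compromised ServerB, or the scanner itself) still reaches the vulnerable service.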

Comments

  • McxRisley OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin Member Posts: 494
    A Remediation VLAN will solve your problems.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • PCTechLinc Senior Member King City, CA Member Posts: 646
    You do need to allow the scanner full access to the system, which is how it scans for vulnerabilities. Otherwise it throws "access denied" errors. As long as you're ONLY allowing those two systems access to the vulnerable server, you shouldn't have any issues.

    If your infrastructure is set up, you could also apply NAC policies with a remediation network. If not now, maybe something to think about in the future.
    Master of Business Administration in Information Technology Management - Western Governors University
    Master of Science in Information Security and Assurance - Western Governors University
    Bachelor of Science in Network Administration - Western Governors University
    Associate of Applied Science x4 - Heald College
  • shochan Member Posts: 955
    Turn it off & see if anyone yells
    2021 Goal ~ OSCP

    Urban Achiever~ A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+
    A.A.S - CIS
  • tedjames Scruffy-looking nerfherdr Member Posts: 1,179
    shochan wrote: »
    Turn it off & see if anyone yells

    That's not necessarily a bad idea. Conduct a survey to find out who in your organization needs to access it. If it's nobody, no worries. Otherwise, make accommodations for those who need it.
  • the_Grinch Member Posts: 4,165
    tedjames wrote: »
    That's not necessarily a bad idea. Conduct a survey to find out who in your organization needs to access it. If it's nobody, no worries. Otherwise, make accommodations for those who need it.

    This actually can work from time to time. Early in my career there was a report that I had to manually generate each morning for 30 people at the company. Even my boss said to the best of his knowledge no one actually read it, but he would still do it and thus I had to do it. In one meeting I was talking to his boss and the report came up. He told me for two weeks I could not do the report and see if I heard anything. Two weeks later I heard from exactly two people: one person only asked about the report because he noticed he received one less email every morning, and the other person actually did read the report every day, but figured I was on vacation.

    Any chance you could virtualize the server? Then you could wrap something around it to mitigate the vulnerability.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • ottucsak Member Posts: 146
    The vuln scanner probably doesn't need full access if you use a local scanner agent. This way you can close down almost everything.
  • gespenstern Member Posts: 1,243
    If you are not able to patch the server, then probably there's no point in scanning for vulns much.
  • mnashe Member Posts: 136
    Umm, it's interesting (and weird) that this is the exact same post I created back in February. Word for word.

    http://www.techexams.net/forums/off-topic/131281-isolating-vulnerable-systems.html
  • jamshid666 A+, CCDA, CCNA-R&S, CCNA-Security, CIW-SDA, i-Net+, Network+, Project+, Security+, Server+, Splunk C Fayetteville, NC Member Posts: 48
    mnashe wrote: »
    Umm, it's interesting (and weird) that this is the exact same post I created back in February. Word for word.

    http://www.techexams.net/forums/off-topic/131281-isolating-vulnerable-systems.html

    I guess that's one way to get one's post count started. :P
    WGU BS - Network Operations and Security Estimated completion: May 2019
    Remaining courses: C846 (ITIL), C768 (OA), C850 (OA), C769 (Capstone)
    Active Certifications: A+, CCDA, CCNA-R&S, CCNA-Security, CIW-SDA, i-Net+, Network+, Project+, Security+, Server+, Splunk Certified User, VCP-DCV
    Expired Certifications: CCNP, LPIC-1, MCSE, RHCSE,
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 12,080
    Crazy things get posted from Vietnam IPs.

    BANNED!