An update regarding Zotob and null sessions


Earlier today SANS spread some information that the Zotob worm uses null sessions and that null sessions could be enabled in Windows 2003 with Exchange and SQL. They said that this allowed a risk of infection.

This went against their earlier advice that Windows 2003 was not vulnerable. As a result, we declared emergency downtime for tonight to patch the Windows 2003 servers. (The 2000 servers had been done during emergency downtime on Sunday).

Well, as it turns out, we have a correction. Microsoft has updated their bulletin and pointed out to SANS that even if NULL sessions were enabled on 2003, it is not like a 2000 null session. Account credentials with local logon permissions are necessary.

In the "heat of battle," sometimes people get information wrong, even the experts. I do think next time, I'll remember that the ISC Handlers aren't necessarily Windows Security Experts. And if I have a question about the best course of action, I'll at least try to contact my Microsoft TAM.

The good news is all the servers are patched a day earlier than they would have been otherwise. The bad news is some users will complain about the emergency downtime. I feel like I've lost some credibility. But hey, I made a decision with the best available information at that time. And having downtime on Monday at 8pm instead of Tuesday at 8pm isn't a big deal in the grand scheme of things.


About this Entry

This page contains a single entry by Roger published on August 15, 2005 10:58 PM.
