Here I am at the AICPA Tech conf in Las Vegas at the Venetian hotel.

News this week… I’m passing along an email from the MS listserv….

If you have port 443 open on your SBS 2k system … watch out as we’re seeing exploits.

How do I know if port 443 is open?

Go to https://grc.com/x/ne.dll?bh0bkyd2 and click on proceed, then on “common ports”.  If port 443 is closed or stealth, you are in good shape.  If you have open port 443, then you need to patch NOW.
——————

Hello all~

With Brett’s permission, I wanted to take a brief moment to reach as many IIS 5.0 administrators as possible to warn them against not having the MS04-011 fix.  Microsoft is currently seeing an increase in customers who are being hit by the exploits released within the past two weeks, which create a Denial of Service (DoS) against servers that are using SSL.  It is important to note that this exploit does not impact your servers which are ONLY using HTTP (non-secure).

With that said, I would like to personally ask all IIS administrators to take the time to test and install MS04-011.  The critical update is located here:

MS04-011 Information: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Critical Update: http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

Considerations:

If you are using SSL on your IIS 5.0 servers and have not patched your systems, you will be vulnerable to the DoS exploits.  The symptoms are easily recognized by the following in your System event viewer:

Source: LsaSrv

Event ID: 5000

Description: The security package Microsoft Unified Security Protocol Package generated an exception. The package is now disabled. The exception information is the data.

The method to correct this problem is the following:

   a).  Rebooting the server will recycle the SSL components and allow your site to resume service (but unpatched)

   b).  Install MS04-011 which mitigates the exploit

Current Investigations:

Microsoft is currently investigating problems related to installations of IIS 5.0 and SSL with Client Certificates.

In short, IIS 5.0 installations which use large Certificate Revocation Lists (CRLs) might lead to client certificates failing.  However, it is still recommended that you install the hotfix if at all possible to avoid not having important fixes above and beyond the SSL fix.

Situations where Microsoft has seen Client Certificates fail:

   a).  Certificate Trust List (CTL) failures – Resolve this by disabling use of CTLs (http://support.microsoft.com/default.aspx?scid=kb;en-us;216485)

   b).  CAs are getting restricted to no longer accept Client Certs – No documentation, but using the Certificates Snap-In and editing the Usage can mitigate – contact me if you need more details.

   c).  CRL lookup problems:  Occurs with large CRL files.  Disable CRL Checking on your IIS 5.0 Server (http://support.microsoft.com/default.aspx?scid=kb;en-us;295070)

At this time, we have not currently released an update that addresses all of the issues which are listed in this mail.  There are also other random issues which we have not confirmed as being related to MS04-011 but lack confirmation.  It is suggested that you monitor the TechNet security center at www.microsoft.com/technet/security to watch for updates to resolve these problems.

In conclusion, most IIS installations will not be affected by the few considerations listed in this email.  This is the reason we are requesting that all customers test and install MS04-011 on their Windows 2000 SP 2, 3, or 4 machines.

Thanks in advance for your time,

~Chris Adams

Web Platform Supportability Lead

IIS:  www.microsoft.com/iis
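The two checks the forwarded email boils down to (is port 443 reachable, and has the LsaSrv 5000 event already fired?) as an added Python example; this is not code from the post or from Microsoft. It assumes a constructed tab-separated Event Viewer export format and constructed sample log lines, and it probes 127.0.0.1 by default where the post uses the GRC web scan.

```python
import socket
from typing import Any, Dict, Iterable, List, Optional
# Symptom named in the email: LsaSrv event 5000 means the Schannel provider
# ("Microsoft Unified Security Protocol Package") threw and disabled itself,
# so SSL stays down until the server is rebooted or MS04-011 is installed.
SYMPTOM_SOURCE, SYMPTOM_EVENT_ID = "LsaSrv", 5000

def parse_event_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one tab-separated Event Viewer export line. Assumed (constructed) column
    order: Date, Time, Source, Type, Category, EventID, User, Computer, Description."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 9 or not f[5].isdigit():
        return None  # header line or truncated record
    return {"date": f[0], "time": f[1], "source": f[2], "event_id": int(f[5]),
            "computer": f[7], "description": "\t".join(f[8:])}

def find_ssl_dos_symptoms(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Return every event matching the DoS symptom (source LsaSrv, event ID 5000)."""
    events = (parse_event_line(line) for line in lines)
    return [e for e in events
            if e and e["source"] == SYMPTOM_SOURCE and e["event_id"] == SYMPTOM_EVENT_ID]

def tcp_port_listening(host: str = "127.0.0.1", port: int = 443, timeout: float = 1.0) -> bool:
    """Local stand-in for the GRC probe: does a TCP connect to host:port succeed?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def assess(hits: List[Dict[str, Any]], port_443_open: bool) -> str:
    """Map the two checks onto the actions the email prescribes."""
    if hits:
        hosts = ", ".join(sorted({h["computer"] for h in hits}))
        return "SSL already disabled on %s: reboot to restore service, then install MS04-011" % hosts
    if port_443_open:
        return "port 443 reachable and no symptom yet: test and install MS04-011 now"
    return "port 443 not reachable: exposure is lower, still install MS04-011"

# Constructed sample export (not a real log): one benign event and two symptom events.
SAMPLE_EXPORT = [
    "Date\tTime\tSource\tType\tCategory\tEvent\tUser\tComputer\tDescription",
    "5/12/2004\t09:14:02\tW32Time\tWarning\tNone\t64\tN/A\tSBSSRV\tTime service could not synchronize.",
    "5/12/2004\t09:31:47\tLsaSrv\tError\tNone\t5000\tN/A\tSBSSRV\tThe security package Microsoft Unified "
    "Security Protocol Package generated an exception. The package is now disabled.",
    "5/12/2004\t11:02:10\tLsaSrv\tError\tNone\t5000\tN/A\tSBSSRV\tThe security package Microsoft Unified "
    "Security Protocol Package generated an exception. The package is now disabled.",
]

if __name__ == "__main__":
    print(assess(find_ssl_dos_symptoms(SAMPLE_EXPORT), tcp_port_listening()))
```

Point `find_ssl_dos_symptoms` at a real export of the System log to see whether the provider has already been knocked out; the reboot only restores service, the patch is what closes the hole.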


4 Responses to Heads up … check out your port 443!!!

  1. Colby says:

    Is this only an issue for SBS 2k? Or should this be applied to 2k3 as well?

  2. Xavier says:

    "… Disable CRL Checking on your IIS 5.0 Server…"

    hoops ….. Is it a joke?

    In fact, there are really critical side effects (on IIS and client certificate management) after the installation of ms04-011 on W2000 SP3.

    – CTL failures

    – CRL failures

    – CRL cache management trouble

    – CRL management with LocalMachine\CA store (need IIS restart)

    – Winhttp proxy settings configuration (it seems there is an interaction with Wininet settings)

    Xavier.

  3. Susan says:

    Xavier … I have 04-011 on a Windows 2000 sp4 machine and have no issues. Get fully patched. If you are experiencing problems with a security bulletin, call Microsoft PSS; it will be a free call.

    GET PATCHED. GET PROTECTED.

  4. Xavier says:

    Susan,

    you’re right, using CTL and CRL with IIS is "OK again" with SP4.

    I am just a bit "perplexed" when I read this kind of solution (disable CRL Checking) and when a security patch has so many side effects on key security features.

    Thanks.