Microsoft KB Archive/889189

= How to work around the ISA Server 2000 and Proxy Server 2.0 DNS spoofing vulnerability described in Microsoft Security Bulletin MS04-039 =

Article ID: 889189

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1
 * Microsoft Small Business Server 2000 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Proxy Server 2.0 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 2




Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
Microsoft Internet Security and Acceleration (ISA) Server 2000 and Microsoft Proxy Server 2.0 are affected by the security vulnerability that is described in Microsoft Security Bulletin MS04-039. In this scenario, the DNS cache in ISA Server 2000 Service Pack 1 (SP1), ISA Server 2000 Service Pack 2 (SP2), or Proxy Server 2.0 Service Pack 1 (SP1) may be spoofed.

This vulnerability is described in Microsoft Security Bulletin MS04-039. Additionally, the Microsoft Security Bulletin contains the download links to the security updates that address this issue. This article contains instructions that you can use to help protect your systems from this issue until you can install the security update.




INTRODUCTION
This article describes how to work around the DNS cache vulnerability that is described in the following Microsoft Security Bulletin:

Microsoft Security Bulletin MS04-039



MORE INFORMATION
Microsoft Security Bulletin MS04-039 describes a vulnerability that could let a malicious user spoof trusted Internet content. In this scenario, users might be led to believe that they are visiting a trusted Internet site when they are instead visiting a site that has been created for malicious purposes. To try to exploit this vulnerability, an attacker would first have to convince a user to view their malicious content or to click a link to malicious content.

To resolve this problem, install the security update that is described in Microsoft Security Bulletin MS04-039.


To work around this problem, use one of the following methods.

For Microsoft Internet Security and Acceleration Server 2000 Enterprise Edition installed in an array
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

To work around this problem for ISA Server 2000 Service Pack 1 (SP1) or ISA Server 2000 Service Pack 2 (SP2) in an enterprise array, follow these steps:
<ol>
<li>Start the LDP tool. To do this, click Start, click Run, type ldp.exe, and then click OK.

Note Ldp.exe is included with the Microsoft Windows Support Tools. To install the Windows Support Tools in Windows 2000, double-click Setup.exe in the Support\Tools folder on the Windows 2000 CD. To install the Windows Support Tools in Windows Server 2003, double-click Supptools.msi in the Support\Tools folder on the Windows Server 2003 CD.</li>
<li>Connect to the Active Directory directory service. To do this, follow these steps:
<ol style="list-style-type: lower-alpha;">
<li>On the Connection menu, click Connect, leave the Server box blank, and then click OK.</li>
<li>On the Connection menu, click Bind.</li>
<li>In the User box, type the name of a user account that has write access to ISA Server objects in Active Directory. Typically, this is a domain administrator account.</li>
<li>In the Password box, type the password that corresponds to the user account that has write access to ISA Server objects in Active Directory.</li>
<li>In the Domain box, type the domain where this ISA Server computer is located, and then click OK.</li>
<li>In the right pane, verify that the following message appears:

Authenticated as dn:'<UserName>'.

Note If this message does not appear, you are not authenticated. You cannot continue until you have been successfully authenticated in Active Directory.</li>
</ol>
</li>
<li>Access the Active Directory tree. To do this, follow these steps:
<ol style="list-style-type: lower-alpha;">
<li>On the View menu, click Tree, and then click OK.</li>
<li>In the left pane, expand DC=<domain>,DC=<com>, where <domain>.<com> is the name of your domain.</li>
<li>Double-click CN=System,DC=<domain>,DC=<com> to expand this object.</li>
<li>Double-click CN=Fpc,CN=System,DC=<domain>,DC=<com> to expand this object.</li>
<li>Double-click CN=Arrays,CN=Fpc,CN=System,DC=<domain>,DC=<com> to expand this object.</li>
</ol>
</li>
<li>Access each array policy object. To do this, follow these steps:
<ol style="list-style-type: lower-alpha;">
<li>Under each array object, double-click CN=<ArrayGUID>,CN=Arrays,CN=Fpc,CN=System,DC=<domain>,DC=<com> to expand this object.

Replace <ArrayGUID> with a GUID that appears under the Arrays object. This GUID appears similar to the following:

{4014C4B7-BE69-4DCB-89B4-296651D8E59D}

</li>
<li>Double-click CN=ArrayPolicy,CN=<ArrayGUID>,CN=Arrays,CN=Fpc,CN=System,DC=<domain>,DC=<com> to expand this object.</li>
</ol>
</li>
<li>Modify the Firewall service DNS cache size. To do this, follow these steps:
<ol style="list-style-type: lower-alpha;">
<li>Under CN=ArrayPolicy,CN=<ArrayGUID>,CN=Arrays,CN=Fpc,CN=System,DC=<domain>,DC=<com>, right-click CN=Proxy-WSP,CN=ArrayPolicy,CN=<ArrayGUID>,CN=Arrays,CN=Fpc,CN=System,DC=<domain>,DC=<com>, and then click Modify.</li>
<li>Leave the default value in the Dn box, type msFPCDnsCacheSize in the Attribute box, and then type 0 (zero) in the Values box.</li>
<li>Under Operation, click Replace, click Enter, and then click Run.</li>
</ol>

If the operation is successful, information that is similar to the following appears in the right pane:

<pre class="fixed_text">***Call Modify...
ldap_modify_s(ld, 'CN=Proxy-WSP,CN=ArrayPolicy,CN={4014C4B7-BE69-4DCB-89B4-296651D8E59D},CN=Arrays,CN=Fpc,CN=System,DC=example,DC=com',[1] attrs);
Modified</pre>

</li>
<li>Modify the Web Proxy service DNS cache size. To do this, follow the instructions in step 5. However, in this step, replace all instances of CN=Proxy-WSP with CN=WebProxy.</li>
<li>Follow steps 4 through 6 to modify the Firewall service DNS cache size and the Web Proxy service DNS cache size for every one of the CN=<ArrayGUID> objects that appear under the CN=Arrays object.</li>
<li>Quit LDP.</li>
<li>Restart the ISA Server services in your enterprise. To do this, follow these steps:
<ol style="list-style-type: lower-alpha;">
<li>Start the ISA Management tool. To do this, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.</li>
<li>Expand Servers and Arrays, expand your array, expand Monitoring, and then click Services.</li>
<li>Right-click an ISA Server's Web Proxy service, and then click Stop.</li>
<li>When the service has stopped successfully, right-click that same service, and then click Start.</li>
<li>Right-click an ISA Server's Firewall service, and then click Stop.</li>
<li>When the service has stopped successfully, right-click that same service, and then click Start.</li>
<li>Follow steps c through f to restart the services for all the ISA servers in your array.</li>
<li>Follow steps b through g to restart the services for all the ISA servers in your other arrays.</li>
</ol>
</li>
<li>Quit the ISA Management Microsoft Management Console (MMC) snap-in.</li>
</ol>

For Microsoft Internet Security and Acceleration Server 2000 Standard Edition or ISA Server 2000 Enterprise Edition in stand-alone mode
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To work around this problem for a computer that is running ISA Server 2000 Standard Edition (SP1) or ISA Server 2000 Standard Edition SP2, follow these steps:
<ol>
<li>Start Registry Editor. To do this, click Start, click Run, type regedit, and then click OK.</li>
<li>Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Arrays\<ArrayGUID>\ArrayPolicy

Replace <ArrayGUID> with the GUID that appears under the Arrays registry subkey. This GUID appears similar to the following:

{88F55145-3365-4D10-8DE5-FD433537CFC6}

</li>
<li>Change the value for the Web Proxy service DNS cache size to zero. To do this, follow these steps:
<ol style="list-style-type: lower-alpha;">
<li>Under ArrayPolicy, click WebProxy.</li>
<li>In the right pane, right-click msFPCDnsCacheSize, and then click Modify.</li>
<li>In the Value data box, type 0 (zero), and then click OK.</li>
</ol>
</li>
<li>Change the value for the Firewall service DNS cache size to zero. To do this, follow these steps:
<ol style="list-style-type: lower-alpha;">
<li>Under ArrayPolicy, click Proxy-WSP.</li>
<li>In the right pane, right-click msFPCDnsCacheSize, and then click Modify.</li>
<li>In the Value data box, type 0 (zero), and then click OK.</li>
</ol>
</li>
<li>Quit Registry Editor.</li>
<li>Start the ISA Management tool. To do this, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.</li>
<li>Expand Servers and Arrays, expand your server, expand Monitoring, and then click Services.</li>
<li>On the View menu, click Advanced.</li>
<li>Right-click the Web Proxy service, and then click Stop.</li>
<li>When the service has stopped successfully, right-click that same service, and then click Start.</li>
<li>Right-click the Firewall service, and then click Stop.</li>
<li>When the service has stopped successfully, right-click that same service, and then click Start.</li>
</ol>

For Microsoft Proxy Server 2.0
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To work around this problem for a computer that is running Microsoft Proxy Server 2.0 Service Pack 1 (SP1), follow these steps:
<ol>
<li>Start Registry Editor. To do this, click Start, click Run, type regedit, and then click OK.</li>
<li>Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters

</li>
<li>Change the value for the Web Proxy service DNS cache size to zero. To do this, follow these steps:
<ol style="list-style-type: lower-alpha;">
<li>In the right pane, right-click DnsCacheSize, and then click Modify.</li>
<li>In the Value data box, type 0 (zero), and then click OK.</li>
</ol>
</li>
<li>Quit Registry Editor.</li>
<li>Start the Proxy management tool. To do this, click Start, point to Programs, point to Microsoft Proxy Server, and then click Microsoft Management Console.</li>
<li>Expand the node for the computer that is running Proxy Server 2.0 SP1.</li>
<li>Click Winsock proxy, and then click Stop on the Action menu.</li>
<li>When the service has stopped successfully, click Start on the Action menu.</li>
<li>Click Web Proxy, and then click Stop on the Action menu.</li>
<li>When the service has stopped successfully, click Start on the Action menu.</li>
</ol>
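
The following read-only audit is an added example, not part of the original article and not the script that the article refers to. It reports whether the registry values named in the stand-alone ISA Server 2000 and Proxy Server 2.0 procedures are set to 0. It assumes that PowerShell is available on the host; the function name Get-DnsCacheSetting is hypothetical, and enterprise array settings stored in Active Directory are not checked.

```powershell
# Added example (not Microsoft's script): read-only audit of the workaround values.
# Assumption: run in an elevated PowerShell session on the ISA Server or Proxy Server host.

function Get-DnsCacheSetting {
    param([string]$KeyPath, [string]$ValueName)
    # Value stays $null when the key or the value does not exist.
    $value = $null
    if (Test-Path -LiteralPath $KeyPath) {
        $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$ValueName]) {
            $value = $props.$ValueName
        }
    }
    New-Object PSObject -Property @{
        Key               = $KeyPath
        ValueName         = $ValueName
        Value             = $value
        # Compare as text so a DWORD 0 and a string "0" are both accepted.
        WorkaroundApplied = ($null -ne $value -and [string]$value -eq '0')
    }
}

$results = @()

# ISA Server 2000 (stand-alone): one ArrayPolicy key per array GUID under Fpc\Arrays.
$arraysRoot = 'HKLM:\SOFTWARE\Microsoft\Fpc\Arrays'
if (Test-Path -LiteralPath $arraysRoot) {
    foreach ($array in Get-ChildItem -LiteralPath $arraysRoot) {
        foreach ($service in 'WebProxy', 'Proxy-WSP') {
            $key = "Registry::$($array.Name)\ArrayPolicy\$service"
            $results += Get-DnsCacheSetting -KeyPath $key -ValueName 'msFPCDnsCacheSize'
        }
    }
}

# Proxy Server 2.0: single DnsCacheSize value under the W3Proxy service parameters.
$proxy2Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters'
if (Test-Path -LiteralPath $proxy2Key) {
    $results += Get-DnsCacheSetting -KeyPath $proxy2Key -ValueName 'DnsCacheSize'
}

$results | Format-Table Key, ValueName, Value, WorkaroundApplied -AutoSize
$results | Where-Object { -not $_.WorkaroundApplied } |
    ForEach-Object { Write-Warning "DNS cache value missing or not 0: $($_.Key)" }
```

The audit reads the registry only. It does not show whether the Web Proxy, Firewall, or Winsock proxy services were restarted after the change, which the procedures above require.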

Note A script is available to automate the steps that are described in this article. This script is designed to work on ISA Server 2000 and Proxy Server 2.0. Microsoft Internet Security and Acceleration (ISA) Server 2004 is not affected by this vulnerability, and this script is not designed to run on ISA Server 2004. To obtain this script, visit the following Web site:

http://isatools.org

To clear the ISA Server 2000 Web proxy cache, use the Clrcache.cmd tool. To obtain this tool, visit the following Web site:

http://isatools.org

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For additional information about how to clear the Web proxy cache in Proxy Server 2.0, click the following article number to view the article in the Microsoft Knowledge Base:

811086 How to clear the cache in Microsoft Proxy Server 2.0

For additional information about the product support life cycle for Proxy Server 2.0, visit the following Microsoft Web site:

http://www.microsoft.com/isaserver/evaluation/previousversions/ending.mspx

Additional query words: Firewall, security, vulnerability, hole, poison, cache,

Keywords: kbinfo kbbug kbqfe kbfirewall kbprb kbhotfixserver KB889189


© Microsoft Corporation. All rights reserved.