Learn How Your ISA Server Helps Block MS05-021 (X-Link2State Vulnerability) Traffic

Note

This page was first published on Wednesday, June 15, 2005.

The first course of action taken against MS05-021 must be protecting and patching all affected computers. Details of this issue can be found here.

The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2000 and 2004 to help block malicious traffic as described in MS05-021 and to protect computers on internal networks. Servers running ISA Server 2000 in cache mode cannot restrict MS05-021 traffic. Additionally, ISA Server does not apply SMTP Filtering to outbound SMTP traffic.

The first section of this article contains technical details about MS05-021:

  • Affected Traffic

This article also discusses how ISA Server can mitigate an MS05-021 attack:

  • Protecting internal networks from external attack with ISA Server
  • Helping to prevent outbound MS05-021 attacks through ISA Server
  • Protecting the ISA Server computer from MS05-021 attacks

This article also discusses:

  • How to Make Sure that ISA Server 2000 Is Correctly Configured
  • How to Make Sure that ISA Server 2004 Is Correctly Configured

Disclaimer

Microsoft makes no warranties about this information. In no event shall Microsoft be liable for any damages whatsoever arising out of or with the use or spread of this information. Any use of this information is at the user’s own risk.

Affected Traffic

Table 1 lists affected traffic known to be used by MS05-021. This data is current as of 10:40 AM Wednesday, March 30, 2005.

| # | Protocol      | Command      | Known to Be Used by MS05-021? |
|---|---------------|--------------|-------------------------------|
| 1 | SMTP (TCP:25) | X-LINK2STATE | Yes                           |

Note

Since this protocol/port is used for valid SMTP communications, blocking this protocol is not advised.

Protecting Internal Networks from External Attack with ISA Server

ISA Server 2000 in firewall or integrated modes and ISA Server 2004 in multi-network topologies will block MS05-021 traffic if the following is true:

  • The SMTP Filter is enabled and includes a definition to deny X-Link2State commands
  • (ISA 200x) SMTP services are server-published
  • (ISA 2004) the SMTP Filter is bound to the SMTP protocol

For ISA 2000 and 2004:

  • DO enable the SMTP Filter.
  • DO use server-publishing for ISA-local SMTP services if possible.

Helping to Prevent Outbound MS05-021 Attacks Through ISA Server

Because outbound SMTP traffic is not filtered by the SMTP Filter, ISA Server cannot block outbound MS05-021 traffic.

Protecting the ISA Server Computer from MS05-021 Attacks

A Windows server that has ISA Server 2000 or ISA Server 2004 installed is only vulnerable to attack by MS05-021 if the server hosts an Exchange SMTP service.

How to Make Sure that ISA Server 2000 Is Correctly Configured

To enable SMTP Filtering and X-LINK2STATE filtering for server-published SMTP servers:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>, Extensions.
  2. Select Application Filters.
  3. Right-click SMTP Filter, select Properties.
  4. Check the Enable this filter box.
  5. Select the SMTP Commands tab, click Add.
  6. Uncheck Enable an SMTP command.
  7. In the Command name field, enter X-LINK2STATE.
  8. In the Maximum Length field, enter 1.
  9. Click OK, then Apply, then OK.

How to Make Sure that ISA Server 2004 Is Correctly Configured

To enable SMTP filtering for server-published SMTP servers:

  1. In ISA Management, expand <ISA Server or Array name>, select Firewall Policy.
  2. In the middle pane, select the first SMTP server publishing rule.
  3. Under the Protocols column, right-click SMTP, select Properties.
  4. In the SMTP Properties dialog, select the Parameters tab.
  5. In the Application Filters field, select SMTP Filter.
  6. Click Apply, then OK.
  7. Repeat steps (2) through (6) for all remaining SMTP publishing rules.

To enable filtering of the X-LINK2STATE command:

  1. In ISA Management, expand <ISA Server or Array name>, Configuration, select Add-ins.
  2. In the middle pane, select Application Filters.
  3. Right-click SMTP Filter, select Properties.
  4. Check the Enable this filter box.
  5. Select the SMTP Commands tab, click Add.
  6. Uncheck Enable an SMTP command.
  7. In the Command name field, enter X-LINK2STATE.
  8. In the Maximum Length field, enter 1.
  9. Click OK, then Apply, then OK.
  10. When the Apply and Discard buttons appear, click Apply.
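
The command definition created in the steps above acts on the SMTP command verb, which is why ordinary mail on TCP 25 keeps flowing while X-LINK2STATE is refused. The following Python model is an added illustration, not ISA Server code and not from Microsoft. The rule table, the name filter_session, the reading of Maximum Length as a limit on the command line's length, and the sample session are assumptions constructed for this example.

```python
# Simplified model of per-command SMTP filtering (assumed semantics, not ISA code).
# verb -> (enabled, max_length); mirrors the entry created in the steps above.
RULES = {"X-LINK2STATE": (False, 1)}


def filter_session(client_lines, rules=RULES):
    """Return (line, verdict) pairs for the client side of one SMTP session."""
    results = []
    in_data = False
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if in_data:
            # Message content is never parsed as a command; "." ends DATA.
            if line == ".":
                in_data = False
            results.append((line, "content"))
            continue
        parts = line.strip().split(None, 1)
        verb = parts[0].upper() if parts else ""  # SMTP verbs are case-insensitive
        rule = rules.get(verb)
        if rule is not None:
            enabled, max_length = rule
            if not enabled:
                results.append((line, "deny: command disabled"))
                continue
            if len(line) > max_length:  # assumption: limit applies to the whole line
                results.append((line, "deny: too long"))
                continue
        results.append((line, "allow"))
        if verb == "DATA":  # assumes the server accepts DATA (354 reply)
            in_data = True
    return results


# Constructed sample session; the X-LINK2STATE argument is a placeholder.
SAMPLE = [
    "EHLO mail.example.test\r\n",
    "x-link2state <constructed-argument>\r\n",
    "MAIL FROM:<a@example.test>\r\n",
    "RCPT TO:<b@example.test>\r\n",
    "DATA\r\n",
    "Subject: notes on X-LINK2STATE\r\n",
    "\r\n",
    "X-LINK2STATE mentioned in the body\r\n",
    ".\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for line, verdict in filter_session(SAMPLE):
        print(f"{verdict:24} {line}")
```

Only the lower-case command line is denied. The two lines that mention X-LINK2STATE inside the message are classed as content, and every standard command is allowed.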

For More Information