Microsoft Security Advisory (911052)

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

• To help protect against anonymous network-based connection attempts to exploit this vulnerability, configure the RestrictAnonymous registry setting to a more restrictive setting:

  By default on Windows 2000, the RestrictAnonymous entry is set to a value of 0, which does not restrict Anonymous users. By setting the registry entry to a value of 2, Anonymous users will have no access without explicit anonymous permissions. For more information about how to use the RestrictAnonymous registry entry in Windows 2000, see Microsoft Knowledge Base Article 246261.

  Impact of Workaround: When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to those resources which grant permissions to the Everyone group. This could cause undesired behavior because many Windows 2000 services, as well as third-party programs, rely on anonymous access capabilities to perform legitimate tasks.

• Block the following at the firewall:
  • UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
  • All unsolicited inbound traffic on ports greater than 1024
  • Any other specifically configured RPC port
  • If installed, COM Internet Services (CIS) or RPC over HTTP, which listen on ports 80 and 443

  These ports are used to initiate a connection with RPC. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about the ports that RPC uses, visit the following Web site. For more information about how to disable CIS, see Microsoft Knowledge Base Article 825819.

• To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP Service Pack 1.

  By default, the Internet Connection Firewall feature in Windows XP Service Pack 1 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet.

  To configure Internet Connection Firewall manually for a connection, follow these steps:

  1. Click Start, and then click Control Panel.
  2. In the default Category View, click Networking and Internet Connections, and then click Network Connections.
  3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
  4. Click the Advanced tab.
  5. Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.

  Note If you want to enable certain programs and services to communicate through the firewall, click Settings on the Advanced tab, and then select the programs, the protocols, and the services that are required.

• To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.

  You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.

• To help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPsec on the affected systems.

  Use Internet Protocol security (IPsec) to help protect network communications. Detailed information about IPsec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.

• Customers in the U.S. and Canada who believe they may have been affected by this possible vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses." International customers can receive support by using any of the methods that are listed at Security Help and Support for Home Users Web site.
  
  All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.
  
• Protect Your PC

  We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps by visiting Protect Your PC Web site.

• For more information about staying safe on the Internet, customers can visit theMicrosoft Security Home Page.
• Keep Your System Updated

  All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.