Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-028)
What's this bulletin about?
Microsoft Security Bulletin MS99-028 announces the availability of a patch that eliminates a vulnerability affecting Microsoft® Windows NT Server 4.0, Terminal Server Edition. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker could use it to consume all the memory on a Windows NT Terminal Server. This would have two chief effects: it would prevent new legitimate connections from being made, and it would hinder the ability of already-connected users to do useful work on the server. The attack could be mounted remotely if the target's firewall allows Terminal Server connection requests to pass through.
In some cases, such an attack could cause the Terminal Server to crash. In other cases, processing returns to normal once the attack stops. There is no capability via this vulnerability to usurp administrative control of the server or to destroy data on it, although any work in progress would be lost if the server crashed.
The vulnerability affects only Terminal Servers. There is no corresponding vulnerability in Windows NT Workstation or in non-Terminal Server editions of Windows NT Server.
What is the vulnerability?
The vulnerability has to do with the way that Windows NT 4.0 Server, Terminal Server Edition, processes requests for new terminal connections. When a request is received to add a new session, the Terminal Server starts work immediately, even before authenticating that the requester is a legitimate user. The process of creating a new session is fairly resource-intensive, and Terminal Server does not limit how much of the system's resources it will devote to setting up new sessions.
If an attacker flooded the server with bogus requests to open a large number of terminal server sessions, the server would devote more and more resources to servicing the requests. The attacker would not need a powerful machine or a high-speed network connection to mount such an attack, because of the disproportionate nature of the request and response - constructing a new connection request takes almost no resources, whereas responding to the request takes significant resources.
What does the patch do?
The patch changes the order in which processing occurs. It causes the Terminal Server to authenticate the requester and ensure that it originated from a legitimate user before spending any significant processing time on the request.
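The following model of the two processing orders is an added illustration, not code from Microsoft or from the bulletin; the memory budget, per-session cost, credentials and addresses are constructed values. It shows why setting up the session before authenticating lets a batch of bogus requests exhaust memory and crowd out a legitimate user, while authenticating first refuses them at almost no cost.

```python
from dataclasses import dataclass, field

MEMORY_BUDGET = 64   # constructed: memory units available for session setup
SESSION_COST = 4     # constructed: units one session consumes during setup

@dataclass
class Request:
    source: str
    credential: str  # constructed: credential sent with the connection request

@dataclass
class TerminalServer:
    valid_credentials: frozenset
    authenticate_first: bool  # False: unpatched ordering, True: patched ordering
    memory_in_use: int = 0
    peak_memory: int = 0
    admitted: list = field(default_factory=list)

    def _allocate(self) -> bool:
        # Session setup is the expensive step: it reserves memory up front.
        if self.memory_in_use + SESSION_COST > MEMORY_BUDGET:
            return False
        self.memory_in_use += SESSION_COST
        self.peak_memory = max(self.peak_memory, self.memory_in_use)
        return True

    def handle_window(self, requests):
        """Process a batch of requests that arrive within one window, so the
        server is setting up sessions for all of them at the same time."""
        in_progress = []
        for req in requests:
            if self.authenticate_first and req.credential not in self.valid_credentials:
                continue  # patched: cheap check rejects the request before any setup
            if self._allocate():
                in_progress.append(req)
        # Setup finishes; the unpatched server only authenticates at this point.
        for req in in_progress:
            if req.credential in self.valid_credentials:
                self.admitted.append(req.source)
            else:
                self.memory_in_use -= SESSION_COST  # bogus half-built session torn down

def simulate(authenticate_first: bool):
    """Constructed scenario: 20 bogus requests and one legitimate user in one window."""
    server = TerminalServer(frozenset({"alice-secret"}), authenticate_first)
    flood = [Request(f"10.0.0.{i}", "bogus") for i in range(20)]
    legit = Request("192.168.1.50", "alice-secret")
    server.handle_window(flood + [legit])
    return server.peak_memory, server.admitted
```

With the unpatched ordering the whole budget is consumed by half-built sessions and the legitimate user is turned away; with the patched ordering peak memory is a single session's worth and the legitimate user is admitted.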
Could someone attack my network from the Internet via this vulnerability?
Yes, unless your firewall filters Terminal Server connection requests. (By default, these are made via TCP port 3389.) Of course, the attacker would need to know some of the internal details of your network in order to carry out such an attack. For example, the attacker would need to know the IP address of the Terminal Server that they want to target.
What lasting damage would such an attack cause?
An attacker could not cause lasting damage via this attack. There's no capability to change, add or delete data via this vulnerability, nor could an attacker usurp any administrative control. They would be able to prevent other users from doing useful work only as long as they continued the attack.
What would a system administrator need to do to stop an attack in progress?
An external attack could be stopped by filtering connection requests at the firewall. Stopping an internal attack would require that the administrator determine the source of the attack and disconnect the attacker. However, keep in mind that an attacker might be able to spoof the source address of the requests.
What should customers do?
Microsoft recommends that customers assess the risk that this vulnerability poses to their safe computing and determine whether or not to apply the patch. The download location for the patch is provided in the security bulletin.
Customers may also wish to consider other security best practices such as:
- Deploying a high-quality intrusion detection software package that will detect and stop attacks that exploit known security vulnerabilities such as this one.
- Deploying a firewall and filtering unnecessary traffic. For example, system administrators may wish to filter TCP port 3389, and only allow traffic on that port from IP addresses that are known to have a legitimate need to set up Terminal Server sessions.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
- Microsoft will provide technical details about the vulnerability to the International Computer Security Association's Intrusion Detection Consortium, to ensure that security vendors can incorporate this information into their products.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
