Learn How To Configure Your ISA 2004 Server To Block the Malicious URL described in MS05-005

The ISA Server 2004 HTTP Filter can be used to block the malformed URL that causes the problem described in MS05-005.

The first course of action taken to defend against this attack must be protecting and patching all affected computers.  Security bulletin MS05-005 addresses this issue and how to obtain the related updates.

The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2004 to block MS05-005 requests.

Note

By default, ISA Server 2000 is not capable of blocking this traffic without a special plug-in. For examples of these, see ISA Server 2000 Partners.

Note

It is impossible for ISA Server 2004 to protect internal clients that connect to external malicious or compromised SSL-based web services.  This is due to the fact that outbound HTTPS traffic is passed through ISA Server using SSL Tunneling, not SSL Bridging.  Details of these are contained in the ISA Server help.

In addition, this article discusses the scenarios where ISA Server can mitigate this type of request:

  • Learn How To Configure Your ISA 2004 Server To Block MS05-005 Attacks 
  • Helping to Prevent Attacks through ISA Server 2004

This article also discusses:

  • How to Make Sure That ISA Server Is Correctly Configured

Disclaimer

Microsoft makes no warranties about this information. Microsoft will not be liable for any damages arising out of or with the use or spread of this information. Use of this information is at the user's own risk.


Affected Ports

MS05-005 attacks are normally carried in a standard HTTP request and thus use port 80 as their attack vector. It is impractical to close this port, as doing so will block all Web site traffic.

| # | Port Number | IP Protocol | Known to Be Used |
|---|-------------|-------------|------------------|
| 1 | 80          | TCP         | Yes              |

HTTP Filter Signatures

Table 2 lists the signatures known to block MS05-005. This data is current as of 12:01:54, Wednesday, June 15, 2005.

| # | Signature           | Known to Be Used |
|---|---------------------|------------------|
| 1 | Request URL = “%00” | Yes              |

Helping to Prevent Attacks through ISA Server 2004

Default installations of ISA Server 2004 do not include the filter definition required to block MS05-005 requests.

To help prevent this traffic through ISA Server 2004:

  • Create a backup of your current Firewall Policies before making the recommended changes. This will allow you to revert to your previous configuration should adverse behavior occur as a result of them.
  • Create an HTTP Filter "Signatures" setting that includes the definitions as described below for each web publishing rule and each access rule that uses the HTTP protocol.

Protecting the ISA Server 2004 Computer from MS05-005

A computer that has ISA Server 2004 installed is vulnerable to MS05-005 if:

  • The System policy rules for HTTP are enabled
  • IE on the ISA itself is not configured to use the Web Proxy

Warning

Because the ISA Server itself makes use of System policies for Internet access and System policies cannot use HTTP Filters, you cannot apply the same filter settings to system rules. For this reason, it is advised that you not use the ISA Server itself for Web browsing.

How to Make Sure that ISA Server Is Correctly Configured

If you are using an "allow all" policy for outbound traffic, you only need to apply the HTTP Filter changes to your "Allow all" access rule. Otherwise, you will need to apply the HTTP Filter settings to any "Allow" Access Rule that includes the ISA Server-defined HTTP protocol.

You should only add HTTP Filter settings to rules that are:

  1. Array Rules
  2. Access Rules or Web Publishing Rules
  3. Allow Rules
  4. HTTP is included in the Protocols column

Deny rules, even those that specify All Except HTTP, cannot use HTTP Filter settings.

To block MS05-005 traffic:

Note

ISATools.org hosts a Block_MS05-005 script that will automate the following steps.  This script will create the same policy rule changes as described below and will also create a backup of your current policies before changing them.

  1. In ISA Management, expand <ISA Server name> and then select Firewall Policy.
  2. Select the first rule that meets the rules requirements.
  3. Right-click the rule and then click Configure HTTP.
  4. Select the Signatures tab and then click Add.
  5. In the Name field, enter MS05-005-1.
  6. In the Description field, enter "Blocks ‘%00.’ In HTTP Request URLs".
  7. In the Search In drop-down list, select Request URL.
  8. In the Signature field, enter %00.
  9. Click OK, click Apply, and then click OK.
  10. Repeat steps 3 through 9 for each rule that meets the rules requirements.
  11. Click Apply in the ISA Management MMC immediately above the rules list.
  12. When the Apply New Configuration dialog box displays "Changes to the configuration were successfully applied.", click OK.

Note

Verify that your existing policies still perform as they did before you added the HTTP Filter changes.
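One way to support the verification in the note above, as an added example that is not part of the original article or the ISATools.org script: scan existing proxy logs for requests whose URL contains the %00 signature, so that any legitimate traffic the filter will block is known in advance. The W3C-style log layout and field names (c-ip, r-host, cs-uri) are assumptions, and the sample log lines are constructed.

```python
import io
from collections import Counter

SIGNATURE = "%00"  # the article's MS05-005-1 signature, searched in the Request URL

# Constructed sample log: tab-separated, with a "#Fields:" header (assumed layout).
SAMPLE_LOG = (
    "#Software: constructed sample\n"
    "#Fields: c-ip\tdate\ttime\tr-host\tcs-uri\tsc-status\n"
    "10.0.0.21\t2005-06-15\t12:01:54\twww.example.com\thttp://www.example.com/index.html\t200\n"
    "10.0.0.34\t2005-06-15\t12:02:10\tfiles.example.net\thttp://files.example.net/get?name=report%00.pdf\t200\n"
    "10.0.0.34\t2005-06-15\t12:02:11\tfiles.example.net\thttp://files.example.net/get?name=notes%00.txt\t200\n"
    "10.0.0.57\t2005-06-15\t12:03:40\tintranet.example.org\thttp://intranet.example.org/search?q=100%25+cotton\t200\n"
    "10.0.0.57\t2005-06-15\t12:04:02\tintranet.example.org\thttp://intranet.example.org/app?id=abc%00\t200\n"
)


def scan(log_text, signature=SIGNATURE, url_field="cs-uri"):
    """Return (hits, per_client): rows whose URL contains the signature,
    and a count of those rows per client IP."""
    fields, hits = None, []
    for line in io.StringIO(log_text):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # Column order comes from the log itself, not from this script.
            fields = line[len("#Fields:"):].strip().split("\t")
            if url_field not in fields:
                raise ValueError("log has no %s column" % url_field)
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("data row seen before a #Fields header")
        row = dict(zip(fields, line.split("\t")))
        # Plain substring search on the URL text as logged, mirroring a
        # text signature applied to the Request URL. Assumes the log keeps
        # the URL as the client sent it (not decoded).
        if signature in row.get(url_field, ""):
            hits.append(row)
    per_client = Counter(r.get("c-ip", "-") for r in hits)
    return hits, per_client


if __name__ == "__main__":
    hits, per_client = scan(SAMPLE_LOG)
    for r in hits:
        print(r["date"], r["time"], r["c-ip"], r["r-host"], r["cs-uri"])
    print(dict(per_client))
```

Hosts that appear repeatedly from many clients are candidates for a legitimate application that will stop working once the signature is applied; isolated hits are worth a closer look on the client.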

For More Information

Review the Microsoft Security Bulletin MS05-005.