Monday, January 09, 2006

Windows security fix MS05-051 can cause you problems

I have been meaning to blog this for the last 6 weeks, but have been distracted with writing, in-law visiting, traveling, Christmas / New Years parties, deck staining, Exchange 12 betas, snowboarding, trying to squeak out an honest living, and the usual holiday dramas. (Actually, I went into hiding for Christmas this year; I hid out at Steamboat Springs.)

Anywho, I had a conversation with Mark Minasi and Steve Riley (yes, I'm name dropping, but how often does one get to talk to Mark and Steve) back in October about MS05-051. It plugs a fairly nasty little bug that can allow remote code to be executed. See KB 902400: "MS05-051: Vulnerabilities in MS DTC and COM+ could allow remote code execution" for more information on the fix.

However, this fix assumes that the default permissions still exist on the \Windows subdirectory structure, particularly the %windir%\registration folder. See KB article 909444: "Systems that have changed the default Access Control List permissions on the %windir%\registration directory may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC" (Whew! That was a mouthful!) for more information on some of the problems.

I have seen this fix cause problems on many occasions since it was released a few months ago. And most of the symptoms are not the same from one incident to another. On one Windows 2003 clustered system, the passive node would not rejoin the cluster after applying the fix. On an Exchange 2003 server, the web service would not start. In almost all of these situations, though, if you bring up the properties of My Network Places or explore the Network Connections, you will NOT see any network adapters in the list, nor will the New Connection Wizard show up.

In one situation, we simply removed the hotfix and everything went back to normal. However, the long term fix is to reapply the default permissions to the %windir%\registration folder so that it includes allowing the Everyone group "Read" permissions. (See KB 909444 for more information.)
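To check whether a server has this problem before (or after) installing MS05-051, here is an added PowerShell script that audits the ACL on %windir%\Registration for the "Everyone: Read" entry KB 909444 says must be present, and adds it when run with -Repair. It is example code written for this post, not anything from Microsoft or the KB article; the well-known SID S-1-1-0 for Everyone is standard, and the script assumes you run it in an elevated session.

```powershell
# Added example (not from the original post or KB 909444): audit %windir%\Registration
# for an Allow ACE granting the Everyone group (well-known SID S-1-1-0) Read access.
# Without -Repair the script only reports; with -Repair it adds the missing ACE.
param(
    [switch]$Repair
)

$registrationPath = Join-Path $env:windir 'Registration'
if (-not (Test-Path -LiteralPath $registrationPath)) {
    Write-Warning "Folder not found: $registrationPath"
    return
}

$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$readRights  = [System.Security.AccessControl.FileSystemRights]::Read

$acl = Get-Acl -LiteralPath $registrationPath

# Find an Allow entry for Everyone whose rights include all of the "Read" bits
# (ReadData, ReadAttributes, ReadExtendedAttributes, ReadPermissions).
$everyoneRead = $acl.Access | Where-Object {
    if ($_.AccessControlType -ne 'Allow') { return $false }
    try {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return $false   # orphaned SID that cannot be translated; not Everyone
    }
    ($sid.Value -eq $everyoneSid.Value) -and
    (($_.FileSystemRights -band $readRights) -eq $readRights)
}

if ($everyoneRead) {
    Write-Output "OK: Everyone has Read on $registrationPath"
    return
}

Write-Output "MISSING: Everyone does not have Read on $registrationPath (see KB 909444)"

if ($Repair) {
    # Add Everyone: Read, inherited by subfolders and files, matching the default layout.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyoneSid,
        $readRights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $registrationPath -AclObject $acl
    Write-Output "Added Everyone: Read to $registrationPath"
}
```

Run it without switches across the servers you manage to find the ones whose security template stripped the entry; run it with -Repair only on the ones that report MISSING. The check looks at the Read bits specifically rather than at the friendly "Everyone" name, so it still works on systems where the account name is localized.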

You may be asking yourself "Self, why is Jim seeing this problem, but I'm not". The problem has only been appearing in situations where the default NTFS file system permissions for the %windir% folder have been changed. This used to be a fairly common practice and is still performed in some large environments, especially government systems where a security template is often provided for you by someone else.

My advice to people applying custom security templates is to remove the NTFS permission changes for the Windows directories and leave them at the default.
