Computer Security
[EN] securityvulns.ru no-pyccku


Related information

  Multiple ISA server bugs

From:MICROSOFT <secure_(at)_microsoft.com>
Date:11.06.2004
Subject:ISA Server 2000 Service Pack 2 Release Notes

 ISA Server 2000 Service Pack 2 Release Notes
 
 SUMMARY
 Microsoft Internet Security and Acceleration (ISA) Server 2000 Service Pack 2 (SP2) includes all the hotfixes and security bulletins that are released for ISA Server 2000, including all the hotfixes and security bulletins that were released as part of ISA Server Service Pack 1 (SP1). ISA Server 2000 SP2 also includes several additional fixes that are available only as part of ISA Server SP2.
 
 For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
 313139 How to obtain the latest Internet Security and Acceleration Server 2000 service pack
 
 MORE INFORMATION
 Installing ISA Server 2000 SP2
 
 Microsoft recommends that you install ISA Server SP2 on every ISA Server computer that you deploy in your organization, including on computers that are running only ISA Management or the Message Screener.
 
 Before you install ISA Server SP2 on a computer, make sure the computer is disconnected from the Internet. The computer must remain disconnected from the Internet until the ISA Server SP2 installation is completed successfully. After installation, the computer can be safely connected to the Internet.
 
 To install ISA Server SP2 on ISA Server 2000 Enterprise Edition, you must be logged on with an account that has domain administrator credentials.
 
 To install ISA Server SP2, follow these steps:
 Download the ISA Server SP2 self-extracting file from the Web. Use the file that matches the appropriate language, as described in the following table:Language File Name
 English ISASP2-ENU.exe
 French ISASP2-FRA.exe
 German ISASP2-DEU.exe
 Japanese ISASP2-JPN.exe
 Spanish ISASP2-ESN.exe
 
 Review the ISA Server SP2 Release Notes.
 To start the installation, run the ISA Server SP2 executable file.
 On the Welcome screen, click Next.
 In the ISA Server SP2 End-User License Agreement, click I Agree to accept the licensing terms and to run the installation. Click Next.
 ISA Server will inform you if it must restart any running services. Click Continue.
 Note
 ISA Server SP2 features a new installation tool. For more information about the installation tool, visit the following Microsoft Web site:
 http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deployment/winupdte.mspx
 
 The installation process updates relevant files and saves the original files in a folder that is named $ISA2000UninstallServicePack2$. This folder is located in the Microsoft Windows folder.
 You cannot install ISA Server SP2 on the evaluation version of ISA Server.
 You must reinstall ISA Server SP2 after you do any one of the following tasks:
 Add or remove ISA Server components.
 Install ISA Server Feature Pack 1.
 Change the ISA Server installation mode.
 When you install ISA Server SP2 on a computer that is running Microsoft Windows Server 2003, and you have not previously installed ISA Server SP1, you must manually restart the ISA Server services after you install ISA Server SP2.
 If you quit the ISA Server SP2 installation, you must restart the computer before you start another ISA Server SP2 installation.
 You must remove ISA Server updates in the reverse order that they were installed in. Otherwise, the removal process will fail.
 When you install ISA Server SP2 on a computer that is running Microsoft Windows 2000 Server, you must first install Windows 2000 Server Service Pack 4 (SP4).
 Removing ISA Server SP2
 
 To remove ISA Server SP2, follow these steps:
 In Control Panel, double-click Add/Remove Programs.
 Click Microsoft ISA Server 2000 Service Pack 2 (KB 816460), and then click Change/Remove.
 Click Next.
 Note
 If you remove ISA Server SP2 from a computer that is running Windows Server 2003, make sure to install ISA Server SP1 and ISA Server hotfix 255. Hotfix 255 is described in the following Microsoft Knowledge Base (KB) article:
 331062 Running ISA Server on Windows Server 2003
 
 The 2r.htm and Pathmappingeditor.hta files are not deleted when you remove ISA Server SP2.
 When you remove ISA Server SP2, a warning message indicates that some applications may not work correctly after you remove ISA Server SP2. Ignore this message.
 Upgrading Firewall Client for ISA Server SP2
 
 ISA Server SP2 enhances the stability of the Firewall Client software. Microsoft recommends that Firewall Client computers be updated with the ISA Server SP2 client hotfixes.
 
 The Firewall Client Setup program must be run directly from the mspclnt share. If you install the Firewall Client from any other location, the hotfixes that are included in ISA Server SP2 for the Firewall Client will not be installed. (This behavior also occurs if you install Firewall Client by using Add or Remove Programs in Control Panel.)
 
 To upgrade Firewall Client with the ISA Server SP2 hotfixes, follow these steps:
 Install ISA Server SP2 on the ISA Server computer.
 On the client computer, run the Setup.exe program from the client share folder, and then click Repair. The client share folder is \\ISA_Server\mspclnt\setup.exe, where ISA_Server is the server name of the ISA Server.
 Running ISA Server 2000 on Windows Server 2003
 
 The following issues apply when you run ISA Server 2000 on Windows Server 2003:
 
 ISA Server can be installed on computers that are running Windows Server 2003. However, the packet filter extension driver (Mspfltex.sys) in the release version of ISA Server is incompatible with computers that are running Windows Server 2003. The driver does not load when you install ISA Server on a Windows Server 2003-based computer. Because ISA Server SP1 includes a compatibility fix for the driver, you may ignore all error messages that are related to this issue and that are displayed during ISA Server installation. After ISA Server installation, some services will not start. ISA Server SP1 or ISA Server SP2 solves the issue with this driver.
 You must install ISA Server SP1 or ISA Server SP2 before you upgrade an ISA Server computer that is running Windows 2000 Server or Windows 2000 Advanced Server to Windows Server 2003.
 ISA Server 120-Day Evaluation is supported only on Windows 2000 Advanced Server. ISA Server 120-Day Evaluation must be removed from any computer that is running Windows 2000 Server or Windows 2000 Advanced Server before you upgrade to Windows Server 2003.
 If you plan to run ISA Server on computers that are running Windows Server 2003, make sure that the Internet Connection Firewall (ICF) is disabled when you install ISA Server. The Firewall service cannot start if ICF is enabled. If this condition occurs, the Firewall service will generate an event that indicates that the Firewall service will not start if the ICF is enabled. Follow the instructions in the event log to start the Firewall service.
 Performance alerts in the ISA Server Performance Monitor snap-in must run under an account that is a member of the Administrators group. By default, Windows Server 2003 performance alerts are configured to run under the Network Service account. The Network Service account lacks sufficient credentials. To resolve this issue, follow these steps:
 Run the ISA Server Performance Monitor.
 Expand Performance Logs and Alerts, and then click Alerts.
 In the right pane, right-click an alert, and then click Properties.
 In the Properties dialog box, click the General tab.
 In the Run As text box, type the user name of an account that belongs to the Administrators group on the computer, and then click the Set Password button.
 In the Set Password dialog box, type the password, and then click OK.
 In the Properties dialog box, click OK.
 Note
 ISA Server SP2 includes the updates that are mentioned on the following Microsoft Web site:
 http://www.microsoft.com/downloads/details.aspx?FamilyID=77d89f87-5205-4779-b1ab-fc338283b2d9&DisplayLang=en
 
 If you install ISA Server SP2, you do not have to install ISA Server hotfix 255. Hotfix 255 is described in the following Microsoft Knowledge Base (KB) article:
 331062 Running ISA Server on Windows Server 2003
 
 Configuring H.323 application filter settings
 
 For security reasons, ISA Server SP2 configures the H.323 application filter to stop listening for incoming and outgoing calls. Therefore, ISA Server SP2 minimizes the risk of introducing potential vulnerabilities, such as those described in the following Microsoft Security Bulletin:
 Microsoft Security Bulletin MS04-001
 
 The updates that are described in the bulletin are included in ISA Server SP2.
 
 To configure the H.323 application filter settings after you install ISA Server SP2, follow these steps:
 In ISA Management, click Internet Security and Acceleration Server, click Servers and Arrays, click the name of the applicable array, click Extensions, and then click Application Filters.
 In the details pane, right-click H.323 Filter, and then click Properties.
 On the Call Control tab, click to select one or both of the following options:
 Allow incoming calls
 Allow outgoing calls
 ISA Server SP2 hotfixes
 
 ISA Server SP2 includes all ISA Server SP1 hotfixes and also hotfixes that were released after the release of ISA Server SP1. Hotfixes that are included in ISA Server SP1 are listed in ISA Server SP1 Release Notes
 
 The following table lists the Microsoft Knowledge Base (KB) articles that are associated with some of the hotfixes that are included in ISA Server SP2:
 
 284831 The ISA Server Control service may report Event 14158 after you have installed ISA Server
 
 313318 Cannot relay mail through ISA Server if authentication is required
 
 317122 Web proxy sends TCP reset instead of only closing session
 
 317822 Problems with Web browser if ISA Server 2000 is chained to an upstream Web proxy server
 
 318005 ISA Firewall service cannot start with more than 85 IP addresses on the external network adapter
 
 318319 Access violations occur in the Web proxy service if an impersonation failure occurs
 
 319374 Web Proxy service stops responding
 
 319375 The CERT_CONTEXT structure variable is not available for Web filters in ISA
 
 319376 How to automatically authenticate a user against all trusted domains in ISA
 
 319380 ISA Server 2000 Feature Pack 1 overview
 
 319381 Server-side playlists do not work with ISA Server
 
 321844 ISA Server may cause non-paged pool memory peaks
 
 321846 Incorrect canonicalization in Rules engine
 
 323889 Unchecked buffer in Gopher protocol handler can run code of attacker's choice
 
 324642 Macintosh clients who use MAPI cannot connect to Exchange 2000 with ISA Server
 
 331062 Running ISA Server on Windows Server 2003
 
 331064 ISA reports may span unexpected date range or show incomplete data
 
 331065 MS03-009: A problem in the ISA Server DNS intrusion detection filter may cause denial of service
 
 331066 MS03-012: Flaw in Winsock Proxy service can cause denial of service
 
 331067 ISA reports may contain negative numbers in the 'All Others' row
 
 331068 ISA Firewall causes handle leak in LSASS
 
 331069 Hotfix to permit URL path redirection in Web publishing rules
 
 331070 Authentication does not succeed when the user name contains a space
 
 331073 Description of the standard terminology that is used to describe Microsoft software updates
 
 810493 Update rollup for ISA Server services
 
 810559 Slow responses and failures when you use server publishing UDP protocols
 
 810561 RemoveAllProxyAuthorization not applied to SSL tunneling (CONNECT) requests
 
 813864 Site and content rules do not filter based on file name extensions
 
 813865 Multiple registered Web filters in Active Directory are handled incorrectly
 
 815051 The Firewall Client does not support the ConnectEx and WSARecvMsg APIs
 
 816454 Proxy service logs an Event ID 14146 message after link translation rules are enabled
 
 816456 MS03-028: Flaw in ISA Server error pages could allow cross-site scripting attack
 
 816457 Description of ISA Server changes that are included in Small Business Server 2003 Premium Edition
 
 816458 MS04-001: A vulnerability in an Internet Security and Acceleration Server 2000 H.323 filter could allow remote code execution
 
 816459 ISA Server 2000 hotfix for invalid FTP PORT command
 
 816621 Message Screener causes handle leak in Lsass.exe
 
 816828 "Permission Denied" error message when you use rlogin to log on to a server on the Internet
 
 817829 Passive mode FTP may break with multiple IP addresses on external interface
 
 818136 Web Proxy service may crash when it processes a redirect action
 
 818621 No links to navigate up through directory levels in FTP sites when accessed through Internet Explorer
 
 818821 ISA Firewall service stops responding on DNS resolution
 
 819962 "414 Request-URI Too Large" error message from ISA Server
 
 821098 Content cache issues on downstream ISA Server computer
 
 821724 Basic credentials may be sent over an External HTTP connection when SSL is required
 
 821935 ISA Server Web Proxy service stops responding when the CacheConnectSize registry value is set to 0
 
 822241 ISA Server Web Proxy service maintains a connection after a client session is closed
 
 822970 Cannot read ISA Server performance data by using an SNMP program
 
 823261 Web Proxy Service returns "The User Name Was Not Allowed" error message after the FTP Server returns the "User Logged In" message
 
 823359 ISA Server Web Proxy does not append the domain name suffix to the credentials that are passed to an FTP server
 
 823646 ISA Server forces CERN FTP connections to the Root directory
 
 824246 Response that contains the cache-control: s-maxage=0 header does not expire immediately
 
 828044 ISA Server intermittently stops responding to Web Proxy client requests
 
 829892 You cannot connect to external FTP Sites by using a WRQ reflection FTP client through ISA Server 2000
 
 829893 RSA SecurID cookie expires frequently, and clients are repeatedly prompted to authenticate
 
 830295 SSL bridging request fails with HTTP/1.1 500 (Operation would block. ...)
 
 831140 Web content does not appear, or clients receive an "HTTP 502 Proxy Error" message when they try to access external Web sites with ISA Server 2000
 
 831531 Outbound PPTP connections may disconnect after 60 seconds if the ISA Firewall Service is running
 
 832168 SecurID does not redirect to the requested page after successful logon
 
 833009 ICMP traffic is not blocked during startup period with ISA Server
 
 839019 White spaces in URL are not correctly encoded or decoded when you log on
 
 

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod