Windows NT C2 Security Hotfix Tightens Object Access

If you run a C2-secure facility, you need to download security hotfix q244599i.exe from the Microsoft download center or the Microsoft FTP server. This post-Service Pack 6 (SP6) C2 hotfix tightens access to Windows NT objects in compliance with the following C2 security requirements:

TCP and UDP ports. C2 security requirements mandate that an unprivileged user-mode application may not listen to TCP ports that NT services use, regardless of the cryptographic protection you apply to the NT service traffic using these ports. The ports in question are TCP port 137 and UDP ports 138 and 139. In SP6a and earlier, unprivileged applications can access these ports via calls to the ZwCreateFile API function in netbt.sys. The post-SP6a C2 hotfix lets you change netbt.sys behavior so that netbt.sys won’t allow file-share access to these ports. See Microsoft Support Online article Q241041 for the Registry path and data values you can use to disable unprivileged access to these TCP and UDP ports.

Jet500.dll objects. WINS and DHCP rely on the Jet500 database engine to manage their respective databases. Jet500 creates several objects (including events, semaphores, and mutexes) that manage synchronization among multiple instances of itself, and these objects by default have no access controls. The C2 hotfix restricts access to the Jet500 objects to members of the Administrators group. You can read about the affected objects in Microsoft Support Online article Q243404.

Device driver objects. When a driver opens a device and the driver passes a filename length of zero or the path contains a trailing backslash, several native drivers bypass standard security controls in the open call. According to Microsoft Support Online article Q243405, the C2 hotfix installs new versions of seven NT drivers that follow the secure open procedure: beep.sys, floppy.sys, netdetect.sys, paraport.sys, null.sys, tcpip.sys, and scsiport.sys.

RRAS Doesn't Work with SP6
If you’re running RRAS, don’t install SP6. If you do, you won’t be able to save RRAS configuration data, and you’ll see the following error message when you attempt to save the settings:

An error occurred while backing up the configuration. The filename, directory name, or volume label syntax is incorrect…

If you’ve already applied SP6, Microsoft Support Online article Q245699 recommends that you revert to the previous service pack and reapply all relevant hotfixes. Although the article doesn’t mention it specifically, I assume SP6a will cause the same problem. I hope I get this note out in time to save our RRAS users!

IIS 4.0 Hotfix Closes Two Security Holes
The latest Internet Information Server (IIS) 4.0 Iprftp hotfix corrects two significant security problems in IIS. First, the hotfix cleans up after a previously released IIS 4.0 bug fix (see Microsoft Support Online article Q237987) that theoretically corrected a problem with downloading files from an IIS virtual FTP site. This bug fix introduced a new, more serious security hole that lets anyone view or download files from a virtual IIS 4.0 FTP site, regardless of the NTFS file and directory permissions on the FTP directory. Microsoft Support Online article Q241407 indicates that you must install the new Iprftp hotfix if the last four digits of the version number in module ftpsvc2.dll are between 0719 and 0722. To check the version number, open Windows NT Explorer, locate the file %systemroot%\system32\inetsrv\ftpsvc2.dll, and right-click the filename. If the number is 4.02.0724, you don’t need to take corrective action.

Second, if you use domain-name and IP-address filtering to deny clients, a client with an IP address that IIS can’t resolve can still connect and request content over the connection for the duration of the session. If the client makes a request over a different connection, IIS will deny the request and send the client a 403 error stating that the IP address is not allowed. Microsoft Support Online article Q241562 documents this security vulnerability. You can download the hotfix from the Microsoft FTP site.
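The ftpsvc2.dll version check described above can also be run against a copy of the file, for example from a backup or disk image. The following is an added example, not code from the article or from Microsoft: it scans the file bytes for the VS_FIXEDFILEINFO version record and applies the article's ranges. It assumes the "last four digits" shown in Explorer correspond to the build field of that record; the function names and the sample image are constructed for illustration.

```python
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD      # dwSignature of VS_FIXEDFILEINFO
VS_FFI_STRUCVERSION = 0x00010000   # dwStrucVersion, used as a sanity check

def fixed_file_version(data: bytes):
    """Return (major, minor, build, revision) from the first VS_FIXEDFILEINFO
    found in the bytes, or None. This is a signature scan, not a full walk of
    the PE resource directory."""
    sig = struct.pack("<I", VS_FFI_SIGNATURE)
    pos = data.find(sig)
    while pos != -1:
        if pos + 16 <= len(data):
            _, struc_ver, ms, ls = struct.unpack_from("<IIII", data, pos)
            if struc_ver == VS_FFI_STRUCVERSION:
                # dwFileVersionMS = major.minor, dwFileVersionLS = build.revision
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(sig, pos + 1)
    return None

def triage_ftpsvc2(version):
    """Apply the ranges quoted from Q241407 in the article."""
    if version is None:
        return "no-version-info"
    major, minor, build, _ = version
    if (major, minor) != (4, 2):
        return "not-covered"       # the article only discusses 4.02.x
    if 719 <= build <= 722:
        return "install-hotfix"
    if build == 724:
        return "no-action"
    return "not-covered"           # e.g. 0723: the article gives no guidance

def sample_image(build: int) -> bytes:
    """Constructed stand-in for ftpsvc2.dll: header padding plus one record."""
    ffi = struct.pack("<IIII", VS_FFI_SIGNATURE, VS_FFI_STRUCVERSION,
                      (4 << 16) | 2, (build << 16) | 1)
    return b"MZ" + b"\x00" * 62 + ffi + b"\x00" * 36

if __name__ == "__main__":
    for build in (719, 722, 723, 724):
        ver = fixed_file_version(sample_image(build))
        print(ver, triage_ftpsvc2(ver))
```

To check a real copy, pass the result of `open(path, "rb").read()` to `fixed_file_version`; a "not-covered" result means the version falls outside what the article describes and needs a manual look at Q241407.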

Print Spooler Access Violation Hotfix
When the print spooler encounters a print job with a name longer than 200 bytes, the print spooler generates an access violation and the printer hangs intermittently. If the printer also has a hardware problem, the spooler might not display an error message, so you’ll have a hung printer without any information about the cause. Microsoft documents this hotfix in Microsoft Support Online article Q243649. The good news is you can download the hotfix from Microsoft.

Cluster Disk Dismount Bug Fix
When you take a cluster disk offline or attempt to move a cluster disk with raw partitions to another node, you won’t be able to properly dismount the disk. You’ll see the following error message:

System Process - Lost Delayed-Write Data
The system was attempting to transfer file data from buffers to \Device\Harddisk#\Partition#\. The write operation failed, and only some of the data may have been written to the file

If you experience this problem at your site, you must call Microsoft Support and demonstrate the symptom before you can get the new version of clusdisk.sys, which correctly dismounts a volume with raw partitions. Microsoft Support Online article Q247065 states that this bug fix applies to SP6 and SP6a and will be included in SP7.
