Microsoft Security Bulletin : MS01-52 Terminal Services Failure - Patch kills terminal services

From: Barry Dorrans (barryd@BANN.CO.UK)
Date: 10/18/01


Message-ID:  <000001c1580c$7bdc1fc0$53c287d4@puck>
Date:         Thu, 18 Oct 2001 20:38:37 +0100
From: Barry Dorrans <barryd@BANN.CO.UK>
Subject:      Microsoft Security Bulletin : MS01-52 Terminal Services Failure - Patch kills terminal services
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


----------------------------------------------------------------------
Title: Invalid RDP Data can Cause Terminal Service Failure
Date: 18 October 2001
Software: Windows NT 4.0 Server, Terminal Server Edition,
            Windows 2000 Server and Advanced Server
Impact: Denial of service
Max Risk: Moderate
Bulletin: MS01-052

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-052.asp.
----------------------------------------------------------------------

So, as I'm at home I thought I'd test the patch out.

It's a killer, I now have a very very sick SQL box, and a not so sick,
but still sick IIS server.

The SQL server box is in a continuous reboot mode, the IIS box is
stable, but not allowing Terminal services connections. On each machine
terminal services is in Remote Administration mode (i.e. one connection
only, from Administrator group members).

The SQL server Error log is filled with Event ID 1014s from the Terminal
Server service, Cannot load illegal module C:\WINNT\System32\rdpwsx.DLL.
The IIS log is missing this report.

Terminal Services is in an "uncontrollable" state from the Services
control panel applet. The applet believes the service has started, yet
the start, pause, stop and restart buttons are inactive and grey. A
reboot of the server seems to not add errors into the error log, however
the service itself is still as dead as a dodo. Time after login in
either box seems longer than normal, up to 2 minutes on the SQL server.
This may be due to SQL objecting to the numerous restarts and rolling
back transactions.

Attempted connections to either box via the terminal services client
application (both servers appear in the list), or the TSWeb application
believe that terminal services is busy.

The SQL server box does also (at seemingly random intervals) die with a
blue screen in TCPIP.SYS.

Now these boxes do have the odd strange thing on, the .Net beta 2 CLR is
on the IIS box, OLAP on SQL but neither have any of the same sets of
"weird" software, so I doubt it's interference with some dodgy
development code I've installed :)

An uninstall of the patch fixes everything on the IIS box. The SQL box
still randomly reboots or dies in TCPIP.SYS.

As you can imagine I'm a little unwilling to experiment further, having
recovered the machines to a useful, stable state again. I would strongly
suggest that before installing the patch on remote servers you test it
in your own configurations.

If anyone requires more information, please feel free to contact me
(just be mindful I'm in BST!)

(I've CC'd secure@ ms.com, although if anyone has a better address to
email, please let me know)

Barry
