Re: MS02-018 and NT 4.0 Terminal Servers
From: Russ (Russ.Cooper@RC.ON.CA)Date: 04/17/02
- Previous message: Russ: "Alert: Microsoft Security Bulletin - MS02-019"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Apr 2002 08:55:18 -0400 From: Russ <Russ.Cooper@RC.ON.CA> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Ok, so Vito Amato pointed out to me that MSKB Q319733 states;
"Windows NT Server 4.0, Terminal Edition IIS is not intended for use on
Microsoft Windows NT Server 4.0, Terminal Server Edition, and is not
supported. Microsoft recommends that customers that are running IIS 4.0
on Windows NT Server 4.0, Terminal Server Edition, protect their systems
by uninstalling IIS 4.0."
When I first raised the issue of MS02-018 trashing IIS 4.0 on NT 4.0
Terminal Servers with the Microsoft Security Response Center, they told
me the same thing. But hey, I don't remember ever seeing anything that
said it was unsupported, and I do remember seeing IIS patches made
available in Terminal Server versions, so when did they stop supporting
IIS 4.0 on NT 4.0 Terminal Server??
So I did some checking, and came up with some interesting facts;
1. IIS 4.0 support for Windows NT 4.0 Terminal Server (NT-TSE) appears
to have stopped when NT 4.0 Service Pack 6 went into beta. All IIS 4.0
patches included in NT 4.0 SP6a are included in NT-TSE SP6 (from all of
the checking I've been able to do) which means that Microsoft *DID*
support IIS 4.0 on NT-TSE through NT-TSE SP6.
2. The last patch available for IIS 4.0 on NT-TSE (where NT-TSE is
referenced in the Security Bulletin and/or KB article and therefore *IS*
supported running IIS 4.0) was MS99-039 from September 1999 (2 months
prior to the release of NT 4.0 SP6, the amount of time roughly that NT
4.0 SP6 was in beta and code was frozen).
3. 21 Security Bulletins have been released since that date for IIS 4.0,
including fixes for Code Red and Nimda (some may work with NT-TSE, then
again, some may install and not work properly).
4. Based on version numbers and file size (not date), NT-TSE SP6 would
appear to include parts of MS00-006. IDQ.DLL and QUERY.DLL both have the
right version number (according to Q251170), but WEBHITS.DLL does not
(it has v5.0.1780.1 on NT-TSE SP6 instead of 5.0.1781.3).
5. Based on version numbers and file size (not date), MS01-025, which
fixed QUERY.DLL, is supposed to have the same version number that
MS00-006 had, namely 5.0.1781.3. So does that mean that QUERY.DLL wasn't
revised between MS00-006 and MS01-025 (a year apart)? Or did they forget
to increment the version number? Does the version that shipped as part
of NT-TSE SP6 prevent the problems raised in MS01-025?
According to;
http://support.microsoft.com/servicedesks/fileversion/dllinfo.asp?sd=MSD
N
(a pretty good resource since it lets you find out what version of a dll
shipped in what packages)
files with v4.2.720.1 shipped as part of NT 4.0 SP6/6a. All of the IIS
files in NT-TSE SP6 have this same build number. Furthermore, the NT-TSE
SP6 "Read About" web page states;
"Service Pack 6 (TSE SP6) for Windows NT Server 4.0, Terminal Server
Edition (Terminal Server 4.0) is based on Windows NT Service Pack 6a and
includes specific fixes for Terminal Server 4.0."
In addition, on a Microsoft page trying to convince people to upgrade
from NT 3.51 with WinFrame to NT 4.0 with Citrix MetaFrame, it states;
"Microsoft and Citrix have recognized the value of working together to
provide customers with a complete solution that provides the benefits of
the Windows NT 4.0 platform. Microsoft and Citrix jointly developed
Windows NT Server 4.0, Terminal Server Edition, which will be sold and
supported by Microsoft. Citrix will be releasing the MetaFrame system
software that extends the reach of Terminal Server."
and in Citrix' documentation on NFuse (which needs a web server to
work), Citrix states that IIS 4.0 on NT-TSE **IS A SUPPORTED
CONFIGURATION**.
So, Microsoft used to support IIS on NT-TSE until they stopped building
service packs for NT 4.0. Microsoft and Citrix jointly developed NT-TSE,
and Citrix has always supported IIS 4.0 on NT-TSE.
I'd love to see the letter any licensed NT-TSE owner got from Microsoft
stating that you should remove IIS 4.0 from your system because support
for it was cancelled. You should've received it some time in April of
2000.
I'd also like to see any explanations you received from your TAMs or MS
Sales Representatives to your questions about why MS01-026 didn't
install, or how you were supposed to eliminate Code Red/Nimda on your
NT-TSE boxes running IIS.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
- Previous message: Russ: "Alert: Microsoft Security Bulletin - MS02-019"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
