ISA Server Product Team Blog : Blocking VML with ISA 2004 & ISA 2006

The VML issue is still a hot topic in internal discussion. If you’re an ISA Server admin, please take a look at the following information to help mitigate the risk:

http://www.microsoft.com/technet/security/advisory/925568.mspx discusses a vulnerability in the VML parsing dll which can result in an unpleasant experience.

http://www.microsoft.com/technet/isa/2006/how-to-block-vml.mspx discusses a methodology by which you can use ISA 2004 or ISA 2006 to block HTTP-based attacks targeted against this vulnerability.

Finally, http://isatools.org/block_vml.vbs automates the process of creating the proper HTTP Filter settings for you.

Tim’s report was accurate (see my comments). I’ve updated the script to version 1.2 and reposted it. Many thanx to Tim for his discovery.

Thank you,

Jim Harrison (ISA Sustained Engineering)


KB Highlight: WMICore update for Windows 2000 SP4

If you like to live on the cutting edge of the previous version of Windows, there’s a problem that seems to creep up that I’ve seen in a couple of environments before.

VBScript not working in a hanging-kind-of-way (possibly including ASP, definitely logon scripts, and typically just about any general scripty bits) is usually a dead giveaway that you’re running into this problem:

A deadlock occurs when a program that uses WMI calls the LoadLibrary() or the FreeLibrary() function in Windows 2000
http://support.microsoft.com/?id=834010

Assume that a Microsoft ASP.NET program or a program that uses a Windows Management Instrumentation (WMI) provider makes direct or indirect calls to the LoadLibrary function or to the FreeLibrary function to load a DLL. Then, the DLL calls the RegisterTraceGuids or the UnRegisterTraceGuids function in the DllMain export function. In this scenario, a deadlock may occur in the ASP.NET program or in the program that uses a WMI provider.

For example, Microsoft Internet Explorer, Control Panel, and the Add/Remove Programs tool may stop responding (hang) after you install Microsoft Windows 2000 Service Pack 3 (SP3) or Service Pack 4 (SP4). When you stop the Remote Registry service, this permits the programs that have stopped responding to resume. This issue may occur in environments where a remote performance monitoring solution, such as PerfMan or SiteScope, is installed.

Also, when this issue occurs, Microsoft Visual Basic scripts may not run correctly, and you receive no error message. Additionally, the Task Scheduler tool may not run.

If you’ve just made some sort of monitoring change (or just implemented some monitoring or management software) and now logon scripts, ASP, ASP.NET or similar aren’t working quite right any more, I’d suggest trying this on an expendable test machine first. It can save you time.

On the subject – the hotfix article itself is a “call PSS” distribution fix, but a quick search of the KB reveals that there’s a publicly downloadable version of that wmicore.dll update included in the Update Rollup for Windows 2000 Service Pack 4-based Server Clusters (885912).

If it fixes the problem, yay! If not, it’s not your problem, so keep troubleshooting.

Useful Utilities for SendTo #1871615

Yeah, I know, it’s been a while. Sorry. Busy.

Anyway, the topic du jour: getting command line utilities to run from SendTo. Yes, I take all credit for inventing this method. Naturally, after writing this, I checked out “sdelete sendto” and someone else had done a batch file that can handle multiple files at once (this just does a file or folder and all subdirectories), but I still take all credit for it.

Setting up Secure Delete for quick and easy multi-pass local file deletion.

  1. Grab Sdelete from SysInternals.com:

    http://www.sysinternals.com/Utilities/SDelete.html

  2. Extract the EXE file somewhere. Remember where. (arguably a subtle, but important step)
  3. Navigate to your %userprofile%\SendTo folder (Start, Run, %userprofile%\SendTo )
  4. Create a new shortcut to the Sdelete executable. (Right-click, new, shortcut)
  5. Modify the shortcut’s Target line to include -p 7 -s (use 7 deletion passes (increment or decrement according to level of paranoia), and delete subdirectories too)

  6. As the robots say: Voila, human! You now have a secure deletion utility only a right-click away!
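Steps 3 to 5 can also be scripted. The PowerShell below is an added example, not part of the original post: it creates the same shortcut with the `-p 7 -s` arguments, pins the target to an absolute path, and warns if the executable's Authenticode signature does not validate. The install path `C:\Tools\SDelete\sdelete.exe` and the shortcut name `Secure Delete.lnk` are assumptions; change them to match step 2.

```powershell
# Added example: create the SendTo shortcut for SDelete described in steps 3-5.
# Assumptions: $SDeletePath (where you extracted the EXE) and the shortcut name.
param(
    [string]$SDeletePath = 'C:\Tools\SDelete\sdelete.exe',
    [int]$Passes = 7
)

$ErrorActionPreference = 'Stop'

if ($Passes -lt 1) { throw 'Passes must be at least 1.' }
if (-not (Test-Path -LiteralPath $SDeletePath -PathType Leaf)) {
    throw "sdelete.exe not found at $SDeletePath"
}

# Use the fully resolved path so the shortcut can never pick up a different
# sdelete.exe from the current directory or PATH.
$target = (Resolve-Path -LiteralPath $SDeletePath).Path

# A destructive tool is worth one integrity check before wiring it into Explorer.
$sig = Get-AuthenticodeSignature -FilePath $target
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status for $target is '$($sig.Status)'; verify the download before using it."
}

# Ask Windows for the SendTo folder instead of assuming %userprofile%\SendTo;
# later Windows versions keep it under %APPDATA%\Microsoft\Windows\SendTo.
$sendTo  = [Environment]::GetFolderPath('SendTo')
$lnkPath = Join-Path $sendTo 'Secure Delete.lnk'

$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath  = $target
$lnk.Arguments   = "-p $Passes -s"   # Explorer appends the selected path after these
$lnk.Description = "SDelete: $Passes passes, recurse into subdirectories"
$lnk.Save()

# Read the shortcut back from disk to confirm what will actually be executed.
$check = $shell.CreateShortcut($lnkPath)
'{0} -> "{1}" {2}' -f $lnkPath, $check.TargetPath, $check.Arguments
```

The shortcut deletes whatever is sent to it, recursively and without going through the Recycle Bin, so test it on a scratch folder first.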

Also in my SendTo: Notepad and a Foldershare folder. At home, a strain of Unrar too.