MORE INFORMATION
How to Lock Down or Disable IIS If Your Computer Does Not Require It
If you do not need Microsoft Internet Information Services (IIS)
enabled on your computer, you should disable it. For additional information about how to
disable IIS, click the following article number to view the article in the
Microsoft Knowledge Base:
321141
HOW TO: Disable or Remove Unnecessary IIS Services
If you need IIS to be installed and running,
Microsoft strongly recommends that you use the IIS Lockdown tool to harden the
security settings and permit it to install URLScan. URLScan in its default
configuration will block requests that can be used to exploit this
vulnerability. You can also use the IIS Lockdown tool to disable IIS. For more
information about the IIS Lockdown tool, visit the following Microsoft Web
site:
For more information about the URLScan tool, visit the following
Microsoft Web site:
How to Disable WebDAV If You Do Not Require It
If you do not need the World Wide Web Distributed Authoring and
Versioning (WebDAV) protocol enabled on your computer, you should disable it.
For additional information about how
to disable WebDAV, click the following article number to view the article in
the Microsoft Knowledge Base:
241520
How to Disable WebDAV for IIS 5.0
You can also use the IIS Lockdown tool to disable
WebDAV. For more information about this tool, visit the following Microsoft Web
site:
How to Use the URL Buffer Size Registry Tool
Introduction to the URL Buffer Size Registry Tool 1.0
Customers who cannot deploy the IIS Lockdown or URLScan tools to
their Web servers can use the URL Buffer Size Registry tool. This tool
restricts the buffer used by IIS to receive the request that can be used to
exploit this vulnerability.
The URL Buffer Size Registry tool can be
executed on Windows 2000-based Web servers to automatically set the registry
key that restricts the buffer. The tool can be run locally on the Web server to
be protected or it can be applied remotely to multiple Web servers by a user
who has administrative access to the servers.
You can download the URL Buffer Size Registry tool from the Microsoft Download Center:
A system administrator can use this tool to remotely limit the
URL buffer size by making a change to the registry. Customers should evaluate
the maximum buffer size that is practical for their environment and then set
the value accordingly. The buffer should be set to a size less than 64
kilobytes (KB). Microsoft recommends 16 KB as a reasonable value. The URL
Buffer Size Registry tool sets the value to 16 KB.
This tool does the
following:
- Scans a range of IP addresses for computers that respond on
port 139 or 445.
- Tries to connect to the registry remotely.
- Queries to determine whether W3SVC is installed.
- Queries to determine whether or not the MaxClientRequestBuffer registry value is set and reports this value. If it is not set,
the tool sets MaxClientRequestBuffer to a default value or the user-specified value. The default value
is 16 KB.
- If the MaxClientRequestBuffer value is set, the tool restarts the IIS service.
Detailed Usage Information
Usage: SetMaxUrlLength.exe [mode] [options] target ...
Modes are defined as
- /d: detect (default mode)
- /m[=size]: modify
- /f[=size]: force
where
size, if not specified, defaults to 16384.
Available options
are:
- /i[=input file]: target not required if /i set
- /l[=log file]: default is SetMaxUrlLength_YYMMDD.log
Targets can take any of the following forms:
- a.b.c.d - IP address
- a.b.c.d-i.j.k.l - IP address range
- a.b.c.d/24 - IP address with CIDR mask
- host - hostname
- www.domain.com - fully qualified domain name
- localhost - check local computer
You may specify as many targets as you want on the command
line.
Warning: If MaxClientRequestBuffer is set, the tool restarts IIS. When you use
this tool, some requests may not function as expected. Microsoft has confirmed
that when you set the MaxClientRequestBuffer value to 16 KB, some programs may
not function correctly. To work around such problems, try increasing the
requested size to a value larger than the default setting. Alternatively, to
prevent this particular exploit vector, set a MAXURL in URLScan or disable
WebDAV. You can do this through URLScan or the IIS Lockdown tool.
The URL Buffer Size Registry Tool has Three Modes of Operation
- Detect mode: Reports whether IIS is installed and the value
set for MaxClientRequestBuffer, if it is present.
- Modify mode: Sets the registry value unless it is already
present and warns if it is set to greater than 63535. If IIS is not installed,
nothing is modified.
- Force mode: Sets the registry key with the specified value
regardless of whether the key is there or not or whether it is set to any other
value. If IIS is not installed, nothing is modified.
Warning: If MaxClientRequestBuffer is set, the tool restarts IIS.
Available options are:
- /i[=input file]: Read hosts from an input file. This file can contain a list of
hosts specified in any of the forms listed earlier in this article.
Additionally, a range can be specified as "a.b.c.d i.j.k.l". Lines beginning
with "#" or ";" are interpreted as comments. Hosts may also be specified on the
command line. If overlapping ranges are created, or duplicates inserted, the
tool resolves this by joining the ranges or ignoring duplicates.
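The target forms listed under "Detailed Usage Information" and the input-file rules above, worked as an added example (this is not Microsoft's tool or its code): a parser that accepts single addresses, both range forms, CIDR blocks and hostnames, skips "#"/";" comment lines, and joins overlapping ranges and drops duplicates. The sample input and the function names are constructed assumptions.

```python
import ipaddress
import re
# Constructed sample of the input file the /i option reads: one target per line,
# "#"/";" comment lines, both range forms, a CIDR block, overlaps and duplicates.
SAMPLE_INPUT = """\
# web farm (constructed sample)
10.0.0.1
10.0.0.1
10.0.0.0/30
; the /30 above overlaps the host listed twice
10.0.1.10-10.0.1.20
10.0.1.15 10.0.1.30
localhost
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
def parse_target(token):
    """Return ('ip', first, last) for an address, range or CIDR, else ('host', name)."""
    token = token.strip()
    m = re.fullmatch(r"(%s)(?:\s*-\s*|\s+)(%s)" % (IPV4, IPV4), token)
    if m:
        first, last = (ipaddress.IPv4Address(x) for x in m.groups())
        if int(last) < int(first):
            raise ValueError("range end precedes start: %r" % token)
        return ("ip", first, last)
    if re.fullmatch(IPV4 + r"/\d{1,2}", token):
        net = ipaddress.IPv4Network(token, strict=False)
        return ("ip", net[0], net[-1])
    if re.fullmatch(IPV4, token):
        addr = ipaddress.IPv4Address(token)
        return ("ip", addr, addr)
    return ("host", token)  # hostname, FQDN or "localhost"
def load_targets(text, extra_targets=()):
    """Parse input-file text plus command-line targets; join overlapping ranges, drop duplicates."""
    tokens = [ln.strip() for ln in text.splitlines()
              if ln.strip() and not ln.lstrip().startswith(("#", ";"))]
    tokens.extend(extra_targets)
    ranges, hosts = [], []
    for tok in tokens:
        kind, *rest = parse_target(tok)
        if kind == "ip":
            ranges.append(tuple(rest))
        elif rest[0] not in hosts:
            hosts.append(rest[0])
    merged = []
    for first, last in sorted(ranges):  # overlapping or adjacent ranges are joined
        if merged and int(first) <= int(merged[-1][1]) + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return [(str(a), str(b)) for a, b in merged], hosts
```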
- /l[=log file]: Log output to a log file. If this option is specified, very
little output continues to be printed to the console; check the log file for
detailed output. Default name for the log file is SetMaxUrlLength_YYMMDD.log.
If the user specifies a log name, the name will be [user-specified
name]_YYMMDD.log. If the file already exists, a letter will be appended to
force the new file to be unique and the previous file will not be overwritten.
If you try to use the same name more than 677 times, it cannot create a unique
name and will fail.
Logging output adheres to the following format:
If the MaxClientRequestBuffer value is changed, the tool creates two lines of
output per host. Because of the multithreaded nature of the program, these
lines may not appear next to one another. If the output is piped through
Sort.exe, this causes the two lines to be adjacent. The data may also be
imported into Microsoft Excel or another spreadsheet program and sorted in that
program.
When you use this tool, some requests may not function as expected. Microsoft
has confirmed that when you set the MaxClientRequestBuffer to 16 KB, some
programs may not function correctly. To work around this problem, try
increasing the requested size to a value larger than the default setting.
Alternatively, to prevent this particular exploit vector, set a MAXURL in
URLScan or disable WebDAV. You can do this through URLScan or the IIS Lockdown
tool.
Tool Output
The tool reports errors at each phase differently. On any error or
success, the tool continues on to the next IP address.
- The tool scans a range of IP addresses for computers that
respond on port 139 or 445. If the computer does not exist or does not respond,
no output occurs and the tool continues to the next IP address.
- The tool tries to remotely connect to the registry. If it
cannot open the registry, the output is "IP address cannot open
registry."
- The tool queries to determine whether W3SVC is installed.
If W3SVC is not installed, the output is "IP address W3SVC not
installed."
- The tool queries to determine whether or not the MaxClientRequestBuffer
registry value is set. The tool reports the value or sets
MaxClientRequestBuffer to a default or user-specified value. The default value
is 16 KB.
If the MaxClientRequestBuffer value is set, the tool restarts the IIS service
and the output is "IP address <success or failure to restart>." If a 60-second
timeout elapses while restarting, the output is "IP address W3SVC time-out
after stop."
How to Manually Change the MaxClientRequestBuffer Registry Value If You Require WebDAV
For additional information
about how to manually change the MaxClientRequestBuffer value, click the
following article number to view the article in the Microsoft Knowledge Base:
260694
Description of the MaxClientRequestBuffer Registry Value
How to Manually Create a MaxClientRequestBuffer Registry File for a Single Computer If You Require WebDAV
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
Alternatively, to quickly apply the
MaxClientRequestBuffer registry change to a single computer, create a registry file. To
do this, follow these steps:
1. Start Notepad.
2. Copy and paste the following text into the blank document:
Windows Registry Editor Version 5.00
[Hkey_Local_Machine\System\CurrentControlSet\Services\W3SVC\Parameters]
"MaxClientRequestBuffer"=dword:00004000
Note: The 00004000 DWORD value is a HEX value.
3. Save the file and give it a .reg extension.
4. Double-click the file to run it.
Note: The IIS services must be restarted for the changes to take effect.
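As an added illustration that serves both the three-mode description of the tool above and the manual .reg file steps (this is not Microsoft's SetMaxUrlLength.exe or any Microsoft code): a model of the per-host decision in detect, modify and force mode, and a generator for the single-computer .reg file with the DWORD written in hex. The registry is represented by a plain dict, and the function and constant names are assumptions.

```python
DEFAULT_SIZE = 16384   # the tool's default, 16 KB (0x4000)
WARN_ABOVE = 63535     # the modify-mode warning threshold the article gives
LIMIT = 65536          # the buffer must stay below 64 KB

def plan(mode, w3svc_installed, params, size=DEFAULT_SIZE):
    """Decide what the tool would do on one host; returns
    (new_params, restart_iis, messages) and never touches a real registry.

    mode: 'detect', 'modify' or 'force' (the /d, /m and /f switches).
    params: dict of values under W3SVC\\Parameters, or None if the remote
            registry could not be opened.
    """
    if mode not in ("detect", "modify", "force"):
        raise ValueError("unknown mode: %r" % mode)
    if params is None:
        return None, False, ["cannot open registry"]
    if not w3svc_installed:
        return params, False, ["W3SVC not installed"]
    current = params.get("MaxClientRequestBuffer")
    messages = ["MaxClientRequestBuffer not set" if current is None
                else "MaxClientRequestBuffer = %d" % current]
    if mode == "detect":
        return params, False, messages
    if mode == "modify" and current is not None:
        if current > WARN_ABOVE:
            messages.append("warning: value exceeds %d" % WARN_ABOVE)
        return params, False, messages        # existing value is left alone
    if not 0 < size < LIMIT:
        raise ValueError("size must be between 1 and %d" % (LIMIT - 1))
    new_params = dict(params, MaxClientRequestBuffer=size)
    messages.append("set MaxClientRequestBuffer = %d; restarting W3SVC" % size)
    return new_params, True, messages         # IIS is restarted after a write

def reg_file(size=DEFAULT_SIZE):
    """Text of a .reg file equivalent to the manual steps; DWORD data is hex."""
    if not 0 < size < LIMIT:
        raise ValueError("size must be between 1 and %d" % (LIMIT - 1))
    body = ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W3SVC\\Parameters]\r\n"
            '"MaxClientRequestBuffer"=dword:%08x\r\n')
    return body % size
```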
How to Deploy the MaxClientRequestBuffer Registry File Through Active Directory by Using a Group Policy Object
A Group Policy object is available that permits system
administrators to import a policy into Active Directory that will set the
MaxClientRequestBuffer registry value to 16 KB.
The following
file is available for download from the Microsoft Download
Center:
Follow these steps to import vmalhot_Fix_MAXBUFF.inf into Active
Directory:
1. In Active Directory Users and Computers, right-click the branch that you
want to configure (for example, Domain Controllers), and then click Properties.
2. On the Group Policy tab, click New to add a new Group Policy object.
3. Type MAXBUFF_Fix, and then press ENTER.
4. Click Edit.
5. Expand Windows Settings, right-click Security Settings, and then click
Import Policy.
Note: If Import Policy does not appear on the menu, close the Group Policy
window and repeat steps 4 and 5.
6. In the Import Policy From dialog box, locate the folder that you downloaded
vmalhot_Fix_MAXBUFF.inf to, and then double-click this folder.
7. Close Group Policy, and then click Close.
These steps make sure that vmalhot_Fix_MAXBUFF.inf is applied at
the selected level in Active Directory when the policy is refreshed. Type the
following command to manually refresh the policy:
secedit /refreshpolicy machine_policy /enforce