Blaster update

[LindaR]

If I've downloaded and installed the security update
addressed in Security Bulletin MS03-026 do I still need to
change the TCP/IP filtering as described on the Blaster
Security Alert page? When I did it this morning, my
internet connection went down, so I figured I changed the
wrong connection and changed it back until I can ask my
husband.

I've got Norton AntiVirus (up to date) running and will be
dealing with the Firewall installation ASAP. Have 2003
Personal Firewall but it never got installed.

Thanks.
LindaR

 

[Larry Brasher]

Hello,

Here is some additional information.

Advanced TCP/IP Filtering

On Windows 2000 systems, where Internet Connection Firewall (ICF) is not
available, the following steps will help block the affected ports so that
the system can be patched. These steps are based on a modified excerpt from
this article: 309798 HOW TO: Configure TCP/IP Filtering in Windows 2000
http://support.microsoft.com/?id=309798

To configure TCP/IP security on Windows 2000:

1. Select "Network and Dial-up Connections" in the control panel.

2. Right-click the interface you use to access the Internet, and then click
Properties.

3. In the "Components checked are used by this connection" box, click
Internet Protocol (TCP/IP), and then click Properties.

4. In the Internet Protocol (TCP/IP) Properties dialog box, click
Advanced.

5. Click the Options tab.

6. Click "TCP/IP filtering", and then click Properties.

7. Select the "Enable TCP/IP Filtering (All adapters)" check box.

8. There are three columns with the following labels:

TCP Ports
UDP Ports
IP Protocols

In each column, you must select the "Permit Only" option.

9. Click OK.


Stop Windows XP and Windows Server 2003 systems from rebooting after an
attack:
Another way to prevent Windows XP and Windows 2003 Server systems from
rebooting once the count down has started is to run this command at
the command line:

shutdown /a

This aborts the shutdown sequence. Since the RPC service has already
been shut down, it cannot be shut down again. Then you can patch the
system with MS03-026 which will reboot the system once it’s installed.
This command is not available on pre-XP systems.
Change Service Properties to avoid the reboot:

1. Open up the Services snap-in.
This can be done by right clicking on "My Computer", select
"Manage", select "Services and Applications"and click on "Services".
This can be done by going to the Control Panel and selecting to
switch to "Classic View", double-click on "Administrative Tools"and
select "Services".
2.Double-click on the "Remote Procedure Call (RPC)"service.
3. On the User Interface for RPC, click the "Recovery"tab.
4. Under the "Recovery"tab, go to the "First failure:"drop down and
change the value from "Restart the Computer"to "Restart the
Service".
5. Change the "Restart service after:"value to 5 minutes.
6. Install the MS03-026 / 823980 on the computer.


What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

Microsoft scanning tool for MSBLASTER
http://support.microsoft.com/default.aspx?scid=kb;en-us;826369

PREVENTION:
Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or
use a third party firewall to block TCP ports 135, 139, 445 and 593; UDP
port 135, 137,138; also UDP 69 (TFTP) and TCP 4444 for remote command
shell.
To enable the Internet Connection Firewall in Windows:
http://support.microsoft.com/?id=283673
1.In Control Panel, double-click Networking and Internet Connections, and
then click Network Connections.
2.Right-click the connection on which you would like to enable ICF, and
then click Properties.
3.On the Advanced tab, click the box to select the option to"Protect my
computer or network".
This worm utilizes a previously-announced vulnerability as part of its
infection method. Because of this, you must ensure that their

computers are patched for the vulnerability that is identified in Microsoft
Security Bulletin MS03-026.
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.
Install the patch MS03-026 from Windows Update:
Windows NT 4 Server & Workstation

http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d
29e1a/Q823980i.EXE

Windows NT 4 Terminal Server Edition

http://download.microsoft.com/download/4/6/c/46c9c414-19ea-4268-a430-5372218
8d489/Q823980i.EXE

Windows 2000

http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42
049d5/Windows2000-KB823980-x86-ENU.exe

Windows XP (32 bit)

http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a9
83f01/WindowsXP-KB823980-x86-ENU.exe

Windows XP (64 bit)

http://download.microsoft.com/download/a/7/5/a75b3c8f-5df0-451b-b526-cfc7c5c
67df5/WindowsXP-KB823980-ia64-ENU.exe

Windows 2003 (32 bit)

http://download.microsoft.com/download/8/f/2/8f21131d-9df3-4530-802a-2780629
390b9/WindowsServer2003-KB823980-x86-ENU.exe

Windows 2003 (64 bit)

http://download.microsoft.com/download/4/0/3/403d6631-9430-4ff6-a061-9072a4c
50425/WindowsServer2003-KB823980-ia64-ENU.exe


Shane Brasher
MCSE (2000,NT),MCSA, A+
Microsoft Platforms Support
Windows NT/2000 Networking