This package contains:

1. PEP Number: NM010709G106S
   CallPilot Server Security Update

2. Problem Description:
-----------------------
This package contains Microsoft hotfixes to be installed on a server that has been installed with, or upgraded to CallPilot 1.07.

It also fixes the problem created by PEPs NM010709G100S and/or NM010709G102S that prevents upgrade from 1.07 to CallPilot 2 (2.01, 2.02 or 2.5) from working. Any system having either of these two PEPs must have PEP 104S (or a later OS security PEP) installed before upgrade is attempted.

NOTE: Installation of this PEP may result in the database file being skipped by system backup. A workaround for this issue is described in Product Advisory Alert PAA-2004-0144-Global-Rev2. The files "DBBkp.exe" and "DBSnap.bat" described in the bulletin are copied onto the system by this PEP. They are located in the root folder of the D: drive. See the file D:\backupworkaround.doc for information about the workaround.

PEP NM010709G111S must be installed for User and Application Archive to work after installing this PEP.

3. List of PRs that are fixed by this PEP:
-------------------------------------------
Q00752321  Unable to upgrade from 1.07 to release 2.02 when PEP 100S is installed

Installs applicable Microsoft Hotfixes up to MS04-017.
(MS04-013 to MS04-017 do not apply)

Security Improvements: hotfixes to patch the following Microsoft Bulletins:

  Microsoft C2 patch  Knowledge Base article KB244599
  KB305929  issue  This Certificate Has an Invalid Digital Signature
  KB823492  issue  Enabling the PIPE_CREATE_INSTANCE flag for non-admin users (823492)
  MS01-056  Windows Media Player .ASF Processor Contains Unchecked Buffer
  MS02-024  May 22/2002  Authentication Flaw in Windows Debugger can Lead to Elevated Privileges
  MS02-029  Jul 02/2002  Unchecked Buffer in Remote Access Service Phonebook Could Lead to Code Execution (RAS version)
  MS02-045  Aug 22/2002  Unchecked Buffer in Network Share Provider Can Lead to Denial of Service
  MS02-048  Aug 28/2002  Flaw in Certificate Enrollment Control Could Allow Deletion of Digital Certificates
  MS02-052  Sep 18/2002  Flaw in Microsoft VM JDBC Classes Could Allow Code Execution
  MS02-055  Oct 02/2002  Unchecked Buffer in Windows Help Facility Could Enable Code Execution
  MS02-065  Nov 20/2002  Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)
  MS03-001  Jan 22/2003  Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)
  MS03-007  Mar 17/2003  Unchecked buffer in Windows component could cause webserver compromise (815021) (revised Apr 23/2003)
  MS03-008  Mar 19/2003  Flaw in Windows Script Engine Could Allow Code Execution (814078)
  MS03-011  Apr 09/2003  Flaw in Microsoft VM Could Enable System Compromise (816093) (includes MS02-069)
  MS03-023  Jul 9/2003  Buffer Overrun In HTML Converter Could Allow Code Execution (823559)
  MS03-024  Jul 9/2003  Buffer Overrun in Windows Could Lead to Data Corruption (817606)
  MS03-029  Flaw in Windows Function Could Allow Denial of Service (823803)
  MS03-030  revised Aug 20/2003  Unchecked Buffer in DirectX Could Enable System Compromise (819696)
  MS03-034  Flaw in NetBIOS Could Lead to Information Disclosure (824105)
  (issue)   Oct 9/2002  GetEffectiveRightsFromAcl Fails in Service Pack 6
  MS03-040  Windows Media Player 6.4 patch (828026)
  MS03-043  Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
  MS03-044  Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)
  MS04-004  Feb 2/2004  Cumulative Security Update for Internet Explorer (832894)
  MS04-011  Apr 13/2004  Security Update for Microsoft Windows (835732)
  MS04-012  Apr 13/2004  Cumulative Update for Microsoft RPC/DCOM (828741)
  KB870669  Disable ADODB.Stream on Internet Explorer
  MS04-020  Vulnerability in POSIX Could Allow Code Execution (841872)
  MS04-021  Security Update for IIS 4.0 (841373)
  MS04-023  Vulnerability in HTML Help Could Allow Code Execution (840315)
  MS04-024  Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)
  MS02-008  XMLHTTP Control Can Allow Access to Local Files
  MS04-025  Cumulative Security Update for Internet Explorer (867801)

Microsoft Security Bulletins are available at URLs like this:
http://www.microsoft.com/technet/security/bulletin/MS03-018.mspx

In addition, the following services are set to disabled in order to reduce the attack surface:

  Alerter
  License Logging Service
  Messenger
  Computer Browser
  TCP/IP NetBIOS Helper
  ClipBook Server
  Directory Replicator
  Net Logon
  UPS

A registry change is made so that the SLEE monitor support tool will still work correctly.
A registry change is made to enable logging for RAS communications.
Registry changes are made to enable signing by SMB client and server.
Registry changes are made to disable the os2 and posix subsystems.
A registry change is made to disable CD autorun.
A registry change is made to enable RAS NetBIOS auditing.
A registry change is made so that the floppy drive is only available to the locally logged on user.
The OS2 and Posix subsystems are properly disabled (they were already non-functional).
The latest version of the MSI installer is installed.
An updated version of the MSXML parser (4.0 SP2) is installed (needed for the new hotfix checker).
Some file and folder permissions are tightened.

Note: this PEP supersedes the PEPs NM010709G100S, NM010709G102S and NM010709G104S. It includes all the hotfixes installed by those 2 PEPs, plus a few more. This PEP may be installed on a system that already has either or both of these two earlier PEPs. References to PEPs 100S, 102S and 104S will be removed from the DMI Viewer (CallPilot PEP Maintenance Utility).

4. Pre-installation notes:
--------------------------
1. Make sure you are installing this PEP on a server that has been installed with, or upgraded to CallPilot 01.07.09.
   Note: This PEP requires that PEP NM010709G078S must already be installed on the server.

2. Disable any anti-virus software active on the server prior to installing this PEP. (This makes the PEP install faster.) As a precaution, it's recommended the CLAN connection be disconnected prior to disabling the anti-virus software.

3. Make sure the CallPilot server is fully booted before beginning PEP installation. Stop any other applications running on the local console, including all support tools and the CallPilot PEP Maintenance Utility (DMI Viewer).

4. Ensure the system has sufficient disk space available to install this PEP. If needed, remove any unnecessary files and folders in the c:\temp or d:\temp folders. If an error occurs while attempting to remove a particular file, ignore the error, but try to remove as many files and folders as possible in the temp folder. It is possible that the file is being used by Windows NT.
   Note: do not remove the c:\temp and d:\temp, and d:\temp\NM010709G103S folders. Once you have finished cleaning up, empty the recycle bin.

5. Ensure there is a recent backup available prior to installing this PEP. It's always recommended that a backup be performed (or split RAID) just prior to performing any server maintenance activity to ensure the most recent customer data is available should a restore be needed.

6. A system reboot is required after the PEP has been installed.
   Note: Do not reboot the system until the PEP installation is finished, otherwise the PEP may not be properly registered on the server. When PEP installation is complete, a dialog box is displayed with the title "CallPilot OS Security PEP Installation Completed". The system will reboot into service when the OK button is clicked on this dialog.

7. Installation of this PEP (NM010709G106S) will remove PEPs NM010709G100S and/or NM010709G102S and/or NM010709G104S from the CallPilot PEP Maintenance Utility (DMI Viewer), if they are present.

5. Installing the PEP:
----------------------
1. Begin installation by executing NM010709G106S.exe to extract the files to the D:\TEMP\NM010709G106S folder.

2. Navigate to the D:\TEMP\NM010709G106S folder and run "RUNME.BAT" to launch the installer. Note that RUNME.BAT MUST be executed from this exact folder or the PEP install will fail.

3. Read the Dialog box and click on OK to start the installation of the PEP.
   Note: This PEP automatically installs a large number of Microsoft hot fixes. Do not close any windows or click on any buttons while the PEP is being installed or the PEP will not install successfully.

4. When the PEP installation is complete, a window will be displayed with the title "CallPilot OS Security PEP Installation Completed". Read the Dialog box and then click on the OK button to reboot the server.

5. After rebooting, you may see an error from the "Java Package Manager" saying "Unable to install Java packages. The command line is invalid". Please ignore this error. It has no impact. Dismiss it by clicking OK. The error will not appear in future reboots.

6. See the section "Supplemental Information" below for instructions on checking hotfixes.

7. When the PEP has been properly installed, remove files and folders from D:\TEMP. Empty the Recycle Bin.
   NOTE: do not remove the D:\TEMP folder itself.

8. If anti-virus software was disabled, check to ensure it is now enabled.
   Note that it must be properly configured to scan "incoming" files only. See the bulletin on configuring anti-virus software for CallPilot.

6. Installation Log
-------------------
File "secpep.log" in the root folder of the system drive will contain a log of the actions performed during PEP installation. In addition, a note will be added to the file "osvers.txt", also in the root folder of the system drive.

7. PEP Uninstall:
-------------
Due to the nature of the Microsoft hotfixes contained within this PEP, it cannot be uninstalled. Once applied, if removed from DMIViewer, only the reference to PEP NM010709G106S will actually be removed.

8. PEP ReInstallation
---------------------
If required, this PEP may be installed again without any problem. This will reapply hotfixes and other configuration changes.

If the PEP is not already in the PEP Utility (DMI Viewer), the PEP entry will be added when the PEP is reinstalled.

If the PEP is already listed in the CallPilot PEP Utility (DMIViewer), it will not be added again to this utility. A popup window saying "Setup concludes that no actions needs to be taken" will be displayed. This just means that the PEP is already present in the list of installed PEPs so it will not be added again to this list. Click OK to dismiss the popup and complete the PEP install.

9. Supplemental Information - Verifying HotFixes
------------------------------------------------
Microsoft has released a tool called MBSAcli to check a system to ensure that all relevant security hotfixes are present. A version of this tool is provided in the PEP (in the D:\TEMP\NM010709G106S\HotFixes\Checker folder).

The tool makes use of an XML file from Microsoft called "mssecure_1033.cab" telling it which hotfixes are available, when they are needed and how to check for them. The PEP includes a version of this XML file that was current at the time the PEP was created.

MBSACLI replaces the previous hfnetchk hotfix checker.
The new version does a better job of checking hotfixes for different OS components.
"mbsacli /hf" replaces "hfnetchk"

To run the hot fix checker:
1. Launch a command prompt.
2. Navigate to the D:\TEMP\NM010709G106S\HotFixes\Checker folder.
3. Run CheckHotFixes.bat.

Watch for "Patch Not Found" errors which indicate hotfixes that are needed but are not installed.
Ignore "Note" messages. These just give some additional information related to a given patch.

Note: For this PEP, it is normal for a warning to be shown related to MS01-041 since CallPilot will have a more recent file version than expected.

Note: The tool may give an error if the CallPilot server is still booting up. If this happens try running the tool again later.

To display a list of hotfixes that have been explicitly installed on this server, do the following:
1. Launch a command prompt.
2. Navigate to the D:\TEMP\NM010709G106S\HotFixes\Checker folder.
3. Run ListHotFixes.bat.

NOTE: the list displayed is incomplete. Some hotfixes that are, in fact, installed will not appear in the list. Use the "CheckHotFixes" command to determine if any needed hotfixes are missing.

NOTE: On multi-CPU systems (e.g. 702t and 1001rp), hotfix MS04-011 may show up as "Patch Not Found", even though it has been properly installed. These platforms use the multi-processor version of the OS kernel (ntoskrnl.exe). The hotfix checker does not correctly check for this file. You can verify proper hotfix installation by ensuring the date on \WINNT\system32\ntoskrnl.exe is Mar 18/2004.
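
Added example (not part of the original PEP readme, and not Nortel or Microsoft code): a Python sketch for triaging saved CheckHotFixes.bat output on an admin workstation, applying the rules in section 9 so that the documented MS01-041 warning and the multi-CPU MS04-011 result are not confused with hotfixes that are really missing. The line layout of the report, the "Warning" line prefix and the sample text are assumptions constructed for illustration; only the "Patch Not Found" and "Note" markers, the bulletin numbers and the ntoskrnl.exe date come from the readme.

```python
import re
from datetime import date

# Findings the readme above says are normal once this PEP is installed.
EXPECTED_WARNINGS = {"MS01-041"}          # CallPilot ships a newer file version
MULTI_CPU_FALSE_POSITIVES = {"MS04-011"}  # multiprocessor ntoskrnl.exe is mis-checked
NTOSKRNL_DATE = date(2004, 3, 18)         # ntoskrnl.exe date given in the readme

BULLETIN = re.compile(r"\bMS\d{2}-\d{3}\b")

# Constructed sample; the column layout is an assumption, not real tool output.
SAMPLE_REPORT = """\
Patch NOT Found  MS04-011  Security Update for Microsoft Windows
Patch NOT Found  MS03-043  Buffer Overrun in Messenger Service
Warning          MS01-041  File version is greater than expected
Warning          MS03-007  File checksum differs
Note             MS02-008  See bulletin for details
"""

def triage(report, multi_cpu=False, ntoskrnl_date=None):
    """Sort checker lines into missing / review / expected / ignored bulletins."""
    out = {"missing": [], "review": [], "expected": [], "ignored": []}
    for line in report.splitlines():
        match = BULLETIN.search(line)
        if not match:
            continue
        bulletin, text = match.group(), line.strip().lower()
        if "patch not found" in text:
            # Only accept the MS04-011 exception when the kernel date was checked.
            verified = multi_cpu and ntoskrnl_date == NTOSKRNL_DATE
            known = bulletin in MULTI_CPU_FALSE_POSITIVES and verified
            out["expected" if known else "missing"].append(bulletin)
        elif text.startswith("warning"):
            known = bulletin in EXPECTED_WARNINGS
            out["expected" if known else "review"].append(bulletin)
        elif text.startswith("note"):
            out["ignored"].append(bulletin)
    return out

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_REPORT).items():
        print(f"{bucket:9s} {', '.join(ids) or '-'}")
```

Pass multi_cpu=True together with the date read from \WINNT\system32\ntoskrnl.exe on 702t and 1001rp platforms; without a matching date, MS04-011 stays in the "missing" bucket.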