This package contains:

1. PEP Number: CP202SEC001S

2. Problem Description:
-----------------------
This package contains Microsoft hotfixes to be installed on a server that has been installed with, or upgraded to CallPilot 2.02 (2.01.27). Certain other changes are also made to improve security.

This PEP supersedes earlier Security PEPs CP20127G039S, CP20127G046S, CP20127G050S and CP20127G070S. It will remove these earlier PEPs from the DMI viewer. The new PEP CP202SEC001S can be installed whether or not the earlier PEPs have previously been installed.

3. List of PRs that are fixed by this PEP:
-------------------------------------------
Security Improvements:

Hotfixes to patch the following Microsoft Bulletins:

    Microsoft C2 patch Knowledge Base article KB244599
    patch for "This Certificate Has an Invalid Digital Signature" issue (KB305929)
    patch for "Enabling the PIPE_CREATE_INSTANCE flag for non-admin users" issue (KB823492)
    MS01-056 Windows Media Player .ASF Processor Contains Unchecked Buffer
    MS01-048 Mar 17/2003 (rev) Malformed Request to RPC EndPoint Mapper can Cause RPC Service to Fail (305399)
    MS03-001 Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)
    KB811630 HTML Help Update to Limit Functionality When It Is Invoked with the windows.showHelp() Method
    MS03-007 Unchecked buffer in Windows component could cause webserver compromise (815021) (revised Apr 23/2003)
    MS03-008 Flaw in Windows Script Engine Could Allow Code Execution (814078)
    MS03-011 Flaw in Microsoft VM Could Enable System Compromise (816093) (includes MS02-069)
    MS03-013 Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493)
    MS03-018 Cumulative Patch for Internet Information Service (811114) (Supersedes MS02-062, MS02-028 and MS02-018)
    MS03-023 Buffer Overrun In HTML Converter Could Allow Code Execution (823559)
    MS03-024 Buffer Overrun in Windows Could Lead to Data Corruption (817606)
    MS03-029 Flaw in Windows Function Could Allow Denial of Service (823803)
    MS03-030 Unchecked Buffer in DirectX Could Enable System Compromise (819696)
    MS03-034 Flaw in NetBIOS Could Lead to Information Disclosure (824105)
    MS03-040 Cumulative Patch for Internet Explorer (828750)
    MS03-043 Buffer Overrun in Messenger Service Could Allow Code Execution (828035)
    MS03-044 Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119)
    MDAC 2.5 SP3
    MS02-065 Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution (Q329414)
    MS01-029 Windows Media Player .ASX Process Contains Unchecked Buffer
    MS04-003 Buffer Overrun in MDAC Function Could Allow Code Execution (832483)
    MS04-006 Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (830352)
    MS04-011 Security Update for Microsoft Windows (835732)
    MS04-012 Cumulative Update for Microsoft RPC/DCOM (828741)
    MS04-014 Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)
    KB870669 Disable ADODB.Stream on Internet Explorer
    MS04-020 Vulnerability in POSIX Could Allow Code Execution (841872)
    MS04-021 Security Update for IIS 4.0 (841373)
    MS04-023 Vulnerability in HTML Help Could Allow Code Execution (840315)
    MS04-024 Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)
    MS02-008 XMLHTTP Control Can Allow Access to Local Files
    MS04-025 Cumulative Security Update for Internet Explorer (867801)

Microsoft Security Bulletins are available at URLs like this:
http://www.microsoft.com/technet/security/bulletin/MS03-018.mspx

A fix to PC Anywhere for a security vulnerability:

    10.5.2 update to fix Symantec pcAnywhere Service-Mode Help File Elevation of Privilege

In addition, the following services are set to disabled in order to reduce the attack surface:

    Alerter
    License Logging Service
    Messenger
    Computer Browser
    TCP/IP NetBIOS Helper
    ClipBook Server
    Directory Replicator
    Net Logon
    Schedule
    TCP/IP Print Server
    UPS

Other changes:

    A registry change is made so that the SLEE monitor support tool will still work correctly.
    A registry change is made to enable logging for RAS communications.
    Registry changes are made to enable signing by SMB client and server.
    Registry changes are made to disable the os2 and posix subsystems.
    A registry change is made to disable CD autorun.
    A registry change is made to enable RAS NetBIOS auditing.
    A registry change is made so that the floppy drive is only available to the locally logged-on user.
    The RDS component of IIS is disabled.
    The Exec function of Server Side Includes on IIS is disabled.
    A newer (V2.5) version of URLSCAN is installed with improved checking.
    The OS2 and Posix subsystems are properly disabled (they were already non-functional).
    The latest version of the MSI installer is installed.
    An updated version of the MSXML parser (4.0 SP2) is installed (needed for the new hotfix checker).
    Some file and folder permissions are tightened.
    Unneeded web services are deleted or disabled.

4. Pre-installation notes:
--------------------------
1. Make sure you are installing this PEP on a server that has been installed with, or upgraded to CallPilot 2.02 (2.01.27).

2. Make sure the CallPilot server is fully booted before beginning PEP installation. Stop any other applications running on the local console, including all support tools and the CallPilot PEP Maintenance Utility (DMI Viewer).

3. Disable any anti-virus software active on the server prior to installing this PEP. (This makes the PEP install faster.) As a precaution, it's recommended the CLAN connection be disconnected prior to disabling the anti-virus software.

4. Ensure the system has sufficient disk space available to install this PEP. If needed, remove any unnecessary files and folders in the c:\temp or d:\temp folders. If an error occurs while attempting to remove a particular file, ignore the error, but try to remove as many files and folders as possible in the temp folder. It is possible that the file is being used by Windows NT.
   Note: do not remove the c:\temp, d:\temp, and d:\temp\CP202SEC001S folders. Once you have finished cleaning up, empty the recycle bin.

5. Ensure there is a recent backup available prior to installing this PEP. It's always recommended that a backup be performed (or split RAID) just prior to performing any server maintenance activity to ensure the most recent customer data is available should a restore be needed.

6. The PEP installation is automatic. When this is complete, a dialog box is displayed with the title "CallPilot OS Security PEP Installation Completed". The system will reboot into service when the OK button is clicked on this dialog.

   Note: Do not reboot the system until the PEP installation is finished, otherwise the PEP may not be properly registered on the server.

5. Installing the PEP:
----------------------
1. Begin installation by executing CP202SEC001S.exe to extract the files to the D:\TEMP\CP202SEC001S folder.

2. Navigate to the D:\TEMP\CP202SEC001S folder and run "RUNME.BAT" to launch the installer. Note that RUNME.BAT MUST be executed from this exact folder or the PEP install will fail.

3. Click on OK to start the installation of the PEP. Total time required will be about 2 minutes, plus the time to reboot into service.

   Note: This PEP automatically installs a number of Microsoft hot fixes. Do not close any windows or click on any buttons while the PEP is being installed or the PEP will not install successfully.

4. When the PEP installation is complete, a window will be displayed with the title "CallPilot OS Security PEP Installation Completed". Click on the OK button to reboot the server.

5. If anti-virus software was disabled, check to ensure it is now enabled. Note that it must be properly configured to scan "incoming" files only. See the bulletin on configuring anti-virus software for CallPilot.

6. Installation Log
-------------------
File "secpep.log" in the root folder of the system drive will contain a log of the actions performed during PEP installation. In addition, a note will be added to the file "osvers.txt", also in the root folder of the system drive.

7. PEP Uninstall
----------------
Due to the nature of the Microsoft hotfixes contained within this PEP, it cannot be uninstalled. Once applied, if removed from DMIViewer, only the reference to PEP CP202SEC001S will actually be removed.

8. PEP ReInstallation
---------------------
If required, this PEP may be installed again without any problem. This will reapply hotfixes and other configuration changes.

If the PEP is not already in the PEP Utility (DMI Viewer), the PEP entry will be added when the PEP is reinstalled. It is possible that one or more popup windows may appear saying that a particular hotfix is not needed. Just click OK and the reinstallation will continue.

If the PEP is already listed in the CallPilot PEP Utility (DMIViewer), it will not be added again to this utility. A popup window saying "Setup concludes that no actions needs to be taken" will be displayed. This just means that the PEP is already present in the list of installed PEPs so it will not be added again to this list. Click OK to dismiss the popup and complete the PEP install.

9. Supplemental Information - Verifying HotFixes
------------------------------------------------
Microsoft has released a tool called MBSAcli to check a system to ensure that all relevant security hotfixes are present. A version of this tool is provided in the PEP (in the D:\TEMP\CP202SEC001S\HotFixes\Checker folder). The tool makes use of an XML file from Microsoft called "mssecure_1033.cab" telling it which hotfixes are available, when they are needed and how to check for them. The PEP includes a version of this XML file that was current at the time the PEP was created.

MBSACLI replaces the previous hfnetchk hotfix checker.
The new version does a better job of checking hotfixes for different OS components.

    "mbsacli /hf" replaces "hfnetchk"

To run the hot fix checker:

    Use Windows NT Explorer to double-click
    D:\TEMP\CP202SEC001S\HotFixes\Checker\CheckHotFixes.bat

Watch for "Patch Not Found" errors, which indicate hotfixes that are needed but are not installed. Ignore "Note" messages. These just give some additional information related to a given patch.

Note: For this PEP, it is normal for a warning to be shown related to MS01-041 since CallPilot will have a more recent file version than expected.

Note: The tool may give an error if the CallPilot server is still booting up. If this happens try running the tool again later.

To display a list of hotfixes that have been explicitly installed on this server, do the following:

    Use Windows NT Explorer to double-click
    D:\TEMP\CP202SEC001S\HotFixes\Checker\ListHotFixes.bat

NOTE: the list displayed is incomplete. Some hotfixes that are, in fact, installed will not appear in the list. Use the "CheckHotFixes" command to determine if any needed hotfixes are missing.
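
The triage rules in section 9, as an added example that is not part of the PEP or of Microsoft's tool: a Python function that sorts saved checker output into what needs action and what this document says to ignore, and separates missing bulletins that section 3 lists (reinstalling the PEP reapplies those, per section 8) from ones it does not cover. The line layout of the sample output is an assumption and the sample lines are constructed; only the "Patch Not Found", "Note" and warning wording, the MS01-041 exception and the bulletin list come from this document.

```python
import re

# Bulletins listed in section 3 of this document as patched by CP202SEC001S.
PEP_BULLETINS = frozenset("""
MS01-029 MS01-048 MS01-056 MS02-008 MS02-065 MS03-001 MS03-007 MS03-008
MS03-011 MS03-013 MS03-018 MS03-023 MS03-024 MS03-029 MS03-030 MS03-034
MS03-040 MS03-043 MS03-044 MS04-003 MS04-006 MS04-011 MS04-012 MS04-014
MS04-020 MS04-021 MS04-023 MS04-024 MS04-025
""".split())

# Section 9: a warning for MS01-041 is normal on a CallPilot server.
EXPECTED_WARNINGS = frozenset({"MS01-041"})

# Assumed layout: a status phrase at the start of the line, bulletin ID after it.
STATUS_LINE = re.compile(
    r"^\s*(patch not found|warning|note)\b.*?\b(MS\d{2}-\d{3})\b", re.IGNORECASE)

def triage(output):
    """Bucket checker status lines according to the guidance in section 9."""
    result = {"covered_by_pep": [], "missing_other": [],
              "unexpected_warning": [], "ignored": []}
    for line in output.splitlines():
        m = STATUS_LINE.match(line)
        if not m:
            continue  # detail lines under a status line carry no verdict
        status, bulletin = m.group(1).lower(), m.group(2).upper()
        if status == "patch not found":
            # Missing but listed in the PEP: reinstalling the PEP reapplies it.
            key = "covered_by_pep" if bulletin in PEP_BULLETINS else "missing_other"
        elif status == "warning" and bulletin not in EXPECTED_WARNINGS:
            key = "unexpected_warning"
        else:
            key = "ignored"  # "Note" lines and the expected MS01-041 warning
        result[key].append(bulletin)
    return result

# Constructed sample output, for illustration only.
SAMPLE = """\
    Patch NOT Found  MS04-011  835732
        File version is older than expected.
    Patch NOT Found  MS04-028  833987
    Note             MS03-008  814078
    Warning          MS01-041  298012
    Warning          MS02-050  329115
"""

if __name__ == "__main__":
    for bucket, bulletins in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(bulletins) or '-'}")
```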