-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED]] On Behalf Of Barry Dorrans
Sent: Thursday, October 18, 2001 15:39
To: [EMAIL PROTECTED]
Subject: Microsoft Security Bulletin : MS01-52 Terminal Services Failure - Patch kills terminal services

- ----------------------------------------------------------------------
Title:      Invalid RDP Data can Cause Terminal Service Failure
Date:       18 October 2001
Software:   Windows NT 4.0 Server, Terminal Server Edition, Windows 2000 Server and Advanced Server
Impact:     Denial of service
Max Risk:   Moderate
Bulletin:   MS01-052

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-052.asp.
- ----------------------------------------------------------------------

So, as I'm at home I thought I'd test the patch out.

It's a killer. I now have a very very sick SQL box, and a not so sick, but still sick, IIS server. The SQL server box is in a continuous reboot mode; the IIS box is stable, but not allowing Terminal Services connections.

On each machine Terminal Services is in Remote Administration mode (i.e. one connection only, from Administrator group members).

The SQL server error log is filled with Event ID 1014s from the Terminal Server service: Cannot load illegal module C:\WINNT\System32\rdpwsx.DLL. The IIS log is missing this report.

Terminal Services is in an "uncontrollable" state from the Services control panel applet. The applet believes the service has started, yet the start, pause, stop and restart buttons are inactive and grey. A reboot of the server seems to not add errors into the error log; however, the service itself is still as dead as a dodo.

Time after login in either box seems longer than normal, up to 2 minutes on the SQL server. This may be due to SQL objecting to the numerous restarts and rolling back transactions.

Attempted connections to either box via the terminal services client application (both servers appear in the list), or the TSWeb application, believe that terminal services is busy. The SQL server box does also (at seemingly random intervals) die with a blue screen in TCP/IP.SYS.

Now these boxes do have the odd strange thing on: the .Net beta 2 CLR is on the IIS box, OLAP on SQL, but neither have any of the same sets of "weird" software, so I doubt it's interference with some dodgy development code I've installed :)

An uninstall of the patch fixes everything on the IIS box. The SQL box still randomly reboots or dies in TCPIP.SYS.

As you can imagine, I'm a little unwilling to experiment further, having recovered the machines to a useful, stable state again. I would strongly suggest that before installing the patch on remote servers you test it in your own configurations.

If anyone requires more information, please feel free to contact me (just be mindful I'm in BST!)

(I've CC'd secure@ ms.com, although if anyone has a better address to email, please let me know)

Barry
