How to help protect against a WINS security issue
We are investigating reports of a security issue with
Microsoft Windows Internet Name Service (WINS). This security issue affects
Microsoft Windows NT Server 4.0, Microsoft Windows NT Server 4.0 Terminal
Server Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server
2003. This security issue does not affect Microsoft Windows 2000 Professional,
Microsoft Windows XP, or Microsoft Windows Millennium Edition.
By default, WINS is not installed on Windows NT Server 4.0,
Windows NT Server 4.0 Terminal Server Edition, Windows 2000 Server, or Windows
Server 2003. By default, WINS is installed and running on Microsoft Small
Business Server 2000 and Microsoft Windows Small Business Server 2003. By
default, on all versions of Microsoft Small Business Server, the WINS component
communication ports are blocked from the Internet, and WINS is available only
on the local network.
This security issue could make it possible for
an attacker to remotely compromise a WINS server if one of the following
conditions is true:
- You have changed the default configuration to install the
WINS server role on Windows NT Server 4.0, Windows NT Server 4.0 Terminal
Server Edition, Windows 2000 Server, or Windows Server 2003.
- You are running Microsoft Small Business Server 2000 or
Microsoft Windows Small Business Server 2003, and an attacker has access to
your local network.
To help protect your computer against this potential
vulnerability, follow these steps:
- Block TCP port 42 and UDP port 42 at the firewall.
These ports are used to initiate a connection with a remote WINS
server. If you block these ports at the firewall, you help prevent computers
that are behind that firewall from trying to use this vulnerability. TCP port
42 and UDP port 42 are the default WINS replication ports. We recommend
blocking all incoming unsolicited communication from the Internet.
- Use Internet Protocol security (IPsec) to help protect
traffic between WINS server replication partners. To do this, use one of the
Caution Because each WINS infrastructure is unique, these changes may
have unexpected effects on your infrastructure. We strongly recommend that you
perform a risk analysis before you choose to implement this mitigation. We also
strongly recommend that you perform complete testing before you put this
mitigation into production.
- Option 1: Manually configure the IPSec filters
Manually configure the IPSec filters, and then follow the
instructions in the following Microsoft Knowledge Base article to add a block
filter that blocks all packets from any IP address to your system's IP
address:
813878 How to block specific network protocols and ports by using IPSec
Note If you use IPSec in your Windows 2000 Active Directory domain
environment and you deploy your IPSec policy by using Group Policy, the domain
policy overrides any locally defined policy. This behavior prevents this option
from blocking the packets that you want. To determine whether your servers are
receiving an IPSec policy from a Windows 2000 domain or a later version, see
the "Determine whether an IPSec policy is assigned" section in Knowledge Base
article 813878.
When you have
determined that you can create an effective local IPSec policy, download the
IPSeccmd.exe tool or the IPSecpol.exe tool.
The following commands
block inbound and outbound access to TCP port 42 and UDP port 42.
Note In these commands, %IPSEC_Command%
refers to Ipsecpol.exe (on Windows 2000) or Ipseccmd.exe (on Windows Server
2003).
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Block All Inbound TCP Port 42 Rule" -f *=0:42:TCP -n BLOCK
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Block All Inbound UDP Port 42 Rule" -f *=0:42:UDP -n BLOCK
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Block All Outbound TCP Port 42 Rule" -f 0=*:42:TCP -n BLOCK
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Block All Outbound UDP Port 42 Rule" -f 0=*:42:UDP -n BLOCK
The following command makes the IPSec policy effective immediately if
there is no conflicting policy. This command will start blocking all
inbound/outbound TCP port 42 and UDP port 42 packets. This effectively prevents
WINS replication from occurring between the server that these commands were run
on and any WINS replication partners.
%IPSEC_Command% -w REG -p "Block WINS Replication" -x
If you experience problems on the network after you enable this IPSec
policy, you can unassign the policy and then delete the policy by using the
following commands:
%IPSEC_Command% -w REG -p "Block WINS Replication" -y
%IPSEC_Command% -w REG -p "Block WINS Replication" -o
To allow WINS replication to function between specific WINS replication
partners, you must override these block rules with allow rules. The allow rules
should specify the IP addresses of your trusted WINS replication partners only.
You can use the following commands to update the Block WINS
Replication IPSec policy to allow specific IP addresses to communicate with the
server that is using the Block WINS Replication policy.
Note In these commands, %IPSEC_Command%
refers to Ipsecpol.exe (on Windows 2000) or Ipseccmd.exe (on Windows Server
2003), and %IP% refers to the IP address of the
remote WINS server that you want to replicate with.
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Allow Inbound TCP Port 42 from %IP% Rule" -f %IP%=0:42:TCP -n PASS
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Allow Inbound UDP Port 42 from %IP% Rule" -f %IP%=0:42:UDP -n PASS
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Allow Outbound TCP Port 42 to %IP% Rule" -f 0=%IP%:42:TCP -n PASS
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Allow Outbound UDP Port 42 to %IP% Rule" -f 0=%IP%:42:UDP -n PASS
To assign the policy immediately, use the following command:
%IPSEC_Command% -w REG -p "Block WINS Replication" -x
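As an added example (not the article's own Block_Wins_Replication.cmd script), the following batch file strings the commands above together: it picks Ipsecpol.exe or Ipseccmd.exe by OS version, writes the four block rules, reads trusted partner addresses from a file named trusted_wins_partners.txt (a hypothetical name), adds the PASS rule pairs for each partner, and then assigns the policy. It assumes the matching tool is on the PATH and that no domain IPSec policy overrides the local policy.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion
rem Added example, not the KB's Block_Wins_Replication.cmd. Builds the
rem "Block WINS Replication" policy from the commands in the article,
rem exempts the partners listed in trusted_wins_partners.txt (hypothetical
rem file name, one IPv4 address per line, lines starting with # ignored),
rem then assigns the policy.

rem Ipsecpol.exe is the Windows 2000 tool, Ipseccmd.exe the Windows Server
rem 2003 tool. Assumes the matching tool is on the PATH.
set "IPSEC_Command=ipseccmd.exe"
ver | find "Version 5.0" >nul && set "IPSEC_Command=ipsecpol.exe"

set "POLICY=Block WINS Replication"
set "LIST=%~dp0trusted_wins_partners.txt"

if not exist "%LIST%" (
    echo Partner list "%LIST%" not found. No policy was changed.
    exit /b 1
)

rem Wildcard block filters: *=0 is any address to this host, 0=* is this
rem host to any address, on TCP and UDP port 42 (WINS replication).
%IPSEC_Command% -w REG -p "%POLICY%" -r "Block All Inbound TCP Port 42 Rule" -f *=0:42:TCP -n BLOCK
%IPSEC_Command% -w REG -p "%POLICY%" -r "Block All Inbound UDP Port 42 Rule" -f *=0:42:UDP -n BLOCK
%IPSEC_Command% -w REG -p "%POLICY%" -r "Block All Outbound TCP Port 42 Rule" -f 0=*:42:TCP -n BLOCK
%IPSEC_Command% -w REG -p "%POLICY%" -r "Block All Outbound UDP Port 42 Rule" -f 0=*:42:UDP -n BLOCK

rem One PASS rule pair per trusted partner. A filter naming a specific
rem address is more specific than the wildcard block filters, so it wins.
set /a COUNT=0
for /f "usebackq eol=# tokens=1" %%I in ("%LIST%") do (
    set "IP=%%I"
    %IPSEC_Command% -w REG -p "%POLICY%" -r "Allow Inbound TCP Port 42 from !IP! Rule" -f !IP!=0:42:TCP -n PASS
    %IPSEC_Command% -w REG -p "%POLICY%" -r "Allow Inbound UDP Port 42 from !IP! Rule" -f !IP!=0:42:UDP -n PASS
    %IPSEC_Command% -w REG -p "%POLICY%" -r "Allow Outbound TCP Port 42 to !IP! Rule" -f 0=!IP!:42:TCP -n PASS
    %IPSEC_Command% -w REG -p "%POLICY%" -r "Allow Outbound UDP Port 42 to !IP! Rule" -f 0=!IP!:42:UDP -n PASS
    set /a COUNT+=1
)
echo Exempted !COUNT! trusted WINS replication partner(s).

rem Assign the policy so it takes effect now (only if no conflicting
rem domain policy is applied; see KB 813878). Undo with -y, delete with -o.
%IPSEC_Command% -w REG -p "%POLICY%" -x
endlocal
```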
- Option 2: Run a script to automatically configure the IPSec filters
Download and then run the WINS Replication Blocker script
that creates an IPSec policy to block the ports. To do this, follow these
steps:
- To download and extract the .exe files, follow these steps:
- Download the WINS Replication Blocker script package. The
following file is available for download from the Microsoft Download
Center:
the WINS Replication Blocker script package
December 2, 2004
For additional information about how to download
Microsoft Support files, click the following article number to view the article
in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.
If you are downloading the WINS Replication Blocker script to a floppy disk, use a formatted blank disk. If you are downloading the WINS Replication Blocker script to your hard disk, create a new folder to temporarily save the file to and extract the file from.
Caution Do not download files directly to your Windows folder. This
action could overwrite files that are required for your computer to operate.
- Locate the file in the folder that you
downloaded it to, and then double-click the self-extracting .exe file to
extract the contents to a temporary folder. For example, extract the contents
- Open a command prompt, and then move to the
directory where the files are extracted.
- Run the Block_Wins_Replication.cmd file. To create
the TCP port 42 and UDP port 42 inbound and outbound block rules, type
1 and then press ENTER to select option 1 when you are
prompted to select the option that you want.
- If you suspect that your WINS servers may be
infected, but you are not sure what WINS servers are compromised or whether
your current WINS server is compromised, do not enter any IP addresses in step
3. However, as of November 2004, we are not aware of any customers who have
been affected by this issue. Therefore, if your servers are functioning as
expected, continue as described.
- If you incorrectly set up IPsec, you may cause
serious WINS replication problems on your corporate network.
After you select option 1, the script prompts you to enter the IP addresses of the trusted WINS replication servers.
Each IP address that you enter is exempted from the blocking TCP port 42 and UDP port 42 policy. You are prompted in a loop, and you can enter as many IP addresses as needed. If you do not know all the IP addresses of the WINS replication partners, you can run the script again in the future. To start entering IP addresses of trusted WINS replication partners, type 2
and then press ENTER to select option 2 when you are prompted to select the option that you want.
After you deploy the security update, you can remove the IPSec policy. To do this, run the script. Type 3
and then press ENTER to select option 3 when you are prompted to select the option that you want.
For additional information about IPsec and about how to apply filters, click the following article number to view the article in the Microsoft Knowledge Base:
How to use IPsec IP filter lists in Windows 2000
- Remove WINS if you do not need it.
If you no
longer need WINS, follow these steps to remove it. These steps apply to Windows
2000, Windows Server 2003, and later versions of these operating systems. For
Windows NT Server 4.0, follow the procedure that is included in the product
Important Many organizations require WINS to perform single label or flat
name registration and resolution functions on their network. Administrators
should not remove WINS unless one of the following conditions is true:
- The administrator fully understands the effect that
removing WINS will have on their network.
- The administrator has configured DNS to provide the
equivalent functionality by using fully qualified domain names and DNS domain
Also, if an administrator is removing the WINS functionality
from a server that will continue to provide shared resources on the network,
the administrator must correctly reconfigure the system to use the remaining
name resolution services like DNS on the local network.
For more information about WINS, visit the following Microsoft Web site:
For more information about how to determine whether you need
NETBIOS or WINS name resolution and DNS configuration, visit the following
Microsoft Web site:
To remove WINS, follow these steps:
- In Control Panel, open Add or Remove Programs.
- Click Add/Remove Windows Components.
- On the Windows Components Wizard page, under
Components, click Networking Services, and
then click Details.
- Click to clear the Windows Internet Naming
Service (WINS) check box to remove WINS.
- Follow the instructions on the screen to complete the
Windows Components Wizard.
We are working on an update to address this security issue as
part of our regular update process. When the update has reached an appropriate
level of quality, we will provide the update through Windows Update.
If you believe that you have been affected, contact Product Support
Services by using any method that is listed at the following Microsoft Web
site:
Article ID: 890710 - Last Review: July 18, 2012 - Revision: 9.0
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Small Business Server 2003 Premium Edition
- Microsoft Windows Small Business Server 2003 Standard Edition
- Microsoft Small Business Server 2000 Standard Edition
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
- Microsoft Windows NT Server 4.0 Standard Edition