Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows.
INTRODUCTION
Microsoft has released security advisory 973811. To view the complete security advisory, visit the following Microsoft website:
http://www.microsoft.com/technet/security/advisory/973811.mspx
How to obtain help and support for this security update
Support for Microsoft Update Security solutions for IT professionals: TechNet Security Troubleshooting and Support Help protect your computer that is running Windows from viruses and malware:Virus Solution and Security Center Local support according to your country: International Support
Help installing updates:More Information
How do I configure .NET to utilize Extended Protection for Authentication?
Here are the steps for enabling Extended Protection for the Microsoft .NET Framework 2.0 Service Pack 2, .NET Framework 3.0 Service Pack 2, and .NET Framework 3.5 SP1.
For .NET Framework 2.0 Service Pack 2 (Network Class Library)
Extended protection can be turned on by setting properties on HttpListener. For more information, visit the following Microsoft MSDN websites:
HttpListener.ExtendedProtectionPolicy HttpListener.ExtendedProtectionSelectorDelegate HttpListener.DefaultServiceNamesIf NegotiateStream is used, then the appropriate overloads of [Begin]AuthenticateAsServer and [Begin]AuthenticateAsClient need to be used: For more information, visit the following Microsoft MSDN websites:
http://msdn.microsoft.com/en-us/library/dd413524(v=VS.100).aspx http://msdn.microsoft.com/en-us/library/dd413526(v=VS.100).aspx http://msdn.microsoft.com/en-us/library/dd413525(v=VS.100).aspx http://msdn.microsoft.com/en-us/library/dd413527(v=VS.100).aspx In addition to the recommendations in these Microsoft websites, follow these steps:
-
On the client side, install the Extended Protection for Authentication update for Security Support Provider Interface (SSPI). This update changes SSPI to improve Windows authentication. Additionally, this update prevents credentials from being forwarded. After you install this update, you must implement the registry settings that are described in Microsoft Knowledge Base (KB) article 968389 to enable extended protection.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:968389Extended Protection for Authentication
-
On the server side, install the Extended Protection for Authentication update for the HTTP Protocol Stack.
For .NET Framework 2.0 Service Pack 2 (ASP.NET)
No special action is required in order to use Extended Protection.
For .NET Framework 3.0 Service Pack 2 (WCF)
To enable the Extended Protection for Authentication feature in WCF, follow these steps: To do this, follow these steps:
-
On the client side, install the Extended Protection for Authentication update for Security Support Provider Interface (SSPI). This update changes SSPI to improve Windows authentication. Additionally, this update prevents credentials from being forwarded. After you install this update, you must implement the registry settings that are described in Microsoft Knowledge Base (KB) article 968389 to enable extended protection.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:968389Extended Protection for Authentication
-
On the server side, install the Extended Protection for Authentication update for the HTTP Protocol Stack.
-
Install the Extended Protection for Authentication update for Internet Information Services (IIS) when IIS is installed.
After you install the update, follow the instructions in KB article 973917 to configure extended protection in IIS. For more information, click the following article numbers to view the article in the Microsoft Knowledge Base:973917Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS)
970430 Description of the update that implements Extended Protection for Authentication in the HTTP Protocol Stack (http.sys)
-
Use the ExtendedProtectionPolicy class in WCF to represent the extended protection policy that the server uses to validate incoming client connections. The class can be applied only when the security mode is set to Transport mode or to TransportWithMessageCredential mode. The following is a sample code that shows the configuration in a binding element of a service config file:
<binding>
…………… <security mode="Transport"> <transport ……………> <extendedProtectionPolicy policyEnforcement ="WhenSupported"/> </transport > </security> </binding>For more information about the Extended Protection for Authentication feature, visit the following Microsoft TechNet website:
For more configuration information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Article number |
Article title |
---|---|
Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and on Windows Server 2008 Service Pack 1 (976767 and 980843): June 8, 2010 |
|
Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 2 and on Windows Server 2008 Service Pack 2 (976768 and 980842): June 8, 2010 |
|
Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and on Windows Server 2008 Service Pack 1 (976767, 980843, and 976771): June 8, 2010 |
|
Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 2 and on Windows Server 2008 Service Pack 2 (976768, 980842, and 976772): June 8, 2010 |
|
Description of the rollup update for the .NET Framework 3.5 Service Pack 1 and the .NET Framework 2.0 Service Pack 2 on Windows XP and on Windows Server 2003 (976765 and 980773): June 8, 2010 |
|
Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows XP and on Windows Server 2003 (976765, 980773 and 976769): June 8, |
|
"Could not load type 'System.Security.Authentication.ExtendedProtection.ExtendedProtectionPolicy'" exception error after you install update 982167 or update 982168 |
Known Issues
For more information about known issues with this software, click the following article number to view the article in the Microsoft Knowledge Base:
Article number |
Article title |
---|---|
Updates for the .NET Framework 3.5 Service Pack 1 and the .NET Framework 2.0 Service Pack 2 may cause the Microsoft Knowledge Base article number to appear instead of the full title of the update in the Add or Remove Programs item in Control Panel |