We are investigating reports of a security issue with Microsoft Windows Internet Name Service (WINS). This security issue affects Microsoft Windows NT Server 4.0, Microsoft Windows NT Server 4.0 Terminal Server Edition, Microsoft Windows 2000 Server, and Microsoft Windows Server 2003. This security issue does not affect Microsoft Windows 2000 Professional, Microsoft Windows XP, or Microsoft Windows Millennium Edition.
By default, WINS is not installed on Windows NT Server 4.0, Windows NT Server 4.0 Terminal Server Edition, Windows 2000 Server, or Windows Server 2003. By default, WINS is installed and running on Microsoft Small Business Server 2000 and Microsoft Windows Small Business Server 2003. By default, on all versions of Microsoft Small Business Server, the WINS component communication ports are blocked from the Internet, and WINS is available only on the local network.
This security issue could make it possible for an attacker to remotely compromise a WINS server if one of the following conditions is true:
You have changed the default configuration to install the WINS server role on Windows NT Server 4.0, Windows NT Server 4.0 Terminal Server Edition, Windows 2000 Server, or Windows Server 2003.
You are running Microsoft Small Business Server 2000 or Microsoft Windows Small Business Server 2003, and an attacker has access to your local network.
To help protect your computer against this potential vulnerability, follow these steps:
Block TCP port 42 and UDP port 42 at the firewall.
These ports are used to initiate a connection with a remote WINS server. If you block these ports at the firewall, you help prevent computers that are behind that firewall from trying to use this vulnerability. TCP port 42 and UDP port 42 are the default WINS replication ports. We recommend blocking all incoming unsolicited communication from the Internet.
Use Internet Protocol security (IPsec) to help protect traffic between WINS server replication partners. To do this, use one of the following options.
Caution Because each WINS infrastructure is unique, these changes may have unexpected effects on your infrastructure. We strongly recommend that you perform a risk analysis before you choose to implement this mitigation. We also strongly recommend that you perform complete testing before you put this mitigation into production.
Option 1: Manually configure the IPSec filters
Manually configure the IPSec filters, and then follow the instructions in the following Microsoft Knowledge Base article to add a block filter that blocks all packets from any IP address to your system's IP address:
813878 How to block specific network protocols and ports by using IPSec
If you use IPSec in your Windows 2000 Active Directory domain environment and you deploy your IPSec policy by using Group Policy, the domain policy overrides any locally defined policy. This occurrence prevents this option from blocking the packets that you want.
To determine whether your servers are receiving an IPSec policy from a Windows 2000 domain or a later version, see to the “Determine whether an IPSec policy is assigned” section in Knowledge Base article 813878.
When you have determined that you can create an effective local IPSec policy, download the IPSeccmd.exe tool or the IPSecpol.exe tool.
The following commands block inbound and outbound access to TCP port 42 and UDP port 42.
Note In these commands, %IPSEC_Command% refers to Ipsecpol.exe (on Windows 2000) or Ipseccmd.exe (on Windows Server 2003).
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Block All Inbound TCP Port 42 Rule" -f *=0:42:TCP -n BLOCK
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Block All Inbound UDP Port 42 Rule" -f *=0:42:UDP -n BLOCK
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Block All Outbound TCP Port 42 Rule" -f 0=*:42:TCP -n BLOCK
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Block All Outbound UDP Port 42 Rule" -f 0=*:42:UDP -n BLOCK
The following command makes the IPSec policy effective immediately if there is no conflicting policy. This command will start blocking all inbound/outbound TCP port 42 and UDP port 42 packets. This effectively prevents WINS replication from occurring between the server that these commands were run on and any WINS replication partners.
%IPSEC_Command% -w REG -p "Block WINS Replication" –x
If you experience problems on the network after you enable this IPSec policy, you can unassign the policy and then delete the policy by using the following commands:
%IPSEC_Command% -w REG -p "Block WINS Replication" -y
%IPSEC_Command% -w REG -p "Block WINS Replication" -o
To allow WINS replication to function between specific WINS replication partners you must override these block rules with allow rules. The allow rules should specify the IP addresses of your trusted WINS replication partners only.
You can use the following commands to update the Block WINS Replication IPSec policy to allow specific IP addresses to communicate with the server that is using the Block WINS Replication policy.
Note In these commands, %IPSEC_Command% refers to Ipsecpol.exe (on Windows 2000) or Ipseccmd.exe (on Windows Server 2003), and %IP% refers to the IP address of the remote WINS server that you want to replicate with.
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Allow Inbound TCP Port 42 from %IP% Rule" -f %IP%=0:42:TCP -n PASS
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Allow Inbound UDP Port 42 from %IP% Rule" -f %IP%=0:42:UDP -n PASS
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Allow Outbound TCP Port 42 to %IP% Rule" -f 0=%IP%:42:TCP -n PASS
%IPSEC_Command% -w REG -p "Block WINS Replication" -r "Allow Outbound UDP Port 42 to %IP% Rule" -f 0=%IP%:42:UDP -n PASS
To assign the policy immediately, use the following command:
%IPSEC_Command% -w REG -p "Block WINS Replication" -x
Option 2: Run a script to automatically configure the IPSec filters
Download and then run the WINS Replication Blocker script that creates an IPSec policy to block the ports. To do this, follow these steps:
To download and extract the .exe files, follow these steps:
Download the WINS Replication Blocker script.
The following file is available for download from the Microsoft Download Center:
Download the WINS Replication Blocker script package now.
Release Date: December 2, 2004
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.
If you are downloading the WINS Replication Blocker script to a floppy disk, use a formatted blank disk. If you are downloading the WINS Replication Blocker script to your hard disk, create a new folder to temporarily save the file to and extract the file from.
Caution Do not download files directly to your Windows folder. This action could overwrite files that are required for your computer to operate correctly.
Locate the file in the folder that you downloaded it to, and then double-click the self-extracting .exe file to extract the contents to a temporary folder. For example, extract the contents to C:\Temp.
Open a command prompt, and then move to the directory where the files are extracted.
If you suspect that your WINS servers may be infected, but you are not sure what WINS servers are compromised or whether your current WINS server is compromised, do not enter any IP addresses in step 3. However, as of November 2004, we are not aware of any customers who have been affected by this issue. Therefore, if your servers are functioning as expected, continue as described.
If you incorrectly set up IPsec, you may cause serious WINS replication problems on your corporate network.
Run the Block_Wins_Replication.cmd file. To create the TCP port 42 and UDP port 42 inbound and outbound block rules, type
1 and then press ENTER to select option 1 when you are prompted to select the option that you want.
After you select option 1, the script prompts you to enter the IP addresses of the trusted WINS replication servers.
Each IP address that you enter is exempted from the blocking TCP port 42 and UDP port 42 policy. You are prompted in a loop, and you can enter as many IP addresses as needed. If you do not know all the IP addresses of the WINS replication partners, you can run the script again in the future. To start entering IP addresses of trusted WINS replication partners, type 2 and then press ENTER to select option 2 when you are prompted to select the that option you want.
After you deploy the security update, you can remove the IPSec policy. To do this, run the script. Type 3 and then press ENTER to select option 3 when you are prompted to select the option that you want.
For additional information about IPsec and about how to apply filters, click the following article number to view the article in the Microsoft Knowledge Base:
313190 How to use IPsec IP filter lists in Windows 2000
Remove WINS if you do not need it.
If you no longer need WINS, follow these steps to remove it. These steps apply to Windows 2000, Windows Server 2003, and later versions of these operating systems. For Windows NT Server 4.0, follow the procedure that is included in the product documentation.
Important Many organizations require WINS to perform single label or flat name registration and resolution functions on their network. Administrators should not remove WINS unless one of the following conditions is true:
The administrator fully understands the effect that removing WINS this will have on their network.
The administrator has configured DNS to provide the equivalent functionality by using fully qualified domain names and DNS domain suffixes.
Also, if an administrator is removing the WINS functionality from a server that will continue to provide shared resources on the network, the administrator must correctly reconfigure the system to use the remaining name resolution services like DNS on the local network.
For more information about WINS, visit the following Microsoft Web site:
http://technet2.microsoft.com/WindowsServer/en/library/2e0186ba-1a09-42b5-81c8-3ecca4ddde5e1033.mspx?mfr=true For more information about how to determine whether you need NETBIOS or WINS name resolution and DNS configuration, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver/en/library/55F0DFC8-AFC9-4096-82F4-B8345EAA1DBD1033.mspxTo remove WINS, follow these steps:
In Control Panel, open Add or Remove Programs.
Click Add/Remove Windows Components.
On the Windows Components Wizard page, under
Components, click Networking Services, and then click Details.
Click to clear the Windows Internet Naming Service (WINS) check box to remove WINS.
Follow the instructions on the screen to complete the Windows Components Wizard.
We are working on an update to address this security issue as part of our regular update process. When the update has reached an appropriate level of quality, we will provide the update through Windows Update.
If you believe that you have been affected, contact Product Support Services.
International customers should contact Product Support Services by using any method that is listed at the following Microsoft Web site: