
Changes to WINS server behavior after you install the security update for WINS server



Introduction

Post installation behavior on server computers after you install the WINS server security update

The purpose of this Knowledge Base article is to educate users about scenarios that are affected by an impending change to WINS server functionality. We have tried to make this document as generic as possible. Please read this document in its entirety and use it to understand if and how your enterprise environment may be affected by this update.

For more information about the WINS server security update, see the following article in the Microsoft Knowledge Base:
961064 MS09-008: Description of the security update for WINS server: March 10, 2009



More information

Definitions table

Term      Definition
WINS      Windows Internet Name Service
WPAD      Web Proxy Auto-discovery Protocol
ISATAP    Intra-Site Automatic Tunnel Addressing Protocol

An overview of the security issue

A design issue affects client software that is configured to use Web Proxy Automatic Discovery (WPAD) to contact a host that serves a proxy automatic configuration file (Wpad.dat). A WPAD-configured client can look up the host by resolving the name WPAD, checking whether the name WPAD corresponds to an entry in WINS. Malicious registration of a WPAD entry inside a corporate network could allow an attacker to control Internet Explorer configuration. A similar attack is possible by using the name ISATAP.

There are workarounds for the security problem. For example, you can register a reserved name host entry in the WINS database. The administrator must register the host name without registering an IP address, thereby reserving the name host entry.

Changes to WINS after you apply the security update

The following changes to WINS will occur after you apply the WINS security update:
  • The security update automatically creates a block list that WINS uses. Every name query request is checked against the block list, and an empty response is sent for any query for a block-listed name.
  • By default, the block list contains WPAD, "WPAD.", and ISATAP.
  • If the WINS database already has any of these entries, that entry is not put in the block list.
  • The administrator can configure and edit the block list in the registry. The WINS service has to be restarted for the block list to take effect.
  • The block list is stored in the registry for each server. There is no replication of block list entries across multiple servers.
  • The block list that is created for DNS differs from this block list.

Frequently asked questions

  1. What happens if I add static entries for WPAD, "WPAD.", and ISATAP in WINS?
    Answer: The queries for static entries will succeed. Only dynamically added entries are checked in the block list for every query.
  2. What happens if I upgrade my WINS server to LH server?
    Answer: A WINS server that has valid entries of WPAD, "WPAD.", and ISATAP will continue to function as before.
  3. What if I delete the entries of the block list in the registry?
    Answer: All queries to WPAD, "WPAD.", and ISATAP will succeed after a service restart if there is an entry for WPAD, "WPAD.", and ISATAP in WINS database at the time of the service restart. If WPAD, "WPAD.", and ISATAP entries are not present in the WINS database at the start of the service, the default values are repopulated in the registry.
  4. What is the location of the registry entry for the block list?
    Answer: The block list uses the QueryBlockList REG_MULTI_SZ entry in the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WINS\Parameters\QueryBlockList
  5. What if I add an entry "SAMPLE" to the block list in the registry?
    Answer: All queries to "SAMPLE" will fail as soon as the service is restarted after you add the entry.
  6. What happens if I already have an entry for "SAMPLE" in the WINS database, and I also add "SAMPLE" in the blocked list?
    Answer: Queries to "SAMPLE" will fail.
  7. What happens if I add a static entry for WPAD, "WPAD.", and ISATAP to WINS database after I apply the WINS server security update?
    Answer: Queries to WPAD, "WPAD.", and ISATAP will succeed.
  8. I have a WPAD server deployed in my network. Will I be affected?
    Answer: No. WPAD will not be blocked. Only ISATAP will be added in the blocked list.
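
Because the block list is stored per server and is not replicated, it has to be checked on every WINS server separately. The following PowerShell is an added example, not part of the original Microsoft article; the server names are placeholders, and reading the value remotely assumes the Remote Registry service is reachable from the administrator's workstation.

```powershell
# Added example: audit the WINS query block list on each server.
# Server names are placeholders (assumption); the key, value name and
# default entries are the ones given in this article.
$Servers   = @('wins01.example.test', 'wins02.example.test')
$SubKey    = 'SYSTEM\CurrentControlSet\Services\WINS\Parameters'
$ValueName = 'QueryBlockList'              # REG_MULTI_SZ
$Expected  = @('WPAD', 'WPAD.', 'ISATAP')  # defaults created by the update

function Test-WinsQueryBlockList {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Needs the Remote Registry service on the target (assumption).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hklm.OpenSubKey($SubKey)   # read-only
        $raw = if ($key) { $key.GetValue($ValueName) } else { $null }
        if ($key) { $key.Close() }
    }
    finally { $hklm.Close() }

    $names = @($raw | Where-Object { $_ }) # empty when the value is absent
    [pscustomobject]@{
        Server       = $ComputerName
        ValuePresent = ($null -ne $raw)
        # A default name missing here can mean the name already existed in
        # the WINS database when the update was installed: review that record.
        Missing      = @($Expected | Where-Object { $names -notcontains $_ }) -join ', '
        # Names an administrator added; queries for them get an empty response.
        Extra        = @($names | Where-Object { $Expected -notcontains $_ }) -join ', '
    }
}

$report = foreach ($server in $Servers) {
    try { Test-WinsQueryBlockList -ComputerName $server }
    catch {
        [pscustomobject]@{
            Server = $server; ValuePresent = $null
            Missing = 'unknown'; Extra = "error: $($_.Exception.Message)"
        }
    }
}
$report | Format-Table -AutoSize
```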


Article Info
Article ID : 968731
Revision : 2
Created on : 1/16/2015
Published on : 1/16/2015