Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Changes to WINS server behavior after you install the security update for WINS server


View products that this article applies to.

Introduction

Post installation behavior on server computers after you install the WINS server security update

The purpose of this Knowledge Base article is to educate users about scenarios that are affected by an impending change to WINS server functionality. We have tried to make this document as generic as possible. Please read this document in its entirety and use it to understand if and how your enterprise environment may be affected by this update.

For more information about the WINS server security update, click the following article number to view the article in the Microsoft Knowledge Base:
961064 MS09-008: Description of the security update for WINS server: March 10, 2009

↑ Back to the top


More information

Definitions table

TermDefinition
WINSWindows Internet Name Service
WPADWeb Proxy Auto-discovery Protocol
ISATAPIntra-Site Automatic Tunnel Addressing Protocol

An overview of the security issue

A design issue that affects client software that is configured to use Web Proxy Automatic Discovery (WPAD) can contact a host that serves a proxy automatic configuration file (Wpad.dat). A WPAD-configured client can look up a host by resolving the name WPAD to determine if the name WPAD corresponds to an entry in WINS. Malicious registration of a WPAD entry inside a corporate network could allow an attacker to control Internet Explorer configuration. A similar attack is possible by using the name ISATAP.

There are workarounds for the security problem. For example, you can register a reserved name host entry in the WINS database. The administrator must register the host name without registering an IP address, thereby reserving the name host entry.

Changes to WINS after you apply the security update

The following changes to WINS will occur after you apply the WINS security update:
  • The security update will automatically create a block list that will be used by WINS. Every name query request is checked against the block list and an empty response will be sent for the block listed name query.
  • By default, the block list contains WPAD, "WPAD.", and ISATAP.
  • If the WINS database already has any of these entries, then that entry is not put in the blocked list.
  • The administrator can configure and edit the block list in the registry. WINS service has to be restarted for the block list to be in effect.
  • The block list is stored in the registry for each server. There is no replication of block list entries across multiple servers.
  • The block list that is created for DNS differs from this block list.

Frequently asked questions

  1. What happens if I add static entries for WPAD, "WPAD.", and ISATAP in WINS?
    Answer: The queries for static entries will succeed. Only dynamically added entries are checked in the block list for every query.
  2. What happens if I upgrade my WINS server to LH server?
    Answer: WINS server that has valid entries of WPAD, "WPAD.", and ISATAP will continue to function as before.
  3. What if I delete the entries of the block list in the registry?
    Answer: All queries to WPAD, "WPAD.", and ISATAP will succeed after a service restart if there is an entry for WPAD, "WPAD.", and ISATAP in WINS database at the time of the service restart. If WPAD, "WPAD.", and ISATAP entries are not present in the WINS database at the start of the service, the default values are repopulated in the registry.
  4. What is the location of the registry entry for the block list?
    Answer: The block list uses the QueryBlockList REG_MULTI_SZ entry in the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WINS\Parameters\QueryBlockList
  5. What if I add an entry "SAMPLE" to the block list in the registry?
    Answer: All queries to "SAMPLE" will fail as soon as the service is restarted after you add the entry.
  6. What happens if I already have an entry for "SAMPLE" in the WINS database, and I also add "SAMPLE" in the blocked list?
    Answer: Queries to "SAMPLE" will fail.
  7. What happens if I add a static entry for WPAD, "WPAD.", and ISATAP to WINS database after I apply the WINS server security update?
    Answer: Queries to WPAD, "WPAD.", and ISATAP will succeed.
  8. I have a WPAD server deployed in my network. Will I be affected?
    Answer: No. WPAD will not be blocked. Only ISATAP will be added in the blocked list.

↑ Back to the top


Keywords: kbnosurvey, kbarchive, kbexpertiseinter, kbsecurity, kbsecvulnerability, kbsurveynew, KB968731

↑ Back to the top

Article Info
Article ID : 968731
Revision : 2
Created on : 1/16/2015
Published on : 1/16/2015
Exists online : False
Views : 470