I wanted to reach out and provide some detail on the bulletin that was released today. Microsoft Security Bulletin MS09-031 addresses a security vulnerability in ISA Server 2006 that can allow a remote unauthenticated user to access restricted resources in certain cases. We wanted to explain what that configuration was, how the vulnerability can manifest and what options you have if you use this configuration.
ISA server 2006 RTM, Supportability Update, Service Pack 1 that are configured as follows:
· The Web listener is configured for forms-based authentication (FBA) using RADIUS One-Time Passwords (OTP)
· The web publishing rule delegates using Kerberos Constrained Delegation (KCD)
· ISA is configured to allow fallback to HTTP-Basic authentication.
If you do not use RADIUS OTP with KCD, or you have disabled HTTP-Basic fallback for RADIUS OTP, you are not subject to this vulnerability.
· ISA Server 2000
· ISA Server 2004
· Forefront TMG
How the vulnerability works
When ISA Server 2006 is configured for FBA using RADIUS OTP and receives a request from a user agent that indicates a fall-back to HTTP-Basic authentication, ISA does not properly authenticate the request. If configured for KCD, ISA will proceed to use KCD for authentication to the published server without properly authenticating the connected user.
Options if you use RADIUS OTP with KCD
1. Apply the MS09-031 security update.
2. Apply ISA Server 2006 Service Pack 1 and disable HTTP-Basic fallback using the script in http://support.microsoft.com/kb/938966.
If you have ISA Server 2006 configured to use FBA and RADIUS OTP and your web publishing rule uses KCD, please apply the patch immediately. If you do not use FBA with RADIUS OTP and KCD, patch installation is less critical for your ISA Server.
In accordance with Microsoft Product Lifecycle policy, ISA Server 2006 RTM and ISA Server 2006 Supportability Pack are not supported after 14 July 2009. The update supplied in the MS09-031 bulletin is the last update that will be produced for ISA Server 2006 RTM or ISA Server 2006 Supportability Pack. ISA Server 2006 updates produced after 14 July 2009 will apply to ISA Server 2006 SP1 only.
David B. Cross
Product Unit Manager