Microsoft Security Advisory: Extended protection for authentication

Symptoms
Microsoft has released security advisory 973811. To view the complete security advisory, visit the following Microsoft website:
http://www.microsoft.com/technet/security/advisory/973811.mspx

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update
(http://support.microsoft.com/ph/6527)
Security solutions for IT professionals: TechNet Security Troubleshooting and Support
(http://technet.microsoft.com/security/bb980617.aspx)
Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
(http://support.microsoft.com/contactus/cu_sc_virsec_master)
Local support according to your country: International Support
(http://support.microsoft.com/common/international.aspx)

Resolution
How do I configure .NET to utilize Extended Protection for Authentication?

Here are the steps for enabling Extended Protection for the Microsoft .NET Framework 2.0 Service Pack 2, .NET Framework 3.0 Service Pack 2, and .NET Framework 3.5 SP1.

For .NET Framework 2.0 Service Pack 2 (Network Class Library)

Extended protection can be turned on by setting properties on HttpListener. For more information, visit the following Microsoft MSDN websites:
HttpListener.ExtendedProtectionPolicy
(http://msdn.microsoft.com/en-us/library/system.net.httplistener.extendedprotectionpolicy(v=VS.100).aspx)
HttpListener.ExtendedProtectionSelectorDelegate
(http://msdn.microsoft.com/en-us/library/system.net.httplistener.extendedprotectionselectordelegate(v=VS.100).aspx)
HttpListener.DefaultServiceNames
(http://msdn.microsoft.com/en-us/library/system.net.httplistener.defaultservicenames(v=VS.100).aspx)

If NegotiateStream is used, the appropriate overloads of [Begin]AuthenticateAsServer and [Begin]AuthenticateAsClient must be used. For more information, visit the following Microsoft MSDN websites:
http://msdn.microsoft.com/en-us/library/dd413524(v=VS.100).aspx
http://msdn.microsoft.com/en-us/library/dd413526(v=VS.100).aspx
http://msdn.microsoft.com/en-us/library/dd413525(v=VS.100).aspx
http://msdn.microsoft.com/en-us/library/dd413527(v=VS.100).aspx
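As an added illustration (this code is not from the KB article or from Microsoft), the following C# program turns on extended protection on an HttpListener by using the three HttpListener properties listed above. The HTTPS prefix on port 8443, the /admin path and the extra service name HTTP/app.example.internal are placeholders; the program assumes a Windows version with the SSPI update installed and a TLS certificate already bound to the port.

```csharp
using System;
using System.Net;
using System.Security.Authentication.ExtendedProtection;

// Added example, not from the KB article. Prefix, port, path and the extra SPN are placeholders.
static class EpaHttpListenerExample
{
    static void Main()
    {
        var listener = new HttpListener();
        // Placeholder prefix. HTTPS is used so that the channel binding token (CBT) of the
        // TLS session exists and the Windows authentication can be bound to it.
        listener.Prefixes.Add("https://+:8443/");
        listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;

        // DefaultServiceNames is derived from the registered prefixes. A client that reaches
        // the service through another host name must find its SPN in the list, so a
        // placeholder alias is merged in; Merge returns a new collection.
        ServiceNameCollection names = listener.DefaultServiceNames.Merge("HTTP/app.example.internal");

        // ExtendedProtectionPolicy and ExtendedProtectionSelectorDelegate are alternatives on
        // one listener (set one of them, before Start). The delegate is used here because it
        // lets the policy differ per request.
        listener.ExtendedProtectionSelectorDelegate = request =>
        {
            bool sensitive = request.Url.AbsolutePath.StartsWith("/admin", StringComparison.OrdinalIgnoreCase);
            // Always: a client that presents neither a CBT nor a matching SPN is refused.
            // WhenSupported: enforced only for clients that support extended protection
            // (SSPI update installed); older clients still authenticate.
            PolicyEnforcement enforcement = sensitive ? PolicyEnforcement.Always : PolicyEnforcement.WhenSupported;
            // TransportSelected: TLS terminates in this process, so the CBT is validated.
            // Use ProtectionScenario.TrustedProxy when TLS terminates at a front-end proxy;
            // only the service name is validated in that case.
            return new ExtendedProtectionPolicy(enforcement, ProtectionScenario.TransportSelected, names);
        };

        listener.Start();
        Console.WriteLine("Listening with extended protection; Ctrl+C to stop.");
        while (true)
        {
            // A request whose authentication fails the policy is answered with 401 by the
            // listener itself; only successfully bound identities reach this point.
            HttpListenerContext ctx = listener.GetContext();
            string user = ctx.User != null ? ctx.User.Identity.Name : "(anonymous)";
            string spn = ctx.Request.ServiceName ?? "(none)";
            byte[] body = System.Text.Encoding.UTF8.GetBytes("Hello " + user + " via " + spn);
            ctx.Response.ContentLength64 = body.Length;
            ctx.Response.OutputStream.Write(body, 0, body.Length);
            ctx.Response.Close();
        }
    }
}
```

WhenSupported is the migration setting: it checks updated clients without breaking clients that lack the SSPI update. Always is the end state once every client has the update and the KB 968389 registry settings, because only then does refusing unbound authentication stop being a denial of service against legitimate users.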

In addition to the recommendations in these Microsoft websites, follow these steps:
1. On the client side, install the Extended Protection for Authentication update for Security Support Provider Interface (SSPI). This update changes SSPI to improve Windows authentication. Additionally, this update prevents credentials from being forwarded. After you install this update, you must implement the registry settings that are described in Microsoft Knowledge Base (KB) article 968389 to enable extended protection. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
968389 (http://support.microsoft.com/kb/968389/) Extended Protection for Authentication
2. On the server side, install the Extended Protection for Authentication update for the HTTP Protocol Stack.

For .NET Framework 2.0 Service Pack 2 (ASP.NET)

No special action is required in order to use Extended Protection.

For .NET Framework 3.0 Service Pack 2 (WCF)

To enable the Extended Protection for Authentication feature in WCF, follow these steps:
1. On the client side, install the Extended Protection for Authentication update for SSPI, and then implement the registry settings that are described in KB article 968389, exactly as described for the Network Class Library above.
968389 (http://support.microsoft.com/kb/968389/) Extended Protection for Authentication
2. On the server side, install the Extended Protection for Authentication update for the HTTP Protocol Stack. Install the Extended Protection for Authentication update for Internet Information Services (IIS) when IIS is installed. After you install the update, follow the instructions in KB article 973917 to configure extended protection in IIS. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
973917 (http://support.microsoft.com/kb/973917/) Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS)
970430 (http://support.microsoft.com/kb/970430/) Description of the update that implements Extended Protection for Authentication in the HTTP Protocol Stack (http.sys)
3. Use the ExtendedProtectionPolicy class in WCF to represent the extended protection policy that the server uses to validate incoming client connections. The class can be applied only when the security mode is set to Transport mode or to TransportWithMessageCredential mode. The following sample shows the configuration in a binding element of a service config file:

<binding>
  ...
  <security mode="Transport">
    <transport ...>
      <extendedProtectionPolicy policyEnforcement="WhenSupported" />
    </transport>
  </security>
</binding>

For more information about the Extended Protection for Authentication feature, visit the following Microsoft TechNet website:
Extended Protection for Authentication
(http://blogs.technet.com/b/srd/archive/2009/12/08/extended-protection-for-authentication.aspx)
For more configuration information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Article number   Article title
982532 (http://support.microsoft.com/kb/982532/)   Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and on Windows Server 2008 Service Pack 1 (976767 and 980843): June 8, 2010
982533 (http://support.microsoft.com/kb/982533/)   Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 2 and on Windows Server 2008 Service Pack 2 (976768 and 980842): June 8, 2010
982535 (http://support.microsoft.com/kb/982535/)   Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 1 and on Windows Server 2008 Service Pack 1 (976767, 980843, and 976771): June 8, 2010
982536 (http://support.microsoft.com/kb/982536/)   Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows Vista Service Pack 2 and on Windows Server 2008 Service Pack 2 (976768, 980842, and 976772): June 8, 2010
982167 (http://support.microsoft.com/kb/982167/)   Description of the rollup update for the .NET Framework 3.5 Service Pack 1 and the .NET Framework 2.0 Service Pack 2 on Windows XP and on Windows Server 2003 (976765 and 980773): June 8, 2010
982168 (http://support.microsoft.com/kb/982168/)   Description of the rollup update for the .NET Framework 3.5 Service Pack 1 on Windows XP and on Windows Server 2003 (976765, 980773 and 976769): June 8, 2010
2262911 (http://support.microsoft.com/kb/2262911/)   "Could not load type 'System.Security.Authentication.ExtendedProtection.ExtendedProtectionPolicy'" exception error after you install update 982167 or update 982168
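The extendedProtectionPolicy element shown in the sample config above can also be set in code. The following is an added example (not from the KB article or from Microsoft) that builds a WSHttpBinding in Transport mode with Windows client credentials and applies the same WhenSupported policy through HttpTransportSecurity.ExtendedProtectionPolicy. The IEcho contract, the EchoService class and the address https://localhost:8443/echo are placeholders; an HTTPS certificate bound to that port is assumed.

```csharp
using System;
using System.Security.Authentication.ExtendedProtection;
using System.ServiceModel;

// Added example, not from the KB article. Contract, service and address are placeholders.
[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text) { return text; }
}

static class WcfEpaExample
{
    // Builds a transport-secured binding that authenticates clients with Windows
    // credentials and carries the requested extended protection policy. The policy
    // lives on the transport security element, which is why it applies only in
    // Transport and TransportWithMessageCredential modes: in Message mode there is no
    // HTTPS/Windows transport authentication for the channel binding to attach to.
    public static WSHttpBinding CreateBinding(PolicyEnforcement enforcement)
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        binding.Security.Transport.ExtendedProtectionPolicy = new ExtendedProtectionPolicy(enforcement);
        return binding;
    }

    static void Main()
    {
        // Placeholder address.
        var host = new ServiceHost(typeof(EchoService), new Uri("https://localhost:8443/echo"));
        // WhenSupported mirrors the config element in the KB: clients with the SSPI update
        // are checked, clients without it still authenticate. Move to PolicyEnforcement.Always
        // once all clients are updated.
        host.AddServiceEndpoint(typeof(IEcho), CreateBinding(PolicyEnforcement.WhenSupported), "");
        host.Open();
        Console.WriteLine("Service running with extended protection; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Setting the policy in code and in configuration are equivalent; the code form is useful when the binding is constructed programmatically and there is no service config file to carry the element.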

An ADO application does not run on down-level operating systems after you recompile it on a computer that is running Windows 7 SP1 or Windows Server 2008 R2 SP1 or that has KB983246 installed

Symptoms
Consider the following scenario. On a computer that is running Windows 7 Service Pack 1 (SP1) or Windows Server 2008 R2 SP1, or that has KB983246 installed, you recompile a Microsoft ActiveX Data Objects (ADO) application by using one of the following:
- Microsoft Visual C++
- Microsoft Visual Basic for Applications (VBA)
- Microsoft Visual Basic 6
- Microsoft .NET applications
In this scenario, the application does not run on down-level operating systems. For example, it does not run on the release version of Windows 7, on Windows Vista, or on other earlier versions of Windows. Depending on your implementation, you also receive an error message that resembles one of the following. (You may receive other error messages.)

Error message 1
REGDB_E_CLASSNOTREG (0x80040154)

Error message 2
E_POINTER (0x80004003)

Error message 3
E_NOINTERFACE (0x80004002)

Error message 4
Unable to cast COM object of type 'System.__ComObject' to interface type 'ADODB.Connection'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{00001550-0000-0010-8000-00AA006D2EA4}' failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE)).

The following Visual C++ code segment replicates this issue.

#include <windows.h>
#import "msado15.dll" no_namespace rename("EOF", "EndOfFile")

int main()
{
    CoInitialize(NULL);
    _ConnectionPtr pConnection = NULL;
    // hr gets E_NOINTERFACE here on a down-level OS: the _Connection IID that was
    // compiled into the binary on Windows 7 SP1 is not registered there.
    HRESULT hr = pConnection.CreateInstance(__uuidof(Connection));
    pConnection = NULL;
    CoUninitialize();
    return SUCCEEDED(hr) ? 0 : 1;
}

The following Visual Basic for Applications code segment replicates this issue.

Private Sub Form_Load()
    Dim Conn As New ADODB.Connection ' Run-time error here: Class does not support Automation or does not support expected interface
End Sub

VBA error: Run-time error '430': Class does not support Automation or does not support expected interface
Note Microsoft no longer supports the primary interop assembly for ADO and no longer supports Visual Basic 6. For more information about Visual Basic 6 supportability, visit the following MSDN webpage:
Support Statement for Visual Basic 6.0 on Windows Vista, Windows Server 2008 and Windows 7
(http://msdn.microsoft.com/en-us/vbasic/ms788708.aspx)
For more information about the primary interop assembly for ADO supportability, click the following article number to view the article in the Microsoft Knowledge Base:
318559 (http://support.microsoft.com/kb/318559/) Using the primary interop assembly for ADO (ADODB) in Visual Studio .NET
Resolution
This issue occurs because some ADO interfaces were changed in Windows 7 SP1 to be associated with new interface identifiers (IIDs). The older interfaces were given the suffix _Deprecated. For example, the interface _Connection was updated as follows:
- In Windows 7 and in earlier versions of Windows, the _Connection IID is 00000550-0000-0010-8000-00AA006D2EA4.
- In Windows 7 SP1, the _Connection IID is 00001550-0000-0010-8000-00AA006D2EA4, and the IID for _Connection_Deprecated is 00000550-0000-0010-8000-00AA006D2EA4.
If your application uses early binding to _Connection, the new IID is stored in the application binary during compilation. This causes an error when the application runs on a down-level operating system, because that IID does not exist there.
Some ADO APIs are platform-dependent in ADO 2.7 and in later versions. On 64-bit versions of Windows, these ADO APIs process arguments by using a 64-bit data type (such as the LONGLONG data type). However, applications that use these APIs still use the LONG data type. Therefore, you receive a "Type Mismatch" error message when you try to run the macro.

MS13-093: Vulnerability in Windows ancillary function driver could allow information disclosure: November 12, 2013

Symptoms
Microsoft has released security bulletin MS13-093. To view the complete security bulletin, visit one of the following Microsoft websites:
Home users:
http://www.microsoft.com/security/pc-security/updates.aspx
Skip the details: Download the updates for your home computer or laptop from the Microsoft Update website now:
http://update.microsoft.com/microsoftupdate/
IT professionals:
http://technet.microsoft.com/security/bulletin/MS13-093

Resolution
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Windows Server 2003 file information

The files that apply to a specific milestone (SPn) and service branch (QFE, GDR) are noted in the "SP requirement" and "Service branch" columns. GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes. In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.

For all supported x64-based versions of Windows Server 2003 and of Windows XP Professional x64 edition

File name   File version    File size   Date         Time    Platform
Afd.sys     5.2.3790.5217   292,352     05-Sep-2013  02:23   x64

For all supported IA-64-based versions of Windows Server 2003

File name   File version    File size   Date         Time    Platform
Afd.sys     5.2.3790.5217   583,680     05-Sep-2013  02:23   IA-64

MS10-046: Vulnerability in Windows Shell could allow remote code execution

Symptoms
Microsoft has released security bulletin MS10-046. To view the complete security bulletin, visit one of the following Microsoft websites:
Home users:
http://www.microsoft.com/security/updates/bulletins/201008.aspx
Skip the details: Download the updates for your home computer or laptop from the Microsoft Update website now:
http://update.microsoft.com/microsoftupdate/
IT professionals:
http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx

Resolution
Note We do not recommend that you use this Fix it now that security bulletin MS10-046 is available. We strongly recommend that customers deploy the security update instead. However, the Fix it remains available so that customers can deploy it in situations where the security update cannot be immediately installed, and so that they can undo the Fix it after they install the security update.
To implement the workaround that disables .lnk and .pif file functionality automatically on a computer that is running Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2, click the Fix this problem link under Enable workaround. To undo the workaround, click the Fix this problem link under Disable workaround. In either scenario, click Run in the File Download dialog box, and follow the steps in the Fix it Wizard.
Note After you apply the Fix it, you must restart the computer. After the Fix it is installed, the user is prompted before the system is restarted. Enterprise deployments allow for unattended install with the following display options:

/quiet          Quiet mode, no user interaction
/passive        Unattended mode, progress bar only
/q[n|b|r|f]     Sets user interface level:
                n - No UI
                b - Basic UI
                r - Reduced UI
                f - Full UI (default)

Restart options:

/norestart      Do not restart after the installation is complete
/promptrestart  Prompts the user for restart if necessary
/forcerestart   Always restart the computer after installation

Note Applying the Fix it removes the graphical representation of icons on the Task bar and on the Start menu and replaces them with plain white icons.
Before you apply the Fix it, the icons on the desktop appear as follows:
[Image: desktop icons before the Fix it is applied]

After you apply the Fix it, the icons appear on the task bar as follows:
[Image: task bar icons after the Fix it is applied]

After you apply the Fix it, the icons appear on the Start menu bar as follows:
[Image: Start menu icons after the Fix it is applied]

Enable workaround: Fix this problem (Microsoft Fix it 50486)
Disable workaround: Fix this problem (Microsoft Fix it 50487)

Note This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
Note If you are not on the computer that has the problem, save the Fix it solution to a flash drive or to a CD, and then run it on the computer that has the problem.
Next, go to the "Did this fix the problem?" section.

DNS Host record of a computer is deleted after you change the DNS server assignment

Symptoms
Consider the following scenario:
- You configure two DNS servers in a domain.
- You create Active Directory-integrated DNS zones, and then you enable dynamic update on both DNS servers.
- You join a computer that is running one of the following operating systems to the domain: Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.
- You configure the computer to use one of the DNS servers in the domain.
- You change the DNS server assignment of the computer to the other DNS server in the domain.
- You perform one of the following operations on the client computer: you restart the computer, you restart the DNS Client service, or you run the ipconfig /registerdns command.
In this scenario, the DNS Host record of the computer is deleted from the DNS server. Therefore, name resolution issues occur.
For example, you change the DNS server assignment of an Exchange server. Subsequently, the Host record of the Exchange server is deleted. In this scenario, users cannot connect to the Exchange server.

Resolution
This issue is caused by a defect in the DNS Client service. When the DNS server configuration is changed on a client, the DNS Client service deletes the DNS host record of the client from the old DNS server and then adds it to the new DNS server. Because the record is already present on the new server, which is part of the same domain, the record is not updated there. However, the old DNS server replicates the deletion to the new DNS server and to the other DNS servers. Therefore, the new DNS server deletes the record, and the record is deleted across the domain.
