RE: [ActiveDir] MS04-004
Let me ask you this - are they accessing OWA over an SSL connection? Not that it matters - since you're encapsulating the username and password as part of the URL, it's not secure. IIRC, the URL is NEVER encrypted via SSL. So, you're passing username and password in clear text.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 4:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Until we can do it another way it is a huge deal here at my company with over hundreds of people accessing Outlook Web Access this way from home or remote locations.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 4:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

I concur. And frankly, those aren't all that secure to begin with, so I don't see it as a huge deal.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 4:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

It should only affect URLs that embed user names and passwords. Otherwise, I don't see anything that would bugger up basic authentication. But let us know what you find on your test bench...

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] MS04-004
You should be able to rewrite the button to post their username and password rather than URL encapsulate that data. I know one of our cross-system apps does that.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 12, 2004 8:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

NO, they click on a button that does it for them.

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

So your users can remember to type http://username:[EMAIL PROTECTED]/resource

But they can't remember to type http://servername.domain.com/resource and then enter their username and password when prompted?

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 2:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Until we can do it another way it is a huge deal here at my company with over hundreds of people accessing Outlook Web Access this way from home or remote locations.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 4:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

I concur. And frankly, those aren't all that secure to begin with, so I don't see it as a huge deal.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 4:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

It should only affect URLs that embed user names and passwords. Otherwise, I don't see anything that would bugger up basic authentication. But let us know what you find on your test bench...

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

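Added example, not part of any message in this thread: one way to inventory pages and scripts that still rely on the URL form the patch drops, so the affected buttons and links can be reworked as suggested in the message above. The sample HTML, host names, credentials and the `audit` helper are constructed for illustration; the default scheme list follows the KB834489 reading quoted in the thread, and `ftp` can be added since the thread disagrees on it.

```python
"""Find http(s) URLs that embed credentials in HTML or script text."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Candidate URLs anywhere in the text: href/src/action values, onclick
# handlers, inline script. Quotes, whitespace and angle brackets end a URL.
URL_RE = re.compile(r"""\b(?:https?|ftp)://[^\s"'<>]+""", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int           # 1-based line number in the audited text
    scheme: str
    username: str
    has_password: bool  # the password itself is never stored or printed
    clean_url: str      # same URL with the userinfo part removed


def inspect_url(raw, lineno, affected_schemes):
    """Return a Finding if raw carries userinfo in an affected scheme."""
    try:
        parts = urlsplit(raw)
    except ValueError:
        return None  # malformed authority (e.g. bad IPv6 literal)
    scheme = parts.scheme.lower()
    # Only the authority component counts: an '@' in the path or query
    # (for example ?q=owner@example.com) is not an embedded credential.
    if scheme not in affected_schemes or "@" not in parts.netloc:
        return None
    userinfo, _, hostport = parts.netloc.rpartition("@")
    username, colon, _password = userinfo.partition(":")
    clean = urlunsplit(
        (parts.scheme, hostport, parts.path, parts.query, parts.fragment)
    )
    return Finding(lineno, scheme, username, bool(colon), clean)


def audit(text, affected_schemes=("http", "https")):
    """Scan text line by line and return a list of Finding objects."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            finding = inspect_url(match.group(0), lineno, affected_schemes)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample page (not taken from the thread).
SAMPLE_HTML = """\
<html><body>
<a href="https://mail.example.com/exchange/">OWA (prompts for login)</a>
<input type="button" value="Open mail"
       onclick="window.open('http://jdoe:Winter04@mail.example.com/exchange/')">
<a href="https://jdoe:Winter04@mail.example.com/exchange/">OWA over SSL</a>
<a href="ftp://anonymous:guest@ftp.example.com/pub/">FTP drop</a>
<a href="http://intranet.example.com/search?q=owner@example.com">search</a>
</body></html>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML):
        print(f"line {f.line}: {f.scheme} link embeds credentials for "
              f"user '{f.username}'; replace with {f.clean_url}")
```
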
RE: [ActiveDir] MS04-004
We realize that; however, with Exchange 5.5 there is really no other way that we are aware of until we migrate to Exchange 2003, which is getting under way.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 13, 2004 8:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Let me ask you this - are they accessing OWA over an SSL connection? Not that it matters - since you're encapsulating the username and password as part of the URL, it's not secure. IIRC, the URL is NEVER encrypted via SSL. So, you're passing username and password in clear text.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 4:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Until we can do it another way it is a huge deal here at my company with over hundreds of people accessing Outlook Web Access this way from home or remote locations.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 4:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

I concur. And frankly, those aren't all that secure to begin with, so I don't see it as a huge deal.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 4:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

It should only affect URLs that embed user names and passwords. Otherwise, I don't see anything that would bugger up basic authentication. But let us know what you find on your test bench...

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

RE: [ActiveDir] MS04-004
Thanks

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS04-004

It works via FTPing thru IE and entering a username/password in the dialog box.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 4:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

If it applies to ftp then how are people going to FTP?

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS04-004

According to Russ Cooper on NTBugtraq, it does.

-----Original Message-----
From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

RE: [ActiveDir] MS04-004
NO, they click on a button that does it for them.

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

So your users can remember to type http://username:[EMAIL PROTECTED]/resource

But they can't remember to type http://servername.domain.com/resource and then enter their username and password when prompted?

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 2:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Until we can do it another way it is a huge deal here at my company with over hundreds of people accessing Outlook Web Access this way from home or remote locations.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 4:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

I concur. And frankly, those aren't all that secure to begin with, so I don't see it as a huge deal.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 4:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

It should only affect URLs that embed user names and passwords. Otherwise, I don't see anything that would bugger up basic authentication. But let us know what you find on your test bench...

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

RE: [ActiveDir] MS04-004
Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

RE: [ActiveDir] MS04-004
According to Russ Cooper on NTBugtraq, it does.

-----Original Message-----
From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

RE: [ActiveDir] MS04-004
According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

RE: [ActiveDir] MS04-004
Is there any way to permit the basic authentication after it is installed?

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

RE: [ActiveDir] MS04-004
So does this have any effect on the dialog box IE shows you for basic auth? Does that still work?

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

RE: [ActiveDir] MS04-004
It should only affect URLs that embed user names and passwords. Otherwise, I don't see anything that would bugger up basic authentication. But let us know what you find on your test bench...

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

RE: [ActiveDir] MS04-004
If it applies to ftp then how are people going to FTP?

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS04-004

According to Russ Cooper on NTBugtraq, it does.

-----Original Message-----
From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

RE: [ActiveDir] MS04-004
That still works, it is only, as far as I can tell, when you try to use basic authentication through http or https (http://username:[EMAIL PROTECTED]/resource)

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS04-004

So does this have any effect on the dialog box IE shows you for basic auth? Does that still work?

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too? On the SMS list one guy says it does and others say it doesn't. I haven't deployed the patch yet but plan on doing it soon.

Mike

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp

The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

RE: [ActiveDir] MS04-004
What we have seen is that the urlmon.dll will get de-registered when this patch (and a few others in the past) gets installed. We placed the following line in our Machine startup script so that when users get the problem with blank pop up boxes they just reboot to fix it.

    Regsvr32 urlmon.dll

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, February 11, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS04-004

So does this have any effect on the dialog box IE shows you for basic auth? Does that still work?

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too. On the SMS list one guy says it does and others say it doesn't? I haven't deployed the patch yet but plan on doing it soon.

Mike

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp
The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Re: [ActiveDir] MS04-004
Celone, Mike wrote:

Anyone know if this also applies to ftp connections too. On the SMS list one guy says it does and others say it doesn't? I haven't deployed the patch yet but plan on doing it soon.

It doesn't affect FTP

--
Tomasz Onyszko [MVP]- [EMAIL PROTECTED]
http://www.w2k.pl
RE: [ActiveDir] MS04-004
I concur. And frankly, those aren't all that secure to begin with, so I don't see it as a huge deal.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 4:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

It should only affect URLs that embed user names and passwords. Otherwise, I don't see anything that would bugger up basic authentication. But let us know what you find on your test bench...

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 1:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too. On the SMS list one guy says it does and others say it doesn't? I haven't deployed the patch yet but plan on doing it soon.

Mike

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp
The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] MS04-004
It applies to ftp only so far as people entering or clicking on authenticated FTP links in IE: ftp://user:[EMAIL PROTECTED]/ will fail

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 4:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

If it applies to ftp then how are people going to FTP?

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS04-004

According to Russ Cooper on NTBugtraq, it does.

-Original Message-
From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too. On the SMS list one guy says it does and others say it doesn't? I haven't deployed the patch yet but plan on doing it soon.

Mike

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp
The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Re: [ActiveDir] MS04-004
Salandra, Justin A. wrote:

Is there any way to permit the basic authentication after it is installed?

This patch doesn't remove support, but it gives you a decision: you want or you don't want to use URLs in http(s)://user:[EMAIL PROTECTED] This is well described in KB834489 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q834489

By default this patch blocks this behaviour for Internet Explorer and Windows Explorer, but you can use registry entries to control it for other applications. For IE and Windows Explorer I've prepared a sample reg file which allows URLs in this format: http://www.w2k.pl/downloads/disablepassword.reg

--
Tomasz Onyszko [MVP]- [EMAIL PROTECTED]
http://www.w2k.pl
RE: [ActiveDir] MS04-004
Just finished testing it. It works fine with the dialog box.

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 4:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

It should only affect URLs that embed user names and passwords. Otherwise, I don't see anything that would bugger up basic authentication. But let us know what you find on your test bench...

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 1:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too. On the SMS list one guy says it does and others say it doesn't? I haven't deployed the patch yet but plan on doing it soon.

Mike

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp
The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Re: [ActiveDir] MS04-004
Salandra, Justin A. wrote:

If it applies to ftp then how are people going to FTP?

If you don't supply user credentials in the FTP URL, IE simply shows you a window where you can enter your username and password. MS04-004 blocks only a specific URL syntax, not basic authentication at all.

--
Tomasz Onyszko [MVP]- [EMAIL PROTECTED]
http://www.w2k.pl
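A pre-deployment inventory for the URL syntax discussed in this thread, as an added example (not code from any list member or from Microsoft): it sorts links gathered from bookmarks, shortcuts or intranet pages into those that embed credentials and returns the credential-free replacement for each. The sample links and the names `classify` and `audit` are constructed for illustration; FTP links are reported separately because the thread does not agree on whether they are affected.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Schemes for which the thread, citing KB834489, says IE stops accepting
# user:password@host links once the MS04-004 update is installed.
BLOCKED_SCHEMES = {"http", "https"}
# List members disagree about FTP links opened in IE, so report them apart.
DISPUTED_SCHEMES = {"ftp"}


def classify(url):
    """Classify one link and return a finding dict.

    status is "ok" (no embedded credentials), "blocked" (http/https with
    userinfo), "disputed" (ftp with userinfo) or "other" (any other scheme
    with userinfo). The password is never copied into the finding.
    """
    url = url.strip()
    parts = urlsplit(url)
    # Userinfo is everything before the LAST "@" of the authority part;
    # an "@" in the path or query is not userinfo and is left alone.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return {"status": "ok", "url": url, "user": None, "has_password": False}

    user, colon, _password = userinfo.partition(":")
    cleaned = urlunsplit(
        (parts.scheme, hostport, parts.path, parts.query, parts.fragment)
    )
    if parts.scheme in BLOCKED_SCHEMES:
        status = "blocked"
    elif parts.scheme in DISPUTED_SCHEMES:
        status = "disputed"
    else:
        status = "other"
    return {
        "status": status,
        "url": cleaned,                # what users should open instead
        "user": unquote(user),         # e.g. DOMAIN%5Cjdoe -> DOMAIN\jdoe
        "has_password": bool(colon),   # a password was stored in the link
    }


def audit(links):
    """Group links that embed credentials by status; clean links are skipped."""
    report = {}
    for link in links:
        finding = classify(link)
        if finding["status"] != "ok":
            report.setdefault(finding["status"], []).append(finding)
    return report


# Constructed sample input (hypothetical hosts and accounts).
SAMPLE_LINKS = [
    "http://jdoe:Secret1@owa.example.com/exchange",
    "https://jdoe@owa.example.com:8443/exchange?x=1",
    "HTTP://DOMAIN%5Cjdoe:pw@owa.example.com/",
    "https://owa.example.com/exchange",
    "http://owa.example.com/search?q=a@b",
    "ftp://user:pw@files.example.com/pub",
    "ftp://files.example.com/pub",
]

if __name__ == "__main__":
    for status, findings in audit(SAMPLE_LINKS).items():
        for f in findings:
            note = "password in link" if f["has_password"] else "user name only"
            print(f"{status:9} {f['user']:13} {note:17} -> {f['url']}")
```
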
RE: [ActiveDir] MS04-004
It works via FTPing thru IE and entering a username/password in the dialog box.

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 4:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

If it applies to ftp then how are people going to FTP?

-Original Message-
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS04-004

According to Russ Cooper on NTBugtraq, it does.

-Original Message-
From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too. On the SMS list one guy says it does and others say it doesn't? I haven't deployed the patch yet but plan on doing it soon.

Mike

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp
The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] MS04-004
Until we can do it another way it is a huge deal here at my company with over hundreds of people accessing Outlook Web Access this way from home or remote locations.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 4:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

I concur. And frankly, those aren't all that secure to begin with, so I don't see it as a huge deal.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 4:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

It should only affect URLs that embed user names and passwords. Otherwise, I don't see anything that would bugger up basic authentication. But let us know what you find on your test bench...

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 1:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too. On the SMS list one guy says it does and others say it doesn't? I haven't deployed the patch yet but plan on doing it soon.

Mike

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp
The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] MS04-004
So your users can remember to type http://username:[EMAIL PROTECTED]/resource

But they can't remember to type http://servername.domain.com/resource and then enter their username and password when prompted?

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 2:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Until we can do it another way it is a huge deal here at my company with over hundreds of people accessing Outlook Web Access this way from home or remote locations.

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 4:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

I concur. And frankly, those aren't all that secure to begin with, so I don't see it as a huge deal.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 4:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

It should only affect URLs that embed user names and passwords. Otherwise, I don't see anything that would bugger up basic authentication. But let us know what you find on your test bench...

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 1:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too. On the SMS list one guy says it does and others say it doesn't? I haven't deployed the patch yet but plan on doing it soon.

Mike

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp
The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] MS04-004
Regarding MS04-004, you all should be aware of the following:

http://support.microsoft.com/default.aspx?scid=kb;en-us;831167

This issue is affecting us significantly.

Mike Thommes

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

I concur. And frankly, those aren't all that secure to begin with, so I don't see it as a huge deal.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 4:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

It should only affect URLs that embed user names and passwords. Otherwise, I don't see anything that would bugger up basic authentication. But let us know what you find on your test bench...

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 1:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Is there any way to permit the basic authentication after it is installed?

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:47 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

According to KB834489 (http://support.microsoft.com/default.aspx?scid=kb;en-us;834489), it only applies to HTTP/HTTPS

Hunter

From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 1:36 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] MS04-004

Anyone know if this also applies to ftp connections too. On the SMS list one guy says it does and others say it doesn't? I haven't deployed the patch yet but plan on doing it soon.

Mike

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 3:24 PM
To: Exchange2000 (E-mail); ActiveDir (E-mail)
Subject: [ActiveDir] MS04-004

If any of you use Basic Authentication over HTTP or HTTPS you need to read this.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-004.asp
The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]