mysterious IIS failures

Russell Fulton r.fulton at
Thu Jan 15 06:38:36 GMT 2004

R> I am forwarding on a post to our computer support list from one of 
R> our faculty IT managers:

R> additions by me tagged R>

<initial post>
During processes where IIS is being installed or adjusted and services are
being started and stopped, is an RPC vulnerability opened?

2 instances on separate servers doing different tasks, but both involving
the control of the IIS service have seen LSASS.exe death reminiscent of the
RPC DCOM issue related to MS03-026.

Is some level of protection being peeled back as part of this service change
that temporarily exposes the machine to an attack?
</initial post>

R> I asked Matiu for some more details:

The servers involved are all Windows 2003 (standard) and had all been patched 
for the known security issues (i.e. after the initial patching of MS03-039, etc.,
Windows Update was run and now thinks there are no further updates to be 

The LSASS failure (this thing manages security in Windows) happens when an 
installation stops/starts Web publishing processes.

All three machines had external access, nothing special at the time of update,
R> 'external access' == outbound access to the 'Net, no inbound access.
and were on the network at the time (the installation processes require access 
to DNS etc for certain modules).

DCOM is consistently not installed.
COM+/WebDAV are installed.

2 out of three had NAV (8.x) installed at the time the issue happened. The 
virus definitions, etc were current and the machines subject to the policies 
managed via Loveleen in ITSS - so real-time scanning/heuristics are whatever is
currently standard.

R> We do still have intermittent bursts of Welchia/Slammer traffic on campus, so
R> the thought that this is causing problems during some small window during
R> installs is not totally implausible.

R> Anyone have any ideas?

    Matiu Carr    <m.carr at>

    IT Manager:    Architecture, Property
                   Planning and Fine Arts
                   University of Auckland

Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!

More information about the unisog mailing list