[unisog] mysterious IIS failures

Jim Duncan jnduncan at cisco.com
Thu Jan 15 18:36:30 GMT 2004

Russell Fulton writes:
> The servers involved are all Windows 2003 (standard) and had all been patched 
> for the known security issues (i.e. after the initial patching of MS03-039, etc 
> Windows Update was run and now thinks there are no further updates to be 
> loaded).
> The LSASS failure (this thing manages security in Windows) happens when an 
> installation stops/starts Web publishing processes.
> All three machines had external access, nothing special at the time of update,
> R> 'external access' == outbound access to the 'Net no inbound access. 
> and were on the network at the time (the installation processes require access 
> to DNS etc for certain modules).
> DCOM is consistently not installed.
> COM+/WebDAV are installed.
> 2 out of three had NAV (8.x) installed at the time the issue happened. The 
> virus definitions, etc were current and the machines subject to the policies 
> managed via Loveleen in ITSS - so real time scanning/heuristics are whatever is 
> currently standard.
> R> We do still have intermittent bursts of welchia/slammer traffic on campus so
> R> the thought that this is causing problems during some small window during 
> R> installs is not totally implausible
> R> anyone have any ideas? 

Hi, Russ.  I suggest the machines be re-installed and the patches 
applied _before_ they are reconnected to the network.

It is interesting that I just had a similar discussion with a coworker 
just a few hours ago.  He uses a USB memory device to carry his patches 
over to the new machine because he will not risk connecting the new 
machine to any network until it is patched.  And this is inside a 
fairly tightly controlled network! ;-)

So, it would be interesting to see if the failures continue even when 
the machine is installed, patched, and brought up again while still off 
the network.

Hope this helps.


Jim Duncan, Critical Infrastructure Assurance Group, Cisco Systems, Inc.
jnduncan at cisco.com, +1 919 392 6209, http://www.cisco.com/go/ciag/.
PGP: DSS 4096/1024 E09E EA55 DA28 1399 75EB D6A2 7092 9A9C 6DC3 1821
