A.
Methods to prevent your machines from rebooting are
listed below. Start with the first method and, if that doesn’t work or
is inappropriate, try the next method. If none of the methods listed
work on your systems, please contact Product Support Services.
For Windows XP or Windows Server 2003, turn on
Internet Connection Firewall.
If you use the Internet Connection Firewall in
Windows XP or Windows Server 2003 to protect your Internet connection,
it blocks inbound RPC traffic from the Internet by default, including the
TCP port 135 endpoint mapper traffic that Blaster uses. (See
http://support.microsoft.com/default.aspx?scid=kb;en-us;283673&sd=tech.)
To enable the Internet Connection Firewall:

1. From the Start menu, open Control Panel, click Networking and
Internet Connections, and click Network Connections.

2. Right-click the connection on which you would like to enable the
firewall and click Properties. (The connection you choose should be the
one that you use to get access to the Internet.)

3. On the Advanced tab, select the option to Protect my computer or
network.

Note: These steps enable the firewall on systems running Windows XP or
Windows Server 2003 only. If you are running Windows 2000 or
Windows NT 4.0, you should enable a third-party firewall product.
To disable DCOM on all affected machines:
Disabling DCOM should be viewed only as a temporary measure. If the
first method above has already been applied, you should not need to
carry out the method described in this section.
Note: This procedure does not block the exploit on Windows 2000
RTM, SP1, or SP2 systems, and it should not be used as a workaround
on those systems.
When a computer is part of a network, the DCOM
protocol enables COM objects on that computer to communicate with COM
objects on other computers. You can disable DCOM on a particular
computer to help protect against the RPC vulnerability that Blaster
exploits, but doing so disables all communication between objects on
that computer and objects on other computers.
If you disable DCOM on a remote computer, you will
not be able to reach that computer remotely afterward to re-enable
DCOM. To re-enable it, you will need physical (console) access to that
computer.
To manually disable (or enable) DCOM for a computer:

1. Run Dcomcnfg.exe. If you are running Windows XP or Windows Server
2003, perform these additional steps:

2. Click Component Services under Console Root.

3. Open the Computers folder.

• For the local computer, right-click My Computer and choose
Properties.

• For a remote computer, right-click the Computers folder, select
New, select Computer, type the computer name, right-click the
computer name, and select Properties.

4. Choose the Default Properties tab.

5. Clear (or select) the Enable Distributed COM on this Computer
check box.

6. If you will be setting more properties for the machine, click the
Apply button to disable (or enable) DCOM. Otherwise, click OK to
apply the changes and exit Dcomcnfg.exe.

7. Restart the system to make the changes take effect.
Although these steps will stop a machine infected by
or under attack from Blaster from rebooting every few minutes,
they should be considered temporary measures: they only
help block paths of attack and do not correct the underlying
vulnerability, which is fixed only by installing the RPC security
update (Microsoft Security Bulletin MS03-026).
Additional information on disabling DCOM can be
found in Knowledge Base article 825750, "How to Disable
DCOM Support in Windows,"
http://support.microsoft.com/default.aspx?scid=kb;en-us;825750&sd=tech
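The same setting can be read and changed from a script, which is useful when auditing or applying the workaround on more than one machine. The following is an added example, not part of the Knowledge Base text this page is based on. It reads and sets the EnableDCOM value that the Dcomcnfg.exe check box "Enable Distributed COM on this computer" controls; the key and value (HKLM\SOFTWARE\Microsoft\Ole, EnableDCOM = "Y" or "N") are the ones documented in KB 825750, and the function names and the remote-session guard are illustrative choices of this example. It assumes an elevated, interactive PowerShell session on the machine itself (Windows 2000 has no PowerShell; there the same key is edited with regedit).

```powershell
# Added example, not from the Knowledge Base text this page is based on.
# Key and value name (HKLM\SOFTWARE\Microsoft\Ole, EnableDCOM = "Y"/"N") are
# those documented in KB 825750; the function names and the remote-session
# guard are illustrative. Assumes an elevated, interactive PowerShell session
# on the machine being changed.

$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-DcomState {
    # Returns 'Y' or 'N'. If the value is absent, DCOM behaves as enabled.
    $props = Get-ItemProperty -Path $OleKey -ErrorAction Stop
    if ($null -eq $props.EnableDCOM) { return 'Y' }
    return [string]$props.EnableDCOM
}

function Set-DcomState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Y', 'N')]
        [string]$State
    )

    # The lock-out caveat above, enforced: a session that arrived over
    # PowerShell remoting has $PSSenderInfo set. Disabling DCOM from such a
    # session can remove the path you would need to re-enable it later.
    if (($null -ne $PSSenderInfo) -and ($State -eq 'N')) {
        throw 'Refusing to disable DCOM from a remote session; do this at the console.'
    }

    $before = Get-DcomState
    Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value $State -Type String

    # As with Dcomcnfg.exe, the change takes effect only after a restart.
    Write-Warning "EnableDCOM changed from '$before' to '$State'; restart the system for it to take effect."
}

"EnableDCOM is currently: $(Get-DcomState)"

# Temporary workaround; re-enable with -State 'Y' once the patch is installed:
# Set-DcomState -State 'N'
```

Run it once to see the current state, then uncomment the last line to apply the workaround. Note that disabling DCOM does not close TCP port 135; the endpoint mapper keeps listening, so a port scan is not a way to confirm this particular workaround.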
If you are running Windows 2000 RTM, SP1, or SP2, where disabling DCOM
does not block the exploit, you can configure Advanced TCP/IP
Filtering instead.
To configure TCP/IP security on Windows 2000:
On Windows 2000 systems, where Internet Connection
Firewall (ICF) is not available and disabling DCOM is not effective, the
following steps help block the affected ports (including the TCP port 135
RPC endpoint mapper that Blaster targets) so that the system can be
patched. These steps are based on a modified excerpt from
Knowledge Base article 309798, "HOW TO: Configure TCP/IP Filtering in
Windows 2000,"
http://support.microsoft.com/default.aspx?scid=kb;en-us;309798&sd=tech.

1. From the Start menu, select Control Panel, and select Network and
Dial-up Connections.

2. Right-click the interface you use to access the Internet and click
Properties.

3. In the "Components checked are used by this connection" box, click
Internet Protocol (TCP/IP) and click Properties.

4. In the Internet Protocol (TCP/IP) Properties dialog box, click
Advanced.

5. Click the Options tab.

6. Click TCP/IP filtering and click Properties.

7. Select the Enable TCP/IP Filtering (All adapters) check box.

8. Select the Permit Only option in each of the columns with the
following labels: TCP Ports, UDP Ports, and IP Protocols. Leave the
lists empty: with Permit Only selected and nothing listed, the filter
rejects all inbound traffic for that column. TCP/IP filtering applies
to inbound traffic only, so outbound connections (for example, to
download the patch) continue to work.

9. Click OK.

Note: Because the TCP/IP filtering enabled above can break many
applications (including FTP, P2P software, and Instant Messaging),
TCP/IP filtering should be disabled again after the patch is installed.
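The state written by that dialog can be audited from the registry rather than by opening the GUI on each machine. The following is an added example, not part of the Knowledge Base text this page is based on. The value names it reads (EnableSecurityFilters under Tcpip\Parameters, and TCPAllowedPorts, UDPAllowedPorts and RawIPAllowedProtocols under each Interfaces\{GUID} key) are taken from the Windows 2000 TCP/IP registry documentation, and the convention that the dialog stores Permit All as a list containing only "0" is assumed here; verify both against a test machine before relying on the report. The function names are illustrative. Windows 2000 itself has no PowerShell, but the same dialog and keys exist on Windows XP and Windows Server 2003, where this can run in an elevated session.

```powershell
# Added example, not from the Knowledge Base text this page is based on.
# Value names (EnableSecurityFilters; per-interface TCPAllowedPorts,
# UDPAllowedPorts, RawIPAllowedProtocols) are from the Windows 2000 TCP/IP
# registry documentation, and "Permit All" stored as the single entry "0"
# is an assumption to verify on your build. Function names are illustrative.
# Assumes an elevated PowerShell session on the machine being audited.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Test-Allowed {
    param([string[]]$List, [string]$Item)
    # Absent value: the dialog default is Permit All (assumption, see above).
    if ($null -eq $List) { return $true }
    # Permit All is stored as "0"; an empty Permit Only list allows nothing.
    if ($List -contains '0') { return $true }
    return ($List -contains $Item)
}

function Format-AllowList {
    param([string[]]$List)
    if ($null -eq $List) { return 'not configured (Permit All)' }
    if ($List -contains '0') { return 'Permit All' }
    if ($List.Count -eq 0) { return 'Permit Only: nothing' }
    return "Permit Only: $($List -join ', ')"
}

function Get-TcpipFilterReport {
    # The check box "Enable TCP/IP Filtering (All adapters)" is global;
    # the Permit Only lists are stored per interface.
    $enabled = ((Get-ItemProperty -Path $TcpipParams).EnableSecurityFilters -eq 1)
    foreach ($iface in Get-ChildItem -Path "$TcpipParams\Interfaces") {
        $p = Get-ItemProperty -Path $iface.PSPath
        [pscustomobject]@{
            Interface        = $iface.PSChildName
            FilteringEnabled = $enabled
            TcpPorts         = Format-AllowList -List $p.TCPAllowedPorts
            UdpPorts         = Format-AllowList -List $p.UDPAllowedPorts
            IpProtocols      = Format-AllowList -List $p.RawIPAllowedProtocols
            # TCP 135 is the RPC endpoint mapper port that Blaster attacks;
            # it is reachable unless filtering is on and 135 is not permitted.
            Tcp135Reachable  = (-not $enabled) -or (Test-Allowed -List $p.TCPAllowedPorts -Item '135')
        }
    }
}

Get-TcpipFilterReport | Format-Table -AutoSize
```

A row showing FilteringEnabled True and Tcp135Reachable False on the Internet-facing interface is what the procedure above is meant to produce. Because the filter drops inbound packets at the stack, netstat on the machine still lists port 135 as LISTENING; confirming the block from the network side needs a connection attempt from another host.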