Using ISA 2004 Firewalls to Protect Against Sasser (v1.01)

Got questions? Discuss this article over at

By default, inbound connections through the ISA 2004 firewall are blocked for these ports. However, if you create server publishing rules for these ports, the published server could be at risk. This can be problematic if you have a front-end Exchange Server in a DMZ segment, because this port must be open between the DMZ segment and the Internal network. However, you do not need to open this port between the External network and the DMZ segment, so your risks are mitigated to a certain extent.

The default firewall policy for the ISA 2004 firewall prevents the spread of Sasser to external networks because Sasser requires outbound FTP to spread. However, if your ISA firewall is configured with an “All Open” outbound Access Rule, then you must create Access Rules to block Sasser on its known ports.

To help prevent outbound Sasser attacks:

• Create an Access Rule blocking traffic on ports listed in the above table. Blocking TCP port 445 in the outbound direction prevents outbound CIFS traffic and blocking TCP ports 5556 and 9996 in the outbound direction will prevent an infected host from acting as an FTP server and spreading the worm.
• Configure the Firewall Client to block malicious Sasser processes. You will have to install the Firewall client on the client operating systems for this method to work. Note that all Windows client operating systems should have the Firewall client software installed (do not install the Firewall client on network servers, unless you have specific and compelling reasons to do so). If all outbound access is authenticated, this will prevent the worm from acting as a Firewall Client through ISA firewall.

The ISA firewall machine is also potentially vulnerable to internal attack by the Sasser worm. In order to protect the ISA firewall itself from a Sasser attack, do not create Access Rules allowing traffic to the Local Host network on the ports listed in the table above.

1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Firewall Policy node.
2. Click on the Tasks tab in the Task Pane. Click the Create a New Access Rule link.
3. On the Welcome to the New Access Rule Wizard page, enter Block Sasser Outbound in the Access Rule name text box. Click Next.
4. On the Rule Action page, select the Deny option and click Next.
5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
6. In the Add Protocols dialog box, click the New menu, then click the Protocol command.

7.  On the Welcome to the New Protocol Definition Wizard page, enter Sasser Outbound in the Protocol Definition name text box and click Next.
8.  On the Primary Connection Information page, click the New button.
9.  In the New/Edit Protocol Definition dialog box, select the Protocol type as TCP. The Direction is Outbound. The From port is 445 and the To port is 445. Click OK.

10. On the Primary Connection Information Page click the New button.
11. In the New/Edit Protocol Definition dialog box, select the Protocol type as TCP. The Direction is Outbound. The From port is 5556 and the To port is 5556. Click OK.

12. On the Primary Connection Information Page click the New button.
13. In the New/Edit Protocol Definition dialog box, select the Protocol type as TCP. The Direction is Outbound. The From port is 9996 and the To port is 9996. Click OK.

14. Click Next on the Primary Connection Information page.

15. Select the No option on the Secondary Connections page. Click Next.
16. Click Finish on the Completing the New Protocol Definition Wizard page.
17. In the Add Protocols dialog box, click the User-defined folder and then double click the Sasser Outbound entry. Click Close.
18. Click Next on the Protocols page.
19. On the Access Rule Sources page, click the Add button.
20.  In the Add Network Entities dialog box, click the Network Sets folder and then double click the All Protected Networks entry. Click Close.

21. Click Next on the Access Rule Sources page.
22. On the Access Rule Destinations page, click the Add button.
23. In the Add Network Entities dialog box, click the Networks folder and then double click on the External entry. Click Close.
24. On the User Sets page, accept the default entry, All Users, and click Next.
25. Click Finish on the Completing the New Access Rule Wizard page.
26. Move the Block Sasser Outbound rule to the top of the list of rules.
27. Click Apply to save the changes and update the firewall policy.
28. Click OK in the Apply New Configuration dialog box.

The malicious Sasser processes known at this time are avserve and avserve2.

1. In Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node.
2. Click the General node.
3. On the General node, click the Define Firewall Client Settings link in the Details pane.
4. In the Firewall Client Settings dialog box, click the Application Settings tab.
5. On the Application Settings tab, click the New button.

6. In the Application Entry Setting dialog box, enter avserve in the Application text box. Select disable from the Key drop down list. Select 1 from the Value drop down list. Click OK.

7. Repeat steps 5 and 6, but this time enter avserve2 in the Application text box.
8. Click OK in the Firewall Client Settings dialog box.
9. Click Apply to save the changes and update the firewall policy.
10. Click OK in the Apply New Configuration dialog box.

Configuring the Firewall Client for Avserve.exe and Avserve2.exe only prevents the malicious processes on an infected host from acting as a Firewall Client. If the host is also configured as a SecureNAT client, then this setting may have no effect. (To prevent SecureNAT client access across ISA Server, make sure that there are no anonymous Access Rules allowing outbound access to these applications.)

You can test the functionality of the Block Sasser Outbound rule by using Telnet on a client located on an ISA 2004 firewall protected network.

1. Open the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Monitoring node in the left pane of the console.
2. On the Monitoring node, click the Logging tab in the Details pane.
3. On the Tasks tab of the Task Pane, click the Start Query link.
4. On a client system located on a protected network, click Start and then click Run. In the Open text box, enter cmd and click OK.
5. At the command prompt enter telnet 131.107.1.1 5556 and press ENTER.
6. Return to the Microsoft Internet Security and Acceleration Server 2004 management console and view the real time log monitor. You will see entries indicating that the Block Sasser Outbound Access Rule prevented the connection.

You can use a script to block the Sasser ports. Jim Harrison has on his

• What You Should Know About the Sasser Worm (http://go.microsoft.com/fwlink/?LinkID=28659)
• Microsoft Security Bulletin MS04-011 (http://go.microsoft.com/fwlink/?LinkID=28661)
• ISA Server Product Documentation (http://go.microsoft.com/fwlink/?LinkID=28663)

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000104 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our ‘Real-Time Article Update’ by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy