MS09-031: ISA Server 2006 FBA and RADIUS OTP Bulletin

Passing along some information regarding a vulnerability in the ISA firewall that exists when you use FBA and RADIUS One Time Passwords (OTP).

If you have a Web Publishing Rule that meets the following specs:

  • The Web listener is configured for forms-based authentication (FBA) using RADIUS One-Time Passwords (OTP)
  • The web publishing rule delegates using Kerberos Constrained Delegation (KCD)
  • ISA is configured to allow fallback to HTTP-Basic authentication.

Then you need to get your head up and apply the MS09-031 update.

For more information, check out Jim Harrison’s article over at:

https://blogs.technet.com/isablog/archive/2009/07/13/ms09-031-isa-server-2006-fba-and-radius-otp-bulletin.aspx

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: ts[email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)
