Part 1: New Patches

Patch Available for Invalid RDP Data Vulnerability
A new Microsoft patch eliminates a security vulnerability on Windows 2000 computers running Win2K Server Terminal Services. Certain (unspecified) series of RDP data packets in Win2K can make the server crash or hang. According to Microsoft article Q286132, Microsoft has issued patches for some non-English versions of Win2K; check to see if your specific patch is available.

Patch for Remote Registry Access Authentication Vulnerability
According to Microsoft article Q264684, a Windows NT Server 4.0, Terminal Server Edition (TSE) vulnerability allows access to the registry from a remote computer. See the Microsoft article to learn how to get the patch.

Patch Released for Malformed URL Vulnerability that Disables Web Server Response
Another Microsoft patch eliminates a Microsoft IIS security vulnerability in single-user NT 4.0 and TSE. According to Microsoft article Q271652, this vulnerability could let a malicious user send malformed URLs that prevent a Web server from responding to requests for Web pages, FTP services, or other servicesuntil you restart the IIS service.

Patch Available for Network DDE Agent Request Vulnerability
Microsoft has released a patch for a Win2K security vulnerability that could let a malicious user gain complete control of an affected computer via Network Dynamic Data Exchange (DDE). Although Microsoft article Q285851 states that terminal servers aren't vulnerable to this problem unless unprivileged users can log on at the console, you could be vulnerable if you use the Win2K Resource Kit utility to cut and paste files between terminal client sessions and the local computer.

Part 2: Terminal Services Edition Service Pack 6 (SP6)

Patch Available for Invalid RDP Data Vulnerability
According to Microsoft article Q248183, a cryptographic error in the Syskey tool makes offline password attacks easier than previously believed. The Syskey tool is designed to prevent attacks by strongly encrypting the SAM database using 128-bit cryptography. However, the encryption is less effective because multiple database entries are encrypted with the same keystream.

For additional information about the Syskey tool, see Microsoft article Q143475.

Registry Data is Viewable by All Users During Rdisk Repair Update
According to Microsoft article Q249108, using TSE's Rdisk tool to update repair information creates a temporary file that enumerates all the registry hives and their current settings. The permissions on this file won't prevent someone from reading or changing the temporary file's contents while Rdisk is running. The Rdisk tool deletes the temporary file when it completes the update procedure, but if the Rdisk tool is interrupted or ends abnormally (requiring a restart), someone could still access the file after you reboot the computer.

Access Violations in Spooler Service When Printing a Long Named Print Job
Microsoft article Q246729 reports that when the spooler service attempts to print a file with a long name, it might intermittently generate Access violation error messages and hang. When this occurs, the system might indicate that the print job didn't finish because the printer ran out of paper or because of another hardware problem. If the file name is longer than 200 bytes and the printer also has a hardware problem, the spooler service might not generate an error message. This behavior can occur even if you are logged on locally.

Local Procedure Call Might Permit Unauthorized Account Usage
On computers running NT 4.0, a malicious user could use a program that makes a specific local procedure call (LPC) to impersonate another user with local logon privileges and run any program, including programs that can run in the LocalSystem context. As Microsoft article Q247869 notes, domain security is vulnerable if the domain administrator's credentials reside on the computer.

Security Identifier Enumeration Function in LSA Might Not Handle Argument Properly
When you use the LsaLookupSids() function in NT Local Security Authority (LSA) to determine the Security Identifier (SID) associated with a particular user or group name, invalid or contradictory arguments passed to the function might not be handled correctly. According to Microsoft article Q248185, the LSA could stop functioning and crash the computer.

Part 3: General Updates

Users Can't Run Terminal Sessions on DCs
According to Microsoft article Q247989, when you attempt to connect to a Win2K-based domain controller (DC) running Terminal Services, you might see an error message that says the local policy of this system doesn't permit you to log on interactively. Win2K DCs (but not servers) only let some groups log on locallyUsers, Authenticated Users, and Everyone aren't among those groups. The article explains how to refresh the security policy and add new entries to the list of groups allowed to log on locally.

Command Processor Might Not Parse Excessive Arguments Properly
According to Microsoft article Q259622, Win2K and NT command processor's (cmd.exe) code has an unchecked buffer that handles environment strings. If a computer provides batch or other script files, a malicious user could potentially provide arguments that create an extremely large environment string and overflow the buffer. Service Pack 1 (SP1) addressed the problem for Win2K, but the article lists it as a known problem in TSE.

Windows Hangs with Fragmented IP Datagrams
If IP fragments that have a particular malformation are sent to a Windows computer (this problem applies to all Win32 OSs) in a continuous stream at a relatively low data rate, an implementation flaw can cause the computer to devote most or all of its CPU availability to processing the incoming fragments. SP1 for Win2K addresses the problem; Microsoft Security Bulletin MS00-029 explains how to get a fix for TSE.
http://www.microsoft.com/TechNet/security/bulletin/ms00-029.asp

DOS Applications Can't Run in Win2K Terminal Window Using Default Settings
According to Microsoft article Q286256, 16-bit DOS-based programs installed on Win2K-based servers are set to run in full-screen mode by default; however, you can't open DOS windows in full-screen mode during a Win2K Terminal Services client session while connected to a Win2K-based server that runs Terminal Services in Application Server mode. See the article to learn how to edit a DOS program's properties to run in a window.

Post-Service Pack Fixes for BSODs in Win2K and TSE
When you run Win2K Terminal Services with multiple clients, you might receive multiple error messages on blue screens that are related to win32k.sys. See Microsoft article Q281132 (http://support.microsoft.com/support/kb/articles/Q281/1/32.asp) for the fix for this problem.

Microsoft article Q281544 notes that you might randomly see blue screens with "Stop 0x82 (DFS_FILE_SYSTEM)" error messages in TSE. This problem occurs if a Terminal Server client accesses a separate file server on which Distributed File System (DFS) Server is installed.

Incorrect Registry Setting Might Allow Cryptography Key in TSE
A malicious user can interactively log on to an NT or TSE computer and compromise the cryptographic key security of other users who subsequently log on to the same computer. Workstations and servers running TSE are primarily at risk. Microsoft Security Bulletin MS00-008 provides a tool that resets the key's permissions to the correct default values and incorporates the functionality of the tool.

Terminal Server Troubleshooting Tips
Two new Microsoft articles provide tips for tuning and troubleshooting terminal servers. Article Q284439 describes how to install the Terminal Services Advanced Client (TSAC) on a terminal server and edit the logon script to enable error code listing, then lists the available error codes.

Microsoft article Q243215 lists tweaks you can make to a terminal server's Registry to affect how it waits for user logons and how it deals with runaway applications, memory usage, and other parameters.

Win2K Features That Don't Work with Terminal Server
As noted in Microsoft article Q238089, computers running Win2K Server with Terminal Services enabled can't access files and folders marked for offline use (client-side caching) from within a Terminal Services session or from the server console. Shares configured for offline use can exist on a Win2K server with Terminal Services enabled. Users who connect using a mapped drive from a Win2K-based computer can use client-side caching, but users who connect with a Terminal Services session can't use this feature.

Configuring Win2K User Environment to Limit Program Availability in Terminal Server
You can't use Group Policy to selectively deploy programs hosted on a Terminal Server machine. The only way to configure a controlled environment that limits access to these programs is to use mandatory profiles to assign programs and enable Group Policy to lock down the Windows desktop and prevent programs in the All Users profile from loading. Microsoft article Q285977 explains how to create mandatory profiles to control program access.