There is a flaw in http.sys for Windows Server 2008 R2 and later that allows a malformed packet to crash your server and perhaps remotely execute code. Since the patch was released Tuesday, the details of the flaw are widely known and trivial to implement. This means that anyone who can access your web server can crash it at will.
Two common scenarios I work with that are cause for concern:
- Exchange servers. Exchange servers use the Windows web server (IIS) to provide services. This means that your Exchange servers are vulnerable.
- Small Business Server. Organizations with SBS typically provide both remote access and Exchange web services. Both are served by IIS and are vulnerable to this flaw.
To disable kernel caching in IIS:
- Open IIS Manager.
- In IIS Manager, select the server node and double-click Output Caching.
- On the Output Caching page, in the Actions pane, click Edit Feature Settings.
- In the Edit Output Cache Settings window, shown below, uncheck the Enable kernel cache check box and click OK.
- Close IIS Manager.
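The same change can be made from the console, which is easier to apply and re-check across several servers. The script below is an added example, not from the original post; it assumes the WebAdministration module is available (IIS 7.5 or later with PowerShell) and that it runs in an elevated session on the web server. It reads the server-level kernel cache setting, turns it off if enabled, then lists any site whose own configuration still overrides the setting back to enabled, since a server-level change does not undo a per-site override.

```powershell
# Added example: audit and disable HTTP.sys kernel-mode output caching in IIS.
# Assumes the WebAdministration module is installed and the session is elevated.
Import-Module WebAdministration

$path   = 'MACHINE/WEBROOT/APPHOST'      # server-level (applicationHost.config) scope
$filter = 'system.webServer/caching'

# Read the current server-level setting
$current = Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name 'enableKernelCache'
Write-Host "enableKernelCache at server level: $($current.Value)"

if ($current.Value -eq $true) {
    Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name 'enableKernelCache' -Value $false
    Write-Host 'Kernel cache disabled at the server level.'
}

# A site's web.config can override the server default, so check each site explicitly
Get-Website | ForEach-Object {
    $site = $_.Name
    $v = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter $filter -Name 'enableKernelCache'
    if ($v.Value -eq $true) {
        Write-Warning "Site '$site' still has enableKernelCache=true (set in its own config)"
    }
}
```

On servers without the PowerShell module, the equivalent change is `%windir%\system32\inetsrv\appcmd.exe set config /section:system.webServer/caching /enableKernelCache:false`. Either way, this is a workaround that reduces exposure; installing the patch remains the actual fix.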
If you have a reverse proxy server in front of your web server, it may protect you from this flaw. However, you would need to test to be sure. This article provides a command line for the curl utility to send the malformed packet: