Fri, Jun 25 2010 23:17
Are you for sure going to hit the SharePoint issue?
Companyweb and SharePoint Central Admin not accessible after installing KB983444 - The Official SBS Blog - Site Home - TechNet Blogs:
On Facebook yesterday, Shaquile asked if he should patch for the SharePoint security update as he knew he would "have to spend hours to resolve the issues and I know that the clients are not going to pay for it!"
First off let's set some expectations:
I can't guarantee 100% that you won't hit issues installing this SharePoint patch. But I can't guarantee 100% that you WILL have issues. On my production servers and on my test boxes, I could not get this update to fail. And believe me, I TRIED. Yet I have seen others that said that they have been hit by this.
Some questions to ask yourself... have you had patching issues with SharePoint on this server before? I personally have always installed SharePoint updates all by themselves and separately from all other updates. I don't know if that helps, but for me it helps to narrow down any possible side effects.
Next ... I'd honestly patch this when you have a plan to have other more "maintenance" type of updates.. such as Exchange 2007 sp3. The security issue in this has a low risk in a SBS 2008 network due to how we don't expose SharePoint to a public url.
Next for most of the folks, all you need to do is the psconfig command. On a rare few, some need to watch that SharePoint Search service.
But bottom line, just because a security update comes out, doesn't mean that it has to be done immediately, doesn't mean that the risk is horrific if you don't immediately patch and remember.. you can always evaluate the mitigation and do that instead. Typically buried in the patch section is documentation of a mitigation that will keep you protected just fine in the meantime.
You can use the workaround in the security bulletin to block the help file until such time you patch it. The workaround will protect you until such time as you are ready to tackle the patch. The issue is with the help file on the box. Change the access rights to that help file and voila... issue is mitigated.
To restrict access to the vulnerable Help.aspx, run the following commands from a command prompt:
cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N
cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N
Do runas admin and remember it's normal for the error message to occur on the Program Files (x86) because SBS 2008 is a 64bit box and the x64 version of SharePoint is installed.
Once the security is set, you can't browse to that help.aspx file
When's the last time anyone read the SharePoint help file anyway? Risk mitigation. Patch not needed for now. Document what you did to the server to ensure you undo it when you ultimately patch, and there you go. any potential issue with patching right now immediately has been bypassed.
So keep in mind that just because there's a known issue listed here... doesn't mean you'll hit it:
And keep in mind that just because there's a patch, doesn't mean you have to install it if you've taken the time to deem the risk acceptable or taken mitigations to remove the risk.
To undo it follow the workaround instructions again...
How to undo the workaround.
Run the following commands from a command prompt:
takeown /f "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx"
takeown /f "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx"
cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /R everyone
cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /R everyone
When you run that command... you'll undo the mitigaton and be able to see the security tab info again.
Filed under: Security