
Security Update to correct network cable removal (Network Slip) security issue [HFXCC3100]
Published Date: 01 Feb 2005 | Last Updated: 13 Feb 2020 | Content Ref: DWN335876





Description

**Please note this only applies to Community Connect 3™ and RM Smart-Tools 3 networks**

Before installing any software update, please refer to TEC90813 and DWN59018 in the Other Useful Articles section below. These articles detail RM's recommendations regarding software update installation and support.

Any references to Community Connect 3 in this document apply equally to RM Smart-Tools 3.

Apply this Security Update at your earliest convenience. It addresses an important security issue where malicious users can gain heightened privileges on Community Connect 3 workstations.

HFXCC3100 is included in Service Release 5 for Community Connect 3; if you have installed Service Release 5 on your network you do not need to install HFXCC3100 separately.



Platforms

Community Connect 3 (Service Release 3 or 4).
Station Access Control installed and allocated to all workstations.



Symptoms

If a user unplugs the network cable at the 'Applying Personal Settings' section of the logon process to a Community Connect 3 workstation, station security group policies are not applied. This results in the user having enhanced access rights on the workstation up to and including certain local administrator rights.


Requirements

Important
  • Station Access Control must be installed and configured as detailed in the Station Access Control Release Note - Available from DWN235702 in the Other Useful Articles section below.
  • The Station Access Control packages, RM Client Security Module and RM Event Forwarding Service, must be allocated to all workstations and the workstations restarted before installing this Security Update. Station Access Control is available from DWN235702 in the Other Useful Articles section below.

This Security Update should be installed on the first Community Connect 3 domain controller in each site. Servers will not need to be restarted after applying this Security Update but all workstations will need to be restarted to pick up the security change.

Please note: This Security Update will disable RSOP (Resultant Set of Policy) Logging on all Community Connect 3 workstations. As a result, you will no longer be able to fully use the "Resultant Set of Policy" snap-in in the MMC (Microsoft Management Console). The command gpresult will also no longer work reliably, since it requires the presence of RSOP data for the user. RSOP and gpresult may appear to continue to work if a user logged on to a workstation before HFXCC3100 was applied, due to the presence of RSOP data generated during that previous logon. This data cannot be relied upon as up-to-date or accurate.



Download Instructions

1.      Click the HFXCC3100.exe file link to download the Security Update.

2.      Choose to Save the file, browse to the temporary location you wish to save it to (e.g. D:\temp) and click Save.

3.      When it has downloaded, follow the installation instructions below to install the Security Update.



Download

| Filename | File Size | Download |
| --- | --- | --- |
| HFXCC3100.exe | 219 kb | Download |


Installation Instructions

How to install the Security Update

Note: If you previously started to install the Security Update but cancelled the operation, follow the installation instructions in the 'Installing after cancelling a previous install' section below.

 

1.      Download HFXCC3100.

2.      Log on to your first Community Connect 3 domain controller as Administrator (not SystemAdmin) and copy the Security Update to a temporary location (e.g. D:\temp).

3.      Run the Security Update by double-clicking the self-extracting executable file (HFXCC3100.exe).  The Security Update will extract files automatically and run the RM Installation Assistant to begin the installation.

4.      When prompted, click Continue.

5.      The installation will proceed automatically.  When prompted that the RM Installation Assistant has finished, click Finish.

6.      Restart all your Community Connect 3 workstations at your convenience to ensure they pick up the security change.


Installing after cancelling a previous install

1.      Browse to D:\RMNetwork\RMManage\RM Hotfixes\HFXCC3100_extracted on your first (Forest Root) Community Connect 3 server and double-click the file RM Installation Assistant.exe. (If this folder or its contents do not exist, re-run the HFXCC3100.exe file downloaded from the RM Support website.)

2.      Follow the procedures in 'How to install the Security Update' from step 4 above.


Important - Interaction with RM Service Releases
  • The Security Update can be installed on to networks running Community Connect 3 with Service Release 3 or 4 and Station Access Control installed.
  • HFXCC3100 is included in Service Release 5.
  • If HFXCC3100 is installed on an SR3 network and SR4 and/or Windows XP SP2 is installed after the Security Update, HFXCC3100 will need to be reinstalled.


More Information

Network Slip Exploitation

RM research indicates that applying this Security Update will cover approximately 80% of the attack surface exposed by the 'network slip' method.

Scenarios where this exploit may still be possible are:

  • first logon by a new user
  • first logon by a user following a profile reset
  • first logon by a user following a change in group membership

Note, however, that due to the changes made in this Security Update (specifically, the removal of RSOP logging) the "window of opportunity" for removal of the network cable is much smaller. This means that even in the circumstances described above, a malicious user has a much reduced chance of carrying out this exploit.


What does this Security Update change?

HFXCC3100 updates the system-wide computer settings to mitigate the majority of the attack surface exposed by the 'network slip' attack method.

Specifically, the Security Update alters the System-Wide Computer Settings group policy to prevent workstations from attempting to force group policy application at every logon. This forced application gives a malicious user the opportunity to interrupt the process and leave the workstation with no group policy based security. After this Security Update, the station will fall back on cached copies of group policies, keeping your workstations secure.
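
The following is an added example, not part of RM's article or software: a PowerShell audit, run from an administrator's machine, that lists workstations which have not yet picked up the RSOP logging change after being restarted. It assumes the change appears on each workstation as the standard Windows policy value RSoPLogging = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, which the article does not state; the workstation names are placeholders.

```powershell
# Added example, not RM code. Assumption: RSOP logging is turned off through the
# standard Windows computer policy value below (0 = logging off). The article
# does not name the setting that HFXCC3100 writes.
$PolicyPath = 'SOFTWARE\Policies\Microsoft\Windows\System'
$ValueName  = 'RSoPLogging'

function Get-RsopLoggingState {
    param([Parameter(Mandatory)][string]$ComputerName)
    $base  = $null
    $value = $null
    try {
        # Needs the Remote Registry service and admin rights on the workstation.
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $base.OpenSubKey($PolicyPath)
        if ($key) {
            $value = $key.GetValue($ValueName)
            $key.Close()
        }
        # A missing key or value means the policy has not reached this machine.
        $state = if ($null -eq $value) { 'NotConfigured' }
                 elseif ([int]$value -eq 0) { 'LoggingOff' }
                 else { 'LoggingOn' }
    } catch {
        # Powered off, firewalled, or Remote Registry not running.
        $state = 'Unreachable'
    } finally {
        if ($base) { $base.Close() }
    }
    [pscustomobject]@{
        Computer    = $ComputerName
        RSoPLogging = $value
        State       = $state
    }
}

# Hypothetical workstation names; replace with your own list.
$workstations = 'STATION01', 'STATION02', 'STATION03'
$report = $workstations | ForEach-Object { Get-RsopLoggingState -ComputerName $_ }
$report | Format-Table -AutoSize

# Workstations not yet showing the change: restart them and re-check.
$report | Where-Object { $_.State -ne 'LoggingOff' } |
    Select-Object -ExpandProperty Computer
```

A workstation reported as NotConfigured or LoggingOn has most likely not been restarted since the Security Update was installed on the domain controller.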


