The Good, the Bad, and the Ugly of SP1


I promise to get to the DIMS stuff soon. In the meantime I want to point out some SP1 uglies:


1. We changed the permissions on the SCM so non-admins cannot connect anymore. See https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/service_security_and_access_rights.asp

".. Windows Server 2003 and Windows XP/2000/NT: Unlike most other securable objects, the security descriptor for the SCM cannot be modified. This behavior has changed as of Windows Server 2003 SP1."

This caused some pain noted here:

https://groups-beta.google.com/group/microsoft.public.windows.server.security/browse_thread/thread/d4372eca28569558/d5f35f776111ffe1?q=2003+SP1+permissions+Service+control+manager&rnum=1&hl=en#d5f35f776111ffe1

In SP1 we updated SC.EXE so you can change ACLs on the SCM.

C:\>sc sdshow scmanager

This is the SP1 info:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

This is the RTM info:
D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

You can now set security via "SC.EXE sdset scmanager <SDDL>"
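To see exactly what changed between the two descriptors above, here is an added example (not code from the original post) that decodes the D:/S: part of an SDDL string, maps the access-right tokens onto the Service Control Manager rights they stand for (CC = SC_MANAGER_CONNECT, LC = SC_MANAGER_ENUMERATE_SERVICE, RP = SC_MANAGER_QUERY_LOCK_STATUS, WP = SC_MANAGER_MODIFY_BOOT_CONFIG, KA = 0xF003F = SC_MANAGER_ALL_ACCESS), and diffs the RTM and SP1 DACLs per trustee. The two descriptor strings are the ones quoted in the post; the function and variable names are my own.

```python
"""Decode SCM security descriptors in SDDL form and diff two of them.

Added example, not from the original post. Rights values come from the
Windows SDK headers (sddl.h, winnt.h, winsvc.h); the two descriptor strings
are the RTM and SP1 "sc sdshow scmanager" output quoted in the post.
"""
import re

# SDDL access-right token -> access mask bit(s)
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}

# What those bits mean on the SCM object (winsvc.h). SC_MANAGER_ALL_ACCESS is
# 0xF003F, the same value as KEY_ALL_ACCESS, which is why "KA" shows up here.
SC_MANAGER_ALL_ACCESS = 0x000F003F
SCM_RIGHTS = {
    0x00000001: "SC_MANAGER_CONNECT",
    0x00000002: "SC_MANAGER_CREATE_SERVICE",
    0x00000004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x00000008: "SC_MANAGER_LOCK",
    0x00000010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x00000020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}

# Well-known SID abbreviations that appear in the two descriptors
TRUSTEES = {
    "AU": "Authenticated Users", "IU": "Interactive", "SU": "Service",
    "SY": "Local System", "BA": "Builtin Administrators", "WD": "Everyone",
}

# The two descriptors quoted in the post
RTM_SCM_SD = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
              "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")
SP1_SCM_SD = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
              "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
              "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_mask(tokens):
    """'CCLCRPRC' -> 0x20015. Tokens are two letters; a hex literal is also legal SDDL."""
    if tokens.startswith("0x"):
        return int(tokens, 16)
    mask = 0
    for i in range(0, len(tokens), 2):
        tok = tokens[i:i + 2]
        if tok not in SDDL_RIGHTS:
            raise ValueError(f"unknown SDDL right token {tok!r}")
        mask |= SDDL_RIGHTS[tok]
    return mask


def parse_sddl(sddl):
    """Return {'D': [ace, ...], 'S': [ace, ...]}; O:/G: owner and group parts are ignored."""
    acls = {"D": [], "S": []}
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if len(part) < 2 or part[1] != ":" or part[0] not in acls:
            continue
        for ace in ACE_RE.findall(part[2:]):
            f = ace.split(";")  # type;flags;rights;object;inherit_object;trustee
            acls[part[0]].append({"type": f[0], "flags": f[1],
                                  "mask": rights_mask(f[2]), "trustee": f[5]})
    return acls


def describe(mask):
    """Name the SCM rights in a mask; bits without an SCM meaning are left as hex."""
    if mask & SC_MANAGER_ALL_ACCESS == SC_MANAGER_ALL_ACCESS:
        names, rest = ["SC_MANAGER_ALL_ACCESS"], mask & ~SC_MANAGER_ALL_ACCESS
    else:
        names = [name for bit, name in SCM_RIGHTS.items() if mask & bit]
        rest = mask
        for bit in SCM_RIGHTS:
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return names


def allowed_by_trustee(acls):
    """Collapse the DACL's access-allowed (type 'A') ACEs into {trustee: mask}."""
    out = {}
    for ace in acls["D"]:
        if ace["type"] == "A":
            out[ace["trustee"]] = out.get(ace["trustee"], 0) | ace["mask"]
    return out


def diff_dacl(old_sddl, new_sddl):
    """Per trustee, which SCM rights were gained and lost between two descriptors."""
    old = allowed_by_trustee(parse_sddl(old_sddl))
    new = allowed_by_trustee(parse_sddl(new_sddl))
    report = {}
    for trustee in sorted(set(old) | set(new)):
        o, n = old.get(trustee, 0), new.get(trustee, 0)
        if o != n:
            report[trustee] = {"gained": describe(n & ~o), "lost": describe(o & ~n)}
    return report


if __name__ == "__main__":
    for trustee, change in diff_dacl(RTM_SCM_SD, SP1_SCM_SD).items():
        who = TRUSTEES.get(trustee, trustee)
        print(f"{who}: gained {change['gained'] or '-'}, lost {change['lost'] or '-'}")
```

Run against the two strings from the post, the diff shows Authenticated Users losing SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_QUERY_LOCK_STATUS and READ_CONTROL (keeping only SC_MANAGER_CONNECT), while Interactive and Service logons are added with the rights Authenticated Users used to have. The same `diff_dacl` call works as a drift check: feed it `SP1_SCM_SD` as the baseline and the current `sc sdshow scmanager` output from a host, and any trustee that was granted extra SCM rights with `sdset` shows up under "gained".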


2. We changed some RPC calls as mentioned here https://support.microsoft.com/kb/899148

"..Windows Server 2003 SP1 adds support for some new transfer syntaxes to the RPC implementation. These new transfer syntaxes are known as "multiple transfer syntax negotiation." They help 32-bit and 64-bit computers handle larger workloads. Additionally, they frequently help 32-bit and 64-bit computers work faster.

Specifically, firewalls and VPN products that do permit more than one presentation context to be present in a bound RPC protocol data unit (PDU) may cause either of the following symptoms:"

As a result, bad things happened. If you cannot update your firewall, you can get this hotfix https://support.microsoft.com/kb/899148 and set the value Server2003NegotiateDisable = 1 to work around it. (BTW, the article is not very clear that you need to set this.)

Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
Value: Server2003NegotiateDisable
Type: DWORD
Data: 1

3. We changed the time service as noted here: https://support.microsoft.com/?kbid=892501&SD=tech

4. There are some MIT cross-realm trust issues when logging in via Terminal Services. If you think you are hitting this, then ping me. I haven't had time to fully look into it, but it appears the reg value "IgnoreRegUserConfigErrors" noted here https://support.microsoft.com/?kbid=815266 resolves this one.


spat

Comments

  • Anonymous
    August 15, 2005
    In The Good, the Bad, and the Ugly of SP1 I mentioned this:
    There are some MIT cross realm...