
List:       ntbugtraq
Subject:    Re: XP SP2: cannot access Disk Manager (LDM) on remote Win 2000 systems>>>
From:       Russ <Russ.Cooper () RC ! ON ! CA>
Date:       2004-08-24 21:40:12
Message-ID: 33673E294083364AB67C85A4245FE3547108 () muskie ! rc ! on ! ca

Firstly, I would like to encourage everyone who has such problems with XP SP2 to call
Microsoft Support and open a trouble ticket, or see if they already have a solution
available. KB articles get written based on the number of support calls for a similar
issue, and the urgency of fixes often depends on the number of reports. I don't
guarantee you won't get charged, but by rights you shouldn't as long as the issue
isn't documented somewhere and it's not the result of some 3rd party product.

Meanwhile, everyone who can, who runs into problems, or who wants to understand XP SP2
needs to read:

"Changes to Functionality in Windows XP Service Pack 2"
http://go.microsoft.com/fwlink/?LinkId=28022

It's better to download it because then you can do searches through it.

So, for example, one of the documented changes involves RPC/DCOM and unauthenticated
access from remote clients. Not every tool that does remote administration does so
strictly by making calls to the remote client and getting feedback...some tools are
two-way communications. Still other tools do things via UDP, an unauthenticated
protocol, in order to expedite data transfer.

XP SP2 introduces a new registry key, RestrictRemoteClient, which, effectively, says
that no unauthenticated RPC/DCOM connection can be made to your XP SP2 box, nor will
it accept RPC/DCOM over UDP (or IPX, or other connectionless protocols.)

Whether this is or is not the reason for the Disk Manager problems is, unfortunately,
not yet documented by Microsoft. The task of administering other computers from XP
SP2 systems is, IMO, sorely lacking documentation at this time.

Anyway, I hate to make this suggestion because it does remove a significant security
improvement, but you may want to try setting the RestrictRemoteClient value to 0. Via
Group Policy option "Restrictions for Unauthenticated RPC Clients", or via the
registry at:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\RPC

This *may* resolve the issue. It will most definitely be the cause of some of the
Access Denied errors people see when they have problems with apps and XP SP2.

Caveat! Setting that value to 0 disables the improved security preventing
unauthenticated RPC/DCOM connections. If you have to use it, you want to change this
setting when you need it, and change it back when you don't.

Another report I received regarding access denied errors suggests that the RPC
service should have its "Log on as" value changed back from NT Authority\Network
Service, to Local System Account. I haven't found a need for this, but it was
suggested as a solution for some access denied problems. The MS documentation is a
bit vague, and merely states that RPC was changed so that some aspects of it use the
Local System Account context, while others use the NT Authority\Network Service
context. I suspect this problem occurs when ACLs are being more closely scrutinized,
such as when stringent enforcement has been put in place...but it's still a mystery to
me.

Anyway, just some thoughts.

Cheers,
Russ - Senior Scientist - TruSecure Corporation/NTBugtraq Editor

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such that
just hitting reply is going to result in the message coming to the list, not to the
individual who sent the message. This was done to help reduce the number of Out of
Office messages posters received. So if you want to send a reply just to the poster,
you'll have to copy their email address out of the message and place it in your TO:
field.
-----
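The workaround Russ describes, lifting RestrictRemoteClient only for the duration of the remote-administration task and then putting it back, as an added PowerShell example that is not part of his post. It assumes PowerShell is installed on the XP SP2 workstation (it did not ship with SP2) and that it runs as a local administrator; the registry path and value name are the ones from the post, the policy value meanings beyond 0 (1 = Authenticated, the SP2 default; 2 = Authenticated without exceptions) are the Group Policy template's and are not stated in the post, and the task body is a hypothetical placeholder for whatever tool fails with Access Denied. It also reads the RpcSs "Log on as" account the second report mentions, without changing it.

```powershell
# Added example, not code from the original post. Assumes PowerShell is present on
# the XP SP2 admin box and that this runs as a local administrator.

$RpcPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'   # path from the post
$ValueName    = 'RestrictRemoteClient'

function Get-RestrictRemoteClient {
    # Returns the current DWORD, or $null when the value is absent
    # (absent means the SP2 default applies: unauthenticated RPC clients are restricted).
    if (-not (Test-Path $RpcPolicyKey)) { return $null }
    $item = Get-ItemProperty -Path $RpcPolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-RestrictRemoteClient {
    # 0 = None (what the post suggests trying), 1 = Authenticated, 2 = Authenticated
    # without exceptions. Meanings for 1 and 2 come from the policy template, not the post.
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $RpcPolicyKey)) { New-Item -Path $RpcPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $RpcPolicyKey -Name $ValueName -Value $Value -Type DWord
}

function Remove-RestrictRemoteClient {
    # Deleting the value returns the box to the SP2 default behaviour.
    Remove-ItemProperty -Path $RpcPolicyKey -Name $ValueName -ErrorAction SilentlyContinue
}

function Invoke-WithUnauthenticatedRpcAllowed {
    # Runs $Task with RestrictRemoteClient = 0, then restores the previous state
    # (value or absence) even if the task throws, honouring the post's caveat.
    param([Parameter(Mandatory)][scriptblock]$Task)
    $previous = Get-RestrictRemoteClient
    Set-RestrictRemoteClient -Value 0
    try {
        & $Task
    }
    finally {
        if ($null -eq $previous) { Remove-RestrictRemoteClient }
        else                     { Set-RestrictRemoteClient -Value $previous }
    }
}

function Get-RpcServiceLogonAccount {
    # Reports (does not change) the account the RPC service logs on as; SP2 moved
    # parts of it to NT AUTHORITY\NetworkService according to the post.
    (Get-WmiObject -Class Win32_Service -Filter "Name='RpcSs'").StartName
}

"RestrictRemoteClient before: $(Get-RestrictRemoteClient)"
"RpcSs logs on as:            $(Get-RpcServiceLogonAccount)"

Invoke-WithUnauthenticatedRpcAllowed -Task {
    # Hypothetical placeholder: put the remote-administration step that fails
    # with Access Denied here, e.g. launching diskmgmt.msc against a Win2000 host.
    "RestrictRemoteClient during task: $(Get-RestrictRemoteClient)"
}

"RestrictRemoteClient after:  $(Get-RestrictRemoteClient)"
```

The try/finally wrapper is the point of the example: the post's caveat is that 0 removes the SP2 protection, so the value should never be left at 0 after the task ends, including when the task fails. Whether a process that has already started picks up the new value without being restarted is not stated in the post, so verify on the affected tool before relying on this.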
