Subject: [ActiveDir] Windows 2003 SP1 upgrade...
abagnale_lists
11/20/2005 8:49 AM
sbradcpa
11/20/2005 9:13 AM
Nearly a SBS box 'eh?

Windows 2003 SP1 isn't too bad of an upgrade.

Hardware wise --

If Dell, ensure you have Dell OpenManage 4.4 or above, otherwise known/reported issues of BSODs on DCs with OM 4.3 and below. SP1 shipped in March and it took Dell until June to release OM 4.4.

If HP, make sure you have the SP1 supported ROM upgrades for that box too.

Vendor specific issues with Windows 2003 Service Pack 1 (part of SBS SP1)

DELL

Primary Dell page for 2003 SP1: http://www1.us.dell.com/content/topics/global.aspx/alliances/en/microsoft_main?c=us&cs=555&l=encs=555&l=en&s=biz

General Dell pre-install instructions for SP1: http://support.dell.com/support/topics/global.aspx/support/kb/en/document?c=us&DN=1092292&l=en&opt=true&s=gen&~mode=popup

Stop error KB article from Dell - includes a link to the Dell Registry Update tool: http://support.dell.com/support/topics/global.aspx/support/kb/en/document?dn=TT1092326

And from Microsoft TechNet post about Dell's OpenManage support for SP1: Dell OpenManage support for Windows Server 2003 SP1. In order to support the new enhancements and features in Windows Server 2003 SP1, Dell plans to release Dell OpenManage version 4.4, including Dell Server Assistant version 8.6, to fully support SP1. For current customers who are running Dell OpenManage version 4.3 or earlier, go to the Dell Web site for Dell OpenManage and Service Pack 1 upgrade and deployment information.

HEWLETT PACKARD

For HP Servers please refer to: HP Support. Software and Drivers - download ProLiant Support Pack for Microsoft Windows Server 2003, 7.30 A: http://h18023.www1.hp.com/support/files/server/us/download/22274.html

We do the post 05-019 patch because we have Exchange anyway.

The other one I've done is the DCOM patch for ISA 2004 that allows Outlook on a TS box to connect back through ISA [doesn't sound like you need that patch though].

Us SBSers have had more issues with the last part of our 'own' SBS SP1, but the Windows 2003 SP1 part is pretty solid once you ensure you've done the Dell/HP stuff.

Frank Abagnale wrote:

Hello all,

I am planning on rolling out SP1 to my Domain Controllers. I have looked through MSN search to find known issues with applying SP1 to DCs. I found the following KB articles (below) so I can prepare if I have issues. I haven't run into any issues in my test environment; however, has anyone else had any undocumented problems they may wish to share? One of my DCs is also a WINS, DNS, DHCP, FSMO role holder, so any issues or pointers that you may have come up against would be appreciated.

Also, is there any recommendation as to which DC you choose first when you upgrade to SP1?

The Windows Time service may generate event ID 7023 after you upgrade to Windows Server 2003 Service Pack 1
http://support.microsoft.com/?id=892501

Network issues that affect TCP/IP and RPC traffic across firewall or VPN
http://support.microsoft.com/kb/899148/

The incorrect HAL may be applied if your computer uses a custom HAL
http://support.microsoft.com/kb/889101

Thanks

Frank

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
sbradcpa
11/20/2005 9:22 AM
Installing security update MS05-019 or Windows Server 2003 Service Pack
1 may cause network connectivity between clients and servers to fail:
http://support.microsoft.com/kb/898060/

RPC data may be blocked, and Outlook may not start in Windows Server
2003 with SP1:
http://support.microsoft.com/default.aspx?scid=kb;en-us;897716

You'll need the first... you might not need the second.

psimpsen
11/20/2005 9:27 AM
We've been refreshing our 2003 DCs to new HW and using W2K3 with SP1. We've done 4 out of 23 with no issues. All of the DCs that have been done are GC/DNS as well. One was the first DC in the child domain, still holding the FSMO roles of PDC & RID. We transferred the roles and then transferred them back. One also was the licensing server and a TS Lic server as well. We held out forever worrying until one DC finally bit the dust and had to be rebuilt, so why not start here and see if it plays well with others. It did, so onward through the fog we went, now saying why did we wait so long....... Every environment is different. It appears you know where to look if issues do arise. And I don't know the "best practice" but we haven't followed any kind of order....

Good luck
Paul
abagnale_lists
11/20/2005 10:05 AM
listmail
11/20/2005 11:22 AM
The biggest thing people complain to me about that isn't documented as an issue below is with the new ACL on the service control manager. The new ACL really locks down who can enumerate services remotely. This has impact on multiple different applications and services, especially any monitoring that isn't using full admin IDs. Kind of sad actually, people trying to run with least privs for the monitors got nailed and had to give out more perms until info started getting out on how to fix the problem.

Check out the items exposed by the following query

http://www.google.com/search?hl=en&lr=&safe=off&rls=GGLD%2CGGLD%3A2004-07%2CGGLD%3Aen&q=sdset+sc+2003+site%3Asupport.microsoft.com

listmail
11/21/2005 1:48 AM
No. MS made it now so that you either need to use an ID that has admin rights or you have to change the ACL on the SCM to monitor the services, OR the application doing the monitoring needs to know specifically what service to look at AND know how to open it WITHOUT asking for enumeration rights, which is unusual since it was always possible previously because the ACL on the SCM wasn't configurable. All example source showed how to do it in a way that would break after the change.

What this change does is require more privileges to do work easily done with an unprivileged account, or require you to partially undo what MS did to lock it down. Since the ability to change the SCM ACL previously wasn't something that could be done at all, I understand the idea to lock it down once it could be modified. However, MS didn't really give much in the way of tools to operate with it set that way. There was one tool, SC, that was modified in order to work with it and at least initially, it wasn't very well documented. This easily should have been a GPO config item just like the other service ACL configs. Personally, I would have greatly appreciated say a new group... RemoteServiceEnumeration or something like that, then people simply add principals to that group in order to keep their apps working.

I have often monitored services on servers remotely with an ID that has normal user rights in the domain. The ID had no permissions on the servers at all other than to look at them. Others have done the same. The monitoring scripts/apps would list all services to see what was running and what wasn't running; any changes whatsoever would be reported so you knew when something got added and when something got removed, or if something was started that wasn't previously running or something that was previously running no longer was running. After SP1, it took modifying the ACL or granting admin level rights, or required the ID to be used locally on the local machine instead of remotely.

This change forced people, at least initially until documentation started coming out, to use higher power IDs to do something that previously could be done with lower power do-nothing IDs. To put it another way, there is no technical reason whatsoever that an admin ID is required to monitor services. Heck, you can even delegate service control to non-admins; I have been giving out the ability to stop/start specific services on servers since early NT4 days.

BTW, which LUA are you referring to? The actual principle of least user access where you don't give people access to things they shouldn't have, or the LUA to allow non-privileged users to actually do things without being an admin? I think the first, but it caught me by surprise and I read it as the second initially because most MS folks are using LUA strictly to speak about the new capability in Vista. I didn't mention LUA but was referring to not having to be an admin to do something simple.

I have no problem with locking things down, but don't catch people by surprise. This should have been something you are told about DURING the lockdown where you are asked WHO should be able to do it by adding them to a security group or, worse but better than nothing, a right, or it should have been something easy and intuitive to back out or modify the functionality for. Most MS admins haven't a clue what SC is; those of us that did had no clue there were changes in it until people started talking a lot about this issue. Even still, the MS GUI service tools don't work correctly with this change.

I have heard people using this "fix" as an excuse for why people should have admin rights for doing things they don't need admin rights for because, they say, you never know when an MS fix is going to change things such that delegation won't work and you can't afford to not have things work.

I think I understand the logic behind the change, it is about obscuring what is running. Obviously that is worthless from an automated hacking tool standpoint because they don't generally try to enumerate services, they just attack ports. Hiding the service list isn't going to do much, just like renaming the admin account isn't going to do much if you allow enumeration of the SIDs. Which is another good example: instead of just blocking that capability, what did MS do? They gave you the option....

joe
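
The SCM lockdown joe describes in his two posts above lives in the security descriptor of the scmanager object, which `sc sdshow scmanager` prints in SDDL and `sc sdset scmanager` replaces. The Python below is an added example for this archive page, not code from the list or from Microsoft: it parses that SDDL, reports which principals hold both SC_MANAGER_CONNECT (CC) and SC_MANAGER_ENUMERATE_SERVICE (LC), which is what remote service enumeration needs, and builds the `sc sdset` line that grants a dedicated monitoring group those two rights plus READ_CONTROL without handing it admin. The sample descriptor is the SP1 default as I recall it and is labelled as such in the code; the monitoring group SID is invented. Take the real descriptor from `sc sdshow scmanager` on the host you are changing and the real SID from your domain.

```python
"""Read and amend the Service Control Manager (SCM) security descriptor in
SDDL, the string that `sc sdshow scmanager` prints and `sc sdset scmanager`
accepts. Added example for this archive page; not code from the list posts."""
import re

# SCM-specific access bits from winsvc.h, with the SDDL letters that encode
# them on the scmanager object.
SC_MANAGER_CONNECT = 0x0001             # CC
SC_MANAGER_CREATE_SERVICE = 0x0002      # DC
SC_MANAGER_ENUMERATE_SERVICE = 0x0004   # LC  (the right SP1 stopped granting remotely)
SC_MANAGER_LOCK = 0x0008                # SW
SC_MANAGER_QUERY_LOCK_STATUS = 0x0010   # RP
SC_MANAGER_MODIFY_BOOT_CONFIG = 0x0020  # WP
READ_CONTROL = 0x00020000               # RC

# SDDL two-letter rights tokens -> access-mask bits.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "KA": 0xF003F, "FA": 0x1F01FF,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}

# Sample input: the SP1-era scmanager descriptor as the author of this example
# recalls it. Treat it as illustrative; take the real one from
# `sc sdshow scmanager` on the box you are changing.
SP1_DEFAULT_SDDL = (
    "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
    "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
    "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
)

# Hypothetical domain group SID for a least-privilege monitoring account.
MONITOR_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

_ACE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return [(ace_type, flags, access_mask, sid), ...] from the D: section."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("SDDL string has no DACL")
    aces = []
    for body in _ACE.findall(m.group(1)):
        ace_type, flags, rights, _obj, _inherit, sid = body.split(";")
        if rights.startswith("0x"):
            mask = int(rights, 16)          # numeric mask form
        else:
            mask = 0
            for tok in re.findall(r"[A-Z]{2}", rights):
                mask |= RIGHTS[tok]
        aces.append((ace_type, flags, mask, sid))
    return aces


def can_enumerate_remotely(sddl, sid):
    """True when `sid` has allow ACEs covering CONNECT and ENUMERATE_SERVICE
    and no deny ACE on either. Only the SID as written is checked; group
    membership is not expanded, so pass the SID you expect to see in the DACL."""
    need = SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE
    allowed = denied = 0
    for ace_type, _flags, mask, ace_sid in parse_dacl(sddl):
        if ace_sid != sid:
            continue
        if ace_type == "A":
            allowed |= mask
        elif ace_type == "D":
            denied |= mask
    return (allowed & need) == need and not (denied & need)


def enumerators(sddl):
    """SIDs (or SDDL aliases) that can list services through this DACL."""
    sids = {ace[3] for ace in parse_dacl(sddl)}
    return sorted(s for s in sids if can_enumerate_remotely(sddl, s))


def grant_enumerate(sddl, sid):
    """Append an allow ACE giving `sid` CONNECT, ENUMERATE_SERVICE and
    READ_CONTROL, placed before the SACL so the string stays valid. Appending
    keeps canonical order (deny ACEs before allow ACEs) for any DACL that is
    already canonical."""
    ace = f"(A;;CCLCRC;;;{sid})"
    if "S:" in sddl:
        dacl, sacl = sddl.split("S:", 1)
        return f"{dacl}{ace}S:{sacl}"
    return sddl + ace


def sdset_command(sddl):
    """The command to apply the descriptor on the target host (run elevated)."""
    return f"sc sdset scmanager {sddl}"


if __name__ == "__main__":
    print("can enumerate now:", enumerators(SP1_DEFAULT_SDDL))
    fixed = grant_enumerate(SP1_DEFAULT_SDDL, MONITOR_SID)
    print("can enumerate after:", enumerators(fixed))
    print(sdset_command(fixed))
```

On the sample descriptor only the interactive, service, SYSTEM and Administrators entries can enumerate; Authenticated Users, which is what a remote non-admin account is, gets CC alone, which is exactly the behaviour joe describes. Paste the printed `sc sdset` line into an elevated prompt on the Windows Server 2003 SP1 host, then run `sc sdshow scmanager` again to confirm the new ACE is present. The added ACE grants listing and connecting only; starting and stopping a service is still governed by that service's own ACL, which is the delegation joe refers to.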

rkingsla@xxxx.yyy
11/21/2005 12:22 PM
True. But, to monitor services does someone have to log on to the server? Would a good and SAFE work around - if the said user doesn't need to log on - be to create a service account to do the work, but remove the interactive rights?

Seems to me that proxying the access would be close to the ultimate in LUA.

Rick

--Posting is provided "AS IS", and confers no rights or warranties ...
abagnale_lists
11/21/2005 12:26 PM
AD000001290
11/21/2005 12:37 PM
There is no need to perform 2 separate steps. If your GC is w2k then the GC-DC step may take some considerable time to complete, too.

Simply run dcpromo and demote the GC/DC to a member server.

neil
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Frank Abagnale
Sent: 21 November 2005 12:24
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Windows 2003 SP1 upgrade...

If I need to demote a Global Catalog, do I need to uncheck it as a GC in Sites & Services and wait for it to replicate before I run DCPROMO and demote the DC?

rkingsla@xxxx.yyy
11/27/2005 5:03 AM
Sometimes, I realize that I commented on something, go back and read the thread and come upon a novella.

Occasionally, all I want is a paragraph. Hopefully, all of this information wasn't meant for me, because all I do day in, day out these days is drink from a fire hose - hence why I'm not around so much these days. This hopefully helped others, as it presents no value to me right now at all. I'm versed in this quite well.

Yes - the question was meant to stir a conversation - more about interactive as a mechanism to remove a looming hole for accounts that NEED high level permissions but don't NEED to be logged into. Surprisingly, this is a vector that most people forget about. If you don't need to log in to it - why does it have interactive?

As to which LUA - the actual, higher level principle of giving nothing (not just people) any more access than it absolutely requires. I made the assumption that the ACLing that you referred to had already removed any and all unnecessary permissions to things unsavory, dangerous, and shiny-but-sharp from touch.

Hence the question about interactive. It's not an ACL.

And, as to our direction with software and decisions made - I don't comment much publicly anymore. I've gotten myself into too much trouble of late, another reason I'm not here as much.

Brett can answer some of these, or get someone from the dev team on Security issues. I'll answer anything you want on MCS and how to implement. But, as to why things are or where they are going to be in future product - I won't be commenting on that. That's another pretty, shiny, sharp-thing.

Rick

--Posting is provided "AS IS", and confers no rights or warranties ...





From:
ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]
On Behalf Of joeSent: Monday, November 21, 2005 7:45
AMTo: ActiveDir@xxxxxxxxxxxxxxxxxxSubject: RE: [ActiveDir]
Windows 2003 SP1 upgrade...

No. MS made it now so that you either need to use an ID
that has admin rights or you have to change the ACL on the SCM to monitor the
services OR the application doing the monitoring needs to know specifically what
service to look at AND know how to ask how to open it WITHOUT asking for
enumeration rights which is unusual since it was always possible previously
because the ACL on the SCM wasn't configurable. All example source showed how to
do it in a way that would break after the change.

What this change does is require more privileges to do work
easily done with an unprivileged account or to require you to partially undo
what MS did to lock it down. Since the ability to change the SCM ACL
previously wasn't something that could be done at all, I understand the idea to
lock it down once it could be modified. However, MS didn't really give much in
the way of tools to operate with it set that way. There was one tool, SC
that was modified in order to work with it and at least initially, it
wasn't very well documented. This easily should have been a GPO config item just
like the other service ACL configs. Personally, I would have greatly
appreciated say a new group... RemoteServiceEnumeration or something like that,
then people simply add principals to that group in order to keep their apps
working.

I have often monitored services on servers remotely with an
ID that has normal user rights in the domain. The ID had no permissions on the
servers at all other than to look at them. Others have done the same. The
monitoring scripts/apps would list all services to see what was running and what
wasn't running, any changes whatsoever would be reported so you knew when
something got added and when something got removed or if something was started
that wasn't previously running or something that was previously running no
longer was running. After SP1, it took modifying the ACL or granting admin level
rights or required the ID to be used locally on the local machine instead of
remotely.

This change, forced people, at least initially until
documentation started coming out, to use higher power IDs to do
something that previously could be done with lower power do-nothing IDs.
To put it another way, there is no technical reason whatsoever that an
admin ID is required to monitor services. Heck you can even delegate service
control to non-admins, I have been giving out ability to stop/start specific
services on servers since early NT4 days.

BTW, which LUA are you referring to? The actual principal
of least user access where you don't give people access to things they shouldn't
have or the LUA to allow non-privileged users to actually do things without
being an admin? I think the first, but it caught me by surprise and I read it as
the second initially because most MS folks are using LUA strictly to speak about
the new capability in Vista. I didn't mention LUA but was referring to
not having to be an admin to do something simple.

I have no problem with locking things down, but don't catch
people by surprise. This should have been something you are told about DURING
the lockdown where you are asked WHO should be able to do it by adding
them to a security group or worse but better than nothing a right, or it
should have been something easy and intuitive to back out or modify the
functionality for. Most MS admins haven't a clue what SC is, those of us that
did had no clue there were changes in it until people started talking a lot
about this issue. Even still, the MS GUI service tools don't work correctly with
this change.

I have heard people using this "fix" as an excuse for why
people should have admin rights for doing things they don't need admin rights
for because, they say, you never know when an MS fix is going to change things
such that delegation won't work and you can't afford to not have things
work. 

I think I understand the logic behind the change, it is
about obscuring what is running. Obviously that is worthless from an automated
hacking tool standpoint because they don't generally try to enumerate services,
they just attack ports. Hiding the service list isn't going to do much just like
renaming the admin account isn't going to do much if you allow enumeration of
the SIDs. Which is another good example, instead of just blocking that
capability, what did MS do? They gave you the option....

   joe

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rick Kingslan
Sent: Sunday, November 20, 2005 7:19 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Windows 2003 SP1 upgrade...

True.  But, to monitor services does someone have to
log on to the server?  Would a good and SAFE work around - if the said user
doesn't need to log on, to create a service account to do the work, but remove
the interactive rights?

Seems to me that proxying the access would be close to the
ultimate in LUA.

Rick

--Posting is provided "AS IS", and confers no rights or
warranties ... 
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Sunday, November 20, 2005 5:21 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Windows 2003 SP1 upgrade...

The biggest thing people complain to me about that isn't
documented as an issue below is with the new ACL on the service control manager.
The new ACL really locks down who can enumerate services remotely. This has
impact on multiple different applications and services, especially any
monitoring that isn't using full admin IDs. Kind of sad actually, people trying
to run with least privs for the monitors got nailed and had to give out more
perms until info started getting out on how to fix the
problem.

Check out the items exposed by the following query:

http://www.google.com/search?hl=en&lr=&safe=off&rls=GGLD%2CGGLD%3A2004-07%2CGGLD%3Aen&q=sdset+sc+2003+site%3Asupport.microsoft.com


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Frank Abagnale
Sent: Sunday, November 20, 2005 3:47 PM
To: Active
Subject: [ActiveDir] Windows 2003 SP1 upgrade...


Hello all,

I am planning on rolling out SP1 to my Domain Controllers. I have looked through msn search to find known issues with applying SP1 to DC's. I found the following kb articles (below) so I can prepare if I have issues. I haven't run into any issues in my test environment; however, has anyone else had any undocumented problems they may wish to share? One of my DC's is also a WINS, DNS, DHCP, FSMO role holder, so any issues or pointers that you may have come up against would be appreciated.

Also, is there any recommendation as to which DC you choose first when you upgrade to SP1?

The Windows Time service may generate event ID 7023 after you upgrade to Windows Server 2003 Service Pack 1
http://support.microsoft.com/?id=892501

Network issues that affect TCP/IP and RPC traffic across firewall or VPN
http://support.microsoft.com/kb/899148/

The incorrect HAL may be applied if your computer uses a custom HAL
http://support.microsoft.com/kb/889101

Thanks

Frank
listmail

Posts:497

11/28/2005 2:03 AM  
I don't know if you are trying to bait me or your head
recently got stuck between your gluteus maximi.  

Obviously since you have your mouth to the firehose
you know that I was pointing out that the ACL change on an object that
previously couldn't have the ACL changed now disallows a normal user from
enumerating services on an SP1 Server remotely. This means that either A) They
need to be logging on locally (interactively) or B) They need to be given Admin
rights to the machine where previously they didn't need them or C) The ACL needs
to be modified from what MS set in order to use the least
privileged account to monitor the services. Also obviously, this means you know
that your monitoring must change considerably or you need to at least partially
undo what MS did. The issue on the last being that the documentation on how to
do it was terribly lacking and the point where most of these security settings
are handled is barren of anything for this setting. Creating a service account
and disabling interactive auth does nothing to help anything, in fact it can
open up holes itself. Thankfully when this was previously discussed on the list,
there was an MS person reading that knew what was going on and could point at
his blog for how to correct the problem.

If I cared to sit
down with the security folks who came up with it I would ask, all of this for
what real security benefit? If you are attacking a specific service, you either
just fire the "magic pill" across regardless or you can still view
individual service status by asking for it if the tool you are using knows
how to ask for the right level of perms when connecting. Enumeration isn't
needed for hacking. It only slows normal people down because most of MS's
tools don't access the services with the proper level of
perms requested either. That means all of the MS GUI service tools are
now useless to people who maybe want (and have been delegated) to manage a
single service or use the GUI to verify that the server IT manages for them is
running their services. As for monitoring itself, if the previous
mechanism to monitor the service was with an ID that had no special permissions
on the server, creating a new ID and spinning up a service on the local machine
is more invasive and insecure as you now have a new vector to actually attack
the machine, a service that is inside the main wall of security as it is already
running on the local machine. This change stopped a lot of people, at least
for a while, who had least privileges configured for managing stuff from being
able to manage and required them to be given a lot more permissions than they
really needed. Go team!

I don't mind if you don't comment on why MS did something
or even how, obviously you have no control over anything they do, you are MCS,
you try to implement what they give you. However, your first response in light
of your second combined with the conversation at hand doesn't seem to make any
sense. It didn't make a lot of sense even without your second
response.

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rick Kingslan
Sent: Sunday, November 27, 2005 12:01 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Windows 2003 SP1 upgrade...

Sometimes, I realize that I commented on something, go back
and read the thread and come upon a novella.

Occasionally, all I want is a paragraph.  Hopefully,
all of this information wasn't meant for me, because all I do day in, day out
these days is drink from a fire hose - hence why I'm not around so much these
days.  This hopefully helped others, as it presents no value to me right
now at all.  I'm versed in this quite well.

Yes - the question was meant to stir a conversation - more
about interactive as a mechanism to remove a looming hole for accounts that NEED
high level permissions but don't NEED to be logged into.  Surprisingly,
this is a vector that most people forget about.  If you don't need to log
in to it - why does it have interactive?

As to which LUA - the actual, higher level principle of
giving nothing (not just people) any more access than it absolutely
requires.  I made the assumption that the ACLing that you referred to had
already removed any and all unnecessary permissions to things unsavory,
dangerous, and shiny-but-sharp from touch.

Hence the question about interactive.  It's not an
ACL.

And, as to our direction with software and decisions made -
I don't comment much publicly anymore.  I've gotten myself into too much
trouble of late, another reason I'm not here as much.

Brett can answer some of these, or get someone from the dev
team on Security issues.  I'll answer anything you want on MCS and how to
implement.  But, as to why things are or where they are going to be in
future product - I won't be commenting on that.  That's another pretty,
shiny, sharp-thing.

Rick

--Posting is provided "AS IS", and confers no rights or
warranties ... 

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Monday, November 21, 2005 7:45 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Windows 2003 SP1 upgrade...

No. MS made it now so that you either need to use an ID
that has admin rights or you have to change the ACL on the SCM to monitor the
services OR the application doing the monitoring needs to know specifically what
service to look at AND know how to ask how to open it WITHOUT asking for
enumeration rights which is unusual since it was always possible previously
because the ACL on the SCM wasn't configurable. All example source showed how to
do it in a way that would break after the change.

What this change does is require more privileges to do work
easily done with an unprivileged account or to require you to partially undo
what MS did to lock it down. Since the ability to change the SCM ACL
previously wasn't something that could be done at all, I understand the idea to
lock it down once it could be modified. However, MS didn't really give much in
the way of tools to operate with it set that way. There was one tool, SC,
that was modified in order to work with it and at least initially, it
wasn't very well documented. This easily should have been a GPO config item just
like the other service ACL configs. Personally, I would have greatly
appreciated say a new group... RemoteServiceEnumeration or something like that,
then people simply add principals to that group in order to keep their apps
working.

I have often monitored services on servers remotely with an
ID that has normal user rights in the domain. The ID had no permissions on the
servers at all other than to look at them. Others have done the same. The
monitoring scripts/apps would list all services to see what was running and what
wasn't running; any changes whatsoever would be reported so you knew when
something got added and when something got removed or if something was started
that wasn't previously running or something that was previously running no
longer was running. After SP1, it took modifying the ACL or granting admin level
rights or required the ID to be used locally on the local machine instead of
remotely.

This change forced people, at least initially until
documentation started coming out, to use higher power IDs to do
something that previously could be done with lower power do-nothing IDs.
To put it another way, there is no technical reason whatsoever that an
admin ID is required to monitor services. Heck you can even delegate service
control to non-admins, I have been giving out ability to stop/start specific
services on servers since early NT4 days.

BTW, which LUA are you referring to? The actual principle
of least user access where you don't give people access to things they shouldn't
have or the LUA to allow non-privileged users to actually do things without
being an admin? I think the first, but it caught me by surprise and I read it as
the second initially because most MS folks are using LUA strictly to speak about
the new capability in Vista. I didn't mention LUA but was referring to
not having to be an admin to do something simple.

I have no problem with locking things down, but don't catch
people by surprise. This should have been something you are told about DURING
the lockdown where you are asked WHO should be able to do it by adding
them to a security group or worse but better than nothing a right, or it
should have been something easy and intuitive to back out or modify the
functionality for. Most MS admins haven't a clue what SC is, those of us that
did had no clue there were changes in it until people started talking a lot
about this issue. Even still, the MS GUI service tools don't work correctly with
this change.

I have heard people using this "fix" as an excuse for why
people should have admin rights for doing things they don't need admin rights
for because, they say, you never know when an MS fix is going to change things
such that delegation won't work and you can't afford to not have things
work. 

I think I understand the logic behind the change, it is
about obscuring what is running. Obviously that is worthless from an automated
hacking tool standpoint because they don't generally try to enumerate services,
they just attack ports. Hiding the service list isn't going to do much just like
renaming the admin account isn't going to do much if you allow enumeration of
the SIDs. Which is another good example, instead of just blocking that
capability, what did MS do? They gave you the option....

   joe

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Rick Kingslan
Sent: Sunday, November 20, 2005 7:19 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Windows 2003 SP1 upgrade...

True.  But, to monitor services does someone have to
log on to the server?  Would a good and SAFE work around - if the said user
doesn't need to log on, to create a service account to do the work, but remove
the interactive rights?

Seems to me that proxying the access would be close to the
ultimate in LUA.

Rick

--Posting is provided "AS IS", and confers no rights or
warranties ... 
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Sunday, November 20, 2005 5:21 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Windows 2003 SP1 upgrade...

The biggest thing people complain to me about that isn't
documented as an issue below is with the new ACL on the service control manager.
The new ACL really locks down who can enumerate services remotely. This has
impact on multiple different applications and services, especially any
monitoring that isn't using full admin IDs. Kind of sad actually, people trying
to run with least privs for the monitors got nailed and had to give out more
perms until info started getting out on how to fix the
problem.

Check out the items exposed by the following query:

http://www.google.com/search?hl=en&lr=&safe=off&rls=GGLD%2CGGLD%3A2004-07%2CGGLD%3Aen&q=sdset+sc+2003+site%3Asupport.microsoft.com


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Frank Abagnale
Sent: Sunday, November 20, 2005 3:47 PM
To: Active
Subject: [ActiveDir] Windows 2003 SP1 upgrade...


Hello all,

I am planning on rolling out SP1 to my Domain Controllers. I have looked through msn search to find known issues with applying SP1 to DC's. I found the following kb articles (below) so I can prepare if I have issues. I haven't run into any issues in my test environment; however, has anyone else had any undocumented problems they may wish to share? One of my DC's is also a WINS, DNS, DHCP, FSMO role holder, so any issues or pointers that you may have come up against would be appreciated.

Also, is there any recommendation as to which DC you choose first when you upgrade to SP1?

The Windows Time service may generate event ID 7023 after you upgrade to Windows Server 2003 Service Pack 1
http://support.microsoft.com/?id=892501

Network issues that affect TCP/IP and RPC traffic across firewall or VPN
http://support.microsoft.com/kb/899148/

The incorrect HAL may be applied if your computer uses a custom HAL
http://support.microsoft.com/kb/889101

Thanks

Frank
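An added example, not code from the thread or from Microsoft, of the least-privilege monitoring approach joe describes: audit the SCM security descriptor with sc.exe, then query named services directly instead of asking the SCM for enumeration rights, and diff the result against a saved baseline. The server name, the service list and the baseline path are constructed placeholders; that ServiceController.Status only needs SC_MANAGER_CONNECT plus SERVICE_QUERY_STATUS is an assumption about the .NET implementation.

```powershell
# Added example: least-privilege remote service monitor for a post-SP1 server.
# Assumptions: the running ID has only default domain-user rights on the target;
# $Server, $Services and $Baseline are placeholders, not values from the thread.
param(
    [string]   $Server   = 'SERVER01',                       # placeholder
    [string[]] $Services = @('W32Time', 'DNS', 'Dhcp', 'NTDS'),
    [string]   $Baseline = "$env:TEMP\svc-baseline-$Server.json"
)
Add-Type -AssemblyName System.ServiceProcess

# 1) Audit: show the SCM security descriptor as SDDL. On an SP1 box this is what
#    decides whether a non-admin may enumerate services remotely at all.
$sddl = (& sc.exe "\\$Server" sdshow scmanager | Where-Object { $_ -match '^[DO]:' }) -join ''
if ($sddl) {
    Write-Host "SCM security descriptor on $Server : $sddl"
    # ConvertFrom-SddlString exists in PowerShell 5.1+; older hosts just see raw SDDL.
    if (Get-Command ConvertFrom-SddlString -ErrorAction SilentlyContinue) {
        (ConvertFrom-SddlString $sddl).DiscretionaryAcl | ForEach-Object { Write-Host "  $_" }
    }
}

# 2) Monitor: open each *named* service directly. Reading .Status connects to the
#    SCM with connect access and opens the service for query-status only, so the
#    enumerate right on the SCM (the one SP1 withdrew from normal users) is never
#    requested. This is "asking for the right level of perms" instead of EnumServicesStatus.
$current = @{}
foreach ($name in $Services) {
    try {
        $sc = New-Object System.ServiceProcess.ServiceController($name, $Server)
        $current[$name] = $sc.Status.ToString()
    } catch {
        # Access denied here points at the per-service ACL, not the SCM ACL.
        $current[$name] = "ERROR: $($_.Exception.GetBaseException().Message)"
    }
}

# 3) Diff against the previous run and warn on any change (started, stopped,
#    newly unreachable), as the thread's monitoring scripts did; then save the baseline.
if (Test-Path $Baseline) {
    $previous = Get-Content $Baseline -Raw | ConvertFrom-Json
    foreach ($name in $Services) {
        $old = $previous.$name
        if ($old -ne $current[$name]) {
            Write-Warning "$Server/$name changed: '$old' -> '$($current[$name])'"
        }
    }
} else {
    Write-Host "No baseline for $Server yet; recording current state."
}
$current | ConvertTo-Json | Set-Content $Baseline
$current
```

If step 2 fails with access denied for every service while step 1 shows no entry for Authenticated Users, the SCM descriptor itself is the blocker and the fix is the sc.exe sdset route from the KB query joe links, not a more privileged monitoring account.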