
The Good, the Bad, and the Ugly of SP1

 

I promise to get to the DIMS stuff soon. In the meantime I want to point out some SP1 uglies:

1. We changed the permissions on the SCM so non-admins cannot connect anymore. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/service_security_and_access_rights.asp

".. Windows Server 2003 and Windows XP/2000/NT:  Unlike most other securable objects, the security descriptor for the SCM cannot be modified. This behavior has changed as of Windows Server 2003 SP1."

This caused some pain noted here:

http://groups-beta.google.com/group/microsoft.public.windows.server.security/browse_thread/thread/d4372eca28569558/d5f35f776111ffe1?q=2003+SP1+permissions+Service+control+manager&rnum=1&hl=en#d5f35f776111ffe1


In SP1 we updated the SC.EXE util so you can change ACLs on the SCM.

C:\>sc sdshow scmanager

This is the SP1 info:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

This is the RTM info:
D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)


You can now set security via "SC.EXE sdset scmanager <SDDL>"
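As an added example (mine, not code from the post or from SC.EXE), here is a small Python parser that reads the two descriptors printed above, expands each ACE's rights field into the Win32 SC_MANAGER_* access-right names, and reports per principal what the SP1 DACL removed or added relative to RTM. The two-letter rights codes and SID aliases are the standard SDDL ones; the bit-to-name table is the documented service control manager access-right set (KA, 0xF003F, is the same value as SC_MANAGER_ALL_ACCESS, which is why Administrators are granted "KA"). The same functions can be pointed at the output of sdshow on any box to sanity-check a custom descriptor before handing it to sdset.

```python
import re
from dataclasses import dataclass

# SDDL two-letter access-right codes (generic, standard, and the FA/KA aliases).
RIGHT_CODES = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "FA": 0x1F01FF, "KA": 0xF003F,
}

# Meaning of those bits when the securable object is the SCM (Win32 SC_MANAGER_*
# rights plus the standard rights). KA (0xF003F) == SC_MANAGER_ALL_ACCESS.
SCM_RIGHTS = {
    0x1: "SC_MANAGER_CONNECT",
    0x2: "SC_MANAGER_CREATE_SERVICE",
    0x4: "SC_MANAGER_ENUMERATE_SERVICE",
    0x8: "SC_MANAGER_LOCK",
    0x10: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

# Well-known SID aliases that appear in the two descriptors from the post.
SID_NAMES = {"AU": "Authenticated Users", "IU": "Interactive", "SU": "Service",
             "SY": "Local System", "BA": "Administrators", "WD": "Everyone"}

# The descriptors exactly as "sc sdshow scmanager" printed them in the post.
RTM_SDDL = "D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
SP1_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)"
            "(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")


@dataclass
class Ace:
    ace_type: str   # "A" allow, "D" deny, "AU" audit
    flags: str      # inheritance/audit flags, e.g. "OIIOFA"
    mask: int       # access mask as an integer
    sid: str        # SID alias ("AU") or literal "S-1-..." string


def parse_rights(field):
    """Turn an SDDL rights field ("CCLCRPRC" or "0x20015") into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_CODES[field[i:i + 2]]   # unknown code -> KeyError, on purpose
    return mask


def parse_sddl(sddl):
    """Return {"D": [Ace, ...], "S": [Ace, ...]} for the DACL and SACL of an SDDL string."""
    sections = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    parsed = {}
    for key in ("D", "S"):
        aces = []
        for body in re.findall(r"\(([^)]*)\)", sections.get(key, "")):
            ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")[:6]
            aces.append(Ace(ace_type, flags, parse_rights(rights), sid))
        parsed[key] = aces
    return parsed


def describe_rights(mask):
    """Name the SCM rights set in a mask; any leftover bits are reported in hex."""
    names = [name for bit, name in SCM_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(SCM_RIGHTS)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def allowed_mask(sddl, sid):
    """OR together every allow ACE for one principal. The descriptors in the post have
    no deny ACEs; a real access check would also honour deny ACEs in DACL order."""
    mask = 0
    for ace in parse_sddl(sddl)["D"]:
        if ace.ace_type == "A" and ace.sid == sid:
            mask |= ace.mask
    return mask


def grants(sddl, sid, wanted):
    """True if the allow ACEs for sid cover every bit in wanted."""
    return allowed_mask(sddl, sid) & wanted == wanted


def dacl_diff(old_sddl, new_sddl):
    """Per principal, which SCM rights the new DACL removed or added relative to the old."""
    principals = {a.sid for a in parse_sddl(old_sddl)["D"] + parse_sddl(new_sddl)["D"]
                  if a.ace_type == "A"}
    report = {}
    for sid in sorted(principals):
        old, new = allowed_mask(old_sddl, sid), allowed_mask(new_sddl, sid)
        if old != new:
            report[sid] = {"removed": describe_rights(old & ~new),
                           "added": describe_rights(new & ~old)}
    return report


if __name__ == "__main__":
    for sid, change in dacl_diff(RTM_SDDL, SP1_SDDL).items():
        print(f"{SID_NAMES.get(sid, sid)}:")
        for verb in ("removed", "added"):
            for right in change[verb]:
                print(f"  {verb:8} {right}")
```

Run as a script it diffs the two descriptors above: Authenticated Users keep SC_MANAGER_CONNECT but lose SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_QUERY_LOCK_STATUS and READ_CONTROL, while Interactive and Service each pick up exactly the set Authenticated Users used to have. To check a descriptor from your own box, paste the sdshow output in place of SP1_SDDL; an unknown rights code raises a KeyError rather than silently dropping a bit.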

 


2. We changed some RPC calls, as mentioned here: http://support.microsoft.com/kb/899148

"..Windows Server 2003 SP1 adds support for some new transfer syntaxes to the RPC implementation. These new transfer syntaxes are known as "multiple transfer syntax negotiation." They help 32-bit and 64-bit computers handle larger workloads. Additionally, they frequently help 32-bit and 64-bit computers work faster.

Specifically, firewalls and VPN products that do permit more than one presentation context to be present in a bound RPC protocol data unit (PDU) may cause either of the following symptoms:"

As a result, bad things happened. If you cannot update your firewall, you can get the hotfix from http://support.microsoft.com/kb/899148 and set the value Server2003NegotiateDisable = 1 to work around this. (BTW, the article is not very clear in saying you need to set this.)


Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
Value: Server2003NegotiateDisable 
Type: DWORD
Data: 1


3. We changed the time service as noted here: http://support.microsoft.com/?kbid=892501&SD=tech


4. There are some MIT cross-realm trust issues when logging in via Terminal Services. If you think you are hitting this, then ping me. The reason: I haven't had time to fully look into it, but it appears the reg value "IgnoreRegUserConfigErrors" noted here http://support.microsoft.com/?kbid=815266 resolves this one.

 

spat

 

 

Published Friday, May 20, 2005 6:28 PM by SpatDSG


Comments

Monday, August 15, 2005 3:39 PM by Spat's WebLog

# Post 2003 SP1 MIT cross realm trust fix for Terminal Services

In The Good, the Bad, and the Ugly of SP1 I mentioned this:
There are some MIT cross realm...
