Network Security NTBugtraq

Re: XP SP2: cannot access Disk Manager (LDM) on remote Win 2000 systems

Subject: Re: XP SP2: cannot access Disk Manager (LDM) on remote Win 2000 systems
Date: Tue, 24 Aug 2004 17:40:12 -0400
Firstly, I would like to encourage everyone who has such problems with XP SP2 
to call Microsoft Support and open a trouble ticket, or see if they already 
have a solution available. KB articles get written based on the number of 
support calls for a similar issue, and the urgency of fixes often depends on 
the number of reports. I don't guarantee you won't get charged, but by rights 
you shouldn't as long as the issue isn't documented somewhere and it's not the 
result of some 3rd party product.

Meanwhile, everyone who can; who runs into problems; or wants to understand XP 
SP2 needs to read;

"Changes to Functionality in Windows XP Service Pack 2"
http://go.microsoft.com/fwlink/?LinkId=28022

It's better to download it because then you can do searches through it.

So, for example, one of the documented changes involves RPC/DCOM and 
unauthenticated access from remote clients. Not every tool that does remote 
administration does so strictly by making calls to the remote client and 
getting feedback...some tools are two-way communications. Still other tools do 
things via UDP, an unauthenticated protocol, in order to expedite data transfer.

XP SP2 introduces a new registry key, RestrictRemoteClient, which, effectively, 
says that no unauthenticated RPC/DCOM connection can be made to your XP SP2 
box, nor will it accept RPC/DCOM over UDP (or IPX, or other connectionless 
protocols.)

Whether this is or is not the reason for the Disk Manager problems is, 
unfortunately, not yet documented by Microsoft. The task of administering other 
computers from XP SP2 systems is, IMO, sorely lacking documentation at this 
time.

Anyway, I hate to make this suggestion because it does remove a significant 
security improvement, but you may want to try setting the RestrictRemoteClient 
value to 0. Via Group Policy option "Restrictions for Unauthenticated RPC 
Clients", or via the registry at;

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\RPC

This *may* resolve the issue. It will most definitely be the cause of some of 
the Access Denied errors people see when they have problems with apps and XP 
SP2.

Caveat! Setting that value to 0 disables the improved security preventing 
unauthenticated RPC/DCOM connections. If you have to use it, you want to change 
this setting when you need it, and change it back when you don't.

Another report I received regarding access denied errors suggests that the RPC 
service should have its "Log on as" value changed back from NT 
Authority\Network Service, to Local System Account. I haven't found a need for 
this, but it was suggested as a solution for some access denied problems. The 
MS documentation is a bit vague, and merely states that RPC was changed so that 
some aspects of it use the Local System Account context, while others use the 
NT Authority\Network Service context. I suspect this problem occurs when ACLs 
are being more closely scrutinized, such as when stringent enforcement has been 
put in place...but it's still a mystery to me.

Anyway, just some thoughts.

Cheers,
Russ - Senior Scientist - TruSecure Corporation/NTBugtraq Editor
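
The caveat in the message above, about changing the value back once the need has passed, can be checked with a short audit. This is an added example, not part of the original post or any Microsoft tool: it reads RestrictRemoteClient from the policy key named in the message and warns when the restriction is left switched off. The function name and output fields are hypothetical, and the meanings shown for values 1 and 2 come from Microsoft's RPC documentation rather than from the post.

```powershell
# Added example: reports how the RPC restriction policy named in the post is set.
# Function and property names are illustrative.
$RpcPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\RPC'
$ValueName    = 'RestrictRemoteClient'

function Get-RestrictRemoteClientState {
    param([string]$Path = $RpcPolicyKey)

    $state = [ordered]@{
        Computer   = $env:COMPUTERNAME
        Configured = $false
        Value      = $null
        Meaning    = 'Not set by policy; the OS default applies'
        Relaxed    = $false
    }

    # A missing key or value is a normal case, not an error.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $ValueName)) {
        $state.Configured = $true
        $state.Value = $key.GetValue($ValueName)
        if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $state.Meaning = 'Unexpected value type; expected REG_DWORD'
        } else {
            switch ($state.Value) {
                0 { $state.Meaning = 'None: unauthenticated RPC clients accepted'
                    $state.Relaxed = $true }
                1 { $state.Meaning = 'Authenticated: unauthenticated clients rejected, with exemptions' }
                2 { $state.Meaning = 'Authenticated without exceptions' }
                default { $state.Meaning = 'Value outside the documented range 0-2' }
            }
        }
    }
    [pscustomobject]$state
}

$result = Get-RestrictRemoteClientState
$result
if ($result.Relaxed) {
    Write-Warning "$ValueName is 0 on $($result.Computer): the SP2 restriction is switched off."
}
```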
