The MS05-051 vulnerability looks quite bad, so I'm not happy with leaving
these servers unpatched. Relevant error messages below:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 10/11/2005
Time: 9:49:06 PM
User: NT AUTHORITY\SYSTEM
Computer: (deleted)
Description:
The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM
within the required timeout.
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 36
Date: 10/11/2005
Time: 9:49:06 PM
User: N/A
Computer: (deleted)
Description:
The server failed to load application '/LM/W3SVC/1/Root'. The error was
'Server execution failed
'.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
Any ideas on what was broken and/or how to fix it?
Rob Shaw-Fuller
robsha...@hotmail.com
CAUSE
The NT AUTHORITY\Authenticated Users or NT AUTHORITY\INTERACTIVE entries
have been removed from the Users group.
RESOLUTION
Add these users back to the Users group, and then restart Internet
Information Services (IIS):
1. Click *Start*, click *Programs*, click *Administrative Tools*, and
then click *Computer Management* to open the Computer Management console.
2. In the left pane, expand *Local Users and Groups*, and then click
the *Groups* folder.
3. In the right pane, right-click the *Users* group, and then click
*Properties*.
4. Click *Add*.
5. In the *Select Users or Groups* dialog box, locate the *Look in*
drop-down box, and then select the local computer.
6. Select *Authenticated Users*, and then click *Add*. Select
*INTERACTIVE*, and then click *Add*. Click *OK*, click *Apply*, and then
click *Close* to close the properties for the Users group.
7. In the left pane, expand *Services and Applications*, and then click
*Services*.
8. In the right pane, right-click *IIS Admin Service*, and then click
*Restart*.
9. In the *Restart Other Services* confirmation dialog box, click *Yes*.
EventID.Net:
http://www.eventid.net/display.asp?eventid=10010&eventno=508&source=DCOM&phase=1
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> PRB: ASP pages do not process and DCOM event 10010 appears in the system
> event log:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;327153
<snip>
Bypass traverse checking
Removing the Everyone group from the list of security principals who, by
default, have this user right. The Windows operating systems, and also many
programs, have been designed with the expectation that anyone who can
legitimately access the computer will have the Bypass traverse checking user
right. Therefore, removing the Everyone group from the list of security
principals who, by default, have this user right could lead to operating
system instability or to program failure. It is better that you leave this
setting at its default.
We removed all groups from this some time ago and we had to add the Everyone
group back to make the MS05051 patch work correctly.
The default is:
Administrators
Everyone
Backup Operators
Power Users
Users
Check the local Security policy of your servers to see if this has been
changed and if so replace the Everyone group at the very least.
This fixed our problems with this patch.
--
Mark Murphy - MCSE2000
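
One way to check the "Bypass traverse checking" setting described above on many servers, as an added example that is not part of the original thread: the script reads the text of a `secedit /export /cfg <file> /areas USER_RIGHTS` export and reports which of the defaults listed above are missing. It assumes the export has already been decoded to text; the sample exports are constructed, and the function names are hypothetical.

```python
# Added example: audit "Bypass traverse checking" in a secedit INF export.
# RIGHT is the internal name of that user right; DEFAULTS maps well-known
# SIDs to the default holders listed in the post above.
RIGHT = "SeChangeNotifyPrivilege"
DEFAULTS = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}

def holders(inf_text, right=RIGHT):
    """Principals granted `right` in the [Privilege Rights] section."""
    section, found = "", set()
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == right.lower():
                # Well-known principals are exported as *SID, others by name.
                found = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return found  # empty set: right absent from the export, treated as no holders

def audit(inf_text):
    """Report which of the default holders are missing from the export."""
    have = {h.lower() for h in holders(inf_text)}
    missing = [name for sid, name in DEFAULTS.items()
               if sid.lower() not in have and name.lower() not in have]
    return {"everyone_present": "Everyone" not in missing, "missing": missing}

# Constructed sample exports (not taken from any real server).
TEMPLATE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeChangeNotifyPrivilege = {value}
[Version]
signature="$CHICAGO$"
Revision=1
"""
STRIPPED = TEMPLATE.format(value="*S-1-5-32-544,*S-1-5-32-551")
RESTORED = TEMPLATE.format(value="*S-1-1-0,*S-1-5-32-544,*S-1-5-32-551")

if __name__ == "__main__":
    for label, text in (("stripped", STRIPPED), ("restored", RESTORED)):
        print(label, audit(text))
```
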
I was able to resolve this issue by adding
permissions for IWAM_computer and
the ASPNET account (if you have the .NET FW installed) to have read access
to C:\Winnt\Registration - once I made
the change and restarted IIS, the applications worked again.
I removed the default permissions on this folder when the servers were built.
The patch for COM+/MSDTC requires that those accounts have permission to the
folder above.
Filemon clearly showed that it was a permissions issue.
Hope this helps,
Seth
My guy also contacted PSS separately, courtesy of the link you so *very*
kindly provided me. Thanks again.
--
~PA Bear
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
Thanks!
N
FYI, Microsoft is now "officially" recognizing this problem in the KB:
http://support.microsoft.com/kb/909444
Rob Shaw-Fuller
robsha...@hotmail.com
"me" <m...@discussions.microsoft.com> wrote...