Re: MS03-048 causing problems for our 2003 DCs

From: John G. Chang (jchang_at_MEDATA.COM)
Date: 11/25/03

    Date:         Tue, 25 Nov 2003 15:36:17 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Hello,

             Just wanted to let anyone interested know that
    the bug appeared again in our DCs this morning. I was
    also able to learn more about this unpublished bug.
    The fix for it will be in Service Pack 1 for 2003. The bug
    itself seems to affect the group policies for the default
    domain controller policy and default domain policy, preventing
    the DCs from reading their own policies.

             Another thing it does is remove the domain controller
    policy from %systemroot%\sysvol\domain\ and
    %systemroot%\sysvol\sysvol\domain.

             I was given a workaround to get past this bug until they
    release a fix.

    Turn off the file replication service on all the DCs except the one
    you will be "fixing".

    Run:
    Secedit /configure /db %SYSTEMROOT%\security\database\cvtfs.sdb /Cfg "%SYSTEMROOT%\security\templates\securedc.inf"

    Then run:
    dcgpofix /target:both

    Then you will be allowed back into the Default Domain Controller Policies.
    Go in there and disable any digital security setting. You're basically
    loosening up every security setting having to do with the DC and the network.
    Run:
    gpupdate /force

    Make sure the other DCs have the same settings in their policies before
    re-activating File Replication Service.

    That's the workaround I was given and it does work.

    John

    At 03:20 PM 11/21/2003 -0500, you wrote:
    >Hello,
    >
    > I was asked to resubmit this post with the
    >CASE_ID_NUM: SRX031118602169 so others
    >could reference it if they have similar problems.
    >
    >I ended up opening a ticket with Microsoft about this issue.
    >They could neither confirm nor deny that the patch in question
    >caused this issue. I was informed that a bug was the cause
    >of this problem and no fix existed at this time for it. Again, it
    >is not known whether MS03-048 was the catalyst for the
    >bug to appear.
    >
    >It made a change that Dean Halter was kind enough to reply
    >back to me about.
    >
    > >>
    >Just a thought, but is your security policy set to shut down systems
    >when the security log becomes full? If so, check your servers to make
    >sure the
    >hkey_local_machine\system\currentcontrolset\control\lsa\crashonauditfail
    >is set to 1. A value of 0, I believe, means the policy is disabled. If 2,
    >you will have to reset the entry to 1 and restart the box. dsh
    > >>
    >
    >The setting above was changed to "2". However, it was more
    >involved than that as we spent two days on the issue.
    >That particular setting was the main culprit.
    >
    >Here's what Microsoft said:
    >
    > >>
    >PROBLEM:
    >___________________
    >Access is denied AD replication
    >
    >RESOLUTION:
    >___________________
    >
    >Set crashonauditfail equal to 0
    >and
    >Ran dcgpofix /target:both
    >and
    >Secedit /configure /db %SYSTEMROOT%\security\database\cvtfs.sdb /Cfg
    >"%SYSTEMROOT%\security\templates\securedc.inf"
    >
    >We also needed to modify the default domain controller policy so that it
    >would not require signing between the client and the server.
    > >>
    >
    >The only thing I know is that I am uneasy about
    >loading future patches on our 2003 DCs. At least
    >I can always contact Microsoft again about this
    >particular issue if it happens again.
    >
    >John
    >
    >----
    >NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
    >code "NT1003" when registering to take the TICSA exam at www.2test.com.
    >Prove to your employer and peers that you have the knowledge and
    >abilities to be an active stakeholder in today's enterprise security.
    >Become TICSA certified www.trusecure.com/ticsa. Promotion expires
    >12/31/03 and cannot be used in combination with other offers.
    >
    >----
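
Added example (not part of the original post or of Microsoft's instructions): a PowerShell sketch that records the crashonauditfail value and the signing-related registry values on each DC before the workaround is applied, then reports whether the DCs agree, which is the check the post asks for before File Replication Service is re-enabled. It assumes PowerShell remoting to the DCs is available; DC01 and DC02 are placeholder names, and treating the SMB and LDAP signing values as the settings the workaround loosens is an assumption.

```powershell
# Added example. The registry locations are standard Windows ones; which of them
# the workaround actually changes is an assumption, not stated in the thread.
$Settings = @(
    @{ Label = 'crashonauditfail';          Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                          Name = 'crashonauditfail' }
    @{ Label = 'SMB server require sign';   Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature' }
    @{ Label = 'SMB server enable sign';    Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'EnableSecuritySignature' }
    @{ Label = 'SMB client require sign';   Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature' }
    @{ Label = 'LDAP server integrity';     Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';              Name = 'LDAPServerIntegrity' }
)

function Get-DcSecuritySnapshot {
    # Reads each value on every listed DC; a missing value is reported as 'not set'.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$Settings) -ScriptBlock {
        param($Settings)
        foreach ($s in $Settings) {
            $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Setting = $s.Label
                Value   = if ($item) { $item.($s.Name) } else { 'not set' }
            }
        }
    }
}

function Compare-DcSecuritySnapshot {
    # One row per setting: whether all DCs agree, and the value seen on each DC.
    param([Parameter(Mandatory)][object[]]$Snapshot)
    foreach ($group in ($Snapshot | Group-Object Setting)) {
        $values = @($group.Group | Select-Object -ExpandProperty Value -Unique)
        [pscustomobject]@{
            Setting    = $group.Name
            Consistent = ($values.Count -eq 1)
            PerDc      = ($group.Group | ForEach-Object { '{0}={1}' -f $_.PSComputerName, $_.Value }) -join '; '
            # The thread identifies crashonauditfail = 2 as the main culprit.
            Note       = if ($group.Name -eq 'crashonauditfail' -and $values -contains 2) { 'value 2 found' } else { '' }
        }
    }
}

# Placeholder DC names; keep the CSV so the original values can be restored later.
$snapshot = Get-DcSecuritySnapshot -ComputerName 'DC01', 'DC02'
$snapshot | Export-Csv -Path .\dc-settings-before.csv -NoTypeInformation
Compare-DcSecuritySnapshot -Snapshot $snapshot | Format-Table -AutoSize -Wrap
```

Running it again after `gpupdate /force` and comparing against the saved CSV shows exactly which values the workaround changed on each DC.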

    
