Issue With W2K SP3 Citrix/Terminal Servers and MS04-011(835732)

• Previous message: Derek Soeder: "EEYE: Symantec Multiple Firewall TCP Options Denial of Service"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Fri, 23 Apr 2004 15:44:57 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

We patched half of our W2K SP3 Terminal Servers last night with MS04-011,
MS04-012, and MS04-014. This morning all of the users logging into the
patched servers were not able to access their roaming profile and created
local profiles on the Terminal Servers instead.

Here's what we've determined so far.

We have users (clients) in a Windows 2000 SP3 forest connecting through
Citrix on Windows 2000 SP3 Terminal Servers, which are located in another
Windows 2000/2003 forest.
All of the users that are connecting through Citrix/Terminal servers that
have been patched with 835732 are unable to load their roaming profiles, so
local profiles are created instead on each Citrix/Terminal server.

The error in the Application Log is as follows:

Event Type: Information
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 23/04/2004
Time: 12:36:41 PM
User: NT AUTHORITY\SYSTEM
Computer: %servername%
Description: The logged on user's forest is different from the machine's
forest. Cross Forest Group Policy processing is disabled and loopback
processing has been enforced in this forest for this user account.

This appears to be a "Cross-Forest" issue that should only affect Windows
2000 SP4 and Windows 2003, but is affecting our Windows 2000 SP3
Citrix/Terminal Servers. The SP4 issue is mentioned in this KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823862
<http://support.microsoft.com/default.aspx?scid=kb;en-us;823862> .

What appears to be happening is that an SP4 Cross-Forest security "feature"
is activating the Group Policy setting for "Allow Cross-Forest User Policy
and Roaming User Profiles" policy under \Computer
Configuration\Administrative Templates\System\Group Policy. We tried to
enable the policy to see if that would fix it, but it only made things worse
and affected the previously unaffected users as well. We think that since
our Citrix/Terminal Servers are Windows 2000 SP3, they seem to "see" the SP4
policy, but don't understand it. There must be some updated component in the
835732 patch that is allowing SP3 machines to "see" the SP4 policy.

As soon as we uninstalled the 835732 patch from one of these Citrix/Terminal
servers, users were able to access their roaming profiles normally again.
We're going to keep experimenting with this on one of our test servers. Will
keep you updated. If anyone else has any info, please let me know.

Michael Manskopf
IT - Technology and Infrastructure Group
CANACCORD CAPITAL CORP.
#2200 - 609 Granville Street,
Vancouver, B.C.
V7Y 1H2
TEL: (604) 643-7605
CEL: (604) 841-1534
EMAIL: <mailto:Michael_Manskopf@canaccord.com
<mailto:Michael_Manskopf@canaccord.com> >

"Canaccord Capital Corporation <canaccord.com>" made the following
 annotations on 04/23/2004 03:45:02 PM
------------------------------------------------------------------------------
This message may contain confidential or privileged material. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this message in error, please immediately reply to the sender and delete this information from your computer. Thank you.
==============================================================================

-----
Earn up to 10 credit course hours toward the TruSecure ICSA Practitioner (TICSA) Credential and receive a TICSA exam coupon by attending the Infosecurity Canada 2004 conference. Featured speaker, Marcus J. Ranum, TruSecure inventor of the proxy firewall will present on June 3 at 11:30 AM. Visit <https://ticsa.trusecure.com> for certification details and <http://www.infosecuritycanada.com> for conference information. Become TICSA certified and see what happens!
-----

• Previous message: Derek Soeder: "EEYE: Symantec Multiple Firewall TCP Options Denial of Service"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Account Lockout threshold ... All are window 2000 advanced servers with Service pack 3, ... Domain Contoller Security Policy - Account lockout threshold ... (microsoft.public.security) Re: Security templates and IUSR account log on locally ... the Enterprise security template for Member Servers breaks IIS6 anon ... the guideline is to apply the member servers baseline policy and then the ... web servers policy. ... You may also want to revisit the download for the W2k3 Security Guide as ... (microsoft.public.inetserver.iis.security) Re: Preventing users from c onnecting to shares NOT on the domain.. ... First condition would be to set "Require Security" policy to "Restricted ... These computers could be excluded by IP address, ... > The servers might be located on the same subnet of some of the clients. ... (microsoft.public.win2000.networking) Re: Preventing users from c onnecting to shares NOT on the domain.. ... First condition would be to set "Require Security" policy to "Restricted ... These computers could be excluded by IP address, ... > The servers might be located on the same subnet of some of the clients. ... (microsoft.public.win2000.security) Re: Default Domain Controllers Policy ... I was only looking to change the Local Security Policy on servers that have ... appling to the Computers is if the Computer OU was inside the Default ... Why are you trying to change Local Settings? ... (microsoft.public.win2000.group_policy)