Issue With W2K SP3 Citrix/Terminal Servers and MS04-011(835732)

From: Manskopf, Michael (Michael_Manskopf_at_CANACCORD.COM)
Date: 04/24/04

  • Next message: Drew Copley: "EEYE: Yahoo! Mail Account Filter Overflow Hijack"
    Date:         Fri, 23 Apr 2004 15:44:57 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    We patched half of our W2K SP3 Terminal Servers last night with MS04-011,
    MS04-012, and MS04-014. This morning all of the users logging into the
    patched servers were not able to access their roaming profile and created
    local profiles on the Terminal Servers instead.

    Here's what we've determined so far.

    We have users (clients) in a Windows 2000 SP3 forest connecting through
    Citrix on Windows 2000 SP3 Terminal Servers, which are located in another
    Windows 2000/2003 forest.
    All of the users that are connecting through Citrix/Terminal servers that
    have been patched with 835732 are unable to load their roaming profiles, so
    local profiles are created instead on each Citrix/Terminal server.

    The error in the Application Log is as follows:

    Event Type: Information
    Event Source: Userenv
    Event Category: None
    Event ID: 1000
    Date: 23/04/2004
    Time: 12:36:41 PM
    User: NT AUTHORITY\SYSTEM
    Computer: %servername%
    Description: The logged on user's forest is different from the machine's
    forest. Cross Forest Group Policy processing is disabled and loopback
    processing has been enforced in this forest for this user account.

    This appears to be a "Cross-Forest" issue that should only affect Windows
    2000 SP4 and Windows 2003, but is affecting our Windows 2000 SP3
    Citrix/Terminal Servers. The SP4 issue is mentioned in this KB article:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;823862
    <http://support.microsoft.com/default.aspx?scid=kb;en-us;823862> .

    What appears to be happening is that an SP4 Cross-Forest security "feature"
    is activating the Group Policy setting for "Allow Cross-Forest User Policy
    and Roaming User Profiles" policy under \Computer
    Configuration\Administrative Templates\System\Group Policy. We tried to
    enable the policy to see if that would fix it, but it only made things worse
    and affected the previously unaffected users as well. We think that since
    our Citrix/Terminal Servers are Windows 2000 SP3, they seem to "see" the SP4
    policy, but don't understand it. There must be some updated component in the
    835732 patch that is allowing SP3 machines to "see" the SP4 policy.

    As soon as we uninstalled the 835732 patch from one of these Citrix/Terminal
    servers, users were able to access their roaming profiles normally again.
    We're going to keep experimenting with this on one of our test servers. Will
    keep you updated. If anyone else has any info, please let me know.

    Michael Manskopf
    IT - Technology and Infrastructure Group
    CANACCORD CAPITAL CORP.
    #2200 - 609 Granville Street,
    Vancouver, B.C.
    V7Y 1H2
    TEL: (604) 643-7605
    CEL: (604) 841-1534
    EMAIL: <mailto:Michael_Manskopf@canaccord.com
    <mailto:Michael_Manskopf@canaccord.com> >

    "Canaccord Capital Corporation <canaccord.com>" made the following
     annotations on 04/23/2004 03:45:02 PM
    ------------------------------------------------------------------------------
    This message may contain confidential or privileged material. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this message in error, please immediately reply to the sender and delete this information from your computer. Thank you.
    ==============================================================================

    -----
    Earn up to 10 credit course hours toward the TruSecure ICSA Practitioner (TICSA) Credential and receive a TICSA exam coupon by attending the Infosecurity Canada 2004 conference. Featured speaker, Marcus J. Ranum, TruSecure inventor of the proxy firewall will present on June 3 at 11:30 AM. Visit <https://ticsa.trusecure.com> for certification details and <http://www.infosecuritycanada.com> for conference information. Become TICSA certified and see what happens!
    -----


  • Next message: Drew Copley: "EEYE: Yahoo! Mail Account Filter Overflow Hijack"

    Relevant Pages

    • Re: Account Lockout threshold
      ... All are window 2000 advanced servers with Service pack 3, ... Domain Contoller Security Policy - Account lockout threshold ...
      (microsoft.public.security)
    • Re: Security templates and IUSR account log on locally
      ... the Enterprise security template for Member Servers breaks IIS6 anon ... the guideline is to apply the member servers baseline policy and then the ... web servers policy. ... You may also want to revisit the download for the W2k3 Security Guide as ...
      (microsoft.public.inetserver.iis.security)
    • Re: Preventing users from c onnecting to shares NOT on the domain..
      ... First condition would be to set "Require Security" policy to "Restricted ... These computers could be excluded by IP address, ... > The servers might be located on the same subnet of some of the clients. ...
      (microsoft.public.win2000.networking)
    • Re: Preventing users from c onnecting to shares NOT on the domain..
      ... First condition would be to set "Require Security" policy to "Restricted ... These computers could be excluded by IP address, ... > The servers might be located on the same subnet of some of the clients. ...
      (microsoft.public.win2000.security)
    • Re: Default Domain Controllers Policy
      ... I was only looking to change the Local Security Policy on servers that have ... appling to the Computers is if the Computer OU was inside the Default ... Why are you trying to change Local Settings? ...
      (microsoft.public.win2000.group_policy)