Re: XP SP2: cannot access Disk Manager (LDM) on remote Win 2000 systems
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Tue, 24 Aug 2004 17:40:12 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Firstly, I would like to encourage everyone who has such problems with XP SP2 to call Microsoft Support and open a trouble ticket, or see if they already have a solution available. KB articles get written based on the number of support calls for a similar issue, and the urgency of fixes often depends on the number of reports. I don't guarantee you won't get charged, but by rights you shouldn't as long as the issue isn't documented somewhere and it's not the result of some 3rd party product.
Meanwhile, everyone who can, who runs into problems, or who wants to understand XP SP2 needs to read:
"Changes to Functionality in Windows XP Service Pack 2"
It's better to download it because then you can do searches through it.
So, for example, one of the documented changes involves RPC/DCOM and unauthenticated access from remote clients. Not every tool that does remote administration does so strictly by making calls to the remote client and getting feedback...some tools are two-way communications. Still other tools do things via UDP, an unauthenticated protocol, in order to expedite data transfer.
XP SP2 introduces a new registry key, RestrictRemoteClient, which, effectively, says that no unauthenticated RPC/DCOM connection can be made to your XP SP2 box, nor will it accept RPC/DCOM over UDP (or IPX, or other connectionless protocols).
Whether this is or is not the reason for the Disk Manager problems is, unfortunately, not yet documented by Microsoft. The task of administering other computers from XP SP2 systems is, IMO, sorely lacking documentation at this time.
Anyway, I hate to make this suggestion because it does remove a significant security improvement, but you may want to try setting the RestrictRemoteClient value to 0, via the Group Policy option "Restrictions for Unauthenticated RPC Clients", or via the registry at:
This *may* resolve the issue. It will most definitely be the cause of some of the Access Denied errors people see when they have problems with apps and XP SP2.
Caveat! Setting that value to 0 disables the improved security preventing unauthenticated RPC/DCOM connections. If you have to use it, you want to change this setting when you need it, and change it back when you don't.
Another report I received regarding access denied errors suggests that the RPC service should have its "Log on as" value changed back from NT Authority\Network Service to Local System Account. I haven't found a need for this, but it was suggested as a solution for some access denied problems. The MS documentation is a bit vague, and merely states that RPC was changed so that some aspects of it use the Local System Account context, while others use the NT Authority\Network Service context. I suspect this problem occurs when ACLs are being more closely scrutinized, such as when stringent enforcement has been put in place...but it's still a mystery to me.
Anyway, just some thoughts.
Russ - Senior Scientist - TruSecure Corporation/NTBugtraq Editor
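As an added example (not code from Russ's post, nor from Microsoft), the following PowerShell script does what the post advises: it reads the SP2 RPC restriction level on the local machine, explains what the level means, and lowers it only for the duration of one task so it is put back afterwards. The registry path and the value name RestrictRemoteClients (with a trailing "s"), and the meaning of levels 0, 1 and 2, are as Microsoft documents them; the post itself omits the path. The tool name in the usage line is a placeholder, and the remark about running services needing a restart is an assumption.

```powershell
# Added example: audit the XP SP2 RPC restriction and lower it only while a
# legacy admin task runs, restoring the previous level afterwards (run elevated).
$RpcPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'   # per Microsoft docs
$ValueName    = 'RestrictRemoteClients'                              # note the trailing "s"

function Get-RpcRestriction {
    # Returns the current level; an absent value means the SP2 default (1) applies.
    $item = Get-ItemProperty -Path $RpcPolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.$ValueName
}

function Describe-RpcRestriction([int]$Level) {
    switch ($Level) {
        0 { 'pre-SP2 behaviour: anonymous RPC/DCOM clients accepted (weakest)' }
        1 { 'SP2 default: anonymous clients rejected except on exempted interfaces' }
        2 { 'high: anonymous clients rejected on every interface, no exemptions' }
        default { "unknown level $Level" }
    }
}

function Invoke-WithRpcRestriction {
    # Sets the level for one scriptblock and always restores the previous level,
    # even if the task throws. Assumption: services already running may only see
    # the change after they are restarted, so check the tool's behaviour afterwards.
    param([int]$Level, [scriptblock]$Task)
    $previous = Get-RpcRestriction
    if (-not (Test-Path $RpcPolicyKey)) { New-Item -Path $RpcPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $RpcPolicyKey -Name $ValueName -Value $Level -Type DWord
    Write-Host "RestrictRemoteClients temporarily set to $Level"
    try {
        & $Task
    } finally {
        Set-ItemProperty -Path $RpcPolicyKey -Name $ValueName -Value $previous -Type DWord
        Write-Host "RestrictRemoteClients restored to $previous"
    }
}

# Usage: report the current level, then (uncomment) run one legacy tool at level 0.
$now = Get-RpcRestriction
Write-Host "RestrictRemoteClients = $now ($(Describe-RpcRestriction $now))"
# Invoke-WithRpcRestriction -Level 0 -Task { & 'LEGACY-ADMIN-TOOL.exe' }  # placeholder name
```

The same setting can be pushed centrally with the Group Policy option the post names instead of editing the registry on each machine; the script is for the one-off, time-bounded case the post's caveat describes.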
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.