MS Patches last Mon - Recap

aborg_at_mca.org.mt
Date: 04/18/04

    To: <bugtraq@securityfocus.com>, NTBugtraq@listserv.ntbugtraq.com
    Date: Sun, 18 Apr 2004 12:17:56 +0200
    
    

    Hi all ...

    Following my post on bugtraq last Fri and after having waded through the
    deluge of replies, here is a quick recap of things:

    1) Thu morning several of my users could not log in. WinXP and Win2k
    complained that the time between the server and client is different. I can
    work around this since we happen to have cached logon credentials so all I
    needed to do was unplug the network cable, get them to log in and plug it
    in again. Different things worked for different people. NET TIME \\MYPDC
    /SET /Y worked for the 1st one. NET TIME \\MYBACKUPDOMAINCONTROLLER /SET
    /Y worked for the 2nd. I don't know why the first command did not fix the
    problem for User2 (and yes, I did reboot server and client meanwhile). A
    number of other things were required to get things moving for the others.

    2) Fri morning I had a few more people who were working on Thu finding
    themselves unable to log in. At this point I began to suspect the MS
    patches from Wed. I hadn't before since at first glance the patches did
    not affect any time-related or login-related functionality. However,
    research on the MS site shows that the time feature uses RPC to coordinate
    the time between client and server and this set alarm bells ringing.

    3) On Sat I found out that even client computers WITHOUT the patches
    installed could not log in properly. I tried uninstalling the patches from
    both the PDC and BDC one by one but this did not solve anything.

    4) On Sat I went through all the emails. Thanks for all your help but I
    was aware that NET TIME exists, how to use it, how to set it up to always
    coordinate time with the PDC and how to set the PDC to sync with an
    external time source. I also am aware that Kerberos allows for a 5 min
    difference and am quite sure that our servers are still set up that way. I
    also have net time in the logon script and all of these suggestions - while
    welcome - had already been tried.

    5) Thanks also to all the people who wrote in to tell me that they too have
    similar problems - I counted about 20 all in all. It is reassuring to know
    that I'm not the only one. Unfortunately, reinstalling Windows on my
    server is not an option I would like to consider. And rebooting the
    clients and servers didn't work either.

    6) It is entirely possible therefore that the uninstaller of these patches
    is not comprehensive enough to uninstall all the items/reg keys that it
    sets up. I am going to look for a list of changes and ensure that they
    have been revoked. This statement assumes that the patches are at fault
    here - and while I am aware that a reboot could trigger any number of
    pending uninstalls/installs I had recently rebooted the machines and
    nothing had been removed/added until the patches. I had initially toyed
    with the idea that this may be some kind of trojan and/or virus but cannot
    identify any kind of errant process or item in the registry that would add
    weight to this theory. Suggestions are welcome. However, if everyone else
    is working then what's different between my network and theirs?

    7) I am now in a situation whereby after having uninstalled the patches
    from my PDC and BDC and rebooting both machines, I am unable to log in to my
    BDC. This is critical for me and it is why I am here tapping away at my PC
    on a Sunday at 12:16 (I'm in Europe). I intend to stay here at the office
    until the problem is sorted so feel free to email at any time. I will post
    an update as soon as I have one.

    Thanks for all your help so far. Let's see if we can nail this bugger.

    Antoine Borg
    Network Administrator

    Malta Communications Authority
    Suite 43/44, "Il-Piazzetta"
    Tower Road
    Sliema SLM 16
    Malta G.C.

    Mob: +356 79 271852

    ---------
    "There is something about inevitability that offends human nature. Man is
    a creature of hope and invention, both of which belie the idea that things
    cannot be changed. But man is also a creature prone to error, and sometimes
    that makes inevitable the things that he so often seeks to avoid."

