Re: How to fix broken security in Windows 2000?

From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 02/07/05

Date: Mon, 7 Feb 2005 08:12:19 -0500

"Shannon Jacobs" <shanen@my-deja.com> wrote in message
news:ezTj1EMDFHA.1188@tk2msftngp13.phx.gbl...
> Where? If you are referring to
> http://support.microsoft.com/default.aspx/kb/822798 (the only link I can
> find in a sampling of your posts in this thread), then you are incorrect
> (again). I just reviewed it (again) and that Web page does NOT answer the
> question, and is only tangentially related to the problem (via a special

The article lists the certificates used to verify the crypto signatures on
files from updated Microsoft service packs and patches. So, this article
certainly answers this question at least to those files. I would be very
surprised if files from the original Windows install CD were not signed
either with those same certificates, or using other older certificates with
the same name from the same root authority. It appears to be the closest
answer you're going to find on the Internet [a Google search turned up
nothing else as far as I could find] and is absolutely worth a try.

> case). Part of the final section would be relevant (though I already know
> this is not the most convenient way to do it) *IF* there was some way to
> explicitly identify the missing certificates using SFC or some other tool.

The article does identify the missing certificates, or at least the three or
so required certificates. It's just three certificates, so why not open
your GUI and compare what you've got to a working or newly installed /
imaged Windows 2000 computer? How long could that possibly take, a few
minutes? If you confirm that no certificates are missing, the other
sections of that article then become relevant, by telling you the other
possible dependencies. I don't see any reason to delay checking all of the
dependencies in the article, to confirm these are not the problem. For
example, you haven't told us whether the crypto service is starting on your
computers [one of the troubleshooting steps mentioned in the article],
unregistering and re-registering the DLLs in question, etc. I had a similar
problem and ran through most of the steps in an hour or less, much less
time than we've spent arguing about whether or not that article is the
answer to your question. I really can't figure out what your aversion is to
you or someone else on the IT staff there trying out all the steps in the
article.

> It makes me wonder if perhaps the real reason Microsoft has so far
> avoided answering the question is because they no longer support Windows
> 2000 to that degree.

As far as tech support goes, Windows 2000 is every bit as supported as it
was on the first day of its release, unless you're asking for new
functionality to be programmed.

> Imaginary (but sadly plausible) Microsoftian dialog:

Very imaginary.

> found the problem on any WXP machine). That means it would be fundamentally
> impossible to know whether or not a W2K machine has valid system files,
> unless you use the CD to restore the original system files.

Or you use a computer that isn't having the problem, or a freshly installed
computer.

> Of course that
> cure would be worse than the disease, since you would almost surely be
> *undoing* various security patches.

Not in Windows 2000 and newer; it tracks and replaces updated files for you.
I wouldn't be using the install CD here though; it's unnecessary.

> Note that if all W2K machines are
> missing certain security certificates, then the frequently appearing
> suggestion (in many of Microsoft's "support" Web pages) of copying them (via
> export) from another W2K machine is not going to work, either.

That's why you copy them from a known working Windows 2000 computer, or at
least compare them with a known working computer, in the default settings
that haven't been touched by your IT staff. Because you refuse to look at
the certificates and compare them, we really have no idea whether the
problem is really missing certificates or not.

> Mr. Dilley's rudeness was rather amusing (or even hypocritical) in a post
> that apparently accused someone else of rudeness. (Hard to be sure what his
> intended points were, since they were so badly expressed.)]

I understood them. His point is that you are very rude and yet you need and
demand assistance from the people you are insulting. Also, your IT staff
should be the primary ones troubleshooting this, not you.
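The comparison the reply keeps recommending (list the certificates on a known-working Windows 2000 machine, then diff them against the broken one, remembering that an older certificate with the same name is a different certificate), written up as an added example that is not from this thread. The input format is a simplified certutil-style dump that I am assuming here, not real tool output, and the names and thumbprints are constructed.

```python
"""Diff two certificate-store listings: a working machine vs. a suspect one.
Dump format below is a simplified, assumed certutil-style layout, not real output."""

import re

CERT_SEP = re.compile(r"^=+ Certificate \d+ =+$", re.M)

def parse_store(text):
    """Return {sha1_thumbprint: subject} for each certificate block in the dump."""
    certs = {}
    for block in CERT_SEP.split(text)[1:]:  # text before the first separator is ignored
        subject = re.search(r"^Subject:\s*(.+)$", block, re.M)
        thumb = re.search(r"^Cert Hash\(sha1\):\s*([0-9a-f ]+)$", block, re.M | re.I)
        if subject and thumb:
            certs[thumb.group(1).replace(" ", "").lower()] = subject.group(1).strip()
    return certs

def compare_stores(reference, suspect):
    """Classify reference certs absent from suspect, matched by exact thumbprint.
    'missing'  : no certificate with that subject at all
    'different': same subject present but another thumbprint (older/newer cert)"""
    present = set(suspect.values())
    report = {"missing": [], "different": []}
    for thumb, subject in sorted(reference.items()):
        if thumb in suspect:
            continue
        report["different" if subject in present else "missing"].append(subject)
    return report

# Constructed sample dumps; subjects and thumbprints are made up for illustration.
WORKING = """\
================ Certificate 0 ================
Subject: CN=Example Root Authority
Cert Hash(sha1): aa bb cc dd ee ff 00 11
================ Certificate 1 ================
Subject: CN=Example Code Signing PCA
Cert Hash(sha1): 11 22 33 44 55 66 77 88
================ Certificate 2 ================
Subject: CN=Example Timestamping Root
Cert Hash(sha1): 99 88 77 66 55 44 33 22
"""
BROKEN = """\
================ Certificate 0 ================
Subject: CN=Example Root Authority
Cert Hash(sha1): aa bb cc dd ee ff 00 11
================ Certificate 1 ================
Subject: CN=Example Code Signing PCA
Cert Hash(sha1): 0f 0f 0f 0f 0f 0f 0f 0f
"""
```

Calling `compare_stores(parse_store(WORKING), parse_store(BROKEN))` reports the timestamping root as missing and the code-signing PCA as present under the same name but with a different thumbprint, which is exactly the case the reply warns about.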
