Re: How to fix broken security in Windows 2000?
From: Shannon Jacobs (shanen_at_my-deja.com)
Date: 02/10/05
- Next message: Alun Jones [MSFT]: "Re: MS Not Trust is't PSS/Gold Partners with Early Security/Vuln."
- Previous message: Steve Clark [MSFT]: "Re: ms05-011 - requires broadcast packets?"
- In reply to: Karl Levinson, mvp: "Re: How to fix broken security in Windows 2000?"
- Next in thread: Karl Levinson [x y] mvp: "Re: How to fix broken security in Windows 2000?"
- Reply: Karl Levinson [x y] mvp: "Re: How to fix broken security in Windows 2000?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 10 Feb 2005 10:10:04 +0900
Why thank you (Karl Levinson, mvp). I think this is your first helpful
contribution and it suggests the next path to pursue. You actually reminded
me of something I had forgotten during the original struggles to re-enable
SFC, during which time it was of course not logging anything. I'll continue
working on the problem as time allows.
However, I'd also like to know the real story of what or who reminded you.
Karl Levinson, mvp wrote:
> "Shannon Jacobs" <shanen@my-deja.com> wrote in message
> news:u0cZuulDFHA.3824@TK2MSFTNGP10.phx.gbl...
>
>> File Checker is supposed to perform this check in an automated
>> fashion, and it does for Windows XP (at least on every XP machine
>> I've tested recently). Unfortunately it fails on every tested
>> Windows 2000 machine, but it does not provide any detailed
>> information about the failures.
>
> I agree with you. W2K SFC could be more informative.
>
> Maybe you knew this already, but SFC logs information on the file
> names it is complaining about in the Windows System Event Log. It
> does not necessarily tell you the reason.
>
> I believe SFC on any W2K system will find lots of "missing" and
> "invalid" files. The fact that it "finds" these things does not mean
> your computer is having a problem that needs to be fixed. This SFC
> issue is not necessarily related to any other problem your computers
> may be experiencing. Also, WFP and SFC are still helpful in checking
> your files, it just checks lots of other files as well.
>
> I believe much of this is not because of missing certificates, but
> because the catalog SFC uses might contain lots of extra files by
> design that are not needed in your installation, or is incorrect, out
> of date or needs refreshing. For example, on my system, it found
> lots of missing files such as c:\winnt\system32\agt0804.dll that my
> system does not seem to need to function properly. The problem can
> also occur if your system administrators have intentionally deleted
> or put restrictive file ACL permissions on "unsafe" files like
> TFTP.EXE from your \system32\dllcache\ folder to prevent WFP from
> replacing the files and a hacker from using them, or if methods other
> than the approved ones below have been used to distribute updated
> Windows files:
>
> http://www.microsoft.com/whdc/winlogo/drvsign/wfp.mspx
>
> How SFC / WFP checks files is described somewhat here:
>
> http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=38776
>
> and here:
>
> http://answers.google.com/answers/threadview?id=8227
>
> "The following files are consulted:
>
> Winnt\System32\CatRoot\SYSMAST.*
> Winnt\System32\CatRoot\{F750...295EE}\CATMAST.*
> Winnt\System32\CatRoot\{F750...295EE}\HASHMAST.*
> Winnt\System32\CatRoot\{F750...295EE}\NT5.CAT "
>
> I believe .CAT files like NT5.CAT contain lists of file hashes, but
> no file names. NT5.CAT also mentions "VeriSign Time Stamping Service
> Root" which may relate to the "VeriSign Time Stamping CA" cert
> Windows requires. New patches install new *.CAT files containing new
> valid file hashes into the CatRoot folder, but the article below
> suggests these are not used by a manual SFC check:
>
> http://www.winnetmag.com/Article/ArticleID/27471/27471.html
>
> If you are asking how do you fix this issue with SFC finding lots of
> "missing" files, I think the answer is you don't. It's an annoyance
> by design, but by itself isn't proof that your system is broken or
> needs fixing. If you're having other problems besides SFC, remind us
> of the details and we can look at those.
>
> Other SFC information and known issues are listed here:
>
> http://labmice.techtarget.com/windows2000/FileMgmt/WFP.htm
>
>> The technical question:
>>
>> How to identify missing security certificates in Windows 2000?
>
> The certificates that could affect SFC are the six certs mentioned in
> the MS article you mentioned in your first post, plus the three certs
> mentioned in the article I posted.
>
> You seem to think that because that article did not solve your
> problem, that there must therefore be other missing certificates that
> Microsoft is not telling you about. I believe this is not the case.
> So, if you have already confirmed you have no relevant missing
> certificates, then you don't need to check for missing certificates,
> or ask here how to do so. If you are sure all the certs in that
> article are in place and have the right dates, then I don't think
> your problem is identifying missing certs.