Re: MS03-031 Problems

From: Mateo (m_leija_at_hotmail.com)
Date: 09/17/03


Date: Wed, 17 Sep 2003 10:36:35 -0600


Tim,

We had the same problem with client connections after applying MS03-031 to
our SQL Servers running on WinNT. We applied the following patch to resolve
the issue. Hope this works for you as well.

http://support.microsoft.com/default.aspx?scid=kb;en-us;823492

~Mateo

"Tim" <timrichardson@nospam.com> wrote in message
news:036801c378a1$173a9990$a401280a@phx.gbl...
> I manage several SQL Servers (2000 Enterprise Edition
> SP3a) on Windows Server 2000 SP4. Each server has a
> default instance and two or more named instances
> installed as well. These servers run in a Windows NT4
> domain. Our clients log into this domain as well as a
> Novel NDS domain. Our client workstations are either NT4
> workstations managed by Novel Zenworks or unmanaged
> Windows XP machines.
>
> Our systems were recently audited and we were compelled
> to apply all of the most recent patches. Unfortunately,
> the cumulative patch correcting the Named Pipes
> vulnerability (MS03-031) seems to have made connecting to
> our SQL Servers rather difficult (and in one case
> impossible). Client machines, running various
> applications, began returning "SQL Server does not exist
> or access denied errors" (similar to the ones described
> in the Knowledge Base article KB823492).
>
> Our SQL Service accounts are configured as domain users
> (with permission sets like those described in KB283811).
> I have found that if I configure the service accounts to
> be members of the local adiministrator group, I can
> connenct without difficulty. When I remove them from the
> admin group, I get the error described above. This
> problem does not mainfest itself on the one SQL Server
> (SP3a) that I have that is not patched with MS03-031.
>
> My question is what permissions do I need to add to my
> domain user accounts to allow them to
> create/maintian/utilize a named pipe connections with
> this patch in this environment?
>
> It is not an attractive option for me to run these
> accounts as local administrators.
>
> Thanks,
>
> Tim