Re: CIS Security Baseline

From: Matt Scarborough (vexversa@verizon.net)
Date: 08/02/02


From: Matt Scarborough <vexversa@verizon.net>
Date: Fri, 02 Aug 2002 14:33:26 +0000


I believe The Center for Internet Security template

; Template Name: Win2kProGold_R1.2.inf
; Template Version: R1.2
; Date Created: 2002-05-13
; Date Last Modified: 2002-06-13

has created an endless loop from which you cannot escape.

WFP by default protects all Microsoft provided DLL, EXE, OCX, and SYS files from
installation media. However, all DLL, EXE, OCX, and SYS files are not installed to the
hard disk for every machine. And some files may be removed from the machine or the DLL
or Driver Caches during subsequent software, hardware, or hotfix installations. Even
Microsoft has made mistakes with HOTFIX.INF files that fail to place updated files in
the appropriate file caches. This can leave us with an entry for WFP to protect files
that do not exist where WFP believes they should exist.

The preceding condition can exist without significant trouble until we ask System File
Checker to repopulate the %Systemroot%\system32\dllcache. Often the condition is not
discovered until we run for example
SFC /SCANNOW or SFC /SCANBOOT from the command line.

Enter the Center for Internet Security template which sets these Registry entries

HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcscan=4,1
HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcdisable=4,4
HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcshowprogress=4,0

Those cause SFC to run at every boot and disable user interaction, i.e., disable the
pop-ups that tell you what is going on.

Now the real gotcha! The CIS template also sets the following Registry entry
HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\AllocateCDRoms=1,1

That Registry entry allows only the currently logged on user to access the CD-ROM.
SFC's parent process is Winlogon, running as LocalSystem. As such, without additional
code, SFC does not have rights to access the CD-ROM (where your missing files are
located.) And since the user interaction is disabled, you never know why.

What I would do to fix this is
A) Ensure HKLM\Software\Microsoft\Windows\CurrentVersion\Setup
     SourcePath=D:\
     points to the correct path of your installation media.
B) Change the template to
HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcscan=4,1
HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcdisable=4,0
HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcshowprogress=4,1
HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\AllocateCDRoms=1,0
and reload the template.
C) Reboot
D) Contact The Center for Internet Security for support on this issue and guidance
in changing the settings.

Matt Scarborough 2002-08-02

On Wed, 31 Jul 2002 15:15:16 +1000, Leon wrote
<OmM8iEFOCHA.2532@tkmsftngp13>
> Hi,
>
> I have been trialing the recently released Center for Internet Security
> Win2k Gold (Level II) template on a few Win 2k Pro machines, and am quite
> happy with the majority of the default configurations. However there is one
> recurring event log message at every start up in the application log, only
> after the template is installed:
>
> Source: Windows File Protection
>
> Event ID: 64021
>
> Type: Information
>
> The system file c:\winnt\(path)\(xxxxxx).dll could not be copied into the
> DLL cache. The specific error code is 0x000004c7 [The operation was canceled
> by the user.
>
> ]. This file is necessary to maintain system stability.
>
> This error repeats many times at startup on all systems tested. The only
> known cause of this previously was an issue with Service Pack 1, which was
> resolved in Service Pack 2. Microsoft stated at the time that this issue was
> not anything to be concerned with.
>
> Is there any way of fixing it if it is an issue, or stopping the messages if
> it isn't?
>
> Or am I the only one who has come across this???
>
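As an added example (not part of Matt's post, the CIS template, or any Microsoft tool), the following Python script parses registry lines in the `path=type,value` form quoted in the post (4 = REG_DWORD, 1 = REG_SZ) and flags the combination Matt describes: SfcScan=1 together with AllocateCDRoms=1, with the pop-ups suppressed by SfcDisable=4 / SfcShowProgress=0. The sample template text is constructed from the values the post lists, not copied from the real Win2kProGold_R1.2.inf, and `corrected_lines()` emits the replacement values from step B of the post.

```python
import re

# Added example: not from the post, the CIS template or any Microsoft tool.
# Registry key the post's settings live under (path form as quoted in the post).
WINLOGON = r"HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon"

# Constructed sample in the "path=type,value" form the post quotes
# (4 = REG_DWORD, 1 = REG_SZ); the values mirror those the post attributes
# to the template, but the text is not the real Win2kProGold_R1.2.inf.
CIS_SAMPLE = """
; Template Name: constructed sample
HKLM\\Software\\Microsoft\\Windows NT\\Currentversion\\Winlogon\\Sfcscan=4,1
HKLM\\Software\\Microsoft\\Windows NT\\Currentversion\\Winlogon\\Sfcdisable=4,4
HKLM\\Software\\Microsoft\\Windows NT\\Currentversion\\Winlogon\\Sfcshowprogress=4,0
HKLM\\Software\\Microsoft\\Windows NT\\Currentversion\\Winlogon\\AllocateCDRoms=1,1
"""

LINE_RE = re.compile(r"^(?P<path>[^;=][^=]*)=(?P<type>\d+),(?P<value>.*)$")

def parse_template(text):
    """Map lower-cased value name -> (reg_type, value) for Winlogon entries."""
    values = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # comment, blank or section header line
        key, _, name = m.group("path").rpartition("\\")
        if key.lower() == WINLOGON.lower():
            values[name.lower()] = (int(m.group("type")), m.group("value").strip())
    return values

def find_sfc_deadlock(values):
    """List the settings that, together, produce the silent boot-time loop."""
    def val(name):
        return values.get(name, (None, "0"))[1].strip('"')
    problems = []
    if val("sfcscan") == "1" and val("allocatecdroms") == "1":
        problems.append("SfcScan=1 with AllocateCDRoms=1: SFC runs from Winlogon as "
                        "LocalSystem and cannot read the CD-ROM holding the sources")
    if val("sfcdisable") == "4" or val("sfcshowprogress") == "0":
        problems.append("SfcDisable=4 / SfcShowProgress=0: pop-ups suppressed, "
                        "so the copy failures are only visible in the event log")
    return problems

def corrected_lines():
    """The Winlogon lines with the values the post proposes as the fix."""
    fixes = [("SfcScan", 4, "1"), ("SfcDisable", 4, "0"),
             ("SfcShowProgress", 4, "1"), ("AllocateCDRoms", 1, "0")]
    return [f"{WINLOGON}\\{n}={t},{v}" for n, t, v in fixes]
```

Run `find_sfc_deadlock(parse_template(open("template.inf").read()))` against your own exported template to see whether the same combination is present before loading it with secedit.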
