Re: CIS Security Baseline
From: Leon (l.pholi@secureinteractive.com)
Date: 08/05/02
From: "Leon" <l.pholi@secureinteractive.com> Date: Mon, 5 Aug 2002 13:05:45 +1000
Just an additional note to this,
While this did stop the errors, I found SFC very processor intensive for a
significant time at startup, and it would also prompt for the CD at EACH
startup, even when nothing had changed, so I turned off SFC totally by
setting Sfcscan to 4,0. Much better!!
Leon
"Matt Scarborough" <vexversa@verizon.net> wrote in message
news:ht1lku05plvumpi2d1vab58g10al1qfufs@msnews.microsoft.com...
> I believe The Center for Internet Security template
>
> ; Template Name: Win2kProGold_R1.2.inf
> ; Template Version: R1.2
> ; Date Created: 2002-05-13
> ; Date Last Modified: 2002-06-13
>
> has created an endless loop from which you cannot escape.
>
> WFP by default protects all Microsoft provided DLL, EXE, OCX, and SYS files from
> installation media. However, all DLL, EXE, OCX, and SYS files are not installed to the
> hard disk for every machine. And some files may be removed from the machine or the DLL
> or Driver Caches during subsequent software, hardware, or hotfix installations. Even
> Microsoft has made mistakes with HOTFIX.INF files that fail to place updated files in
> the appropriate file caches. This can leave us with an entry for WFP to protect files
> that do not exist where WFP believes they should exist.
>
> The preceding condition can exist without significant trouble until we ask System File
> Checker to repopulate the %Systemroot%\system32\dllcache. Often the condition is not
> discovered until we run for example
> SFC /SCANNOW or SFC /SCANBOOT from the command line.
>
> Enter the Center for Internet Security template which sets these Registry entries
>
> HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcscan=4,1
> HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcdisable=4,4
> HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcshowprogress=4,0
>
> Those cause SFC to run at every boot and disable user interaction, i.e., disable the
> pop-ups that tell you what is going on.
>
> Now the real gotcha! The CIS template also sets the following Registry entry
> HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\AllocateCDRoms=1,1
>
> That Registry entry allows only the currently logged on user to access the CD-ROM.
> SFC's parent process is Winlogon, running as LocalSystem. As such, without additional
> code, SFC does not have rights to access the CD-ROM (where your missing files are
> located.) And since the user interaction is disabled, you never know why.
>
> What I would do to fix this is
> A) Ensure HKLM\Software\Microsoft\Windows\CurrentVersion\Setup
> SourcePath=D:\
> points to the correct path of your installation media.
> B) Change the template to
> HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcscan=4,1
> HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcdisable=4,0
> HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcshowprogress=4,1
> HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\AllocateCDRoms=1,0
> and reload the template.
> C) Reboot
> D) Contact The Center for Internet Security for support on this issue and guidance
> in changing the settings.
>
> Matt Scarborough 2002-08-02
>
> On Wed, 31 Jul 2002 15:15:16 +1000, Leon wrote
> <OmM8iEFOCHA.2532@tkmsftngp13>
> > Hi,
> >
> > I have been trialing the recently released Center for Internet Security
> > Win2k Gold (Level II) template on a few Win 2k Pro machines, and am quite
> > happy with the majority of the default configurations. However there is one
> > re-occurring event log message at every start up in the application log, only
> > after the template is installed:
> >
> > Source: Windows File Protection
> >
> > Event ID: 64021
> >
> > Type: Information
> >
> > The system file c:\winnt\(path)\(xxxxxx).dll could not be copied into the
> > DLL cache. The specific error code is 0x000004c7 [The operation was canceled
> > by the user.
> >
> > ]. This file is necessary to maintain system stability.
> >
> > This error repeats many times at startup on all systems tested. The only
> > known cause of this previously was an issue with Service Pack 1, which was
> > resolved in Service Pack 2. Microsoft stated at the time that this issue was
> > not anything to be concerned with.
> >
> > Is there any way of fixing it if it is an issue, or stopping the messages if
> > it isn't?
> >
> > Or am I the only one who has come across this???
> >
>
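
The interaction described in the quoted message, as an added example that is not part of either poster's message or of the CIS template: a small Python check that reads template entries in the thread's own `key\name=type,value` notation and flags a boot-time SFC scan combined with CD-ROM allocation or suppressed user interaction. The function names are hypothetical, and the value meanings are assumed to be as the quoted message describes them.

```python
import re

WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"

# Constructed sample: the four Winlogon entries quoted in the thread.
CIS_TEMPLATE = r"""
; entries as quoted from Win2kProGold_R1.2.inf
HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcscan=4,1
HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcdisable=4,4
HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\Sfcshowprogress=4,0
HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon\AllocateCDRoms=1,1
"""

def parse_winlogon(text):
    """Return {lowercased value name: value string} for Winlogon entries."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or template comment
        m = re.match(r'^(.*)\\([^\\=]+)=(\d+),"?([^"]*)"?$', line)
        if m and m.group(1).lower() == WINLOGON:
            values[m.group(2).lower()] = m.group(4).strip()
    return values

def find_conflicts(text):
    """Flag the combinations the thread identifies as causing the silent loop."""
    v = parse_winlogon(text)
    findings = []
    if v.get("sfcscan") != "1":
        return findings  # no scan at every boot, so no boot-time conflict
    if v.get("allocatecdroms") == "1":
        findings.append(
            "Sfcscan=1 with AllocateCDRoms=1: SFC runs under Winlogon as "
            "LocalSystem at boot and cannot read the CD-ROM")
    if v.get("sfcdisable") == "4" or v.get("sfcshowprogress") == "0":
        findings.append(
            "Sfcscan=1 with Sfcdisable=4 or Sfcshowprogress=0: user "
            "interaction is disabled, so copy failures are silent")
    return findings

if __name__ == "__main__":
    for finding in find_conflicts(CIS_TEMPLATE):
        print("WARN:", finding)
```
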