Re: Problems configuring security for services
From: Karl Levinson [x y] MVP (levinson_k@excite.com)
Date: 10/22/02
- Next message: Karl Levinson [x y] MVP: "Re: encrypted files"
- Previous message: Karl Levinson [x y] MVP: "Re: Howto remove policy after exiting Domain"
- In reply to: Chris Weldon: "Problems configuring security for services"
- Next in thread: Chris Weldon: "Re: Problems configuring security for services"
- Reply: Chris Weldon: "Re: Problems configuring security for services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] MVP" <levinson_k@excite.com> Date: Tue, 22 Oct 2002 17:34:01 -0400
"Chris Weldon" <chrisweldon@yahoo.com> wrote in message
news:aab701c27a06$17f4d930$3aef2ecf@TKMSFTNGXA09...
> I've been working with Security Configuration and Analysis
> and Security Templates on a Windows 2000 Advanced Server
> computer and I set the security on all of the servics
> using a template and now I'm getting an error in the
> analysis log after it tries to analize the General Service
> Settings, "General Service analysis completed with error",
> then at the end of the log it says, "----Un-intialize
> analysis engine... Warning 5: Access is denied. Error
> occurs."
>
> What's the easiest way to troubleshoot this and figure out
> which service is causing the problem? Basically, I
> removed the permissions on the all the services for
> Authenticated Users, Users, Power Users, and Everyone. I
> pretty much just left BUILTIN\Administrators and SYSTEM
> permissions in place.
Fixing problems that were caused by group policy templates is rarely easy or
quick.
You could try enabling auditing on all files and registry settings to try to
see in the Security Event Log what exactly is being denied access. If you
give up, there is also a way to undo the security settings to try to reset
the group policy back to the state of a fresh new install of Windows. More
info below:
Note that to enable logging of access to files or registry settings, you
must both enable logging in the overall computer policy AND also add
auditing settings on individual folders or registry keys in the NTFS
security properties in Windows Explorer or the REGEDT32 registry editor.
[Using REGEDIT will not work.] To log file access, the files must be on an
NTFS-formatted partition.
Note also that to enable logging of security events on a Windows domain, you
must change the auditing policy on all domain controllers. Changing the
auditing policy on the computers in the domain enables logging of failed
logins to the computers using local accounts and would not necessarily log
attempts to log into the domain.
Consider changing the Windows event log settings to be appropriate for your
environment. Consider increasing the maximum log size to retain more
information. Be careful not to log too much, or you might find that your
logs contain only a few minutes or hours worth of data. Finally, check the
logs to be sure logs are really being captured.
For more information on enabling and configuring auditing, see the articles
below:
http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
[look for the NSA Security Recommendation Guides for Windows 2000 and also
Group Policy]
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/
13w2kadc.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310399 - XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248260 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640 - 2000, file
access settings
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300958 - 2000,
monitoring for unauthorized user access
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q157238 - NT
http://www.labmice.net/troubleshooting/EventLog.htm
[Thanks to Thomas Deml and others]
How to apply the default Group Policy templates:
[Note that you may have to reinstall some software and/or may have
additional problems after running the procedures below]
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313205 [recommended
first]
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q266118 [recommended
second]
- Next message: Karl Levinson [x y] MVP: "Re: encrypted files"
- Previous message: Karl Levinson [x y] MVP: "Re: Howto remove policy after exiting Domain"
- In reply to: Chris Weldon: "Problems configuring security for services"
- Next in thread: Chris Weldon: "Re: Problems configuring security for services"
- Reply: Chris Weldon: "Re: Problems configuring security for services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
