crippled by KB902400

Three of our Windows 2000 / IIS 5 servers were crippled by KB902400, the
patch for MS05-051. The only way that we could get the servers to work
again was to uninstall the patch.

The MS05-051 vulnerability looks quite bad, so I'm not happy with leaving
these servers unpatched. Relevant error messages below:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 10/11/2005
Time: 9:49:06 PM
User: NT AUTHORITY\SYSTEM
Computer: (deleted)
Description:
The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM
within the required timeout.

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 36
Date: 10/11/2005
Time: 9:49:06 PM
User: N/A
Computer: (deleted)
Description:
The server failed to load application '/LM/W3SVC/1/Root'. The error was
'Server execution failed
'.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.


Any ideas on what was broken and/or how to fix it?


Rob Shaw-Fuller

PRB: ASP pages do not process and DCOM event 10010 appears in the system
event log:
http://support.microsoft.com/default...b;en-us;327153


CAUSE

The NT AUTHORITY\Authenticated Users or NT AUTHORITY\INTERACTIVE entries
have been removed from the Users group.


RESOLUTION

Add these users back to the Users group, and then restart Internet
Information Services (IIS):
1. Click *Start*, click *Programs*, click *Administrative Tools*, and
then click *Computer Management* to open the Computer Management console.
2. In the left pane, expand *Local Users and Groups*, and then click
the *Groups* folder.
3. In the right pane, right-click the *Users* group, and then click
*Properties*.
4. Click *Add*.
5. In the *Select Users or Groups* dialog box, locate the *Look in*
drop-down box, and then select the local computer.
6. Select *Authenticated Users*, and then click *Add*. Select
*INTERACTIVE*, and then click *Add*. Click *OK*, click *Apply*, and then
click *Close* to close the properties for the Users group.
7. In the left pane, expand *Services and Applications*, and then click
*Services*.
8. In the right pane, right-click *IIS Admin Service*, and then click
*Restart*.
9. In the *Restart Other Services* confirmation dialog box, click *Yes*.



EventID.Net:
http://www.eventid.net/display.asp?e...e=DCOM&phase=1


Rob Shaw-Fuller wrote:

>Three of our Windows 2000 / IIS 5 servers were crippled by KB902400, the
>patch for MS05-051. The only way that we could get the servers to work
>again was to uninstall the patch.
>
>The MS05-051 vulnerability looks quite bad, so I'm not happy with leaving
>these servers unpatched. Relevant error messages below:
>
>Event Type: Error
>Event Source: DCOM
>Event Category: None
>Event ID: 10010
>Date: 10/11/2005
>Time: 9:49:06 PM
>User: NT AUTHORITY\SYSTEM
>Computer: (deleted)
>Description:
>The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM
>within the required timeout.
>
>Event Type: Warning
>Event Source: W3SVC
>Event Category: None
>Event ID: 36
>Date: 10/11/2005
>Time: 9:49:06 PM
>User: N/A
>Computer: (deleted)
>Description:
>The server failed to load application '/LM/W3SVC/1/Root'. The error was
>'Server execution failed
>'.
>For additional information specific to this message please visit the
>Microsoft Online Support site located at:
>http://www.microsoft.com/contentredirect.asp.
>
>
>Any ideas on what was broken and/or how to fix it?
>
>
>Rob Shaw-Fuller
>
>
>
>
>
>

What are you doing in our li'l corner of the world, Bitz?
--
~PAÞ

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> PRB: ASP pages do not process and DCOM event 10010 appears in the system
> event log:
> http://support.microsoft.com/default...b;en-us;327153
<snip>

Came in while looking at your link. Was also looking around checking
out the dead body count.

PA Bear wrote:

> What are you doing in our li'l corner of the world, Bitz?

We had problems with this patch also. Turns out that a domain policy setting
that was done before has stoped this patch from working correctly The
following is the policy and the MS blurb about it

Bypass traverse checking

Removing the Everyone group from the list of security principals who, by
default, have this user right. The Windows operating systems, and also many
programs, have been designed with the expectation that anyone who can
legitimately access the computer will have the Bypass traverse checking user
right. Therefore, removing the Everyone group from the list of security
principals who, by default, have this user right could lead to operating
system instability or to program failure. It is better that you leave this
setting at its default

We removed all groups from this some time ago and we had to add the Everyone
group back to make the MS05051 patch to work correctly

The default is
Administrators
Everone
backup operators
Power users
Users

Check the local Security policy of your servers to see if this has been
changed and if so replace the everyone group at the vary lest.

This fixed our problems with this patch

--
Mark Murphy - MCSE2000


"Rob Shaw-Fuller" wrote:

> Three of our Windows 2000 / IIS 5 servers were crippled by KB902400, the
> patch for MS05-051. The only way that we could get the servers to work
> again was to uninstall the patch.
>
> The MS05-051 vulnerability looks quite bad, so I'm not happy with leaving
> these servers unpatched. Relevant error messages below:
>
> Event Type: Error
> Event Source: DCOM
> Event Category: None
> Event ID: 10010
> Date: 10/11/2005
> Time: 9:49:06 PM
> User: NT AUTHORITY\SYSTEM
> Computer: (deleted)
> Description:
> The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM
> within the required timeout.
>
> Event Type: Warning
> Event Source: W3SVC
> Event Category: None
> Event ID: 36
> Date: 10/11/2005
> Time: 9:49:06 PM
> User: N/A
> Computer: (deleted)
> Description:
> The server failed to load application '/LM/W3SVC/1/Root'. The error was
> 'Server execution failed
> '.
> For additional information specific to this message please visit the
> Microsoft Online Support site located at:
> http://www.microsoft.com/contentredirect.asp.
>
>
> Any ideas on what was broken and/or how to fix it?
>
>
> Rob Shaw-Fuller
>
>
>
>
>

I ran into this problem as well, my cause is different then Mark's

I was able to resolve this issue by adding
permissions for IWAM_computer and
the ASPNET account (if you have the .NET FW installed) to have read access
to C:\Winnt\Registration - once I made
the change and restarted IIS, the applications worked again.

I removed the default permissons on this folder when the servers were built.
the patch for COM+/MSDTC requires that those accounts have permission to the
folder above.

Filemon clearly showed that it was a permissions issue.

hope this helps,

Seth


"Mark Murphy" wrote:

> We had problems with this patch also. Turns out that a domain policy setting
> that was done before has stoped this patch from working correctly The
> following is the policy and the MS blurb about it
>
> Bypass traverse checking
>
> Removing the Everyone group from the list of security principals who, by
> default, have this user right. The Windows operating systems, and also many
> programs, have been designed with the expectation that anyone who can
> legitimately access the computer will have the Bypass traverse checking user
> right. Therefore, removing the Everyone group from the list of security
> principals who, by default, have this user right could lead to operating
> system instability or to program failure. It is better that you leave this
> setting at its default
>
> We removed all groups from this some time ago and we had to add the Everyone
> group back to make the MS05051 patch to work correctly
>
> The default is
> Administrators
> Everone
> backup operators
> Power users
> Users
>
> Check the local Security policy of your servers to see if this has been
> changed and if so replace the everyone group at the vary lest.
>
> This fixed our problems with this patch
>
> --
> Mark Murphy - MCSE2000
>
>
> "Rob Shaw-Fuller" wrote:
>
> > Three of our Windows 2000 / IIS 5 servers were crippled by KB902400, the
> > patch for MS05-051. The only way that we could get the servers to work
> > again was to uninstall the patch.
> >
> > The MS05-051 vulnerability looks quite bad, so I'm not happy with leaving
> > these servers unpatched. Relevant error messages below:
> >
> > Event Type: Error
> > Event Source: DCOM
> > Event Category: None
> > Event ID: 10010
> > Date: 10/11/2005
> > Time: 9:49:06 PM
> > User: NT AUTHORITY\SYSTEM
> > Computer: (deleted)
> > Description:
> > The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM
> > within the required timeout.
> >
> > Event Type: Warning
> > Event Source: W3SVC
> > Event Category: None
> > Event ID: 36
> > Date: 10/11/2005
> > Time: 9:49:06 PM
> > User: N/A
> > Computer: (deleted)
> > Description:
> > The server failed to load application '/LM/W3SVC/1/Root'. The error was
> > 'Server execution failed
> > '.
> > For additional information specific to this message please visit the
> > Microsoft Online Support site located at:
> > http://www.microsoft.com/contentredirect.asp.
> >
> >
> > Any ideas on what was broken and/or how to fix it?
> >
> >
> > Rob Shaw-Fuller
> >
> >
> >
> >
> >

They're droppin' like flies but not nearly as bad as late Tuesday &
yesterday. (Loved this:
http://blogs.technet.com/mscom/archi...09/410523.aspx, especially
"20+ Billion Downloads in 2005.Routinely 150M+/Day".)

My guy also contacted PSS separately, courtesy of the link you so *very*
kindly provided me. Thanks again.
--
~PA Bear

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> Came in while looking at your link. Was also looking around checking
> out the dead body count.
>
> PA Bear wrote:
>
>> What are you doing in our li'l corner of the world, Bitz?

I stumbled upon this exact problem too. Adding the permissions to the
Registration folder as "me" said corrected the problems.

Thanks!
N


me wrote:
> I ran into this problem as well, my cause is different then Mark's
>
> I was able to resolve this issue by adding
> permissions for IWAM_computer and
> the ASPNET account (if you have the .NET FW installed) to have read access
> to C:\Winnt\Registration - once I made
> the change and restarted IIS, the applications worked again.
>
> I removed the default permissons on this folder when the servers were built.
> the patch for COM+/MSDTC requires that those accounts have permission to the
> folder above.
>
> Filemon clearly showed that it was a permissions issue.
>
> hope this helps,
>
> Seth
>
>
> "Mark Murphy" wrote:
>
> > We had problems with this patch also. Turns out that a domain policy setting
> > that was done before has stoped this patch from working correctly The
> > following is the policy and the MS blurb about it
> >
> > Bypass traverse checking
> >
> > Removing the Everyone group from the list of security principals who, by
> > default, have this user right. The Windows operating systems, and also many
> > programs, have been designed with the expectation that anyone who can
> > legitimately access the computer will have the Bypass traverse checking user
> > right. Therefore, removing the Everyone group from the list of security
> > principals who, by default, have this user right could lead to operating
> > system instability or to program failure. It is better that you leave this
> > setting at its default
> >
> > We removed all groups from this some time ago and we had to add the Everyone
> > group back to make the MS05051 patch to work correctly
> >
> > The default is
> > Administrators
> > Everone
> > backup operators
> > Power users
> > Users
> >
> > Check the local Security policy of your servers to see if this has been
> > changed and if so replace the everyone group at the vary lest.
> >
> > This fixed our problems with this patch
> >
> > --
> > Mark Murphy - MCSE2000
> >
> >
> > "Rob Shaw-Fuller" wrote:
> >
> > > Three of our Windows 2000 / IIS 5 servers were crippled by KB902400, the
> > > patch for MS05-051. The only way that we could get the servers to work
> > > again was to uninstall the patch.
> > >
> > > The MS05-051 vulnerability looks quite bad, so I'm not happy with leaving
> > > these servers unpatched. Relevant error messages below:
> > >
> > > Event Type: Error
> > > Event Source: DCOM
> > > Event Category: None
> > > Event ID: 10010
> > > Date: 10/11/2005
> > > Time: 9:49:06 PM
> > > User: NT AUTHORITY\SYSTEM
> > > Computer: (deleted)
> > > Description:
> > > The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM
> > > within the required timeout.
> > >
> > > Event Type: Warning
> > > Event Source: W3SVC
> > > Event Category: None
> > > Event ID: 36
> > > Date: 10/11/2005
> > > Time: 9:49:06 PM
> > > User: N/A
> > > Computer: (deleted)
> > > Description:
> > > The server failed to load application '/LM/W3SVC/1/Root'. The error was
> > > 'Server execution failed
> > > '.
> > > For additional information specific to this message please visit the
> > > Microsoft Online Support site located at:
> > > http://www.microsoft.com/contentredirect.asp.
> > >
> > >
> > > Any ideas on what was broken and/or how to fix it?
> > >
> > >
> > > Rob Shaw-Fuller
> > >
> > >
> > >
> > >
> > >

Thanks, Seth! This was the fix!

FYI, Microsoft is now "officially" recognizing this problem in the KB:
http://support.microsoft.com/kb/909444


Rob Shaw-Fuller


"me" <> wrote...
>I ran into this problem as well, my cause is different then Mark's
>
> I was able to resolve this issue by adding
> permissions for IWAM_computer and
> the ASPNET account (if you have the .NET FW installed) to have read
> access
> to C:\Winnt\Registration - once I made
> the change and restarted IIS, the applications worked again.
>
> I removed the default permissons on this folder when the servers were
> built.
> the patch for COM+/MSDTC requires that those accounts have permission to
> the
> folder above.
>
> Filemon clearly showed that it was a permissions issue.
>
> hope this helps,
>
> Seth
>
>
> "Mark Murphy" wrote:
>
>> We had problems with this patch also. Turns out that a domain policy
>> setting
>> that was done before has stoped this patch from working correctly The
>> following is the policy and the MS blurb about it
>>
>> Bypass traverse checking
>>
>> Removing the Everyone group from the list of security principals who, by
>> default, have this user right. The Windows operating systems, and also
>> many
>> programs, have been designed with the expectation that anyone who can
>> legitimately access the computer will have the Bypass traverse checking
>> user
>> right. Therefore, removing the Everyone group from the list of security
>> principals who, by default, have this user right could lead to operating
>> system instability or to program failure. It is better that you leave
>> this
>> setting at its default
>>
>> We removed all groups from this some time ago and we had to add the
>> Everyone
>> group back to make the MS05051 patch to work correctly
>>
>> The default is
>> Administrators
>> Everone
>> backup operators
>> Power users
>> Users
>>
>> Check the local Security policy of your servers to see if this has been
>> changed and if so replace the everyone group at the vary lest.
>>
>> This fixed our problems with this patch
>>
>> --
>> Mark Murphy - MCSE2000
>>
>>
>> "Rob Shaw-Fuller" wrote:
>>
>> > Three of our Windows 2000 / IIS 5 servers were crippled by KB902400,
>> > the
>> > patch for MS05-051. The only way that we could get the servers to work
>> > again was to uninstall the patch.
>> >
>> > The MS05-051 vulnerability looks quite bad, so I'm not happy with
>> > leaving
>> > these servers unpatched. Relevant error messages below:
>> >
>> > Event Type: Error
>> > Event Source: DCOM
>> > Event Category: None
>> > Event ID: 10010
>> > Date: 10/11/2005
>> > Time: 9:49:06 PM
>> > User: NT AUTHORITY\SYSTEM
>> > Computer: (deleted)
>> > Description:
>> > The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with
>> > DCOM
>> > within the required timeout.
>> >
>> > Event Type: Warning
>> > Event Source: W3SVC
>> > Event Category: None
>> > Event ID: 36
>> > Date: 10/11/2005
>> > Time: 9:49:06 PM
>> > User: N/A
>> > Computer: (deleted)
>> > Description:
>> > The server failed to load application '/LM/W3SVC/1/Root'. The error
>> > was
>> > 'Server execution failed
>> > '.
>> > For additional information specific to this message please visit the
>> > Microsoft Online Support site located at:
>> > http://www.microsoft.com/contentredirect.asp.
>> >
>> >
>> > Any ideas on what was broken and/or how to fix it?
>> >
>> >
>> > Rob Shaw-Fuller
>> >
>> >
>> >
>> >
>> >