You may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC

Symptoms

On a computer that is running Microsoft Windows XP, Microsoft Windows 2000, or Windows Server 2003, one or more problems may occur after you install the critical update that is discussed in Microsoft Security Bulletin MS05-051. These problems include the following:
  • The Windows Installer service may not start.
  • The Windows Firewall Service may not start.
  • The Network Connections folder is empty.
  • The Windows Update Web site may incorrectly recommend that you change the Userdata persistence setting in Microsoft Internet Explorer.
  • Active Server Pages (ASP) pages that are running on Microsoft Internet Information Services (IIS) return an “HTTP 500 – Internal Server Error” error message.
  • The Microsoft COM+ EventSystem service will not start.
  • COM+ applications will not start.
  • The computers node in the Microsoft Component Services Microsoft Management Console (MMC) tree will not expand.
  • Authenticated users cannot log on, and a blank screen appears after the users apply the October Security Updates.
  • In a server cluster configuration, the cluster service may not start. The following event is logged in the cluster log file:
  • An event that is similar to the following may be logged in the System log:
  • An access denied error may occur when you try to connect to Windows Management Instrumentation (WMI) by using script, the WBEMTest.exe utility, or other utilities. The %windir%\system32\wbem\logs\wbemprox.log file contains errors that are similar to the following error at the time of the failure:
    ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x80070005
  • You may receive the following COM+ 1.0 catalog error message when you create an empty COM+ application:
    XACT_E_RECOVERYINPROGRESS (0x8004d082)

Cause

This problem can occur if any COM applications or COM+ applications cannot access the COM+ catalog files. The application cannot access the COM+ catalog files because the default permissions on the COM+ catalog directory and files have been changed from the default settings. Before Microsoft Security Bulletin MS05-051, explicit permissions to the COM+ catalog were not required. The COM+ catalog files are .clb files and are located in the %windir%\registration folder. By default, the COM+ catalog directory and files have the following permissions:
| | Administrators | System | Everyone | Authenticated users | Server operators |
|---|---|---|---|---|---|
| Windows 2000 Non-Domain Controller | Full Control | Full Control | Read | | |
| Windows 2000 Domain Controller | Full Control | Full Control | | Modify | Read & Execute |
| Windows Server 2003 Non-Domain Controller | Full Control | Full Control | Read | | |
| Windows Server 2003 Domain Controller | Full Control | Full Control | Read & Execute | | |

Resolution

Based on security changes implemented in MS05-051, Read-level NTFS file system permission on the %windir%\registration folder is required. The default permissions include Read access for the Everyone group. If this configuration is changed, applications and services may exhibit unexpected behavior. Organizations that have chosen to implement more restrictive NTFS permissions should consider granting Read-level permissions through group membership to the users, applications, and services that require access to COM functionality. We recommend that the default settings for the folder be used to avoid potential application compatibility problems. Extensive application compatibility testing is recommended for administrators who want to implement settings other than the defaults.
For more information about the issues that may be experienced by modifying permissions on system folders, click the following article number to view the article in the Microsoft Knowledge Base:
885409 Security configuration guidance support

Besides the NTFS permissions, the Bypass traverse checking user right is required. By default, this user right is granted to the Everyone group. As with the NTFS permissions, users, applications, and services should be granted this right through group membership.
For more information about the Bypass traverse checking user right, click the following article number to view the article in the Microsoft Knowledge Base:
823659 Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments

To resolve this problem, restore the default permissions to the COM+ catalog.

For a computer that is running Windows 2000 or Windows Server 2003 and is not running as a domain controller, follow these steps:
  1. In the %windir%\registration folder, make sure that the Everyone group has Read permissions.
  2. In the %windir%\registration folder, make sure that the SYSTEM account has Full Control permissions.
  3. In the %windir%\registration folder, make sure that the Administrators group has Full Control permissions.
  4. In the advanced security properties of the .clb files in the %windir%\registration folder, make sure that the "Allow inheritable auditing entries from the parent to propagate to this object and all objects. Include these with entries explicitly defined here" option is selected.
  5. Make sure that the Everyone group has one of the following permissions:
    • Traverse permissions (“List Folder Contents”) on all parent directories, including %systemdrive%, %windir%, and %windir%\registration
    • The Bypass traverse checking user right
    To assign the Bypass traverse checking user right to the Everyone group, follow these steps:
    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand User Rights Assignment.
    3. Right-click Bypass traverse checking, and then click Properties.
    4. Click Add User or Group.
    5. Type Everyone, and then click OK.
    Note If you receive a message that an object named "Users" cannot be found, click Object Types, click to select the Groups check box, and then click OK two times.
For a domain controller that is running Windows 2000, follow these steps:
  1. In the %windir%\registration folder, make sure that the Authenticated Users group has Read & Execute permissions.
  2. In the %windir%\registration folder, make sure that the Server Operators group has Modify permissions.
  3. In the %windir%\registration folder, make sure that the SYSTEM account has Full Control permissions.
  4. In the %windir%\registration folder, make sure that the Administrators group has Full Control permissions.
  5. In the advanced security properties of the .clb files in the %windir%\registration folder, make sure that the "Allow inheritable permissions from parent to propagate to this object" option is selected.
For a domain controller that is running Windows Server 2003, follow these steps:
  1. In the %windir%\registration folder, make sure that the Everyone group has Read & Execute permissions.
  2. In the %windir%\registration folder, make sure that the SYSTEM account has Full Control permissions.
  3. In the %windir%\registration folder, make sure that the Administrators group has Full Control permissions.
  4. In the advanced security properties of the .clb files in the %windir%\registration folder, make sure that the "Allow inheritable auditing entries from the parent to propagate to this object and all objects. Include these with entries explicitly defined here" option is selected.
  5. Make sure that the Everyone group has one of the following permissions:
    • Traverse permissions (“List Folder Contents”) on all parent directories, including %systemdrive%, %windir%, and %windir%\registration
    • The Bypass traverse checking user right
    To assign the Bypass traverse checking user right to the Everyone group, follow these steps:
    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand User Rights Assignment.
    3. Right-click Bypass traverse checking, and then click Properties.
    4. Click Add User or Group.
    5. Type Everyone, and then click OK.
    Note If you receive a message that an object named "Users" cannot be found, click Object Types, click to select the Groups check box, and then click OK two times.
Note The system may later create additional .clb files in the %windir%\registration folder. To make sure that the new .clb files have the appropriate permissions, grant the Read permissions to the whole directory instead of just granting it directly to the .clb files that currently exist. You can use the Cacls.exe file to automate these permission changes on the affected computer or to easily roll out the changes to multiple computers.

For a computer that is running Windows 2000 or Windows Server 2003 and is not running as a domain controller, use the following commands:
echo y| cacls %windir%\registration /G everyone:R system:F administrators:F
echo y| cacls %windir%\registration\*.clb /G everyone:R system:F administrators:F
For a domain controller that is running Windows 2000, use the following commands:
echo y| cacls %windir%\registration /G "Authenticated Users":R "Server Operators":R system:F administrators:F
For a domain controller that is running Windows Server 2003, use the following commands:
echo y| cacls %windir%\registration /G everyone:R system:F administrators:F
echo y| cacls %windir%\registration\*.clb /G everyone:R system:F administrators:F
Note Make sure that there is no space between the y character and the pipe (|) character. If there is a space between these characters, the commands will not correctly execute.
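To verify the result before or after running the Cacls.exe commands, the following read-only audit script is an added example and is not part of the Knowledge Base article. It assumes Windows PowerShell 2.0 or later on Windows XP or Windows Server 2003, an elevated prompt, and the non-domain-controller defaults (on a domain controller, adjust the identities and rights to the article's table).

```powershell
# Added audit script, not from the KB article. Assumes Windows PowerShell 2.0+ on
# Windows XP / Server 2003 and an elevated prompt; read-only. Expected rights are the
# non-domain-controller defaults; on a domain controller use the article's table instead.
$regDir = Join-Path $env:windir 'Registration'
# Principal -> minimum right required on the folder and on every .clb file.
$expected = @{
    'Everyone'               = [System.Security.AccessControl.FileSystemRights]::Read
    'NT AUTHORITY\SYSTEM'    = [System.Security.AccessControl.FileSystemRights]::FullControl
    'BUILTIN\Administrators' = [System.Security.AccessControl.FileSystemRights]::FullControl
}

function Test-GrantedRight {
    # True if some Allow ACE for $Identity on $Path contains every bit of $Right.
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Right)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if (($ace.FileSystemRights -band $Right) -eq $Right) { return $true }
    }
    return $false
}
$problems = @()
# Steps 1-3: the folder itself.
foreach ($id in $expected.Keys) {
    if (-not (Test-GrantedRight $regDir $id $expected[$id])) {
        $problems += "$regDir : $id lacks $($expected[$id])"
    }
}
# Step 4: each .clb file must inherit from the folder and still carry the rights.
foreach ($clb in Get-ChildItem -Path $regDir -Filter '*.clb') {
    if ((Get-Acl -Path $clb.FullName).AreAccessRulesProtected) {
        $problems += "$($clb.FullName) : inheritance from the parent folder is blocked"
    }
    foreach ($id in $expected.Keys) {
        if (-not (Test-GrantedRight $clb.FullName $id $expected[$id])) {
            $problems += "$($clb.FullName) : $id lacks $($expected[$id])"
        }
    }
}
# Step 5: Everyone must be able to traverse every parent directory. A missing ACE is
# acceptable only if Everyone holds the Bypass traverse checking user right, which this
# script does not inspect (check it in gpedit.msc as the article describes).
$traverse = [System.Security.AccessControl.FileSystemRights]::Traverse
foreach ($dir in @("$env:SystemDrive\", $env:windir, $regDir)) {
    if (-not (Test-GrantedRight $dir 'Everyone' $traverse)) {
        $problems += "$dir : Everyone has no Traverse (List Folder Contents) ACE"
    }
}
if ($problems.Count -eq 0) { 'COM+ catalog permissions match the MS05-051 defaults.' } else { $problems }
```

An empty report means the folder, the existing .clb files, and the parent directories match the defaults described above; each reported line names the object and the missing right so it can be fixed with the corresponding Cacls.exe command.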

More Information

When this problem occurs, you may receive one or more of the following events in the event log:
  • The following EventSystem event may be logged in the event log if the Network Service account does not have the correct permissions:
  • The following COM+ event may be logged in the event log if the Network Service account does not have the correct permissions:
  • The following COM+ event may be logged in the event log if the Network Service account does not have the correct permissions:
  • When you try to browse an ASP page that is running on an IIS service and the Show friendly HTTP error messages option is not selected in Internet Explorer, you may receive the following error message:
    Server Application Error.
    The server has encountered an error while loading an application during the processing of your request. Please refer to the event log for more detail information. Please contact the server administrator for assistance.
    HTTP 500 - Internal server error (Internet Explorer)
    An event similar to the following may also be logged in the event log:
  • When you try to manually start COM+ applications in Component Services, you may receive the following error message:
    Catalog Error: An error occurred while processing the last operation. Error code 80080005 - Server execution failed. The event log may contain additional troubleshooting information.
    An event similar to the following may also be logged in the event log:
  • When you try to install an application or when you try to manually start the Windows Installer Service, you may receive the following error message:
    The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
  • The Windows Firewall Service may not start with the following error code:
    Error Result : 0x80070005 ( -2147024891 ) ID Defined as : E_ACCESSDENIED Message Text : Access is denied.

Steps to reproduce this problem

Remove the SYSTEM account and the Everyone account from the file permissions for the *.clb files. To do this, follow these steps:
  1. Click Start, click Run, type Explorer.exe c:\winnt\registration, and then click OK.
  2. In Windows Explorer, right-click the Registration folder, click Properties, and then click the Security tab.
  3. In the Registration Properties dialog box, click System under Group and User Name, and then click Advanced.
  4. In the Advanced Security Settings for Registration dialog box, click Remove, and then click OK.
  5. Repeat step 3 and step 4 to stop the Everyone account from accessing the .clb files.
Article ID: 909444 - Last Review: 28 Sep 2011 - Revision: 1