You are currently in the Techblog - Tim Wanierke blog archives for the following day: 23.9.2009.
Archive for 23.9.2009
MCSA / MCSE Update Path to MCITP
23.9.2009 by Thomas_Punzo.
File: windows_server_certification_path.pdf
If you want to upgrade your certification, here is the path!
Posted in Operating systems | No comments »
Service stopped/started: Event ID 540 Logon/Logoff by %username%
23.9.2009 by Thomas_Punzo.
Every time a service is stopped or started while the Winmgmt service is running,
a series of events is written to the Security event log indicating that an
explicit logon was performed under an administrator's credentials. This is not the
admin logged on to the console who stops/starts the service, and it is not the
service account of the service being stopped/started. The Event ID 540 appears in
the Security log as follows:
[..]
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2005.12.08.
Time: 9:23:16
User: Domain\adminaccount
Computer: Computername
Description:
Successful Network Logon:
User Name: Adminaccount
Domain: MOL
Logon ID: (0x0,0xB39171E0)
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: MOLBUDAEXCH03
Logon GUID: -
Caller User Name: MOLBUDAEXCH03$
Caller Domain: MOL
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1176
Transited Services: -
Source Network Address: -
Source Port: -
[..]
Solution:
During Server 2003 SP1 setup/upgrade, WMI places the SID of the user performing the
upgrade into the CreatorSID property of a permanent event consumer (the SCM/NT Event
Log consumer).
WMI has to validate the rights of this account each time the consumer fires, hence the Authz logon.
The easiest workaround on a small scale is to change that entry in WMI, either
manually or by editing SCM.MOF and recompiling it, so that it points back to the Local
System SID.
Once that is in place, the Authz check is no longer performed.
To confirm the issue, try the following on a 'broken' SP1 server:
- Start -> Run -> wbemtest
- Connect to root\subscription
- Click "Enum Instances"
- Select "Recursive" and enter __EventConsumer (note the two leading underscores) -> click OK
- In the result set, double-click the instance of NTEventLogEventConsumer ("SCM Event Log Consumer")
- Click "Show MOF" and note the value of CreatorSID: if it is 1,1,0,0,0,0,0,5,18,0,0 then it is Local System; otherwise it is a user account.
In plain terms: reset the CreatorSID to the value given above.
The following additional guidance is available for this:
RESOLUTION:
We changed the CreatorSID from your user account to the Local
System account using the following process:
1. Open C:\Windows\System32\Wbem\scm.mof in Notepad.
Scroll down to the end of the file
and look for the following instance block:
instance of NTEventLogEventConsumer
{
    Name = "SCM Event Log Consumer";
    SourceName = "Service Control Manager";
    EventType = 1;
    Category = 0;
    NameOfUserSIDProperty = "sid";
};
Add the following line at the end of the block:
    CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0}; /* Comment - LINE ADDED */
so that it looks like this:
instance of NTEventLogEventConsumer
{
    Name = "SCM Event Log Consumer";
    SourceName = "Service Control Manager";
    EventType = 1;
    Category = 0;
    NameOfUserSIDProperty = "sid";
    CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0}; /* Comment - LINE ADDED */
};
2. To recompile SCM.MOF, open a command prompt running under the
credentials of the SYSTEM account. To do that:
- Log on as an administrator
- From a command prompt, enter "at [time] /interactive cmd.exe", where [time] is
  a moment in the near future
- Switch to the new command prompt that launches
- Change to c:\windows\system32\wbem
- Execute "mofcomp scm.mof"
3. To verify whether the CreatorSid was changed, do the following:
- Start -> Run -> wbemtest
- Connect to root\subscription
- Click "Enum Instances"
- Select "Recursive" and enter __EventConsumer (note the two leading underscores) -> click OK
- In the result set, double-click the instance of NTEventLogEventConsumer ("SCM Event Log Consumer")
- Click "Show MOF" and note the value of CreatorSID
- If it is 1,1,0,0,0,0,0,5,18,0,0 then it is Local System; otherwise it is a user account.
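As an added illustration that is not code from the post or from Microsoft, the following Python decodes the CreatorSid byte array that wbemtest's "Show MOF" displays into its S-1-… form and checks whether an NTEventLogEventConsumer definition, parsed from MOF text like the one above, already points at Local System. The embedded MOF sample and the helper names are constructed here; the decoder handles any binary SID, not only S-1-5-18.

```python
import re
import struct

# Constructed sample: the NTEventLogEventConsumer block from the post, with the
# CreatorSid line already added (the "after" state of the scm.mof edit).
SCM_MOF_FIXED = """instance of NTEventLogEventConsumer
{
    Name = "SCM Event Log Consumer";
    SourceName = "Service Control Manager";
    EventType = 1;
    Category = 0;
    NameOfUserSIDProperty = "sid";
    CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};
"""

LOCAL_SYSTEM = "S-1-5-18"  # the SID the workaround points CreatorSID back to


def sid_bytes_to_string(raw):
    """Decode a binary SID: revision byte, sub-authority count byte, 6-byte
    big-endian identifier authority, then one 4-byte little-endian value per
    sub-authority. S-1-5-18 is therefore 12 bytes; 11 bytes is not a valid SID."""
    data = bytes(raw)
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or len(data) != 8 + 4 * count:
        raise ValueError("malformed SID: %d bytes for %d sub-authorities" % (len(data), count))
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def creator_sid_from_mof(mof_text):
    """Return the CreatorSid byte array from MOF text, or None when the
    property is absent (the state before the scm.mof edit)."""
    m = re.search(r"CreatorSid\s*=\s*\{([^}]*)\}", mof_text, re.IGNORECASE)
    if m is None:
        return None
    return [int(x) for x in m.group(1).split(",") if x.strip()]


def creator_is_local_system(mof_text):
    """True only when CreatorSid is present and decodes to S-1-5-18."""
    raw = creator_sid_from_mof(mof_text)
    return raw is not None and sid_bytes_to_string(raw) == LOCAL_SYSTEM


if __name__ == "__main__":
    print(sid_bytes_to_string(creator_sid_from_mof(SCM_MOF_FIXED)))  # S-1-5-18
```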
Posted in Microsoft, Operating systems | 1 comment »
Restore security settings to the default settings ( Windows )
23.9.2009 by Tim Wanierke.
This article helps you restore the security settings to the default settings in Windows. You should use this solution only when a security change that had negative effects has been applied to the computer and when no backup is available from which to restore. This solution does not restore all security settings that are applied when you install Windows.
Link: http://support.microsoft.com/kb/313222/en-us
Posted in Microsoft | No comments »