Security template crashed apps

[C Hall]

Hi all,

I was in the process of implementing the W2K Hardening templates on some
workstations, but ran into some problems with third party apps. I got a
variety of errors, one app in particular needs to be able to connect to the
server via UNC path. Not sure what port it uses. Two of the apps connect to
a server and return data files (one of those, an image file). Can anyone
render a guess about how the File System and Registry are changed
(roughly...) with the Hardening templates?


Thanks,
Chris

 

[Steven L Umbach]

What template did you apply?? It may not be a file/registry permission
problem. Check the application, security, and system logs on one of those
workstations to see if any helpful information has been recorded there. You
can open the security template in the Security Configuration and Analysis
mmc snapin tool [see link below] to see what is configured in it and also
run an analysis of that template on a computer where you have not applied
it yet to see what changes it makes to security policy. --- Steve

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/seconfig.mspx

 

[C Hall]

Steven,

I applied W2KHG-MemberWKS. I'll take a look at the logs and post any further
questions.

What template did you apply?? It may not be a file/registry permission
problem. Check the application, security, and system logs on one of those
workstations to see if any helpful information has been recorded there. You
can open the security template in the Security Configuration and Analysis
mmc snapin tool [see link below] to see what is configured in it and also
run an analysis of that template on a computer where you have not applied
it yet to see what changes it makes to security policy. --- Steve

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/seconfig.mspx

Hi all,

I was in the process of implementing the W2K Hardening templates on some
workstations, but ran into some problems with third party apps. I got a
variety of errors, one app in particular needs to be able to connect to
the
server via UNC path. Not sure what port it uses. Two of the apps connect
to
a server and return data files (one of those, an image file). Can anyone
render a guess about how the File System and Registry are changed
(roughly...) with the Hardening templates?


Thanks,
Chris

 

[Steven L Umbach]

From what I can see that security template does not do much. It does however
change the user rights for access this computer from the network and logon
locally though I really doubt that those would be an issue. What I would try
is to add the everyone group to access this computer from the network on a
computer to see if that makes a difference. It does not change any services
or file system. It does change permissions to a number of keys under
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\* if you look at the
template, even if you open it with notepad. You can enable auditing of
object access for failure on a computer and then audit those registry keys
to see if access is being denied. --- Steve

Steven,

I applied W2KHG-MemberWKS. I'll take a look at the logs and post any
further
questions.

What template did you apply?? It may not be a file/registry permission
problem. Check the application, security, and system logs on one of those
workstations to see if any helpful information has been recorded there. You
can open the security template in the Security Configuration and Analysis
mmc snapin tool [see link below] to see what is configured in it and also
run an analysis of that template on a computer where you have not
applied
it yet to see what changes it makes to security policy. --- Steve

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/seconfig.mspx

Hi all,

I was in the process of implementing the W2K Hardening templates on
some
workstations, but ran into some problems with third party apps. I got a
variety of errors, one app in particular needs to be able to connect to
the
server via UNC path. Not sure what port it uses. Two of the apps
connect
to
a server and return data files (one of those, an image file). Can
anyone
render a guess about how the File System and Registry are changed
(roughly...) with the Hardening templates?


Thanks,
Chris

 

[C Hall]

Thanks for the reply.

I decided I'm going to setup a dummy machine and build the template from
scratch :-<, that way when I go down the line, section by section, I can see
which section or setting is causing the problem. The server that these apps
(at least a couple of them...) are trying to access is an AS/400. I know
that there are several settings that pertain to communication and such, like
LAN Manager authentication level, reference to named pipes (which we do have
a couple of sql apps...not sure if one of those broke or not). I'm just
thinking that in the File System or Registry sections, permissions got
tightened and that these apps need to be able to write to a temp folder or
something like that. The other program gave an error referencing Paradox. I
think it needed to be able to write a file somewhere also. Looking at logs
on the machines, I didn't see anything that could be a cause. BTW, all
machines are Windows 2000 Pro. I'll take a look at the registry key
permissions you mention below. Any other suggestions are welcome and I'll
post back any results from testing I do.

Chris

From what I can see that security template does not do much. It does however
change the user rights for access this computer from the network and logon
locally though I really doubt that those would be an issue. What I would try
is to add the everyone group to access this computer from the network on a
computer to see if that makes a difference. It does not change any services
or file system. It does change permissions to a number of keys under
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\* if you look at the
template, even if you open it with notepad. You can enable auditing of
object access for failure on a computer and then audit those registry keys
to see if access is being denied. --- Steve

Steven,

I applied W2KHG-MemberWKS. I'll take a look at the logs and post any
further
questions.

What template did you apply?? It may not be a file/registry permission
problem. Check the application, security, and system logs on one of those
workstations to see if any helpful information has been recorded there. You
can open the security template in the Security Configuration and Analysis
mmc snapin tool [see link below] to see what is configured in it and also
run an analysis of that template on a computer where you have not
applied
it yet to see what changes it makes to security policy. --- Steve

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/seconfig.mspx

Hi all,

I was in the process of implementing the W2K Hardening templates on
some
workstations, but ran into some problems with third party apps. I got a
variety of errors, one app in particular needs to be able to connect to
the
server via UNC path. Not sure what port it uses. Two of the apps
connect
to
a server and return data files (one of those, an image file). Can
anyone
render a guess about how the File System and Registry are changed
(roughly...) with the Hardening templates?


Thanks,
Chris