Keeping Up with Terminal Services - 06 Jun 2001

Terminal Services Clients Consume Multiple TSCALs
Microsoft released a fix for Windows 2000 Server Terminal Services clients that eat multiple Terminal Server Client Access Licenses (TSCALs), but you can't have it yet. Microsoft discovered a problem with the fix that conflicts with the re-issuance licensing hotfix posted at the end of March. See Microsoft article Q294729 to learn more about the problem this new hotfix is supposed to address.

Post-SP6 Fix: Windows NT Explorer Reports "The Parameter Is Incorrect"
According to Microsoft article Q250318, Windows NT Explorer might generate a "The parameter is incorrect" error message when you attempt to view permissions on a folder after you edit permissions using cacls.exe with the /G switch. Explorer's access control list (ACL) editor generates an error message if any generic permissions, such as GENERIC_READ, GENERIC_WRITE, or GENERIC_EXECUTE, are also present when the GENERIC_ALL permission is set. See the article to learn how to get a fix or use a workaround.

Error Message When You Use Windows Installer
According to Microsoft article Q251274, when you try to install a product on a computer running Windows NT 4.0 and Windows Installer starts, an error message might indicate that the Windows Installer service failed to start or that Internal Error 2755 occurred. The installation then quits. See the article for more information and to learn how to get a fix.

Malformed Print Request Might Stop Win2K TCP/IP Printing Service
After you install the TCP/IP printing service on a Windows NT Server 4.0, Terminal Server Edition (TSE) computer or the Print Services for UNIX component on a Win2K computer, someone could exploit a security vulnerability in the Line Print Daemon (LPD) Server service on those computers. A malicious user could cause the service to stop by sending a malformed print request via the LPD Server. See Microsoft article Q257870 for information about a fix.

Incorrect Registry Setting Might Allow Cryptography-Key Compromise
A malicious user can interactively log on to a TSE computer and compromise other users' cryptographic-key security. If you follow typical security recommendations, typical users aren't allowed to interactively log on to domain controllers (DCs), Web servers, database servers, ERP servers, and other security-critical computers. According to Microsoft article Q259496, this vulnerability doesn't affect Win2K computers. See the article to learn how to get a TSE fix.

NWRDR.sys Mishandles an Exception That Can Cause a "Stop" Error Message
When you use TSE with Gateway Services for NetWare (GSNW), under certain conditions you might receive a "Stop 0x0A" error message because the NetWare redirector doesn't check for null returns when it dereferences an IrpContext function. See Microsoft article Q259980 to learn how to get a fix.

Space at End of Batch File Name Causes Server to Hang
When you start cmd.exe from other programs or run batch files with another batch file as a parameter, the script might not run if the file name is padded with space characters. Task Manager will contain many instances of cmd.exe, and you'll receive insufficient-memory, C run-time, or DLL-initialization error messages. According to Microsoft article Q258839, cmd.exe in TSE (but not Terminal Services) contains a parsing error that causes this behavior. Make sure you don't have extra spaces at the end of your file names, or see the article to learn how to get a fix.

Slash Character Not Valid In Strong Passwords
The slash character (/) isn't a valid special character when you use passfilt.dll to enable strong passwords on TSE or Win2K systems. Microsoft article Q271862 explains how to get a fix for TSE; Microsoft first corrected the problem for Win2K in SP2.

Post-SP6 Patch Available for NTLMSSP Privilege Elevation Vulnerability
Microsoft has released a patch that eliminates an NTLM Security Support Provider (NTLMSSP) security vulnerability that can let local users grant themselves administrator-level privileges. The computers most at risk are NT workstations and TSE servers. See Microsoft article Q280119 to learn how to get a fix (the hotfix requires SP6).

Post-SP6 Patch Available for Malformed PPTP Packet-Stream Vulnerability
Microsoft has released a patch that eliminates a PPTP service-code security vulnerability that affects NT 4.0-based servers that provide secure remote sessions. If an affected server receives a sufficient number of packets that contain a specific malformation, kernel memory eventually becomes exhausted and the server will stop responding (hang). See Microsoft article Q283001 to get a fix, which requires SP6.

Post-SP6, SP1 Fix: TCP/IP Routes Might Be Incorrect if AddIPAddress() Is Used on Multihomed Computers
If you use the AddIPAddress function repeatedly to add dynamic IP addresses to adapters in a multihomed Win2K or TSE computer, the routes might be incorrect and could interfere with communication with other computers. This problem occurs because TCP/IP doesn't correctly maintain IP addresses and routing-table entries. Microsoft article Q287032 recommends that you remove the addresses in the same order you added them, or you can get a fix (the TSE fix requires SP6).

Database Files Close Unexpectedly if a Win2K Terminal Services User Opens Them
According to Microsoft article Q294816, the network redirector in Terminal Services creates only one file control block (FCB) for all user connections, so when the first user logs off, the other users lose their connections. Microsoft doesn't have a fix. To work around this problem, place the program and data files on a local volume on the terminal server. If the program has hard-coded drive letters that usually go through mapped network drives, you can create those drives using the SUBST command.

Invalid TCP Checksums On Port Causes Kernel-Mode Memory Leak
A Win2K-based computer running Terminal Services might exhibit a kernel-mode memory leak in the nonpaged pool. Networking services on the computer might eventually stop responding to client requests because improper handling of packets with bad TCP checksums causes a memory leak in tdtcp.sys. I don't see this article in the list of SP2 fixes, even though the file is dated March 2001. See Microsoft article Q2924356 to learn how to get the fix.

Post-SP6 Fix: Registry Hive Fragmentation Behavior Not Configurable
Microsoft article Q283217 describes a way to configure the Registry Hive Cell Size algorithm, but this method doesn't work on TSE computers. The variable that controls this behavior is always set to zero, regardless of the registry value. Microsoft article Q294345 explains how to get a fix for this problem, which requires SP6.

You Can Overwrite ODBC DLLs On Win2K
Terminal Services, which relies on ODBC, doesn't function correctly if an older program (one that predates Win2K) installs ODBC components; Terminal Services prevents users from authenticating properly if ODBC versions don't match. This behavior occurs because ODBC DLLs aren't protected system files. As a result, programs such as Microsoft SQL Server can overwrite DLL files that already exist in Win2K. Microsoft article Q238880 recommends that you copy the newer version of the ODBC files back into the %SystemRoot%\System32 folder and restart the server.

Per-Session <Temp> Folders Aren't Available to GPO Logon Scripts When Logon Scripts Run Synchronously
By default, a Terminal Services computer creates a separate temporary folder for each new server session. When a user runs multiple Terminal Services sessions, each session has a separate temporary folder based on the session identification. When a Group Policy Object (GPO) is set to run logon scripts synchronously, Temp and Tmp aren't per-session while the logon scripts are running; however, Temp and Tmp are per-session after logon. See Microsoft article Q285138 to learn how to get a fix.

How To Change the NT Logon Screen Saver
When you start NT, a Begin Logon dialog box prompts you to press CTRL+ALT+DEL to log on. By default, if you don't press a key for 15 minutes, the NT logon screen saver (logon.scr) starts. To learn how to change the screen saver, see Microsoft article Q185348.

Applying Permissions with Security Configuration Editor Installed Causes Error
When you apply permissions on the drive containing the system files on a TSE computer, an error message might indicate that the target drive doesn't have enough room or that the parameter is incorrect. This problem occurs only after you install Security Configuration Editor and use its new ACL editor. The system generates an error message when a record can't be written in the Application event log. Microsoft article Q257504 contains some background information about what the error messages should look like and why the error isn't written.

Win2K Domain Controller Default Ports List
If you want to find out the most common ports, protocols, and services on a Win2K-based server running Active Directory (AD), see Microsoft article Q289241. This article lists the different services and their respective ports, but doesn't explain how to configure the ports for firewalls or proxies.
