Bug Fix Corrects Multiple Disk Array Problems
Bugs in the storport.sys driver can cause Windows Server 2003 to hang when you connect a disk array controller cable or when you remove one of the disk drives in the array. When a system with a disk array is performing more than a minimal amount of disk input or output, it might hang during shutdown, requiring you to manually cycle the power to successfully reboot. Microsoft Product Support Services (PSS) has a new version of the disk array driver, storport.sys, with a file release date of October 15, that corrects these problems. When you call for the patch, reference the Microsoft article "Windows Server 2003 Stops Responding After You Install an Array Controller" (http://support.microsoft.com/?kbid=823728).
Patch Corrects FTP File Rename Failure
A timing problem in the FTP component of Microsoft Internet Information Services (IIS) 6.0 can prevent you from renaming a file after you upload a large file to the FTP directory. According to Microsoft, IIS issues the file rename request before it completes the upload operation. When this problem occurs, FTP responds to the file rename request with error message 550: The process cannot access the file because it is being used by another process. If you look at the IIS log, you'll see three consecutive entries that refer to the failed file rename. The first shows IIS processing a rename from operation (the RNFR line); the second shows IIS performing a rename to operation (RNTO); and the third shows a QUIT, which means the rename operation failed. PSS has a new version of the FTP service, ftpsvc2.dll, that eliminates the timing bug. The patch has a file release date of September 5 and is available only from PSS. Reference the Microsoft article "FIX: You Cannot Rename a File After You Upload the File to an FTP Server" (http://support.microsoft.com/?kbid=828086).
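To tell whether an FTP server is hitting this bug before calling PSS, you can scan the IIS log for the three-entry signature the article describes. The following PowerShell is an added example (not from the article and not Microsoft's code); the log lines are constructed and use a simplified W3C field layout, so adjust the field positions to the #Fields: header of your own log.

```powershell
# Added example: flag the RNFR -> RNTO -> QUIT sequence from the same client
# that KB 828086 associates with a failed rename after a large upload.
# Sample log lines are constructed; the field order assumed here is
# date time c-ip cs-username cs-method cs-uri-stem sc-status.

function Find-FailedFtpRename {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines
    )

    # Keep the last three parsed entries per client address so the three
    # lines are only matched when they come from the same session.
    $recent = @{}
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 7) { continue }

        $client = $f[2]
        # IIS 6.0 prefixes the FTP command with a "[n]" session marker; drop it.
        $method = $f[4] -replace '^\[\d+\]', ''
        $entry  = [pscustomobject]@{
            Method = $method; User = $f[3]; Path = $f[5]; Status = $f[6]
        }

        if (-not $recent.ContainsKey($client)) {
            $recent[$client] = New-Object System.Collections.Generic.List[object]
        }
        $recent[$client].Add($entry)
        if ($recent[$client].Count -gt 3) { $recent[$client].RemoveAt(0) }

        $r = $recent[$client]
        if ($r.Count -eq 3 -and $r[0].Method -eq 'RNFR' -and
            $r[1].Method -eq 'RNTO' -and $r[2].Method -eq 'QUIT') {
            $findings.Add([pscustomobject]@{
                Client     = $client
                User       = $r[1].User
                RenameFrom = $r[0].Path
                RenameTo   = $r[1].Path
                # The 550 reply appears on the RNTO line, not on the QUIT line.
                RntoStatus = $r[1].Status
            })
        }
    }
    return $findings
}

# Constructed sample: one successful upload followed by the failing rename.
$sampleLog = @(
    '#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status',
    '2003-10-16 09:12:01 192.0.2.10 alice [1]USER alice 331',
    '2003-10-16 09:12:01 192.0.2.10 alice [1]PASS - 230',
    '2003-10-16 09:12:40 192.0.2.10 alice [1]created /upload/big.tmp 226',
    '2003-10-16 09:12:40 192.0.2.10 alice [1]RNFR /upload/big.tmp 350',
    '2003-10-16 09:12:40 192.0.2.10 alice [1]RNTO /upload/big.dat 550',
    '2003-10-16 09:12:41 192.0.2.10 alice [1]QUIT - 226'
)

Find-FailedFtpRename -LogLines $sampleLog | Format-Table -AutoSize
```

Against a real log, pass the file contents instead of the sample: Find-FailedFtpRename -LogLines (Get-Content .\ex031016.log). A hit confirms the symptom the article describes; it does not change the server, so the fix is still the ftpsvc2.dll update from PSS.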
Local Administrator Can Disable User Policy
Here's a hole that a user who has a roaming profile and a local administrator account can exploit to fool a Windows 2003 domain controller (DC) into not applying user policy settings. Windows 2003 uses the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History registry subkey to record whether the user portion of a Group Policy Object (GPO) has been applied. When you configure a user account to have a roaming profile, the system copies the profile to any system on which the user logs on successfully. A user with an Administrator account can run a registry editor and load a portion of the user profile (ntuser.dat) from another system into the registry on the local machine. After the roaming profile is loaded, this individual can change the security on the above subkey, giving the domain account permission to modify the subkey. After the domain account has permission to modify the registry subkey, the user can log off and log back on and change the version number in the Group Policy subkey so that the DC thinks it has already applied the user portion of Group Policy. This nifty maneuver lets a malicious user exclude the local machine from the control of user settings in a GPO. Two workarounds for this exploit exist. You can either disable roaming profiles or force a GPO update every time a user logs on. If you force a GPO update at every logon and you have a nested set of policies, users might experience a long delay before the desktop appears. Microsoft discusses this loophole in the article "A Malicious User May Circumvent User Policy" (http://support.microsoft.com/?kbid=812541).
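The artifact this maneuver leaves behind is an access control entry on the Group Policy History subkey that grants a non-administrative principal write access. The following PowerShell is an added example (not from the article and not Microsoft's code) that audits that subkey in every loaded user hive on a machine; the list of principals it treats as trusted is an assumption and should be adjusted to match your own builds.

```powershell
# Added example: report ACEs on HKEY_USERS\<SID>\...\Group Policy\History that
# give anyone other than SYSTEM or Administrators write access, which is what
# the KB 812541 technique requires. Run from an administrative session so every
# loaded hive under HKEY_USERS is readable.

$HistorySubPath = 'Software\Microsoft\Windows\CurrentVersion\Group Policy\History'

# Assumption: only these principals are expected to hold write access on the key.
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Rights that let a principal alter the recorded GPO version (or the ACL itself).
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-SuspiciousHistoryAce {
    param(
        # Provider-qualified hive root, e.g. Registry::HKEY_USERS\S-1-5-21-...
        [Parameter(Mandatory)] [string] $HiveRoot
    )

    $keyPath = "$HiveRoot\$HistorySubPath"
    if (-not (Test-Path -LiteralPath $keyPath)) { return }

    $acl = Get-Acl -LiteralPath $keyPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $WriteRights) -eq 0) { continue }

        # Anything reaching here can rewrite the key; a non-inherited ACE for the
        # user's own account is the strongest indicator of the technique.
        [pscustomobject]@{
            Hive      = $HiveRoot
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Audit every loaded user hive (user SIDs have the form S-1-5-21-...).
Get-ChildItem -Path Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { Get-SuspiciousHistoryAce -HiveRoot "Registry::HKEY_USERS\$($_.PSChildName)" } |
    Format-Table -AutoSize
```

An empty result means no loaded hive carries an unexpected write ACE on the key. Because the modified permissions travel with the roaming profile, a hit should prompt a review of that user's profile on every machine they log on to, in addition to one of the two workarounds above.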
Post-SP1 Rollup Available
On October 15, Microsoft released Update Rollup 1 for Windows XP. The cumulative update contains 16 security hotfixes, 10 from 2003 and 6 from 2002. The rollup also contains patches for nonsecurity issues, including one you can install to use a default browser other than Microsoft Internet Explorer (IE), a fix that enables XP to create network connections after you repair the OS, and a patch that eliminates error 643 when you attempt to update XP by using the Windows Update site. You can install the rollup interactively at Windows Update. If you want to distribute the rollup to multiple systems, you can download the 2.7MB file from the Microsoft Download center at http://www.microsoft.com/downloads/details.aspx?familyid=d531bf00-d7be-48E3-abcc-961602bd72c2&displaylang=en. Note that this rollup is for 32-bit XP systems; an equivalent update for 64-bit XP systems is not yet available.
Cached Credentials Interfere with Remote Logon
If your Group Policy permits cached credentials on XP workstations, remote users might be unable to log on by using a VPN or dial-up connection after they change their passwords. When a remote user changes his or her password during a remote session, the system doesn't correctly update the password change in the cache. Thus, if the user logs off and logs back on, the cache still contains the previous password and the logon fails. You can force the system to update the cache with the new password by disabling the Automatically use my Windows logon name and password option on the XP system. To permanently solve the problem, you need to install the bug fix, a comprehensive patch that updates 13 XP files involved in remote access and authentication. Most of the files have a release date of September 25, and the fix is available only from PSS. This problem is documented in the Microsoft article "You Cannot Log On After You Correctly Change Your Log On Credentials" (http://support.microsoft.com/?kbid=829652).
Can't Join a Windows 2003 Domain During Unattended Setup
If you use unattended setup to roll out XP systems, you might encounter a problem when the XP machine attempts to join a Windows 2003 domain. If the domain join fails, it might be because the domain policy requires the NTLMv2 authentication protocol and refuses the less secure authentication protocols LM and NT LAN Manager (NTLM). The reference article doesn't indicate whether the domain join failure is caused by a bug in how XP and Windows 2003 negotiate the authentication protocols or by the fact that XP defaults to the less secure protocols. In any case, Microsoft has corrected this problem in a new version of the XP Kerberos component, kerberos.dll, for both 32- and 64-bit systems. Both updates have a file release date of September 22 and are available only from PSS. When you call, cite the Microsoft article "You Cannot Join a Windows XP Computer to a Windows Server 2003 Domain During an Unattended Setup" (http://support.microsoft.com/?kbid=827179).