Re: How to fix broken security in Windows 2000?

From: Shannon Jacobs (shanen_at_my-deja.com)
Date: 02/07/05


Date: Tue, 8 Feb 2005 05:48:34 +0900

I really am curious why you (Karl Levinson, mvp) persist in blath^H^H^H^H^H
commenting about a technical topic you know so little about. The only
explanation I can come up with is that you get some kind of Microsoft
brownie points for doing it. Your claim of trying to be helpful does not
sound very convincing at this point. Irrespective of your mysterious goal or
motivation, what you actually do is cause my newsreader to show the thread
is active, causing me to hope that someone who actually understands the
situation has shown up. A few years ago, that someone probably would have
been an MVP who actually understood the technology involved, and the
question would have been satisfactorily resolved within two or three
exchanges. At least that was my most common experience in those
days--whereas this exchange is pretty typical of the new situation.

If you actually go and look "in the trenches", you will see that there are
LOTS of security certificates and LOTS of files. Before resorting to the
newsgroups, I had already spent quite a bit of time trying to do it the
"Microsoft way", and found out that I was apparently wasting my time. To
make progress by that path, there would need to be some way to establish a
relationship between a file and the security certificate it requires. I can
definitely say that the specific security certificates listed in that
article (and in several others) are already present and therefore do NOT
solve the problems on at least one machine. Perhaps you'd like to suggest
that I just try to collect all the security certificates in the world and
import all of them? (Actually, I suspect that approach would actually fail
unless they were imported in the proper order.)

I did manage to test a number of additional machines, and so far the only
interesting pattern seems unchanged. Every Windows 2000 box is broken, and
every Windows XP machine is okay. I even managed to stumble across a
researcher with an English W2K machine, and it seemed to be even more badly
afflicted than most of the Japanese machines. One of the Japanese W2K
machines actually took a while to come up with a missing certificate, but
some of the delay was probably due to another process that was running at
the same time. Still, I do have the impression that the problem is not
absolutely uniform, but that some machines are missing more certificates
than others. Some of this might be because Microsoft's security certificate
upgrades have typically not been included on the primary patch list, but in
the second group, and some people may have skipped those. However, I can
certainly say that for the machines I personally control all of those
security certificate upgrades have been installed--to no avail.

Karl Levinson, mvp <levinson_k@despammed.com> wrote:
> "Shannon Jacobs" <shanen@my-deja.com> wrote in message
> news:ezTj1EMDFHA.1188@tk2msftngp13.phx.gbl...
>> Where? If you are referring to
>> http://support.microsoft.com/default.aspx/kb/822798 (the only link
>> I can find in a sampling of your posts in this thread), then you
>> are incorrect (again). I just reviewed it (again) and that Web
>> page does NOT answer the question, and is only tangentially
>> related to the problem (via a special
>
> The article lists the certificates used to verify the crypto
> signatures on files from updated Microsoft service packs and
> patches. So, this article certainly answers this question at least
> to those files. I would be very surprised if files from the
> original Windows install CD were not signed either with those same
> certificates, or using other older certificates with the same name
> from the same root authority. It appears to be the closest answer
> you're going to find on the Internet [a Google search turned up
> nothing else as far as I could find] and is absolutely worth a try.
>
>> case). Part of the final section would be relevant (though I
>> already know this is not the most convenient way to do it) *IF*
>> there was some way to explicitly identify the missing certificates
>> using SFC or some other tool.
>
> The article does identify the missing certificates, or at least the
> three or so required certificates. It's just three certificates,
> so why not open your GUI and compare what you've got to a working
> or newly installed / imaged Windows 2000 computer? How long could
> that possibly take, a few minutes? If you confirm that no
> certificates are missing, the other sections of that article then
> become relevant, by telling you the other possible dependencies. I
> don't see any reason to delay checking all of the dependencies in
> the article, to confirm these are not the problem. For example,
> you haven't told us whether the crypto service is starting on your
> computers [one of the troubleshooting steps mentioned in the
> article], unregistering and re-registering the DLLs in question,
> etc. I had a similar problem and ran through most of the steps in
> an hour or less, much less time than we've spent arguing about
> whether or not that article is the answer to your question. I
> really can't figure out what your aversion is to you or someone
> else on the IT staff there trying out all the steps in the article.
>
>> It makes me wonder if perhaps the real reason Microsoft has so far
>> avoided answering the question is because they no longer support
>> Windows 2000 to that degree.
>
> As far as tech support goes, Windows 2000 is every bit as supported
> as it was on the first day of its release, unless you're asking for
> new functionality to be programmed.
>
>> Imaginary (but sadly plausible) Microsoftian dialog:
>
> Very imaginary.
>
>> found the problem on any WXP machine). That means it would be
>> fundamentally impossible to know whether or not a W2K machine has
>> valid system files, unless you use the CD to restore the original
>> system files.
>
> Or you use a computer that isn't having the problem, or a freshly
> installed computer.
>
>> Of course that
>> cure would be worse than the disease, since you would almost
>> surely be *undoing* various security patches.
>
> Not in Windows 2000 and newer, it tracks and replaces updated files
> for you. I wouldn't be using the install CD here though, it's
> unnecessary.
>
>> Note that if all W2K machines are
>> missing certain security certificates, then the frequently
>> appearing suggestion (in many of Microsoft's "support" Web pages)
>> of copying them (via export) from another W2K machine is not going
>> to work, either.
>
> That's why you copy them from a known working Windows 2000
> computer, or at least compare them with a known working computer,
> in the default settings that haven't been touched by your IT staff.
> Because you refuse to look at the certificates and compare them, we
> really have no idea whether the problem is really missing
> certificates or not.
>
>> Mr. Dilley's rudeness was rather amusing (or even hypocritical) in
>> a post that apparently accused someone else of rudeness. (Hard to
>> be sure what his intended points were, since they were so badly
>> expressed.)]
>
> I understood them. His point is that you are very rude and yet you
> need and demand assistance from the people you are insulting.
> Also, your IT staff should be the primary ones troubleshooting
> this, not you.


