RE: DCOM Server Event ID 10003
- From: "RickAllenS" <RickAllenS@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 2 Sep 2005 21:13:01 -0700
Hi Brandy,
I suppose this informtaion might be helpful to me if I understood what it
meant. I don't know what DCOM is. I don't understand how they would be
attempting to launch a DCOM server. And I don't understand what Microsoft
Word has to do with it.
The message that goes with this error message is:
"Access denied attempting to launch a DCOM Server using
DefaultLaunchPermssion. The server is: {00020906-0000-0000-C000-000000000046}
The user is ANONYMOUS LOGON/NT AUTHORITY, SID=S-1-5-7."
I don't want to give anyone permission to do this and that's what it looks
like your instructions are telling me to do . . .
If you could clarify, I would appreciate it.
Thanks!
Rick
""Brandy Nee [MSFT]"" wrote:
> Hello Rick,
>
> Thank you for posting to the SBS Newsgroup.
>
> I understand that from the server usage report, you noticed that your
> server got EVENT ID 10003, and you are worrying whether your network is
> being secure protected. If I have misunderstood your concern, please let me
> know.
>
> A registry search on this shows that {00020906-0000-0000-C000-000000000046}
> is Microsoft Word Document. It seems that something is attempting to create
> an instance of a word application / a word document using DCOM.
>
> Please try the following steps and see if the problem persists:
>
> 1. Click Start, click Run, type "dcomcnfg" (without the quotation marks),
> and then click OK.
>
> 2. Expand to Console Root\Component Services\Computers\My Computer. Right
> click My Computer, go to Properties.
>
> 3. On the "Default Properties" tab, set "Default Authentication Level" to
> Connect and set "Default Impersonation Level" to "Identify".
>
> 4. On the Application tab, select Microsoft Word Document and click
> Properties.
>
> 5. On the Security tab, select "Use custom launch permissions" and click
> Edit.
>
> 6. Check if SYSTEM has the "Allow Launch" permission. If SYSTEM has the
> permission already, click Cancel, and then switch to the General tab, set
> the Authentication Level to "None".
>
> 7. Click OK twice and restart computer.
>
> If the resolution above does not help, try the following:
>
> a. On the server, go to Start, click Run, type "regedit" (without the
> quotation marks).
>
> b. Export HKEY_CLASSES_ROOT\CLSID\{00020906-0000-0000-C000-000000000046}
> from the registry.
>
> c. Delete the above key.
>
> d. Control Panel -> Add/Remove Programs, repair Microsoft Word.
>
> If you suspect that your network is being attacked from the Internet, I
> suggest you read the following document. This document helps you to more
> securely configure your Microsoft Windows Small Business Server 2003
> network. Completing the tasks in this document helps you protect the
> availability, integrity, and confidentiality of your network.
>
> Securing Your Windows Small Business Server 2003 Network
> http://www.microsoft.com/technet/prodtechnol/sbs/2003/maintain/sbsecnet.mspx
>
>
> Hope this information helps. If anything is unclear, please feel free to
> let me know. I am looking forward to your reply!
>
> Best regards,
>
> Brandy Nee
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
> --------------------
> >Thread-Topic: DCOM Server Event ID 10003
> >thread-index: AcWu/d5knfHqbGWWR3CaxKlBdzcylQ==
> >X-WBNR-Posting-Host: 69.14.191.6
> >From: "=?Utf-8?B?Umlja0FsbGVuUw==?=" <RickAllenS@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >Subject: DCOM Server Event ID 10003
> >Date: Thu, 1 Sep 2005 07:03:03 -0700
> >Lines: 17
> >Message-ID: <00E4644A-7892-41ED-809C-5CE9B828AA7A@xxxxxxxxxxxxx>
> >MIME-Version: 1.0
> >Content-Type: text/plain;
> > charset="Utf-8"
> >Content-Transfer-Encoding: 7bit
> >X-Newsreader: Microsoft CDO for Windows 2000
> >Content-Class: urn:content-classes:message
> >Importance: normal
> >Priority: normal
> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> >Newsgroups: microsoft.public.windows.server.sbs
> >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
> >Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA03.phx.gbl
> >Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:149894
> >X-Tomcat-NG: microsoft.public.windows.server.sbs
> >
> >For the last couple of days, I have been receiving the following message
> in
> >my usage report:
> >
> >"Access denied attempting to launch a DCOM Server using
> >DefaultLaunchPermssion. The server is:
> {00020906-0000-0000-C000-000000000046}
> >The user is ANONYMOUS LOGON/NT AUTHORITY, SID=S-1-5-7."
> >
> >This message is listed with Event ID 10003 and it says there were 19
> >occurences.
> >
> >I am concerned that somebody is trying to hack my system. Or worse yet
> that
> >the 20th try worked. Can anybody tell me how to analyze this concern and
> find
> >out what is going on? Any help would be greatly appreciated.
> >
> >Thanks!!!
> >
> >Rick
> >
>
>
.
- References:
- DCOM Server Event ID 10003
- From: RickAllenS
- RE: DCOM Server Event ID 10003
- From: "Brandy Nee [MSFT]"
- DCOM Server Event ID 10003
- Prev by Date: SSL Certificate for RPC over HTTP
- Next by Date: Re: Really Slow Sign-on
- Previous by thread: RE: DCOM Server Event ID 10003
- Next by thread: RE: DCOM Server Event ID 10003
- Index(es):
Relevant Pages
|
