Windows Server 2003 SP2 is a combination of security updates, functionality updates, and new features. SP2 contains the latest collection of updates to help improve the security, reliability, and performance of the operating system. Like Windows Server 2003 SP1, it makes some significant security changes, including the startup accounts used by services and DCOM security. Because SP2 ships with stronger defaults and reduces the privileges of services, some issues may appear after installing it.
Here we introduce a typical security related issue after installing SP2:
Windows 2003 SP2 runs the RPC service under the Network Service account. Prior to SP2 and SP1, the OS ran it under the Local System account. After installing SP2 on Windows Server 2003, services that use the Network Service or Local Service account may fail to start.
Have you ever encountered the following problem?
The Remote Procedure Call (RPC) service has been changed from the Local System account to the Network Service account for better security. When the RPC service runs as Network Service, the “Impersonate a client after authentication” right must include the Administrators group and the SERVICE group.
What can we do if meeting with the issue?
a. Open the Group Policy configuration window (gpedit.msc or open it in Active Directory Users and Computers).
b. Locate the policy entry: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication.
c. Ensure that the “Administrators” group and the “SERVICE” group are granted this privilege.
d. If the problem remains, correct the Access Control List for HKEY_CLASSES_ROOT\CLSID (and all child keys and values) to ensure NT Authority\Network Service can read. This can be accomplished by adding Authenticated Users or Users group and providing Read permissions.
Note: If the Add User or Group button is disabled and if the computer is a domain controller, use the Domain Controller Security Policy administrative tool to make the policy changes. This policy tool will override the local security policy settings. If this computer is a member server and the Add User or Group button is disabled, identify all Group Policy settings that apply to this computer, and then make the policy changes to the appropriate Group Policy settings.
e. In the Enter the object names to select box, type Administrators, and then click OK.
f. Repeat steps d through e for the SERVICE group account.
g. Click OK to close the Impersonate a client after authentication Properties dialog box.
h. On the File menu, click Exit.
i. Restart the computer.
If you can add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting, restart the computer.
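One way to verify both parts of the fix (the user right from step c and the registry ACL from step d) from the affected server, as an added PowerShell check that is not part of the original post; it assumes an elevated prompt and uses the well-known SIDs S-1-5-32-544 (Administrators) and S-1-5-6 (SERVICE):

```powershell
# Added example: audit the two settings the procedure above changes.
# Assumes it runs elevated on the affected server.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The exported INF carries a line such as
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
$line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
$sids = @()
if ($line) {
    $sids = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# Well-known SIDs for the two principals the fix requires.
$required = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-6' = 'SERVICE' }
foreach ($sid in $required.Keys) {
    if ($sids -contains $sid) {
        Write-Output "OK      : $($required[$sid]) holds 'Impersonate a client after authentication'"
    } else {
        Write-Output "MISSING : $($required[$sid]) lacks 'Impersonate a client after authentication' (step c)"
    }
}

# Step d: Network Service must be able to read HKEY_CLASSES_ROOT\CLSID.
# A Read ACE for Users or Authenticated Users also covers it, as the post suggests.
$readers = 'NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
$acl = Get-Acl -Path 'Registry::HKEY_CLASSES_ROOT\CLSID'
$canRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $readers -contains $_.IdentityReference.Value -and
    (($_.RegistryRights -band $readKey) -eq $readKey)
}
if ($canRead) {
    $who = ($canRead | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    Write-Output "OK      : HKCR\CLSID is readable by $who"
} else {
    Write-Output "MISSING : no Read ACE on HKCR\CLSID for Network Service or Users (step d)"
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it before and after the procedure; a MISSING line points at the step that still needs to be applied.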
Thanks Guys, you just saved my arse!
I am facing the same problem; when I am using option B I am not able to go to Properties. I am trying to start services but I am not able to start them.
"Could not start the Microsoft Exchange Routing Engine service on Local Computer. Error 1068: The dependency service or group failed to start."
Sorry - does not help. Administrator and SERVICE have the perms and still no dice. Users cannot check their emails
Thanks for this wonderful solution.
However, I could not proceed on getting to option B.
I am having similar problems to the complaint below:
# re: Service starting problem after installing SP2
Wednesday, April 29, 2009 9:20 AM by dhirajchougale
I shall appreciate your assistance.
This seems like a wonderful solution; however, the server is a domain controller but not the primary domain controller, therefore, when I try to open the Domain Controller Security Policy administrative tool, it gives me the error "cannot contact the domain controller or the domain does not exist". The option to change the permissions in gpedit.msc is grayed out... so I am kinda stuck. What I am going to attempt is to uninstall SP2 and then add the appropriate changes before re-applying the update. Wish me luck.
Just so I am clear, here was my issue: I am running Windows 2003 Server Enterprise Edition. The server is a domain controller. After installing SP2 and rebooting the server, it took way longer to reboot, and I got an error that alerted me that several services failed to start up. Then, once my GUI appeared, I noticed that my network adapter icon did not appear in the tool tray. I could not open a web page, and I could not ping any device in my network. So I checked the Network Connections service and it was not started. I attempted to start it, but it failed to start. When I attempted to start the Windows Installer service, it failed to start also. When I tried to view the service dependencies, I got an error W32: Access Denied. Once I found this thread I thought "Heck yes, this is the golden ticket." So I went to work... but since the Network Connections service refuses to start I cannot open the Domain Controller Security Policy editor, and the local policy editor is not an option because the buttons are grayed out. I will update this thread if I am able to fix this problem. Thank you.
...update: success!! After uninstalling SP2 on my server, and rebooting, all of the services started fine just like before, and I was able to apply the fix mentioned in this thread. After adding the appropriate permissions in Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication, I then re-installed SP2, rebooted the server and all is well now!
Thanks for the solution!!
I was facing a similar problem, but the Network Service could not be started because I had set the permission on HKLM\SW\WinNT\CurrentVer\SvcHost to 'Read' only. The reason I had done this was to remove the Win32\Conficker-A virus, and unfortunately I had forgotten to set it back to the default permission setting. After installing SP2 and rebooting the server, the problem happened. After Googling my way to this page and recalling the job I had done earlier, I set the permission back to the original and restarted the server. Finally, everything was back to normal. Thanks mate.