Systems Management Server (SMS) 2003 cannot connect to local shares after you apply a Windows Server 2003 security template to a SMS 2003 site server (886070)


The information in this article applies to:

  • Microsoft Systems Management Server 2003

Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

SYMPTOMS

After you apply a Microsoft Windows Server 2003 security template to a Microsoft Systems Management Server (SMS) 2003 site server, SMS 2003 cannot connect to local shares, and you receive error messages that are similar to the following in the Distmgr.log file:

Could not connect to job source \\ServerName\SMS_SiteCode\inboxes\schedule.box (2). Cannot start replication. $$<SMS_DISTRIBUTION_MANAGER><DateTime><ThreadID>

CAUSE

This issue will occur after you apply a Windows Server 2003 security template to a SMS 2003 site server.

WORKAROUND

To work around this issue, use one of the following methods: 2. Restart the server that you applied the security template to.

Apply a security template

Security templates are available in the Systems Management Server 2003 Toolkit.

To download the SMS 2003 Toolkit 2, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=61E4E21F-2652-42DD-A04D-B67F0573751D&displaylang=en

You can find the following three different security templates for SMS 2003 in the %ProgramFiles%\SMS 2003 Toolkits 2\Security Template folder after you install the toolkit on your computer:
  • EnterpriseClient-SMSServer.inf
  • HighSecurity-SMSServer.inf
  • LegacyClient-SMSServer.inf
Note Remove the SMS 2003 Toolkit 1 before you install SMS 2003 Toolkit 2.

Create and apply a security template

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk. To work around this issue, you must create an SMS 2003 security template that will enable site server functions. Then, you must apply that security template. To do this, follow these steps:
  1. Create an SMS security template. To do this, follow these steps:
    1. Click Start, point to All Programs, point to Accessories, and then click Notepad.
    2. Paste the following SMS security template code in Notepad:
      ; Security Configuration Template for Security Configuration Editor
;
; Template Name:        886070 - SMS Server.inf
; Template Version:     1.0
;
;This Security Configuration Template provides settings to support the 
;Systems Management Server Role settings for the Windows Server 2003 
;Security Guide. Please read the entire guide before using 
;this template.
;
; Release History
; 0001	-	Original	February 16, 2004

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
[Service General Setting]
"COMSysApp",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"IISADMIN",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"Schedule",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"W3SVC",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"HTTPFilter",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"MSDTC",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-7
[Profile Description]
Description=Incremental Settings for an Systems Management Servers in an environment with high security requirements.
    3. Click File, click Save, and then type SystemRoot\Security\Templates\SMS2003SiteServer.Inf in the File name box.

    Note This security template is now available in the Systems Management Server 2003 Toolkit 2. To download the SMS 2003 Toolkit 2 , visit the following Microsoft Web site:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=61E4E21F-2652-42DD-A04D-B67F0573751D&displaylang=en


    You can find the following three different security templates for SMS 2003 in the %programfiles%\SMS 2003 Toolkits 2\Security Template folder after you install this toolkit on your computer:
    • EnterpriseClient-SMSServer.inf
    • HighSecurity-SMSServer.inf
    • LegacyClient-SMSServer.inf
    Note Remove the Systems Management Server 2003 Toolkit 1 before you install Systems Management Server 2003 Toolkit 2.

    For more information about the security templates for SMS 2003 in the Systems Management Server 2003 Toolkit 2, visit the following Microsoft Web site:

    http://www.microsoft.com/technet/prodtechnol/sms/sms2003/security/spsecsms03/spsec_11.mspx

  2. Apply the security template. To do this, follow these steps:
    1. Click Start, click Run, type MMC, and then click OK.
    2. On the File menu, click Add/Remove Snap-in.
    3. Click Add.
    4. In the Available Stand Alone Snap-ins list, click Security Configuration and Analysis, click Add, click Close, and then click OK.
    5. In the left pane, click Security Configuration and Analysis, and then read the instructions in the right pane.
    6. Right-click Security Configuration and Analysis, and then click Open Database.
    7. In the File name box, type SMSSiteServer, and then click Open.
    8. Click the security template that you created in step 1, and then click Open to import the entries that are contained in the template to the database.
    9. Right-click Security Configuration and Analysis in the left pane, and then click Configure Computer Now.

MORE INFORMATION

When you apply one of the baseline templates that are included with the Windows Server 2003 Security Guide, you must also apply an SMS security template so that SMS operations will not be disabled.

For additional information about SMS security templates, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/sms/sms2003/security/spsecsms03/spsec_11.mspx

For additional information about the SMS 2003 Toolkit 1, visit the following Microsoft Web site:

http://go.microsoft.com/fwlink/?LinkId=28823

For additional information about Windows Server 2003 security, visit the following Microsoft Web site:

http://go.microsoft.com/fwlink/?LinkId=28827

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

816585 How to apply predefined security templates in Windows Server 2003

816297 How to define security templates by using the Security Templates snap-in in Windows Server 2003

816580 How to analyze system security in Windows Server 2003

Modification Type:MinorLast Reviewed:6/14/2006
Keywords:kbtshoot kbSMSSecurity kbwinservperf kbMgmtServices kbprb KB886070 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.