A Recalcitrant Screen Saver
Microsoft acknowledges that all Windows 2000 systems, from the initial release through Service Pack 2 (SP2), contain a bug in the screen saver display code. According to Microsoft article Q311463 [http://support.microsoft.com/default.aspx?scid=kb;en-us;q311463], the screen saver might not run for Users or Power Users who manually lock their systems or who password protect their screen savers. Because nearly all user accounts are members of the Users group, this bug is likely widespread. The article fails to provide any information about the causes of this problem, but it does indicate that a fix—a new version of hidsrv.exe with a file release date of October 30—is available from Microsoft Support Services (MSS).
Remote Shutdown Logs User Off When It Should Shut Down
When you initiate a remote shutdown on a system that's displaying the Unlock Computer (but not the Computer Locked) dialog box, the remote system responds incorrectly to the shutdown request. Instead of shutting down, the system logs off the current user and sets a flag indicating that a shutdown is in progress, but it doesn't stop the system. If you then send another shutdown request to the same system, the system incorrectly responds with the message, "Shutdown already in progress," but again fails to shut down. If you routinely use the remote shutdown feature for maintenance or security purposes, consider installing the code fix that eliminates this problem on all versions of Windows 2000. The extensive update includes new versions of core OS files gdi32.dll, kernel32.dll, user.exe, user32.dll, userenv.dll, win32k.sys, winlogon.exe, and winsrv.dll. Most of the files have release dates of October 30. The update is available only from Microsoft Support Services (MSS). For more information, see Microsoft article Q307635.
Multilingual WAN Trust Generates Unnecessary Network Traffic
Microsoft article Q311736 documents a problem that applies specifically to Windows 2000 networks consisting of multiple domains of non-English Win2K systems connected via a WAN link. To experience this problem, you must also be running a DNS server in each domain. If you're managing a similar infrastructure and you have trusts established between the domains, turn on Network Monitor and watch the traffic over the WAN link. If you see RPC activity on the link every 5 minutes, look at the individual Netmon packets. If the packets contain requests to the Local Security Authority service (LSASRV) pipe with the string "Authenticated Users" in the data portion of the packet, you need to install a DNS patch on the DNS server in each domain. The unnecessary network traffic results from a bug in the way that each domain's DNS server processes the SID for the Authenticated Users group. Because this group name is translated in the localized version of the OS, it doesn't appear in the local built-in database. To correctly resolve the group name, DNS forwards the request to all the trusted domains every 5 minutes. Call Microsoft Support Services (MSS) for a new version of dns.exe to eliminate the unnecessary network traffic. The file has a release date of November 7, 2001.
Hotfix for the LSASS Hotfix
If you recently installed the Lightweight Directory Access Protocol (LDAP) bind query hotfix q310113_w2k_sp3_x86_en.exe, you’re in for a surprise. According to Microsoft article Q312452, the recently released LDAP code fix contains a bug that corrects the bind problem but causes LSASS to generate an access violation. To confirm that you have this problem, look for the text "1107f490 757c6ced 0d6ffd00 00000000 000074e1 SAMSRV!SampWriteLockoutTime+0x152" in the first line of the access violation dump file.
For the hotfix, call Microsoft Support Services (MSS) and ask for the latest version of the LSASS update. The code fix contains 26 files, most of which have release dates of November 13.
IIS 5.0 Security Issue
A potential security problem results from Internet Data Administration (.ida) and Internet Data Query (.idq) file mappings in Microsoft Internet Information Services (IIS) 5.0. IIS installs several DLLs that provide extended functionality. The idq.dll file—a component of the Windows 2000 Indexing Service—provides support for .ida administrative script files and .idq query files. Several known security vulnerabilities stem from administrative script and query files, one of which Security Bulletin MS01-033 documents. One method you can use to implement more stringent security on your Web server is to remove the .ida and .idq script mappings with a High Security Template or with the IIS Security tool. However, every time you use the Control Panel Add/Remove Programs applet to install a service pack or add or remove Windows components, the installers incorrectly restore the default mappings, which makes your system once again vulnerable to the same threats. The new (September 24, 2001) version of setupqry.dll preserves the .ida and .idq settings after you install a service pack or reconfigure Win2K system components. You must call Microsoft Support Services (MSS) for the update. For more information, see Microsoft articles Q308268 and Q300972.
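Because installers can silently put the .ida and .idq mappings back, it is worth re-checking the script maps after every service pack or component change. The following audit script is an added example, not code from the article or from Microsoft: it parses the ScriptMaps list in the format printed by IIS's adsutil.vbs (for example, `cscript adsutil.vbs get W3SVC/1/Root/ScriptMaps`, output captured to a file) and reports any risky extension that is mapped again. The sample output below is constructed, and the exact adsutil.vbs line layout is an assumption.

```python
import re
from typing import Dict, List

# Extensions the article says should be unmapped on a hardened IIS 5.0 host.
RISKY_EXTENSIONS = {".ida", ".idq"}

# Constructed sample of adsutil.vbs output after a service-pack install
# has restored the default mappings (layout assumed, values illustrative).
SAMPLE_RESTORED = r'''
ScriptMaps                      : (LIST) (4 Items)
  ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
  ".ida,C:\WINNT\System32\idq.dll,1,GET,HEAD,POST"
  ".idq,C:\WINNT\System32\idq.dll,1,GET,HEAD,POST"
  ".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST"
'''

# Constructed sample from the same host after the mappings were removed.
SAMPLE_HARDENED = r'''
ScriptMaps                      : (LIST) (2 Items)
  ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
  ".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST"
'''

# Each mapping is one quoted line: extension,dll path,flags,verb,verb,...
ENTRY_RE = re.compile(r'^\s*"([^"]*)"\s*$')


def parse_script_maps(text: str) -> Dict[str, dict]:
    """Map each extension to its handler DLL, flags and allowed verbs."""
    maps: Dict[str, dict] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header or unrelated output line
        fields = m.group(1).split(",")
        if len(fields) < 3:
            continue  # malformed entry: skip it rather than guess
        ext = fields[0].strip().lower()
        maps[ext] = {"dll": fields[1], "flags": fields[2], "verbs": fields[3:]}
    return maps


def restored_risky_mappings(text: str) -> List[str]:
    """Return the risky extensions that are still, or again, mapped."""
    return sorted(ext for ext in parse_script_maps(text) if ext in RISKY_EXTENSIONS)


if __name__ == "__main__":
    found = restored_risky_mappings(SAMPLE_RESTORED)
    print("restored mappings:", found or "none")
```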