Service starting problem after installing SP2

Windows Server 2003 SP2 is a combination of security updates, functionality updates, and new features. SP2 contains the latest collection of updates to help improve the security, reliability, and performance of the following operating systems. As well as Windows Server 2003 SP1, it makes some significant changes to security including start up account for services, DCOM security and etc. Since Windows Server SP2 has stronger defaults and privilege reduction on services, it may result in some issues after installing Windows 2003 SP2.

Here we introduce a typical security related issue after installing SP2:

Windows 2003 SP2 uses Network Service account for the RPC service. Prior to SP2 and SP1, OS was using Local System account for the same. After installing SP2 for Windows Server 2003 services will not start that use the Network Service or Local Service account.

 

Have you ever encountered the following problem?

  • RPC service or other services set to automatic dependent on RPC will not start properly. For example, when trying to start the service, get error of "Error 1068: The dependency service or group failed to start"
  • Network connection fails to open or Network adapter icons do not appear in Network Connections.
  • Incoming and outgoing network communication fails
  • COM+, Volume Shadow Copy and Shell Hardware Detection services are in the “starting” state
  • Receive “Access is denies” when selecting the dependencies tab of a service that does not start

Why?

Remote Procedure Call (RPC) service has been changed from Local System account to Network Service account for better security. “Impersonate a client after authentication” right is required to include Administrators and the SERVICE group if the RPC Service runs as the Network Service account.

What can we do if meeting with the issue?

a. Open the Group Policy configuration window (gpedit.msc or open it in Active Directory Users and Computers).

b. Locate the policy entry: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentImpersonate a client after authentication.

c. Ensure that the “Administrators” group and the “SERVICE” group is granted this privilege.

d. If the problem remains, correct the Access Control List for HKEY_CLASSES_ROOTCLSID (and all child keys and values) to ensure NT AuthorityNetwork Service can read. This can be accomplished by adding Authenticated Users or Users group and providing Read permissions.

Note: If the Add User or Group button is disabled and if the computer is a domain controller, use the Domain Controller Security Policy administrative tool to make the policy changes. This policy tool will override the local security policy settings. If this computer is a member server and the Add User or Group button is disabled, identify all Group Policy settings that apply to this computer, and then make the policy changes to the appropriate Group Policy settings.

e. In the Enter the object names to select box, type Administrators , and then click OK.

f. Repeat step d through e for the SERVICE group account.

g. Click OK to close the Impersonate a client after authentication Properties dialog box.

h. On the File menu, click Exit.

i. Restart the computer.

If you can add the Administrators group and SERVICE group accounts to the Impersonate a client after authentication policy setting, restart the computer.