Endpoint Protection


Access rights with DCOM and SEP 

May 25, 2011 08:23 AM

 


► What is it?

gpresult is a command-line utility used to verify all policy settings currently applied to a user or system. It is intended for administrators who need to verify security settings when troubleshooting problems related to system access rights. Administrators can run the tool against any computer on the network, as long as the target system is one of the systems they manage.

► How to use

Run gpresult.exe from the command line interface (CLI)

If no additional options or switches are used, the results will be displayed on screen

For best results, create an output file

If no user is specified, the current user’s security setting information will be gathered

Additional options can be found by using the “/?” option

 

► Why is it important?

When troubleshooting Endpoint Protection issues, it is very important to establish the security access levels on the local workstation or server, in particular when troubleshooting installation issues or general functionality. If the customer is unable to perform actions that can be performed under normal circumstances, a result file from gpresult can help troubleshoot the issue and confirm whether it is related to limitations on the user account or system.

 

 

 

► What is it?

dcomcnfg is a built-in Windows utility to secure DCOM objects

 

► What are DCOM objects?

Distributed Component Object Model

A Microsoft technology for communicating among software components in the operating system

A client program object can request services from server program objects on other computers across the network

 

► How to use

As with many other Windows utilities, the configuration window is opened by running dcomcnfg.exe

It can also be added to the Microsoft Management Console as a snap-in (Component Services)

 

► Why is it important?

The Symantec tool TestSec gathers information using DCOM object properties

***************************************************************************************************************

*****************************************************************************************************************

 

A few DCOM-related errors
 
Error 1: SEPM installation failed while configuring LiveUpdate with error code 2103571981
 
SEPM_INST log shows the following - 
LUCA: InstallLiveUpdate enter.
LUCA: C:\DOCUME~1\imaginet\Local Settings\Temp\1\IHNVEAAI\LiveUpdate\lucheck.exe
LUCA: InstallLiveUpdate : CreateProcessAndWait( LUCHECK.EXE ) returned 2103571981
Cause
DCOM configuration: Default Impersonation Level was set to Impersonate instead of Identify.
Solution
1. Go to the Start Menu and select Run
2. Type dcomcnfg
3. Select Component Services -> Computers -> My Computer
4. Right-click My Computer and select Properties
5. Click the Default Properties tab
6. Change the Default Impersonation Level to Identify
7. Also verify that Default Authentication Level is set to Connect
 
------------------------------------------------------------------------------------------------------------------------------------------
 
Error 2: SEP clients are not updating definitions from SEPM and the General tab of the Troubleshooting Window of the SEP client is blank.
 
A snippet of the SylinkMonitor log:
10/05 14:39:47 [1436] <SendRegistrationRequest:>SMS return=200
10/05 14:39:47 [1436] <ParseHTTPStatusCode:>200=>200 OK
10/05 14:39:47 [1436] <SendRegistrationRequest:>Content Lenght => 350
10/05 14:39:47 [1436] HTTP returns status code=200
 
Cause: Incorrect DCOM setting.
 
Solution
1. Log in with an administrator account.
2. Go to Start >> Run.
3. Type dcomcnfg and press Enter.
4. Expand Component Services.
5. Expand Computers.
6. Right-click My Computer and select Properties.
7. Select the Default Properties tab.
8. Go to Default Impersonation Level.
9. Set it to "Identify" and reboot the machine for the change to take effect.
-----------------------------------------------------------------------------------------------------------------------------------------
 
Error 3: The Symantec Endpoint Protection Manager service will not stay started, and DCOM errors referring to application launch permissions of IISAdmin are present in the Windows event logs.
 
Problem
After installing the Symantec Endpoint Protection Manager (SEPM) and running through the management server configuration wizard, the SEPM service will not stay started.
 
Error
Java -1 Error logged in the event log. In addition, DCOM errors related to IISAdmin are present such as:  "Application Specific Permissions do not grant local activation permission for NT Authority/Network Service"
 
Cause
Within DCOM, the IISAdmin launch and access permissions lack an entry for authenticated users. This will deny the Network Service account the ability to launch the process associated with the IIS default application pool.
 
Solution: Add Authenticated Users to the IISAdmin launch and access permissions in DCOM.
 
---------------------------------------------------------------------------------------------------------------------------------------------
 
Error 4: After migration / upgrade from SAV 10.x to Symantec Endpoint Protection, LiveUpdate finishes with Return code = 4. In Log.LiveUpdate you see errors LU 1875, 1845, 1853, 1806.
 
In Log.LiveUpdate you see: 
 
03/12/2008, 16.17.57 GMT -> LiveUpdate couldn't expand replacement path [sesmDecAbi32updateDir].
03/12/2008, 16.17.57 GMT -> Progress Update: PATCH_ERROR: Patch File: "C:\Documents and Settings\All Users\Dati applicazioni\Symantec\LiveUpdate\Downloads\Updt179\1203515784jtun_the_updecabi.zip.full.zip", Script File: "C:\Documents and Settings\All Users\Dati application\Symantec\LiveUpdate\Downloads\Updt179\sesmDecAbi32.dis", HR: 0x802A0006
03/12/2008, 16.17.57 GMT -> HR 0x802A0006 DECODE: E_DIS_SCRIPT_SYNTAX_ERROR
03/12/2008, 16.17.57 GMT -> Progress Update: PATCH_FINISH: Patch File: "C:\Documents and Settings\All Users\Dati applicazioni\Symantec\LiveUpdate\Downloads\Updt179\1203515784jtun_the_updecabi.zip.full.zip", Script File: "C:\Documents and Settings\All Users\Dati application\Symantec\LiveUpdate\Downloads\Updt179\sesmDecAbi32.dis", HR: 0x802A0006
03/12/2008, 16.17.57 GMT -> HR 0x802A0006 DECODE: E_DIS_SCRIPT_SYNTAX_ERROR
 
03/12/2008, 15.44.15 GMT -> EVENT - PRODUCT UPDATE FAILED EVENT - Update available for Catalogue of the contents of Symantec Endpoint Protection Manager 11.0 - 11.0 - SymAllLanguages. Update for takes product from update 0 to . Server name - , Update file - , Signer - , package install code 0. The Update executed with a result code of 1845, => Update interrupted during the processing of pre-session LiveUpdate. It is very likely that this error is caused by an expired subscription.
03/12/2008, 15.44.15 GMT -> Product = SESM AntiVirus Client Win32, Version = 11.0.0, and Language = English was aborted from
 
Cause: Incorrect DCOM setting. The DCOM settings are not correct for use with Symantec Endpoint Protection updates.
 
Solution :
The last place to check rights on a computer is in its DCOM settings. 
 
To verify Distributed COM properties
1) On the Windows taskbar, click Start > Run.
2) Type the following, and then click OK:
 
dcomcnfg
 
3) Do one of the following, depending on your operating system:
     • In Windows XP/2003, click Component Services > Computers > My Computer. Then right-click My Computer and click Properties.
     • In all other versions of Windows, go on to the next step.
 
4) On the Default Security or Default COM Security tab, under Default Access Permissions, click Edit Default.
 
5) Verify that Administrators, Interactive, and System accounts are set to Allow Access, and then click OK.
 
6) Under Default Launch Permissions, click Edit Default.
 
7) Verify that the Administrators, Interactive, and System accounts are set to Allow Launch, and click OK.
 
8) Do one of the following, depending on your operating system:
     • In Windows XP/2003, skip the two following steps.
     • In all other versions of Windows, go on to the next step.
 
9) In the Default Configuration Permissions section, click Edit Default.
 
10) In the Registry Key Permissions window, verify that the following are set to Full Control, and then click OK:
 
 CREATOR OWNER
...\Administrators
SYSTEM
11) On the Default Properties tab, verify that Default Impersonation Level is set to Identify.
12) Click Apply, and then click OK.
13) Restart the computer for the changes to take effect.
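 
The same settings that the dcomcnfg steps for Errors 1, 2 and 4 inspect can be read from the registry, which makes it easy to compare a failing machine with a working one. The following read-only PowerShell script is an added example, not part of the original article or a Symantec tool; it assumes the standard value names under HKLM\SOFTWARE\Microsoft\Ole and that an absent level value means the COM default (Identify / Connect) applies.

```powershell
# Added example: read-only report of the machine-wide DCOM defaults shown in dcomcnfg.
# Value names are the standard ones under HKLM\SOFTWARE\Microsoft\Ole.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'

$impNames   = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }
$authnNames = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'
                 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }

# Assumption: when the value is absent, COM uses level 2 (Identify / Connect).
function Get-DcomLevel($name) {
    $p = $ole.PSObject.Properties[$name]
    if ($p) { [int]$p.Value } else { 2 }
}

$imp   = Get-DcomLevel 'LegacyImpersonationLevel'
$authn = Get-DcomLevel 'LegacyAuthenticationLevel'
"Default Impersonation Level : {0} (article expects Identify)" -f $impNames[$imp]
"Default Authentication Level: {0} (article expects Connect)"  -f $authnNames[$authn]

# Well-known SIDs of the three accounts the procedure says must be allowed
$required = [ordered]@{
    'Administrators' = 'S-1-5-32-544'
    'Interactive'    = 'S-1-5-4'
    'System'         = 'S-1-5-18'
}

foreach ($valueName in 'DefaultAccessPermission', 'DefaultLaunchPermission') {
    $p = $ole.PSObject.Properties[$valueName]
    if (-not $p) {
        "${valueName}: not set, built-in COM defaults apply"
        continue
    }
    # The value is a binary self-relative security descriptor
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor `
              -ArgumentList ([byte[]]$p.Value), 0
    # Only the presence of an allow ACE is checked, not the individual rights
    $allowed = $sd.DiscretionaryAcl |
        Where-Object { $_.AceType -eq 'AccessAllowed' } |
        ForEach-Object { $_.SecurityIdentifier.Value }
    foreach ($acct in $required.Keys) {
        $state = if ($allowed -contains $required[$acct]) { 'Allow' } else { 'MISSING' }
        "{0}: {1,-14} {2}" -f $valueName, $acct, $state
    }
}
```

A MISSING line or a level other than Identify / Connect points to the dcomcnfg tab to correct; the script itself changes nothing.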
 
*********************************************************************************************************************
 
Technical Information
 
Users and permissions can be checked with TestSec.
 
If any user or permission is wrong, it is reported in Testsec.log:


Comments

Sep 13, 2011 12:24 AM

Good Information chetan.

Jun 06, 2011 11:51 AM

Hi,

You will have to call support to get it or you can open a web case also.

Once you open a case support engineer will email you the link with login credentials.

Create and Manage Support Cases in SymWISE

http://www.symantec.com/business/support/index?page=content&id=HOWTO31132

Jun 03, 2011 11:00 AM

How to get test sec?
