Microsoft KB Archive/931355

= Event ID 10016 may be logged in the System log on a computer that is running Windows Server 2003 with Service Pack 1 =

Article ID: 931355

Article Last Modified on 4/24/2007


APPLIES TO

Microsoft Windows Server 2003 Service Pack 1, when used with:
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)



SYMPTOMS
On a computer that is running Microsoft Windows Server 2003 with Service Pack 1 (SP1), an event that resembles the following may be logged in the System log:

Event Type: Error

Event Source: DCOM

Event Category: None

Event ID: 10016

Date:

Time:

User: Network services

Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID { } to the user. This security permission can be modified using the Component Services administrative tool.


CAUSE
This issue may occur if the netman component in DCOM does not have the following permissions:
 * Remote Launch
 * Local Activation
 * Remote Activation


RESOLUTION
To resolve this issue, grant the permissions that are mentioned in the "Cause" section to the netman component in DCOM. To do this, follow these steps:
 * 1) Click Start, click Run, type dcomcnfg, and then click OK.
 * 2) In Component Services, double-click Component Services, and then double-click Computers.
 * 3) Expand My Computer, expand DCOM Config, and then click netman in the DCOM Config node.
 * 4) Right-click netman, and then click Properties.
 * 5) In the netman Properties dialog box, click the Security tab.
 * 6) Under Launch and Activation Permissions, click Edit.
 * 7) In the Launch Permission dialog box, click Add.
 * 8) In the Enter the object names to select box, type Network Service, and then click OK.
 * 9) While Network Service is selected, click to select the Allow check boxes for the following items:
 ** Remote Launch
 ** Local Activation
 ** Remote Activation
 * 10) Click OK two times.
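
The launch and activation ACL edited in the steps above is stored as a binary security descriptor in the `LaunchPermission` registry value under the application's AppID key. The following is an added example, not part of the original article: it decodes such a value once it has been exported and reports which of the rights from the "Cause" section Network Service still lacks. The sample bytes are constructed, and the decoder reads only access-allowed ACEs that name the account directly; deny ACEs, group membership and legacy ACEs that carry only the 0x01 bit are not interpreted.

```python
import struct

# COM_RIGHTS_* access-mask bits (Windows SDK) behind the Allow check boxes.
COM_RIGHTS = {"Local Launch": 0x02, "Remote Launch": 0x04,
              "Local Activation": 0x08, "Remote Activation": 0x10}
# Rights the article's "Cause" section says netman needs.
REQUIRED = ("Remote Launch", "Local Activation", "Remote Activation")
NETWORK_SERVICE = "S-1-5-20"  # well-known SID of Network Service

# Constructed sample, not taken from a real server: a self-relative security
# descriptor whose DACL allows Administrators (S-1-5-32-544) every right and
# Network Service only Local Launch.
SAMPLE_SD = bytes.fromhex(
    "0100048000000000000000000000000014000000"             # header, DACL at 20
    "0200340002000000"                                     # ACL header, 2 ACEs
    "000018001f000000" "01020000000000052000000020020000"  # allow Administrators
    "0000140003000000" "010100000000000514000000")         # allow Network Service

def sid_to_str(raw):
    """Render a binary SID as S-1-<authority>-<subauthorities>."""
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "-".join(["S", str(raw[0]), str(int.from_bytes(raw[2:8], "big"))]
                    + [str(s) for s in subs])

def allowed_rights(sd, sid=NETWORK_SERVICE):
    """Names of the COM rights that access-allowed ACEs grant directly to sid."""
    control, = struct.unpack_from("<H", sd, 2)
    dacl_off, = struct.unpack_from("<I", sd, 16)
    if not control & 0x0004 or dacl_off == 0:  # SE_DACL_PRESENT missing
        raise ValueError("security descriptor carries no DACL")
    ace_count, = struct.unpack_from("<H", sd, dacl_off + 4)
    pos, mask = dacl_off + 8, 0
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == 0x00:  # ACCESS_ALLOWED_ACE_TYPE: mask, then SID
            ace_mask, = struct.unpack_from("<I", sd, pos + 4)
            if sid_to_str(sd[pos + 8:pos + ace_size]) == sid:
                mask |= ace_mask
        pos += ace_size
    return {name for name, bit in COM_RIGHTS.items() if mask & bit}

def missing_rights(sd, sid=NETWORK_SERVICE):
    """Rights from the Cause section that sid still lacks."""
    granted = allowed_rights(sd, sid)
    return [r for r in REQUIRED if r not in granted]

if __name__ == "__main__":
    print("granted:", sorted(allowed_rights(SAMPLE_SD)))
    print("missing:", missing_rights(SAMPLE_SD))
```
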


DCOM security enhancements in Windows Server 2003 SP1
Microsoft Windows operating systems that are based on the Microsoft Windows NT kernel rely on remote procedure call (RPC) services to run. These operating systems include Microsoft Windows XP and Windows Server 2003. DCOM gives users a convenient way to use RPC services to distribute COM applications across their networks.

Windows Server 2003 SP1 helps enhance security in DCOM and RPC. RPC with DCOM lets you start or call a program on another computer. However, this ability makes RPC more vulnerable to malicious users. To help defend against this vulnerability, Windows Server 2003 SP1 verifies every program call against a computer-wide discretionary access control list (DACL). This process provides a minimum authorization standard for all program calls on a computer. The process does this by maintaining a list of users who have and do not have permission to access a system service.

Although many COM applications include some security-specific code, they may use weak settings. Therefore, the settings may grant unauthenticated access to a process. In earlier versions of Windows Server 2003, an administrator cannot override these settings to strengthen security.

The enhanced DCOM computer restriction settings that are included in Windows Server 2003 SP1 help administrators control incoming calls that use DCOM.

For more information about the DCOM security enhancements that are included in Windows Server 2003 SP1, visit the following Microsoft Web site: http://technet2.microsoft.com/WindowsServer/en/library/4c9a2873-2010-4dbb-b9dd-6a7d1e275f0f1033.mspx?mfr=true

Additional query words: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

Keywords: kbexpertiseadvanced kbtshoot KB931355


© Microsoft Corporation. All rights reserved.