Forum FAQ: You cannot save documents to a folder or change the permission settings of folders on a SMB 1.0-based remote server from a Windows-based computer that has security update 980232 (MS10-020) installed.
Symptom
After you apply security update 980232 (MS10-020), you may encounter one of the following issues when you use a remote server that is based on the Server Message Block
(SMB) version 1 protocol. For example, you use a Windows NT Server 4.0 or other third-party servers, or a network storage device as the remote server.
Issue 1
You receive a “Document not saved” error message when you try to use a Microsoft Office application to save a document to the remote server.
Issue 2
You cannot use the built-in backup utility to save backup files to the remote server. For example, you cannot save backup files to the remote server when you use NTBackup
in Windows XP or in Windows Server 2003.
Issue 3
The
Security tab is missing when you examine the property of a folder on the remote server. Therefore, you cannot view or change the permission settings of folders on the remote server.
These issues may also occur if you do not use a SMB 1.0-based device, but use a Wide Area Network (WAN) optimizer instead. For example, you use Cisco wide area application services (WAAS) software.
Note The Server Message Block is more frequently known as the Common Internet File System (CIFS).
Cause
This issue occurs because security update 980232 (MS10-020) introduces a new validation for the security descriptors that are returned from the remote server. The
validation calls the RtlValidRelativeSecurityDescriptor routine together with the security descriptor buffer and the length of the security descriptor buffer. For the length of the security descriptor buffer, the validation uses a field in
the server response and assumes the field is set to the length of the security descriptor buffer correctly when the remote server responds with "STATUS_SUCCESS." However, the remote server returns 0 for the field. This behavior causes the validation to fail.
Resolution
Download and install the hot fix described in the following Microsoft Knowledge Base article:
983458
You cannot save documents to a folder or change the permission settings of folders on a SMB 1.0-based remote server from a Windows-based computer that has security update 980232 (MS10-020) installed
http://support.microsoft.com/default.aspx?scid=kb;EN-US;983458
After you apply the hotfix, the
DataCount field of the server response is used as the length of the security descriptor buffer when the validation runs. This makes sure that the new validation succeeds when the SMB 1.0-based remote server returns "STATUS_SUCCESS."
Applies to
Windows 2000
Windows Server 2003
Windows Server 2003 R2
Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
October 13th, 2010 9:52pm