hisecweb.inf

Mary S

Hi

Hope this is the right ng.

I'm trying to implement the above policy. But where do I change
the settings for event logs? Is this done in the registry?

thanks in advance

mary s
 
Steven L Umbach

The easiest way is to import the security template into the Local Security
Policy, or possibly at the Organizational Unit level that contains the servers
you want to apply it to via a Group Policy, assuming you want to implement
the security template as it is. If it includes settings for services,
Restricted Groups, file system, or registry you cannot simply import it
into the Local Security Policy, but you could use secedit or the Security
Configuration and Analysis tool to apply it. I suggest that you first use
the Security Configuration and Analysis tool, which is an MMC snap-in, to
analyze the computer with that template to see exactly what changes it will
implement before you do apply the template, and that you make a full image
type backup of your server first so that you have a rollback plan, as these
high security templates often have unintended consequences, particularly if
the server is also running other applications or services that would not
normally be found on a dedicated web server. See the link below on using
the Security Configuration and Analysis tool. There is a lot of information
for secedit in the Windows built-in help or using secedit /?. --- Steve

http://www.lokbox.net/SecureXP/secAnalysis.asp
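The "analyze before you apply" step Steve describes, as an added example that is not part of the original thread: a Python script that reads a security template and a baseline exported from the target (the same INF format secedit reads and writes) and lists each setting the template would change, decoding registry value types and service start types and flagging services that SMB clients and name resolution depend on. It also shows where a template keeps the event log settings Mary asked about: the [Security Log], [System Log] and [Application Log] sections, which secedit writes to the registry when the template is applied. Both inputs are constructed fragments with illustrative values, not a copy of hisecweb.inf, and the NETWORK_SENSITIVE watch list is an assumption about what matters on a file server.

```python
"""Preview what a security template (.inf) would change before applying it.

Added example, not from the original thread. Inputs are constructed
fragments in the INF format secedit reads and writes; values are
illustrative, not copied from hisecweb.inf. A real baseline comes from
"secedit /export /cfg baseline.inf" on the target.
"""
from typing import Dict, List, Optional

REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
START_TYPES = {"2": "Automatic", "3": "Manual", "4": "Disabled"}
# Services SMB clients and name resolution depend on (assumed watch list;
# the service names are the real Windows ones).
NETWORK_SENSITIVE = {"lmhosts": "TCP/IP NetBIOS Helper", "Dnscache": "DNS Client",
                     "LanmanServer": "Server (file and print sharing)"}

TEMPLATE = r"""
; constructed template fragment ([Unicode]/[Version] headers omitted)
[System Access]
MinimumPasswordLength = 8
[Security Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Service General Setting]
lmhosts,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
Messenger,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
"""
BASELINE = r"""
; constructed export of the target's current state
[System Access]
MinimumPasswordLength = 0
[Security Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 1
RestrictGuestAccess = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
[Service General Setting]
lmhosts,2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
Messenger,2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
"""


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """INF text -> {section: {key: value}}. [Service General Setting] lines are
    'Name,StartType,SDDL'; all other sections are 'key = value'."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current == "Service General Setting":
            name, rest = line.split(",", 1)
            sections[current][name.strip()] = rest.strip()
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def plan_changes(template, baseline) -> List[tuple]:
    """(section, key, current, new) for each template setting that differs from
    the baseline; current is None when the target does not define it."""
    return [(sec, key, baseline.get(sec, {}).get(key), new)
            for sec, items in template.items() if sec not in ("Unicode", "Version")
            for key, new in items.items() if baseline.get(sec, {}).get(key) != new]


def describe(section: str, value: Optional[str]) -> str:
    """Decode registry value types and service start types for display."""
    if value is None:
        return "not set"
    if section == "Registry Values":
        rtype, _, data = value.partition(",")
        return f"{REG_TYPES.get(rtype, 'type ' + rtype)} {data}"
    if section == "Service General Setting":
        start = value.split(",", 1)[0]
        return START_TYPES.get(start, "start type " + start)
    return value


def network_warnings(changes: List[tuple]) -> List[str]:
    """Changes that set a network-sensitive service to Disabled."""
    return [f"{key} ({NETWORK_SENSITIVE[key]}) would be Disabled"
            for sec, key, _, new in changes
            if sec == "Service General Setting" and key in NETWORK_SENSITIVE
            and new.split(",", 1)[0] == "4"]


def report(template_text: str, baseline_text: str) -> List[str]:
    """One line per change, then one WARNING line per network-sensitive service."""
    changes = plan_changes(parse_template(template_text), parse_template(baseline_text))
    lines = [f"[{s}] {k}: {describe(s, old)} -> {describe(s, new)}" for s, k, old, new in changes]
    return lines + ["WARNING: " + w for w in network_warnings(changes)]


if __name__ == "__main__":
    print("\n".join(report(TEMPLATE, BASELINE)))
```

On a real server the baseline is whatever `secedit /export /cfg baseline.inf` produces, and the report is the same kind of comparison Security Configuration and Analysis shows, in a form that can be kept with the change notes before the image backup is taken and `secedit /configure` is run.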
 
Mary S

Hi Steve

Thank you for your handsome explanation. What I'm trying to do is to
strengthen a w2k server against intruders both locally and remotely.
I'm using the hisecweb.inf file as a guideline at this point.

I have not executed the "configure the comp..

I'm going through every separate suggestion. I can't say I understand
everything. But I'm learning slowly but consistently. The objective
being to produce our own security setting inf file according to the NSA
guides.

Even though I have been careful adjusting the settings, I still managed
to make a shared folder on the server disappear and I don't know where
it went wrong. I keep getting "The network path
\\192.168.0.10\share\ could not be found" from the clients.

Any suggestions highly appreciated

(F.y.i. Since the last time I connected to the shared folder I have
installed the latest 6-7 security patches; otherwise I can't think of
any other things)


Thanks again
 
Steven L Umbach

What exactly do you mean that the share disappeared? Is this the only share
on the server and if not can the other shares be accessed? When you go to
the server does it still show that the share exists? Verify that file and
print sharing is enabled and that the Server service is running on the
server. Run the command net config server to see if it reports that the
computer is configured to share resources, and the command net share to see
if the share and IPC$ are shown. Try to ping the server from the clients by
name and IP address. See if you can access administrative shares, such as C$,
from a client computer that is showing the problem. Run the support tool
netdiag on that server to see if it reports any particular problems. It is
possible that incompatible security options for digitally sign
communications, LAN Manager authentication level, or other security options
could be causing a problem if they were changed on the server. -- Steve
 
Mary S

Hi again

Ok! I'm in big trouble now! Somewhere during the journey of securing
the server I must have done something wrong. And I'm almost sure that
it has to do with the hisecweb.inf policy or the 6 or 7 latest hotfixes,
which I installed via Windows Update all at the same time.

I have made some screendumps here http://web.telia.com/~u42115338/ and
maybe they could give you some new ideas.

Your reply highly appreciated
Thanks
 
Steven L Umbach

It looks like your server is configured properly as far as the Server
service running and the share existing, and ping shows that you have basic
network connectivity. You said that you have not actually applied the
security template yet?? Make sure you are using the correct IP address to
connect to the share. I see that you have two IP addresses listed in your
screendumps? If name resolution is correct you should be able to use the
computer name as in \\p4\exchange. Were you as an administrator able to
access an administrative share such as C$ on that computer from a problem
client?? Also, if possible, show me a screendump that shows the security
options for the server and the client that you are trying to access the
server from. At least the security options from the server would be helpful.
There are two security options - digitally sign communications and LAN
Manager authentication level - that need to be compatible.

What you could try is on the server make sure that the security option for
Microsoft network server: digitally sign communications (always) is set to
disabled and LAN Manager authentication level is set to send NTLMv2 responses
only. Make sure those settings show as "effective" settings in Local
Security Policy after running "secedit /refreshpolicy machine_policy
/enforce" on it. From a client computer make sure that port 139 TCP or 445
TCP is open on the server to the client. A quick way to do this is to use
telnet as in "telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is the IP
address of the server you are trying to access. If the port is open you will
get a blank command screen with a blinking cursor. If the port is closed you
will get an access denied message. If you think the problem could be a
security update, you can uninstall most of them in Add/Remove
Programs. --- Steve
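Steve's point that the two security options must be compatible on both sides, as an added example that is not from the thread: a Python model of the documented meaning of each LAN Manager authentication level (what a client sends, what a server accepts) and of the "digitally sign communications" enabled/always pair, which reports whether a given client/server combination can authenticate at all. The client and server settings in the demo are constructed.

```python
"""Can a client and a server with these Local Security Policy settings talk SMB?

Added example, not from the thread. Encodes the documented meaning of the two
options that must be compatible: "LAN Manager authentication level"
(LmCompatibilityLevel 0-5) as what a client sends and what a server accepts,
and "Digitally sign communications" (enabled / always) as a handshake rule.
The client/server values in the demo are constructed.
"""
from typing import Set, Tuple

LM, NTLM, NTLMV2 = "LM", "NTLM", "NTLMv2"
LEVEL_NAMES = {0: "Send LM & NTLM responses",
               1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
               2: "Send NTLM response only",
               3: "Send NTLMv2 response only",
               4: "Send NTLMv2 response only/refuse LM",
               5: "Send NTLMv2 response only/refuse LM & NTLM"}


def client_sends(level: int) -> Set[str]:
    """Response types a client at this level puts in its authenticate message."""
    if level <= 1:
        return {LM, NTLM}
    if level == 2:
        return {NTLM}
    return {NTLMV2}            # 3, 4 and 5 all send NTLMv2 only


def server_accepts(level: int) -> Set[str]:
    """Response types a server (or domain controller) at this level will validate."""
    if level <= 3:
        return {LM, NTLM, NTLMV2}
    if level == 4:
        return {NTLM, NTLMV2}  # refuse LM
    return {NTLMV2}            # 5: refuse LM and NTLM


def signing_ok(client_enable: bool, client_require: bool,
               server_enable: bool, server_require: bool) -> bool:
    """'always' (require) on one side needs at least 'if the other side agrees'
    (enable) on the other. Requiring signing implies being able to sign."""
    client_enable = client_enable or client_require
    server_enable = server_enable or server_require
    return not ((client_require and not server_enable) or (server_require and not client_enable))


def check_pair(client_level: int, server_level: int,
               client_sign=(True, False), server_sign=(True, False)) -> Tuple[bool, str]:
    """(works, reason). *_sign is (enable, require) for that side's SMB signing."""
    common = client_sends(client_level) & server_accepts(server_level)
    if not common:
        return False, (f"authentication fails: client level {client_level} sends "
                       f"{sorted(client_sends(client_level))}, server level {server_level} "
                       f"accepts {sorted(server_accepts(server_level))}")
    if not signing_ok(*client_sign, *server_sign):
        return False, "SMB signing fails: one side requires signing, the other cannot sign"
    return True, f"ok: authenticates with {sorted(common)}"


if __name__ == "__main__":
    # Constructed demo: the server settings suggested in the thread (level 3 =
    # NTLMv2 only, signing not required) against a few client configurations.
    for client_level in (0, 2, 3, 5):
        print(client_level, LEVEL_NAMES[client_level], "->", check_pair(client_level, 3))
    print("client level 0 vs server level 5 ->", check_pair(0, 5))
    print("client signing disabled vs server 'always' ->",
          check_pair(3, 3, client_sign=(False, False), server_sign=(True, True)))
```

The server settings suggested above (level 3, signing not required) accept every client; the combinations that fail are a level-5 server against a level 0-2 client, or one side set to sign "always" against a side with signing disabled. The sets encode the policy semantics, not a packet trace, and a mismatch here is one cause of a client prompting for credentials repeatedly, not the only one.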
 
Mary S

Hi Steve

I have NOT applied the full security template yet. Only some of the
attributes.

I'm sure that I'm using the right IP number - see screendump (if the
IP number fails, I don't think it will work with the computer name
"P4" either, or?)

No! I can't connect to any of the admin shares with my administrator
account name and p/w.

Unfortunately your suggestion about the security option for Microsoft
network server: digitally sign communications (always) set to
disabled and LAN Manager authentication level set to send NTLMv2
responses only didn't work. See screendump settings.

I made some new screendumps. If you like, please see the 4 dumps of
the event viewer on the server. This is me (Mr X) trying to log on from
another client (XP) to a shared folder (exchange) on the server. Look
at the time stamp. I'm successfully logged in and thrown out within 60
sec?

Also see the screendumps from an XP client trying to log on. Please
note that the sequence is a little different from a W2K log in. XP
clients repeatedly ask for credentials and never log on and give no
clue whatsoever about the problem!

I can't telnet to 445 on the server, neither from the LAN nor on the
server itself with telnet localhost 445. (Port 139 using NetBIOS has been
closed for years.) So how do I proceed? Could this be the problem?

As I said - we were able to log on to the server before I started
messing around with the policy.

Some other things I have been thinking about/done - some personal
notes:
Can't map any drives from the server to other shares on the LAN.
When restarting the server it takes about 5 min before the server is
online. Why this delay? Static IP used! Ping out from the server okay.
NetBIOS over TCP/IP disabled. No soft firewall active on the server.
Firewall disabled on the XP client. Checked hosts files.

Thanks for your time
 
Steven L Umbach

Hi Mary.

Hmm. Since you have port 139 TCP disabled, the only way that users can
access a share over the regular network would be port 445 TCP, and since that
cannot be accessed, that explains part of the problem. The fact that it takes
five minutes to boot up and you cannot access any shares indicates possibly
related problems. Try booting into safe mode with networking to see what
happens, as that will bypass most startup applications and the IPsec policy if
one is enabled. I did not really see anything in your security options that
looks like a problem, except the one security option for additional
restrictions for anonymous access should be set to "none - rely on default
permissions" [though I doubt it is the culprit] until the problem is
resolved, and verify that it and the LAN Manager authentication level show
send NTLMv2 responses only in the "effective" settings in Local Security
Policy. Also verify that the time on the problem server is correct compared
to the domain controller and check day/time/month/year/time zone/AM&PM. The
hisecweb.inf template will also disable some system services. Make sure that
the DNS Client service and TCP/IP NetBIOS Helper service are started on
your server. Use nslookup on it to see if it can connect with its DNS
server and if it can use it to resolve host names. Nslookup will give an
error message that it cannot find the name of your DNS server if you do not
have a reverse DNS zone configured, but it still can display the IP address of
the DNS server.

It sounds like your server for some reason is having difficulty with network
communications on needed ports. Verify that TCP/IP filtering is not enabled
on the network adapter. Look in TCP/IP properties/advanced/options/TCP/IP
filtering - properties to make sure it is not enabled. Then check to see if
there is an IPsec policy assigned. The netdiag support tool will do that, and
it is a good idea to run netdiag anyhow looking for pertinent
errors/warnings/failed tests. The last test is the IP security test, and if
it shows that a policy is assigned then an incorrectly configured IPsec
policy could cause problems such as you are experiencing. IPsec policies can
be assigned or disabled in Local Security Policy. Beyond that I would
wonder if a security patch has caused a conflict on your server. If you
remove them in Add/Remove Programs they will often reverse problems they
have caused. If you are familiar with how to use netmon to observe packet
traffic on a server, you could use it to see what traffic is going to and
from your server, such as whether the server is receiving traffic from a client on
port 445 and whether the server is responding or not. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag
and how to install support tools.
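The port checks in this post and in Steve's earlier telnet suggestion, as an added example that is not from the thread: a Python stand-in for "telnet <server> 139" / "telnet <server> 445" that separates a port that is open, one the host actively refuses (reachable, but nothing listening) and one that never answers (dropped by a host firewall, TCP/IP filtering or an IPsec policy), and maps the two results onto the checks listed above. The self-test listener and the result set in the demo are constructed; the "refused with NetBIOS over TCP/IP off" branch matches the cause Mary later found, a disabled NetBT driver.

```python
"""Probe a server's SMB ports and say what each result points at.

Added example, not from the thread: a socket-level stand-in for the
"telnet <server> 139" / "telnet <server> 445" check that separates three
outcomes telnet blurs together. The host/port values in the demo are
assumptions; the self-test listener is constructed so the probe can be
exercised offline.
"""
import socket
import threading
from typing import Dict

SMB_PORTS = {139: "SMB over NetBIOS session service", 445: "SMB direct hosting"}


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """'open', 'refused', 'timeout' or 'unreachable' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"        # host sent RST: reachable, nothing listening there
    except socket.timeout:
        return "timeout"        # no answer at all: dropped by a filter, or wrong address
    except OSError:
        return "unreachable"    # no route / host down
    finally:
        s.close()


def diagnose(results: Dict[int, str], netbt_enabled: bool) -> str:
    """Map the 139/445 probe results onto the checks discussed in the thread."""
    r139, r445 = results.get(139, "unreachable"), results.get(445, "unreachable")
    if "open" in (r139, r445):
        open_ports = sorted(p for p, r in results.items() if r == "open")
        return (f"SMB reachable on {open_ports}; if access still fails, compare the "
                "'digitally sign communications' and 'LAN Manager authentication level' "
                "options on client and server")
    if r445 == "refused":
        if not netbt_enabled:
            return ("445 refused with NetBIOS over TCP/IP off, so no SMB transport is listening: "
                    "check that the Server service runs and that the NetBT driver itself was not disabled")
        return "445 refused: the Server service is not listening; check it is started and file sharing is bound"
    if r445 == "timeout":
        return ("no reply on 445: packets are being dropped - check a host firewall, TCP/IP filtering "
                "on the adapter, an assigned IPsec policy, and the IP address (with 139 closed, 445 is the only SMB transport left)")
    return "server not reachable at all: check routing and basic connectivity (ping by IP and name)"


def local_listener() -> int:
    """Constructed self-test: a throwaway TCP listener on 127.0.0.1; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_one() -> None:
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=accept_one, daemon=True).start()
    return port


def closed_port() -> int:
    """Constructed self-test: a port nothing is listening on (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demo against the local listener and a closed port, then the
    # interpretation for a server with NetBIOS over TCP/IP disabled.
    print("listener :", probe_tcp("127.0.0.1", local_listener()))
    print("closed   :", probe_tcp("127.0.0.1", closed_port()))
    results = {139: "refused", 445: "refused"}   # constructed to match the thread's symptom
    print(diagnose(results, netbt_enabled=False))
    # Real use, server IP assumed:
    # diagnose({p: probe_tcp("192.168.0.10", p) for p in SMB_PORTS}, netbt_enabled=False)
```

"Refused" and "timeout" are the two results worth telling apart: a refusal means the packet reached the server and the TCP stack answered, so the problem is that nothing is bound to the port (service stopped, transport driver disabled), while a timeout means something between client and socket is dropping the packet, which is where TCP/IP filtering, an IPsec policy and a host firewall all show up.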
 
Mary S

Hi Steve

Just to thank you for your time spent on my problem. I'm going
to sit back for the weekend and read through my notes. Maybe I can find
something I have done earlier on?

I could also "open" port 139 on the LAN - we don't have the same
security aspect as on the internet.

One thing is sure - our server has never been that secure before. No
one can access anything any longer ;-)

Kind regards
Mary S


 
Steven L Umbach

OK. I hope you make some progress. Yes, it is easier than many think to lock
your own users out. --- Steve


On Tue, 8 Mar 2005 16:29:42 -0600, "Steven L Umbach"

On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"

 
Mary S

Hi Steve - problem solved :)

I sat down and read my notes already last night - noted that
sometime last week I did disable NetBIOS over TCP/IP in Device
Manager according to advice given to me in an article about
security. Changed the driver to automatic and was now able to
connect to the server again :)

I should obviously have read my notes earlier, but I was quite sure
that it had to do with the policies - my mistake.

Again Steve thanks a lot - you gave me the clue where to look!

Until next time,
hugs Mary

...and port 139 still closed..



OK. I hope you make some progress. Yes it is easier than many think to lock
your own users from access. --- Steve


Mary S said:
Hi Steve

Just to thank your for your time spent on my problem. I'm going
to sit back for the weekend read trough my notes. Maybe I can find
something I have done earlier on?

Could also "open" for port 139 on the LAN - We don't have same
security aspect as on the internet.

One thing is sure - Our server has never been that secure before. No
one can access anything any longer ;-)

Kind regards
Mary S


Hi Mary.

Hmm. Since you have port 139 TCP disabled then the only way that users can
access a share over the regular network would be port 445 TCP and since
that
can not be accessed explains part of the problem. The fact that it takes
five minutes to boot up and you can not access any shares indicates
possible
related problems. Try booting into safemode with networking to see what
happens as that will bypass most startup applications and ipsec policy if
one is enabled. I did not really see anything in your security options
that
looks like a problem except the one security option for additional
restrictions for anonymous access should be set to "none - rely on default
permissions" [though I doubt it is the culprit] until the problem is
resolved and verify that it and the lan manager authentication level shows
send ntlmv2 Reponses only in the "effective" settings in Local Security
Policy. Also verify that the time on the problem server is correct
compared
to the domain controller and check day/time/month/year/time zone/AM&PM.
The
hisecweb.inf template will also disable some system services. Make sure
that
the dns client service and tcp/ip netbios helper services are started on
your server. Use nslookup on it to see if it can connect with it's dns
server and if it can use it to resolve host names. Nslookup will give an
error message that it can not find the name of your dns server if you do
not
have reverse dns zone configured but it still can display the IP address
of
the dns server.

It sounds like your server for some reason is having difficulty with
network
communications on needed ports. Verify that tcp/ip filtering is not
enabled
on the network adapter. Look in tcp ip/properties/advanced/options/tcp ip
filtering - properties to make sure it is not enabled. Then check to see
if
there is an ipsec policy assigned. The netdiag support tool will do such
and
it is a good idea to run netdiag anyhow looking for pertinent
errors/warnings/failed tests. The last test is the IP security test and if
it shows that a policy is assigned then an incorrectly configured ipsec
policy could cause problems such as you are experiencing. Ipsec policies
can
be assigned or disabled in Local Security Policy. Beyond that I would
wonder if a security patch has caused a conflict on your server. If you
remove them in add and remove programs they will often reverse problems
they
have caused. If you are familiar with how to use netmon to observe packet
traffic on a server, you could use it to see what traffic is going to and
from your server such as if the server is receiving traffic from a client
on
port 445 and if the server is responding or not. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 ---
netdiag
and how to install support tools.


Hi Steve

I have NOT applied the full security template yet. Only some of the
attributes.

I'm sure that I'm using the right ip number - see screendump (If the
ip number fails, I don't
think it will not work with the "computer name/P4" either, or?)

No! I can't connect to any of the admin shares with my administrator
account name and p/w

Unfortunately your suggestion abt. the security option for Microsoft
network server:digitally sign communications(always) is set to
disabled and lan manager authentication level is set to send ntlmv2
reponses only, didn't work. See screendump settings.

I made some new screendumps. If you like, please see the 4 dumps of
the event viewer on the server. This I me (mr X) trying to logon from
another client (XP) to a shared folder (exchange) on the server. Look
at time stamp. I'm successfully logged in and thrown out within 60
sec?

Also see the screendumps from an XP client trying to logon. Please
note that the sequence is a little difference from a w2k log in. XP
clients repeatedly ask for credentials and never log on and gives no
clue what so ever about the problem!

I can't telnet into 445 on the server nor from the LAN nor on the
server telnet localhost 445. (Port 139 using netbios has been closed
for years). So how do I proceed. Could this be the problem?

As I said - We where able to logon to the server before I started
messing around with the policy.

Some other things I have been thinking about/done - some personal
notes;
Can't map any drives from the server to another shares on the LAN.
When restarting the server it takes about 5 min before the server is
online. Why this delay? Static ip used! Ping out from the server okey.
NetBios over TCP/IP disabled. No soft firewall active on the server.
Firewall disabled on the xp client. Checked hosts files..

Thanks for your time





On Tue, 8 Mar 2005 16:29:42 -0600, "Steven L Umbach"

It looks like your server is configured properly as far as the server
service running and the share existing and ping shows that you have
basic
network connectivity. You said that you have not actually applied the
security template yet?? Make sure you are using the correct IP address
to
connect to the share. I see that you have two IP addresses listed in
your
screendumps? If name resolution is correct you should be able to use
the
computer name as in \\p4\exchange. Were you as an administrator able to
access an administrative share such as C$ on that computer from a
problem
client?? Also If possible show me a screendump that shows the security
options for the server and the client that you are trying to access the
server from. At least the security options from the server would be
helpful.
There are two security options - digitally sign communications and lan
manger authentication level that need to be compatible.

What you could try is on the server make sure that the security option
for
Microsoft network server:digitally sign communications(always) is set to
disabled and lan manager authentication level is set to send ntlmv2
reponses
only. Make sure those settings show as "effective" settings in Local
Security Policy after running " secedit /refreshpolicy machine_policy
/enforce on it. From a client computer make sure that port 139 TCP or
445
TCP is open on the server to the client. A quick way to do this is to
use
telent as in " telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is the
IP
address of the server you are trying to access. If the port is open you
will
get a blank command screen with a blinking cursor. If the port is closed
you
will get an access denied message. If you think the problem could be a
security update, you can uninstall most of them in add and remove
rograms. --- Steve


Hi again

Ok! I'm in big trouble now! Somewhere during the journey of securing
the server I must have
done something wrong. And I'm almost sure that it has to do with the
hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
via windows update all at the same time.

I have made some screendumps here http://web.telia.com/~u42115338/ and
maybe it could give you some new ideas.

Yor reply highly appreciated
Thanks





On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"

What exactly do you mean that the share disappeared? Is this the only share on the server and if not can the other shares be accessed? When you go to the server does it still show that the share exists? Verify that file and print sharing is enabled and that the server service is running on the server. Run the command net config server to see if it reports that the computer is configured to share resources and the command net share to see if the share and IPC$ are shown. Try to ping the server from the clients by name and IP address. See if you can access administrative shares from a client computer that is showing the problem such as C$. Run the support tool netdiag on that server to see if it reports any particular problems. It is possible that incompatible security options for digitally sign communications, lan manager authentication level, or other security options could be causing a problem if they were changed on the server. -- Steve
 

Steven L Umbach

Excellent! Congratulations on taking good notes on configuration changes in order to backtrack and implement repairs. Just for future reference keep in mind that many security guides are specific for a particular server role such as a stand alone [non domain member] IIS, and the assumption is then made that no related services are needed, in which case NetBios over TCP/IP is not needed because the IIS server would not be offering shares to users or logon to the domain. --- Steve


Mary S said:
Hi Steve - problem solved :)

I sat down and read my notes already last night - noted that sometime last week I did disable NetBios over TCP/IP in Device Manager according to advice given to me via an article about security. Changed the driver to automatic and was now able to connect to the server again :)

I should obviously have read my note earlier, but I was quite sure that it had to do with the policies - my mistake.

Again Steve thanks a lot - you gave me the clue where to look!

Until next time,
hugs Mary

..and port 139 still closed..



OK. I hope you make some progress. Yes it is easier than many think to lock your own users from access. --- Steve


Mary S said:
Hi Steve

Just to thank you for your time spent on my problem. I'm going to sit back for the weekend and read through my notes. Maybe I can find something I have done earlier on?

Could also "open" for port 139 on the LAN - we don't have the same security aspect as on the internet.

One thing is sure - our server has never been that secure before. No one can access anything any longer ;-)

Kind regards
Mary S


On Wed, 9 Mar 2005 20:56:40 -0600, "Steven L Umbach"

Hi Mary.

Hmm. Since you have port 139 TCP disabled then the only way that users can access a share over the regular network would be port 445 TCP, and since that can not be accessed it explains part of the problem. The fact that it takes five minutes to boot up and you can not access any shares indicates possible related problems. Try booting into safe mode with networking to see what happens, as that will bypass most startup applications and ipsec policy if one is enabled. I did not really see anything in your security options that looks like a problem except the one security option for additional restrictions for anonymous access should be set to "none - rely on default permissions" [though I doubt it is the culprit] until the problem is resolved, and verify that it and the lan manager authentication level shows send ntlmv2 responses only in the "effective" settings in Local Security Policy. Also verify that the time on the problem server is correct compared to the domain controller and check day/time/month/year/time zone/AM&PM. The hisecweb.inf template will also disable some system services. Make sure that the dns client service and tcp/ip netbios helper services are started on your server. Use nslookup on it to see if it can connect with its dns server and if it can use it to resolve host names. Nslookup will give an error message that it can not find the name of your dns server if you do not have a reverse dns zone configured, but it still can display the IP address of the dns server.

It sounds like your server for some reason is having difficulty with network communications on needed ports. Verify that tcp/ip filtering is not enabled on the network adapter. Look in tcp ip/properties/advanced/options/tcp ip filtering - properties to make sure it is not enabled. Then check to see if there is an ipsec policy assigned. The netdiag support tool will do such and it is a good idea to run netdiag anyhow looking for pertinent errors/warnings/failed tests. The last test is the IP security test and if it shows that a policy is assigned then an incorrectly configured ipsec policy could cause problems such as you are experiencing. Ipsec policies can be assigned or disabled in Local Security Policy. Beyond that I would wonder if a security patch has caused a conflict on your server. If you remove them in add and remove programs they will often reverse problems they have caused. If you are familiar with how to use netmon to observe packet traffic on a server, you could use it to see what traffic is going to and from your server, such as if the server is receiving traffic from a client on port 445 and if the server is responding or not. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag and how to install support tools.


Hi Steve

I have NOT applied the full security template yet. Only some of the attributes.

I'm sure that I'm using the right ip number - see screendump (if the ip number fails, I don't think it will work with the "computer name/P4" either, or?)

No! I can't connect to any of the admin shares with my administrator account name and p/w.

Unfortunately your suggestion abt. the security option for Microsoft network server: digitally sign communications (always) is set to disabled and lan manager authentication level is set to send ntlmv2 responses only, didn't work. See screendump settings.

I made some new screendumps. If you like, please see the 4 dumps of the event viewer on the server. This is me (Mr X) trying to logon from another client (XP) to a shared folder (exchange) on the server. Look at the time stamp. I'm successfully logged in and thrown out within 60 sec?

Also see the screendumps from an XP client trying to logon. Please note that the sequence is a little different from a w2k log in. XP clients repeatedly ask for credentials and never log on and give no clue whatsoever about the problem!

I can't telnet into 445 on the server, neither from the LAN nor on the server itself with telnet localhost 445. (Port 139 using netbios has been closed for years). So how do I proceed. Could this be the problem?

As I said - we were able to logon to the server before I started messing around with the policy.

Some other things I have been thinking about/done - some personal notes:
Can't map any drives from the server to other shares on the LAN. When restarting the server it takes about 5 min before the server is online. Why this delay? Static ip used! Ping out from the server okay. NetBios over TCP/IP disabled. No soft firewall active on the server. Firewall disabled on the xp client. Checked hosts files..

Thanks for your time





 

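The server-side checks Steve walks through across this thread (is 139/445 TCP reachable, do the two SMB security options match, what is RestrictAnonymous set to, did hisecweb.inf stop the Server, DNS Client or TCP/IP NetBIOS Helper services, and is NetBIOS over TCP/IP disabled per adapter, which turned out to be Mary's culprit) collected into one script. This is an added example, not code from the newsgroup posts; it assumes a current PowerShell rather than the Windows 2000 tooling of the thread (there it was secedit and telnet), and it reads the registry values behind the Local Security Policy names, so the registry and service checks must run locally on the server while the port probe can be pointed at it from a client with -Server.

```powershell
# Added example (not from the thread). Run elevated on the file server;
# pass -Server <ip or name> to probe a remote host's SMB ports instead.
param([string]$Server = 'localhost')

# 1. Port probe, same idea as Steve's "telnet x.x.x.x 139" test.
foreach ($port in 139, 445) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar   = $tcp.BeginConnect($Server, $port, $null, $null)
        $open = $ar.AsyncWaitHandle.WaitOne(2000) -and $tcp.Connected
    } catch { $open = $false } finally { $tcp.Close() }
    "TCP $port on ${Server}: $(if ($open) { 'open' } else { 'closed/filtered' })"
}

# 2. Registry values behind the two options that must be compatible.
$srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sign = if ($srv.RequireSecuritySignature -eq 1) { 'Enabled' } else { 'Disabled' }
"Microsoft network server: Digitally sign communications (always) = $sign"
$lmNames = @{ 0 = 'Send LM & NTLM'; 1 = 'Send LM & NTLM, use NTLMv2 if negotiated'
              2 = 'Send NTLM only'; 3 = 'Send NTLMv2 only'
              4 = 'Send NTLMv2, refuse LM'; 5 = 'Send NTLMv2, refuse LM & NTLM' }
$lm = $lsa.LmCompatibilityLevel; if ($null -eq $lm) { $lm = 0 }   # unset = 0
"LAN Manager authentication level = $lm ($($lmNames[[int]$lm]))"
# Additional restrictions for anonymous connections: 0 = none, rely on
# default permissions; 1 = no enumeration of SAM accounts and shares;
# 2 = no access without explicit anonymous permissions.
"RestrictAnonymous = $($lsa.RestrictAnonymous)"

# 3. Services hisecweb.inf may have disabled that a file server needs.
foreach ($name in 'LanmanServer', 'Dnscache', 'lmhosts') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    "$($svc.DisplayName): $($svc.State) (startup: $($svc.StartMode))"
}

# 4. NetBIOS over TCP/IP per interface: 0 = use DHCP setting, 1 = enabled,
#    2 = disabled (which closes 139 TCP and breaks NetBIOS name resolution).
$nbNames = @{ 0 = 'default (DHCP)'; 1 = 'enabled'; 2 = 'DISABLED' }
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object {
        $o = (Get-ItemProperty $_.PSPath).NetbiosOptions
        $label = if ($null -eq $o) { 'not set' }
                 elseif ($nbNames.ContainsKey([int]$o)) { $nbNames[[int]$o] }
                 else { 'unknown' }
        "$($_.PSChildName): NetbiosOptions=$o ($label)"
    }
```

The interface keys are named Tcpip_{GUID}; match the GUID against Get-NetAdapter (InterfaceGuid) to see which physical adapter each line refers to.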