Sign in with
Sign up | Sign in
Your question

hisecweb.inf

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
March 6, 2005 11:47:32 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi

hope this is the right ng

I'm trying to implement the abv policy. But where to I change
the settings for event logs. Is this done in the registry?

thanks in advance

mary s

More about : hisecweb inf

Anonymous
a b 8 Security
March 6, 2005 3:09:05 PM

Archived from groups: microsoft.public.win2000.security (More info?)

The easiest way is to import the security template into the Local Security
Policy or possibly at the Organizational Unit level that contains servers
you want to apply it to via a Group Policy assuming you want to implement
the security template as it is. If it includes settings for services,
Restricted Groups, file system, or registry you can not simply import it
into the Local Security Policy but you could use secedit or the Security
Configuration and Analysis tool to apply it. I suggest that you first use
the Security Configuration and Analysis tool which is a mmc snapin to
analyze the computer with that template to see exactly what changes it will
implement before you do apply the template and that you make a full image
type backup of your server first so that you have a rollback plan as these
high security templates often have unintended consequences particularly if
the server is also running other applications or services that would not
normally be found on a dedicated web server. See the link below on using
the Security Configuration and Analysis tool. There is a lot of information
for secedit in the Windows built in help or using secedit /?. --- Steve

http://www.lokbox.net/SecureXP/secAnalysis.asp

"Mary S" <nomail@forme.com> wrote in message
news:4sgl219hjoe5aqvrid3ht82jlm16ik81ud@4ax.com...
> Hi
>
> hope this is the right ng
>
> I'm trying to implement the abv policy. But where to I change
> the settings for event logs. Is this done in the registry?
>
> thanks in advance
>
> mary s
Anonymous
a b 8 Security
March 6, 2005 4:43:44 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Okey! I found the answer - I/You have to tweak the
registry. Here you can read abt it or buy to program
http://www.winguides.com/registry/display.php/351/





On Sun, 06 Mar 2005 08:47:32 GMT, Mary S <nomail@forme.com> wrote:

>Hi
>
>hope this is the right ng
>
>I'm trying to implement the abv policy. But where to I change
>the settings for event logs. Is this done in the registry?
>
>thanks in advance
>
>mary s
Anonymous
a b 8 Security
March 6, 2005 6:13:14 PM

Archived from groups: microsoft.public.win2000.security (More info?)

So I'am back again with next question

Why don't I see this

http://www.microsoft.com/technet/images/prodtechnol/win...

Is it because we have a w2k server stand alone and no domain
controller or domain for that matter?

I need to change the retension method for security log

Tia


On Sun, 06 Mar 2005 13:43:44 GMT, Mary S <nomail@forme.com> wrote:

>Okey! I found the answer - I/You have to tweak the
>registry. Here you can read abt it or buy to program
>http://www.winguides.com/registry/display.php/351/
>
>
>
>
>
>On Sun, 06 Mar 2005 08:47:32 GMT, Mary S <nomail@forme.com> wrote:
>
>>Hi
>>
>>hope this is the right ng
>>
>>I'm trying to implement the abv policy. But where to I change
>>the settings for event logs. Is this done in the registry?
>>
>>thanks in advance
>>
>>mary s
Anonymous
a b 8 Security
March 7, 2005 6:48:18 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Steve

Thank you for your handsome explanation. What I'm trying to do is to
strengthen a w2k server against intruders both locally and remotely.
I'm using the hisecweb.inf file as a guideline at this point.

I have not executed the "configure the comp..

I'm going trough every separate suggestion. I can't say I understand
everything. But I'm learning slowly but consistently. The objective
being to produce our own security setting inf file as according to NSA
guides.

Even if I have been careful adjusting the settings I although managed
to make a shared folder on the server disappear and I don't know where
it went wrong. I'll keep getting "The network path
\\192.168.0.10\share\ could not be found" from the clients.

Any suggestions highly appreciated

(F.y.g. Since last time I have connected to the shared folder I have
installed the latest 6-7 security patches otherwise I can't think of
any other things)


Thanks again


On Sun, 6 Mar 2005 12:09:05 -0600, "Steven L Umbach"
<n9rou@nospam-comcast.net> wrote:

>The easiest way is to import the security template into the Local Security
>Policy or possibly at the Organizational Unit level that contains servers
>you want to apply it to via a Group Policy assuming you want to implement
>the security template as it is. If it includes settings for services,
>Restricted Groups, file system, or registry you can not simply import it
>into the Local Security Policy but you could use secedit or the Security
>Configuration and Analysis tool to apply it. I suggest that you first use
>the Security Configuration and Analysis tool which is a mmc snapin to
>analyze the computer with that template to see exactly what changes it will
>implement before you do apply the template and that you make a full image
>type backup of your server first so that you have a rollback plan as these
>high security templates often have unintended consequences particularly if
>the server is also running other applications or services that would not
>normally be found on a dedicated web server. See the link below on using
>the Security Configuration and Analysis tool. There is a lot of information
>for secedit in the Windows built in help or using secedit /?. --- Steve
>
>http://www.lokbox.net/SecureXP/secAnalysis.asp
Anonymous
a b 8 Security
March 8, 2005 12:20:02 AM

Archived from groups: microsoft.public.win2000.security (More info?)

What exactly do you mean that the share disappeared? Is this the only share
on the server and if not can the other shares be accessed? When you go to
the server does it still show that the share exists? Verify that file and
print sharing is enabled and that the server service is running on the
server. Run the command net config server to see if it reports that the
computer is configured to share resources and the command net share to see
if the share and IPC$ are shown. Try to ping the server from the clients by
name and IP address. See if you can access administrative shares from a
client computer that is showing the problem such as C$. Run the support tool
netdiag and that server to see if it reports any particular problems. It is
possible that incompatible security options for digitally sign
commumications, lan manager authentication level, or other security options
could be causing a problem if they were changed on the server. -- Steve


"Mary S" <nomail@forme.com> wrote in message
news:3eqo21p9dn8vukn878p0c2mf46afspohmp@4ax.com...
> Hi Steve
>
> Thank you for your handsome explanation. What I'm trying to do is to
> strengthen a w2k server against intruders both locally and remotely.
> I'm using the hisecweb.inf file as a guideline at this point.
>
> I have not executed the "configure the comp..
>
> I'm going trough every separate suggestion. I can't say I understand
> everything. But I'm learning slowly but consistently. The objective
> being to produce our own security setting inf file as according to NSA
> guides.
>
> Even if I have been careful adjusting the settings I although managed
> to make a shared folder on the server disappear and I don't know where
> it went wrong. I'll keep getting "The network path
> \\192.168.0.10\share\ could not be found" from the clients.
>
> Any suggestions highly appreciated
>
> (F.y.g. Since last time I have connected to the shared folder I have
> installed the latest 6-7 security patches otherwise I can't think of
> any other things)
>
>
> Thanks again
>
>
> On Sun, 6 Mar 2005 12:09:05 -0600, "Steven L Umbach"
> <n9rou@nospam-comcast.net> wrote:
>
>>The easiest way is to import the security template into the Local Security
>>Policy or possibly at the Organizational Unit level that contains servers
>>you want to apply it to via a Group Policy assuming you want to implement
>>the security template as it is. If it includes settings for services,
>>Restricted Groups, file system, or registry you can not simply import it
>>into the Local Security Policy but you could use secedit or the Security
>>Configuration and Analysis tool to apply it. I suggest that you first use
>>the Security Configuration and Analysis tool which is a mmc snapin to
>>analyze the computer with that template to see exactly what changes it
>>will
>>implement before you do apply the template and that you make a full image
>>type backup of your server first so that you have a rollback plan as these
>>high security templates often have unintended consequences particularly if
>>the server is also running other applications or services that would not
>>normally be found on a dedicated web server. See the link below on using
>>the Security Configuration and Analysis tool. There is a lot of
>>information
>>for secedit in the Windows built in help or using secedit /?. --- Steve
>>
>>http://www.lokbox.net/SecureXP/secAnalysis.asp
>
Anonymous
a b 8 Security
March 8, 2005 6:15:31 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi again

Ok! I'm in big trouble now! Somewhere during the journey of securing
the server I must have
done something wrong. And I'm almost sure that it has to do with the
hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
via windows update all at the same time.

I have made some screendumps here http://web.telia.com/~u42115338/ and
maybe it could give you some new ideas.

Yor reply highly appreciated
Thanks





On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
<n9rou@nospam-comcast.net> wrote:

>What exactly do you mean that the share disappeared? Is this the only share
>on the server and if not can the other shares be accessed? When you go to
>the server does it still show that the share exists? Verify that file and
>print sharing is enabled and that the server service is running on the
>server. Run the command net config server to see if it reports that the
>computer is configured to share resources and the command net share to see
>if the share and IPC$ are shown. Try to ping the server from the clients by
>name and IP address. See if you can access administrative shares from a
>client computer that is showing the problem such as C$. Run the support tool
>netdiag and that server to see if it reports any particular problems. It is
>possible that incompatible security options for digitally sign
>commumications, lan manager authentication level, or other security options
>could be causing a problem if they were changed on the server. -- Steve
>
>
Anonymous
a b 8 Security
March 8, 2005 7:29:42 PM

Archived from groups: microsoft.public.win2000.security (More info?)

It looks like your server is configured properly as far as the server
service running and the share existing and ping shows that you have basic
network connectivity. You said that you have not actually applied the
security template yet?? Make sure you are using the correct IP address to
connect to the share. I see that you have two IP addresses listed in your
screendumps? If name resolution is correct you should be able to use the
computer name as in \\p4\exchange. Were you as an administrator able to
access an administrative share such as C$ on that computer from a problem
client?? Also If possible show me a screendump that shows the security
options for the server and the client that you are trying to access the
server from. At least the security options from the server would be helpful.
There are two security options - digitally sign communications and lan
manger authentication level that need to be compatible.

What you could try is on the server make sure that the security option for
Microsoft network server:D igitally sign communications(always) is set to
disabled and lan manager authentication level is set to send ntlmv2 reponses
only. Make sure those settings show as "effective" settings in Local
Security Policy after running " secedit /refreshpolicy machine_policy
/enforce on it. From a client computer make sure that port 139 TCP or 445
TCP is open on the server to the client. A quick way to do this is to use
telent as in " telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is the IP
address of the server you are trying to access. If the port is open you will
get a blank command screen with a blinking cursor. If the port is closed you
will get an access denied message. If you think the problem could be a
security update, you can uninstall most of them in add and remove
rograms. --- Steve


"Mary S" <nomail@forme.com> wrote in message
news:rhgr21tb20rcs5cgcf6qv5phvi4k99kfsu@4ax.com...
> Hi again
>
> Ok! I'm in big trouble now! Somewhere during the journey of securing
> the server I must have
> done something wrong. And I'm almost sure that it has to do with the
> hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
> via windows update all at the same time.
>
> I have made some screendumps here http://web.telia.com/~u42115338/ and
> maybe it could give you some new ideas.
>
> Yor reply highly appreciated
> Thanks
>
>
>
>
>
> On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
> <n9rou@nospam-comcast.net> wrote:
>
>>What exactly do you mean that the share disappeared? Is this the only
>>share
>>on the server and if not can the other shares be accessed? When you go to
>>the server does it still show that the share exists? Verify that file and
>>print sharing is enabled and that the server service is running on the
>>server. Run the command net config server to see if it reports that the
>>computer is configured to share resources and the command net share to see
>>if the share and IPC$ are shown. Try to ping the server from the clients
>>by
>>name and IP address. See if you can access administrative shares from a
>>client computer that is showing the problem such as C$. Run the support
>>tool
>>netdiag and that server to see if it reports any particular problems. It
>>is
>>possible that incompatible security options for digitally sign
>>commumications, lan manager authentication level, or other security
>>options
>>could be causing a problem if they were changed on the server. -- Steve
>>
>>
>
Anonymous
a b 8 Security
March 9, 2005 10:29:40 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Steve

I have NOT applied the full security template yet. Only some of the
attributes.

I'm sure that I'm using the right ip number - see screendump (If the
ip number fails, I don't
think it will not work with the "computer name/P4" either, or?)

No! I can't connect to any of the admin shares with my administrator
account name and p/w

Unfortunately your suggestion abt. the security option for Microsoft
network server:D igitally sign communications(always) is set to
disabled and lan manager authentication level is set to send ntlmv2
reponses only, didn't work. See screendump settings.

I made some new screendumps. If you like, please see the 4 dumps of
the event viewer on the server. This I me (mr X) trying to logon from
another client (XP) to a shared folder (exchange) on the server. Look
at time stamp. I'm successfully logged in and thrown out within 60
sec?

Also see the screendumps from an XP client trying to logon. Please
note that the sequence is a little difference from a w2k log in. XP
clients repeatedly ask for credentials and never log on and gives no
clue what so ever about the problem!

I can't telnet into 445 on the server nor from the LAN nor on the
server telnet localhost 445. (Port 139 using netbios has been closed
for years). So how do I proceed. Could this be the problem?

As I said - We where able to logon to the server before I started
messing around with the policy.

Some other things I have been thinking about/done - some personal
notes;
Can't map any drives from the server to another shares on the LAN.
When restarting the server it takes about 5 min before the server is
online. Why this delay? Static ip used! Ping out from the server okey.
NetBios over TCP/IP disabled. No soft firewall active on the server.
Firewall disabled on the xp client. Checked hosts files..

Thanks for your time





On Tue, 8 Mar 2005 16:29:42 -0600, "Steven L Umbach"
<n9rou@nospam-comcast.net> wrote:

>It looks like your server is configured properly as far as the server
>service running and the share existing and ping shows that you have basic
>network connectivity. You said that you have not actually applied the
>security template yet?? Make sure you are using the correct IP address to
>connect to the share. I see that you have two IP addresses listed in your
>screendumps? If name resolution is correct you should be able to use the
>computer name as in \\p4\exchange. Were you as an administrator able to
>access an administrative share such as C$ on that computer from a problem
>client?? Also If possible show me a screendump that shows the security
>options for the server and the client that you are trying to access the
>server from. At least the security options from the server would be helpful.
>There are two security options - digitally sign communications and lan
>manger authentication level that need to be compatible.
>
>What you could try is on the server make sure that the security option for
>Microsoft network server:D igitally sign communications(always) is set to
>disabled and lan manager authentication level is set to send ntlmv2 reponses
>only. Make sure those settings show as "effective" settings in Local
>Security Policy after running " secedit /refreshpolicy machine_policy
>/enforce on it. From a client computer make sure that port 139 TCP or 445
>TCP is open on the server to the client. A quick way to do this is to use
>telent as in " telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is the IP
>address of the server you are trying to access. If the port is open you will
>get a blank command screen with a blinking cursor. If the port is closed you
>will get an access denied message. If you think the problem could be a
>security update, you can uninstall most of them in add and remove
>rograms. --- Steve
>
>
>"Mary S" <nomail@forme.com> wrote in message
>news:rhgr21tb20rcs5cgcf6qv5phvi4k99kfsu@4ax.com...
>> Hi again
>>
>> Ok! I'm in big trouble now! Somewhere during the journey of securing
>> the server I must have
>> done something wrong. And I'm almost sure that it has to do with the
>> hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
>> via windows update all at the same time.
>>
>> I have made some screendumps here http://web.telia.com/~u42115338/ and
>> maybe it could give you some new ideas.
>>
>> Yor reply highly appreciated
>> Thanks
>>
>>
>>
>>
>>
>> On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
>> <n9rou@nospam-comcast.net> wrote:
>>
>>>What exactly do you mean that the share disappeared? Is this the only
>>>share
>>>on the server and if not can the other shares be accessed? When you go to
>>>the server does it still show that the share exists? Verify that file and
>>>print sharing is enabled and that the server service is running on the
>>>server. Run the command net config server to see if it reports that the
>>>computer is configured to share resources and the command net share to see
>>>if the share and IPC$ are shown. Try to ping the server from the clients
>>>by
>>>name and IP address. See if you can access administrative shares from a
>>>client computer that is showing the problem such as C$. Run the support
>>>tool
>>>netdiag and that server to see if it reports any particular problems. It
>>>is
>>>possible that incompatible security options for digitally sign
>>>commumications, lan manager authentication level, or other security
>>>options
>>>could be causing a problem if they were changed on the server. -- Steve
>>>
>>>
>>
>
Anonymous
a b 8 Security
March 9, 2005 11:56:40 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Mary.

Hmm. Since you have port 139 TCP disabled then the only way that users can
access a share over the regular network would be port 445 TCP and since that
can not be accessed explains part of the problem. The fact that it takes
five minutes to boot up and you can not access any shares indicates possible
related problems. Try booting into safemode with networking to see what
happens as that will bypass most startup applications and ipsec policy if
one is enabled. I did not really see anything in your security options that
looks like a problem except the one security option for additional
restrictions for anonymous access should be set to "none - rely on default
permissions" [though I doubt it is the culprit] until the problem is
resolved and verify that it and the lan manager authentication level shows
send ntlmv2 Reponses only in the "effective" settings in Local Security
Policy. Also verify that the time on the problem server is correct compared
to the domain controller and check day/time/month/year/time zone/AM&PM. The
hisecweb.inf template will also disable some system services. Make sure that
the dns client service and tcp/ip netbios helper services are started on
your server. Use nslookup on it to see if it can connect with it's dns
server and if it can use it to resolve host names. Nslookup will give an
error message that it can not find the name of your dns server if you do not
have reverse dns zone configured but it still can display the IP address of
the dns server.

It sounds like your server for some reason is having difficulty with network
communications on needed ports. Verify that tcp/ip filtering is not enabled
on the network adapter. Look in tcp ip/properties/advanced/options/tcp ip
filtering - properties to make sure it is not enabled. Then check to see if
there is an ipsec policy assigned. The netdiag support tool will do such and
it is a good idea to run netdiag anyhow looking for pertinent
errors/warnings/failed tests. The last test is the IP security test and if
it shows that a policy is assigned then an incorrectly configured ipsec
policy could cause problems such as you are experiencing. Ipsec policies can
be assigned or disabled in Local Security Policy. Beyond that I would
wonder if a security patch has caused a conflict on your server. If you
remove them in add and remove programs they will often reverse problems they
have caused. If you are familiar with how to use netmon to observe packet
traffic on a server, you could use it to see what traffic is going to and
from your server such as if the server is receiving traffic from a client on
port 445 and if the server is responding or not. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag
and how to install support tools.


"Mary S" <nomail@forme.com> wrote in message
news:0oju2195fq30882auhsd9h1ra7aho488rb@4ax.com...
> Hi Steve
>
> I have NOT applied the full security template yet. Only some of the
> attributes.
>
> I'm sure that I'm using the right ip number - see screendump (If the
> ip number fails, I don't
> think it will not work with the "computer name/P4" either, or?)
>
> No! I can't connect to any of the admin shares with my administrator
> account name and p/w
>
> Unfortunately your suggestion abt. the security option for Microsoft
> network server:D igitally sign communications(always) is set to
> disabled and lan manager authentication level is set to send ntlmv2
> reponses only, didn't work. See screendump settings.
>
> I made some new screendumps. If you like, please see the 4 dumps of
> the event viewer on the server. This I me (mr X) trying to logon from
> another client (XP) to a shared folder (exchange) on the server. Look
> at time stamp. I'm successfully logged in and thrown out within 60
> sec?
>
> Also see the screendumps from an XP client trying to logon. Please
> note that the sequence is a little difference from a w2k log in. XP
> clients repeatedly ask for credentials and never log on and gives no
> clue what so ever about the problem!
>
> I can't telnet into 445 on the server nor from the LAN nor on the
> server telnet localhost 445. (Port 139 using netbios has been closed
> for years). So how do I proceed. Could this be the problem?
>
> As I said - We where able to logon to the server before I started
> messing around with the policy.
>
> Some other things I have been thinking about/done - some personal
> notes;
> Can't map any drives from the server to another shares on the LAN.
> When restarting the server it takes about 5 min before the server is
> online. Why this delay? Static ip used! Ping out from the server okey.
> NetBios over TCP/IP disabled. No soft firewall active on the server.
> Firewall disabled on the xp client. Checked hosts files..
>
> Thanks for your time
>
>
>
>
>
> On Tue, 8 Mar 2005 16:29:42 -0600, "Steven L Umbach"
> <n9rou@nospam-comcast.net> wrote:
>
>>It looks like your server is configured properly as far as the server
>>service running and the share existing and ping shows that you have basic
>>network connectivity. You said that you have not actually applied the
>>security template yet?? Make sure you are using the correct IP address to
>>connect to the share. I see that you have two IP addresses listed in your
>>screendumps? If name resolution is correct you should be able to use the
>>computer name as in \\p4\exchange. Were you as an administrator able to
>>access an administrative share such as C$ on that computer from a problem
>>client?? Also If possible show me a screendump that shows the security
>>options for the server and the client that you are trying to access the
>>server from. At least the security options from the server would be
>>helpful.
>>There are two security options - digitally sign communications and lan
>>manger authentication level that need to be compatible.
>>
>>What you could try is on the server make sure that the security option for
>>Microsoft network server:D igitally sign communications(always) is set to
>>disabled and lan manager authentication level is set to send ntlmv2
>>reponses
>>only. Make sure those settings show as "effective" settings in Local
>>Security Policy after running " secedit /refreshpolicy machine_policy
>>/enforce on it. From a client computer make sure that port 139 TCP or 445
>>TCP is open on the server to the client. A quick way to do this is to use
>>telent as in " telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is the IP
>>address of the server you are trying to access. If the port is open you
>>will
>>get a blank command screen with a blinking cursor. If the port is closed
>>you
>>will get an access denied message. If you think the problem could be a
>>security update, you can uninstall most of them in add and remove
>>rograms. --- Steve
>>
>>
>>"Mary S" <nomail@forme.com> wrote in message
>>news:rhgr21tb20rcs5cgcf6qv5phvi4k99kfsu@4ax.com...
>>> Hi again
>>>
>>> Ok! I'm in big trouble now! Somewhere during the journey of securing
>>> the server I must have
>>> done something wrong. And I'm almost sure that it has to do with the
>>> hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
>>> via windows update all at the same time.
>>>
>>> I have made some screendumps here http://web.telia.com/~u42115338/ and
>>> maybe it could give you some new ideas.
>>>
>>> Yor reply highly appreciated
>>> Thanks
>>>
>>>
>>>
>>>
>>>
>>> On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
>>> <n9rou@nospam-comcast.net> wrote:
>>>
>>>>What exactly do you mean that the share disappeared? Is this the only
>>>>share
>>>>on the server and if not can the other shares be accessed? When you go
>>>>to
>>>>the server does it still show that the share exists? Verify that file
>>>>and
>>>>print sharing is enabled and that the server service is running on the
>>>>server. Run the command net config server to see if it reports that the
>>>>computer is configured to share resources and the command net share to
>>>>see
>>>>if the share and IPC$ are shown. Try to ping the server from the
>>>>clients
>>>>by
>>>>name and IP address. See if you can access administrative shares from a
>>>>client computer that is showing the problem such as C$. Run the support
>>>>tool
>>>>netdiag and that server to see if it reports any particular problems. It
>>>>is
>>>>possible that incompatible security options for digitally sign
>>>>commumications, lan manager authentication level, or other security
>>>>options
>>>>could be causing a problem if they were changed on the server. -- Steve
>>>>
>>>>
>>>
>>
>
Anonymous
a b 8 Security
March 10, 2005 10:53:40 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Steve

Just to thank your for your time spent on my problem. I'm going
to sit back for the weekend read trough my notes. Maybe I can find
something I have done earlier on?

Could also "open" for port 139 on the LAN - We don't have same
security aspect as on the internet.

One thing is sure - Our server has never been that secure before. No
one can access anything any longer ;-)

Kind regards
Mary S


On Wed, 9 Mar 2005 20:56:40 -0600, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:

>Hi Mary.
>
>Hmm. Since you have port 139 TCP disabled then the only way that users can
>access a share over the regular network would be port 445 TCP and since that
>can not be accessed explains part of the problem. The fact that it takes
>five minutes to boot up and you can not access any shares indicates possible
>related problems. Try booting into safemode with networking to see what
>happens as that will bypass most startup applications and ipsec policy if
>one is enabled. I did not really see anything in your security options that
>looks like a problem except the one security option for additional
>restrictions for anonymous access should be set to "none - rely on default
>permissions" [though I doubt it is the culprit] until the problem is
>resolved and verify that it and the lan manager authentication level shows
>send ntlmv2 Reponses only in the "effective" settings in Local Security
>Policy. Also verify that the time on the problem server is correct compared
>to the domain controller and check day/time/month/year/time zone/AM&PM. The
>hisecweb.inf template will also disable some system services. Make sure that
>the dns client service and tcp/ip netbios helper services are started on
>your server. Use nslookup on it to see if it can connect with it's dns
>server and if it can use it to resolve host names. Nslookup will give an
>error message that it can not find the name of your dns server if you do not
>have reverse dns zone configured but it still can display the IP address of
>the dns server.
>
>It sounds like your server for some reason is having difficulty with network
>communications on needed ports. Verify that tcp/ip filtering is not enabled
>on the network adapter. Look in tcp ip/properties/advanced/options/tcp ip
>filtering - properties to make sure it is not enabled. Then check to see if
>there is an ipsec policy assigned. The netdiag support tool will do such and
>it is a good idea to run netdiag anyhow looking for pertinent
>errors/warnings/failed tests. The last test is the IP security test and if
>it shows that a policy is assigned then an incorrectly configured ipsec
>policy could cause problems such as you are experiencing. Ipsec policies can
>be assigned or disabled in Local Security Policy. Beyond that I would
>wonder if a security patch has caused a conflict on your server. If you
>remove them in add and remove programs they will often reverse problems they
>have caused. If you are familiar with how to use netmon to observe packet
>traffic on a server, you could use it to see what traffic is going to and
>from your server such as if the server is receiving traffic from a client on
>port 445 and if the server is responding or not. --- Steve
>
>http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag
>and how to install support tools.
>
>
>"Mary S" <nomail@forme.com> wrote in message
>news:0oju2195fq30882auhsd9h1ra7aho488rb@4ax.com...
>> Hi Steve
>>
>> I have NOT applied the full security template yet. Only some of the
>> attributes.
>>
>> I'm sure that I'm using the right ip number - see screendump (If the
>> ip number fails, I don't
>> think it will not work with the "computer name/P4" either, or?)
>>
>> No! I can't connect to any of the admin shares with my administrator
>> account name and p/w
>>
>> Unfortunately your suggestion abt. the security option for Microsoft
>> network server:D igitally sign communications(always) is set to
>> disabled and lan manager authentication level is set to send ntlmv2
>> reponses only, didn't work. See screendump settings.
>>
>> I made some new screendumps. If you like, please see the 4 dumps of
>> the event viewer on the server. This I me (mr X) trying to logon from
>> another client (XP) to a shared folder (exchange) on the server. Look
>> at time stamp. I'm successfully logged in and thrown out within 60
>> sec?
>>
>> Also see the screendumps from an XP client trying to logon. Please
>> note that the sequence is a little difference from a w2k log in. XP
>> clients repeatedly ask for credentials and never log on and gives no
>> clue what so ever about the problem!
>>
>> I can't telnet into 445 on the server nor from the LAN nor on the
>> server telnet localhost 445. (Port 139 using netbios has been closed
>> for years). So how do I proceed. Could this be the problem?
>>
>> As I said - We where able to logon to the server before I started
>> messing around with the policy.
>>
>> Some other things I have been thinking about/done - some personal
>> notes;
>> Can't map any drives from the server to another shares on the LAN.
>> When restarting the server it takes about 5 min before the server is
>> online. Why this delay? Static ip used! Ping out from the server okey.
>> NetBios over TCP/IP disabled. No soft firewall active on the server.
>> Firewall disabled on the xp client. Checked hosts files..
>>
>> Thanks for your time
>>
>>
>>
>>
>>
>> On Tue, 8 Mar 2005 16:29:42 -0600, "Steven L Umbach"
>> <n9rou@nospam-comcast.net> wrote:
>>
>>>It looks like your server is configured properly as far as the server
>>>service running and the share existing and ping shows that you have basic
>>>network connectivity. You said that you have not actually applied the
>>>security template yet?? Make sure you are using the correct IP address to
>>>connect to the share. I see that you have two IP addresses listed in your
>>>screendumps? If name resolution is correct you should be able to use the
>>>computer name as in \\p4\exchange. Were you as an administrator able to
>>>access an administrative share such as C$ on that computer from a problem
>>>client?? Also If possible show me a screendump that shows the security
>>>options for the server and the client that you are trying to access the
>>>server from. At least the security options from the server would be
>>>helpful.
>>>There are two security options - digitally sign communications and lan
>>>manger authentication level that need to be compatible.
>>>
>>>What you could try is on the server make sure that the security option for
>>>Microsoft network server:D igitally sign communications(always) is set to
>>>disabled and lan manager authentication level is set to send ntlmv2
>>>reponses
>>>only. Make sure those settings show as "effective" settings in Local
>>>Security Policy after running " secedit /refreshpolicy machine_policy
>>>/enforce on it. From a client computer make sure that port 139 TCP or 445
>>>TCP is open on the server to the client. A quick way to do this is to use
>>>telent as in " telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is the IP
>>>address of the server you are trying to access. If the port is open you
>>>will
>>>get a blank command screen with a blinking cursor. If the port is closed
>>>you
>>>will get an access denied message. If you think the problem could be a
>>>security update, you can uninstall most of them in add and remove
>>>rograms. --- Steve
>>>
>>>
>>>"Mary S" <nomail@forme.com> wrote in message
>>>news:rhgr21tb20rcs5cgcf6qv5phvi4k99kfsu@4ax.com...
>>>> Hi again
>>>>
>>>> Ok! I'm in big trouble now! Somewhere during the journey of securing
>>>> the server I must have
>>>> done something wrong. And I'm almost sure that it has to do with the
>>>> hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
>>>> via windows update all at the same time.
>>>>
>>>> I have made some screendumps here http://web.telia.com/~u42115338/ and
>>>> maybe it could give you some new ideas.
>>>>
>>>> Yor reply highly appreciated
>>>> Thanks
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
>>>> <n9rou@nospam-comcast.net> wrote:
>>>>
>>>>>What exactly do you mean that the share disappeared? Is this the only
>>>>>share
>>>>>on the server and if not can the other shares be accessed? When you go
>>>>>to
>>>>>the server does it still show that the share exists? Verify that file
>>>>>and
>>>>>print sharing is enabled and that the server service is running on the
>>>>>server. Run the command net config server to see if it reports that the
>>>>>computer is configured to share resources and the command net share to
>>>>>see
>>>>>if the share and IPC$ are shown. Try to ping the server from the
>>>>>clients
>>>>>by
>>>>>name and IP address. See if you can access administrative shares from a
>>>>>client computer that is showing the problem such as C$. Run the support
>>>>>tool
>>>>>netdiag and that server to see if it reports any particular problems. It
>>>>>is
>>>>>possible that incompatible security options for digitally sign
>>>>>commumications, lan manager authentication level, or other security
>>>>>options
>>>>>could be causing a problem if they were changed on the server. -- Steve
>>>>>
>>>>>
>>>>
>>>
>>
>
Anonymous
a b 8 Security
March 10, 2005 10:53:41 PM

Archived from groups: microsoft.public.win2000.security (More info?)

OK. I hope you make some progress. Yes it is easier than many think to lock
your own users from access. --- Steve


"Mary S" <nomail@forme.com> wrote in message
news:479131l1pdq6267ukc6kvtqb63skddbpd5@4ax.com...
> Hi Steve
>
> Just to thank your for your time spent on my problem. I'm going
> to sit back for the weekend read trough my notes. Maybe I can find
> something I have done earlier on?
>
> Could also "open" for port 139 on the LAN - We don't have same
> security aspect as on the internet.
>
> One thing is sure - Our server has never been that secure before. No
> one can access anything any longer ;-)
>
> Kind regards
> Mary S
>
>
> On Wed, 9 Mar 2005 20:56:40 -0600, "Steven L Umbach"
> <n9rou@n0-spam-for-me-comcast.net> wrote:
>
>>Hi Mary.
>>
>>Hmm. Since you have port 139 TCP disabled then the only way that users can
>>access a share over the regular network would be port 445 TCP and since
>>that
>>can not be accessed explains part of the problem. The fact that it takes
>>five minutes to boot up and you can not access any shares indicates
>>possible
>>related problems. Try booting into safemode with networking to see what
>>happens as that will bypass most startup applications and ipsec policy if
>>one is enabled. I did not really see anything in your security options
>>that
>>looks like a problem except the one security option for additional
>>restrictions for anonymous access should be set to "none - rely on default
>>permissions" [though I doubt it is the culprit] until the problem is
>>resolved and verify that it and the lan manager authentication level shows
>>send ntlmv2 Reponses only in the "effective" settings in Local Security
>>Policy. Also verify that the time on the problem server is correct
>>compared
>>to the domain controller and check day/time/month/year/time zone/AM&PM.
>>The
>>hisecweb.inf template will also disable some system services. Make sure
>>that
>>the dns client service and tcp/ip netbios helper services are started on
>>your server. Use nslookup on it to see if it can connect with it's dns
>>server and if it can use it to resolve host names. Nslookup will give an
>>error message that it can not find the name of your dns server if you do
>>not
>>have reverse dns zone configured but it still can display the IP address
>>of
>>the dns server.
>>
>>It sounds like your server for some reason is having difficulty with
>>network
>>communications on needed ports. Verify that tcp/ip filtering is not
>>enabled
>>on the network adapter. Look in tcp ip/properties/advanced/options/tcp ip
>>filtering - properties to make sure it is not enabled. Then check to see
>>if
>>there is an ipsec policy assigned. The netdiag support tool will do such
>>and
>>it is a good idea to run netdiag anyhow looking for pertinent
>>errors/warnings/failed tests. The last test is the IP security test and if
>>it shows that a policy is assigned then an incorrectly configured ipsec
>>policy could cause problems such as you are experiencing. Ipsec policies
>>can
>>be assigned or disabled in Local Security Policy. Beyond that I would
>>wonder if a security patch has caused a conflict on your server. If you
>>remove them in add and remove programs they will often reverse problems
>>they
>>have caused. If you are familiar with how to use netmon to observe packet
>>traffic on a server, you could use it to see what traffic is going to and
>>from your server such as if the server is receiving traffic from a client
>>on
>>port 445 and if the server is responding or not. --- Steve
>>
>>http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 ---
>>netdiag
>>and how to install support tools.
>>
>>
>>"Mary S" <nomail@forme.com> wrote in message
>>news:0oju2195fq30882auhsd9h1ra7aho488rb@4ax.com...
>>> Hi Steve
>>>
>>> I have NOT applied the full security template yet. Only some of the
>>> attributes.
>>>
>>> I'm sure that I'm using the right ip number - see screendump (If the
>>> ip number fails, I don't
>>> think it will not work with the "computer name/P4" either, or?)
>>>
>>> No! I can't connect to any of the admin shares with my administrator
>>> account name and p/w
>>>
>>> Unfortunately your suggestion abt. the security option for Microsoft
>>> network server:D igitally sign communications(always) is set to
>>> disabled and lan manager authentication level is set to send ntlmv2
>>> reponses only, didn't work. See screendump settings.
>>>
>>> I made some new screendumps. If you like, please see the 4 dumps of
>>> the event viewer on the server. This I me (mr X) trying to logon from
>>> another client (XP) to a shared folder (exchange) on the server. Look
>>> at time stamp. I'm successfully logged in and thrown out within 60
>>> sec?
>>>
>>> Also see the screendumps from an XP client trying to logon. Please
>>> note that the sequence is a little difference from a w2k log in. XP
>>> clients repeatedly ask for credentials and never log on and gives no
>>> clue what so ever about the problem!
>>>
>>> I can't telnet into 445 on the server nor from the LAN nor on the
>>> server telnet localhost 445. (Port 139 using netbios has been closed
>>> for years). So how do I proceed. Could this be the problem?
>>>
>>> As I said - We where able to logon to the server before I started
>>> messing around with the policy.
>>>
>>> Some other things I have been thinking about/done - some personal
>>> notes;
>>> Can't map any drives from the server to another shares on the LAN.
>>> When restarting the server it takes about 5 min before the server is
>>> online. Why this delay? Static ip used! Ping out from the server okey.
>>> NetBios over TCP/IP disabled. No soft firewall active on the server.
>>> Firewall disabled on the xp client. Checked hosts files..
>>>
>>> Thanks for your time
>>>
>>>
>>>
>>>
>>>
>>> On Tue, 8 Mar 2005 16:29:42 -0600, "Steven L Umbach"
>>> <n9rou@nospam-comcast.net> wrote:
>>>
>>>>It looks like your server is configured properly as far as the server
>>>>service running and the share existing and ping shows that you have
>>>>basic
>>>>network connectivity. You said that you have not actually applied the
>>>>security template yet?? Make sure you are using the correct IP address
>>>>to
>>>>connect to the share. I see that you have two IP addresses listed in
>>>>your
>>>>screendumps? If name resolution is correct you should be able to use
>>>>the
>>>>computer name as in \\p4\exchange. Were you as an administrator able to
>>>>access an administrative share such as C$ on that computer from a
>>>>problem
>>>>client?? Also If possible show me a screendump that shows the security
>>>>options for the server and the client that you are trying to access the
>>>>server from. At least the security options from the server would be
>>>>helpful.
>>>>There are two security options - digitally sign communications and lan
>>>>manger authentication level that need to be compatible.
>>>>
>>>>What you could try is on the server make sure that the security option
>>>>for
>>>>Microsoft network server:D igitally sign communications(always) is set to
>>>>disabled and lan manager authentication level is set to send ntlmv2
>>>>reponses
>>>>only. Make sure those settings show as "effective" settings in Local
>>>>Security Policy after running " secedit /refreshpolicy machine_policy
>>>>/enforce on it. From a client computer make sure that port 139 TCP or
>>>>445
>>>>TCP is open on the server to the client. A quick way to do this is to
>>>>use
>>>>telent as in " telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is the
>>>>IP
>>>>address of the server you are trying to access. If the port is open you
>>>>will
>>>>get a blank command screen with a blinking cursor. If the port is closed
>>>>you
>>>>will get an access denied message. If you think the problem could be a
>>>>security update, you can uninstall most of them in add and remove
>>>>rograms. --- Steve
>>>>
>>>>
>>>>"Mary S" <nomail@forme.com> wrote in message
>>>>news:rhgr21tb20rcs5cgcf6qv5phvi4k99kfsu@4ax.com...
>>>>> Hi again
>>>>>
>>>>> Ok! I'm in big trouble now! Somewhere during the journey of securing
>>>>> the server I must have
>>>>> done something wrong. And I'm almost sure that it has to do with the
>>>>> hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
>>>>> via windows update all at the same time.
>>>>>
>>>>> I have made some screendumps here http://web.telia.com/~u42115338/ and
>>>>> maybe it could give you some new ideas.
>>>>>
>>>>> Yor reply highly appreciated
>>>>> Thanks
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
>>>>> <n9rou@nospam-comcast.net> wrote:
>>>>>
>>>>>>What exactly do you mean that the share disappeared? Is this the only
>>>>>>share
>>>>>>on the server and if not can the other shares be accessed? When you go
>>>>>>to
>>>>>>the server does it still show that the share exists? Verify that file
>>>>>>and
>>>>>>print sharing is enabled and that the server service is running on the
>>>>>>server. Run the command net config server to see if it reports that
>>>>>>the
>>>>>>computer is configured to share resources and the command net share to
>>>>>>see
>>>>>>if the share and IPC$ are shown. Try to ping the server from the
>>>>>>clients
>>>>>>by
>>>>>>name and IP address. See if you can access administrative shares from
>>>>>>a
>>>>>>client computer that is showing the problem such as C$. Run the
>>>>>>support
>>>>>>tool
>>>>>>netdiag and that server to see if it reports any particular problems.
>>>>>>It
>>>>>>is
>>>>>>possible that incompatible security options for digitally sign
>>>>>>commumications, lan manager authentication level, or other security
>>>>>>options
>>>>>>could be causing a problem if they were changed on the server. --
>>>>>>Steve
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
Anonymous
a b 8 Security
March 11, 2005 10:11:57 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Steve - problem solved :-)

I sat down and read my notes already last night - noted that
sometimes last week I did disable NetBios over TCP/IP in Device
Manager according to an advice given to me via an article about
security. Changed the driver to automatic and was now able to
connect to the server again :-)

I should obviously have read my note earlier, but I was quite sure
that It had to do with the policies - my mistake.

Again Steve thanks a lot - you gave me the clue where to look!

Until next time,
hugs Mary

...and port 139 still closed..



On Thu, 10 Mar 2005 14:34:20 -0600, "Steven L Umbach"
<n9rou@nospam-comcast.net> wrote:

>OK. I hope you make some progress. Yes it is easier than many think to lock
>your own users from access. --- Steve
>
>
>"Mary S" <nomail@forme.com> wrote in message
>news:479131l1pdq6267ukc6kvtqb63skddbpd5@4ax.com...
>> Hi Steve
>>
>> Just to thank your for your time spent on my problem. I'm going
>> to sit back for the weekend read trough my notes. Maybe I can find
>> something I have done earlier on?
>>
>> Could also "open" for port 139 on the LAN - We don't have same
>> security aspect as on the internet.
>>
>> One thing is sure - Our server has never been that secure before. No
>> one can access anything any longer ;-)
>>
>> Kind regards
>> Mary S
>>
>>
>> On Wed, 9 Mar 2005 20:56:40 -0600, "Steven L Umbach"
>> <n9rou@n0-spam-for-me-comcast.net> wrote:
>>
>>>Hi Mary.
>>>
>>>Hmm. Since you have port 139 TCP disabled then the only way that users can
>>>access a share over the regular network would be port 445 TCP and since
>>>that
>>>can not be accessed explains part of the problem. The fact that it takes
>>>five minutes to boot up and you can not access any shares indicates
>>>possible
>>>related problems. Try booting into safemode with networking to see what
>>>happens as that will bypass most startup applications and ipsec policy if
>>>one is enabled. I did not really see anything in your security options
>>>that
>>>looks like a problem except the one security option for additional
>>>restrictions for anonymous access should be set to "none - rely on default
>>>permissions" [though I doubt it is the culprit] until the problem is
>>>resolved and verify that it and the lan manager authentication level shows
>>>send ntlmv2 Reponses only in the "effective" settings in Local Security
>>>Policy. Also verify that the time on the problem server is correct
>>>compared
>>>to the domain controller and check day/time/month/year/time zone/AM&PM.
>>>The
>>>hisecweb.inf template will also disable some system services. Make sure
>>>that
>>>the dns client service and tcp/ip netbios helper services are started on
>>>your server. Use nslookup on it to see if it can connect with it's dns
>>>server and if it can use it to resolve host names. Nslookup will give an
>>>error message that it can not find the name of your dns server if you do
>>>not
>>>have reverse dns zone configured but it still can display the IP address
>>>of
>>>the dns server.
>>>
>>>It sounds like your server for some reason is having difficulty with
>>>network
>>>communications on needed ports. Verify that tcp/ip filtering is not
>>>enabled
>>>on the network adapter. Look in tcp ip/properties/advanced/options/tcp ip
>>>filtering - properties to make sure it is not enabled. Then check to see
>>>if
>>>there is an ipsec policy assigned. The netdiag support tool will do such
>>>and
>>>it is a good idea to run netdiag anyhow looking for pertinent
>>>errors/warnings/failed tests. The last test is the IP security test and if
>>>it shows that a policy is assigned then an incorrectly configured ipsec
>>>policy could cause problems such as you are experiencing. Ipsec policies
>>>can
>>>be assigned or disabled in Local Security Policy. Beyond that I would
>>>wonder if a security patch has caused a conflict on your server. If you
>>>remove them in add and remove programs they will often reverse problems
>>>they
>>>have caused. If you are familiar with how to use netmon to observe packet
>>>traffic on a server, you could use it to see what traffic is going to and
>>>from your server such as if the server is receiving traffic from a client
>>>on
>>>port 445 and if the server is responding or not. --- Steve
>>>
>>>http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 ---
>>>netdiag
>>>and how to install support tools.
>>>
>>>
>>>"Mary S" <nomail@forme.com> wrote in message
>>>news:0oju2195fq30882auhsd9h1ra7aho488rb@4ax.com...
>>>> Hi Steve
>>>>
>>>> I have NOT applied the full security template yet. Only some of the
>>>> attributes.
>>>>
>>>> I'm sure that I'm using the right ip number - see screendump (If the
>>>> ip number fails, I don't
>>>> think it will not work with the "computer name/P4" either, or?)
>>>>
>>>> No! I can't connect to any of the admin shares with my administrator
>>>> account name and p/w
>>>>
>>>> Unfortunately your suggestion abt. the security option for Microsoft
>>>> network server:D igitally sign communications(always) is set to
>>>> disabled and lan manager authentication level is set to send ntlmv2
>>>> reponses only, didn't work. See screendump settings.
>>>>
>>>> I made some new screendumps. If you like, please see the 4 dumps of
>>>> the event viewer on the server. This I me (mr X) trying to logon from
>>>> another client (XP) to a shared folder (exchange) on the server. Look
>>>> at time stamp. I'm successfully logged in and thrown out within 60
>>>> sec?
>>>>
>>>> Also see the screendumps from an XP client trying to logon. Please
>>>> note that the sequence is a little difference from a w2k log in. XP
>>>> clients repeatedly ask for credentials and never log on and gives no
>>>> clue what so ever about the problem!
>>>>
>>>> I can't telnet into 445 on the server nor from the LAN nor on the
>>>> server telnet localhost 445. (Port 139 using netbios has been closed
>>>> for years). So how do I proceed. Could this be the problem?
>>>>
>>>> As I said - We where able to logon to the server before I started
>>>> messing around with the policy.
>>>>
>>>> Some other things I have been thinking about/done - some personal
>>>> notes;
>>>> Can't map any drives from the server to another shares on the LAN.
>>>> When restarting the server it takes about 5 min before the server is
>>>> online. Why this delay? Static ip used! Ping out from the server okey.
>>>> NetBios over TCP/IP disabled. No soft firewall active on the server.
>>>> Firewall disabled on the xp client. Checked hosts files..
>>>>
>>>> Thanks for your time
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, 8 Mar 2005 16:29:42 -0600, "Steven L Umbach"
>>>> <n9rou@nospam-comcast.net> wrote:
>>>>
>>>>>It looks like your server is configured properly as far as the server
>>>>>service running and the share existing and ping shows that you have
>>>>>basic
>>>>>network connectivity. You said that you have not actually applied the
>>>>>security template yet?? Make sure you are using the correct IP address
>>>>>to
>>>>>connect to the share. I see that you have two IP addresses listed in
>>>>>your
>>>>>screendumps? If name resolution is correct you should be able to use
>>>>>the
>>>>>computer name as in \\p4\exchange. Were you as an administrator able to
>>>>>access an administrative share such as C$ on that computer from a
>>>>>problem
>>>>>client?? Also If possible show me a screendump that shows the security
>>>>>options for the server and the client that you are trying to access the
>>>>>server from. At least the security options from the server would be
>>>>>helpful.
>>>>>There are two security options - digitally sign communications and lan
>>>>>manger authentication level that need to be compatible.
>>>>>
>>>>>What you could try is on the server make sure that the security option
>>>>>for
>>>>>Microsoft network server:D igitally sign communications(always) is set to
>>>>>disabled and lan manager authentication level is set to send ntlmv2
>>>>>reponses
>>>>>only. Make sure those settings show as "effective" settings in Local
>>>>>Security Policy after running " secedit /refreshpolicy machine_policy
>>>>>/enforce on it. From a client computer make sure that port 139 TCP or
>>>>>445
>>>>>TCP is open on the server to the client. A quick way to do this is to
>>>>>use
>>>>>telent as in " telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is the
>>>>>IP
>>>>>address of the server you are trying to access. If the port is open you
>>>>>will
>>>>>get a blank command screen with a blinking cursor. If the port is closed
>>>>>you
>>>>>will get an access denied message. If you think the problem could be a
>>>>>security update, you can uninstall most of them in add and remove
>>>>>rograms. --- Steve
>>>>>
>>>>>
>>>>>"Mary S" <nomail@forme.com> wrote in message
>>>>>news:rhgr21tb20rcs5cgcf6qv5phvi4k99kfsu@4ax.com...
>>>>>> Hi again
>>>>>>
>>>>>> Ok! I'm in big trouble now! Somewhere during the journey of securing
>>>>>> the server I must have
>>>>>> done something wrong. And I'm almost sure that it has to do with the
>>>>>> hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
>>>>>> via windows update all at the same time.
>>>>>>
>>>>>> I have made some screendumps here http://web.telia.com/~u42115338/ and
>>>>>> maybe it could give you some new ideas.
>>>>>>
>>>>>> Yor reply highly appreciated
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
>>>>>> <n9rou@nospam-comcast.net> wrote:
>>>>>>
>>>>>>>What exactly do you mean that the share disappeared? Is this the only
>>>>>>>share
>>>>>>>on the server and if not can the other shares be accessed? When you go
>>>>>>>to
>>>>>>>the server does it still show that the share exists? Verify that file
>>>>>>>and
>>>>>>>print sharing is enabled and that the server service is running on the
>>>>>>>server. Run the command net config server to see if it reports that
>>>>>>>the
>>>>>>>computer is configured to share resources and the command net share to
>>>>>>>see
>>>>>>>if the share and IPC$ are shown. Try to ping the server from the
>>>>>>>clients
>>>>>>>by
>>>>>>>name and IP address. See if you can access administrative shares from
>>>>>>>a
>>>>>>>client computer that is showing the problem such as C$. Run the
>>>>>>>support
>>>>>>>tool
>>>>>>>netdiag and that server to see if it reports any particular problems.
>>>>>>>It
>>>>>>>is
>>>>>>>possible that incompatible security options for digitally sign
>>>>>>>commumications, lan manager authentication level, or other security
>>>>>>>options
>>>>>>>could be causing a problem if they were changed on the server. --
>>>>>>>Steve
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
Anonymous
a b 8 Security
March 11, 2005 5:24:41 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Excellent! Congratulations on taking good notes on configuration changes in
order to backtrack and implement repairs. Just for future reference keep in
mind that many security guides are specific for a particular server role
such as a stand alone [non domain member] IIS and the assumption is made
then that no related services are needed in which case that NetBios over
TCP/IP is not needed because the IIS server would not be offering shares to
users or logon to the domain. --- Steve


"Mary S" <nomail@forme.com> wrote in message
news:21g231tu0vc0o86adfnjh252bmf805v030@4ax.com...
> Hi Steve - problem solved :-)
>
> I sat down and read my notes already last night - noted that
> sometimes last week I did disable NetBios over TCP/IP in Device
> Manager according to an advice given to me via an article about
> security. Changed the driver to automatic and was now able to
> connect to the server again :-)
>
> I should obviously have read my note earlier, but I was quite sure
> that It had to do with the policies - my mistake.
>
> Again Steve thanks a lot - you gave me the clue where to look!
>
> Until next time,
> hugs Mary
>
> ..and port 139 still closed..
>
>
>
> On Thu, 10 Mar 2005 14:34:20 -0600, "Steven L Umbach"
> <n9rou@nospam-comcast.net> wrote:
>
>>OK. I hope you make some progress. Yes it is easier than many think to
>>lock
>>your own users from access. --- Steve
>>
>>
>>"Mary S" <nomail@forme.com> wrote in message
>>news:479131l1pdq6267ukc6kvtqb63skddbpd5@4ax.com...
>>> Hi Steve
>>>
>>> Just to thank your for your time spent on my problem. I'm going
>>> to sit back for the weekend read trough my notes. Maybe I can find
>>> something I have done earlier on?
>>>
>>> Could also "open" for port 139 on the LAN - We don't have same
>>> security aspect as on the internet.
>>>
>>> One thing is sure - Our server has never been that secure before. No
>>> one can access anything any longer ;-)
>>>
>>> Kind regards
>>> Mary S
>>>
>>>
>>> On Wed, 9 Mar 2005 20:56:40 -0600, "Steven L Umbach"
>>> <n9rou@n0-spam-for-me-comcast.net> wrote:
>>>
>>>>Hi Mary.
>>>>
>>>>Hmm. Since you have port 139 TCP disabled then the only way that users
>>>>can
>>>>access a share over the regular network would be port 445 TCP and since
>>>>that
>>>>can not be accessed explains part of the problem. The fact that it takes
>>>>five minutes to boot up and you can not access any shares indicates
>>>>possible
>>>>related problems. Try booting into safemode with networking to see what
>>>>happens as that will bypass most startup applications and ipsec policy
>>>>if
>>>>one is enabled. I did not really see anything in your security options
>>>>that
>>>>looks like a problem except the one security option for additional
>>>>restrictions for anonymous access should be set to "none - rely on
>>>>default
>>>>permissions" [though I doubt it is the culprit] until the problem is
>>>>resolved and verify that it and the lan manager authentication level
>>>>shows
>>>>send ntlmv2 Reponses only in the "effective" settings in Local Security
>>>>Policy. Also verify that the time on the problem server is correct
>>>>compared
>>>>to the domain controller and check day/time/month/year/time zone/AM&PM.
>>>>The
>>>>hisecweb.inf template will also disable some system services. Make sure
>>>>that
>>>>the dns client service and tcp/ip netbios helper services are started on
>>>>your server. Use nslookup on it to see if it can connect with it's dns
>>>>server and if it can use it to resolve host names. Nslookup will give an
>>>>error message that it can not find the name of your dns server if you do
>>>>not
>>>>have reverse dns zone configured but it still can display the IP address
>>>>of
>>>>the dns server.
>>>>
>>>>It sounds like your server for some reason is having difficulty with
>>>>network
>>>>communications on needed ports. Verify that tcp/ip filtering is not
>>>>enabled
>>>>on the network adapter. Look in tcp ip/properties/advanced/options/tcp
>>>>ip
>>>>filtering - properties to make sure it is not enabled. Then check to see
>>>>if
>>>>there is an ipsec policy assigned. The netdiag support tool will do such
>>>>and
>>>>it is a good idea to run netdiag anyhow looking for pertinent
>>>>errors/warnings/failed tests. The last test is the IP security test and
>>>>if
>>>>it shows that a policy is assigned then an incorrectly configured ipsec
>>>>policy could cause problems such as you are experiencing. Ipsec policies
>>>>can
>>>>be assigned or disabled in Local Security Policy. Beyond that I would
>>>>wonder if a security patch has caused a conflict on your server. If you
>>>>remove them in add and remove programs they will often reverse problems
>>>>they
>>>>have caused. If you are familiar with how to use netmon to observe
>>>>packet
>>>>traffic on a server, you could use it to see what traffic is going to
>>>>and
>>>>from your server such as if the server is receiving traffic from a
>>>>client
>>>>on
>>>>port 445 and if the server is responding or not. --- Steve
>>>>
>>>>http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 ---
>>>>netdiag
>>>>and how to install support tools.
>>>>
>>>>
>>>>"Mary S" <nomail@forme.com> wrote in message
>>>>news:0oju2195fq30882auhsd9h1ra7aho488rb@4ax.com...
>>>>> Hi Steve
>>>>>
>>>>> I have NOT applied the full security template yet. Only some of the
>>>>> attributes.
>>>>>
>>>>> I'm sure that I'm using the right ip number - see screendump (If the
>>>>> ip number fails, I don't
>>>>> think it will not work with the "computer name/P4" either, or?)
>>>>>
>>>>> No! I can't connect to any of the admin shares with my administrator
>>>>> account name and p/w
>>>>>
>>>>> Unfortunately your suggestion abt. the security option for Microsoft
>>>>> network server:D igitally sign communications(always) is set to
>>>>> disabled and lan manager authentication level is set to send ntlmv2
>>>>> reponses only, didn't work. See screendump settings.
>>>>>
>>>>> I made some new screendumps. If you like, please see the 4 dumps of
>>>>> the event viewer on the server. This I me (mr X) trying to logon from
>>>>> another client (XP) to a shared folder (exchange) on the server. Look
>>>>> at time stamp. I'm successfully logged in and thrown out within 60
>>>>> sec?
>>>>>
>>>>> Also see the screendumps from an XP client trying to logon. Please
>>>>> note that the sequence is a little difference from a w2k log in. XP
>>>>> clients repeatedly ask for credentials and never log on and gives no
>>>>> clue what so ever about the problem!
>>>>>
>>>>> I can't telnet into 445 on the server nor from the LAN nor on the
>>>>> server telnet localhost 445. (Port 139 using netbios has been closed
>>>>> for years). So how do I proceed. Could this be the problem?
>>>>>
>>>>> As I said - We where able to logon to the server before I started
>>>>> messing around with the policy.
>>>>>
>>>>> Some other things I have been thinking about/done - some personal
>>>>> notes;
>>>>> Can't map any drives from the server to another shares on the LAN.
>>>>> When restarting the server it takes about 5 min before the server is
>>>>> online. Why this delay? Static ip used! Ping out from the server okey.
>>>>> NetBios over TCP/IP disabled. No soft firewall active on the server.
>>>>> Firewall disabled on the xp client. Checked hosts files..
>>>>>
>>>>> Thanks for your time
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, 8 Mar 2005 16:29:42 -0600, "Steven L Umbach"
>>>>> <n9rou@nospam-comcast.net> wrote:
>>>>>
>>>>>>It looks like your server is configured properly as far as the server
>>>>>>service running and the share existing and ping shows that you have
>>>>>>basic
>>>>>>network connectivity. You said that you have not actually applied the
>>>>>>security template yet?? Make sure you are using the correct IP
>>>>>>address
>>>>>>to
>>>>>>connect to the share. I see that you have two IP addresses listed in
>>>>>>your
>>>>>>screendumps? If name resolution is correct you should be able to use
>>>>>>the
>>>>>>computer name as in \\p4\exchange. Were you as an administrator able
>>>>>>to
>>>>>>access an administrative share such as C$ on that computer from a
>>>>>>problem
>>>>>>client?? Also If possible show me a screendump that shows the security
>>>>>>options for the server and the client that you are trying to access
>>>>>>the
>>>>>>server from. At least the security options from the server would be
>>>>>>helpful.
>>>>>>There are two security options - digitally sign communications and lan
>>>>>>manger authentication level that need to be compatible.
>>>>>>
>>>>>>What you could try is on the server make sure that the security option
>>>>>>for
>>>>>>Microsoft network server:D igitally sign communications(always) is set
>>>>>>to
>>>>>>disabled and lan manager authentication level is set to send ntlmv2
>>>>>>reponses
>>>>>>only. Make sure those settings show as "effective" settings in Local
>>>>>>Security Policy after running " secedit /refreshpolicy machine_policy
>>>>>>/enforce on it. From a client computer make sure that port 139 TCP or
>>>>>>445
>>>>>>TCP is open on the server to the client. A quick way to do this is to
>>>>>>use
>>>>>>telent as in " telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is
>>>>>>the
>>>>>>IP
>>>>>>address of the server you are trying to access. If the port is open
>>>>>>you
>>>>>>will
>>>>>>get a blank command screen with a blinking cursor. If the port is
>>>>>>closed
>>>>>>you
>>>>>>will get an access denied message. If you think the problem could be a
>>>>>>security update, you can uninstall most of them in add and remove
>>>>>>rograms. --- Steve
>>>>>>
>>>>>>
>>>>>>"Mary S" <nomail@forme.com> wrote in message
>>>>>>news:rhgr21tb20rcs5cgcf6qv5phvi4k99kfsu@4ax.com...
>>>>>>> Hi again
>>>>>>>
>>>>>>> Ok! I'm in big trouble now! Somewhere during the journey of securing
>>>>>>> the server I must have
>>>>>>> done something wrong. And I'm almost sure that it has to do with the
>>>>>>> hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
>>>>>>> via windows update all at the same time.
>>>>>>>
>>>>>>> I have made some screendumps here http://web.telia.com/~u42115338/
>>>>>>> and
>>>>>>> maybe it could give you some new ideas.
>>>>>>>
>>>>>>> Yor reply highly appreciated
>>>>>>> Thanks
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
>>>>>>> <n9rou@nospam-comcast.net> wrote:
>>>>>>>
>>>>>>>>What exactly do you mean that the share disappeared? Is this the
>>>>>>>>only
>>>>>>>>share
>>>>>>>>on the server and if not can the other shares be accessed? When you
>>>>>>>>go
>>>>>>>>to
>>>>>>>>the server does it still show that the share exists? Verify that
>>>>>>>>file
>>>>>>>>and
>>>>>>>>print sharing is enabled and that the server service is running on
>>>>>>>>the
>>>>>>>>server. Run the command net config server to see if it reports that
>>>>>>>>the
>>>>>>>>computer is configured to share resources and the command net share
>>>>>>>>to
>>>>>>>>see
>>>>>>>>if the share and IPC$ are shown. Try to ping the server from the
>>>>>>>>clients
>>>>>>>>by
>>>>>>>>name and IP address. See if you can access administrative shares
>>>>>>>>from
>>>>>>>>a
>>>>>>>>client computer that is showing the problem such as C$. Run the
>>>>>>>>support
>>>>>>>>tool
>>>>>>>>netdiag and that server to see if it reports any particular
>>>>>>>>problems.
>>>>>>>>It
>>>>>>>>is
>>>>>>>>possible that incompatible security options for digitally sign
>>>>>>>>commumications, lan manager authentication level, or other security
>>>>>>>>options
>>>>>>>>could be causing a problem if they were changed on the server. --
>>>>>>>>Steve
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
!