hisecweb.inf

Archived from groups: microsoft.public.win2000.security (More info?)

Hi

hope this is the right ng

I'm trying to implement the abv policy. But where do I change
the settings for event logs. Is this done in the registry?

thanks in advance

mary s
  1.

    The easiest way is to import the security template into the Local Security
    Policy or possibly at the Organizational Unit level that contains servers
    you want to apply it to via a Group Policy assuming you want to implement
    the security template as it is. If it includes settings for services,
    Restricted Groups, file system, or registry you can not simply import it
    into the Local Security Policy but you could use secedit or the Security
    Configuration and Analysis tool to apply it. I suggest that you first use
    the Security Configuration and Analysis tool which is a mmc snapin to
    analyze the computer with that template to see exactly what changes it will
    implement before you do apply the template and that you make a full image
    type backup of your server first so that you have a rollback plan as these
    high security templates often have unintended consequences particularly if
    the server is also running other applications or services that would not
    normally be found on a dedicated web server. See the link below on using
    the Security Configuration and Analysis tool. There is a lot of information
    for secedit in the Windows built in help or using secedit /?. --- Steve

    http://www.lokbox.net/SecureXP/secAnalysis.asp

    "Mary S" <nomail@forme.com> wrote in message
    news:4sgl219hjoe5aqvrid3ht82jlm16ik81ud@4ax.com...
    > Hi
    >
    > hope this is the right ng
    >
    > I'm trying to implement the abv policy. But where do I change
    > the settings for event logs. Is this done in the registry?
    >
    > thanks in advance
    >
    > mary s
  2.

    Okay! I found the answer - I/You have to tweak the
    registry. Here you can read abt it or buy the program
    http://www.winguides.com/registry/display.php/351/


    On Sun, 06 Mar 2005 08:47:32 GMT, Mary S <nomail@forme.com> wrote:

    >Hi
    >
    >hope this is the right ng
    >
    >I'm trying to implement the abv policy. But where do I change
    >the settings for event logs. Is this done in the registry?
    >
    >thanks in advance
    >
    >mary s
  3.

    So I'm back again with the next question

    Why don't I see this

    http://www.microsoft.com/technet/images/prodtechnol/windows2000serv/maintain/monitor/images/lgonof02_BIG.gif

    Is it because we have a w2k server stand alone and no domain
    controller or domain for that matter?

    I need to change the retention method for the security log

    Tia


    On Sun, 06 Mar 2005 13:43:44 GMT, Mary S <nomail@forme.com> wrote:

    >Okay! I found the answer - I/You have to tweak the
    >registry. Here you can read abt it or buy the program
    >http://www.winguides.com/registry/display.php/351/
    >
    >
    >
    >
    >
    >On Sun, 06 Mar 2005 08:47:32 GMT, Mary S <nomail@forme.com> wrote:
    >
    >>Hi
    >>
    >>hope this is the right ng
    >>
    >>I'm trying to implement the abv policy. But where do I change
    >>the settings for event logs. Is this done in the registry?
    >>
    >>thanks in advance
    >>
    >>mary s
  4.

    Hi Steve

    Thank you for your handsome explanation. What I'm trying to do is to
    strengthen a w2k server against intruders both locally and remotely.
    I'm using the hisecweb.inf file as a guideline at this point.

    I have not executed the "configure the comp..

    I'm going through every separate suggestion. I can't say I understand
    everything. But I'm learning slowly but consistently. The objective
    being to produce our own security setting inf file as according to NSA
    guides.

    Even though I have been careful adjusting the settings, I still managed
    to make a shared folder on the server disappear and I don't know where
    it went wrong. I keep getting "The network path
    \\192.168.0.10\share\ could not be found" from the clients.

    Any suggestions highly appreciated

    (F.y.g. Since last time I have connected to the shared folder I have
    installed the latest 6-7 security patches otherwise I can't think of
    any other things)


    Thanks again


    On Sun, 6 Mar 2005 12:09:05 -0600, "Steven L Umbach"
    <n9rou@nospam-comcast.net> wrote:

    >The easiest way is to import the security template into the Local Security
    >Policy or possibly at the Organizational Unit level that contains servers
    >you want to apply it to via a Group Policy assuming you want to implement
    >the security template as it is. If it includes settings for services,
    >Restricted Groups, file system, or registry you can not simply import it
    >into the Local Security Policy but you could use secedit or the Security
    >Configuration and Analysis tool to apply it. I suggest that you first use
    >the Security Configuration and Analysis tool which is a mmc snapin to
    >analyze the computer with that template to see exactly what changes it will
    >implement before you do apply the template and that you make a full image
    >type backup of your server first so that you have a rollback plan as these
    >high security templates often have unintended consequences particularly if
    >the server is also running other applications or services that would not
    >normally be found on a dedicated web server. See the link below on using
    >the Security Configuration and Analysis tool. There is a lot of information
    >for secedit in the Windows built in help or using secedit /?. --- Steve
    >
    >http://www.lokbox.net/SecureXP/secAnalysis.asp
  5.

    What exactly do you mean that the share disappeared? Is this the only share
    on the server and if not can the other shares be accessed? When you go to
    the server does it still show that the share exists? Verify that file and
    print sharing is enabled and that the server service is running on the
    server. Run the command net config server to see if it reports that the
    computer is configured to share resources and the command net share to see
    if the share and IPC$ are shown. Try to ping the server from the clients by
    name and IP address. See if you can access administrative shares from a
    client computer that is showing the problem such as C$. Run the support tool
    netdiag on that server to see if it reports any particular problems. It is
    possible that incompatible security options for digitally sign
    communications, lan manager authentication level, or other security options
    could be causing a problem if they were changed on the server. -- Steve


    "Mary S" <nomail@forme.com> wrote in message
    news:3eqo21p9dn8vukn878p0c2mf46afspohmp@4ax.com...
    > Hi Steve
    >
    > Thank you for your handsome explanation. What I'm trying to do is to
    > strengthen a w2k server against intruders both locally and remotely.
    > I'm using the hisecweb.inf file as a guideline at this point.
    >
    > I have not executed the "configure the comp..
    >
    > I'm going through every separate suggestion. I can't say I understand
    > everything. But I'm learning slowly but consistently. The objective
    > being to produce our own security setting inf file as according to NSA
    > guides.
    >
    > Even though I have been careful adjusting the settings, I still managed
    > to make a shared folder on the server disappear and I don't know where
    > it went wrong. I keep getting "The network path
    > \\192.168.0.10\share\ could not be found" from the clients.
    >
    > Any suggestions highly appreciated
    >
    > (F.y.g. Since last time I have connected to the shared folder I have
    > installed the latest 6-7 security patches otherwise I can't think of
    > any other things)
    >
    >
    > Thanks again
    >
    >
    > On Sun, 6 Mar 2005 12:09:05 -0600, "Steven L Umbach"
    > <n9rou@nospam-comcast.net> wrote:
    >
    >>The easiest way is to import the security template into the Local Security
    >>Policy or possibly at the Organizational Unit level that contains servers
    >>you want to apply it to via a Group Policy assuming you want to implement
    >>the security template as it is. If it includes settings for services,
    >>Restricted Groups, file system, or registry you can not simply import it
    >>into the Local Security Policy but you could use secedit or the Security
    >>Configuration and Analysis tool to apply it. I suggest that you first use
    >>the Security Configuration and Analysis tool which is a mmc snapin to
    >>analyze the computer with that template to see exactly what changes it
    >>will
    >>implement before you do apply the template and that you make a full image
    >>type backup of your server first so that you have a rollback plan as these
    >>high security templates often have unintended consequences particularly if
    >>the server is also running other applications or services that would not
    >>normally be found on a dedicated web server. See the link below on using
    >>the Security Configuration and Analysis tool. There is a lot of
    >>information
    >>for secedit in the Windows built in help or using secedit /?. --- Steve
    >>
    >>http://www.lokbox.net/SecureXP/secAnalysis.asp
    >
  6.

    Hi again

    Ok! I'm in big trouble now! Somewhere during the journey of securing
    the server I must have
    done something wrong. And I'm almost sure that it has to do with the
    hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
    via windows update all at the same time.

    I have made some screendumps here http://web.telia.com/~u42115338/ and
    maybe it could give you some new ideas.

    Your reply highly appreciated
    Thanks


    On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
    <n9rou@nospam-comcast.net> wrote:

    >What exactly do you mean that the share disappeared? Is this the only share
    >on the server and if not can the other shares be accessed? When you go to
    >the server does it still show that the share exists? Verify that file and
    >print sharing is enabled and that the server service is running on the
    >server. Run the command net config server to see if it reports that the
    >computer is configured to share resources and the command net share to see
    >if the share and IPC$ are shown. Try to ping the server from the clients by
    >name and IP address. See if you can access administrative shares from a
    >client computer that is showing the problem such as C$. Run the support tool
    >netdiag on that server to see if it reports any particular problems. It is
    >possible that incompatible security options for digitally sign
    >communications, lan manager authentication level, or other security options
    >could be causing a problem if they were changed on the server. -- Steve
    >
    >
  7.

    It looks like your server is configured properly as far as the server
    service running and the share existing and ping shows that you have basic
    network connectivity. You said that you have not actually applied the
    security template yet?? Make sure you are using the correct IP address to
    connect to the share. I see that you have two IP addresses listed in your
    screendumps? If name resolution is correct you should be able to use the
    computer name as in \\p4\exchange. Were you as an administrator able to
    access an administrative share such as C$ on that computer from a problem
    client?? Also If possible show me a screendump that shows the security
    options for the server and the client that you are trying to access the
    server from. At least the security options from the server would be helpful.
    There are two security options - digitally sign communications and lan
    manager authentication level that need to be compatible.

    What you could try is on the server make sure that the security option for
    Microsoft network server:digitally sign communications(always) is set to
    disabled and lan manager authentication level is set to send ntlmv2 responses
    only. Make sure those settings show as "effective" settings in Local
    Security Policy after running "secedit /refreshpolicy machine_policy
    /enforce" on it. From a client computer make sure that port 139 TCP or 445
    TCP is open on the server to the client. A quick way to do this is to use
    telnet as in "telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is the IP
    address of the server you are trying to access. If the port is open you will
    get a blank command screen with a blinking cursor. If the port is closed you
    will get an access denied message. If you think the problem could be a
    security update, you can uninstall most of them in add and remove
    programs. --- Steve


    "Mary S" <nomail@forme.com> wrote in message
    news:rhgr21tb20rcs5cgcf6qv5phvi4k99kfsu@4ax.com...
    > Hi again
    >
    > Ok! I'm in big trouble now! Somewhere during the journey of securing
    > the server I must have
    > done something wrong. And I'm almost sure that it has to do with the
    > hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
    > via windows update all at the same time.
    >
    > I have made some screendumps here http://web.telia.com/~u42115338/ and
    > maybe it could give you some new ideas.
    >
    > Your reply highly appreciated
    > Thanks
    >
    >
    >
    >
    >
    > On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
    > <n9rou@nospam-comcast.net> wrote:
    >
    >>What exactly do you mean that the share disappeared? Is this the only
    >>share
    >>on the server and if not can the other shares be accessed? When you go to
    >>the server does it still show that the share exists? Verify that file and
    >>print sharing is enabled and that the server service is running on the
    >>server. Run the command net config server to see if it reports that the
    >>computer is configured to share resources and the command net share to see
    >>if the share and IPC$ are shown. Try to ping the server from the clients
    >>by
    >>name and IP address. See if you can access administrative shares from a
    >>client computer that is showing the problem such as C$. Run the support
    >>tool
    >>netdiag on that server to see if it reports any particular problems. It
    >>is
    >>possible that incompatible security options for digitally sign
    >>communications, lan manager authentication level, or other security
    >>options
    >>could be causing a problem if they were changed on the server. -- Steve
    >>
    >>
    >
  8.

    Hi Steve

    I have NOT applied the full security template yet. Only some of the
    attributes.

    I'm sure that I'm using the right ip number - see screendump (If the
    ip number fails, I don't
    think it will not work with the "computer name/P4" either, or?)

    No! I can't connect to any of the admin shares with my administrator
    account name and p/w

    Unfortunately your suggestion abt. the security option for Microsoft
    network server:digitally sign communications(always) is set to
    disabled and lan manager authentication level is set to send ntlmv2
    responses only, didn't work. See screendump settings.

    I made some new screendumps. If you like, please see the 4 dumps of
    the event viewer on the server. This is me (mr X) trying to logon from
    another client (XP) to a shared folder (exchange) on the server. Look
    at time stamp. I'm successfully logged in and thrown out within 60
    sec?

    Also see the screendumps from an XP client trying to logon. Please
    note that the sequence is a little different from a w2k log in. XP
    clients repeatedly ask for credentials and never log on and give no
    clue whatsoever about the problem!

    I can't telnet into 445 on the server nor from the LAN nor on the
    server telnet localhost 445. (Port 139 using netbios has been closed
    for years). So how do I proceed. Could this be the problem?

    As I said - We were able to logon to the server before I started
    messing around with the policy.

    Some other things I have been thinking about/done - some personal
    notes;
    Can't map any drives from the server to other shares on the LAN.
    When restarting the server it takes about 5 min before the server is
    online. Why this delay? Static ip used! Ping out from the server okay.
    NetBios over TCP/IP disabled. No soft firewall active on the server.
    Firewall disabled on the xp client. Checked hosts files..

    Thanks for your time


    On Tue, 8 Mar 2005 16:29:42 -0600, "Steven L Umbach"
    <n9rou@nospam-comcast.net> wrote:

    >It looks like your server is configured properly as far as the server
    >service running and the share existing and ping shows that you have basic
    >network connectivity. You said that you have not actually applied the
    >security template yet?? Make sure you are using the correct IP address to
    >connect to the share. I see that you have two IP addresses listed in your
    >screendumps? If name resolution is correct you should be able to use the
    >computer name as in \\p4\exchange. Were you as an administrator able to
    >access an administrative share such as C$ on that computer from a problem
    >client?? Also If possible show me a screendump that shows the security
    >options for the server and the client that you are trying to access the
    >server from. At least the security options from the server would be helpful.
    >There are two security options - digitally sign communications and lan
    >manager authentication level that need to be compatible.
    >
    >What you could try is on the server make sure that the security option for
    >Microsoft network server:digitally sign communications(always) is set to
    >disabled and lan manager authentication level is set to send ntlmv2 responses
    >only. Make sure those settings show as "effective" settings in Local
    >Security Policy after running "secedit /refreshpolicy machine_policy
    >/enforce" on it. From a client computer make sure that port 139 TCP or 445
    >TCP is open on the server to the client. A quick way to do this is to use
    >telnet as in "telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is the IP
    >address of the server you are trying to access. If the port is open you will
    >get a blank command screen with a blinking cursor. If the port is closed you
    >will get an access denied message. If you think the problem could be a
    >security update, you can uninstall most of them in add and remove
    >programs. --- Steve
    >
    >
    >"Mary S" <nomail@forme.com> wrote in message
    >news:rhgr21tb20rcs5cgcf6qv5phvi4k99kfsu@4ax.com...
    >> Hi again
    >>
    >> Ok! I'm in big trouble now! Somewhere during the journey of securing
    >> the server I must have
    >> done something wrong. And I'm almost sure that it has to do with the
    >> hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
    >> via windows update all at the same time.
    >>
    >> I have made some screendumps here http://web.telia.com/~u42115338/ and
    >> maybe it could give you some new ideas.
    >>
    >> Your reply highly appreciated
    >> Thanks
    >>
    >>
    >>
    >>
    >>
    >> On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
    >> <n9rou@nospam-comcast.net> wrote:
    >>
    >>>What exactly do you mean that the share disappeared? Is this the only
    >>>share
    >>>on the server and if not can the other shares be accessed? When you go to
    >>>the server does it still show that the share exists? Verify that file and
    >>>print sharing is enabled and that the server service is running on the
    >>>server. Run the command net config server to see if it reports that the
    >>>computer is configured to share resources and the command net share to see
    >>>if the share and IPC$ are shown. Try to ping the server from the clients
    >>>by
    >>>name and IP address. See if you can access administrative shares from a
    >>>client computer that is showing the problem such as C$. Run the support
    >>>tool
    >>>netdiag on that server to see if it reports any particular problems. It
    >>>is
    >>>possible that incompatible security options for digitally sign
    >>>communications, lan manager authentication level, or other security
    >>>options
    >>>could be causing a problem if they were changed on the server. -- Steve
    >>>
    >>>
    >>
    >
  9.

    Hi Mary.

    Hmm. Since you have port 139 TCP disabled then the only way that users can
    access a share over the regular network would be port 445 TCP and since that
    can not be accessed explains part of the problem. The fact that it takes
    five minutes to boot up and you can not access any shares indicates possible
    related problems. Try booting into safemode with networking to see what
    happens as that will bypass most startup applications and ipsec policy if
    one is enabled. I did not really see anything in your security options that
    looks like a problem except the one security option for additional
    restrictions for anonymous access should be set to "none - rely on default
    permissions" [though I doubt it is the culprit] until the problem is
    resolved and verify that it and the lan manager authentication level shows
    send ntlmv2 responses only in the "effective" settings in Local Security
    Policy. Also verify that the time on the problem server is correct compared
    to the domain controller and check day/time/month/year/time zone/AM&PM. The
    hisecweb.inf template will also disable some system services. Make sure that
    the dns client service and tcp/ip netbios helper services are started on
    your server. Use nslookup on it to see if it can connect with its dns
    server and if it can use it to resolve host names. Nslookup will give an
    error message that it can not find the name of your dns server if you do not
    have reverse dns zone configured but it still can display the IP address of
    the dns server.

    It sounds like your server for some reason is having difficulty with network
    communications on needed ports. Verify that tcp/ip filtering is not enabled
    on the network adapter. Look in tcp ip/properties/advanced/options/tcp ip
    filtering - properties to make sure it is not enabled. Then check to see if
    there is an ipsec policy assigned. The netdiag support tool will do such and
    it is a good idea to run netdiag anyhow looking for pertinent
    errors/warnings/failed tests. The last test is the IP security test and if
    it shows that a policy is assigned then an incorrectly configured ipsec
    policy could cause problems such as you are experiencing. Ipsec policies can
    be assigned or disabled in Local Security Policy. Beyond that I would
    wonder if a security patch has caused a conflict on your server. If you
    remove them in add and remove programs they will often reverse problems they
    have caused. If you are familiar with how to use netmon to observe packet
    traffic on a server, you could use it to see what traffic is going to and
    from your server such as if the server is receiving traffic from a client on
    port 445 and if the server is responding or not. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag
    and how to install support tools.


    "Mary S" <nomail@forme.com> wrote in message
    news:0oju2195fq30882auhsd9h1ra7aho488rb@4ax.com...
    > Hi Steve
    >
    > I have NOT applied the full security template yet. Only some of the
    > attributes.
    >
    > I'm sure that I'm using the right ip number - see screendump (If the
    > ip number fails, I don't
    > think it will not work with the "computer name/P4" either, or?)
    >
    > No! I can't connect to any of the admin shares with my administrator
    > account name and p/w
    >
    > Unfortunately your suggestion abt. the security option for Microsoft
    > network server:digitally sign communications(always) is set to
    > disabled and lan manager authentication level is set to send ntlmv2
    > responses only, didn't work. See screendump settings.
    >
    > I made some new screendumps. If you like, please see the 4 dumps of
    > the event viewer on the server. This is me (mr X) trying to logon from
    > another client (XP) to a shared folder (exchange) on the server. Look
    > at time stamp. I'm successfully logged in and thrown out within 60
    > sec?
    >
    > Also see the screendumps from an XP client trying to logon. Please
    > note that the sequence is a little different from a w2k log in. XP
    > clients repeatedly ask for credentials and never log on and give no
    > clue whatsoever about the problem!
    >
    > I can't telnet into 445 on the server nor from the LAN nor on the
    > server telnet localhost 445. (Port 139 using netbios has been closed
    > for years). So how do I proceed. Could this be the problem?
    >
    > As I said - We were able to logon to the server before I started
    > messing around with the policy.
    >
    > Some other things I have been thinking about/done - some personal
    > notes;
    > Can't map any drives from the server to other shares on the LAN.
    > When restarting the server it takes about 5 min before the server is
    > online. Why this delay? Static ip used! Ping out from the server okay.
    > NetBios over TCP/IP disabled. No soft firewall active on the server.
    > Firewall disabled on the xp client. Checked hosts files..
    >
    > Thanks for your time
    >
    >
    >
    >
    >
    > On Tue, 8 Mar 2005 16:29:42 -0600, "Steven L Umbach"
    > <n9rou@nospam-comcast.net> wrote:
    >
    >>It looks like your server is configured properly as far as the server
    >>service running and the share existing and ping shows that you have basic
    >>network connectivity. You said that you have not actually applied the
    >>security template yet?? Make sure you are using the correct IP address to
    >>connect to the share. I see that you have two IP addresses listed in your
    >>screendumps? If name resolution is correct you should be able to use the
    >>computer name as in \\p4\exchange. Were you as an administrator able to
    >>access an administrative share such as C$ on that computer from a problem
    >>client?? Also If possible show me a screendump that shows the security
    >>options for the server and the client that you are trying to access the
    >>server from. At least the security options from the server would be
    >>helpful.
    >>There are two security options - digitally sign communications and lan
    >>manager authentication level that need to be compatible.
    >>
    >>What you could try is on the server make sure that the security option for
    >>Microsoft network server:digitally sign communications(always) is set to
    >>disabled and lan manager authentication level is set to send ntlmv2
    >>responses
    >>only. Make sure those settings show as "effective" settings in Local
    >>Security Policy after running "secedit /refreshpolicy machine_policy
    >>/enforce" on it. From a client computer make sure that port 139 TCP or 445
    >>TCP is open on the server to the client. A quick way to do this is to use
    >>telnet as in "telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is the IP
    >>address of the server you are trying to access. If the port is open you
    >>will
    >>get a blank command screen with a blinking cursor. If the port is closed
    >>you
    >>will get an access denied message. If you think the problem could be a
    >>security update, you can uninstall most of them in add and remove
    >>programs. --- Steve
    >>
    >>
    >>"Mary S" <nomail@forme.com> wrote in message
    >>news:rhgr21tb20rcs5cgcf6qv5phvi4k99kfsu@4ax.com...
    >>> Hi again
    >>>
    >>> Ok! I'm in big trouble now! Somewhere during the journey of securing
    >>> the server I must have
    >>> done something wrong. And I'm almost sure that it has to do with the
    >>> hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
    >>> via windows update all at the same time.
    >>>
    >>> I have made some screendumps here http://web.telia.com/~u42115338/ and
    >>> maybe it could give you some new ideas.
    >>>
    >>> Your reply highly appreciated
    >>> Thanks
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
    >>> <n9rou@nospam-comcast.net> wrote:
    >>>
    >>>>What exactly do you mean that the share disappeared? Is this the only
    >>>>share
    >>>>on the server and if not can the other shares be accessed? When you go
    >>>>to
    >>>>the server does it still show that the share exists? Verify that file
    >>>>and
    >>>>print sharing is enabled and that the server service is running on the
    >>>>server. Run the command net config server to see if it reports that the
    >>>>computer is configured to share resources and the command net share to
    >>>>see
    >>>>if the share and IPC$ are shown. Try to ping the server from the
    >>>>clients
    >>>>by
    >>>>name and IP address. See if you can access administrative shares from a
    >>>>client computer that is showing the problem such as C$. Run the support
    >>>>tool
    >>>>netdiag on that server to see if it reports any particular problems. It
    >>>>is
    >>>>possible that incompatible security options for digitally sign
    >>>>communications, lan manager authentication level, or other security
    >>>>options
    >>>>could be causing a problem if they were changed on the server. -- Steve
    >>>>
    >>>>
    >>>
    >>
    >
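
Steve's replies above name the template settings that most often break share access (the Server, DNS Client and TCP/IP NetBIOS Helper services, "digitally sign communications (always)", the LAN Manager authentication level, the anonymous-access restriction), and the original question asked where event log settings live. The following is an added example, not code from the thread or from Microsoft: it parses a file in security-template .inf syntax and flags those entries before the template is applied. The sample template is constructed and is not the contents of hisecweb.inf; the finding tags are hypothetical names.

```python
# Flag security-template (.inf) settings that commonly break SMB share access.
# Constructed sample in security-template syntax; NOT the contents of hisecweb.inf.
SAMPLE_TEMPLATE = r'''
[Version]
signature="$CHICAGO$"
Revision=1
[Security Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
[Service General Setting]
"Dnscache",4,""
"LmHosts",4,""
"W3SVC",2,""
'''

LSA = "machine\\system\\currentcontrolset\\control\\lsa\\"
KEY_LM = LSA + "lmcompatibilitylevel"
KEY_ANON = LSA + "restrictanonymous"
KEY_SIGN = ("machine\\system\\currentcontrolset\\services\\lanmanserver"
            "\\parameters\\requiresecuritysignature")
# Services the thread says file sharing depends on (short name -> display name).
SHARE_SERVICES = {"lanmanserver": "Server", "dnscache": "DNS Client",
                  "lmhosts": "TCP/IP NetBIOS Helper"}
RETENTION = {"0": "overwrite as needed", "1": "overwrite by days",
             "2": "do not overwrite (clear manually)"}

def parse_template(text):
    """Return {lower-cased section name: [non-empty, non-comment lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def registry_dwords(sections):
    """Map registry path -> int for 'path=4,value' lines (type 4 is REG_DWORD)."""
    out = {}
    for line in sections.get("registry values", []):
        path, _, rhs = line.partition("=")
        reg_type, _, value = (p.strip().strip('"') for p in rhs.partition(","))
        if reg_type == "4" and value.isdigit():
            out[path.strip().strip('"').lower()] = int(value)
    return out

def service_startup(sections):
    """Map service short name -> startup type (2 auto, 3 manual, 4 disabled)."""
    out = {}
    for line in sections.get("service general setting", []):
        fields = [f.strip().strip('"') for f in line.split(",", 2)]
        if len(fields) >= 2 and fields[1].isdigit():
            out[fields[0].lower()] = int(fields[1])
    return out

def event_log_settings(sections):
    """Map (log section, key) -> value for the three event-log sections."""
    out = {}
    for log in ("system log", "security log", "application log"):
        for line in sections.get(log, []):
            key, _, value = line.partition("=")
            out[(log, key.strip())] = value.strip()
    return out

def review(text):
    """Return (tag, message) findings for one template, in a fixed order."""
    sections = parse_template(text)
    reg, svc = registry_dwords(sections), service_startup(sections)
    findings = []
    lm = reg.get(KEY_LM)
    if lm is not None and lm >= 4:
        findings.append(("lm-level", f"LmCompatibilityLevel={lm}: LM"
                         + (" and NTLM" if lm >= 5 else "") + " logons are refused"))
    if reg.get(KEY_SIGN) == 1:
        findings.append(("smb-signing", "server always requires SMB signing; "
                         "clients that cannot sign are rejected"))
    if reg.get(KEY_ANON, 0) > 0:
        findings.append(("restrict-anonymous",
                         f"RestrictAnonymous={reg[KEY_ANON]} (0 = rely on default permissions)"))
    for name, display in SHARE_SERVICES.items():
        if svc.get(name) == 4:
            findings.append(("service-disabled", f"{display} ({name}) set to Disabled"))
    for (log, key), value in event_log_settings(sections).items():
        if key.lower() == "auditlogretentionperiod":
            findings.append(("log-retention", f"[{log}] {RETENTION.get(value, value)}"))
    return findings

if __name__ == "__main__":
    for tag, message in review(SAMPLE_TEMPLATE):
        print(f"{tag:20} {message}")
```
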
  10.

    Hi Steve

    Just to thank you for your time spent on my problem. I'm going
    to sit back for the weekend read through my notes. Maybe I can find
    something I have done earlier on?

    Could also "open" for port 139 on the LAN - We don't have same
    security aspect as on the internet.

    One thing is sure - Our server has never been that secure before. No
    one can access anything any longer ;-)

    Kind regards
    Mary S


    On Wed, 9 Mar 2005 20:56:40 -0600, "Steven L Umbach"
    <n9rou@n0-spam-for-me-comcast.net> wrote:

    >Hi Mary.
    >
    >Hmm. Since you have port 139 TCP disabled then the only way that users can
    >access a share over the regular network would be port 445 TCP and since that
    >can not be accessed explains part of the problem. The fact that it takes
    >five minutes to boot up and you can not access any shares indicates possible
    >related problems. Try booting into safemode with networking to see what
    >happens as that will bypass most startup applications and ipsec policy if
    >one is enabled. I did not really see anything in your security options that
    >looks like a problem except the one security option for additional
    >restrictions for anonymous access should be set to "none - rely on default
    >permissions" [though I doubt it is the culprit] until the problem is
    >resolved and verify that it and the lan manager authentication level shows
    >send ntlmv2 Responses only in the "effective" settings in Local Security
    >Policy. Also verify that the time on the problem server is correct compared
    >to the domain controller and check day/time/month/year/time zone/AM&PM. The
    >hisecweb.inf template will also disable some system services. Make sure that
    >the dns client service and tcp/ip netbios helper services are started on
    >your server. Use nslookup on it to see if it can connect with its dns
    >server and if it can use it to resolve host names. Nslookup will give an
    >error message that it can not find the name of your dns server if you do not
    >have reverse dns zone configured but it still can display the IP address of
    >the dns server.
    >
    >It sounds like your server for some reason is having difficulty with network
    >communications on needed ports. Verify that tcp/ip filtering is not enabled
    >on the network adapter. Look in tcp ip/properties/advanced/options/tcp ip
    >filtering - properties to make sure it is not enabled. Then check to see if
    >there is an ipsec policy assigned. The netdiag support tool will do such and
    >it is a good idea to run netdiag anyhow looking for pertinent
    >errors/warnings/failed tests. The last test is the IP security test and if
    >it shows that a policy is assigned then an incorrectly configured ipsec
    >policy could cause problems such as you are experiencing. Ipsec policies can
    >be assigned or disabled in Local Security Policy. Beyond that I would
    >wonder if a security patch has caused a conflict on your server. If you
    >remove them in add and remove programs they will often reverse problems they
    >have caused. If you are familiar with how to use netmon to observe packet
    >traffic on a server, you could use it to see what traffic is going to and
    >from your server such as if the server is receiving traffic from a client on
    >port 445 and if the server is responding or not. --- Steve
    >
    >http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 --- netdiag
    >and how to install support tools.
    >>>>
    >>>
    >>
    >
  11. Archived from groups: microsoft.public.win2000.security

    OK. I hope you make some progress. Yes it is easier than many think to lock
    your own users from access. --- Steve


    "Mary S" <nomail@forme.com> wrote in message
    news:479131l1pdq6267ukc6kvtqb63skddbpd5@4ax.com...
    > Hi Steve
    >
    > Just to thank you for your time spent on my problem. I'm going
    > to sit back for the weekend read through my notes. Maybe I can find
    > something I have done earlier on?
    >
    > Could also "open" for port 139 on the LAN - We don't have same
    > security aspect as on the internet.
    >
    > One thing is sure - Our server has never been that secure before. No
    > one can access anything any longer ;-)
    >
    > Kind regards
    > Mary S
    >
  12. Archived from groups: microsoft.public.win2000.security

    Hi Steve - problem solved :-)

    I sat down and read my notes already last night - noted that
    sometime last week I did disable NetBios over TCP/IP in Device
    Manager according to advice given to me via an article about
    security. Changed the driver to automatic and was now able to
    connect to the server again :-)

    I should obviously have read my note earlier, but I was quite sure
    that it had to do with the policies - my mistake.

    Again Steve thanks a lot - you gave me the clue where to look!

    Until next time,
    hugs Mary

    ...and port 139 still closed..


    On Thu, 10 Mar 2005 14:34:20 -0600, "Steven L Umbach"
    <n9rou@nospam-comcast.net> wrote:

    >OK. I hope you make some progress. Yes it is easier than many think to lock
    >your own users from access. --- Steve
    >
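The telnet test used in this thread, written out as a script (an added example, not part of the original posts): it probes TCP 139 and 445 and compares a probe run on the server itself with one run from a client, which separates a missing listener from filtering in between. The function names and the wording of the verdicts are assumptions of this example; the checks they point to are the ones named in the thread.

```python
"""Added example: separate "no SMB listener" from "blocked in transit".

Run probe_smb("127.0.0.1") on the server and probe_smb(<server address>)
on a client, then hand both results to diagnose().
"""
import socket

# The two TCP ports discussed in the thread.
SMB_PORTS = (139, 445)


def probe(host, port, timeout=2.0):
    """Classify one TCP port.

    'open'     - the handshake completed, so something is listening
    'closed'   - the connection was refused: host reachable, no listener
    'filtered' - timeout or network error, typical of a packet filter
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts and unreachable-host errors land here
        return "filtered"
    finally:
        sock.close()


def probe_smb(host, timeout=2.0):
    """Probe both SMB ports on one host and return {port: state}."""
    return {port: probe(host, port, timeout) for port in SMB_PORTS}


def diagnose(local, remote):
    """Map the two probe results to the next area to check.

    local  - probe_smb("127.0.0.1") taken on the server
    remote - probe_smb(server_address) taken on a client
    Returns (verdict, advice); the verdict strings are this example's own.
    """
    local_open = {p for p, state in local.items() if state == "open"}
    remote_open = {p for p, state in remote.items() if state == "open"}

    if remote_open:
        # The client reaches a listener, so failures are above the transport.
        return ("transport-ok",
                "Compare the digitally sign communications and LAN Manager "
                "authentication level options on server and client.")
    if local_open:
        # The server listens but the client cannot reach it.
        return ("blocked-in-transit",
                "Check TCP/IP filtering on the adapter, an assigned IPsec "
                "policy, and any firewall between client and server.")
    # Nothing answers even on loopback: filters are not the first suspect.
    return ("no-listener",
            "Check the Server service, the TCP/IP NetBIOS Helper service "
            "and the NetBIOS over TCP/IP driver on the server.")


if __name__ == "__main__":
    # Constructed sample matching what was reported in the thread: 445 could
    # not be reached from the LAN or from the server itself, 139 kept closed.
    reported_local = {139: "closed", 445: "closed"}
    reported_remote = {139: "closed", 445: "closed"}
    verdict, advice = diagnose(reported_local, reported_remote)
    print(verdict, "-", advice)

    # Live probe of the machine this script runs on.
    print(probe_smb("127.0.0.1", timeout=1.0))
```

A "no-listener" verdict is the case resolved in post 12, where the NetBIOS over TCP/IP driver had been disabled on the server.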
  13. Archived from groups: microsoft.public.win2000.security

    Excellent! Congratulations on taking good notes on configuration changes in
    order to backtrack and implement repairs. Just for future reference keep in
    mind that many security guides are specific for a particular server role
    such as a stand alone [non domain member] IIS and the assumption is made
    then that no related services are needed in which case that NetBios over
    TCP/IP is not needed because the IIS server would not be offering shares to
    users or logon to the domain. --- Steve


    "Mary S" <nomail@forme.com> wrote in message
    news:21g231tu0vc0o86adfnjh252bmf805v030@4ax.com...
    > Hi Steve - problem solved :-)
    >
    > I sat down and read my notes already last night - noted that
    > sometime last week I did disable NetBios over TCP/IP in Device
    > Manager according to advice given to me via an article about
    > security. Changed the driver to automatic and was now able to
    > connect to the server again :-)
    >
    > I should obviously have read my note earlier, but I was quite sure
    > that it had to do with the policies - my mistake.
    >
    > Again Steve thanks a lot - you gave me the clue where to look!
    >
    > Until next time,
    > hugs Mary
    >
    > ..and port 139 still closed..
    >
    >
    >
    > On Thu, 10 Mar 2005 14:34:20 -0600, "Steven L Umbach"
    > <n9rou@nospam-comcast.net> wrote:
    >
    >>OK. I hope you make some progress. Yes it is easier than many think to
    >>lock your own users from access. --- Steve
    >>
    >>
    >>"Mary S" <nomail@forme.com> wrote in message
    >>news:479131l1pdq6267ukc6kvtqb63skddbpd5@4ax.com...
    >>> Hi Steve
    >>>
    >>> Just to thank you for your time spent on my problem. I'm going
    >>> to sit back for the weekend and read through my notes. Maybe I can find
    >>> something I have done earlier on?
    >>>
    >>> Could also "open" for port 139 on the LAN - We don't have same
    >>> security aspect as on the internet.
    >>>
    >>> One thing is sure - Our server has never been that secure before. No
    >>> one can access anything any longer ;-)
    >>>
    >>> Kind regards
    >>> Mary S
    >>>
    >>>
    >>> On Wed, 9 Mar 2005 20:56:40 -0600, "Steven L Umbach"
    >>> <n9rou@n0-spam-for-me-comcast.net> wrote:
    >>>
    >>>>Hi Mary.
    >>>>
    >>>>Hmm. Since you have port 139 TCP disabled then the only way that users
    >>>>can access a share over the regular network would be port 445 TCP and
    >>>>since that can not be accessed explains part of the problem. The fact
    >>>>that it takes five minutes to boot up and you can not access any shares
    >>>>indicates possible related problems. Try booting into safemode with
    >>>>networking to see what happens as that will bypass most startup
    >>>>applications and ipsec policy if one is enabled. I did not really see
    >>>>anything in your security options that looks like a problem except the
    >>>>one security option for additional restrictions for anonymous access
    >>>>should be set to "none - rely on default permissions" [though I doubt it
    >>>>is the culprit] until the problem is resolved and verify that it and the
    >>>>lan manager authentication level shows send ntlmv2 responses only in the
    >>>>"effective" settings in Local Security Policy. Also verify that the time
    >>>>on the problem server is correct compared to the domain controller and
    >>>>check day/time/month/year/time zone/AM&PM. The hisecweb.inf template will
    >>>>also disable some system services. Make sure that the dns client service
    >>>>and tcp/ip netbios helper services are started on your server. Use
    >>>>nslookup on it to see if it can connect with its dns server and if it can
    >>>>use it to resolve host names. Nslookup will give an error message that it
    >>>>can not find the name of your dns server if you do not have reverse dns
    >>>>zone configured but it still can display the IP address of the dns
    >>>>server.
    >>>>
    >>>>It sounds like your server for some reason is having difficulty with
    >>>>network communications on needed ports. Verify that tcp/ip filtering is
    >>>>not enabled on the network adapter. Look in tcp
    >>>>ip/properties/advanced/options/tcp ip filtering - properties to make
    >>>>sure it is not enabled. Then check to see if there is an ipsec policy
    >>>>assigned. The netdiag support tool will do such and it is a good idea to
    >>>>run netdiag anyhow looking for pertinent errors/warnings/failed tests.
    >>>>The last test is the IP security test and if it shows that a policy is
    >>>>assigned then an incorrectly configured ipsec policy could cause problems
    >>>>such as you are experiencing. Ipsec policies can be assigned or disabled
    >>>>in Local Security Policy. Beyond that I would wonder if a security patch
    >>>>has caused a conflict on your server. If you remove them in add and
    >>>>remove programs they will often reverse problems they have caused. If you
    >>>>are familiar with how to use netmon to observe packet traffic on a
    >>>>server, you could use it to see what traffic is going to and from your
    >>>>server such as if the server is receiving traffic from a client on port
    >>>>445 and if the server is responding or not. --- Steve
    >>>>
    >>>>http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 ---
    >>>>netdiag and how to install support tools.
    >>>>
    >>>>
    >>>>"Mary S" <nomail@forme.com> wrote in message
    >>>>news:0oju2195fq30882auhsd9h1ra7aho488rb@4ax.com...
    >>>>> Hi Steve
    >>>>>
    >>>>> I have NOT applied the full security template yet. Only some of the
    >>>>> attributes.
    >>>>>
    >>>>> I'm sure that I'm using the right ip number - see screendump (If the
    >>>>> ip number fails, I don't think it will not work with the
    >>>>> "computer name/P4" either, or?)
    >>>>>
    >>>>> No! I can't connect to any of the admin shares with my administrator
    >>>>> account name and p/w
    >>>>>
    >>>>> Unfortunately your suggestion abt. the security option for Microsoft
    >>>>> network server:digitally sign communications(always) is set to
    >>>>> disabled and lan manager authentication level is set to send ntlmv2
    >>>>> responses only, didn't work. See screendump settings.
    >>>>>
    >>>>> I made some new screendumps. If you like, please see the 4 dumps of
    >>>>> the event viewer on the server. This is me (mr X) trying to logon from
    >>>>> another client (XP) to a shared folder (exchange) on the server. Look
    >>>>> at time stamp. I'm successfully logged in and thrown out within 60
    >>>>> sec?
    >>>>>
    >>>>> Also see the screendumps from an XP client trying to logon. Please
    >>>>> note that the sequence is a little different from a w2k log in. XP
    >>>>> clients repeatedly ask for credentials and never log on and give no
    >>>>> clue whatsoever about the problem!
    >>>>>
    >>>>> I can't telnet into 445 on the server nor from the LAN nor on the
    >>>>> server telnet localhost 445. (Port 139 using netbios has been closed
    >>>>> for years). So how do I proceed. Could this be the problem?
    >>>>>
    >>>>> As I said - We were able to logon to the server before I started
    >>>>> messing around with the policy.
    >>>>>
    >>>>> Some other things I have been thinking about/done - some personal
    >>>>> notes;
    >>>>> Can't map any drives from the server to other shares on the LAN.
    >>>>> When restarting the server it takes about 5 min before the server is
    >>>>> online. Why this delay? Static ip used! Ping out from the server okay.
    >>>>> NetBios over TCP/IP disabled. No soft firewall active on the server.
    >>>>> Firewall disabled on the xp client. Checked hosts files..
    >>>>>
    >>>>> Thanks for your time
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>>
    >>>>> On Tue, 8 Mar 2005 16:29:42 -0600, "Steven L Umbach"
    >>>>> <n9rou@nospam-comcast.net> wrote:
    >>>>>
    >>>>>>It looks like your server is configured properly as far as the server
    >>>>>>service running and the share existing and ping shows that you have
    >>>>>>basic network connectivity. You said that you have not actually applied
    >>>>>>the security template yet?? Make sure you are using the correct IP
    >>>>>>address to connect to the share. I see that you have two IP addresses
    >>>>>>listed in your screendumps? If name resolution is correct you should be
    >>>>>>able to use the computer name as in \\p4\exchange. Were you as an
    >>>>>>administrator able to access an administrative share such as C$ on that
    >>>>>>computer from a problem client?? Also if possible show me a screendump
    >>>>>>that shows the security options for the server and the client that you
    >>>>>>are trying to access the server from. At least the security options
    >>>>>>from the server would be helpful. There are two security options -
    >>>>>>digitally sign communications and lan manager authentication level that
    >>>>>>need to be compatible.
    >>>>>>
    >>>>>>What you could try is on the server make sure that the security option
    >>>>>>for Microsoft network server:digitally sign communications(always) is
    >>>>>>set to disabled and lan manager authentication level is set to send
    >>>>>>ntlmv2 responses only. Make sure those settings show as "effective"
    >>>>>>settings in Local Security Policy after running "secedit /refreshpolicy
    >>>>>>machine_policy /enforce" on it. From a client computer make sure that
    >>>>>>port 139 TCP or 445 TCP is open on the server to the client. A quick
    >>>>>>way to do this is to use telnet as in "telnet xxx.xxx.xxx.xxx 139"
    >>>>>>where xxx.xxx.xxx.xxx is the IP address of the server you are trying to
    >>>>>>access. If the port is open you will get a blank command screen with a
    >>>>>>blinking cursor. If the port is closed you will get an access denied
    >>>>>>message. If you think the problem could be a security update, you can
    >>>>>>uninstall most of them in add and remove programs. --- Steve
    >>>>>>
    >>>>>>
    >>>>>>"Mary S" <nomail@forme.com> wrote in message
    >>>>>>news:rhgr21tb20rcs5cgcf6qv5phvi4k99kfsu@4ax.com...
    >>>>>>> Hi again
    >>>>>>>
    >>>>>>> Ok! I'm in big trouble now! Somewhere during the journey of securing
    >>>>>>> the server I must have done something wrong. And I'm almost sure that
    >>>>>>> it has to do with the hisecweb.inf policy or the 6 or 7 latest
    >>>>>>> hotfixes, which I installed via windows update all at the same time.
    >>>>>>>
    >>>>>>> I have made some screendumps here http://web.telia.com/~u42115338/
    >>>>>>> and maybe it could give you some new ideas.
    >>>>>>>
    >>>>>>> Your reply highly appreciated
    >>>>>>> Thanks
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>>
    >>>>>>> On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
    >>>>>>> <n9rou@nospam-comcast.net> wrote:
    >>>>>>>
    >>>>>>>>What exactly do you mean that the share disappeared? Is this the only
    >>>>>>>>share on the server and if not can the other shares be accessed? When
    >>>>>>>>you go to the server does it still show that the share exists? Verify
    >>>>>>>>that file and print sharing is enabled and that the server service is
    >>>>>>>>running on the server. Run the command net config server to see if it
    >>>>>>>>reports that the computer is configured to share resources and the
    >>>>>>>>command net share to see if the share and IPC$ are shown. Try to ping
    >>>>>>>>the server from the clients by name and IP address. See if you can
    >>>>>>>>access administrative shares from a client computer that is showing
    >>>>>>>>the problem such as C$. Run the support tool netdiag and that server
    >>>>>>>>to see if it reports any particular problems. It is possible that
    >>>>>>>>incompatible security options for digitally sign communications, lan
    >>>>>>>>manager authentication level, or other security options could be
    >>>>>>>>causing a problem if they were changed on the server. -- Steve
    >>>>>>>>
    >>>>>>>>
    >>>>>>>
    >>>>>>
    >>>>>
    >>>>
    >>>
    >>
    >
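
The port checks discussed in this thread (connecting to TCP 139 and 445 from a client and from the server itself), written as a small script. This is an added example, not part of any post: the function names and the mapping from probe results to next steps are its own assumptions, drawn from the checks suggested above.

```python
import socket
import sys

SMB_PORTS = (139, 445)  # NetBIOS session service, direct-hosted SMB

def probe(host, port, timeout=2.0):
    """One TCP connect attempt: 'open', 'refused' or 'no-answer'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"    # host answered, but nothing listens on the port
    except OSError:
        return "no-answer"  # timeout or unreachable: dropped along the way

def probe_smb(host, timeout=2.0):
    """Probe both SMB ports on host; returns {port: state}."""
    return {port: probe(host, port, timeout) for port in SMB_PORTS}

def diagnose(local, remote):
    """Interpret probes taken on the server itself (local) and from a client (remote).

    The mapping to next steps is this example's assumption, based on the
    checks suggested in the thread.
    """
    listening = [p for p, s in local.items() if s == "open"]
    if not listening:
        # Nothing answers even on localhost, so packet filtering is not the cause.
        return ("no SMB listener: check the Server service and the "
                "NetBIOS over TCP/IP driver on the server")
    reachable = [p for p in listening if remote.get(p) == "open"]
    if not reachable:
        return ("listener blocked: check TCP/IP filtering, IPsec policy "
                "and firewalls between client and server")
    return ("SMB reachable on %s: check signing and LAN Manager "
            "authentication level settings" % reachable)

if __name__ == "__main__":
    # Usage: python smbcheck.py <server-address>; run it on the server as well.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe_smb(target))
```

Running it once on the server against 127.0.0.1 and once from a client against the server's address gives the two result sets that `diagnose` compares.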