Hi Steve
Just to thank your for your time spent on my problem. I'm going
to sit back for the weekend read trough my notes. Maybe I can find
something I have done earlier on?
Could also "open" for port 139 on the LAN - We don't have same
security aspect as on the internet.
One thing is sure - Our server has never been that secure before. No
one can access anything any longer ;-)
Kind regards
Mary S
On Wed, 9 Mar 2005 20:56:40 -0600, "Steven L Umbach"
Hi Mary.
Hmm. Since you have port 139 TCP disabled then the only way that users
can
access a share over the regular network would be port 445 TCP and since
that
can not be accessed explains part of the problem. The fact that it takes
five minutes to boot up and you can not access any shares indicates
possible
related problems. Try booting into safemode with networking to see what
happens as that will bypass most startup applications and ipsec policy
if
one is enabled. I did not really see anything in your security options
that
looks like a problem except the one security option for additional
restrictions for anonymous access should be set to "none - rely on
default
permissions" [though I doubt it is the culprit] until the problem is
resolved and verify that it and the lan manager authentication level
shows
send ntlmv2 Reponses only in the "effective" settings in Local Security
Policy. Also verify that the time on the problem server is correct
compared
to the domain controller and check day/time/month/year/time zone/AM&PM.
The
hisecweb.inf template will also disable some system services. Make sure
that
the dns client service and tcp/ip netbios helper services are started on
your server. Use nslookup on it to see if it can connect with it's dns
server and if it can use it to resolve host names. Nslookup will give an
error message that it can not find the name of your dns server if you do
not
have reverse dns zone configured but it still can display the IP address
of
the dns server.
It sounds like your server for some reason is having difficulty with
network
communications on needed ports. Verify that tcp/ip filtering is not
enabled
on the network adapter. Look in tcp ip/properties/advanced/options/tcp
ip
filtering - properties to make sure it is not enabled. Then check to see
if
there is an ipsec policy assigned. The netdiag support tool will do such
and
it is a good idea to run netdiag anyhow looking for pertinent
errors/warnings/failed tests. The last test is the IP security test and
if
it shows that a policy is assigned then an incorrectly configured ipsec
policy could cause problems such as you are experiencing. Ipsec policies
can
be assigned or disabled in Local Security Policy. Beyond that I would
wonder if a security patch has caused a conflict on your server. If you
remove them in add and remove programs they will often reverse problems
they
have caused. If you are familiar with how to use netmon to observe
packet
traffic on a server, you could use it to see what traffic is going to
and
from your server such as if the server is receiving traffic from a
client
on
port 445 and if the server is responding or not. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;321708 ---
netdiag
and how to install support tools.
Hi Steve
I have NOT applied the full security template yet. Only some of the
attributes.
I'm sure that I'm using the right ip number - see screendump (If the
ip number fails, I don't
think it will not work with the "computer name/P4" either, or?)
No! I can't connect to any of the admin shares with my administrator
account name and p/w
Unfortunately your suggestion abt. the security option for Microsoft
network server:digitally sign communications(always) is set to
disabled and lan manager authentication level is set to send ntlmv2
reponses only, didn't work. See screendump settings.
I made some new screendumps. If you like, please see the 4 dumps of
the event viewer on the server. This I me (mr X) trying to logon from
another client (XP) to a shared folder (exchange) on the server. Look
at time stamp. I'm successfully logged in and thrown out within 60
sec?
Also see the screendumps from an XP client trying to logon. Please
note that the sequence is a little difference from a w2k log in. XP
clients repeatedly ask for credentials and never log on and gives no
clue what so ever about the problem!
I can't telnet into 445 on the server nor from the LAN nor on the
server telnet localhost 445. (Port 139 using netbios has been closed
for years). So how do I proceed. Could this be the problem?
As I said - We where able to logon to the server before I started
messing around with the policy.
Some other things I have been thinking about/done - some personal
notes;
Can't map any drives from the server to another shares on the LAN.
When restarting the server it takes about 5 min before the server is
online. Why this delay? Static ip used! Ping out from the server okey.
NetBios over TCP/IP disabled. No soft firewall active on the server.
Firewall disabled on the xp client. Checked hosts files..
Thanks for your time
On Tue, 8 Mar 2005 16:29:42 -0600, "Steven L Umbach"
It looks like your server is configured properly as far as the server
service running and the share existing and ping shows that you have
basic
network connectivity. You said that you have not actually applied the
security template yet?? Make sure you are using the correct IP
address
to
connect to the share. I see that you have two IP addresses listed in
your
screendumps? If name resolution is correct you should be able to use
the
computer name as in \\p4\exchange. Were you as an administrator able
to
access an administrative share such as C$ on that computer from a
problem
client?? Also If possible show me a screendump that shows the security
options for the server and the client that you are trying to access
the
server from. At least the security options from the server would be
helpful.
There are two security options - digitally sign communications and lan
manger authentication level that need to be compatible.
What you could try is on the server make sure that the security option
for
Microsoft network server:digitally sign communications(always) is set
to
disabled and lan manager authentication level is set to send ntlmv2
reponses
only. Make sure those settings show as "effective" settings in Local
Security Policy after running " secedit /refreshpolicy machine_policy
/enforce on it. From a client computer make sure that port 139 TCP or
445
TCP is open on the server to the client. A quick way to do this is to
use
telent as in " telnet xxx.xxx.xxx.xxx 139" where xxx.xxx.xxx.xxx is
the
IP
address of the server you are trying to access. If the port is open
you
will
get a blank command screen with a blinking cursor. If the port is
closed
you
will get an access denied message. If you think the problem could be a
security update, you can uninstall most of them in add and remove
rograms. --- Steve
Hi again
Ok! I'm in big trouble now! Somewhere during the journey of securing
the server I must have
done something wrong. And I'm almost sure that it has to do with the
hisecweb.inf policy or the 6 or 7 latest hotfixes, which I installed
via windows update all at the same time.
I have made some screendumps here
http://web.telia.com/~u42115338/
and
maybe it could give you some new ideas.
Yor reply highly appreciated
Thanks
On Mon, 7 Mar 2005 21:20:02 -0600, "Steven L Umbach"
What exactly do you mean that the share disappeared? Is this the
only
share
on the server and if not can the other shares be accessed? When you
go
to
the server does it still show that the share exists? Verify that
file
and
print sharing is enabled and that the server service is running on
the
server. Run the command net config server to see if it reports that
the
computer is configured to share resources and the command net share
to
see
if the share and IPC$ are shown. Try to ping the server from the
clients
by
name and IP address. See if you can access administrative shares
from
a
client computer that is showing the problem such as C$. Run the
support
tool
netdiag and that server to see if it reports any particular
problems.
It
is
possible that incompatible security options for digitally sign
commumications, lan manager authentication level, or other security
options
could be causing a problem if they were changed on the server. --
Steve
