So... you watch those ports then? You have some sort of watching going on for that set of ports? Or are you just relying on the concept that, "hey, nothing should be talking to that set of ports, hence I shouldn't see anything in my firewall logs (which I'm reviewing religiously by the way) therefore this must be something amiss and or awry"? Detection of issues (with a lag time built in) vs. prevention?
In the case of the original poster, the firewall is a separately controlled device that I believe is walling off one network of users from a network of servers. In this case, Active Directory servers. I'm just not sure why and I'm insanely curious. :)
Al
On 6/7/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
Egress filtering so that there's less ports for me to keep an eye on...
those high level ports can be used for backdoors, trojans and what
not... I live in California.. I have SSNs in an encrypted database... I
have sucky vendors that won't support encryption... so I'm putting all
the layers I can.
I don't trust my secretary that 'has' downloaded malware on her machine
(she's nonadmin these days along with many others in my firm).
I have a tiny network in comparison to you guys (Joe would get
claustrophobic just opening up the group policy snap in and seeing
hardly anything in there) but each workstation has XP sp2 with the
firewalls enabled..and believe you me... if some high level port is
needed, I need, I want to know what the 'normal' baseline traffic is on
my network.. should something change... that's a sign of a new piece of
software.. or worse yet... malware, trojans, yadda yadda... and I'm
having a heart attack and licking stamps on post cards informing clients
of an intrusion.
These days your interior "trusted network" can't be trusted anymore.
The bad guys want my desktops.. and most of my risks in my sized network
is coming in from those users.. not my server.
Al Mulnick wrote:
> Hmm.. I'm surprised by that Susan. :)
>
> Anyhow, why would you lock it down? I'm curious as to what the
> motivation is in this particular instance to use the firewall like
> that? What's the gain? What risk are you mitigating? What are you
> controlling?
>
> As I understand this, it is not an internet facing machine such that a
> firewall is there to slow the rush. This is firewalled off from other
> networks within the "trusted" networks (or not so trusted I suppose,
> since you did deploy a firewall.) I'm not sure I understand what's to
> be gained by doing this, so I'm curious. I'm familiar with what other
> companies have done this type of configuration for, but I'm interested
> in this particular instance.
>
>
>
>
> On 6/7/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]*
> <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED] >> wrote:
>
> I think I'd be setting up a sniffer and figuring out exactly what
> is wanting what open and why.
>
> ...that's an awful lot of ports....and exactly where is this firewall?
>
> I'm with Brian.. except I would probably not use the f word.. but
> I think I'd be going "okay this is fine to keep the bosses from
> freaking out but we're getting to the bottom of this so I can
> close those suckers back up or at least only open the minimums".
>
>
>
>
> Brian Desmond wrote:
>
>> *And fwiw you have some forgiving firewall people. I would have
>> told you to f off and lock it down.*
>>
>> * *
>>
>> *Thanks,*
>>
>> *Brian Desmond*
>>
>> * [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>*
>>
>> * *
>>
>> *c - 312.731.3132*
>>
>> * *
>>
>> *From:* [EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED] >
>> [mailto:[EMAIL PROTECTED]] *On Behalf Of *Clay,
>> Justin (ITS)
>> *Sent:* Friday, June 02, 2006 4:30 PM
>> *To:* ActiveDir@mail.activedir.org
>> <mailto:ActiveDir@mail.activedir.org>
>> *Subject:* RE: [ActiveDir] PCs hang at "Applying computer
>> settings" after upgradingDCs to 2K3 SP1
>>
>>
>>
>> Well everyone, it's fixed. It's something that even MS is a bit
>> surprised at, although they say they have seen it before.
>> Essentially, the last year since this forest has been deployed,
>> high ports (1024-65535) have been blocked at the firewall but for
>> whatever reason, everything seemed to work fine. Installing SP1
>> apparently changed something, or fixed something that finally
>> made it a requirement to have those high ports open.
>>
>>
>>
>> They opened 1024-65535 on our Checkpoint firewall and the login
>> times instantly went from 4-8 minutes back down to the usual few
>> seconds. It sucks to have to learn about things like this by
>> killing a production environment for 4 hours and burning some
>> Premiere Support hours, but at least we know what to look for
>> when we upgrade some of our other domains to SP1!
>>
>>
>>
>> Thanks to everyone for all the suggestions and help, it's always
>> appreciated!
>>
>>
>>
>> Also, to everyone else that was experiencing this issue, I'd be
>> interested to know if a firewall or router ACL blocking high
>> ports is the cause of the problem for you!
>>
>>
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> *From:* [EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED] >
>> [mailto:[EMAIL PROTECTED]] *On Behalf Of *Clay,
>> Justin (ITS)
>> *Sent:* Friday, June 02, 2006 2:31 PM
>> *To:* ActiveDir@mail.activedir.org
>> <mailto:ActiveDir@mail.activedir.org>
>> *Subject:* RE: [ActiveDir] PCs hang at "Applying computer
>> settings" after upgradingDCs to 2K3 SP1
>>
>>
>>
>> Nope, I can get to them from the client PCs just fineā¦I was able
>> to drill down into all of the policies that I tried.
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> *From:* [EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]>
>> [mailto:[EMAIL PROTECTED] ] *On Behalf Of *Al Mulnick
>> *Sent:* Friday, June 02, 2006 1:34 PM
>> *To:* ActiveDir@mail.activedir.org
>> <mailto: ActiveDir@mail.activedir.org>
>> *Subject:* Re: [ActiveDir] PCs hang at "Applying computer
>> settings" after upgradingDCs to 2K3 SP1
>>
>>
>>
>> Any problems accessing
>>
>>
>>
>> \\domain\sysvol\domain\Policies
>>
>>
>>
>> ?
>>
>>
>>
>> On 6/2/06, *Clay, Justin (ITS)* < [EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]>> wrote:
>>
>> Hopefully the attachment comes through. The interesting part, and
>> where most of the time delay is seen is here:
>>
>>
>>
>> USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
>>
>> USERENV(42c.2f0 ) 12:37:50:606 MyGetUserName: GetUserNameEx
>> failed with 1753.
>>
>> USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to
>> GetUserNameEx in 1/2 second.
>>
>> USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx
>> failed with 1753.
>>
>> USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to
>> GetUserNameEx in 1/2 second.
>>
>> USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx
>> failed with 1753.
>>
>> USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to
>> GetUserNameEx in 1/2 second.
>>
>> USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx
>> failed with 1753.
>>
>> USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed
>> with 1753.
>>
>> USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in
>> this policy cycle.
>>
>> USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with
>> error 1753.
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> *From:* [EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]>
>> [mailto: [EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]>] *On Behalf Of *Al
>> Mulnick
>> *Sent:* Friday, June 02, 2006 12:19 PM
>> *To:* ActiveDir@mail.activedir.org
>> <mailto:ActiveDir@mail.activedir.org>
>> *Subject:* Re: [ActiveDir] PCs hang at "Applying computer
>> settings" after upgradingDCs to 2K3 SP1
>>
>>
>>
>> I think a different thread mentioned that DNS was about 90% of
>> the cause of this type of behavior. It's not the only one however.
>>
>>
>>
>> What keeps rebooting? The DC? Or the workstations? If the
>> workstations, not only ethereal but Darren's suggestion of
>> logging is a good idea.
>>
>>
>>
>> On 6/2/06, *Za Vue* < [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
>>
>> Finally..someone is also experiencing this problem. My DCs are
>> Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My
>> first thought was DNS DNS.. but NetDiag, Repl, DCDiag, Nslookup
>> all show no error. Nothing is reported in logs. It is not
>> firewall. I have play with NetBIOS, changing Provider Order in
>> Network Neighborhood->Advanced Settings..nada.
>>
>> This week has been quiet. If someone calls again I have ethereal
>> setup and ready to capture. The thing about my environment is I
>> do not manage the switches or router. I don't know if someone is
>> messing with something.
>>
>>
>>
>> -Z.V.
>>
>>
>>
>> , Justin (ITS) wrote:
>>
>> Hello,
>>
>>
>>
>> Last night we upgraded our 3 Win2K3 domain controllers to SP1.
>> This morning, we're getting tons and tons of calls from users who
>> report that their computer sits at "Applying computer settings"
>> for a good 10 minutes, then another 10 or so minutes at "Applying
>> your personalized settings"
>>
>>
>>
>> After the upgrade we did start seeing DCOM errors in the System
>> event log, which I've found many people online have experienced.
>> I "fixed it" (or at least the DCOM errors went away) by granting
>> Network Service the following rights:
>>
>>
>>
>> Local Launch
>>
>> Remote Launch
>>
>> Local Activation
>>
>> Remote Activation
>>
>>
>>
>> In the Launch and Activation Permissions dialog on the Security
>> tab of the netman component. However, even after the DCOM errors
>> have gone away, we continue to see the same results on the clients.
>>
>>
>>
>> Any ideas? I'm considering calling Premier Support, but I figured
>> you guys would be better help than them.
>>
>>
>>
>> Thanks,
>>
>>
>>
>> /Justin Clay/
>> /ITS Enterprise Services/
>> /Metropolitan Government of Nashville and Davidson County /
>> /Howard School Building/
>> /Phone: (615) 880-2573/
>>
>>
>>
>>
>>
>> ITS ENTERPRISE SERVICES EMAIL NOTICE
>>
>> The information contained in this email and any attachments is
>> confidential and may be subject to copyright or other
>> intellectual property protection. If you are not the intended
>> recipient, you are not authorized to use or disclose this
>> information, and we request that you notify us by reply mail or
>> telephone and delete the original message from your mail system.
>>
>>
>>
>>
>>
>> ITS ENTERPRISE SERVICES EMAIL NOTICE
>>
>> The information contained in this email and any attachments is
>> confidential and may be subject to copyright or other
>> intellectual property protection. If you are not the intended
>> recipient, you are not authorized to use or disclose this
>> information, and we request that you notify us by reply mail or
>> telephone and delete the original message from your mail system.
>>
>>
>>
>>
>>
>>
>> ITS ENTERPRISE SERVICES EMAIL NOTICE
>>
>> The information contained in this email and any attachments is
>> confidential and may be subject to copyright or other
>> intellectual property protection. If you are not the intended
>> recipient, you are not authorized to use or disclose this
>> information, and we request that you notify us by reply mail or
>> telephone and delete the original message from your mail system.
>>
>>
>>
>>
>>
>> ITS ENTERPRISE SERVICES EMAIL NOTICE
>>
>> The information contained in this email and any attachments is
>> confidential and may be subject to copyright or other
>> intellectual property protection. If you are not the intended
>> recipient, you are not authorized to use or disclose this
>> information, and we request that you notify us by reply mail or
>> telephone and delete the original message from your mail system.
>>
>>
>>
>
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
The SBS product team wants to hear from you:
http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
