date: Thu, 1 May 2008 13:29:13 -0400
group: microsoft.public.platformsdk.security
Windows Firewall blocking LSASS, causing DCOM launch error
I am having a problem with several Windows Server 2003 SP1 servers on our
domain that have the Windows Firewall service running, but Windows Firewall
configured "off" (by domain policy). I turned on ALL auditing (since I don't
know what I am looking for!) and see that Windows Firewall is blocking LSASS
listening on a UDP port soon after a reboot. Oddly, nothing is logged in
C:\Windows\pfirewall.log. It seems to be a random port number. Below are
three example Event Log entries.
When I try to create a remote out of process DCOM object and the server is
one of the affected servers, it fails to launch the process (DCOM Server
Process Launcher cannot communicate with LSASS?) and I immediately get an
E_ACCESSDENIED error returned. If I disable the Windows Firewall service and
reboot, the problem does not occur. What is going on here? Thanks,
Paul
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 5/1/2008
Time: 11:55:53 AM
User: NT AUTHORITY\SYSTEM
Computer: NCOALINK2
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1100
Allowed: No
User notified: No
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 5/1/2008
Time: 11:52:08 AM
User: NT AUTHORITY\SYSTEM
Computer: NCOALINK2
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1092
Allowed: No
User notified: No
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 5/1/2008
Time: 11:52:08 AM
User: NT AUTHORITY\SYSTEM
Computer: NCOALINK2
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1088
Allowed: No
User notified: No
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
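The three entries above share one fixed shape, so they can be parsed mechanically and the refused listeners grouped by image and port. The following Python is an added example, not code from the thread: the sample text is reconstructed from the three entries quoted above, and the 1025-5000 dynamic-port range used to flag ephemeral ports is the Windows Server 2003 default.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: one Event ID 861 entry as quoted in the post above,
# with the time and port filled in for each of the three entries.
EVENT_TEMPLATE = r"""Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 5/1/2008
Time: {time}
User: NT AUTHORITY\SYSTEM
Computer: NCOALINK2
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 716
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: {port}
Allowed: No
User notified: No
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"""
SAMPLE_EVENTS = "".join(EVENT_TEMPLATE.format(time=t, port=p) for t, p in
                        [("11:55:53 AM", 1100), ("11:52:08 AM", 1092), ("11:52:08 AM", 1088)])


@dataclass
class ListenerEvent:
    time: str
    computer: str
    path: str
    pid: int
    service: bool
    rpc_server: bool
    protocol: str
    port: int
    allowed: bool

    @property
    def image(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def dynamic_port(self) -> bool:
        # Windows Server 2003 allocates dynamic (ephemeral) ports from 1025-5000.
        return 1025 <= self.port <= 5000


# Matches "Key: value" lines only; the free-text description and the URL do not match.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):(?: (.*))?$")


def parse_events(text: str) -> List[ListenerEvent]:
    """Split exported event text into entries and keep the Event ID 861 ones."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type: )", text):
        fields: Dict[str, str] = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = (m.group(2) or "").strip()
        if fields.get("Event ID") != "861":
            continue
        events.append(ListenerEvent(
            time=fields["Time"], computer=fields["Computer"], path=fields["Path"],
            pid=int(fields["Process identifier"]), service=fields["Service"] == "Yes",
            rpc_server=fields["RPC server"] == "Yes", protocol=fields["IP protocol"],
            port=int(fields["Port number"]), allowed=fields["Allowed"] == "Yes"))
    return events


def blocked_service_listeners(events: List[ListenerEvent]) -> List[ListenerEvent]:
    """Listeners the firewall refused that belong to a service (what the thread is chasing)."""
    return [e for e in events if e.service and not e.allowed]


def ports_by_image(events: List[ListenerEvent]) -> Dict[str, List[Tuple[str, int]]]:
    """Group the refused (protocol, port) pairs under the image name, e.g. lsass.exe."""
    grouped: Dict[str, set] = {}
    for e in blocked_service_listeners(events):
        grouped.setdefault(e.image, set()).add((e.protocol, e.port))
    return {image: sorted(ports) for image, ports in grouped.items()}


if __name__ == "__main__":
    for image, ports in ports_by_image(parse_events(SAMPLE_EVENTS)).items():
        print(image, ports)
```

Feeding it a longer export shows at a glance whether the refused ports cluster in the dynamic range, as they do for the three entries here.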
date: Thu, 1 May 2008 13:29:13 -0400
author: Paul Baker [MVP, Windows Desktop Experience]
Re: Windows Firewall blocking LSASS, causing DCOM launch error
Jeffrey,
Yes, I have read about these changes in Windows Server 2003 SP1 and checked
the permissions. The user is not a member of the Distributed COM Users
group, but is a member of the Administrators group which gives them the
launch, activation and access permissions needed. I tried adding the user to
the Distributed COM Users group anyway, and it made no difference.
I think you missed the point that this is a firewall issue. If I disable the
Windows Firewall service, it works as expected.
Paul
"Jeffrey Tan[MSFT]" wrote in message
news:Pe6%23YNDrIHA.1784@TK2MSFTNGHUB02.phx.gbl...
> Hi Paul,
>
> Does the 2003 SP1 server have more than one network adapter, even if it is
> disabled? Is Routing and Remote access enabled on the server?
>
> Have you checked your DCOM security configuration on Win2003 SP1? Win2003
> SP1 introduced the new "Distributed COM Users (Built in Group)". I see one
> internal similar case was resolved by adding the user into the
> "Distributed COM Users" group so that the user has the "remote activation"
> permission. Can you give it a try?
>
> The article below contains more details of the default DCOM security
> setting for various users and the security enhancement of Win2003 SP1:
> "DCOM Security Enhancements in Windows XP Service Pack 2 and Windows
> Server 2003 Service Pack 1"
> http://msdn.microsoft.com/en-us/library/ms679714(VS.85).aspx
>
> I will wait for your further information. Thanks.
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Community Support
>
> Delighting our customers is our #1 priority. We welcome your comments and
> suggestions about how we can improve the support we provide to you. Please
> feel free to let my manager know what you think of the level of service
> provided. You can send feedback directly to my manager at:
> msdnmg@microsoft.com.
>
> ==================================================
> Get notification to my posts through email? Please refer to
> http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
> ications.
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at
> http://msdn.microsoft.com/subscriptions/support/default.aspx.
> ==================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
date: Fri, 2 May 2008 09:26:24 -0400
author: Paul Baker [MVP, Windows Desktop Experience]
Re: Windows Firewall blocking LSASS, causing DCOM launch error
Hi Jeffrey,
I enabled pfirewall.log, as you suggested. It did not create the log file!
It is still logging in the Security event log several instances of Windows
Firewall blocking LSASS using incoming UDP ports. There are several when I
reboot and one more when I attempt to launch the DCOM server for the first
time.
I put the netsh commands you suggested in a batch file and redirected the
output to a file. Below is the output.
Thanks,
Paul
netsh firewall show state enable
Firewall status:
-------------------------------------------------------------------
Profile = Domain
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable
Scope: *
Local exceptions allowed by group policy:
-------------------------------------------------------------------
Open ports = Enable
Allowed programs = Enable
Log settings:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Enable
Connections = Enable
Service settings:
Mode Customized Name
-------------------------------------------------------------------
Disable No File and Printer Sharing
Scope: *
Disable No UPnP Framework
Scope: *
Disable No Remote Desktop
Scope: *
Port exceptions:
Port   Protocol  Local policy  Mode     Name / Service type
-------------------------------------------------------------------
137    UDP       Yes           Disable  NetBIOS Name Service / File and Printer Sharing
       Scope: LocalSubNet
138    UDP       Yes           Disable  NetBIOS Datagram Service / File and Printer Sharing
       Scope: LocalSubNet
139    TCP       Yes           Disable  NetBIOS Session Service / File and Printer Sharing
       Scope: LocalSubNet
445    TCP       Yes           Disable  SMB over TCP / File and Printer Sharing
       Scope: LocalSubNet
1900   UDP       Yes           Disable  SSDP Component of UPnP Framework / UPnP Framework
       Scope: LocalSubNet
2869   TCP       Yes           Disable  UPnP Framework over TCP / UPnP Framework
       Scope: LocalSubNet
3389   TCP       Yes           Disable  Remote Desktop / Remote Desktop
       Scope: *
Ports on which programs want to receive incoming connections:
Port   Protocol  Version  PID   Type  Wildcarded  Forced  Name / Program
-------------------------------------------------------------------
1025   UDP       IPv4     1048  App   Yes         No      (null) / C:\WINDOWS\system32\svchost.exe
       Scope: *
1026   UDP       IPv4     1048  App   Yes         No      (null) / C:\WINDOWS\system32\svchost.exe
       Scope: *
500    UDP       IPv4     668   App   No          No      (null) / C:\WINDOWS\system32\lsass.exe
       Scope: *
4500   UDP       IPv4     668   App   No          No      (null) / C:\WINDOWS\system32\lsass.exe
       Scope: *
161    UDP       IPv4     1920  App   No          No      (null) / C:\WINDOWS\system32\snmp.exe
       Scope: *
1040   TCP       IPv4     668   RPC   No          No      (null) / C:\WINDOWS\system32\lsass.exe
       Scope: *
123    UDP       IPv4     1104  App   No          No      (null) / C:\WINDOWS\system32\svchost.exe
       Scope: *
135    TCP       IPv4     668   RPC   No          No      (null) / C:\WINDOWS\system32\lsass.exe
       Scope: *
Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.
ICMP settings for all network interfaces:
Mode Type Description
-------------------------------------------------------------------
Disable 2 Allow outbound packet too big
Disable 3 Allow outbound destination unreachable
Disable 4 Allow outbound source quench
Disable 5 Allow redirect
Disable 8 Allow inbound echo request
Disable 9 Allow inbound router request
Disable 11 Allow outbound time exceeded
Disable 12 Allow outbound parameter problem
Disable 13 Allow inbound timestamp request
Disable 17 Allow inbound mask request
Additional ICMP settings on Local Area Connection 2:
Mode Type Description
-------------------------------------------------------------------
Disable 2 Allow outbound packet too big
Disable 3 Allow outbound destination unreachable
Disable 4 Allow outbound source quench
Disable 5 Allow redirect
Disable 8 Allow inbound echo request
Disable 9 Allow inbound router request
Disable 11 Allow outbound time exceeded
Disable 12 Allow outbound parameter problem
Disable 13 Allow inbound timestamp request
Disable 17 Allow inbound mask request
Local Area Connection 2 firewall settings:
-------------------------------------------------------------------
Operational mode = Disable
Version = IPv4
GUID = {6A3F9F7A-8B59-49E7-B911-87253484DBC4}
C:\Documents and Settings\PaulB\Desktop>netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Log configuration:
-------------------------------------------------------------------
File location = C:\WINDOWS\pfirewall.log
Max file size = 4096 KB
Dropped packets = Enable
Connections = Enable
Local Area Connection firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable
Local Area Connection 2 firewall configuration:
-------------------------------------------------------------------
Operational mode = Enable
C:\Documents and Settings\PaulB\Desktop>reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
ServiceDll REG_SZ C:\WINDOWS\system32\ipnathlp.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
DisableNotifications REG_DWORD 0x0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
139:TCP REG_SZ 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
445:TCP REG_SZ 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
137:UDP REG_SZ 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
138:UDP REG_SZ 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall REG_DWORD 0x0
C:\Documents and Settings\PaulB\Desktop>reg query HKLM\Software\Policies\Microsoft\WindowsFirewall /s
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall REG_DWORD 0x0
C:\Documents and Settings\PaulB\Desktop>reg query "HKLM\Software\Policies\Microsoft\Windows\Network Connections" /s
C:\Documents and Settings\PaulB\Desktop>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 944
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1040 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 792
TCP 127.0.0.1:1051 0.0.0.0:0 LISTENING 1432
TCP 172.16.112.16:139 0.0.0.0:0 LISTENING 4
TCP 172.16.112.16:1092 172.16.112.2:2222 TIME_WAIT 0
TCP 172.16.112.16:1096 172.16.112.9:445 TIME_WAIT 0
TCP 172.16.112.16:1099 172.16.112.2:2222 TIME_WAIT 0
TCP 172.16.112.16:1100 172.16.112.7:139 ESTABLISHED 4
TCP 172.16.112.16:3389 172.16.112.81:3891 ESTABLISHED 792
UDP 0.0.0.0:161 *:* 1920
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 668
UDP 0.0.0.0:1025 *:* 1048
UDP 0.0.0.0:1026 *:* 1048
UDP 0.0.0.0:4500 *:* 668
UDP 127.0.0.1:123 *:* 1104
UDP 127.0.0.1:1027 *:* 668
UDP 127.0.0.1:1045 *:* 612
UDP 127.0.0.1:1069 *:* 1672
UDP 172.16.112.16:123 *:* 1104
UDP 172.16.112.16:137 *:* 4
UDP 172.16.112.16:138 *:* 4
Paul
"Jeffrey Tan[MSFT]" wrote in message
news:YwHzSmlrIHA.4716@TK2MSFTNGHUB02.phx.gbl...
> Hi Paul,
>
> Thanks for your feedback.
>
> Yes, I just want to get confirmation about these basic settings during
> scoping. Anyway, I have helped to discuss this issue with the firewall
> team.
>
> Based on their feedback, we need to enable firewall logging so that
> firewall activities will be logged into pfirewall.log :
>
> netsh firewall set logging filelocation=%windir%\pfirewall.log
> droppedpackets=enable connections=enable
>
> If you have a machine in this state, could you send me the output of the
> following:
>
> netsh firewall show state enable
> netsh firewall show config
> reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
> /s
> reg query HKLM\Software\Policies\Microsoft\WindowsFirewall /s
> reg query "HKLM\Software\Policies\Microsoft\Windows\Network Connections"
> /s
> netstat -ano
>
> Thanks.
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Community Support
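The two listings Paul posted describe the same machine from two sides: what the firewall has registered as wanting to receive connections, and what is actually bound according to netstat. Joining them by (protocol, port) shows where the two disagree. The following Python is an added example, not code from the thread; its sample data is copied from the netsh and netstat output above (the netstat sample abridged), and the regex and column handling are assumptions about that flattened format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the "Ports on which programs want to receive incoming
# connections" section of "netsh firewall show state" posted above.
NETSH_WANTED = r"""
1025   UDP   IPv4   1048   App   Yes   No   (null) / C:\WINDOWS\system32\svchost.exe
       Scope: *
1026   UDP   IPv4   1048   App   Yes   No   (null) / C:\WINDOWS\system32\svchost.exe
       Scope: *
500    UDP   IPv4   668    App   No    No   (null) / C:\WINDOWS\system32\lsass.exe
       Scope: *
4500   UDP   IPv4   668    App   No    No   (null) / C:\WINDOWS\system32\lsass.exe
       Scope: *
161    UDP   IPv4   1920   App   No    No   (null) / C:\WINDOWS\system32\snmp.exe
       Scope: *
1040   TCP   IPv4   668    RPC   No    No   (null) / C:\WINDOWS\system32\lsass.exe
       Scope: *
123    UDP   IPv4   1104   App   No    No   (null) / C:\WINDOWS\system32\svchost.exe
       Scope: *
135    TCP   IPv4   668    RPC   No    No   (null) / C:\WINDOWS\system32\lsass.exe
       Scope: *
"""

# Constructed sample: "netstat -ano" output posted above, abridged.
NETSTAT = """
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 944
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1040 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 792
TCP 172.16.112.16:1092 172.16.112.2:2222 TIME_WAIT 0
TCP 172.16.112.16:1100 172.16.112.7:139 ESTABLISHED 4
UDP 0.0.0.0:161 *:* 1920
UDP 0.0.0.0:500 *:* 668
UDP 0.0.0.0:1025 *:* 1048
UDP 0.0.0.0:1026 *:* 1048
UDP 0.0.0.0:4500 *:* 668
UDP 127.0.0.1:123 *:* 1104
UDP 127.0.0.1:1027 *:* 668
UDP 172.16.112.16:123 *:* 1104
UDP 172.16.112.16:137 *:* 4
"""

# port, protocol, version, PID, type, wildcarded, forced, name / program
WANTED_RE = re.compile(
    r"^(\d+)\s+(TCP|UDP)\s+IPv[46]\s+(\d+)\s+(App|RPC)\s+(?:Yes|No)\s+(?:Yes|No)\s+\S+\s+/\s*(.*)$")


def parse_netsh_wanted(text: str) -> Dict[Tuple[str, int], Tuple[int, str, str]]:
    """Map (proto, port) -> (pid, type, program) for every firewall-registered listener."""
    wanted: Dict[Tuple[str, int], Tuple[int, str, str]] = {}
    lines = text.strip().splitlines()
    for i, line in enumerate(lines):
        m = WANTED_RE.match(line.strip())
        if not m:
            continue
        port, proto, pid, kind, program = m.groups()
        if not program and i + 1 < len(lines):   # program wrapped onto the next line
            program = lines[i + 1].strip()
        wanted[(proto, int(port))] = (int(pid), kind, program)
    return wanted


def parse_netstat(text: str) -> Dict[Tuple[str, int], List[Tuple[str, int]]]:
    """Map (proto, port) -> [(local address, pid)] for bound sockets; TCP entries
    that are not LISTENING (ESTABLISHED, TIME_WAIT, ...) are skipped."""
    bound: Dict[Tuple[str, int], List[Tuple[str, int]]] = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("TCP", "UDP"):
            continue
        if tok[0] == "TCP" and tok[3] != "LISTENING":
            continue
        addr, port = tok[1].rsplit(":", 1)
        bound.setdefault((tok[0], int(port)), []).append((addr, int(tok[-1])))
    return bound


def correlate(wanted, bound):
    """Return (mismatches, unregistered): firewall entries whose port is not bound
    by the PID netsh reports, and bound sockets the firewall has no entry for."""
    mismatches = []
    for key, (pid, _kind, program) in sorted(wanted.items()):
        pids = [p for _, p in bound.get(key, [])]
        if pid not in pids:
            mismatches.append((key, pid, program, pids))
    unregistered = sorted((proto, port, addr, pid)
                          for (proto, port), socks in bound.items()
                          if (proto, port) not in wanted
                          for addr, pid in socks)
    return mismatches, unregistered


if __name__ == "__main__":
    mism, unreg = correlate(parse_netsh_wanted(NETSH_WANTED), parse_netstat(NETSTAT))
    for key, pid, program, pids in mism:
        print(f"netsh: {key} registered to PID {pid} ({program}); netstat PIDs: {pids}")
    for proto, port, addr, pid in unreg:
        print(f"bound but not registered with the firewall: {proto} {addr}:{port} PID {pid}")
```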
date: Mon, 5 May 2008 10:12:54 -0400
author: Paul Baker [MVP, Windows Desktop Experience]
Re: Windows Firewall blocking LSASS, causing DCOM launch error
Hi Jeffrey,
It continues to log in the Security event log Windows Firewall blocking
LSASS using incoming UDP ports. Instances of this are logged regularly
(every few minutes, sometimes in clusters) at seemingly random intervals and
for seemingly random ports. All this when the machine is theoretically idle
waiting for me to debug it :)
pfirewall.log has still not been created.
Paul
"Paul Baker [MVP, Windows Desktop Experience]"
<paulrichardbaker@community.nospam> wrote in message
news:uy63dorrIHA.1772@TK2MSFTNGP03.phx.gbl...
date: Mon, 5 May 2008 12:05:24 -0400
author: Paul Baker [MVP, Windows Desktop Experience]
Re: Windows Firewall blocking LSASS, causing DCOM launch error
Hi Jeffrey,
Today, for some reason, it is successfully launching the server process
non-interactively on the server in question. This is despite the firewall
activity. Similarly configured servers continue to have the same problem (an
immediate E_ACCESSDENIED error). Is there something sporadic going on here?
Last week, I alternately and repeatedly disabled the Windows Firewall
service, rebooted, attempted to launch / enabled the Windows Firewall
service, rebooted, attempted to launch and found that the launch failed with
E_ACCESSDENIED if and only if the Windows Firewall service was enabled (even
though it was configured Off). Yet today, it is consistently working with
the Windows Firewall service enabled.
Paul
"Paul Baker [MVP, Windows Desktop Experience]"
<paulrichardbaker@community.nospam> wrote in message
news:e30HVnsrIHA.1200@TK2MSFTNGP03.phx.gbl...
>> 137:UDP REG_SZ 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
>> 138:UDP REG_SZ 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
>>
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
>> EnableFirewall REG_DWORD 0x0
>>
>>
>> C:\Documents and Settings\PaulB\Desktop>reg query
>> HKLM\Software\Policies\Microsoft\WindowsFirewall /s
>>
>> HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
>> EnableFirewall REG_DWORD 0x0
>>
>>
>> C:\Documents and Settings\PaulB\Desktop>reg query
>> "HKLM\Software\Policies\Microsoft\Windows\Network Connections" /s
>>
>> C:\Documents and Settings\PaulB\Desktop>netstat -ano
>>
>> Active Connections
>>
>> Proto Local Address Foreign Address State PID
>> TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 944
>> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
>> TCP 0.0.0.0:1040 0.0.0.0:0 LISTENING 668
>> TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 792
>> TCP 127.0.0.1:1051 0.0.0.0:0 LISTENING 1432
>> TCP 172.16.112.16:139 0.0.0.0:0 LISTENING 4
>> TCP 172.16.112.16:1092 172.16.112.2:2222 TIME_WAIT 0
>> TCP 172.16.112.16:1096 172.16.112.9:445 TIME_WAIT 0
>> TCP 172.16.112.16:1099 172.16.112.2:2222 TIME_WAIT 0
>> TCP 172.16.112.16:1100 172.16.112.7:139 ESTABLISHED 4
>> TCP 172.16.112.16:3389 172.16.112.81:3891 ESTABLISHED 792
>> UDP 0.0.0.0:161 *:* 1920
>> UDP 0.0.0.0:445 *:* 4
>> UDP 0.0.0.0:500 *:* 668
>> UDP 0.0.0.0:1025 *:* 1048
>> UDP 0.0.0.0:1026 *:* 1048
>> UDP 0.0.0.0:4500 *:* 668
>> UDP 127.0.0.1:123 *:* 1104
>> UDP 127.0.0.1:1027 *:* 668
>> UDP 127.0.0.1:1045 *:* 612
>> UDP 127.0.0.1:1069 *:* 1672
>> UDP 172.16.112.16:123 *:* 1104
>> UDP 172.16.112.16:137 *:* 4
>> UDP 172.16.112.16:138 *:* 4
>>
>> Paul
>>
>> ""Jeffrey Tan[MSFT]"" wrote in message
>> news:YwHzSmlrIHA.4716@TK2MSFTNGHUB02.phx.gbl...
>>> Hi Paul,
>>>
>>> Thanks for your feedback.
>>>
>>> Yes, I just want to get confirmation about these basic settings during
>>> scoping. Anyway, I have helped to discuss this issue with the firewall
>>> team.
>>>
>>> Based on their feedback, we need to enable firewall logging so that
>>> firewall activities will be logged into pfirewall.log :
>>>
>>> netsh firewall set logging filelocation=%windir%\pfirewall.log
>>> droppedpackets=enable connections=enable
>>>
>>> If you have a machine in this state, could you send me the output of the
>>> following:
>>>
>>> netsh firewall show state enable
>>> netsh firewall show config
>>> reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters /s
>>> reg query HKLM\Software\Policies\Microsoft\WindowsFirewall /s
>>> reg query "HKLM\Software\Policies\Microsoft\Windows\Network Connections" /s
>>> netstat -ano
>>>
>>> Thanks.
>>>
>>> Best regards,
>>> Jeffrey Tan
>>> Microsoft Online Community Support
>>> =========================================
>>> Delighting our customers is our #1 priority. We welcome your comments
>>> and
>>> suggestions about how we can improve the support we provide to you.
>>> Please
>>> feel free to let my manager know what you think of the level of service
>>> provided. You can send feedback directly to my manager at:
>>> msdnmg@microsoft.com.
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>
>>
>
>
date: Mon, 5 May 2008 13:15:55 -0400
author: Paul Baker [MVP, Windows Desktop Experience] am
Re: Windows Firewall blocking LSASS, causing DCOM launch error
Yes, I still need help with this issue. The same problem remains on three
other servers. It is still unexplained how it went away on one (I did not
change any configuration).
I need to know if Windows Firewall is supposed to be blocking LSASS on
random UDP ports, even though the firewall is Off and without logging in
pfirewall.log. And, could this explain a failure to launch? I'd hate the
resolution to be disabling the Windows Firewall service without even
understanding what the problem is.
Paul
""Jeffrey Tan[MSFT]"" wrote in message
news:uRTFfB$rIHA.1856@TK2MSFTNGHUB02.phx.gbl...
> Hi Paul,
>
> Sorry for the late response, I took sick leave at home yesterday.
>
> I am not sure if I have understood you completely. Do you mean that the
> problem suddenly went away mystically? I get this question because I see you
> replied with "Yet today, it is consistently working with
> the Windows Firewall service enabled".
>
> Do you still need any help on this issue? If so, please feel free to tell
> me, I will collaborate with the Windows firewall team to resolve this
> problem. Thanks.
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Community Support
> =========================================
> Delighting our customers is our #1 priority. We welcome your comments and
> suggestions about how we can improve the support we provide to you. Please
> feel free to let my manager know what you think of the level of service
> provided. You can send feedback directly to my manager at:
> msdnmg@microsoft.com.
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
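The question above is whether the Event 861 audits ("application listening for incoming traffic", Allowed: No) for lsass.exe on changing UDP ports line up with anything actually listening. A small triage script helps answer that by correlating the audit records with a `netstat -ano` snapshot taken on the same box. This is an added example, not code from the thread or from Microsoft; the netstat lines and event records inside it are constructed samples modelled on the kind of output quoted earlier, the PIDs and ports are invented, and the dynamic-port range of 1025 to 5000 is assumed as the Windows Server 2003 default.

```python
"""Correlate Windows Firewall Event 861 audit records with a `netstat -ano`
snapshot. Added example (not from the thread); all sample data is constructed."""
import re
from dataclasses import dataclass

# Constructed `netstat -ano` sample; PIDs/ports are invented, not from any real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:1040           0.0.0.0:0              LISTENING       668
  TCP    172.16.112.16:1100     172.16.112.7:139       ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    668
  UDP    0.0.0.0:1100           *:*                                    668
  UDP    172.16.112.16:137      *:*                                    4
"""

# Constructed Event 861 descriptions in the "Field: value" layout the Security
# log uses. The second record names a port that is no longer in the snapshot.
SAMPLE_EVENTS = r"""
Event Type: Failure Audit
Event ID: 861
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 668
User account: SYSTEM
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1100
Allowed: No
User notified: No
Event Type: Failure Audit
Event ID: 861
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 668
User account: SYSTEM
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1103
Allowed: No
User notified: No
"""


@dataclass(frozen=True)
class Listener:
    proto: str   # "TCP" or "UDP"
    addr: str    # local address as printed by netstat
    port: int
    pid: int


def parse_netstat(text):
    """Return the listening sockets from `netstat -ano` output.

    TCP rows are kept only in LISTENING state; every UDP row is a listener."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        addr, port = parts[1].rsplit(":", 1)   # rsplit copes with [::]:port too
        if parts[0] == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue
            pid = int(parts[4])
        else:
            pid = int(parts[3])
        listeners.append(Listener(parts[0], addr, int(port), pid))
    return listeners


def parse_event_861(text):
    """Split a dump of Security-log descriptions into one dict per Event 861."""
    events, current = [], None
    for raw in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", raw.strip())
        if not m:
            continue                        # wrapped description text, no field
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":             # each record starts with this field
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return [e for e in events if e.get("Event ID") == "861"]


def correlate(events, listeners, dynamic_range=(1025, 5000)):
    """For each blocked (Allowed: No) audit, say whether the same PID still holds
    that port and whether the port falls in the assumed dynamic range."""
    findings = []
    for ev in events:
        if ev.get("Allowed", "").lower() != "no":
            continue
        pid, proto, port = int(ev["Process identifier"]), ev["IP protocol"].upper(), int(ev["Port number"])
        hits = [l for l in listeners if l.pid == pid and l.proto == proto and l.port == port]
        findings.append({
            "path": ev["Path"], "pid": pid, "proto": proto, "port": port,
            "still_listening": bool(hits),
            "dynamic_port": dynamic_range[0] <= port <= dynamic_range[1],
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_event_861(SAMPLE_EVENTS), parse_netstat(SAMPLE_NETSTAT)):
        print(f"{f['path']} pid={f['pid']} {f['proto']}/{f['port']} "
              f"still_listening={f['still_listening']} dynamic_port={f['dynamic_port']}")
```

On a real host, feed the script the saved `netstat -ano` output and the Event 861 descriptions exported from the Security log. A listener that is audited but no longer present on the same port after a reboot, with the port inside the dynamic range, is consistent with the "random port" behaviour described above; a listener that is still present on a well-known port points at a service binding that needs a deliberate exception or policy decision instead.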
date: Wed, 7 May 2008 09:17:20 -0400
author: Paul Baker [MVP, Windows Desktop Experience] am
Re: Windows Firewall blocking LSASS, causing DCOM launch error
Jeffrey,
Up until now, I have been describing one server (let's call it "server2").
That is the one I took out of production to test. There are three other
servers as well that we are using (it would be difficult to start fiddling
with them as well, but we can observe their current behaviour easily).
Perhaps knowing their behaviour will help.
server1 - Windows Firewall disabled - E_ACCESSDENIED immediately
server2 - Windows Firewall enabled/off - works
server3 - Windows Firewall enabled/off - E_ACCESSDENIED immediately
server4 - Windows Firewall disabled - E_ACCESSDENIED immediately
The behaviour I saw with server2 seemed to tie it to whether or not Windows
Firewall was disabled. But now it is working, for some unknown reason, while
other similar systems with Windows Firewall disabled also have a problem.
Maybe it is not Windows Firewall.
It seems what I need to know is - what things can cause an E_ACCESSDENIED
error before launching the server process when run as "The launching user"
but not run as "The interactive user"? It can't be launch permissions or
anything obvious. It's got to be something to do with an extra security
check that is done only when it is non-interactive. Can the DCOM folks help
out here?
Thanks a lot,
Paul
"Paul Baker [MVP, Windows Desktop Experience]"
<paulrichardbaker@community.nospam> wrote in message
news:%23yw3uSEsIHA.5096@TK2MSFTNGP02.phx.gbl...
> Yes, I still need help with this issue. The same problem remains on three
> other servers. It is still unexplained how it went away on one (I did not
> change any configuration).
>
> I need to know if Windows Firewall is supposed to be blocking LSASS on
> random UDP ports, even though the firewall is Off and without logging in
> pfirewall.log. And, could this explain a failure to launch? I'd hate the
> resolution to be disabling the Windows Firewall service without even
> understanding what the problem is.
>
> Paul
>
> ""Jeffrey Tan[MSFT]"" wrote in message
> news:uRTFfB$rIHA.1856@TK2MSFTNGHUB02.phx.gbl...
>> Hi Paul,
>>
>> Sorry for the late response, I took sick leave at home yesterday.
>>
>> I am not sure if I have understood you completely. Do you mean that the
>> problem suddenly went away mystically? I get this question because I see you
>> replied with "Yet today, it is consistently working with
>> the Windows Firewall service enabled".
>>
>> Do you still need any help on this issue? If so, please feel free to tell
>> me, I will collaborate with the Windows firewall team to resolve this
>> problem. Thanks.
>>
>> Best regards,
>> Jeffrey Tan
>> Microsoft Online Community Support
>> =========================================
>> Delighting our customers is our #1 priority. We welcome your comments and
>> suggestions about how we can improve the support we provide to you.
>> Please
>> feel free to let my manager know what you think of the level of service
>> provided. You can send feedback directly to my manager at:
>> msdnmg@microsoft.com.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>
>
date: Wed, 7 May 2008 09:38:10 -0400
author: Paul Baker [MVP, Windows Desktop Experience] am