Checkpoint Secure Client : RPC Failures / Filter Rejected Issues
WMI/RPC calls from Windows Server 2003 SP1 / SP2 servers to client running Checkpoint Secure Client R60 (pre-HFA02) may experience unexpected shutdowns/restarts. When viewing theSecure Client firewall log you will see that RPC traffic is being dropped by rule 995, even though it may be explicitly allowed by another rule.
WMI query errors may report: Call was canceled by the message filter. (Exception from HRESULT: 0x80010002 (RPC_E_CALL_CANCELED))
This is a known issue caused by the ‘Server2003NegotiateDisable‘ option that is enabled by default upon installation of Windows Server 2003 SP1 or newer – http://support.microsoft.com/kb/899148. There are two potential solutions – a quick fix, and a ‘proper’ fix. I’ll cover the quick fix first.
Download and install the hotfix available from the above MS knowledgebase article – this should be installed on the server affected by this issue.
Once installed, create a new DWORD registry key on the server, setting the value to 1: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\Server2003NegotiateDisable
Reboot the server, the RPC calls will now fuction as expected to devices with non-RPC compliant VPN clients.
The ‘proper’ fix
Initally, you can perform the above. This will get RPC working with the non-RPC compliant VPN clients.
You should then proceed to update all of the SecureClient installs to at least version R60 HFA02, when this is complete set the registry key to 0 on the server and reboot once again.
An updated version of the client is easily obtainable form the Checkpoint Website.
For further information from Checkpoint see the following URL: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk31818
VBScript : ADODB Provider Could Not Be Found / Re-install MDAC
You may encounter ADODB errors when running a VBscript containing WMI calls on computers running Windows XP Service Pack 2 or 3.
ADODB is a part of the Microsoft Data Access Components (MDAC). You can download MDAC form here, but wait…!
If you are running Service Pack 2 or newer you will find that you are unable to re-install this version of MDAC,as the version included with the service pack is newer.So, in order to perform this task you will require a Windows XP CD with your current Service Pack slip-streamed into it, although files should be available under %systemroot%\windows\servicepackfiles\i386.
With the Windows XP CD inserted / files available perform the following tasks:
- Browse to c:\Windows\Inf folderin Windows Explorer
- Right-click the Mdac.inf file, and then click Install.
- When prompted point the installer to your Windows XP CD, if the files are unavailable form this location use the Service Pack source files under %systemroot%\windows\servicepackfiles\i386
A special consideration, if running McAfee VirusScan Enterprise, ensure you disable the Access Protection component for this process, it will cause the installation of MDAC to fail.
Enable Mailbox Auditing in Exchange 2007 SP1
From the Exchange Shell on the Mailbox Database Server(s) run the following command to enable auditing:
Set-EventLogLevel “MSExchangeIS\9000 Private\Logons” -level low
This command will return no feedback to the end-user.
You can check that this setting has been applied using the command:
Now monitor the Application event log for Event IDs 1013 and 1016
Enable Auditing in Exchange 2007 SP2
SP2 introduces new features for Mailbox Access auditing; a new event log is created on the Exchange Server and it is possible to audit Folder Access, Message Access, Extended Send As and Extended Send On Behalf.
Enable Folder Access using the command:
Set-EventLogLevel “MSExchangeIS\9000 Private\Folder Access” -level low
You can create exceptions to auditing for specific accounts such as service accounts using the command:
Get-MailboxDatabase –identity ‘SERVER’ | Add-ADPermission –User ‘account’ –ExtendedRights ms-Exch-Store-Bypass-Access-Auditing –InheritanceType All
You can now view auditing events in the Exchange Auditing Event Log.
Windows Firewqall : View Current State
Use the following command the view the status of the windows firewall, including whether ‘Remote Administration’ is enabled and the active Profile.
c:\>netsh firewall show state
Profile = Domain
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Enable
To forcibly enable Remote Admin mode, use the following commands:
call netsh firewall set service RemoteAdmin enable
call netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
call netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=WMI
call netsh firewall add allowedprogram program=%windir%\system32\dllhost.exe name=Dllhost
Windows 2008 Server Core : Using netsh to configure TCP/IP
List all ipv4 interfaqces and obtain the interface ID of the NIC you wish to change the configuration for, in this instance we will modify the settings of interface ‘10‘ which is shown as ‘connected’:
netsh interface ip show interfaces
Set DHCP for ipv4 interface ’10’:
set address 10 dhcp
Set Static IP Address/subnet mask/gateway on ipv4 interface ’10’:
set address 10 static 192.168.1.100 255.255.0.0 192.168.1.1
Set primary and secondary DNS servers for ipv4 interface ’10’:
set dnsservers 10 dhcp
set dnsservers 10 static 192.168.1.10 primary
add dnsservers 10 192.168.1.11
Set WINS servers for ipv4 interface ’10’:
set winsservers 10 dhcp
set winsservers 10 static 192.168.1.10
add winsservers 10 192.168.1.11
Reset TCP/IPv4 stack:
netsh interface ip reset