Checkpoint Secure Client : RPC Failures/Filter Rejected Issues

Checkpoint Secure Client : RPC Failures / Filter Rejected Issues

WMI/RPC calls from Windows Server 2003 SP1 / SP2 servers to client running Checkpoint Secure Client R60 (pre-HFA02) may experience unexpected shutdowns/restarts. When viewing theSecure Client firewall log you will see that RPC traffic is being dropped by rule 995, even though it may be explicitly allowed by another rule.

WMI query errors may report: Call was canceled by the message filter. (Exception from HRESULT: 0x80010002 (RPC_E_CALL_CANCELED))

This is a known issue caused by the ‘Server2003NegotiateDisableoption that is enabled by default upon installation of Windows Server 2003 SP1 or newer – There are two potential solutions – a quick fix, and a ‘proper’ fix. I’ll cover the quick fix first.

The quick-fix

   Download and install the hotfix available from the above MS knowledgebase article – this should be installed on the server affected by this issue.

   Once installed, create a new DWORD registry key on the server, setting the value to 1: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\Server2003NegotiateDisable

   Reboot the server, the RPC calls will now fuction as expected to devices with non-RPC compliant VPN clients.

The ‘proper’ fix

   Initally, you can perform the above. This will get RPC working with the non-RPC compliant VPN clients.

   You should then proceed to update all of the SecureClient installs to at least version R60 HFA02, when this is complete set the registry key to 0 on the server and reboot once again.

   An updated version of the client is easily obtainable form the Checkpoint Website.

   For further information from Checkpoint see the following URL:

WMI : ADODB Provider Could not Be Found

VBScript : ADODB Provider Could Not Be Found / Re-install MDAC

You may encounter ADODB errors when running a VBscript containing WMI calls on computers running  Windows XP Service Pack 2 or 3.

ADODB  is a part of the Microsoft Data Access Components (MDAC). You can download MDAC form here, but wait…!

If you are running Service Pack 2 or newer you will find that you are unable to re-install this version of MDAC,as the version included with the service pack is newer.So, in order to perform this task you will require a Windows XP CD with your current Service Pack slip-streamed into it, although files should be available under %systemroot%\windows\servicepackfiles\i386.

With the Windows XP CD inserted / files available perform the following tasks:

  • Browse to c:\Windows\Inf folderin Windows Explorer
  • Right-click the Mdac.inf file, and then click Install. 
  • When prompted point the installer to your Windows XP CD, if the files are unavailable form this location use the Service Pack source files under %systemroot%\windows\servicepackfiles\i386

A special consideration, if running McAfee VirusScan Enterprise, ensure you disable the Access Protection component for this process, it will cause the installation of MDAC to fail.

Exchange 2007 : Mailbox Auditing

Enable Mailbox Auditing in Exchange 2007 SP1

From the Exchange Shell on the Mailbox Database Server(s) run the following command to enable auditing:
   Set-EventLogLevel “MSExchangeIS\9000 Private\Logons” -level low
This command will return no feedback to the end-user.

You can check that this setting has been applied using the command:

Now monitor the Application event log for Event IDs 1013 and 1016
Enable Auditing in Exchange 2007 SP2

SP2 introduces new features for Mailbox Access auditing; a new event log is created on the Exchange Server and it is possible to audit Folder Access, Message Access, Extended Send As and Extended Send On Behalf.

Enable Folder Access using the command:
   Set-EventLogLevel “MSExchangeIS\9000 Private\Folder Access” -level low

You can create exceptions to auditing for specific accounts such as service accounts using the command:
   Get-MailboxDatabase –identity ‘SERVER’ | Add-ADPermission –User ‘account’ –ExtendedRights ms-Exch-Store-Bypass-Access-Auditing –InheritanceType All

You can now view auditing events in the Exchange Auditing Event Log. 

Windows Firewall : View Current State

Windows Firewqall : View Current State

Use the following command the view the status of the windows firewall, including whether ‘Remote Administration’ is enabled and the active Profile.

c:\>netsh firewall show state

Firewall status:
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Enable

To forcibly enable Remote Admin mode, use the following commands:

call netsh firewall set service RemoteAdmin enable
call netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
call netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=WMI
call netsh firewall add allowedprogram program=%windir%\system32\dllhost.exe name=Dllhost 

Windows 2008 Server Core : Using netsh to configure TCP/IP

Windows 2008 Server Core : Using netsh to configure TCP/IP

List all ipv4 interfaqces and obtain the interface ID of the NIC you wish to change the configuration for, in this instance we will modify the settings of interface ‘10‘ which is shown as ‘connected’:
  netsh interface ip show interfaces


Set DHCP for ipv4 interface ’10’:
  set address 10 dhcp

Set Static IP Address/subnet mask/gateway on ipv4 interface ’10’:
  set address 10 static

Set primary and secondary DNS servers for ipv4 interface ’10’:
  set dnsservers 10 dhcp
  set dnsservers 10 static primary
  add dnsservers 10

Set WINS servers for ipv4 interface ’10’:
  set winsservers 10 dhcp
  set winsservers 10 static
  add winsservers 10

Reset TCP/IPv4 stack:
  netsh interface ip reset