Monday, July 12, 2010

Symantec Endpoint Protection and Checkpoint R70

ISSUE:  There was a Windows 2003 server running Symantec Antivirus and Checkpoint R70 suite working just fine.  When the customer upgraded from SAV to SEP it broke Checkpoint Smartview Tracker.

SOLUTION:  Install Symantec Endpoint Protection (Antivirus only, no Firewall), then create exclusions for the Checkpoint applications.  To do this:
  • Open Symantec Endpoint Protection.
  • Click 'Change Settings'; next to Antivirus and Antispyware Protection, click 'Configure Settings'.
  • Click the 'File System Auto-Protect' tab, then click 'Centralized Exceptions' at the bottom of that tab.
  • Click Add, Security Risk Exception -> Folder, navigate to 'C:\WINDOWS\FW1\' and click Add.
  • Click Add, TruScan Proactive Threat Scan Exception, navigate to 'C:\WINDOWS\FW1\R70\fw1\bin' and create an exception for both fwd.exe and fwm.exe.
  • Then reboot.  fwm.exe should trigger fwd.exe and all is well.

NOTES:  We used TCPView (from Sysinternals) to monitor which .exe files were listening on which ports.  We noticed that after the install and reboot, FWM.EXE would start but FWD.EXE would not.  When we tried to start fwd.exe we saw these messages in the fwd.elg log, located at C:\WINDOWS\FW1\R70\fw1\log\fwd.elg:

cplog_log_server_init: failed to init: Unknown Winsock error (10013)
Cannot establish fwd service on port 256.: Address already in use
  • fwd.exe listens on TCP/256 and TCP/257 to receive logs from the gateways.
  • If fwd.exe is active and listening on those ports but SmartView Tracker isn't showing any new logs, simply push policy and it will resume logging.
  • Don't forget to use remote file management to download your logs from the gateways (they log locally when they can't reach the policy server).

Sunday, July 11, 2010

Join systems to a remote domain

ISSUE: We have laptops that are brand new and need to be joined to a customer domain.  Instead of bringing them to the office and camping there for hours, we found a way to join them to the domain remotely and perform all the necessary work remotely.

SOLUTION:
  1. Log into the PC using a local administrator account.
  2. VPN into work (PPTP works best for this).
  3. While connected, join the system to the domain and reboot.
  4. NOTE: This is where it gets tricky.
  5. Log into the PC again using the local administrator account.
  6. Again, VPN into work.
  7. Now lock the machine.
  8. Unlock it using your Active Directory account.  This makes the machine hit AD over the VPN and confirm and cache your domain account (make sure your AD account is in the local Administrators group on the machine).  When you unlock it as a different account, it will typically end your VPN session as it closes the user's session.
  9. When the system has logged out, log in using the domain name as a prefix for your user account (e.g. fixit.local\steve.adams).  This works because Windows has cached your domain logon credentials.

Windows XP will not unlock

ISSUE: We have a customer running Windows XP Pro clients attached to a Windows 2003 server.  They are all domain members.  Occasionally the users report that their workstation is locked and they cannot unlock it.  A reboot is all that fixes it.

SOLUTION:  Put the domain name in the user name field (e.g. fixit.local\steve.adams).  The unlock window doesn't have a third field to select the domain, and for some reason Windows appears to be looking up the account locally.  The prefix tells the computer to use the domain account.

Friday, July 9, 2010

ASP.NET State Service

Issue: With load-balanced application servers, session state has to live on a shared state server that every server in the farm refers to.

Solution: Windows Server 2003 comes with a service called "ASP.NET State Service".  It is set to Manual by default.  You need to do a few things to configure it as a central State Server.
  1. Click Start, type services.msc, click OK.
  2. Find "ASP.NET State Service", change its startup type to Automatic and start it.
  3. Open a command prompt.
  4. Run: netstat -ano | find "42424"
     Response: TCP    127.0.0.1:42424        0.0.0.0:0              LISTENING       5640
  5. Run REGEDIT.
  6. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters
  7. Change the "AllowRemoteConnection" value data from 0 to 1.
  8. Restart the service.
  9. Re-run the command from step 4.
  10. netstat -ano | find "42424"
      Response: TCP    0.0.0.0:42424          0.0.0.0:0              LISTENING       1240
  11. Now that it is listening on 0.0.0.0 instead of 127.0.0.1, it can receive requests from other servers.

Then of course, inside your app's web.config file you'll need to add two things:

1. Machine Key: made up of a validation key and a decryption key, and it must be the same on every server in the farm.
We recommend using Development Now to generate the string.

2. A reference to the new state server you configured above:
  <sessionState mode="StateServer"
                stateConnectionString="tcpip=SERVERNAME.DOMAIN.LOCAL:42424"
                cookieless="false"
                timeout="20"/>

Wednesday, July 7, 2010

Dell Latitude with Windows 7 Slow to Log Off Shut Down

The customer has a few Dell Latitude E6500s running Windows 7 64-bit.  They have a Broadcom wireless card with all the latest drivers, updates and BIOS.

They noticed it was taking a long time (close to 5 minutes) to shut down or even log off.  We tried this with positive results:
  1. Click Start, type services.msc, click OK.
  2. Find "DW WLAN Tray Service", stop it, then set its startup type to Manual.
  3. Reboot.
Now try a logoff or shutdown.

Tuesday, July 6, 2010

Allow Splunk to retrieve logs from Server 2008

Issue: Allow the Splunk service through the firewall on Server 2008

Solution:
  1. Click Start, type firewall.
  2. Don't select the first one, "Windows Firewall with Advanced Security".
  3. Select the second one in the list, "Windows Firewall".
  4. Click Change Settings.
  5. Click the Exceptions tab.
  6. Check the box next to "Remote Event Log Management" (appears to allow port 135/tcp).
  7. Done.  Splunk can now remotely access the box (with the right privileges) and index the event logs.

Flush Splunk Data

Issue: During the initial setup and configuration of Splunk it might be nice to empty the indexes and start over.

Solution: Here are some commands to run to clean out the indexed data.

Note: You must stop the Splunk service before you can run any of these commands:

./splunk stop

This example tells Splunk to remove event data in all indexes (because no index argument is specified):

./splunk clean eventdata

This example removes indexed event data from the _internal index and forces Splunk to skip the confirmation prompt:

./splunk clean eventdata _internal -f

Note: It can also be helpful to flush the event logs of the Server as they might refer to the server's previous name which will just add junk to Splunk's indexes.

Other Terms: Purge splunk data – delete data – clear out splunk old data - flush splunk data

Thursday, July 1, 2010

Netstat - PID - which service is listening on which port

Some basic IP port commands to help you in Windows.
  1. Open a command window.
  2. Type netstat -ano
  3. This command displays all IP connections and the ports on which the system is listening.
  4. Type netstat -ano | find ":445"
  5. This command displays all IP connections involving port 445.  You can run it with "445" instead, but that may include extra lines where a port merely contains 445 (e.g. 34450).
  6. This is extremely helpful to confirm that a server is in fact listening on a specific port like :80 or :443.
  7. Further, if a server has multiple IP addresses, it shows which IP is listening on which port.

Let's take it a step further:
  1. Type netstat -ano
  2. TCP    127.0.0.1:7778         0.0.0.0:0              LISTENING       2420
     TCP    127.0.0.1:7778         127.0.0.1:49257        ESTABLISHED     2420
     TCP    127.0.0.1:9080         0.0.0.0:0              LISTENING       4708
     TCP    127.0.0.1:14147        0.0.0.0:0              LISTENING       2120
     TCP    127.0.0.1:16709        0.0.0.0:0              LISTENING       2848

  3. The second-to-last column shows LISTENING or ESTABLISHED as the status.
  4. Type netstat -ano | find "LISTENING"
  5. This shows all ports on which the system is listening.
  6. The last column has the Process ID.  Let's take 2420 on this example system.
  7. Open Task Manager (CTRL-SHIFT-ESC) and click the Processes tab.
  8. Click View - Select Columns and check the box next to PID (Process Identifier).
  9. NOTE: You may also need to check the box at the bottom, "Show processes from all users", if it isn't already.
  10. Now we find 2420 on this system, at this time, to be TracSrvWrapper.exe.
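As an added example (not code from the original posts), this does by script what the netstat posts, the state-server post and the fwd.exe port-conflict post do by eye: parse `netstat -ano` output, find the PID bound to an exact port (versus the `find "445"` substring match), and flag listeners bound to 0.0.0.0 rather than 127.0.0.1. The sample output is constructed from the lines quoted above, and the Sock/parse_netstat names are my own.

```python
import re
from dataclasses import dataclass
# Constructed sample, modelled on the `netstat -ano` lines quoted in the posts above.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:42424          0.0.0.0:0              LISTENING       1240
  TCP    127.0.0.1:7778         0.0.0.0:0              LISTENING       2420
  TCP    127.0.0.1:7778         127.0.0.1:49257        ESTABLISHED     2420
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:34450     10.0.0.5:443           ESTABLISHED     3012
  UDP    0.0.0.0:4500           *:*                                    1112
"""

@dataclass
class Sock:
    proto: str
    local_ip: str
    local_port: int
    state: str  # empty for UDP, which prints no State column
    pid: int

# proto, local ip:port, foreign address, optional state, PID (IPv6 locals look like [::]:445)
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text: str) -> list:
    """Turn raw `netstat -ano` output into records; header and blank lines are skipped."""
    rows = [ROW.match(line) for line in text.splitlines()]
    return [Sock(m[1], m[2], int(m[3]), m[4] or "", int(m[5])) for m in rows if m]

def find_lines(text: str, needle: str) -> list:
    """What `netstat -ano | find "needle"` shows: a plain substring match on every line,
    so "445" also picks up a client socket on port 34450 while ":445" does not."""
    return [line for line in text.splitlines() if needle in line]

def listeners_on(socks: list, port: int) -> list:
    """PIDs bound to exactly this local port (TCP in LISTENING state, or any UDP binding)."""
    return [s.pid for s in socks
            if s.local_port == port and (s.state == "LISTENING" or s.proto == "UDP")]

def remotely_reachable(socks: list) -> list:
    """Listeners bound to every interface (0.0.0.0 or [::]) rather than loopback only:
    the 0.0.0.0 vs 127.0.0.1 check from the state-server post; firewall these to the hosts that need them."""
    return [s for s in socks if s.local_ip in ("0.0.0.0", "[::]")
            and (s.state == "LISTENING" or s.proto == "UDP")]

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    print("PIDs listening on 445:", listeners_on(socks, 445))
    for s in remotely_reachable(socks):
        print(f"{s.proto} port {s.local_port} (PID {s.pid}) is reachable from other hosts")
```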