Re: Windows 2003 firewall
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/23/05
Date: Wed, 23 Nov 2005 15:57:06 -0600
If you disable the firewall temporarily and the logon failures disappear
then you know they are related to traffic that the firewall is dropping.
Broadcasts would have a source IP ending in .255. The link below will help
you identify ports used by Windows server operating system. If they are not
on the list then a search of Google [port xx tcp, etc.] may help you track
down what they are used for. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017
"mrss" <mrss@discussions.microsoft.com> wrote in message
news:D4EC1577-416A-4819-9083-AFCBF61E03F4@microsoft.com...
> I do see a certain number of dropped connections in the firewall log. These
> are mostly from the two other servers in my domain. I have been opening the
> ports that these servers are trying to attach to, although I don't know what
> some of them are for. Maybe they are just broadcasts? The logon failures in
> Event Viewer seem to be local services on my server, which I don't know how
> to explain. Thanks for your help, and have a happy Thanksgiving.
>
> "Steven L Umbach" wrote:
>
>> Make sure that you look at the firewall logs also to see what traffic is
>> being dropped. If you are seeing a large number of logon failures that may
>> be a reason for concern to maintain functionality if they are legitimate
>> connections. The logon events should show the source computer that is
>> causing these events and you would want to investigate further to see if the
>> source computer is working correctly or not and look in its logs for
>> failure events that may help you determine what is going on. Such logon
>> failures would indicate more is being blocked than typical broadcast
>> noise. --- Steve
>>
>>
>> "mrss" <mrss@discussions.microsoft.com> wrote in message
>> news:D8918485-6C5F-4027-97E5-523D6B8FC3E2@microsoft.com...
>> > I have recently installed SP1 on our Win 2003 server, and activated the
>> > firewall. The applications and services running on this server, like DHCP
>> > and McAfee EPO virus protection seem to be working, after some negotiation
>> > with the firewall. Yesterday I enabled logging of dropped connections in
>> > Event Viewer, and I now see a large number of logon failures, mostly for
>> > local services, like lsass.exe and sqlmangr.exe, which event viewer says the
>> > firewall has "detected listening on port ...." Do I need to manually open
>> > these ports? The most frequent blocked connection is cqsmgr.exe, which I
>> > understand is a Compaq ditty, doing I don't know what. My server is a
>> > Proliant. If I don't see any ill effect, should I just leave these, or is
>> > the dropping of these connections provoking a storm of requests to my server
>> > that will slow it down?
>>
>>
>>
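The firewall-log review suggested in this thread can be scripted. The following is an added example, not part of the original posts: it parses DROP entries from a Windows Firewall log in the pfirewall.log field layout and counts them per source, protocol and destination port, so repeated drops from the same server stand out. The sample lines are constructed, and marking a destination ending in .255 as a broadcast assumes /24 subnets.

```python
from collections import Counter

# Constructed sample in the pfirewall.log layout (not taken from the thread).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2005-11-23 15:01:10 DROP TCP 192.168.1.11 192.168.1.10 1044 1433 48 S 1234567 0 65535 - - -
2005-11-23 15:01:13 DROP TCP 192.168.1.11 192.168.1.10 1044 1433 48 S 1234567 0 65535 - - -
2005-11-23 15:01:20 DROP UDP 192.168.1.12 192.168.1.255 138 138 229 - - - - - - -
2005-11-23 15:01:22 DROP UDP 192.168.1.11 192.168.1.255 137 137 78 - - - - - - -
2005-11-23 15:01:25 OPEN TCP 192.168.1.10 192.168.1.12 1050 445 - - - - - - - -
"""


def parse_drops(text):
    """Yield one dict per DROP entry, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if row.get("action") == "DROP":
                yield row


def is_broadcast(dst_ip):
    # Assumption: /24 subnets, so a directed broadcast destination ends in .255
    # (this also matches the limited broadcast 255.255.255.255).
    return dst_ip.endswith(".255")


def summarize(text):
    """Count drops per (source IP, protocol, destination port, broadcast flag)."""
    counts = Counter()
    for row in parse_drops(text):
        key = (row["src-ip"], row["protocol"], row["dst-port"],
               is_broadcast(row["dst-ip"]))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, port, bcast), n in summarize(SAMPLE_LOG).most_common():
        kind = "broadcast" if bcast else "unicast"
        print(f"{n:3d}  {src:15s} {proto}/{port:<5s} {kind}")
```

Unicast drops that repeat from a known server are the ones to look up in the port list linked above; entries marked broadcast are candidates for background noise.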