Cannot log on to domain (2)

morpheus · September 11, 2006, 1:23pm

I see other people are having trouble logging on to a domain when the CPF is active. I have the same problem:
Windows 2000 Server on the Domain Controller
Windows XP SP2 on my workstation, with CPF installed
Test 1: CPF Firewall (“Network Monitor”) turn OFF → succesful login to the domain
Test 2: CPF Firewall turned ON → with ANY kinf of protocol, IP, port allowed → there is some commucication between the workstation and the server, since I get a message of a wrong password. But when I enter the correct password the PC sitts there for 5 minutes with the logon screen greyed out, then the logon window dissapears and I am left with a mouse pointer on a blank screen for another 5 minutes, then I see the “Loading your personnal settings…” window which sits there forever until I hard-reboot the PC

Any suggestions?
I am trying to check the logs, but they are cleared on each reboot, and I cannot read them after an unsuccesful login. Maybe I can get them from a shared folder through another PC on the network, but I cannot find out which file I need to share.

rki · September 11, 2006, 1:42pm

morpheus post:1:

I see other people are having trouble logging on to a domain when the CPF is active. I have the same problem:
Windows 2000 Server on the Domain Controller
Windows XP SP2 on my workstation, with CPF installed
Test 1: CPF Firewall (“Network Monitor”) turn OFF → succesful login to the domain
Test 2: CPF Firewall turned ON → with ANY kinf of protocol, IP, port allowed → there is some commucication between the workstation and the server, since I get a message of a wrong password. But when I enter the correct password the PC sitts there for 5 minutes with the logon screen greyed out, then the logon window dissapears and I am left with a mouse pointer on a blank screen for another 5 minutes, then I see the “Loading your personnal settings…” window which sits there forever until I hard-reboot the PC

Any suggestions?
I am trying to check the logs, but they are cleared on each reboot, and I cannot read them after an unsuccesful login. Maybe I can get them from a shared folder through another PC on the network, but I cannot find out which file I need to share.

Can you please show us(screen shot) your current CPF Rules?

morpheus · September 11, 2006, 1:49pm

I have deleted now all the “Allow all” rules, I gave up trying to log on the domain for now.
I can tell you though that I have tried with all the traffic (ANY port, IP protocol) to and from the Domain Controller allowed, as well as with ALL the traffic allowed (ANY port, IP protocol, ANY IP). This is not the first firewall I set up so I don’t think I had any mistakes there. Anyway a more experienced friend of mine checked the rules too, and cocnluded that there must be some kind of “special” setting, maybe because the firewall doesnt take the rules into account before logging in or something like that.

Has anybody succesfully logged ono to a domain from a PC with CPF enabled?

effel · September 12, 2006, 8:46pm

Hi morpheus,

I have no trouble logging on to a domain on a Windows 2003 domain controller from a Windows XP Pro client with CPF enabled.

I think what may be causing your problem is that the application monitor in CPF is blocking the process lsass.exe (Local Security Authority System Service) from communicating with your domain controller during the logon process. In addition to network rules, you’ll also need to make the following application rules (in Application Monitor) before attempting domain logons:

Application: C:\WINDOWS\system32\lsass.exe
Parent Application: C:\WINDOWS\system32\winlogon.exe
Destination: Any
Port: Any
Protocol: TCP or UDP
Direction: In
Action: Allow

Application: C:\WINDOWS\system32\lsass.exe
Parent Application: C:\WINDOWS\system32\winlogon.exe
Destination: Any
Port: Any
Protocol: TCP or UDP
Direction: Out
Action: Allow

Also, make sure the “Block all outgoing connections while booting” setting is disabled (accessible from Advanced → Configure Advanced Attack Detection and Prevention → Miscellaneous).

I hope this helps.

EDIT:
It’s possible the inbound rule above is not necessary.

Adding the rule above may not be sufficient. You may have to add one or more of the following application rules:

Application (Parent), Destination, Port, Protocol, Direction, Action
C:\WINDOWS\system32\lsass.exe (C:\WINDOWS\system32\winlogon.exe), Any, Any, TCP or UDP, Out, Allow
C:\WINDOWS\system32\userinit.exe (C:\WINDOWS\system32\winlogon.exe), Any, Any, TCP or UDP, Out, Allow
C:\WINDOWS\system32\winlogon.exe (C:\WINDOWS\system32\smss.exe), Any, Any, TCP or UDP, Out, Allow
C:\WINDOWS\system32\svchost.exe (C:\WINDOWS\system32\services.exe), Any, Any, TCP or UDP, Out, Allow

On Win2K clients, replace C:\WINDOWS with C:\WINNT and in addition to the rules above, add the following rule:
C:\WINNT\system32\services.exe (C:\WINDOWS\system32\winlogon.exe), Any, Any, TCP or UDP, Out, Allow

Hopefully, if Comodo adds logging abilities to the application monitor, it would be easier to determine the exact rules that’s needed to for group policies to be applied successfully and for domain logons to be successful.

bck · November 6, 2006, 6:57pm

I have the same problem as morpheus.

2000 Server Domain Controller, XP SP2 workstation. I added the rules suggested by effel but this did not work.

Any other suggestions?

kail · November 6, 2006, 7:26pm

Check CPFs Log. If CPF is blocking something, then it should be in there. You can export the log to an HTML file & post the relevant entries here if you require advice.

bck · November 6, 2006, 7:57pm

Looks like a have Fake or Malformed UPD packets being blocked by Protocol Analysis. I was reading in another post that I can disable this. Is this under Advanced Attack and Prevention detection? Is there a way around this without disabling it? That is a benifit of CPF right?

kail · November 6, 2006, 8:55pm

Yes, I remember that too… here.

If it’s safe or not depends on the IP addresses involved & who they are.