Firewall preventing users logging on to domain

Hi,

I am testing CIS (AV, Firewall & Defense+) in our Active Directory domain. I am having some problems with users logging on to the domain after CIS has been installed. Clients are running Windows XP, domain controller is Windows 2K3.

Once installed, I can log on to the client locally, and when I do so, a new network is detected by CIS. If I attempt to log on to the domain, the user cannot log on. After entering the username and password, the screen freezes for several minutes, and there is no disk activity. Then the message ‘loading your personal settings’ is displayed. If I leave it long enough (45 minutes or more) an error message is displayed saying the profile cannot be found.

I have tried amending the global rules to allow all traffic with a source address of the domain controller. I have also tried disabling AV, Firewall and Defense+, but still get the same result. The only way around this, is to completely remove CIS.

The problem doesn’t occur on all clients, but a significant number, about 50%.

Any suggestions would be appreciated.

Thanks

Nick

The Protocol and Port requirement is quite complex in AD. The first thing to ensure is that you have defined a trusted network. Open:

CIS/Firewall/Common Tasks/ Create a new Trusted network, Stealth my Port to everyone else

Enter the details of the network. This will create a pair of Global Rules that allow communication on your LAN.

Try this and test communication: You might also want to read the following:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en

Hi,

Thanks for the advice, and document link.

I opened Firewall > Common Tasks > Stealth Ports Wizard > Define a new trusted network stealth my ports to everyone else.

I selected “I would like to define and trust a new network zone”, and entered IP range 192.168.1.1 - 192.168.1.50. This range contains all servers and networking equipment; clients are 192.168.1.50 onwards.

2 new global rules now allow incoming and outgoing traffic for that IP range, however, I still have the same problem.

Nick

Ok, I’m assuming the firewall is installed on the client and not on the server?

A couple of things before we get carried away. First, can you tell me your settings for the firewall? Second, make sure you have basic connectivity.

Open a command prompt and ping the server.
Also try a net view.

That will give us some clues.

The firewall is installed on the client only.

I have not created any settings for the firewall, just installed it, then rebooted. As I mentioned previously, I have also added IP range 192.168.1.1 - 192.168.1.50 as a trusted network. Also, the client’s own IP address is trusted as ‘local area network #1’.

I can connect to the domain controllers (there are two) using ping and net view when I am logged on locally. I can’t try this test when logged on to the domain because I can’t log on.

Thanks

Nick

Check your Application rules and ensure you have Trusted Network (same as the global rules) applied to the system object; if not, you will need to create these manually.

Depending upon your requirements, you will need to allow for communication on the following ports and protocols:

NetBIOS
UDP 138
UDP 137
TCP 139

SMB
TCP 445

RPC
TCP 135

You may also need to allow for:

DNS
UDP 53

DHCP
UDP 67/68

LDAP
TCP/UDP 389

There may also be others but it really hinges on what additional connectivity you need.

In the firewall advanced settings change the slider to custom policy mode and set the alerts to very high.

Check the system and svchost entries in Application rules. Ensure the last rule in each is ASK and Log. Clear your log files and attempt a logon.

Now you can watch and answer the firewall prompts and inspect your log files for details of protocol and port requirements.

As I said in my first post, domain validation and service acquisition can be quite a complex task. It depends how much control you want.

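The reply above lists the ports a client needs to reach on the domain controller, and an earlier reply suggests confirming basic connectivity before tuning rules. The following added script (not from the thread or from Comodo) turns that list into a reachability check: it attempts a TCP handshake to each TCP port and reports UDP ports as unverified, since a UDP port cannot be confirmed by a connect. The domain controller address and the loopback demo are constructed placeholders; a practitioner would run `check_dc_ports("192.168.1.x")` from the client with CIS enabled and compare against a run with it disabled.

```python
"""Check which Active Directory ports a client can reach on a domain controller.

Added example, not from the forum thread. TCP ports are tested with a real
connect; UDP ports are connectionless and are reported as unverified rather
than guessed at. The DC address is a constructed placeholder.
"""
import socket
from typing import Dict, List, Tuple

# (service, protocol, port) as listed in the reply above.
AD_PORTS: List[Tuple[str, str, int]] = [
    ("NetBIOS name service", "udp", 137),
    ("NetBIOS datagram", "udp", 138),
    ("NetBIOS session", "tcp", 139),
    ("SMB", "tcp", 445),
    ("RPC endpoint mapper", "tcp", 135),
    ("DNS", "udp", 53),
    ("DHCP server", "udp", 67),
    ("DHCP client", "udp", 68),
    ("LDAP", "tcp", 389),
    ("LDAP", "udp", 389),
]


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all count as not open
        return False


def check_dc_ports(host: str, ports=AD_PORTS, timeout: float = 2.0) -> Dict[str, str]:
    """Return a {"proto/port (service)": status} map for the given host."""
    results: Dict[str, str] = {}
    for service, proto, port in ports:
        key = f"{proto}/{port} ({service})"
        if proto == "tcp":
            results[key] = "open" if tcp_port_open(host, port, timeout) else "blocked or closed"
        else:
            results[key] = "unverified (UDP has no handshake)"
    return results


def blocked_tcp(results: Dict[str, str]) -> List[str]:
    """The TCP entries that failed, sorted, for a quick comparison between runs."""
    return sorted(k for k, v in results.items() if v == "blocked or closed")


def demo_against_loopback() -> Dict[str, str]:
    """Offline demonstration: a throwaway listener on 127.0.0.1 stands in for the
    DC on one port; port 1 is expected to be refused; one UDP port is included."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        ports = [("stand-in LDAP", "tcp", port), ("stand-in SMB", "tcp", 1), ("DNS", "udp", 53)]
        return check_dc_ports("127.0.0.1", ports, timeout=2.0)
    finally:
        listener.close()


if __name__ == "__main__":
    # Real use: replace with the domain controller's address, e.g. "192.168.1.x".
    for key, status in demo_against_loopback().items():
        print(f"{key:32} {status}")
```

A run with the firewall enabled that shows TCP 445, 135 or 389 as blocked, while the same run with the firewall disabled shows them open, points at the rule set rather than the network; a clean TCP picture with the logon still hanging points at the UDP side (Kerberos, DNS, NetBIOS), which this check deliberately does not claim to verify.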

Thanks for your suggestions. I have been running some tests, but still have the same problem. When I enter the username and password to log on, it takes about 45 minutes to log on. If I remove Comodo, the account logs on normally (less than a minute).

For System in Application Rules, I have allowed the Local area network #1, a trusted Zone containing IP addresses 192.168.1.1 - 192.168.1.30. I have also allowed any IP in/out with any port. Everything I have added is logging.

I added all the ports you suggested in Global Rules.
Firewall is set to Custom Policy mode, and Alerts set to very high.

When I check the log files, nothing shows as blocked during log on.

When I check the event log, I see event id 1053 listed each time I attempt to log on.

Do you have any other suggestions?

Thanks

Nick


Hi. Unfortunately I don’t have a Domain established at home at the moment, so I can’t do any testing. I’ll try and set something up tomorrow and see where it takes me.

Microsoft’s event IDs are notoriously vague, so I’m not sure where that will take us, but by all means take a look at this and see if it helps:

http://www.eventid.net/display.asp?eventid=1053&eventno=1584&source=Userenv&phase=1

I think we’ll have to clean up those rules of yours before we do much else. I’ll try and post something tomorrow. In the meantime, if anyone else wants to join in, feel free :slight_smile:

I’ve been doing some more testing. With Comodo installed, the event log reports all these errors:

Event id 1054
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event id 15
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event id 4356
The COM+ Event System failed to create an instance of the subscriber partition:{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}!new:{6295DF2D-35EE-11D1-8707-00C04FD93327}. CoGetObject returned HRESULT 8000401A.

Event id 1521
Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

DETAIL - The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

Event id 1053
Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.

I uninstalled Comodo, and Windows logged on without any of the above errors.

I also set up a new PC and a new user, and excluded both user and PC from any group policies.

I installed Comodo with the default settings. The new user was able to log on the first time, but after restart and logging in a second time, I had the same problem again. The attachment shows the application rules. Again I have the same error in event viewer: “Windows cannot obtain the domain controller name for your computer network”

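The recurring error in the post above, “Windows cannot obtain the domain controller name for your computer network”, comes from the DC locator, which finds a domain controller by querying DNS for the SRV record `_ldap._tcp.dc._msdcs.<domain>` over UDP 53 (one of the ports listed earlier in the thread). The following added example (not from the thread, Microsoft or Comodo) models both halves of that exchange: it builds the query a client sends, parses the SRV answers a DNS server returns, and includes a constructed sample response so the parser can be exercised offline. `example.com`, `dc1`/`dc2` and the server address are placeholders; `query_dc_srv` is the only function that touches the network.

```python
"""Model of the DNS SRV lookup Windows uses to locate a domain controller.

Added example, not from the forum thread. Names are constructed placeholders.
The SRV name _ldap._tcp.dc._msdcs.<domain> is the standard DC locator record.
"""
import socket
import struct
from typing import List, Tuple

SRV_TYPE = 33
IN_CLASS = 1
SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)


def encode_name(name: str) -> bytes:
    """Wire-format a DNS name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dc_locator_query(domain: str, txid: int = 0x1234) -> bytes:
    """Query for _ldap._tcp.dc._msdcs.<domain>, recursion desired, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(f"_ldap._tcp.dc._msdcs.{domain}") + struct.pack("!HH", SRV_TYPE, IN_CLASS)
    return header + question


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends after the first pointer
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_srv_answers(msg: bytes) -> List[SrvRecord]:
    """Extract SRV records from a response, lowest priority and highest weight first."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"DNS rcode {flags & 0xF}")  # 3 = NXDOMAIN: no such zone
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4  # skip qtype and qclass
    answers: List[SrvRecord] = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = decode_name(msg, offset + 6)
            answers.append((prio, weight, port, target))
        offset += rdlen
    return sorted(answers, key=lambda a: (a[0], -a[1]))


def build_sample_response(query: bytes, records: List[SrvRecord]) -> bytes:
    """Constructed DNS reply for offline testing: echoes the question and returns
    one SRV record per entry, with the owner name compressed to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    body = b""
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        body += b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, len(rdata)) + rdata
    return header + query[12:] + body


def query_dc_srv(domain: str, dns_server: str, timeout: float = 2.0) -> List[SrvRecord]:
    """Live lookup over UDP 53; raises socket.timeout if the port is blocked."""
    query = build_dc_locator_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (dns_server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_srv_answers(data)


if __name__ == "__main__":
    q = build_dc_locator_query("example.com")
    sample = build_sample_response(q, [(0, 100, 389, "dc2.example.com"), (0, 200, 389, "dc1.example.com")])
    print(parse_srv_answers(sample))
```

On a client that exhibits the symptom, a `socket.timeout` from `query_dc_srv("<your domain>", "<DC address>")` with the firewall enabled, and a normal answer with it disabled, isolates the UDP 53 path as the thing the rule set is breaking; an answer that arrives but names a controller on a port the TCP check cannot reach points back at the LDAP and RPC rules instead.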

I managed to get this working, after many hours of testing!

This is what did it:

Firewall > Advanced > Network Security Policy > Application Rules

C:\Windows\System32\lsass.exe
Allow IP In from IP Domain_Controller_IP to IP Any where protocol is Any
Allow IP Out from IP Any to IP Domain_Controller_IP where protocol is Any

Firewall > Advanced > Attack Detection Settings > Miscellaneous
Remove tick from Block Fragmented IP Datagrams

With these options set in the local administrator account, a domain user can log on straight away. Other ports and protocols do need to be permitted, such as winlogon.exe and svchost.exe, but they can be approved via the alerts that pop up during log on. Without the above settings, domain users cannot log on.

Well done and thanks for the feedback. I haven’t had the time to get my domain completely organised. That’s good information :slight_smile: