Troubleshooting Active Directory Account Lockouts

A how-to on diagnosing the cause of a (user’s) Active Directory account repeatedly locking out.

Download the Account Lockout Status tools from Microsoft

Choose ‘Select Target’ from the File menu

  • Enter the user’s account name as the target – if you’re already logged in with a domain Admin account, adding alternate credentials is not necessary.
  • LockoutStatus shows the status of the account on each DC in the domain: which DCs registered the account as locked and, crucially, which DCs recorded a bad password (the ‘Bad Pwd Count’ column). The DCs most likely to give the result we need are those reporting one or more bad passwords in that column.

Check the Security log on one of these DCs

  • Typically, you’ll review the logs of the DC that has the highest bad password count at that moment, or the DC that locked the account first. Make sure to look at the log entries for the exact minute/second at which LockoutStatus.exe reports the lockout.

[Screenshot: ad-lockout-1]

  • In the Security log of one of the domain controllers that show the account as locked, look for Event ID 4771 (Server 2008) or Event ID 529 (Server 2003) entries containing the target username. Specifically, you need the entries that show Failure Code 0x18. Note the Client Address: this is the address of the machine that submitted, or still holds, the bad password.

Enable Verbose Logging

  • Sometimes the event is less specific: something else is logging the event on the user’s behalf, or the logon is hopping through another device and only the last node is recorded in the event. You may get a log entry that looks like this:

[Screenshot: ad-lockout-2]

  • In this case, we’ll need to enable verbose logging on the DC and wait for the next failed login attempt, refreshing the status in the LockoutStatus.exe tool. To refresh the status, simply hit F5 in that window.
  • To enable verbose logging, open an elevated command prompt on the DC that is reporting the lockout and execute the following command: nltest /dbflag:0x2080ffff
  • This logs every Netlogon transaction to the file %windir%\debug\netlogon.log (note: you need to run Notepad as an administrator to read this file).
  • Inside netlogon.log, find the logon attempt made by the user by referencing the exact date/time that LockoutStatus.exe reported; the entry lists the workstation it came from. Again, be sure to find the record matching the exact minute/second at which the lockout or failed attempt occurred in the LockoutStatus.exe tool. A matching entry looks like this:
    11/01 09:11:21 [LOGON] DOMAIN: SamLogon: Transitive Network logon of (null)\UserName from (WorkStationName) Entered
  • Once you have located the source of the failed attempts, you will want to shut off verbose logging.
  • To do so, enter the following command in the elevated command window: nltest /dbflag:0x0
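Matching netlogon.log entries to the LockoutStatus.exe timestamp can be scripted rather than done by eye. The following Python is an added example, not part of the original post or of Microsoft’s tools: it parses SamLogon entries in the format shown above, then lists the workstations that sent logons for the account within a few seconds of the lockout time together with the NT status each attempt returned. The sample log lines, the account names, the workstation names and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a SamLogon entry in netlogon.log (see the sample line in the post). The
# domain prefix may be "(null)" and the workstation may appear as "\\WKS" or "(WKS)".
LOGON_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] .*?SamLogon: "
    r"(?P<kind>.+?) logon of (?P<account>\S+) from\s+\(?(?P<ws>[^\s()]+)\)?"
    r".*?\b(?P<phase>Entered|Returned)(?: (?P<status>0x[0-9A-Fa-f]+))?"
)


def parse_netlogon(lines):
    """Return one record per SamLogon entry; unrelated lines are skipped."""
    records = []
    for line in lines:
        m = LOGON_RE.search(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%m/%d %H:%M:%S"),  # no year; fine for deltas
            "user": m["account"].rsplit("\\", 1)[-1],            # drop DOMAIN\ or (null)\
            "ws": m["ws"].lstrip("\\"),                          # drop leading \\
            "kind": m["kind"],
            "phase": m["phase"],
            "status": m["status"],
        })
    return records


def logon_sources(records, username, at, window_seconds=2):
    """Workstations that sent logons for `username` within `window_seconds` of the
    LockoutStatus.exe timestamp `at` ("MM/DD HH:MM:SS"), with returned NT status codes."""
    centre = datetime.strptime(at, "%m/%d %H:%M:%S")
    out = defaultdict(lambda: {"entered": 0, "statuses": []})
    for r in records:
        if r["user"].lower() != username.lower():
            continue
        if abs(r["ts"] - centre) > timedelta(seconds=window_seconds):
            continue
        if r["phase"] == "Entered":
            out[r["ws"]]["entered"] += 1
        elif r["status"]:
            out[r["ws"]]["statuses"].append(r["status"])
    return dict(out)


# Constructed sample log: 0xC000006A is STATUS_WRONG_PASSWORD, 0x0 is success.
SAMPLE_LOG = r"""
11/01 09:11:20 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from \\WKS-42 (via DC02) Entered
11/01 09:11:20 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from \\WKS-42 (via DC02) Returned 0xC000006A
11/01 09:11:21 [LOGON] CONTOSO: SamLogon: Transitive Network logon of (null)\jdoe from (WKS-42) Entered
11/01 09:11:21 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from \\LAPTOP-7 Entered
11/01 09:11:21 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from \\LAPTOP-7 Returned 0x0
11/01 09:11:22 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from \\KIOSK-1 (via DC02) Entered
""".strip().splitlines()

if __name__ == "__main__":
    # The time is the one LockoutStatus.exe displays for the locked account.
    for ws, info in logon_sources(parse_netlogon(SAMPLE_LOG), "jdoe", "11/01 09:11:21").items():
        print(ws, info)
```

Run it against a copy of the real netlogon.log with `parse_netlogon(open(path, errors="replace"))`; a workstation with several "Entered" lines and 0xC000006A results around the lockout time is the one holding the stale password.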

How to Enable Call Control for 3CX and Sennheiser headset

We have had trouble getting the Sennheiser OfficeRunner to do Call Control from the headset.

Setup

  • 3CX version 12, 14, 15
  • Yealink T46G with EHS36
  • Sennheiser OfficeRunner (DW)
  • 3CXPhone

We tried the very complicated updates to the T46G and EHS36 without success.

The following procedure allows answering the phone with the headset button with EITHER the T46G/EHS36 OR 3CXPhone(using the OfficeRunner directly without a phone – the OfficeRunner is the microphone and speakers).

To make this work:

  1. Go to http://en-us.sennheiser.com/headset-software-pc
  2. Download the latest Headsetup – 6.0.1902+
  3. Download the latest 3CX plugin – 1.1.2206+
  4. In Headsetup, select the 3CX softphone.

Chrome, IE, FF slow Performance with Video

I recently had a computer that would hang for long periods whenever it encountered a video file, generally Shockwave.

The behavior was cross-browser, affecting Internet Explorer, Chrome, and Firefox. I tried fiddling with various settings in all three browsers with no result.

Finally I simply uninstalled Adobe Shockwave and went to the site and reinstalled it. Problem solved.

Anyway, I thought others might be experiencing the same thing and didn’t want you to waste your time with all sorts of fix attempts when such an easy solution is available. For those who don’t know how to Add and Remove Programs it’s very easy.

  1. Close all your browsers.
  2. Go to the Control Panel
  3. Add/Remove Programs
  4. Click Adobe Shockwave
  5. Change/Uninstall (this uninstalls the program)
  6. Open Browser
  7. Type Shockwave in a search.
  8. Download
  9. Install.

Enjoy your browsing!

Tom

mod_evasive doesn’t work with current Apache

Starting with Apache 2.4.1, mod_evasive stores the violation counts PER CHILD. Attackers don’t hit the same child enough times in the time interval to trip the system: if you have 100 child threads, the count is diluted to 1/100 for the time interval.

DO NOT USE mod_evasive.

You can slightly improve the performance by editing httpd.conf:
KeepAlive On
MaxRequestsPerChild 0
MinSpareServers somelowvalue
MaxSpareServers somelowvalue

You could use mod_security instead, but it won’t ban IP addresses:
yum install mod_security (installs mod_security)
yum install mod_security_crs (installs the OWASP Core Rule Set for mod_security)

After installing mod_security, you may get a FAILED message from service httpd restart.
You’ll find a similar message in /var/log/httpd/error_log:
[alert] (EAI 2)Name or service not known: mod_unique_id: unable to find IPv4 address of "myserver.mydomain.local"
BE CERTAIN that the HOSTNAME value in /etc/sysconfig/network also has a 127.0.0.1 record in /etc/hosts.

Use fail2ban
yum install fail2ban
vi /etc/fail2ban/jail.local
[apache-banhermes]
enabled = true
filter = apache-banhermes
logpath = /var/log/httpd/access_log
maxretry = 1
bantime = 60000
action = iptables-multiport[name=banhermes, port="http,https"]
backend = polling

vi /etc/fail2ban/filter.d/apache-banhermes.conf
[Definition]

failregex = ^<HOST> -.*"(GET|POST) \/hermes\/
ignoreregex =

service fail2ban start
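Before enabling a jail with maxretry = 1, it is worth checking what the failregex actually matches, because every match becomes an immediate ban. The following Python is an added example, not part of the original post or of fail2ban itself: it applies the apache-banhermes failregex above to a few constructed access_log lines the way fail2ban does, by substituting its `<HOST>` token with the capturing group fail2ban uses (that substitution is taken from fail2ban’s filter code and is an assumption to verify against your installed version). The log lines, addresses and function names are constructed.

```python
import re

# fail2ban replaces the <HOST> token with this named group before compiling a failregex
# (assumption based on fail2ban's filter code; confirm with fail2ban-regex).
HOST_TOKEN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from /etc/fail2ban/filter.d/apache-banhermes.conf above.
FAILREGEX = r'^<HOST> -.*"(GET|POST) \/hermes\/'


def compile_failregex(pattern=FAILREGEX):
    return re.compile(pattern.replace("<HOST>", HOST_TOKEN))


def count_failures(lines, pattern=FAILREGEX):
    """Hits per client address, the number fail2ban compares against maxretry."""
    rx = compile_failregex(pattern)
    counts = {}
    for line in lines:
        m = rx.search(line)
        if m:
            counts[m["host"]] = counts.get(m["host"], 0) + 1
    return counts


def addresses_to_ban(counts, maxretry=1):
    """With maxretry = 1 as in the jail above, a single matching request is enough."""
    return sorted(host for host, hits in counts.items() if hits >= maxretry)


# Constructed access_log lines (combined log format); addresses are from documentation ranges.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [11/Jan/2017:09:11:21 -0500] "GET /hermes/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jan/2017:09:11:22 -0500] "POST /hermes/login HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Jan/2017:09:11:23 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Jan/2017:09:11:24 -0500] "GET /static/hermes/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = count_failures(SAMPLE_ACCESS_LOG)
    print(hits, addresses_to_ban(hits))
```

Only requests whose path begins with /hermes/ match; /static/hermes/ does not, so the legitimate client is left alone. Two caveats the regex makes visible: `^<HOST>` assumes the client address is the first field of the line, which is not the case when Apache sits behind a reverse proxy (the proxy’s address would be banned instead), and fail2ban’s own `fail2ban-regex` tool performs this same check against the real log and filter file.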

Configuring SNMPv3 in SonicOS (5.9 & above) and (6.1 & above)

Article Applies To:

Gen6 SM E10000 series: NSA E10800, NSA E10400, NSA E10200, NSA E10100

Gen6 SM 9000 series: NSA 9600, NSA 9400, NSA 9200

Gen6 NSA Series: NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2600

Gen5 NSA E-Class series: NSA E8510, E8500, NSA E7500, NSA E6500, NSA E5500

Gen5 NSA series: NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400 MX, NSA 240, NSA 220, NSA 220 /W, NSA 250M, NSA 250M /W

Gen5 TZ Series: TZ 215, TZ 215 W, TZ 210, TZ 210 W,  TZ 205, TZ 205 W, TZ 200, TZ 200 W, TZ 105, TZ 105 W, TZ 100, TZ 100 W

Firmware/Software Version: SonicOS 5.9 & above and SonicOS 6.1 & above

Services: SNMPv3 (SNMP version 3)

Feature/Application:

Simple Network Management Protocol Version 3 (SNMPv3) is an interoperable standards-based protocol for network management. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network.

The security features provided in SNMPv3 are:

Message integrity—Ensuring that a packet has not been tampered with in-transit

Authentication—Determining the message is from a valid source

Encryption—Scrambling the contents of a packet to prevent it from being seen by an unauthorized source

Before SNMPv3, all data was transmitted in the clear and subject to monitoring and alteration by unauthorized users. v3 supports various encryption methods. We recommend users never use DES 56-bit encryption as this is very easy to decrypt. AES 128-bit is the preferred method.

Feature Functions

–Support USM (User-based Security Model, RFC3414) for SNMPv3 

–Support View-Based Access Control Model (VACM, RFC3415) for SNMPv3 

–Support Administrative Framework (RFC3411) for SNMPv3 

Feature Limitations 

–Does not support notification destinations 

–Does not support proxy relationships 

–Does not support remote configuration via SNMP operations

Procedure:

Step 1: Configure SNMP in SonicWALL device

Step 2: Configuring SNMP & adding SonicWALL unit in PRTG Monitoring software

Step 1: Configure SNMP in SonicWALL device

  • Enable SNMP and configure SNMP parameters

Please login to the SonicWALL Management GUI as admin.

  • Navigate to System -> SNMP.
  • Check the box Enable SNMP.
  • Click the Configure button and supply the parameters for SNMP, or keep the defaults for a general configuration.
  • Click OK.
  • Click the Apply button on the top of the page.

For the SNMP functionality, the Community name should be the same in the SonicWALL and the SNMP monitoring software

  • Creating SNMP User, Group & Access

>> Adding User with Group

Please login to the SonicWALL Management GUI as admin.

Navigate to System -> SNMP, Click Add User button under Users/Group

  • User Name: User1 (type any friendly name which you would like to use for SNMP)
  • Security Level: Authentication and Privacy (select the level which you would like to use)
  • Authentication Method: MD5 (select the method which you would like to use)
  • Authentication Key: user12345 (type the key which you would like to use; it should be more than 8 characters)
  • Encryption Method: DES (select the method which you would like to use; AES 128-bit is recommended above)
  • Privacy Key: password123 (type any key which you would like to use)
  • Group: SNMP Group (select the group to which you would like to add this user)
  • Click the OK button on the top of the page.
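Both the SonicWALL and the monitoring software turn the authentication and privacy keys entered above into per-device keys, which is why the two sides must be given identical values and why the key length matters. The following Python is an added example, not SonicWALL, PRTG or RFC code: it implements the RFC 3414 USM password-to-key step and the key localization with the agent’s engine ID, checks itself against the published RFC 3414 appendix A test vector, and enforces the 8-character minimum. The function names are assumptions.

```python
import hashlib

ONE_MEGABYTE = 1_048_576


def password_to_key(password: str, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated until exactly 1,048,576 bytes have been
    consumed. The digest is the user's key Ku, which never leaves the management side."""
    pw = password.encode("utf-8")
    if len(pw) < 8:
        # Same minimum the article gives for the SonicWALL authentication key.
        raise ValueError("SNMPv3 USM passwords must be at least 8 characters")
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). The agent's engine ID makes the
    key unique per device, so a key captured from one device does not work on another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# Published test vector from RFC 3414 appendix A.3: password "maplesyrup" and this engine ID.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, usm_localized_key("maplesyrup", RFC3414_ENGINE_ID, algo).hex())
    # Constructed engine IDs: the same password yields different localized keys per device.
    print(usm_localized_key("user12345", b"\x80\x00\x00\x00\x01") !=
          usm_localized_key("user12345", b"\x80\x00\x00\x00\x02"))
```

The privacy key for DES or AES is derived from the privacy password by the same two steps (AES-128 uses the first 16 bytes of the localized key), so the example keys user12345 and password123 from the list above go through exactly this path on the SonicWALL and again in PRTG; a single differing character produces an entirely different key and the SNMP requests are simply dropped.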

>> Creating Access for SNMP

Please login to the SonicWALL Management GUI as admin.

Navigate to System -> SNMP, Click Add button under Access

  • Access Name: New SNMP Access (type any name which you would like to use)
  • Read View: root
  • Master SNMPv3 Group: SNMP Group (select the group which you would like to use)
  • Access Security Level: Authentication and Privacy (select the level of security for SNMP)
  • Click the OK button to save the access.

  • Enable SNMP on the SonicWALL interfaces

Please login to the SonicWALL Management GUI as admin.

Navigate to Network > Interfaces and click on the configure button in front of the LAN & WAN interface.

>> LAN Interface (X0): 

  • In the ‘Management’ section of Edit X0 interface window, check the ‘SNMP’ box.
  • Click the ‘OK’ button.

>> WAN Interface (X1): 

  • In the ‘Management’ section of the Edit X1 interface window, check the ‘SNMP’ box.
  • Click the ‘OK’ button.

Step 2: Configuring SNMP & adding SonicWALL unit in PRTG Monitoring software 

Open the SNMP software and register the SonicWALL. (You can download and install a free edition of PRTG from http://www.paessler.com/prtg/download)

Screenshots for PRTG (V14.2.9.1689) are attached below. Just enter the SonicWALL appliance’s LAN IP address along with the community string and it will start gathering data from the SonicWALL.

Select the Device tab in the PRTG software. Under Overview, click the Add Device button to add your SonicWALL device.

  • In the device name enter SonicWALL TZ 200 (you should use the same name which you used in the SNMP configuration of the SonicWALL)
  • In IPv4 Address/DNS Name enter 168.168.168 (IP address of the SonicWALL interface to which the server is connected)
  • Device Icon: select the Dell icon

Click Continue for next step

You will find the new device which we added. Click Add Sensor button to select the sensor type.

  • Select SNMP under Technology Used
  • Select SNMP Traffic under Matching Sensor Type

>>Under Credentials For SNMP Devices

Disable Inherit option and configure SNMP as below

  • SNMP Version: V3
  • Authentication Type: MD5 (select the authentication method which you configured in the SonicWALL)
  • User: User1 (type the user which you created in the SonicWALL)
  • Password: user12345 (type the Authentication Key which you configured in the SonicWALL)
  • Encryption Type: DES (select the encryption method which you configured in the SonicWALL)
  • Data Encryption Key: password123 (type the Privacy Key which you configured in the SonicWALL)
  • SNMP Port: 161
  • SNMP Timeout: 5

Click Continue button to save the configuration

Select the interfaces for which you would like to monitor traffic. In this scenario select the X0, X1 & W0 interfaces and click the Continue button.

Now you can see the sensor information for all the interfaces with their traffic rates.

How to Test

To test the SNMP traffic, select any one interface to see its traffic rate as a graph. Click the X0 interface to see the information as below.

The live data can be shown in graph format as below for the X0 interface.

Configuring Active Directory/LDAP over TLS (Certificate) on SonicOS Enhanced

Article Applies To:

Firmware/Software Version: SonicOS Enhanced

Services: LDAP over TLS

Feature:

This article explains how to integrate a SonicWALL appliance with an LDAP directory service using SSL/TLS. This requires configuring your LDAP server for certificate management, installing the correct certificate on your SonicWALL appliance, and configuring the SonicWALL appliance to use the information from the LDAP server.

Before beginning your LDAP configuration, you should prepare your LDAP server and your SonicWALL for LDAP over TLS support. This requires:

Installing a server certificate on your LDAP server. 

Installing a Certificate Authority (CA) certificate for the issuing CA on your SonicWALL appliance.

Deployment Steps:

Please note: in this article we have used Windows Server 2003 for the Certificate Authority and Active Directory. If you are using a Windows Server version other than 2003, please check the Microsoft site for configuring the CA and Active Directory; the steps on SonicOS Enhanced remain the same.

The following procedures describe how to Configure LDAP over TLS.

Step 1. Configuring the CA on the Active Directory Server 

Step 2. Exporting the CA Certificate from the Active Directory Server

Step 3. Importing the CA Certificate onto the SonicWALL

Step 4. Configuring LDAP settings on SonicWALL Appliance

Step 1: Configuring the CA on the Active Directory (Windows 2003 Server)

To configure the CA on the Active Directory server (skip the first five steps if Certificate Services are already installed):

  1. Navigate to Start > Settings > Control Panel > Add/Remove Programs.
  2. Select Add/Remove Windows Components.
  3. Select Certificate Services.
  4. Select Enterprise Root CA when prompted.
  5. Enter the requested information. See http://support.microsoft.com/kb/931125.

Step 2: Exporting the CA Certificate from the Active Directory Server

To export the CA certificate from the AD server:

  1. Launch the Certification Authority application: Start > Run > certsrv.msc.
  2. Right-click the CA you created and select Properties.

[Screenshot 001]

  3. On the General tab, click the View Certificate button.
  4. On the Details tab, select Copy to File.

[Screenshot 002]
[Screenshot 003]

  5. Follow the wizard and select the DER encoded binary X.509 (.CER) format.

[Screenshot 004]
[Screenshot 005]

  6. Click Browse and specify a path and filename to which to save the certificate.

[Screenshot 006]
[Screenshot 007]

  7. Click Next and then Finish.

[Screenshot 008]
[Screenshot 009]
[Screenshot 010]

Step 3: Importing the CA Certificate onto the SonicWALL

To import the CA certificate onto the SonicWALL:

  1. Browse to System > CA Certificates.
  2. Click Import.

[Screenshot 011]

  3. Select ‘Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file’, click Browse and select the certificate file you just exported from the Microsoft Certificate Authority.

[Screenshot 012]
[Screenshot 013]

  4. Once the root certificate is selected, click Import.

[Screenshot 014]

  5. Once the CA root certificate is imported, it will be listed under the System > Certificates section with Type ‘CA Certificate’.

[Screenshot 015]

Step 4: Configuring LDAP settings on SonicWALL Appliance

  1. Go to the Users > Settings page. In the ‘Authentication method for login’ drop-down list, select ‘LDAP + Local Users’ and click Configure.

[Screenshot 016]

If you are connected to your SonicWALL appliance via HTTP rather than HTTPS, you will see a dialog box warning you of the sensitive nature of the information stored in directory services and offering to change your connection to HTTPS. If you have HTTPS management enabled for the interface to which you are connected (recommended), check the “Do not show this message again” box and click Yes.

  2. On the Settings tab of the LDAP Configuration window, configure the following fields:

Name or IP address: The FQDN of the LDAP server against which you wish to authenticate. When using a name, be certain that it can be resolved by your DNS server. (Using the server’s name is recommended.)

Port Number: The default LDAP over TLS port number is TCP 636.

Server timeout (seconds): The amount of time, in seconds, that the SonicWALL will wait for a response from the LDAP server before timing out. Allowable ranges are 1 to 99999, with a default of 10 seconds.

Overall operation timeout (minutes): 5(Default)

Anonymous Login – Some LDAP servers allow for the tree to be accessed anonymously. If your server supports this (Active Directory generally does not), then you may select this option.

Login User Name – Specify a user name that has rights to log in to the LDAP directory. The login name will automatically be presented to the LDAP server in full ‘dn’ notation. This can be any account with LDAP read privileges (essentially any user account) – Administrative privileges are not required.

Note that this is the user’s name, not their login ID.

Login Password – The password for the user account specified above.

Protocol Version – Select either LDAPv3 or LDAPv2. Most modern implementations of LDAP, including Active Directory, employ LDAPv3.

Use TLS (SSL): Use Transport Layer Security (SSL) to log in to the LDAP server. It is strongly recommended that TLS be used to protect the username and password information that will be sent across the network. Most modern LDAP server implementations, including Active Directory, support TLS. Deselecting this default setting will display an alert that you must accept to proceed. (Check this option.)

Send LDAP ‘Start TLS’ Request – Some LDAP server implementations support the Start TLS directive rather than native LDAP over TLS. This allows the LDAP server to listen on one port (normally 389) for LDAP connections and to switch to TLS as directed by the client. Active Directory does not use this option, and it should only be selected if required by your LDAP server.

Require valid certificate from server – Validates the certificate presented by the server during the TLS exchange, matching the name specified above to the name on the certificate. Deselecting this default option will present an alert, but exchanges between the SonicWALL and the LDAP server will still use TLS, only without issuer validation.

Local certificate for TLS – Optional, to be used only if the LDAP server requires a client certificate for connections. Useful for LDAP server implementations that return passwords to ensure the identity of the LDAP client (Active Directory does not return passwords). This setting is not required for Active Directory. Leave this option unchecked if not sure.
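The difference between native LDAP over TLS on port 636 and the ‘Start TLS’ request on port 389, and what clearing ‘Require valid certificate from server’ actually changes, is easier to see on the wire than in a checkbox description. The following Python is an added example, not SonicWALL code: it builds and parses the LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037 as defined in RFC 4511) and maps the two states of the certificate checkbox onto a TLS client context using the standard library. The function names and the client-side mapping are assumptions; the SonicWALL’s own implementation is not visible here.

```python
import ssl

START_TLS_OID = "1.3.6.1.4.1.1466.20037"   # LDAP StartTLS extended operation (RFC 4511)


def _ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_length(len(content)) + content


def start_tls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.
    This is what a client sends in the clear on port 389 before switching to TLS."""
    if not 0 < message_id < 0x80:
        raise ValueError("single-byte message ids only in this illustration")
    msg_id = _tlv(0x02, bytes([message_id]))                   # INTEGER
    request_name = _tlv(0x80, START_TLS_OID.encode("ascii"))    # [0] requestName
    extended = _tlv(0x77, request_name)                        # [APPLICATION 23] ExtendedRequest
    return _tlv(0x30, msg_id + extended)                       # SEQUENCE


def _read_tlv(buf, pos=0):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_start_tls_request(buf):
    """Return (message_id, oid) if buf is an LDAP ExtendedRequest, else None."""
    try:
        tag, body, _ = _read_tlv(buf)
        if tag != 0x30:
            return None
        id_tag, id_body, pos = _read_tlv(body)
        if pos >= len(body):
            return None
        op_tag, op_body, _ = _read_tlv(body, pos)
        if id_tag != 0x02 or op_tag != 0x77:
            return None
        name_tag, name, _ = _read_tlv(op_body)
    except IndexError:
        return None
    if name_tag != 0x80:
        return None
    return int.from_bytes(id_body, "big"), name.decode("ascii")


def ldap_tls_context(cafile, require_valid_certificate=True):
    """The CA file is the certificate exported in Step 2; require_valid_certificate mirrors
    the 'Require valid certificate from server' checkbox: name and chain are checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not require_valid_certificate:
        ctx.check_hostname = False       # still encrypted, but the server is not authenticated
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates_server(ctx):
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


if __name__ == "__main__":
    req = start_tls_request(1)
    print(req.hex(), parse_start_tls_request(req))
    print(context_validates_server(ldap_tls_context(None)),
          context_validates_server(ldap_tls_context(None, require_valid_certificate=False)))
```

On port 636 the TLS handshake happens before any LDAP message, so no StartTLS request is ever sent; on port 389 the client sends this message in the clear and, after a success response, starts TLS on the same socket. With `require_valid_certificate=False` the session is still encrypted but any server holding any certificate is accepted, which is the situation the article describes when the checkbox is cleared.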

[Screenshot 017]

  3. On the Schema tab, configure the following fields:

LDAP Schema: Microsoft Active Directory

[Screenshot 018]

  4. On the Directory tab, configure the following fields:

Primary domain: The user domain used by your LDAP implementation.

User tree for login to server: The location in the tree of the user account specified on the Settings tab.

Click Auto-configure.

Select ‘Append to existing trees’ and click OK.

[Screenshot 019]
[Screenshot 020]

This will populate the ‘Trees containing users’ and ‘Trees containing user groups’ fields by scanning through the directory in search of all trees that contain user objects.

  5. On the LDAP Users tab, configure the following fields:

Default LDAP User Group: Trusted Group

How to Test:

[Screenshot 021]

On the LDAP Test tab, test a username and password from Active Directory to make sure that the communication is successful.

[Screenshot 022]

WordPress Plugins Fail to Update without FTP Credentials

In the interest of security we moved many of our websites to a new server and found that plugins suddenly refused to update without FTP credentials. This was fine when we wanted to do the updates ourselves and knew the FTP credentials, but it presented a problem because we like to encourage our clients to perform routine maintenance to keep their sites up to date. Obviously they are not going to know the FTP information.

This server happens to use setfacl to further control user access to the site folders. We don’t believe this is the problem.

WordPress attempts to write a file to wp-content as a test for directory access. For some reason this test seemed to be failing.

We bypassed the test by adding the following line to wp-config.php:

define('FS_METHOD', 'direct');

When the file write test was bypassed, the plugin installed without requiring the FTP credentials.
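The directory access test mentioned above checks more than write permission, which is why a writable wp-content can still fail it. The following Python is an added example, not WordPress code: it re-implements the probe the way WordPress’s get_filesystem_method() in wp-admin/includes/file.php performs it (an assumption based on reading that function), creating a temporary file in wp-content and accepting ‘direct’ only when the file’s owner matches the owner of the WordPress script, and shows how the FS_METHOD override short-circuits the probe. The scratch directory, file names and function names are constructed.

```python
import os
import tempfile


def wordpress_filesystem_method(wp_content_dir, script_path, fs_method=None):
    """Mimic WordPress' filesystem probe. fs_method is the value of the FS_METHOD
    constant from wp-config.php, if defined; it bypasses the probe entirely."""
    if fs_method:
        return fs_method
    try:
        fd, probe = tempfile.mkstemp(prefix="temp-write-test-", dir=wp_content_dir)
    except OSError:
        return "ftpext"            # cannot create the file: WordPress asks for FTP credentials
    try:
        os.close(fd)
        # The owner of the freshly written file is the PHP process user; it must equal the
        # owner of the WordPress script itself, or WordPress refuses to write directly.
        same_owner = os.stat(probe).st_uid == os.stat(script_path).st_uid
    finally:
        os.unlink(probe)
    return "direct" if same_owner else "ftpext"


def demo():
    """Constructed scenario in a scratch directory: wp-content is writable and its files
    are owned by the current user, so the probe passes; a missing directory fails it;
    FS_METHOD 'direct' wins regardless."""
    with tempfile.TemporaryDirectory() as site:
        wp_content = os.path.join(site, "wp-content")
        os.mkdir(wp_content)
        script = os.path.join(site, "wp-admin", "includes", "file.php")
        os.makedirs(os.path.dirname(script))
        open(script, "w").close()
        missing = os.path.join(site, "no-such-dir")
        return (
            wordpress_filesystem_method(wp_content, script),
            wordpress_filesystem_method(missing, script),
            wordpress_filesystem_method(missing, script, fs_method="direct"),
        )


if __name__ == "__main__":
    print(demo())
```

Run `wordpress_filesystem_method("/path/to/wp-content", "/path/to/wp-admin/includes/file.php")` on the server as the web server user to see which branch a site takes. Because the comparison is on owners, an ACL that grants the web server write access does not make the probe pass when the site files belong to a different account; and once FS_METHOD is set to direct, every plugin file is written as the PHP process user, so the ownership and permissions of wp-content need to be checked deliberately rather than left to the probe.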

We hope this helps you as well!

The Effect of Solid State Disks on Processor Usage

I am now encountering servers and client computers that have solid state disks (SSDs). My experience is showing that this sometimes causes improper analysis of performance measures through Performance Monitor (perfmon.exe) and Resource Monitor (accessible through the Resource Monitor button on the Performance table of Task Manager).

In the past, poor interactive response time of a system, or complete “locking up” of a system, was not necessarily accompanied by high processor usage, but high processor usage usually indicated that a system was slow to respond or locked up. Disk I/O is usually the primary performance bottleneck in a system because disks are the component that includes the mechanical limitations of physical disk access. Response time can be viewed in the Disk Activity panel of the Disk tab of Resource Monitor, or measured by Avg. Disk sec/Read and Avg. Disk sec/Write in Performance Monitor. Be sure to get the “seconds” in the numerator when you select counters—there are several counters that are very similar.

When we use SSDs, this changes. The biggest bottleneck is reduced or removed, the computer can process much more information per second, and therefore processor usage goes up—often to 100%. I have seen systems that were running at either 0% or 100% with no in between. After eliminating all other potential problems, I began to realize that this high processor usage was good rather than bad, and was seldom accompanied by the “locking up” of a system—other activities could run or continue to run and receive a reasonable share of the system’s “time slices”.

The takeaway is that if you have a system with SSDs and there is 100% processor usage but things seem to be working fine, everything is probably OK and is likely to be a desirable status.

PRTG – Exception from HRESULT: 0x8024402C

Sensor

Windows Update (PowerShell)

Problem/Error Message

Exception from HRESULT: 0x8024402C

Cause

If the monitored server has a bad DNS address you will receive this error.

Resolution

Ensure that all DNS addresses used on the monitored server are valid.

You may alternatively/also receive:

Timeout caused by wait for mutex (code: PE035)

How to upgrade the firmware on a Sennheiser OfficeRunner headset

It can sometimes be difficult to figure out how to update your firmware when working with a Sennheiser OfficeRunner headset but it’s really quite simple once you know the steps.

  1. Plug the headset base into your computer using a USB cable.
  2. Download and install the Sennheiser HeadSetup software.
  3. Right-click the new HeadSetup tray icon and select Open
  4. Click the Updates tab
  5. Click the Check for update button.

That’s it!