@scottalanmiller said in Help Sorting out a Firewall Issue:
Are you sure that the firewall is the issue?
@scottalanmiller Yea, using "Windows Firewall with advanced security" on Client. Turning it off on client solves the issue, but that's not a solution I'm comfortable deploying across the entire domain.
Hey guys, hope everyone is doing well.
I'm trying to troubleshoot a firewall issue I'm having between a server and a client.
This is to due with 'Asset Discovery' which the server will perform a TCP handshake with the client, and then hop ports to a random port to collect information about that machine, or at least that's how I understand it.
I'm watching the traffic hit the client on 135, two way TCP traffic on 135, and then a swap of ports to a random port, let's say 63595 incoming to the client from the server, so I'm assuming the handshake went swimmingly. Problem is, as soon as traffic on 63595 is hitting the client from the server, the connection times out.
I'm not well-versed in firewall configurations, and would love some help on the matter.
To troubleshoot, I've taken down the domain level firewall profile on the server temporarily. I've enabled the Windows Management Instrumentation (DCOM-In) Local Port 135 TCP and Remote Port ANY on the client.
After that wasn't cutting it, I added an outbound rule for Local Port 135 and Remote Port ANY on the client, and even swapped those two values to be sure I wasn't getting it backwards.
I'm not having any luck.
I'm still trying to read more to get a "warm and fuzzy" for Firewall configs, but am finding myself struggling to grasp Inbound Local and Remote vs Outbound Local and Remote.
Also, I've triple checked the DNS records and the forward & reverse pointer is there and the IP of the client is static.
Any help would be appreciated.
@black3dynamite said in What Are You Doing Right Now:
Finished upgrading one of my home computers to Windows 11.
How is it? Windows has started prompting me on my home computer to turn on TPM 2.0 or upgrade my mobo. I saw a few videos on it months ago, wondering if it's a "I'll wait until they get the bugs out" or a "oh I need this now" kinda situation.
https://mangolassi.it/post/413461
Oh look, G I Jones, I remember that guy.
Anyway, this is adding a network printer... I don't think this helps at all to be honest. Did you misread the post? Am I missing something?
So I'm learning to code powershell and I'm playing around with writing my own script to target and delete network xerox printers and printer drivers from a machine locally. I'm having issues where when I run the following scripts:
PS C:\Windows\System32> Get-Printer | where{$_.Name -like "*Xerox*"} | Remove-Printer
&
PS C:\Windows\System32> Get-PrinterDriver | where{$_.Name -like "*Xerox*"} | Remove-PrinterDriver
The scripts work, as Get-Printer, Get-PrinterDriver verify that they no longer exist, but they still show up greyed-out in Control Panel>Devices and Printers. (rebooting machine doesn't make them go away either).
A bit of trial and error to be sure I couldn't figure it out before I asked you all was to additionally delete any match to "Xerox" in registry, and a complete removal of all files in the following directories:
C:\Windows\System32\Spool\Servers\*
C:\Windows\System32\Spool\Drivers\x64\*
C:\Windows\System32\Spool\Printers\*
C:\Windows\System32\DriverStore\FileRepository\*Xerox*
I'm obviously looking for a way to streamline this process, so without opening Control Panel via GUI, and manually deleting them, I'd like to do it with script. This isn't a request for a script however, but a request for information regarding the location of these objects, or any experience in regards to deleting them.
@dashrender said in Microsoft Printer Vulnerability - FYI:
You had to what? Reinstall all drivers even for printers that were already installed?
Glad I haven’t seen that hit me!
Oh yeah. It was a "oh today is going to be fun" moment. Initially I thought, because I had recently migrated to Serve 2019 for my print server, that I had messed something up. Just a coincidence though. One might argue that since I was using v3 drivers, I did in fact mess something up, but I remember having issue with them previously, and took to Xerox Tech Support to ensure I was using the drivers they recommend for the new build. Not to mention, some manufacturers don't even supply V4 drivers yet, and some OS's don't like em, from what I'm reading.
I don't often mess with the print server, it's just one of those things you set up initially and only ever look at when something isn't working right. Seems like each time I do have to, it's a whole day of learning. In this instance, I'll be learning about V4 drivers.
V4 drivers loaded on the Print Server have corrected this issue for the most part so far. I'm still reading into the "PrintNightmare" vulnerability though. Doesn't seem like Microsoft really has a handle on it yet.
Would disable the UAC prompt, but unless you're forcing connections to only trusted print servers, it simply reopens you to be vulnerable.
I would think even then, you're open. Print-serv gets hit, and now it's pushing driver updates out willy-nilly that aren't driver updates. Or is that not a thing? I know a mile wide and an inch deep about Security.
So this update happened:
Literally have to remote in and UAC admin credentials to install printers for each user, or print drivers for already added printers on client machines, unless you want to change the registry or a few other work-arounds that make you vulnerable.
I really hope this isn't permanent.
Microsoft: "This change may impact Windows print clients in scenarios where non-elevated users were previously able to add or update printers. However, we strongly believe that the security risk justifies this change. While not recommended, customers can manually disable this mitigation with a registry key, which is outlined in the following KB Article:
KB5005652 How to manage new Point and Print default driver installation behavior
Disabling this mitigation will expose your environment to the publicly known vulnerabilities in the Windows Print Spooler service and we recommend administrators assess their security needs before assuming this risk."
source: https://msrc-blog.microsoft.com/2021/08/10/point-and-print-default-behavior-change
EDIT: V4 drivers seem to remedy this so far. I have more reading to do on the matter though, still not sure if v4 is just a workaround or if they are still susceptible to whatever vulnerability they mentioned.
Also to make @scottalanmiller haooy change the title away from Build a pc. Since you only mean setup windows.
Ah. I see the disconnect here. I was really wondering why you would assume OS setup wasn't part of the job, but seeing now that I must've titled with the word "build" which threw you off a bit. That's on me. To be fair though, the computer has probably been gutted, so maybe build would apply? At any rate, that's on me.
@scottalanmiller said in New hire, make him SET-UP his own pc?:
Likewise, we try to have brand new laptops (or desktops when it applies), running the latest software ready to go with all the accounts set up (email, chat, etc.) and people ready to greet the new hire as soon as they get online. We ship them a brand new desk phone and, when possible, have IT from their city deliver everything and make sure that they are up and running well at home.
We can't always do that, in fact really often we can't (COVID plays a big part in that, though), but we try because it really feels like you are part of a solid organization when someone shows up and delivers you a brand new, kick ass setup for your home office.
I'm struggling with time right now myself. My boss took a whole vacation, so my plate is full. With that being said, and after having read some of the replies, I'm going to give him a already working setup I have as a spare (might need some updates), and let his first departmental task to be SETTING UP (maybe install some RAM, and a HDD or whatever too, because I'm pretty sure that machine got gutted) the machine in question.
I still feel pretty strongly that this would be an appropriate task to help see where he's at. This will strengthen my approach to teaching as I can identify his weak areas and address them head-on. The process is already documented so that's also a factor to be evaluated as others have mentioned, and this will hopefully give him the -as we said in the military- "warm and fuzzy", and I hope wash away that imposter syndrome that's so common in the tech industry.
Have you written about that? Imposture syndrome in tech? Seems like something you'd write about, or at least make mention of.
@jaredbusch said in New hire, make him build his own pc?:
@mr-jones is part of his job to deal with OS setup? If not this just stupid waste of time.
Absolutely. Since his background isn't in Windows, setting up and configuring Windows is something he'd need to know.
@scottalanmiller said in New hire, make him build his own pc?:
I try hard to have a nice, new computer fully installed, updated, and ready to go on day one for new hires if possible. It makes us look professional and competent from an IT perspective. Like we are happy to have them on the team and want them productive and successful. It makes them feel better about their job both that they are wanted and that they chose a good place to work. We want to impress them.
We also want them focused on their jobs and learning. They have plenty to learn that they can't know before we hire them like our ticketing system, documentation, email, chat, phones, who is who in the hierarchy, and so forth. I don't want them distracted from getting up to speed.
@scottalanmiller Appreciate the input. One of my biggest reasons for asking this question was because I felt that it wouldn't be recieved well. As you've outlined, it could give them the impression they weren't valued, and that's not the impact I would be looking for.
As the title suggests, I'm getting a new hire for my department. He's got an unrelated bachelors, but has taken some computer science classes in the process and has some background at Geek Squad.
We have an HP Z440 workstation sitting on the shelf, that I was about to configure for him, but I had the idea of "why don't I just make him figure it out" as I remembered that I had a hiccup with it myself a ways back, before I knew the difference between a desktop and a workstation.
My intent wouldn't be hazing, but more of "you should be able to troubleshoot your own pc at the bare minimum" as I've been in the situation myself where I had tickets coming in, and I still had to figure out how to re-image my workstation and get it up and running in a hurry.
I'm a veteran (infantry) and this is the soldier equivalent to "knowing your rifle" I feel, but sometimes these mindsets don't translate well to the civilian sector, so this is an moral sense test if you will.
What do you guys think? Is this unneccessary, cruel, or half-brained?
@gjacobse said in Windows 10 Network Icon / Networking help:
It just dawned on me, but this may not help you in the least.
The 'Globe' icon only means that it can't see some MS defined Internet based service... IIRC. While working with the 911 system, we had networking. Devices were set to a Static IP address and were pingable, search able, and could be remoted with the software used (sadly I don't recall).
That said - It was an isolated network. You could not ever get to Google, MS or other - as it was a secure / limited network. It was
only used for 911 calls!It's possible that yes, it's a problem in the config,.. but it could also be that you have
networkingbut notinternetaccess.
Yes, one of my earlier lessons dealing with blacklisting web access to student machines was to always whitelist "msftncsi.com" or I get calls from teachers saying there's the "no internet globe", even though I've just blacklisted everything except the requested sites they use.
Is the AP using the same network range as the rest of the network?
@scottalanmiller It's a different VLAN. As there are two AP's on this VLAN, I've confirmed that at least the few other clients that I tried with Wireless NIC's on these two AP's work with this setup.
Going to try to dive in today unless something pressing comes up. Gotta make time to learn.
@dashrender said in Windows 10 Network Icon / Networking help:
yeah, let's compare your ipconfig output and see what differences there are.
@travisdh1 If memory serves, It's "media disconnected" and it pulls APIPA, with no ability to ping any DC/DNS Server, AP, or outside addresses, but due to the nature of this issue I'll have to be physically present at the machine. I'll try to knock this out today.
@dashrender said in Windows 10 Network Icon / Networking help:
@mr-jones said in Windows 10 Network Icon / Networking help:
I have a client machine at my job that I've set a DHCP reservation for, and then set the NIC on the client machine statically to the reserved IP address to match the reservation.
Why? The whole point of a static reservation is so you don't set the the endpoint with a static IP.
@dashrender I'm laughing because I wrote out a section explaining why I would try this specifically for you as I knew your first response would be "But why". But I took it out before I posted for whatever reason. It all just boiled down to shits n giggles. Obviously it wouldn't be a best practice, but in this case I don't see why it wouldn't work, and I want to understand what I'm missing.
This is not a big deal and I'm really just curious to understand it as I advance my networking skills a bit.
I have a client machine at my job that I've set a DHCP reservation for, and then set the NIC on the client machine statically to the reserved IP address to match the reservation. On this Win10 client, using it's WiFi capabilities, the NIC in the taskbar shows the "offline" globe, and has no connection (I've tested), unless I set the NIC to Dynamic, at which point everything works as intended.
Overall I'm guessing it's a WAP or NIC issue, as other clients on domain with similar setup work fine, but I'd still like an explanation from someone who can tell me the intricacies of why or how this might be happening.
@dbeato said in Outlook Calendar Security Group Permissions:
@mr-jones I was going to say I have a script that does change the Default Permisisons to all users
https://github.com/dbeato/scripts/blob/master/Office 365/Update-Default-Permissions.ps1
But It might come down to having the users added either via script or manually to that group you want and then applying the permissions. However Microsoft Exchange has been cumbersome to apply permissions by groups. I would recommend to do it by user instead.
Yea it does sound like that might end up being the case. I'll poke at it some more, as I'm not quite ready to give up on it. Thanks for the reply.