Issue with invalid access to Win 2016 server

  • Question

  • Hi,
    Can you help with the issue below (on Win 2016 server), after I've put in the relevant remote IP address?


    Many Thanks & Best Regards, Jackson Chen

    Thursday, September 24, 2020 8:54 AM

All replies

  • Dear all,
    Any help?

    Many Thanks & Best Regards, Jackson Chen

    Monday, September 28, 2020 9:51 AM
  • For local IP address, you selected "These IP addresses",  but you did not enter any address.

    We can't see what is entered for Remote IP addresses because of the message box. Did you enter the IP address?   

    • Marked as answer by Jackson_1990 Tuesday, September 29, 2020 2:53 AM
    • Unmarked as answer by Jackson_1990 Friday, October 9, 2020 1:48 AM
    Monday, September 28, 2020 12:16 PM
  • Yes, I already input remote IP addresses in above.

    Many Thanks & Best Regards, Jackson Chen

    Monday, September 28, 2020 1:07 PM
  • Yes, I already input remote IP addresses in above.
    Read the first sentence of my previous reply. 
    Monday, September 28, 2020 7:07 PM
  • Good day Moto,

    I still see relevant invalid access below, even if I've enabled the rule you suggested to disallow the IP range like 60.1.1.1 to 60.255.255.255, and 37.1.1.1 to 37.255.255.255?

    2020-10-07 06:32:13	spameri@??.??	spameri@??.??	60.?.?.?	127.0.0.1	SMTP	?	530	0
    2020-10-07 13:03:21	spameri@??.??	spameri@??.??	37.?.?.?	127.0.0.1	SMTP	?	530	0
    


    Many Thanks & Best Regards, Jackson Chen

    Friday, October 9, 2020 1:49 AM
  • There are many sites that provide instructions on how to block IP ranges and ports. Try following those instructions.

    https://www.bing.com/search?q=windows%20server%20firewall%20rule%20block%20ip%20range%20&qs=n&form=QBRE&sp=-1&pq=windows%20server%20firewall%20rule%20block%20ip%20range%20

    Friday, October 9, 2020 7:00 PM
  • Hi,

    I did apply relevant rule per what we discussed in above. Why was there invalid access below?

    2020-10-07 06:32:13	spameri@??.??	spameri@??.??	60.?.?.?	127.0.0.1	SMTP	?	530	0
    2020-10-07 13:03:21	spameri@??.??	spameri@??.??	37.?.?.?	127.0.0.1	SMTP	?	530	0
    Please note that I've already Blocked the connection regarding the IP range like 60.1.1.1 to 60.255.255.255, and 37.1.1.1 to 37.255.255.255.


    Many Thanks & Best Regards, Jackson Chen


    • Edited by Jackson_1990 Saturday, October 10, 2020 12:15 PM
    Saturday, October 10, 2020 12:11 PM
  • I have no idea what your problem is. If you defined the rule properly then the access should have been blocked. But I can't see EVERYTHING that you have installed and configured on your server and your network. You're asking me to look into my magic crystal ball and tell you what is wrong. That is simply not possible.

    I believe that in another post I suggested that you use CanYouSeeMe.org or another test workstation and write a rule to block those systems and test to verify that they are in fact being blocked. If your rule does not block your test machine, then you have something else installed or configured on your server that is allowing the access. 

    As I replied in my prior post, there are many sites that provide instructions on how to block IP ranges and ports. Those sites have images that show users what to enter. Try following those instructions.

    If you can't figure it out, and it's a critical issue, then go hire a local security consultant who can sit down in front of the server with you and review your software and configuration.    

    Saturday, October 10, 2020 12:44 PM
  • Hi,
    Please see the rule already created and applied within the server.


    Many Thanks & Best Regards, Jackson Chen

    Saturday, October 10, 2020 3:18 PM
  • Verify that the firewall is active for domain, private and public profiles, and is set to block inbound connections that do not match a rule and to log dropped packets.

    Change the firewall rule to block all access from a test workstation. Then log on to that test machine and try to access the server with PowerShell.

    Test-NetConnection -ComputerName yourservername -CommonTCPPort SMB
    Test-NetConnection -ComputerName yourservername -CommonTCPPort HTTP
    Test-NetConnection -ComputerName yourservername -Port 25


    Back on the server, open an admin command prompt and run this command to display the firewall log. 

    type C:\Windows\System32\LogFiles\Firewall\pfirewall.log

    Do you see DROP entries like this? (With your IP addresses.)

    2020-10-10 12:59:20 DROP TCP 192.168.1.6 192.168.1.3 43418 21 60 S 529574239 0 65535 - - - RECEIVE
    2020-10-10 12:59:20 DROP TCP 192.168.1.6 192.168.1.3 49151 80 60 S 586552964 0 65535 - - - RECEIVE
    2020-10-10 12:59:20 DROP TCP 192.168.1.6 192.168.1.3 41953 135 60 S 2685119102 0 65535 - - - RECEIVE
    

     
    Saturday, October 10, 2020 5:15 PM
  • Hi,

    Can you see issue below?

    C:\Users\Administrator>type C:\Windows\System32\LogFiles\Firewall\pfirewall.log
    The system cannot find the file specified.


    Many Thanks & Best Regards, Jackson Chen

    Sunday, October 11, 2020 3:39 PM
  • Look at the yellow highlighted text in the image that I posted. Where is the log on your machine? 

    If "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" is the name in the settings, then the FW is not logging anything. Do you see any files in the folder?

    Do you have other software installed, like McAfee, that implements its own firewall and disables the Windows firewall?

     
    Sunday, October 11, 2020 4:11 PM
  • Hi,
    Yes, I see the relevant Log file below

    but I cannot find pfirewall.log when I search the whole server.

    Many Thanks & Best Regards, Jackson Chen

    Monday, October 12, 2020 12:56 AM
  • I highlighted 3 items in the image that I posted. 

    And this.

    Verify that the firewall is active for domain, private and public profiles, and is set to block inbound connections that do not match a rule and to log dropped packets

    Did you run the test-netconnection commands? Did they connect or fail? 

    • Edited by MotoX80 Monday, October 12, 2020 1:10 PM
    Monday, October 12, 2020 1:04 PM
  • Hi,
    I don't see other files within "C:\Windows\System32\LogFiles\Firewall".

    There is no Anti-virus software to disable Firewall. Relevant rules of Firewall are active and working.

    Please see relevant testing result from client machine using Powershell:

    PS C:\WINDOWS\system32> Test-NetConnection -ComputerName 1?.?.?.?20 -CommonTCPPort SMB


    ComputerName     : 1?.?.?.?20
    RemoteAddress    : 1?.?.?.?20
    RemotePort       : 445
    InterfaceAlias   : Ethernet
    SourceAddress    : ?.?.?.11
    TcpTestSucceeded : True
    
    
    
    PS C:\WINDOWS\system32> Test-NetConnection -ComputerName 1?.?.?.?20 -CommonTCPPort HTTP
    
    
    ComputerName     : 1?.?.?.?20
    RemoteAddress    : 1?.?.?.?20
    RemotePort       : 80
    InterfaceAlias   : Ethernet
    SourceAddress    : ?.?.?.11
    TcpTestSucceeded : True
    
    
    
    PS C:\WINDOWS\system32> Test-NetConnection -ComputerName 1?.?.?.?20 -Port 25
    WARNING: TCP connect to (1?.?.?.?20 : 25) failed
    
    
    ComputerName           : 1?.?.?.?20
    RemoteAddress          : 1?.?.?.?20
    RemotePort             : 25
    InterfaceAlias         : Ethernet
    SourceAddress          : ?.?.?.11
    PingSucceeded          : True
    PingReplyDetails (RTT) : 1 ms
    TcpTestSucceeded       : False
    
    
    
    PS C:\WINDOWS\system32>
    


    Many Thanks & Best Regards, Jackson Chen

    Monday, October 12, 2020 3:18 PM
  • So did you turn on logging? Do you see an entry for -ComputerName 1?.?.?.?20 -Port 25?  
    Monday, October 12, 2020 11:47 PM
  • Hi,

    How to enable Firewall log now?


    Many Thanks & Best Regards, Jackson Chen

    Tuesday, October 13, 2020 4:25 AM
  • How to enable Firewall log now?


    Log dropped packets. Ensure that is set on all 3 profiles.


    Tuesday, October 13, 2020 1:30 PM
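
Added example, not part of any poster's reply: one way to do from PowerShell what the replies above describe in the GUI, that is, check the three profiles, turn on "Log dropped packets" for all of them, and then look for DROP entries from the test workstation. It assumes an elevated session on the server, that all profiles write to the same log file (the default), and uses `192.168.1.6` from the sample log lines above as a placeholder for the test machine's address.

```powershell
# Added example; run in an elevated PowerShell session on the server.
# Uses the built-in NetSecurity cmdlets (Get-/Set-NetFirewallProfile).

# 1. Current state of each profile: is it on, what happens to unmatched
#    inbound traffic, and is anything being logged?
Get-NetFirewallProfile -Profile Domain, Private, Public |
    Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogAllowed, LogFileName

# 2. Turn on "Log dropped packets" for all three profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True

# 3. Resolve the path the firewall is configured to write to. The setting is
#    stored with an environment variable (%systemroot%\...), so expand it.
#    Assumption: all profiles share one log file, as they do by default.
$logPath = [Environment]::ExpandEnvironmentVariables(
    (Get-NetFirewallProfile -Profile Public).LogFileName)

# 4. After re-running the Test-NetConnection checks from the test machine,
#    list the DROP entries that came from its address.
$testClient = '192.168.1.6'   # placeholder: address of the test workstation

if (Test-Path $logPath) {
    Get-Content $logPath |
        Where-Object { $_ -match '^\S+ \S+ DROP ' } |
        ForEach-Object {
            # Fields: date time action protocol src-ip dst-ip src-port dst-port ...
            $f = $_ -split ' '
            [pscustomobject]@{
                Time     = "$($f[0]) $($f[1])"
                Protocol = $f[3]
                SrcIp    = $f[4]
                DstIp    = $f[5]
                DstPort  = $f[7]
            }
        } |
        Where-Object SrcIp -eq $testClient |
        Format-Table -AutoSize
}
else {
    Write-Warning "No log file at $logPath yet. Either nothing has been dropped since logging was enabled, or the firewall is not the component handling the traffic."
}
```

If step 4 shows no DROP line for a port that `Test-NetConnection` reports as `TcpTestSucceeded : True`, the block rule is not matching that traffic.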
  • Thanks.

    How to adjust my setting below?


    Many Thanks & Best Regards, Jackson Chen

    Tuesday, October 13, 2020 2:41 PM
  • Do it for all 3 profiles.

    Tuesday, October 13, 2020 4:10 PM
  • Hi,
    How to get into Windows Defender Firewall with Advanced security?

    Many Thanks & Best Regards, Jackson Chen

    Thursday, October 15, 2020 6:35 AM
  • Hi,
    How to get into Windows Defender Firewall with Advanced security?

    C:\Windows\System32\WF.msc
    Thursday, October 15, 2020 11:25 PM
  • Hi,
    Which is the option to enable trace of log below?


    Many Thanks & Best Regards, Jackson Chen

    Friday, October 16, 2020 1:43 AM
  • I do not understand the question. Are you referring to my "Do it for all 3 profiles" reply? Were you unable to set "Logged dropped packets" to Yes?

    Friday, October 16, 2020 1:16 PM
  • Hi,
    Are you referring to Windows 2008 server, right? I noticed that I am not having "Windows Defender ..." like yours. This is the difference I can see between you and me.


    Many Thanks & Best Regards, Jackson Chen

    Saturday, October 17, 2020 3:46 PM
  • My images are from my Win10 Home laptop. There might be some minor differences from a Win2016 Server, but for the most part it's still the Windows Firewall. 

    If my instructions are not clear or the screen images look nothing like yours, you can always use Google to search for "Windows 2016 server configure firewall to log dropped packets" or really anything like that. 

    Saturday, October 17, 2020 4:41 PM