user5870571's questions

A recent vulnerability scan states that a server running Windows 2012 R2 IIS 8.5 has an open proxy.

I cannot find anything in the web.config file or any information in IIS 8.5 that leads me to believe there is a proxy.

The response from Nexpose is below.

HTTP HEAD request to http://www.google.com/

HTTP response code was an expected 200
1: ...=2018-02-24-03; expires=Mon, 26-Mar-2018 03:38:51 GMT; path=/; doma...

HTTP header 'Set-Cookie' was present and matched expectation

I tried to telnet to my server on 3128 and the connection was refused. Is this a false positive in Nexpose?

If I telnet to the server on 80 I receive this message.

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Connection: close
Content-Length: 326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>

So this will probably be the opposite of what most people have asked. An Internet search certainly appears to support that.

I have AD users that have logon hour restrictions. I want these logon hour restrictions to also apply to network logons (specifically to OWA and ActiveSync).

So if a user is not allowed to logon after 7pm on Monday, and they have an ActiveSync session created at 6:30pm on Monday, at 7pm I need that ActiveSync session removed.

Unfortunately, testing this with a user has shown that they are very able to still send and receive email on the cell phone.

I need to know why this is not working and how to fix this.

The cell phone is an Android and the Exchange server is Exchange 2010.

Any ideas would be greatly appreciated.

Update 1: I have also enabled Network security: Force logoff when logon hours expire in Group Policy. Yes, I enabled it in the Default Domain Policy as directed by Microsoft. I ran gupdate /force on the DC and on the Exchange server. The user is still able to send and receive emails.

I have inherited an iSCSI configuration that was set as Read10/Write10. That would be okay, but the need right now is to expand the existing volumes using space from an additional disk array that has been joined to the existing array group.

That has been done. I have also expanded the volumes. I was hoping to convert the disks to GPT but interestingly I think I am running into this error. https://blogs.technet.microsoft.com/askcore/2010/02/18/understanding-the-2-tb-limit-in-windows-storage/

I have done some preliminary Googleing but have not come across a definitive answer on if there is a way to convert Read10/Write10 to Read16/Write16 without data loss or needing to restore from a backup. If there is, does anyone know the process to make that change with an iSCSI target running Windows Server 2012 R2 and Dell Equallogic PS6100 disk array?

We recently added a second iSCSI disk array to an existing disk array group. This added 6TB to our pool. In the pool we have 3 volumes. I added 2TB of free space to each of the 3 volumes.

If I login to one of the servers with the iSCSI targets configured I see C:\ClusterStorage. In that directory we have Volume1, Volume2, and Volume3.

Under the Size column each shows the old capacity (1.5 TB) instead of 3.5TB.

I have already allocated the 2TB to each volume in the Dell Equal Logic Group Manager and confirmed the capacity is 3.5TB.

Is there anything I need to do for the servers attached to the iSCSI volumes to identify the correct Volume capacities?

Operating System - Windows 2008 R2 Service Pack - Service Pack 1 IP Address - 10.50.1.111 Subnet Mask - 255.255.255.0 Gateway - 10.50.1.1 DNS Server - 10.50.1.90

Other servers are using 10.50.1.90 as their DNS server and are not having any problems. This tells me that the problem is not with the DNS server.

I can ping 10.50.1.90.

The firewall is disabled.

If I run nslookup and query the name of 10.50.1.90 (OfficeDC1.office.org) it says, "*** [10.50.1.90] can't find OfficeDC1".

If I run nslookup and change the server to 8.8.8.8 and query google.com it says, "*** [8.8.8.8] can't find google.com: No response from server".

Any thoughts?

We have a Microsoft Access 2010 database (ACCDB).

This ACCDB file is just a front end to a Microsoft SQL Server 2008 database.

Authentication to the database is accomplished by Windows integrated authentication.

I have created a System DSN on the workstation. In the ODBC connection window, I select APP1 for the server name and am able to pick the database (for our purposes we will call it test) from the drop down list and when I am done choosing options I test the connection (the test works).

I have gone into SQL and confirmed that the user has permissions to login to the database with their windows username.

When that user (or other user) tries to login they get the error ODBC--connection to 'systemDSN' failed.

I have opened the ACCDB file and opened the Linked Table Manager. It shows that all dbos are pointing the the same DSN name I entered on the computer.

Is there something very simple I am missing? Any ideas?

I have checked the Application and Security logs on the workstation and the SQL server and didn't see anything for the login attempts.

Update 1:

If we add the system dsn in the 32-bit version of ODBC we get a different error. The error we get is Invalid use of Null but each field has something in it.

If we change the system dsn in the 64-bit version of ODBC to a user dsn we also get the Invalid use of Null error.

I am working on migrating an on premise Exchange 2010 server to Office365 Exchange Online.

I am doing a cutover migration as we have less than 100 mailboxes and the cutover is going to happen in a few days.

When I create the migration endpoint, it fails. I then went to https://testconnectivity.microsoft.com and ran the Microsoft Office Outlook Connectivity Tests by choosing Outlook Connectivity (Autodiscover is not setup for this server). The test shows that everything passes except the last part. The part that fails is "Testing the MAPI Mail Store endpoint on the Exchange server" but it doesn't give much information about why it failed.

I tried disabling and re-enabling Outlook Anywhere but it does not work.

I have an existing network. It looks like this.

Router LAN (192.168.0.1 /24) -> Switch (192.168.0.10 /24) -> Workstations (192.168.0.100 - 192.168.0.200 /24)

Our network has expanded and I need to have more hosts available.

The simplest way to do this is to change the router's inside interface subnet (/24) to a supernet (/23).

This will give me 192.168.0.0-192.168.1.254 instead of just 192.168.0.0-192.168.0.254.

That is exactly what I want.

My question is do I need to adjust the subnet masks on hosts on either the 192.168.0.0 /24 network or 192.168.1.0 /24 network or should they continue to work having only changed the subnet mask on the inside interface of the router?

The reason I'm confused is 192.168.0.0 /24 and 192.168.1.0 /24 are both part of 192.168.0.0 /23 so in my mind there is not a need to change the subnet masks of hosts in those smaller networks but having made the subnet mask change only to the inside interface of the router I am not able to communicate with a host with the static IP address 192.168.1.40.

Finally, I would like to know if I need to change the subnet mask on the hosts, the switches, or both.

matiu asked the question of how they can do port forwarding for a single source IP address. You can read the original question here.

I provided the following commands as an answer. I based my answer on research of firewalld commands and my existing knowledge of port forwarding with Cisco routers. I realize Cisco is a completely different platform than firewalld but I suspected the concept of an ACL and then NAT would be similar enough for my answer to work. Based on matiu's feedback that was wrong.

Can anyone explain why the firewalld commands below does not result in only source IP address 1.2.3.4 being allowed to pass the firewall and then be port forwarded from TCP 22 to TCP 5678?

firewall-cmd --permanent --zone=public --add-rich-rule="rule 
family="ipv4" \
source address="1.2.3.4/32" \
port protocol="tcp" port="22" accept"
firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toport=5678:toaddr=*private translated IP address*
firewall-cmd --reload

Does anyone have an example of how to script (preferably as a batch file) to set ACLs on multiple printers installed on multiple servers? I searched Google and found some examples of settings ACLs on a single printer but not for multiple printers on multiple servers.

If no one has any available solutions I will write something from scratch but if I don't have to reinvent the wheel great!

I have a number of remote users who are issued mobile broadband devices from one of two mobile broadband providers.

These users connect to mobile broadband and then create a VPN connection to the main office and then initiate an RDP connection to a server located in the main office.

A handful of remote users who try to connect to the main office using one mobile broadband provider are able to create the VPN but when they try to connect to the RDP server the connection times out.

I changed the client RDP settings for low bandwidth and the RDP connection still fails.

Does anyone have any ideas on what is causing the RDP connection to fail even though the VPN connection succeeds? It seems like remote users who have this problem are only users with one mobile broadband provider while mobile broadband users of the other provider are able to connect to the VPN and RDP server.

Edit: I could be wrong in that it may be users of both mobile broadband providers have problems connecting to the RDP server after they are logged into the VPN. I have only witnessed the error happen with users of one of the mobile broadband providers though. I can say that users connected remotely not using the mobile broadband devices do not have any problems connecting to the VPN or RDP server.

I have three servers.

• Server 1 - Print Server, Windows Server 2008 Standard
• Server 2 - Domain Controller, Windows Server 2008 R2 Standard
• Server 3 - Terminal Services Server, Windows Server 2008 R2 Standard

On Server 1 I have 5 printers installed. All printers are TCP/IP printers. One printer should be restricted so that only members of a specified AD group are able to print to it. Therefore, in Print Management, in the Security tab for the restricted printer the AD Security Group RESTRICTED Printers - Authorized Domain Users is given the Print Allow permission. The default Everyone group which has the Print Allow permission has been removed.

The only member of the RESTRICTED Printers - Authorized Domain Users is Domain\TestAllowed.

All 5 printers are installed on Server 3 through a GPO on Server 2 which automatically adds the printers. This works correctly.

I then login to Server 3 as Domain\TestProhibited and try to print to the restricted printer and the page prints.

Why does the page print and what do I need to do to ensure that only members of RESTRICTED Printers - Authorized Domain Users are able to print to the restricted printer?

I have already read (and confirmed that I configured the ACL correctly) Microsoft's TechNet page on setting permissions for print servers.

I went so far as to explicitly deny the Print permission for Domain\TestProhibited on the restricted printer on Server 1. I logged out of Server 3, logged back in, and Domain\TestProhibited was still able to print to the restricted printer.