Posts

#Syspeace stops due to license server inaccessable on #Windows Server 2003 #infosec

Syspeace service stops due to license server not reachable / inaccessibility on Windows Server 2003

We’ll actually update the troubleshooting section with info for Windows 2003 Servers but here’s why this can occur.

Apparently root certificates are not automatically updated on Windows Server 2003:

http://support.microsoft.com/kb/931125

The automatic root update mechanism is enabled on Windows Server 2008 and later versions, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partly. (This is the same as the support on Windows XP.) And because the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.

If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs grows significantly and may become too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000.

This can be resolved for Syspeace by manually installing the gd-class2-root.crt certificate from this page: https://certs.godaddy.com/anonymous/repository.pki

Using Syspeace also for internal protection and access reporting.

Using Syspeace for internal server protection

Most Syspeace users have the software in place to protect them from mainly from external threats from the Internet such as hacking attempts via bruteforce attacks and dictionary attacks.

Quite often, the internal netowrk ranges are excluded in the local whitelist by sysadmins , thus never blocking anything from those IP addresses or network ranges.

Some of our customers though have also discovered Syspeace to be an excellent tool to keep track of failed internal logins and those might actualy be important to keep track of.

If you’re not keeping track of internal failed login attempts, it might be hard to spot for instance a virus/trojan infected PC on your network that tries to login to every PC and server that is available or if a user is trying to access servers or assets they’re not supposed to. With Syspeace, the attack is automatically blocked, reported and and the sysadmin is alerted that something’s going on.

There can be downsides to not excluding internal IP ranges since there is a risk of for instance blocking a server from communicating with another but if you’re vigilant and think these things through, it’s mostly an administrative task to remember that yov’ve got Syspeace when you’ve changeed an administrators password or whatever.

Creating reports on user logins

Another great feature of Syspeace is the reporting section that enables for sysadmins to create reports and staistics about user logins such as when, from where and even hof often from that locationc they’ve actually been logged in.

For instance, if a user claims to have been working from home in July, it’s quite easy for a sysadmin to actually verify this using the Access Reports section to create .csv files with statistics.
Now, if the IP address for instance originates from Spain and your company is located only in Sweden…

If you’re using a Windows Server-based Cloud Service for instance, it might be difficult for you to get hold of such information, even if you ask for it.

Howerver, if your cloud Service provider is running Syspeace to protect you and other customers it’s a walk in the park for the provider to get you that infomation if you need it for some reason.

Syspeace stores failed and successful login in a local database so even the Windows securiy eventlog is cleared , the information can still be obtained by Syspeace.

Download a free, fully functional trial at / and have your Windows, Citrix, RDS, Sharepoint, Exchange, OWA, RDWEB, SQL servers and more instantly protected from hacking attempts.

By Juha Jurvanen

Syspeace logo

Syspeace – Intrusion prevention for Windows Servers