Run a portqry on ports 1024 and 1025 from the host to your DCs and from the 
server to the workstation to see if you get blocked responses.
 
I have seen it where firewall and router jockeys like to block these ports 
because they are "known ports that viruses use".  The problem is the MS RPC 
service hits them first before dynamically selecting a higher port.
 
Todd Myrick

________________________________

From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Fri 3/10/2006 2:07 AM
To: [email protected]
Subject: RE: [ActiveDir] OT: Netlogon Service


For all we know, someone did exactly what you did (connect remotely using 
administrative credentials) and disabled the services.
 
Do you have logon auditing enabled? If so, have you checked to see who's logged 
onto the machine?
 
Cheers
Ken

________________________________

From: [EMAIL PROTECTED] on behalf of Aaron Visser
Sent: Fri 3/10/2006 4:47 PM
To: [email protected]
Subject: [ActiveDir] OT: Netlogon Service



Well I know this is a little off topic but I cannot find any answers so I
have decided that I need to tap into this huge fountain of knowledge.

Computer - Win XP Pro SP2 latest Updates

Problem - Computer was working fine and all of a sudden after a reboot today
I can no longer log in to it via the Domain (it says that the NetLogon
Service is not started).  So I logged onto another computer and remotely
connected to the computer thru the Computer Management MMC Snap-In and
checked the Netlogon Service and sure enough it was disabled, so I set it to
Auto and then proceeded to start the Service. But it will not start because
it says that the RPC Locator Service (to the best of my recollection) needs
to be started, so I check that and sure enough it is disabled also.  So I
try to start that service but it gives me some error that I cannot recall at
this time.  Anyways, trying to make this story short, I am pretty sure that
the computer in question was targeted from within the LAN remotely.  So the
big question or questions are: is it possible to attack a computer in this
manner?  If it is possible, does anyone have any info on how to accomplish
this so that I can try and figure out how or what was used and maybe even
nail the person (student) who did this?

Thanks,
Aaron

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
