Roger, you will love this one: I tracked down the problem with ICS going
to Automatic start on a Windows 2000 firewall as being a GPO problem. It
turns out that if you develop a GPO to turn on the Windows Firewall service,
it also turns on Internet Connection Sharing on Windows 2000 computers!!
So the GPO that turns on firewalls on Windows 2003 has the lovely side
effect of turning your Windows 2000 servers (and in this case Windows 2000
firewall) into a proxy server. Now if that doesn't make your eyes,
nostrils, and sides of your lips move in six different directions at once,
nothing will.
I posted about this in the Microsoft group_policy newsgroup, and personally
I think this really bad misfeature has a pretty serious security
implication.
I know how to take care of this for now.
--
Will
"Roger Abell [MVP]" wrote in message
news:u$1A6TKqIHA.5416@TK2MSFTNGP06.phx.gbl...
> "Will" wrote in message
> news:ybWdnclml_MCXonVnZ2dnUVZ_jydnZ2d@giganews.com...
>> "Michael Bednarek" wrote in message
>> news:rbj814h1f1qpti9d057lnufh26qom1qlqm@4ax.com...
>>> On Sat, 26 Apr 2008 17:06:50 -0700, Will wrote in
>>> microsoft.public.security:
>>>
>>> >I have a strange situation on a firewall I need help with. The
>>> >server
>> is
>>> >Windows 2000 running ISA Server 2004. For reasons I cannot determine
>> yet,
>>> >the Internet Connection Sharing (ICS) service keeps getting set to
>>> >Automatic. I set it manually to disable, and I have verified that
>>> >nothing in group policy should be turning it on. A few days go by,
>>> >and
>>> >then I login and see the service set to Automatic, and sometimes turned
>> on.
>>> >I don't believe the other operator of that particular server has enough
>>> >knowledge to make this change, nor do I believe he would be malevant
>> enough
>>> >to do it. So I have a problem.
>>> >
>>> >What is the best method to get an email alert at the moment that:
>>> >
>>> >1) A particular service has its service status changed to Automatic?
>>> >
>>> >2) The service is started?
>>> >
>>> >I assume there is a third party tool that would monitor services and do
>> the
>>> >notification for me. I would appreciate pointers to the best tools of
>> this
>>> >type.
>>>
>>> Write a batch script. Use SC.EXE to query the service, parse its output
>>> with FIND{STR}.EXE, wait/sleep with PING.EXE. Use BLAT.EXE to send the
>>> e-mail. Avoid sending endlessly e-mails either by setting the service to
>>> the desired state, or use logic to send the e-mail only when the state
>>> changes.
>>
>> I would like other things, like the process id that started the service,
>> the
>> user name /security context, name of program running in that process etc.
>>
>> We have programmers who could write this program, or we could go with a
>> script, but I'm trying to find something off the shelf first.
>
> I sort of doubt you are going to find all of that off-the-shelf Will.
> The reason is that you imply reading into the security log, as the
> history of who started / altered the service is not kept by the SCM
> so querying the SCM state will not show process that started etc.
> Also, just how much other than "service xyz entered started state"
> sort of event messages depends on OS version.
> You might want to think about guaranteeing sufficent items are
> logged to event logs, and then have a little monitoring service
> that uses eventing to subscribe to event log messages of interest.
> When a service transitions it could at least snapshot what is
> running on the system.
> Another question: Are you satisfied with the watcher software
> running on the same, watched machine? I mean, if something is
> changing services on you can you trust info frome software that
> is also on that machine and subject to similar changes?
> --
> Roger
