Posted by: Ken Harthun
Here are the answers I promised to yesterday’s post, “Could you pass this LAN Engineer test?”
|Q1. A company believes that a workstation on their network has a worm because everyone’s Internet access is slow and their T1 utilization is high. You only have remote access to their firewall. How would you figure out what traffic on the Internet connection is causing the slowdown, what IP address the traffic is coming from, and how would you prevent that traffic from causing problems until the workstation causing the issue is disabled? Assume that the firewall that is in place is one you are familiar with, and note that information in your response.|
|A1. I had a similar thing happen to one of my clients last year. One PC had been infected with a spam trojan. In this case, it was on a DSL connection and everyone was having major problems accessing the Internet. I had web-based remote administration configured on their 3Com firewall. I logged into it and accessed the traffic log. The log was virtually full of entries showing connection attempts from one internal address to an ever-changing list of external IP addresses on port 25. I created two rules, one denying all traffic from the DHCP range of addresses on port 25, the other allowing traffic on port 25 only from the IP address of the Exchange server. This immediately improved the situation and I was able to get the infected PC cleaned up shortly thereafter.
I would follow a similar procedure on a PIX. I’m not a PIX expert by any means, but I did some research in the Cisco PIX documentation and figured out that I would use “show xlate” to find the IP with a bunch of translations to different IP addresses. Once I found the culprit, I’d create an ACL to block traffic on the port or ports the worm was using. Sticking with my example above, with the client running SBS 2003, I’d go with this configuration: access-list no-spam permit tcp host 10.1.1.2 any eq 25; access-list no-spam deny tcp any any eq 25; access-list no-spam permit ip any any; access-group no-spam in interface inside.
|Q2. Please provide a few lines of a Windows network login script that you have created. Please explain what the script accomplishes.|
|A2. I have gravitated toward doing most of the heavy lifting using AD and GPOs, but one pesky issue seems to always come up with remote users with client VPN connections—network drive mapping. Here’s one that has served me well: NET USE X: /DELETE
NET USE X: \\pdc1\shared\home\
NET USE Y: /DELETE
NET USE Y: \\pdc1\rclient
This deletes any existing mapping, preventing an error message (those always confuse the users), and maps the two drives to the specified folders.
|Q3. A user connects remotely to a Citrix MetaFrame 4.0 server. The user just purchased an HP 1150 Laserjet printer and has it connected locally to their workstation. The server doesn’t have this driver on it. What are 3 different ways you could get the printer to work, and which one would you choose, and why?|
|Q4. A company is assigned the network 18.104.22.168/30 for a T1 to the Internet. The ISP sets the router at 22.214.171.124. The company sets up a workstation at 126.96.36.199 with a default gateway of 188.8.131.52, but can’t get to the Internet. What is the most likely issue?|
|A4. 184.108.40.206 isn’t a valid address. There is only one usable address in a CIDR /30 subnet and that address in this network would be 220.127.116.11. The gateway is OK. 18.104.22.168 would be the broadcast address.|
|Q5. A company has a network with 30 servers and 500 workstations. They are still running a Windows NT domain with a PDC and a single BDC. The company has purchased a new server and 3 licenses of Windows Server 2003. The company operates 24 hours per day and can’t take the network down. Please list the steps you would go through to convert the NT Domain to AD in Native Mode with 3 DCs.|
|Q6. A company has a network of 200 Windows XP workstations and 5 Windows 2003 servers. Active Directory is running in Native Mode and all of the workstations have been added to the domain. The network administrator would like to apply all of the critical MS updates to all of the workstations and force the workstations to automatically apply updates nightly. If possible, he would also like to have one of his servers download the patches and have the workstations pull from that server. How can this be accomplished without going to every desktop?|
|A6. Windows Server Update Services (WSUS) will allow the administrator to deploy the latest updates to every computer in the domain. AD native mode isn’t necessary , but it’s a good thing–I have WSUS running in a mixed (NT, W2K, W2K3) AD environment with no issues. The WSUS server will be configured to automatically download the patches on whatever schedule the admin chooses. Assuming that all workstations are running XP SP2, no WSUS client installations will be necessary; regardless, SUS client will be automatically installed through self-update if it’s missing on any computers (that doesn’t seem likely in this scenario). Worst case, the SUS client software (WUAU22.msi) can be deployed through AD using a GPO. Likewise, all domain computers will be configured through the Automatic Update policy settings to point to the WSUS server. The process is well documented by Microsoft in Microsoft Windows Server Update Services 3.0 SP1 Operations Guide.|
|Q7. A company decides to get a point to point T1 to connect their main office to an office across town. The T1 will be connected to a Cisco 1841. All of the servers and workstations at the main office currently have a PIX 501 on a DSL connection set as their default gateway. The PIX is running 6.3(5). How would you reconfigure their network to route Internet traffic out the DSL line, and traffic bound for the remote office over the T1?|
|A7. Let me give you another specific example of how I configured this for one of my clients. Before the T1 was installed, the SGS 1600 was the default gateway at 22.214.171.124. When the T1 was installed, I configured the network to point to the router (Cisco 1841) as the default gateway. I then configured the router as follows (partial config listing). Note that the phone engineer configured the voice vlan:
description local lan
ip address 126.96.36.199 255.255.0.0
description VOICE VLAN
ip address 10.10.10.1 255.255.255.0
description point to point to milford
ip address 192.168.200.1 255.255.255.252
router eigrp 10
network 10.10.10.0 0.0.0.255
network 10.10.51.0 0.0.0.255
network 188.8.131.52 0.0.0.255
network 192.168.200.0 0.0.0.3
ip route 0.0.0.0 0.0.0.0 184.108.40.206
ip route 10.10.51.0 255.255.255.0 Serial0/0/0
Traffic for Milford now goes on the T1 and Internet traffic goes to the SGS 1600.
|Q8. A company has an Exchange 2003 server and remote users needing to synchronize their e-mail securely. The remote users are running workstations with Windows XP SP2 and Outlook 2003. How can this be accomplished?|
|A8. We implemented this using PIX/ASA VPNs with the Cisco VPN client running on the remote PC. Outlook is configured to run in cached mode so email is available when off line.|
|Q9. Please describe a time where you solved a difficult problem.|
|A9. One of the most memorable and challenging problems I ever encountered was a network printing issue on P&G’s Netware/Win95 implementation. People would be able to print one minute and then the network printer icons would all gray out as if the printers were offline. Logoff/logon, warm boot, power cycling the PC were all ineffective; the printers went away and they wouldn’t come back. We had tried removing and reinstalling the printer drivers from known good copies, flashing the NIC ROMs and flashing the PC BIOS all to no avail. The project manager finally mandated that we re-image the PC when this problem surfaced, but at the time, that was a two-hour process.
I made a wild assumption and decided that the problem was rooted either in Windows or in the Novell Client and I suspected that driver files or related DLLs were getting corrupted somehow. The next time I encountered a PC with this problem, I used process explorer to see what was running. I then compared this with a PC that didn’t have the problem. The actual details escape me now, but I started pulling some strings on specific processes until I narrowed things down to a few (I think there were 5) Netware-specific files.
One by one, I used a hex editor to intentionally corrupt the files and see if I could duplicate the problem. When I did this to a file called NETWARE.DRV, all the printers I was watching immediately grayed out. I reversed the “corruption” I had introduced into the file and was amazed to see that the printers all came back. Problem solved. From that point forward, every tech had a floppy disk with a clean copy of NETWARE.DRV on it. I can’t even begin to estimate how much that solution saved P&G worldwide.
|Q10. Optional – Extra Credit – Create an account on http://www.hackthissite.org and complete levels 1 through 4 of the Basic Web Hacking Challenge and explain how you figured out each level.|
|A10. Level 1 truly is an idiot test. I tried a couple of guesses with blank password, “password,” “let me in,” and “idiot” for good measure, then did a View>Source and found this: <!– the first few levels are extremely easy: password is 1e79cde6 →. That got me in.
Level 2—since he neglected to upload the password file, I just clicked the Submit button and it let me in.
Level 3– He left the password file open to the world and I just opened password.php to reveal 792debbc as the password.
Level 4—I had a bit of trouble with this at first (I’m not a big-time hacker!), though I was on the right track in thinking that I had to figure out a way to change the email address. Finally, I realized that Google is my friend and found out why my hacked page wasn’t working: I forgot the absolute URL and was still using the relative one. Anyway, I entered the following code in my page:
<form action=”http://www.hackthissite.org/missions/basic/4/level4.php” method=”post”>
This revealed “password: 50c3072c.” I entered that and completed the level. Along the way, I discovered a neat add-on to Firefox called “Tamper Data.” Nice hacker tool: https://addons.mozilla.org/en-US/firefox/addon/966