Sometimes, I really hate Microsoft. (Server 2008)

Acanthus
Worked on hardening a 2008R2 web server all night, because one of our admins insisted he couldn't get an app working in Linux.

Firewalled everything but ports 80, 443, and 442 manually (TCP and UDP). Disabled all of the crappy default exceptions, added manual rules to allow 80, 443, and 442 (both TCP and UDP). Changed RDP to work over port 442.

Installed 135 updates, needed a reboot.

Rebooted, server is up, website is up, can be pinged, can't remote in.

Nice one, MS.

AMCRambler
Rebooted, server is up, website is up, can be pinged, can't remote in.

Nice one, MS.

You configured the server to block the default RDP ports, installed updates that reset the defaults, and this is Microsoft's fault that you can't remote in? Heh, ok.

All updates go first. Configuration comes last. Rookie mistake, grasshopper.

Oyeve
You configured the server to block the default RDP ports, installed updates that reset the defaults, and this is Microsoft's fault that you can't remote in? Heh, ok.

All updates go first. Configuration comes last. Rookie mistake, grasshopper.

This. I hope you wrote down the settings prior to updating.
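An added example, not the poster's own commands: the setup the first post describes (default-deny inbound, explicit allows for 80, 443 and 442 on TCP and UDP, RDP moved to 442) done with what Server 2008 R2 ships, plus the "write down the settings" snapshot Oyeve asks about and a post-reboot check that lists every reason RDP would be unreachable. It sticks to PowerShell 2.0 and netsh because the NetSecurity cmdlets (New-NetFirewallRule and friends) only arrived with Server 2012. The function names, rule names and the C:\Admin path are my own choices, not anything from the thread.

```powershell
# Added example (not from the thread): harden a 2008 R2 box the way the first post describes,
# snapshot the firewall and RDP settings before and after, and verify RDP after the reboot.
$RdpPort   = 442
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ListenKey = "$TsKey\WinStations\RDP-Tcp"

function Set-RdpListenPort {
    param([int]$Port)
    # PortNumber is a REG_DWORD; the listener only reads it when TermService (re)starts.
    Set-ItemProperty -Path $ListenKey -Name PortNumber -Value $Port -Type DWord
    Restart-Service -Name TermService -Force
}

function Set-HardenedFirewall {
    param([int[]]$Ports)
    # Default-deny inbound on every profile, then one explicit allow per port and protocol.
    # Rule names carry no spaces so netsh receives them intact from PowerShell's argument parser.
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    foreach ($p in $Ports) {
        foreach ($proto in 'TCP', 'UDP') {
            netsh advfirewall firewall add rule name="Allow-$proto-$p" dir=in action=allow protocol=$proto localport=$p | Out-Null
        }
    }
}

function Save-FirewallSnapshot {
    param([string]$Dir, [string]$Label)
    New-Item -ItemType Directory -Force -Path $Dir | Out-Null
    # Binary policy export (restorable with 'netsh advfirewall import') plus text dumps for diffing.
    netsh advfirewall export "$Dir\$Label.wfw" | Out-Null
    netsh advfirewall firewall show rule name=all | Out-File "$Dir\$Label.rules.txt"
    "PortNumber=$((Get-ItemProperty -Path $ListenKey).PortNumber)",
    "fDenyTSConnections=$((Get-ItemProperty -Path $TsKey).fDenyTSConnections)" | Out-File "$Dir\$Label.rdp.txt"
}

function Compare-FirewallSnapshot {
    param([string]$Dir, [string]$Before, [string]$After)
    # Lines present in only one of the two rule dumps, i.e. what the reboot/update changed.
    Compare-Object (Get-Content "$Dir\$Before.rules.txt") (Get-Content "$Dir\$After.rules.txt")
}

function Test-RdpConfig {
    param([int]$Port)
    # Returns the reasons RDP would be unreachable on $Port; an empty list means every check passed.
    $problems = @()
    if ((Get-ItemProperty -Path $TsKey).fDenyTSConnections -ne 0) {
        $problems += 'Remote Desktop is switched off (fDenyTSConnections != 0)'
    }
    $listen = (Get-ItemProperty -Path $ListenKey).PortNumber
    if ($listen -ne $Port) { $problems += "listener PortNumber is $listen, expected $Port" }
    $rule = netsh advfirewall firewall show rule name="Allow-TCP-$Port"
    if ($rule -match 'No rules match') { $problems += "no inbound allow rule for TCP $Port" }
    elseif (-not ($rule -match '^Enabled:\s+Yes')) { $problems += "inbound rule for TCP $Port exists but is disabled" }
    if (-not (netstat -ano -p TCP | Select-String ":$Port\s+\S+\s+LISTENING")) {
        $problems += "nothing is listening on TCP $Port (TermService not restarted?)"
    }
    return ,$problems
}

# Usage (run from the console session, since RDP is the thing under test):
#   $Dir = 'C:\Admin\fw'
#   Save-FirewallSnapshot -Dir $Dir -Label 'before'          # record what you started from
#   ... install updates, reboot, log back in at the console ...
#   Set-HardenedFirewall -Ports 80, 443, $RdpPort
#   Set-RdpListenPort -Port $RdpPort
#   Save-FirewallSnapshot -Dir $Dir -Label 'after'
#   Compare-FirewallSnapshot -Dir $Dir -Before 'before' -After 'after'
#   $issues = Test-RdpConfig -Port $RdpPort
#   if ($issues.Count -eq 0) { "RDP on $RdpPort: all checks passed" } else { $issues }
```

Test-RdpConfig checks the four things that each independently break remote access here: the Remote Desktop toggle, the registry listen port, the firewall rule, and whether anything is actually bound to the port. Running it before the reboot and again afterwards, together with the rule-dump diff, tells you which of them the update run touched instead of guessing.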
 

Acanthus
You configured the server to block the default RDP ports, installed updates that reset the defaults, and this is Microsoft's fault that you can't remote in? Heh, ok.

All updates go first. Configuration comes last. Rookie mistake, grasshopper.

I'm sorry that I expected their $80B software to retain settings through updates.

Clearly I should have the experience to know that their OS is shit :p

Wouldn't have happened in Ubuntu/OpenBSD, that's all I know.
 

Oyeve
Wouldn't have happened in Ubuntu/OpenBSD, that's all I know.

Probably true, but who the hell uses that anyway? I know of no companies using this except for the IT dorks (myself included), and we don't roll this out in serious production. :)
 

smakme7757
Hehe, interesting story. Windows is a bit like that. I spent a few hours last night wondering why I couldn't use the remote MMC snap-in for Device Manager from Win 8 to Hyper-V Core 2012. It turns out MS completely disabled remote management of Device Manager in the latest OS.
 

imagoon
It turns out MS completely disabled remote management of Device Manager in the latest OS.

Until you turn it on in Server Manager, yes.

Rock and a hard place. People complain that they leave too much on and open, so they harden it and disable most stuff. Then people complain that all that stuff isn't on.

I am also not sure why RDP would fail below port 1500. It is TCP, and I have seen it on port 80 before. I would suspect something specific to your machine is preventing it.

Acanthus
Until you turn it on in Server Manager, yes.

Rock and a hard place. People complain that they leave too much on and open, so they harden it and disable most stuff. Then people complain that all that stuff isn't on.

I am also not sure why RDP would fail below port 1500. It is TCP, and I have seen it on port 80 before. I would suspect something specific to your machine is preventing it.

You can change the listen port to whatever you want, but if you want to firewall 3389, you can't run RDP below port 1500 (ish; the actual cutoff is 14XX).
 

imagoon
You can change the listen port to whatever you want, but if you want to firewall 3389, you can't run RDP below port 1500 (ish; the actual cutoff is 14XX).

That doesn't make any sense... I am staring at a server with RDP on 80 with the firewall on... Is there an MS tech doc mentioning this anywhere?
 

ViRGE
I am also not sure why RDP would fail below port 1500. It is TCP, and I have seen it on port 80 before. I would suspect something specific to your machine is preventing it.

In the *nix world, ports 1024 and below are "special" ports. However, even if MS copied that tradition, I don't know why 1024 to 1500 would be similarly special.
 

imagoon
In the *nix world, ports 1024 and below are "special" ports. However, even if MS copied that tradition, I don't know why 1024 to 1500 would be similarly special.

Yes, but in Linux root can bind the ports below 1024 to whatever they want. Same with Windows: administrators generally can remap whatever they want in the low ports. I mean mail / HTTP / Exchange etc. all bind below 1024.

442, as mentioned above, is a "well-known port", but it looks like it was used mostly in the Sun world with cvc_hostd, which looks to be some drive array protocol. Doubt that would be floating around in Windows land, but who knows; maybe something else bound it.