September 25, 2018

Join Windows 10 to Windows 2000 domain

We bought new computers that only support Windows 10. I tried to install Windows 7 on them but it didn't work very well; besides, we could no longer get Windows 7 licenses, so we finally started rolling out Windows 10 to the users. I immediately ran into issues joining them to the old Windows 2000 domain. Google search results say that Windows 10 no longer supports Windows 2000 domains and that old servers need to be upgraded. Hmm, I distinctly remember joining Windows 10 computers to the domain, since some managers have had new computers since last year; it's only the users who are getting Windows 10 right now.

After more searching I found sites saying that the security policy needs to be modified. I also don't remember doing anything like that previously. I checked my notes and I had nothing on issues with Windows 10. After some brain wrangling I figured that it must be something about SMB. It turns out that SMBv1 is not installed by default only on newer versions of Windows 10, as described in this article. We did the new installs using 1803, where SMBv1 is no longer included, which is why it worked last year and no longer works now.

Adding SMBv1 back is just a matter of turning on a Windows feature, and after that Windows 10 can be joined to the Windows 2000 domain without issues.
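The feature can be checked and turned on from an elevated PowerShell prompt instead of the Windows Features dialog. The following is an added example, not part of the original post: it queries the state of the SMB1Protocol optional-feature group, enables only the client half (the workstation needs to talk to the Windows 2000 domain controller, it does not need to serve SMBv1 shares itself), and then shows which SMB dialect the live connection to the DC actually negotiated. The feature names are the ones Windows 10 1709 and later expose; note that these builds also remove SMBv1 again automatically if it goes unused for 15 days, so a machine that joined fine can lose the feature later.

```powershell
# Added example (not from the post). Run as Administrator on Windows 10 1709+.
# Assumes the optional-feature names SMB1Protocol, SMB1Protocol-Client,
# SMB1Protocol-Server as shipped in those builds.

# 1. Current state of every SMBv1-related optional feature.
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'SMB1Protocol*' |
    Select-Object FeatureName, State

# 2. Enable only the client side if it is not already present.
#    -NoRestart suppresses the reboot prompt; a reboot is still normally
#    required before the feature is active.
$client = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client
if ($client.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client -NoRestart
}

# 3. Confirm the server side stayed off; the workstation should not answer
#    SMBv1 requests from the network just to join a domain.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# 4. After the reboot and the domain join, list live SMB sessions with the
#    dialect each one negotiated. A 1.x dialect against the DC is expected
#    here; anything else talking 1.x is worth a second look.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect
```

Step 4 doubles as an inventory: run it on a few joined workstations and you can see exactly which servers still force SMBv1, which is the list that has to shrink as the new servers go into production.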

End note: yes yes, I know that old servers should be upgraded. We have some new servers but they've yet to be put into production, mostly because old programs need a lot of time to be ported. I hate it when people tell me old hardware or software is no longer supported, just upgrade.

September 21, 2018

Siemens PG 720 PII

The Siemens PG series was a specialized notebook with a special port for connecting to their PLC devices. Many years ago I asked Siemens whether we could use a regular notebook and buy just the special PLC adapter; they said it was possible and is actually recommended. However, the purchasing people said we're rich, and Siemens notebooks are very rugged and should last much longer than regular notebooks, so we ended up buying a PG 720 PII for a lot of money.

And rugged they are! I got called in recently to support the PLC, and was surprised to find that the PG still worked.

This is what a new PG 720 P looks like, picture found on the net. The PII is identical except for better hardware specs. Oh, one special thing about the PG 720 PII we have (not sure about the P) is that it has a 2.88 MB floppy disk drive with laser-tracked heads, so it was able to read any floppy disk we threw at it. Back when we used a lot of floppy disks I used to borrow the PG just to read the bad disks.

It has a keyboard that also works as the screen cover; ours was long broken, so it was just unplugged and replaced with a regular mouse and keyboard. The LCD screen still works but is cracked and faded, so we use an external monitor. The plastic around the screen was all brittle. I wanted to move the PG a bit for a better angle to photograph it and another huge chunk of plastic broke off. The engineer yelled at me to get my hands off his precious. Good times.

September 13, 2018

ARP cache poisoning attack

After years of putting in purchase request after purchase request for an antivirus program, it took a ransomware attack for my bosses to see the light, and we finally bought ESET Endpoint Security. ESET (NOD32) has a pretty bad reputation locally for being the antivirus product that you install if you want to be infected with a virus. I'm not sure why it was so badly rated, but perhaps because everyone was running pirated versions, and maybe the pirated copies don't actually work, but that's another story for another time.

Of course, we looked at several competing products, and I almost decided on Bitdefender, but during the 30-day trial period I discovered that Bitdefender was really slow if I was scrolling through my files in Windows Explorer with my cursor keys. I asked the support people and their clever answer was: don't move around with the cursor keys, just use the mouse and click on the file you want to use. So I put in a request and bought ESET Endpoint Security.

The morning after I received the licenses in email, the boss called and asked if I'd finished installing the antivirus. (Oh, there's another story involving the email, which is also another story for another time.)

"Finished? I've just started downloading the setup files, and I have to set up the management server."

"Good, so after that every computer will have the new antivirus?"

"Uh... not exactly, we have to set up the management server, create policies and exceptions, then deploy the client software to the domain, shouldn't take more than a week or two. But we have some really old computers that are being replaced next month, so we'll hold off installation for those after they're replaced."

"Good, finish installing everything by noon and sign off the project."

"What? It's not a home product that I just click on setup and use the defaults. We have hundreds of computers in different configurations and it will take at least a few days to get all the policies right, and we must test the policies and then do a phased rollout so we don't run into too many problems all at once. Plus we have to remove the old antivirus, which has to be done manually since you won't buy a commercial product and all we used were free home versions."

"That's why you have your staff to help you. I'll give you some extra time, just finish everything by today."

So I booted up the management server, created a default policy, let my guys go around the office uninstalling the old antivirus (if any) and rolled everything out all at once. Less than a minute later my phones started ringing off the hook and the management server started reporting an ARP cache poisoning attack. Users were reporting pop-up messages complaining about ARP something something, they couldn't access the ERP, and they couldn't print to an old cheap printer shared from one of the computers.

Printing to the shared printer was easy, just a matter of adding an exception to the firewall, but it took longer than it should have, since I was unfamiliar with ESET, and it took me more than a few minutes to find the option and deploy the updated policy to the clients.

The ARP cache poisoning attack was less obvious. I looked and it was coming from the SQL database server (which also explains why access to the ERP was blocked). Hmm, strange, then I realized the database server has a NIC team. Aha, some doc reading led me to adding an entry to the IDS exception setting. (The ESET support pages said to add entries to Trusted zone and Addresses to be excluded from IDS, which didn't work at all. The entry had to be added to the Network attack protection settings page.) After that, no more ARP cache poisoning attack messages, and then I started getting warnings of a duplicate IP address on the network.

Okay, add another entry to the IDS exception. Yay! All done, except the shared printer still didn't work. It's probably another non-obvious setting which I'll figure out another time.
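What the host IDS is reacting to in the story is one IP address being answered by more than one hardware address: a NIC team presents a single IP on two physical adapters, which looks the same on the wire as a second machine claiming that IP. The snippet below is an added example, not part of the post and not ESET's logic: it takes a constructed list of observed ARP replies (made-up addresses), groups them by IP, flags every IP that answered from more than one MAC, and then clears the ones whose MACs are all on a hypothetical allow-list of known team members, which is the role the IDS exception played in the post. Anything left over is the case that still deserves a look (a real conflict, or the next "duplicate IP" that needs its own entry).

```powershell
# Added example (not from the post). Constructed ARP-reply observations of
# the kind a host IDS sees: the IP being claimed and the MAC that answered.
# All addresses are made up.
$observed = @(
    [pscustomobject]@{ IP = '192.168.1.20'; MAC = '00-1A-2B-3C-4D-01' }  # database server, team member 1
    [pscustomobject]@{ IP = '192.168.1.20'; MAC = '00-1A-2B-3C-4D-02' }  # database server, team member 2
    [pscustomobject]@{ IP = '192.168.1.1';  MAC = '00-50-56-AA-BB-CC' }  # gateway, consistent
    [pscustomobject]@{ IP = '192.168.1.1';  MAC = '00-50-56-AA-BB-CC' }
    [pscustomobject]@{ IP = '192.168.1.77'; MAC = '08-00-27-11-22-33' }
    [pscustomobject]@{ IP = '192.168.1.77'; MAC = 'DE-AD-BE-EF-00-01' }  # same IP, unrelated MAC
)

# Known team members that legitimately share one IP. This plays the part of
# the IDS exception entry from the post; the values are hypothetical.
$teamAllowList = @{
    '192.168.1.20' = @('00-1A-2B-3C-4D-01', '00-1A-2B-3C-4D-02')
}

function Get-ArpConflicts {
    param([array]$Replies, [hashtable]$AllowList)
    $Replies |
        Group-Object -Property IP |
        ForEach-Object {
            $ip   = $_.Name
            $macs = @($_.Group | ForEach-Object { $_.MAC } | Sort-Object -Unique)
            # A single MAC per IP is normal; only multi-MAC IPs are of interest.
            if ($macs.Count -gt 1) {
                $allowed    = $AllowList[$ip]
                $unexpected = if ($allowed) { @($macs | Where-Object { $_ -notin $allowed }) } else { $macs }
                [pscustomobject]@{
                    IP      = $ip
                    MACs    = ($macs -join ', ')
                    Verdict = if ($unexpected.Count -gt 0) { 'investigate' } else { 'known NIC team' }
                }
            }
        }
}

Get-ArpConflicts -Replies $observed -AllowList $teamAllowList | Format-Table -AutoSize
```

With the constructed data, 192.168.1.20 comes out as "known NIC team" and 192.168.1.77 as "investigate"; the gateway never appears because it only ever answered from one MAC. The local cache alone cannot produce this view, since Windows keeps a single MAC per IP in it (compare `Get-NetNeighbor -AddressFamily IPv4`); you need the stream of replies over time, which is exactly what the IDS component had and the user did not.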