December 2009 Archives

How To: Choose A VPN Tunneling Protocol

If you plan to use Virtual Private Networking in Windows, keep in mind it supports two tunneling protocols, namely L2TP and PPTP. To determine which of them to use in a particular case, follow these recommendations.

If your enterprise doesn't have its own CA to issue computer certificates, and/or you need to maintain compatibility with legacy Windows platforms, use PPTP.

To get data integrity and non-repudiation, use L2TP. It provides these on top of the data confidentiality that PPTP provides.

If your VPN clients work behind NAT, PPTP is the answer. Most NAT devices can be configured to work with this protocol, but not with L2TP.

How To: Simplify Quota Management With Quota Templates

One of the most important tasks of a system administrator is setting disk quotas. This helps prevent exhausting free disk space on a server, especially when there is a large number of users.

It can be done manually on a per-user basis while the number of users is small; when that number grows, Quota Templates can help.

The idea is to apply groups of settings to folders and volumes quickly. Open File System Resource Manager, expand the quota management node and right-click the quota templates node. Now click 'Create Quota Template' and define the basic set of settings (space limit, hard or soft quota, notification threshold etc).

Now you can apply the defined settings to folders or volumes 'in a single click'.

How To: Force WSUS Updates

When WSUS is set up, the update time can be set as required; however, there may be cases when the process must be forced. One example is when WU is run for the first time.

Prior to changing settings, WU must be stopped. Open a command prompt (cmd.exe) and type the command
net stop wuauserv

Start the registry editor, regedit (you are encouraged to make a backup of your registry first), and navigate to
HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
and locate and delete the following keys:
LastWaitTimeout
DetectionStartTime
NextDetectionTime

Now return to the command prompt and restart WU by typing
net start wuauserv
and the WU process will then contact the WSUS server and look for available updates.

Alternatively, type in the command prompt
Wuauclt /detectnow

That forces WU to contact the WSUS server and find whatever updates are missing, with the option to install them immediately.

How To: Configure Windows Update Using GPO

To maintain an appropriate level of security, all the computers in the intranet must be properly updated. Configuring the automatic update schedule on every individual computer can take a significant amount of time. Group Policy can make this simpler.

Import the appropriate ADM file into the GPO you wish to use. To do that, open the group policy object and expand the "Computer Configuration" node. Right-click "Administrative Templates" and select "Add/Remove Template". Click "Add" and select the wuau.adm file from the %WinDir%\Inf folder.

Now you can configure Windows Update by opening
Computer Configuration > Administrative Templates > Windows Components > Windows Update
All the general configuration parameters for Windows Update (including general configuration, download location, scheduling, and the auto-restart feature) can be set up there.

How To: Remove IE Supervisor Password

If a user has enough privileges, he can change many settings, making computer usage inconvenient. One such setting is a supervisor password on Internet Explorer; that restricts Web usage (certain sites become inaccessible).

If this is what should be removed, a registry modification can fix the situation. Please note you are strongly advised to back up your registry before attempting to modify it.

Start regedit and navigate to
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
open the Ratings key, look for a value named Key and remove it. Close regedit to commit the changes and the Content Advisor password is removed. To finish unlocking the browser you have to restart the computer.

How To: Delete System Blocked Files

At times a runaway application and/or service may prevent you from deleting a file. Typical error messages include:
"Access Is Denied"
"Sharing Violation Error"
"File/Folder is being used by applications. Please close the application and then try again."

To delete the file, you should first close the handle. You will need Process Explorer from the Sysinternals package, available at the Microsoft site. After you have installed the utility, follow these steps:
  • start Process Explorer
  • proceed to the 'Find' menu, enter the file/folder name and click 'Search'. A list of the processes blocking the file/folder will be displayed.
  • right-click on the process, click Close Handle and click OK to confirm
After the blocking handles are closed, you can remove the file/folder.

How To: Uninstall Applications In Safe Mode

In cases when a corrupt configuration or some other system-related failure prevents uninstalling an application, the only option may be to use Safe Mode. However, Windows Installer may not work in Safe Mode.

The following steps can help in such a case:
  • press F8 while booting the system (during the splash screen) to invoke Safe Mode
  • open a command prompt window (run cmd.exe)
  • run the following commands:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" /VE /T REG_SZ /F /D "Service"
net start msiserver

Now double-click the application's .msi file to uninstall the application from your system.

Tips: Map Your Network For Better Protection

In a large intranet with thousands (or more) of devices, the primary goal is to maintain a decent security level. It's quite hard to find an unauthorized (rogue) device if the administrative policy is permissive.

In other words, if it is assumed that any device online is legitimate and belongs to someone authorized, it's hard to maintain security, even if all data access attempts are properly logged and checked.

It is advisable to have a complete map of network activity; all MAC addresses, assigned IP addresses etc. must be regularly gathered and studied for unknown entries. All devices must be registered, and there should be an easy way to determine whether a given MAC address belongs to a legitimate device.

And, finally, the default administrator's policy towards new or unknown devices must be to forbid access to intranet resources. Although it may require slightly more work to check each such case, it prevents serious security issues in the long run.

Constant network monitoring within the intranet is also a must to keep an acceptable level of security.

Tips: Preventing Rogue DHCP Clients

Apart from rogue DHCP servers, there can also be a problem of rogue DHCP clients. To make sure no unauthorized client obtains an IP address from your DHCP servers, there are a few steps to follow.

1. Make sure physical security is enforced. That is, prevent physical connections to your network if there is public access to your network hardware.
2. Use 802.1x or IPSec to secure your existing clients from rogue ones. That doesn't prevent rogue clients from obtaining IP addresses, but can help prevent them from doing anything undesirable afterwards.
3. Use fixed IP addresses for your clients. In a small intranet, and/or when there is no actual need to support dynamic IP addresses, this can help prevent an outside user from obtaining an IP address from your network.
4. Use a network monitoring tool to detect rogue activity and prevent it wherever possible. Firewalling and logging connections can also be of use.
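As an added example (not code from the original posts), here is the reconciliation step behind 'Map Your Network For Better Protection' and item 4 of 'Preventing Rogue DHCP Clients' in Python: observed ARP entries and DHCP leases are checked against a device register, and anything unregistered, or sitting on an address reserved for a registered host, is reported. The inventory, the arp -a extract and the lease listing are all constructed for the example.

```python
"""Reconcile observed (IP, MAC) pairs against a device register.

Constructed sample data, not a real inventory or capture."""
import re
from typing import Dict, List, Tuple

# Hypothetical device register: normalised MAC -> (owner, fixed IP or "" for DHCP clients).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:55": ("file-server-01", "192.168.1.10"),
    "00:11:22:33:44:66": ("alice-laptop", ""),
    "00:11:22:33:44:77": ("printer-2f", "192.168.1.50"),
}

# Constructed sample in the layout of Windows `arp -a` output.
ARP_SAMPLE = """
Interface: 192.168.1.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-01     dynamic
  192.168.1.10          00-11-22-33-44-55     dynamic
  192.168.1.50          00-11-22-33-44-99     dynamic
  192.168.1.77          00-11-22-33-44-66     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed DHCP lease listing, one "ip mac hostname" record per line.
LEASE_SAMPLE = """
192.168.1.77 00-11-22-33-44-66 alice-laptop
192.168.1.120 0c-0c-0c-0c-0c-0c unknown-host
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"(?i)\b([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b")


def normalise_mac(mac: str) -> str:
    """Windows prints MACs with dashes; the register uses lowercase colons."""
    return mac.lower().replace("-", ":")


def is_group_address(mac: str) -> bool:
    """Low bit of the first octet set: multicast/broadcast, never a real device."""
    return int(mac.split(":")[0], 16) & 1 == 1


def parse_pairs(text: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs; lines lacking either field are ignored."""
    pairs = []
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            pairs.append((ip.group(1), normalise_mac(mac.group(1))))
    return pairs


def reconcile(observed, inventory):
    """Return findings as (severity, mac, ip, note), one per distinct pair."""
    fixed_ip_owner = {ip: owner for owner, ip in inventory.values() if ip}
    findings, seen = [], set()
    for ip, mac in observed:
        if (ip, mac) in seen or is_group_address(mac):
            continue
        seen.add((ip, mac))
        if mac not in inventory:
            if ip in fixed_ip_owner:
                # An unregistered device is using an address reserved for a known host.
                findings.append(("CONFLICT", mac, ip,
                                 f"unregistered MAC on IP reserved for {fixed_ip_owner[ip]}"))
            else:
                findings.append(("UNKNOWN", mac, ip, "MAC not in device register"))
            continue
        owner, fixed_ip = inventory[mac]
        if fixed_ip and fixed_ip != ip:
            findings.append(("MOVED", mac, ip, f"{owner} expected at {fixed_ip}"))
    return findings


def audit(sources, inventory=INVENTORY):
    """Run the check over any number of ARP/lease text extracts."""
    observed = [pair for text in sources for pair in parse_pairs(text)]
    return reconcile(observed, inventory)


if __name__ == "__main__":
    for finding in audit([ARP_SAMPLE, LEASE_SAMPLE]):
        print(*finding)
```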

Tips: Metabase Changes Not Applied Immediately

In IIS 6 on Windows Server 2003 R2 it's now possible to edit the metabase file directly using Notepad or any other text editor of choice. Unlike the metabase of previous versions, this one is in XML format, thus it's human-editable.

Please do not forget to make a backup copy of the file, since an error in file structure may lead to unpredictable results. The XML must remain well-formed.

After the changes are written, they are not applied immediately. The problem is that IIS caches previously read metadata, and it can take approximately 5 minutes for changes to take effect.

To speed up the process, you can either select 'Save Configuration To Disk' in IIS Manager, or restart IIS.

How To: Cut and Paste Virtual Directories

At times it is necessary to replicate a virtual directory from one IIS-powered server to another. However, the IIS 6 GUI has no tool for that. The following allows you to copy a virtual directory from one site to another (running the same IIS Web server).
  • right-click the source virtual directory and choose 'Save Configuration To File'. That copies the chunk of the XML metabase containing the configuration of the virtual directory
  • after copying the saved configuration file to the other server, right-click the site, select 'New', 'Virtual Directory From File', select the file, click 'Read File', select what to import and click 'OK'

Another option is to use the Iiscnfg.vbs script to export the virtual directory data from one site and import it into another.

How To: Copying a Web Server Configuration

At times it is necessary to clone your Windows-based Web server. The first idea is to just copy the IIS metabase file from one server to the other to clone the configuration. However, that would not work as expected, because ACLs and GUIDs, as well as certain other settings, are specific to the source computer.

The correct way is rather obvious: create a backup copy of the metabase on one computer and restore it on the other. This method correctly handles the ACL and GUID mapping.

You should also make sure the same user accounts and directory structure exist on the target computer for the cloning to work.

How To: Disable Caching Failed DNS Lookups

Normally, DNS lookup results are cached to lower the load on name servers; under normal circumstances DNS changes are rare, and caching the responses is fine.

However, failed DNS lookups are cached as well. In many cases, when the failure is temporary (the DNS server times out, or there is another transient error), this can lead to a perfectly valid domain name failing to resolve. There are several ways to handle that.

1. Reboot the computer to clear the DNS cache. Not a good solution in many cases.

2. Flush the DNS cache by running the command
ipconfig /flushdns
However, this cures the consequences, not the cause.

3. Update your registry. Run the regedit utility (please do not forget to make a backup copy of your registry), navigate to
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
and set the following keys to zero:
NegativeCacheTime
NetFailureCacheTime
NegativeSOACacheTime

That will make the computer request a DNS lookup from the upstream DNS server every time. If significant delays are noticed when making DNS queries, it could mean you are asking for a wrong domain name.

Tips: Naming Network Connections

If your Windows server has more than one network card installed, it's generally a good idea to give every connection a descriptive name, so you can tell at once which is which.

This approach is especially useful when troubleshooting network connectivity; using non-standard names (different from Local Area Connection N) lets you pinpoint the problem quickly.

It is also very convenient if the parameters of a certain network card have to be changed quickly, or if an interface has to be disabled quickly.

Together with a netsh-based backup of the entire network configuration, it can save you precious time when you need to restore a configuration to a known state.

How To: Save And Restore Network Configuration From Command-Line

There's a command-line utility, netsh, able to control almost all aspects of network configuration. There are cases when it's necessary to save or restore the entire network configuration.

The command-line method can be much faster, especially if the switch has to be performed frequently and/or on a number of computers.

To back up your network configuration:
netsh interface dump > netcfg-saved.dat

(the data is stored in netcfg-saved.dat)

To restore your network configuration afterwards:
netsh exec netcfg-saved.dat

Saving several frequently used network configurations saves much time when switching to one of the saved network settings. If you travel a lot, or use the same notebook to connect at home, at the office and elsewhere, the above can be very convenient.

How To: Installing the Windows Server 2003 Network Monitor

There's a free packet sniffer from Microsoft, Windows Server 2003 Network Monitor. It can be a useful tool for network troubleshooting. To install the basic version, follow these steps:
  • open Control Panel, click on 'Add/Remove Programs'
  • click 'Add/Remove Windows Components'
  • select 'Management and Monitoring Tools', click 'Details'
  • check 'Network Monitor Tools', click 'OK'
  • click 'Next'; if necessary, either insert the original Windows Server 2003 CD/DVD or enter the appropriate location of the installation files
  • click 'Finish'

This version only allows you to view data frames sent or received by the computer. You should use more powerful software to set up actual network monitoring of higher-level protocols.

How To: VPN Quick Setup

VPN (Virtual Private Network) is a means to establish a secure encrypted communication tunnel between two network endpoints. Thus it can be quite useful if security is the primary goal. It is easy to set up a VPN in both Windows XP and Windows Server 2003. Here are the instructions.
  • open Control Panel
  • proceed to 'Network Connections'
  • click on 'Create New Connection', click 'Next', select 'Setup an advanced connection' and 'Next' again
  • select 'Accept incoming connections', click 'Next' twice, click 'Allow virtual private connections', click 'Next' again
  • check the users you allow to connect via VPN, click 'Next', 'Next' and 'Finish'

The VPN is set up. If you're behind a firewall, you may need to forward port 1723 (the standard PPTP port) to allow VPN connections. There are several third-party programs to establish a VPN, but the above steps are the simplest way to start.

Servers And Automatic Updates

Automatic Updates (AU) is, in general, designed for client computers; it is assumed end users should use AU and receive updates as soon as possible.

However, servers should not, in general, rely on AU or use that feature.

The reasons are:
  • all patches/fixes should be well-tested first, prior to installing them on a production server
  • mission-critical applications may be quite sensitive to any changes, including fixes applied to system components

The general idea is to turn off AU for servers; if updates are critical (they address significant vulnerabilities), they should first be tested on a server replica (sandbox server), otherwise there's a risk of breaking the existing services on a production server. And, of course, a full system and user data backup should be made before such patches are applied.

Value Of Auditing Workstations

Under normal circumstances, administrators prefer to audit servers only, leaving workstations alone. However, there are cases when auditing workstations is quite reasonable.

In most situations workstations are exempted from auditing, since there are many workstations but few servers; workstations are often volatile and can be rebuilt from an image, so it's often easier to restore the OS image than to investigate whatever failure prevents the system from functioning.

If security logs are kept on workstations as well, however, it becomes much easier to keep track of all network activity and pinpoint possible unauthorized access, along with credential leaks. Studying the logon/logoff attempt records can be a significant time saver when network activity has to be tracked and monitored.

Since auditing doesn't impose much load on workstations, the most important types of events (logon and logoff attempts, shared resource access etc) should be logged even on workstations.

A Common Misconception Regarding Security Logs

Active Directory, responsible for the security of Windows-based networks, is hosted by domain controllers. Active Directory information is replicated across the controllers, so, allowing for the replication delay, the data on all controllers is identical. That means all the security information (such as login credentials, access control lists etc) is the same.

However, security logs are not the same across controllers. Each domain controller records only the security-related events that actually happened on it; they are not copied to other controllers, for an obvious reason: only the actual events related to the given controller are kept in its security log.

So it is a mistake to assume the logs are replicated as well; it also means all security-related monitoring and analysis must scan the logs of all the domain controllers present.
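An added Python example, not part of the original post, showing why monitoring must merge the logs of all controllers: the constructed logon records below spread one account's failed logons over three DCs so that no single DC's log crosses the alert threshold, while the merged view does. The threshold, the DC names and all records are assumed values.

```python
"""Correlate logon failures across all domain controllers' security logs.

Constructed event records, not real log data."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

THRESHOLD = 5   # failed logons per account that should raise an alert (assumed)

# Hypothetical extracts from three DCs: (dc, time, account, outcome, source ip).
EVENTS: List[Tuple[str, str, str, str, str]] = [
    ("DC1", "09:00:01", "jsmith", "failure", "10.0.0.5"),
    ("DC1", "09:00:02", "jsmith", "failure", "10.0.0.5"),
    ("DC2", "09:00:03", "jsmith", "failure", "10.0.0.5"),
    ("DC2", "09:00:04", "jsmith", "failure", "10.0.0.5"),
    ("DC3", "09:00:05", "jsmith", "failure", "10.0.0.5"),
    ("DC3", "09:00:06", "jsmith", "success", "10.0.0.5"),
    ("DC1", "09:10:00", "alice", "success", "10.0.0.9"),
]


def failures_per_dc(events) -> Dict[str, Counter]:
    """What each DC sees on its own: dc -> Counter(account -> failed logons)."""
    per_dc = defaultdict(Counter)
    for dc, _, account, outcome, _ in events:
        if outcome == "failure":
            per_dc[dc][account] += 1
    return per_dc


def failures_domain_wide(events) -> Counter:
    """The same count after merging every DC's log."""
    total = Counter()
    for counts in failures_per_dc(events).values():
        total.update(counts)
    return total


def alerts(events, threshold=THRESHOLD):
    """Accounts over the threshold, judged per DC and domain-wide, plus
    accounts whose run of failures ended in a success on any DC."""
    per_dc = failures_per_dc(events)
    local = sorted({a for c in per_dc.values() for a, n in c.items() if n >= threshold})
    merged = failures_domain_wide(events)
    domain_wide = sorted(a for a, n in merged.items() if n >= threshold)
    # Order by time across DCs; a success right after several failures is worth a look
    # and is invisible when each DC's log is read on its own.
    timeline = sorted(events, key=lambda e: e[1])
    streak, suspicious = Counter(), set()
    for _, _, account, outcome, _ in timeline:
        if outcome == "failure":
            streak[account] += 1
        else:
            if streak[account] >= 3:
                suspicious.add(account)
            streak[account] = 0
    return {"per_dc": local, "domain_wide": domain_wide,
            "failures_then_success": sorted(suspicious)}


if __name__ == "__main__":
    print(alerts(EVENTS))
```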

How To: Auditing On A Per-User Basis

Normally, all audit functions are system-wide and there is not much granularity; in systems with many users it's hard to perform a detailed audit, since too many events will be logged. Logging can become quite resource- and time-consuming if configured poorly.

However, starting from Windows Server 2003 SP1 a new function is available, named "Per-User Selective Audit". It means you can override the system-wide audit settings for a given user, thus preventing unnecessary events from being recorded.

The practical use of this option is watching the actions of a given user you are suspicious of.

To configure and learn more about this function, run the following command in a command-line session:

auditusr /?

Disabling LM Authentication

A security system can't be stronger than its weakest link. For example, it is important to make users choose strong passwords and change them often enough. However, that is undermined if the passwords are transmitted in plain or easily deciphered form. Another example is the so-called LAN Manager (LM) authentication. This out-of-date method stores passwords in a form that can be cracked easily, thus effectively nullifying all the security measures related to password strength.

In cases when legacy clients are used that require LM authentication, you can do nothing about that. In all other cases it is a good idea to disable LM authentication entirely.

The LM hash is transmitted over the network; to prevent that from a single computer, follow these steps:
  • open the registry editor and navigate to HKLM\System\CurrentControlSet\control\LSA
  • find the value named "LMCompatibilityLevel"
  • change it to "5"; that will completely disable LM authentication

However, disabling this won't remove the existing copies of LM hashes. To eliminate them:
  • create a new policy using the Group Policy Management Console; navigate to Computer Configuration, then to Windows Settings > Security Settings > Local Policies.
  • select Security Options
  • double-click "Network Security: Do Not Store LAN Manager Hash Value On Next Password Change".
  • select Enabled and click "OK"

The last thing you have to do is to change the password for a user account to remove whatever hashes were stored for it.

Preventing Ping Responses From Hidden Servers

By default, servers respond to ICMP echo requests ('pings'). It is a normal way to check for the existence of a computer. However, in many cases certain kinds of servers should not be exposed to everyone; thus, there can be cases when a system should not respond to such inquiries.

The most general means of preventing ICMP responses is provided by Windows Firewall. To access it, right-click the network connection to modify, then select Properties, Advanced, Settings. There, on the Advanced tab, you can see the 'ICMP' section. ICMP is the protocol used to 'ping' hosts. By unchecking "Allow incoming echo requests" you effectively prevent ping responses.

Note that this method prevents ping responses entirely. If you wish to have finer control, a personal firewall or similar solution could be used. Also, server monitoring can still be done without ICMP responses.

The Power Of Power Users

The Power Users group grants significant privileges to its members; these privileges may jeopardize the security of your computer unless used wisely. Power Users may alter a number of computer-wide settings, create user accounts, install device drivers (signed or unsigned), and install uncertified programs as well.

These capabilities are sufficient to install a malicious piece of software. It can be installed so that it runs under an administrator's account and thus can compromise the system entirely.

Care should be taken when you add users to this group. Unless absolutely necessary, users should not be given such privileges. In many cases less powerful groups can be used when a user needs access to certain resources.

How To: Prevent Users From Installing Software

Users like installing software on workstations; however, in a business environment this can lead to a number of problems, destabilize the intranet and create a number of security holes. Examples include instant messengers such as ICQ or Skype and any other network utility that creates uncontrolled connections.

There are several means to prevent users from installing software and/or running unapproved software. First, users should not be Power Users or local Administrators on their workstations. This will prevent them from installing most software.

Also, Group Policy can be used to forbid running certain executable and other files (including .msi packages).

Proper firewall configuration can also prevent users from downloading software from known sites and, most importantly, from connecting to certain ports (thus preventing the most dangerous programs, such as instant messengers, from running).

Together with installing efficient malware detection and protecting system settings from modification, this gives a decent level of defense against running unwanted software.

Pre-Staging Computer Accounts

When you join a computer to a domain, its account is placed into the Computers container. However, that container isn't an organizational unit (OU) and, as such, can't be linked to a group policy object (GPO). It is a possible security breach (an unmanaged area).

It can be solved by pre-creating computer accounts prior to joining the computers. Use Active Directory Users and Computers to create a computer account within an OU. Afterwards, when the computer is joined, it will find the account with the same name and thus can be controlled by group policy. This process is called pre-staging.

User Accounts And Domain Password Policies

Password policies for user accounts in an Active Directory environment are controlled by group policy settings located at

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

There are six policies there. They affect all domain users, and normally there is no way to exempt an account from them.

The only exception: if you check the 'Password never expires' setting in the user's properties in Active Directory Users and Computers, the domain setting for maximum password age is overridden for that user.

However, this can lead to security breaches, so the option should only be used for service accounts; for even more security, event logs should be monitored for any authentication attempts by such 'never-expiring' accounts.

User Profiles For Service Accounts

There are Windows accounts that do not normally require a standard user profile. However, there are cases when such an environment could be of use.

One example is when you need to pass an environment variable to a service process.

Another example: if you need to run an SSH session under a special account and wish to use key-based authentication. Unless a user profile is created, that is impossible.

The trick is to call the standard API function LoadUserProfile(). Full details and the sample source code of such an application are given in the article How To Programmatically Cause the Creation of a User's Profile.

Server Based Printers And Security Issues

When a printer is shared through the server it is installed on, it's called a server-based printer. The drawback is that server resources are spent on serving the printer. The advantage is that advanced security settings are available in such a configuration.

Open the Control Panel and navigate to the printer you want to configure security for. Right-click the printer, choose Properties and the Security tab. The security settings are very much like those for files and folders: you assign permissions to users and groups. The access rights include print, manage printing and manage the printer itself.

Keep in mind that every time you add a server-based printer you should adjust the permissions, since the default settings may be unacceptable in many situations.

Enabling Windows Firewall On Domain Controllers

A firewall is an important tool for creating an acceptable level of security. Under normal circumstances it must be turned on with a 'whitelist' approach (everything not explicitly allowed is blocked). However, one should be careful when enabling the firewall on domain controllers, since they can effectively be rendered broken if the firewall is improperly configured (e.g. preventing workstations from connecting).

Below are instructions on what should be done to enable the firewall on a domain controller.

Enable the File and Print Sharing exception in the firewall settings.

Add program exceptions for lsass.exe and ntfrs.exe, usually located in %WINDIR%\SYSTEM32.

Allow the following port exceptions: 53 (TCP and UDP), 88 (TCP and UDP), 123 (UDP), 135 (TCP), 137 (TCP), 389 (UDP), 464 (TCP and UDP) and 636 (TCP).

The above is the minimal exception set that allows normal domain controller functioning.

Port 445 And Trust Creation

TCP port 445 (the standard Windows SMB port) is used to create a trust between two domains. It must be open on both sides to do that.

By itself, keeping the port open is a possible security risk. The port may be exploited by a number of worms and so on, which is why it's usually kept strictly firewalled, with only trusted computers allowed to access it.

However, after the trust has been created, the port may safely be closed, even between the two domain controllers. This is a poorly documented feature, yet it may be used to strengthen security.

Enforcing Group Policy

Local administrator accounts on Windows workstations can arbitrarily edit the registry and thus override many Group Policy settings initially applied. The best approach is not to grant local administrative privileges, but that can't always be done, and in most cases isn't convenient.

For example, a number of programs will only run as a privileged user. Installing software also requires administrative privileges in many cases.

To prevent Group Policy from being worked around, the following might be a solution:

Open
Computer Configuration \ Administrative Templates \ System \ Group Policy

Look for the policies with names ending in "...policy processing". Open every such policy and select the checkbox "Process even if the Group Policy objects have not changed". This forces these policies to always be applied, regardless of whether the GPO settings have actually changed.

This makes any local changes get undone the next time Group Policy is refreshed in the background.

How To: Choose a VPN Auth Protocol

VPN, or Virtual Private Networking, services in Microsoft Windows support a number of authentication protocols such as EAP-TLS, MS-CHAPv2 and so on. Since the security of a VPN must be superior, you should choose the protocol that best matches your environment.

EAP-TLS assumes the use of smart cards, or that your network has a CA (certificate authority) issuing user certificates.

MS-CHAPv2 assumes a password-based authentication method, hence you will need to use Group Policy and other means to enforce strong passwords.

Less secure protocols such as MS-CHAP, CHAP, PAP and so on should only be used if backward compatibility must be provided. Proper monitoring is also advised in such cases, to prevent account compromise or at least to provide a means to detect such attempts as soon as possible.

Warning Signs of a Rogue DHCP Server

There may be more than one DHCP server in a network; care should be taken when setting up several DHCP servers, to prevent overlapping dynamic address pools and subsequent IP address conflicts.

The following can start happening if there are conflicts in the DHCP servers' settings:

  • workstations begin to lose their IP addresses and other settings (DNS, for example)
  • workstations report IP addresses conflicts
  • DHCP-related traffic grows significantly (UDP ports 67 and 68)

However, if you are sure your DHCP service is set up properly, the above may also be a sign of a rogue (unauthorized) DHCP server running within your network. The primary goal of such a server is providing false DNS addresses, thus redirecting connections to dangerous locations; possible consequences include virus and other malware distribution, which can be detected by the malware/antivirus scanners in your network.

The signs above should not be neglected; proper monitoring of the crucial resources and related traffic is also a good idea.
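An added Python example, not part of the original post, of the monitoring the post recommends: it scans a constructed one-line-per-message summary of DHCP traffic on UDP 67/68 (as a capture tool might export it) and flags offers from servers other than the authorized one, unapproved DNS addresses being handed out, and competing offers for the same transaction. The authorized server, the approved DNS list and every message are assumed values.

```python
"""Flag signs of a rogue DHCP server in DHCP traffic seen on UDP 67/68.

Constructed sample messages, not a real capture."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Hypothetical site policy: the only legitimate DHCP server and the DNS
# servers it is supposed to hand out.
AUTHORIZED_SERVERS = {"192.168.1.1"}
APPROVED_DNS = {"192.168.1.5", "192.168.1.6"}

# Constructed summary, one DHCP message per line: time, message type, key=value fields.
DHCP_SAMPLE = """\
10:00:01 DISCOVER xid=0x1a2b client=00:11:22:33:44:66
10:00:01 OFFER xid=0x1a2b server=192.168.1.1 client=00:11:22:33:44:66 ip=192.168.1.77 dns=192.168.1.5
10:00:01 OFFER xid=0x1a2b server=192.168.1.250 client=00:11:22:33:44:66 ip=192.168.1.77 dns=10.9.9.9
10:00:02 DISCOVER xid=0x77f0 client=00:11:22:33:44:88
10:00:02 OFFER xid=0x77f0 server=192.168.1.250 client=00:11:22:33:44:88 ip=192.168.1.78 dns=10.9.9.9
10:00:03 ACK xid=0x77f0 server=192.168.1.250 client=00:11:22:33:44:88 ip=192.168.1.78
"""

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<kind>[A-Z]+)\s*(?P<fields>.*)$")


def parse_message(line: str) -> Optional[Dict[str, str]]:
    """Turn one summary line into a dict; returns None for lines that don't parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return {"time": m["time"], "kind": m["kind"], **fields}


def analyse(text: str, authorized=AUTHORIZED_SERVERS, approved_dns=APPROVED_DNS) -> List[tuple]:
    """Return findings as (kind, detail, client_or_xid)."""
    findings = []
    offers_by_xid = defaultdict(set)   # transaction id -> servers that answered it
    for line in text.splitlines():
        msg = parse_message(line)
        if not msg or msg["kind"] not in ("OFFER", "ACK"):
            continue                     # only server-originated messages matter here
        server = msg.get("server", "?")
        if server not in authorized:
            findings.append(("ROGUE_SERVER", server, msg.get("client")))
        dns = msg.get("dns")
        if dns and dns not in approved_dns:
            # False DNS addresses are the usual payload of a rogue server.
            findings.append(("BAD_DNS", f"{server} handed out {dns}", msg.get("client")))
        if msg["kind"] == "OFFER":
            offers_by_xid[msg.get("xid", "?")].add(server)
    for xid, servers in offers_by_xid.items():
        if len(servers) > 1:
            # Competing offers are what workstations experience as address conflicts.
            findings.append(("COMPETING_OFFERS", ",".join(sorted(servers)), xid))
    return findings


def rogue_servers(text: str) -> set:
    """Distinct unauthorized server addresses seen answering clients."""
    return {detail for kind, detail, _ in analyse(text) if kind == "ROGUE_SERVER"}


if __name__ == "__main__":
    for finding in analyse(DHCP_SAMPLE):
        print(*finding)
```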

Changing the IP Address of a Server

Changing the IP address (or addresses) of a Windows computer, server or workstation, isn't a complex task, but the possible consequences are often overlooked.

If the computer is running a DNS server, you should change all the records associating the name of the server with the old IP address.

If the computer is running a DHCP server, make sure you are using the correct range, and that the new IP address is excluded from the dynamically leased addresses.

If processes or devices use the IP address to connect to the computer, it may be worth retaining the old address where possible, to make the switch smoother.

If connections are made by domain name, take into account that, unless it's an intranet (private) address, DNS propagation may take several days throughout the world (the typical range is 48-72 hours).

All these notes should be taken into account to prevent service disruption or any other disaster that can happen due to connectivity loss.

Dynamic Port Range in Windows Server 2008

The dynamic port range is the set of ports reserved by the operating system. This range is assigned by the Internet Assigned Numbers Authority (IANA). Applications should not hardcode any port in the dynamic port range(s). There was one such range prior to Windows Vista and Windows Server 2008; one more range has been added for those OS versions.

The default dynamic port range is 1024 through 5000 (for Windows 2003 and earlier types). For WIndows Vista and Windows Server 2008 the range 49152 through 65535 has also been reserved.

Netsh command-line utility may be used to view or change the dynamic port range.

To display the range, use the following command:

netsh int, [ipv4|ipv6] show dynamicport [udp|tcp]

To change the range, issue a command like

netsh int, [ipv4|ipv6] set dynamicport [tcp|udp] start=NNNNN num=MMMMM

The string in brackets, separated by vertical line mean 'use either of the string'.

Tips for Securing Your Wireless LAN

Making a wireless LAN a secure place requires an approach somewhat different from those used for wired LANs. This is especially important if you run a business and are preparing to deploy a wireless LAN. Unless you take measures to prevent eavesdropping, an attacker may intercept raw packets, analyze them to learn the structure of your traffic and, in the worst case, capture passwords and other confidential data.

Wireless LAN security is built in layers and thus can't be reduced to a few strict rules. The main idea is to eliminate unencrypted traffic entirely and be in full control of all the connections being established.

Certain pieces of advice include:

* Use WPA encryption: encryption is the only means of rendering sniffing (eavesdropping) useless. WEP encryption is not that hard to crack; thus you should use the more reliable WPA. Keep in mind that the most secure variant, WPA Enterprise, requires a RADIUS server.
* Enable MAC address filtering. It is essential to limit which devices are allowed to connect; whitelisting is the best approach. Even though a MAC address may be spoofed in certain cases, this layer of protection won't harm.
* Reduce outside coverage. Do not allow connections from areas well outside your facility, even if that's the parking lot of your building.
* Disable SSID broadcast. It won't keep a professional hacker off, but since hidden network names can't be picked up as easily, it grants a bit more protection as well.

Think of wireless security as multi-layered armor: the more layers you provide, the stronger the overall security.

Listening Ports And Services

At times it's necessary to learn what ports the current system is listening on and what service uses a given port.

The simplest approach is to open a command prompt and type
netstat -anb

It collects and prints information about the applications listening on ports; this kind of report is sufficient in the majority of cases.

If you need more details, the Port Reporter tool, available from the Microsoft site, may be what you need. The utility can provide the following information:

  • The ports that are used
  • The processes that use the port
  • Whether a process is a service
  • The modules that a process loaded
  • The user accounts that run a process
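To put the netstat -anb report to use, the following Python script (an added example, not code from the original post) parses saved output into a port-to-owner table, answers "what uses port N", and lists listeners reachable from other hosts that are missing from an assumed baseline. The sample output, its service names and the baseline are constructed.

```python
# Added example (not from the original post): turn saved `netstat -anb` output into a
# port-to-owner table and flag listeners exposed beyond loopback but absent from a baseline.
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TermService
 [svchost.exe]
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
 [unknownapp.exe]
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
 [postgres.exe]
  TCP    192.168.1.10:49211     192.168.1.20:445       ESTABLISHED
 [System]
  UDP    0.0.0.0:123            *:*
  W32Time
 [svchost.exe]
"""  # constructed sample in the shape Windows prints; the services are made up

EXPECTED = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 123)}  # assumed baseline


def parse_netstat(text):
    """One dict per socket: proto, host, port, state, service, exe (IPv4 form host:port)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            host, port = parts[1].rsplit(":", 1)
            records.append({"proto": parts[0], "host": host, "port": int(port),
                            "state": parts[3] if len(parts) > 3 else "",
                            "service": None, "exe": None})
        elif records and line.startswith("[") and line.endswith("]"):
            records[-1]["exe"] = line[1:-1]          # owning executable (-b)
        elif records and line and not line.startswith("Can not") \
                and records[-1]["exe"] is None:
            records[-1]["service"] = line            # service name precedes the exe
    return records


def listening(records):
    """Sockets that accept traffic: TCP in LISTENING state and every bound UDP socket."""
    return [r for r in records if r["proto"] == "UDP" or r["state"] == "LISTENING"]


def what_uses(records, port, proto="TCP"):
    """The section's question: which service and executable own a listening port."""
    match = [r for r in listening(records) if (r["proto"], r["port"]) == (proto, port)]
    return (match[0]["service"], match[0]["exe"]) if match else None


def unexpected_exposed(records, baseline):
    """Listeners not bound to loopback and not in the expected (proto, port) baseline."""
    return sorted((r["proto"], r["port"], r["exe"] or "unknown")
                  for r in listening(records)
                  if not r["host"].startswith("127.") and (r["proto"], r["port"]) not in baseline)


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    print(what_uses(recs, 3389), unexpected_exposed(recs, EXPECTED))
```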

Logging Windows Firewall Events

Blocking unwanted traffic is what the firewall is responsible for, yet its ability to log traffic events is often overlooked. Run the 'firewall.cpl' applet, choose the 'Advanced' tab and click 'Settings' under the Security Logging title.

There are several logging options. First, you can choose whether to log dropped packets (those stopped by the firewall), successful connections (allowed by the firewall), or both. You can also select where the log file should be located; this is useful if you prefer to store log files on a mapped network drive. Finally, you can specify the maximum size of the log file.

Keeping these log files can be of much use when there are attempts at unauthorized network access, other suspicious network activity or other problems that might be related to the firewall.
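Once the log exists, the value is in reading it. The following Python script is an added example, not part of the original post: it parses constructed pfirewall.log lines in the format the firewall writes and picks out dropped-packet counts per source, sources that swept many ports, and the connections that were allowed.

```python
# Added example (not from the original post): summarise a Windows Firewall log to surface
# dropped-traffic patterns. The log lines are constructed in the W3C extended format the
# firewall writes to pfirewall.log; the hosts and times are made up.
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-12-10 09:12:01 DROP TCP 192.168.1.50 192.168.1.10 51234 135 52 S 3011234 0 8192 - - - RECEIVE
2009-12-10 09:12:01 DROP TCP 192.168.1.50 192.168.1.10 51235 139 52 S 3011235 0 8192 - - - RECEIVE
2009-12-10 09:12:02 DROP TCP 192.168.1.50 192.168.1.10 51236 445 52 S 3011236 0 8192 - - - RECEIVE
2009-12-10 09:12:02 DROP TCP 192.168.1.50 192.168.1.10 51237 3389 52 S 3011237 0 8192 - - - RECEIVE
2009-12-10 09:12:03 DROP TCP 192.168.1.50 192.168.1.10 51238 1433 52 S 3011238 0 8192 - - - RECEIVE
2009-12-10 09:12:03 DROP TCP 192.168.1.50 192.168.1.10 51239 5900 52 S 3011239 0 8192 - - - RECEIVE
2009-12-10 09:13:10 DROP UDP 192.168.1.77 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2009-12-10 09:14:00 OPEN TCP 192.168.1.10 192.168.1.20 50001 445 - - - - - - - - -
2009-12-10 09:14:05 CLOSE TCP 192.168.1.10 192.168.1.20 50001 445 - - - - - - - - -
2009-12-10 09:15:00 DROP TCP 10.0.0.9 192.168.1.10 40000 22 52 S 77 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """One dict per entry, keyed by the column names in the #Fields header line."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            events.append(dict(zip(fields, line.split())))
    return events


def dropped_by_source(events):
    """How many packets the firewall dropped, per source address."""
    return Counter(e["src-ip"] for e in events if e["action"] == "DROP")


def probable_scanners(events, min_ports=5):
    """Sources whose dropped packets hit at least min_ports distinct destination
    ports in this log: the footprint of a port sweep against the host."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DROP" and e["dst-port"].isdigit():
            ports[e["src-ip"]].add(int(e["dst-port"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def allowed_connections(events):
    """Connections the firewall permitted (OPEN entries) as (src, dst, dst-port)."""
    return [(e["src-ip"], e["dst-ip"], int(e["dst-port"]))
            for e in events if e["action"] == "OPEN"]


if __name__ == "__main__":
    ev = parse_firewall_log(SAMPLE_LOG)
    print("Dropped per source:", dropped_by_source(ev).most_common())
    print("Probable port sweeps:", probable_scanners(ev))
    print("Allowed connections:", allowed_connections(ev))
```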

How To: Modify Logon Rights On Multiple Computers

"Log on locally" rights may be tedious to modify on a number of servers. A single command may be used to speed up the process.

The "Log On Locally" right allows users to log on locally at the server. By default, all users in the Active Directory forest are allowed to log on to any server except domain controllers: the local Users security group holds the "Allow log on locally" right on a server, and that group contains the Domain Users group.

If you have created a security group and wish to allow only its members to log on locally on specified servers, this can be done either manually or by using a script.

In the example below a group named "Remote Access" has been created, and only members of that security group are granted the right to log on to the selected servers. Put the names of the servers in a text file, say 'servers.txt', one per line, and run the following command (at a command prompt):

For /F "Tokens=*" %a in (servers.txt) Do ntrights.exe -m \\%a -u "MYDOMAIN\Remote Access" +r SeInteractiveLogonRight

The command above assigns the "log on locally" right to members of the "Remote Access" group of the domain MYDOMAIN on the servers listed in servers.txt.

How To Change The Backup Interval Of DHCP Database

This article is dedicated to the Windows Server 2008 means of tuning DHCP parameters.

It is important to remind you that any direct registry changes should only be performed with great care, to prevent irreparable damage to the system.

The DHCP database in Windows Server 2008 can be backed up in three ways:
  • synchronous backups (the ones discussed here), whose settings are stored in the Windows registry
  • asynchronous backups (those initiated from the DHCP console)
  • Windows backups (performed using wbadmin.msc in Windows Server 2008)

The default is to back up the DHCP database once an hour. To change that, modify the following registry value:
Key: HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
Name: BackupInterval

The value is the number of minutes between backups.

Importing/Exporting Wireless Profiles in Vista/Server 2008

Every aspect of system settings needs to be storable and backed up, for cases when quick system restoration in unattended mode is required.

The netsh command-line utility can be used to import and export wireless network profiles. This eliminates manual creation of the profiles, especially when you need to replicate an existing configuration. The technique works in Windows Server 2008 and Vista.

To view the profile names, issue the following command:

netsh wlan show profiles

To export a profile to a file:

netsh wlan export profile folder="PATH\TO\STORAGE" name=PROFILENAME

To import a saved profile, run a command like:

netsh wlan add profile filename="PATH\TO\PROFILE\filename.xml"

Enabling and Using Wireless Tracing

Wi-Fi connection setup and/or maintenance may be quite tricky; it can be hard to determine the exact reason for a connection failure. On Windows Server 2008 or Vista you can use the powerful command-line tool netsh to provide a lot of related information.

netsh can be used in so-called tracing mode, in which it creates a detailed report on what the connection is doing. To manage tracing, use the following command line:

netsh wlan set tracing mode={yes|no|persistent}

Once tracing is complete, the report is placed in %WINDOWSROOT%\tracing\wireless, where it can be viewed with Windows Performance Monitor.

A note of warning: 'persistent' tracing means the tracing must be stopped manually using the 'no' parameter.

If the 'yes' parameter was used, tracing is automatically turned off after a system reboot.

How To: Allow DSRM Account To Log On Normally

The Directory Services Restore Mode (DSRM) Administrator could previously only log on to a domain controller while DSRM was in effect. Windows Server 2008 adds a feature that controls the way the DSRM Administrator may log on. To change the default behavior, use the registry editor to enter the value mentioned below. Keep in mind that any registry change may render your system non-functional if applied incorrectly.

Key: HKLM\System\CurrentControlSet\Control\Lsa
Name: DsrmAdminLogonBehavior
Entry type: REG_DWORD
Value: 0, 1 or 2

where

0 forces the DSRM Administrator to log on only in DSRM. This is the default behavior.
1 means the DSRM Administrator can log on when the NTDS service is stopped.
2 means the DSRM Administrator can log on to the domain controller at any time.

Until the release of Windows Server 2008, many security-related tasks had to be performed manually or mostly manually, repeated on every computer they applied to. Windows Server 2008 Group Policy provides more flexibility in solving such recurring tasks. One of these is managing the local administrator account on domain workstations.

Previously, you would have used scripting to perform such a task on a number of workstations. Now it can be done much more easily.

Local administrator settings can be accessed when configuring a new GPO (browse Computer Configuration, Preferences, Control Panel). Right-click Local Users and Groups and click New - Local User. Now select Update from the Action drop-down box and type Administrator as the user name. At this point you can change its password, rename the account or disable it.

This section of Group Policy can be used to handle any user account on your domain workstations. It is all done by the simple act of applying the policy.

Securing Windows images


When making use of customized Windows images, security must be provided to prevent unauthorized access to sensitive, proprietary or otherwise restricted information.

If Windows Deployment Services is used, the following steps are advised.

  1. Create a security group; give it a name indicating that its members are allowed to install images from your Windows Deployment Services.

  2. In the Windows Deployment Services console, select your WDS server, open the Install Images node, right-click an Image Group and choose Properties.

  3. On the Security tab, make sure you grant Read and Execute permissions to the group just mentioned and revoke all rights for all other users except SYSTEM and the Administrators group. Do the same for all Image Groups.

The settings applied to Image Groups are automatically propagated to every single image within these groups.

You can also secure images individually.

How to: Remove Cached 802.1X/PEAP Login Information In Windows Vista


Although memorizing login credentials is convenient, it creates a security risk. It is often necessary to purge all the stored credentials to make sure they are not used by unauthorized third parties.

Login credentials used by 802.1X authentication can be purged in exactly the same way they are cleared in Windows XP. Vista offers a more convenient means, especially in the case of multiple users: all you have to do is uncheck a checkbox in the network's Properties dialog.

The steps are:

1) Right-click the Network and Sharing Center icon and open Network and Sharing Center.

2) Click the Manage Wireless Networks link (see Tasks on the left).

3) Select a network, double-click it and choose the Security tab in its Properties window.

4) Uncheck "Cache User Information for Subsequent Connections" and click OK to save.

How To: Firewall Commands In Server Core


There are no GUI tools in Server Core for firewall tasks; all of them can be handled with the netsh command-line utility. To start, enter the Advanced Firewall context of netsh by using the command

NetSH ADVFirewall

Use the 'help' command in any context to get the list of available (sub)commands.

Three firewall profiles are configured in Windows Vista and Windows Server 2008. To get information on all of them, run this:

NetSH ADVFirewall Show Allprofiles

The State column of the output displays the profile state (on or off).

To enable all the profiles, use the command

NetSH ADVFirewall Set Allprofiles State on

(use 'off' to turn them all off).

To restore the default firewall policy for all profiles (block inbound, allow outbound), run the command

NetSH ADVFirewall Set Allprofiles FirewallPolicy BlockInbound,AllowOutbound

To switch a single feature on or off, use the 'Settings' modifier to specify what is to change, e.g.

NetSH ADVFirewall Set AllProfiles Settings remotemanagement {enable|disable}

will change the state of the Remote Management setting.

Switch Off Internet Explorer Enhanced Security In Windows Server 2008


The Internet Explorer Enhanced Security Configuration can become a nuisance and may be effectively unnecessary under certain circumstances.

The master switches for IE ESC are stored in the Windows registry. Follow the steps below to disable it. Note that any registry modification can result in irreparable damage to your system. You can either make the changes manually or run a script via Group Policy to affect a number of computers in your network.

The steps are:

1) Set the following value to zero (0):

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}

Name: IsInstalled, set it to 0.

2) Issue the following commands from a command prompt. Administrator privileges are required.

Rundll32 iesetup.dll, IEHardenLMSettings

Rundll32 iesetup.dll, IEHardenAdmin

3) Delete the following key:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}

All of this can be done either manually or by using a script.

Block Users from Seeing or Connecting to Other Wi-Fi Networks


netsh is a powerful utility that can perform a number of useful administrative tasks. You can use it to prevent users from accessing other Wi-Fi networks, thus hardening security: an unauthorized connection to such a network can result in an uncontrolled data leak.

The technique described works in Windows Server 2008 and Vista. To see the list of enabled filters, run the following command:

netsh wlan show filters

You can block an unwanted connection to an outside network by creating a filter; the syntax is:

netsh wlan add filter permission={allow|block|denyall} ssid=NETWORKNAME networktype={infrastructure|adhoc}

The 'denyall' value doesn't require an ssid parameter. It blocks all infrastructure or ad hoc networks while retaining the ability to connect to networks that have explicitly been allowed.

To remove an existing filter, run this:

netsh wlan delete filter permission={allow|block|denyall} ssid=NETWORKNAME networktype={infrastructure|adhoc}

(just use the same parameters as when creating the filter).

Finally, to either hide or display the blocked networks in the Connect to a Network dialog, run this:

netsh wlan set blockednetworks display={show|hide}

The 'hide' value is the most useful in most cases.

Enabling Recycle Bin for network resources

When you use network resources, deleted files are deleted at once and permanently, without being placed in a Recycle Bin.

There is no default support for such a facility on network shares and certain kinds of removable media (e.g. flash cards). This makes any deletion operation quite dangerous and can cause data loss through accidental deletion.

There are no direct ways to create a Recycle Bin replacement, but third-party tools such as the Undelete utility from Diskeeper Corporation can be used instead.

With Undelete installed, deleted files on both network devices and certain removable media (flash cards, for example) are protected from actual deletion. This can be used along with other means of protecting data on remote media, thus preventing significant data loss when files are accessed from another computer. Consider also using backup services to create actual backups of all the important data.

Authorizing a DHCP server using Netsh


You can use the netsh command to authorize a DHCP server from the command line. It's also possible to remove a previously authorized DHCP server from the network via the command line.

This technique may be useful in certain cases, for example when you perform maintenance work and the regular DHCP server must go offline for a while. Authorizing another server lets you set up a backup DHCP service quickly (the procedure for loading the current DHCP configuration is not described here in detail).

To authorize a DHCP server named backup-dhcp-05 with address 10.50.12.1 in the EXAMPLE domain, use the following command:

netsh dhcp add server backup-dhcp-05.example.com 10.50.12.1

To make sure the changes are in effect, use the following command:

netsh dhcp show server

To remove the server afterwards, use the following command:

netsh dhcp delete server backup-dhcp-05.example.com 10.50.12.1

Please note that all DHCP servers should have proper domain authorization before they start to run. Make sure you have run a command like

netsh dhcp server 10.50.12.1 set dnscredentials username domain password

where username, domain and password must be replaced with the actual domain user name, domain name and current password of the account the DHCP server runs as.

Creating and managing DHCP scopes using Netsh


A DHCP server offers flexible means to control the way it provides IP addresses and other information. All the major options may be changed on the fly using tools such as the netsh utility.

A DHCP scope is a pool (set) of IP addresses that a DHCP server may lease when requested. Scopes can be created from the command line, thus offering an automated means of manipulating them.

For example, the following command

netsh dhcp server add scope 10.50.12.0 255.255.255.0 "Building One"

will create a scope with network ID 10.50.12.0 and subnet mask 255.255.255.0.

The subsequent command

netsh dhcp server scope 10.50.12.0 add iprange 10.50.12.50 10.50.12.100

will create a range of dynamic IP addresses within the specified scope.

To exclude certain addresses from that dynamic pool, use a command like

netsh dhcp server scope 10.50.12.0 add excluderange 10.50.12.75 10.50.12.80

The above command excludes six addresses (10.50.12.75 through 10.50.12.80) from dynamic assignment.

You can create a static address assignment (reservation) for a specific MAC address using a command like

netsh dhcp server scope 10.50.12.0 add reservedip 10.50.12.99 6E7A55109F0B

Similarly, the above records may be deleted with 'del' subcommand.
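Before issuing the commands above, it is worth checking that the scope, ranges and reservations are consistent with each other. The following Python script is an added example, not from the original post; PLAN mirrors the "Building One" commands, with the subnet mask taken as 255.255.255.0, the one that matches network ID 10.50.12.0 and the address ranges.

```python
# Added example (not from the original post): sanity-check a planned DHCP scope before
# issuing the netsh commands above. PLAN mirrors the "Building One" commands, with the
# subnet mask taken as 255.255.255.0, the one consistent with network ID 10.50.12.0.
import ipaddress

PLAN = {
    "network_id": "10.50.12.0", "mask": "255.255.255.0",
    "ipranges": [("10.50.12.50", "10.50.12.100")],
    "excluderanges": [("10.50.12.75", "10.50.12.80")],
    "reservations": [("10.50.12.99", "6E7A55109F0B")],
}

HEX = set("0123456789abcdefABCDEF")


def _addrs(start, end):
    """All addresses from start to end inclusive, as integers."""
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    return set(range(lo, hi + 1))


def validate_scope(network_id, mask, ipranges, excluderanges, reservations):
    """Return a list of problems; an empty list means the plan is internally consistent."""
    try:
        # strict=True rejects a network ID with host bits set, e.g. 10.50.12.0/255.255.0.0
        scope = ipaddress.ip_network(f"{network_id}/{mask}", strict=True)
    except ValueError as exc:
        return [f"scope: {exc}"]
    problems = []
    for kind, ranges in (("iprange", ipranges), ("excluderange", excluderanges)):
        for start, end in ranges:
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if lo > hi:
                problems.append(f"{kind} {start}-{end}: start is after end")
            elif lo not in scope or hi not in scope:
                problems.append(f"{kind} {start}-{end}: outside scope {scope}")
    for ip, mac in reservations:
        if ipaddress.ip_address(ip) not in scope:
            problems.append(f"reservation {ip}: outside scope {scope}")
        digits = mac.replace("-", "").replace(":", "")  # accept bare or delimited MAC notation
        if len(digits) != 12 or not set(digits) <= HEX:
            problems.append(f"reservation {ip}: MAC {mac!r} is not 12 hex digits")
    return problems


def dynamic_pool_size(ipranges, excluderanges, reservations):
    """Addresses left for dynamic leasing: the ranges minus exclusions and reserved IPs."""
    pool = set().union(*(_addrs(s, e) for s, e in ipranges))
    for s, e in excluderanges:
        pool -= _addrs(s, e)
    pool -= {int(ipaddress.ip_address(ip)) for ip, _ in reservations}
    return len(pool)


if __name__ == "__main__":
    print(validate_scope(**PLAN) or "plan is consistent")
    print("addresses for dynamic lease:",
          dynamic_pool_size(PLAN["ipranges"], PLAN["excluderanges"], PLAN["reservations"]))
```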


About this Archive

This page is an archive of entries from December 2009 listed from newest to oldest.
