Microsoft's recommendation is to have your roaming clients get their updates from an internet-facing WSUS server if they normally do not connect to your network. If you have users who are about to depart for an extended period, it may be beneficial to have an alternate GPO that changes the WSUS server they use from the internal WSUS server to the one facing the internet in your DMZ. Just make sure the machines actually receive the changed GPO before they leave, and publish the DMZ server over HTTPS so a client on a hostile network cannot be steered to a rogue update source. When they return, remove the alternate GPO and let the primary location take over.
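The pre-departure check described above, as an added example (not from the original post): it reads the policy keys that the Specify intranet Microsoft update service location setting writes and reports whether the client is pointed at the expected internet-facing server over HTTPS. The expected URL is an assumption; 8531 is the default WSUS SSL port.

```powershell
# Added example, not from the original post: confirm which WSUS server a client is
# currently pointed at and whether that matches the internet-facing server the
# "departing" GPO should have delivered. The expected URL below is an assumption.

function Get-WsusClientConfig {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $policy 'AU') -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        UseWUServer    = [bool]($au -and $au.UseWUServer -eq 1)   # 0/absent: client ignores WUServer
        WUServer       = "$($wu.WUServer)"
        WUStatusServer = "$($wu.WUStatusServer)"
    }
}

function Test-WsusClientConfig {
    param([Parameter(Mandatory=$true)][string]$ExpectedServer)
    $cfg = Get-WsusClientConfig
    $problems = @()
    if (-not $cfg.UseWUServer) {
        $problems += 'UseWUServer is not 1, so the client ignores WUServer and goes to Microsoft Update'
    }
    if ($cfg.WUServer -ne $ExpectedServer) {
        $problems += "WUServer is '$($cfg.WUServer)', expected '$ExpectedServer'"
    }
    if ($cfg.WUServer -notmatch '^https://') {
        $problems += 'WUServer is not HTTPS; an internet-facing WSUS server should only be reached over SSL'
    }
    if ($cfg.WUServer -ne $cfg.WUStatusServer) {
        $problems += 'WUServer and WUStatusServer differ; status reports will go to a different server'
    }
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Server   = $cfg.WUServer
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Before the laptop leaves: gpupdate /force, then confirm it picked up the DMZ server.
Test-WsusClientConfig -ExpectedServer 'https://wsus-dmz.example.com:8531' | Format-List
```

Run gpupdate /force on the client first; if Ready is still false, gpresult /r will tell you whether the alternate GPO was applied at all.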
Monday, August 30, 2010
Friday, August 27, 2010
Unfortunately, you cannot choose which notifications pop up using Group Policy. You can, however, prevent them from popping up altogether. Configure a Group Policy with the following setting:
User Configuration / Policies / Administrative Templates / Start Menu and Task Bar
Set Hide the notification area to Enabled. Only the Start button, taskbar buttons, custom toolbars, and system clock will be displayed, and the pop-ups will be gone. On Windows 7 the same node also has a less drastic Turn off all balloon notifications setting that leaves the tray icons in place.
Wednesday, August 25, 2010
How to prevent a user from using the Sticky Keys shortcut to expose a command prompt without logging in.
First off, several things would have to fail before this vulnerability is exposed: replacing the accessibility helper that the logon screen launches requires administrative rights on the box or offline access to its disk. The organization in question would not be following the Defense-in-Depth concept that we discussed in an earlier post below. In particular, the first layer, "Policies, Procedures, & Awareness", would not be followed.
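A detection for the backdoor the post describes, as an added example (not from the original post): the logon screen launches accessibility helpers such as sethc.exe with SYSTEM rights, so an attacker who has already gained admin or offline disk access either overwrites one of them with a copy of cmd.exe or points an Image File Execution Options "Debugger" value at cmd.exe. The script checks for both. It is written for PowerShell 2.0 so it runs on Server 2008; run it elevated.

```powershell
# Added example, not from the original post: look for the "sticky keys" backdoor on
# the accessibility helpers the logon screen can launch. A hit means the controls
# that should have prevented admin/offline access to System32 already failed.

$AccessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe',
                         'narrator.exe', 'displayswitch.exe', 'atbroker.exe'

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ([BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Path)))) -replace '-', '' }
    finally { $sha.Clear() }
}

function Test-AccessibilityBackdoor {
    param([string]$System32 = (Join-Path $env:SystemRoot 'System32'))
    $ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $cmdHash = Get-Sha256Hex (Join-Path $System32 'cmd.exe')

    foreach ($name in $AccessibilityBinaries) {
        $path   = Join-Path $System32 $name
        $status = 'ok'; $detail = ''

        if (-not (Test-Path $path)) {
            $status = 'missing'
        } else {
            $desc = (Get-Item $path).VersionInfo.FileDescription
            if ((Get-Sha256Hex $path) -eq $cmdHash) {
                $status = 'replaced'; $detail = 'file hash matches cmd.exe'
            } elseif ($desc -like '*Command Processor*') {
                # an older or patched copy of cmd.exe: the hash differs but the version resource gives it away
                $status = 'replaced'; $detail = "FileDescription is '$desc'"
            }
        }

        # The IFEO variant leaves the file intact and tells the loader to run the "debugger" instead.
        $dbg = Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger -ErrorAction SilentlyContinue
        if ($dbg -and $dbg.Debugger) {
            $status = 'ifeo-hijack'; $detail = "Debugger = $($dbg.Debugger)"
        }

        New-Object PSObject -Property @{ Binary = $name; Status = $status; Detail = $detail }
    }
}

Test-AccessibilityBackdoor | Format-Table Binary, Status, Detail -AutoSize
```

For an authoritative answer on a single file, sfc /verifyfile=%windir%\system32\sethc.exe checks it against the protected copy. The preventive controls are the ones the post alludes to: no unnecessary local administrators, full-disk encryption, and a firmware password with a locked boot order so the disk cannot be edited offline.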
Monday, August 23, 2010
On a standard installation of Windows Server 2008, you can easily add users to the Remote Desktop Users group to allow them to access the server with Remote Desktop. In Server Core you do not get the GUI to work with. You have two options for adding users: the command line and Group Policy.
Command Line option:
Log into Server Core
To see a list of users currently in the Remote Desktop Users group, type: net localgroup "Remote Desktop Users"
To add a user, type: net localgroup "Remote Desktop Users" <domain>\<username> /add
Group Policy Option:
The command line option works well if you are only setting it for one or two servers. For many servers, Group Policy is the option of choice; in particular, we are going to look at the Restricted Groups policy.
For this to work, make sure this policy applies only to your Server Core machines, or to other systems that you want this setting to apply to.
Open Group Policy Management
Create a GPO and give it the name of your choice.
Edit the policy.
Expand Computer Configuration \ Windows Settings \ Security Settings \ Restricted Groups.
Right-click Restricted Groups and select Add Group.
Type Remote Desktop Users and click Check Names.
Click OK. You should see the window below.
In the Members of this Group section, click Add.
Add the users or groups that you want to ensure are members of the Remote Desktop Users group. Click Browse if you need help finding them.
Note that Members of this group is enforced exactly: at every policy refresh the local group is set to this list and any other account is removed. To add or remove members later, edit the list in this Group Policy rather than the local group. (The other list, This group is a member of, only adds the group to other groups and removes nothing.)
Make sure you link the Group Policy to the OUs that hold the computer accounts of the Server Core machines.
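A drift check for the membership that the Restricted Groups policy above is meant to enforce, as an added example (not from the original post). It parses net.exe output, so it works on Server Core 2008 where Get-LocalGroupMember does not exist. The names in $Expected are assumptions; use the ones you typed into the GPO.

```powershell
# Added example, not from the original post: compare the actual "Remote Desktop Users"
# membership on this host with the list the Restricted Groups policy should enforce.

function Get-NetLocalGroupMember {
    param([string]$Group = 'Remote Desktop Users')
    $output = & net.exe localgroup "$Group"
    if ($LASTEXITCODE -ne 0) { throw "net localgroup '$Group' failed with exit code $LASTEXITCODE" }
    $inMembers = $false
    foreach ($line in $output) {
        if ($line -match '^-{10,}') { $inMembers = $true; continue }   # dashed rule precedes the members
        if ($line -match '^The command completed') { break }
        if ($inMembers -and $line.Trim()) { $line.Trim() }              # e.g. CONTOSO\RDP-Admins
    }
}

function Compare-RestrictedGroupMembership {
    param(
        [string[]]$Expected,
        [string]$Group = 'Remote Desktop Users'
    )
    $actual = @(Get-NetLocalGroupMember -Group $Group)
    # Compare-Object is case-insensitive for strings, matching how Windows treats account names.
    $diff = Compare-Object -ReferenceObject $Expected -DifferenceObject $actual
    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        Group      = $Group
        Missing    = @($diff | Where-Object { $_.SideIndicator -eq '<=' } | ForEach-Object { $_.InputObject })
        Unexpected = @($diff | Where-Object { $_.SideIndicator -eq '=>' } | ForEach-Object { $_.InputObject })
        InPolicy   = (-not $diff)
    }
}

$Expected = 'CONTOSO\RDP-Admins', 'CONTOSO\Helpdesk'   # assumed; mirror the list in the GPO
Compare-RestrictedGroupMembership -Expected $Expected | Format-List
```

Anything listed under Unexpected would be removed at the next policy refresh if the GPO were applying; if it persists, gpresult /r on the server will show whether the GPO is actually linked and filtered to that computer.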
Friday, August 20, 2010
- DNS resolver cache (which includes the HOSTS file)
- DNS server
- NetBIOS name cache
- WINS server
- Broadcast on the local subnet
- LMHOSTS file
Essentially the client tries its local resources first (with the exception of the LMHOSTS file). It looks at its DNS resolver cache, which also contains the contents of the HOSTS file. Next it uses the more desirable network resource, DNS; since DNS is a requirement for an Active Directory network, it should be available. Next it turns to the NetBIOS resources: first its NetBIOS name cache, then the WINS server. These flat names for network resources are still supported, but on their way out. Next a broadcast is made across the local subnet. Finally, it looks at any static entries in the LMHOSTS file, which holds flat-name mappings like WINS does. Because any host on the subnet can answer a broadcast, a name that falls through to that step can be answered by an attacker, so keep every name you depend on resolvable through DNS.
Wednesday, August 18, 2010
Can a batch file containing the command "command" or "cmd" launch a command prompt even if the command prompt is blocked by GPO?
Tuesday, August 17, 2010
WinRM (Windows Remote Management) is intended to improve your ability to manage hardware and systems across a network; you can use it to collect data from remote computers. To use WinRM you normally run winrm quickconfig on each client. If you do not want to visit each client, you can turn on the WinRM listeners through Group Policy instead.
Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Remote Management (WinRM) / WinRM Service
The setting that creates the standard listener is Allow automatic configuration of listeners; set its IPv4 and IPv6 filters to the addresses the service should listen on (* for all). Depending on which port you need, you can also enable Turn On Compatibility HTTP Listener (port 80) and Turn On Compatibility HTTPS Listener (port 443); these exist for backward compatibility only. WinRM 2.0 uses port 5985 for HTTP and 5986 for HTTPS. The policy only creates the listener: also set the Windows Remote Management (WS-Management) service to start automatically and enable the Windows Remote Management (HTTP-In) firewall rule, which is what winrm quickconfig would have done for you.
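A way to see what listeners a host actually ended up with after the policy applied, as an added example (not from the original post). It parses the text output of winrm enumerate winrm/config/listener (WinRM 2.0) and flags anything that is not HTTPS on 5986, using the port expectations from the post; it changes nothing.

```powershell
# Added example, not from the original post: list this host's WinRM listeners and give
# each one a verdict. Parses "winrm enumerate winrm/config/listener" output, which is
# a series of "Listener" blocks with indented "Key = value" lines.

function Get-WinRMListener {
    $listeners = @()
    $current   = $null
    foreach ($line in (& winrm enumerate winrm/config/listener)) {
        if ($line -match '^Listener\b') {
            # each block starts with a bare "Listener" line; flush the previous one
            if ($current) { $listeners += New-Object PSObject -Property $current }
            $current = @{ Address = ''; Transport = ''; Port = ''; Enabled = ''; CertificateThumbprint = '' }
        } elseif ($current -and $line -match '^\s+(\w+)\s*=\s*(.*)$') {
            $key = $matches[1]; $value = $matches[2].Trim()
            if ($current.ContainsKey($key)) { $current[$key] = $value }
        }
    }
    if ($current) { $listeners += New-Object PSObject -Property $current }
    $listeners
}

function Test-WinRMListener {
    foreach ($l in Get-WinRMListener) {
        $verdict = switch ($l.Transport) {
            'HTTPS' {
                if ($l.CertificateThumbprint) { 'ok' } else { 'HTTPS listener has no certificate bound' }
            }
            'HTTP' {
                if ($l.Port -eq '5985') { 'HTTP: acceptable with Kerberos on the LAN; keep AllowUnencrypted=false and Basic auth off' }
                else                    { "compatibility HTTP listener on port $($l.Port); remove it unless a legacy client needs it" }
            }
            default { 'unknown transport' }
        }
        New-Object PSObject -Property @{
            Address = $l.Address; Transport = $l.Transport; Port = $l.Port; Enabled = $l.Enabled; Verdict = $verdict
        }
    }
}

Test-WinRMListener | Format-Table Address, Transport, Port, Enabled, Verdict -AutoSize
```

With Kerberos or Negotiate authentication the SOAP payload is encrypted even over the HTTP listener; the settings that would undo that (AllowUnencrypted and Basic) are visible with winrm get winrm/config/service.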
Monday, August 16, 2010
Windows Server 2008 gives you 30 days to activate the OS. If you change hardware on the physical server, Windows may require re-activation, and you get a 3-day grace period for that. For evaluation copies, the grace period is 60 days. You can re-arm the grace period by following the procedure below. The number of re-arms is limited; slmgr.vbs -dlv shows how many remain.
1. Click Start, and then open a Command Prompt as an administrator.
2. Type slmgr.vbs -dli, and then press ENTER to check the current status of your grace period.
3. To reset the grace period, type slmgr.vbs -rearm, and then press ENTER.
4. Restart the computer.
Friday, August 13, 2010
The Active Directory Recycle Bin is the newest and most reliable way of restoring deleted objects to Active Directory. In the past you could perform an authoritative restore of the object; the big problem there is that you had to take a domain controller offline (restart it in Directory Services Restore Mode) to do it. You could also reanimate tombstoned objects. When you delete an object from Active Directory it is tombstoned: it is no longer available for normal Active Directory operations and nearly all of its attributes are stripped. Recovering such an object meant manually re-applying attributes like group membership.
With the AD Recycle Bin you have up to 180 days (the deleted object lifetime) to bring the object back with its attributes and links intact. For many, the drawback is going to be the requirement that all domain controllers run Windows Server 2008 R2 and that the forest functional level be Windows Server 2008 R2. Enabling the feature is also a one-way change; it cannot be turned off afterwards.
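The recovery the post describes, as an added example (not from the original post): check that the Recycle Bin is enabled, list what is currently recoverable, and restore one object into its last known parent. It needs the ActiveDirectory module (a 2008 R2 domain controller or RSAT); the account name used in the usage line is an assumption.

```powershell
# Added example, not from the original post: find and restore objects through the
# AD Recycle Bin. Deleted objects keep their attributes but are renamed
# "<name>\0ADEL:<guid>" and moved to the Deleted Objects container.

Import-Module ActiveDirectory

function Test-ADRecycleBin {
    # EnabledScopes stays empty until the feature is enabled (which is irreversible).
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    return [bool]($feature -and $feature.EnabledScopes.Count -gt 0)
}

function Get-ADDeletedObject {
    param([string]$NameLike = '*')
    # -IncludeDeletedObjects is what makes tombstoned/recycled objects visible to the search.
    $filter = 'isDeleted -eq $true -and name -ne "Deleted Objects" -and name -like "' + $NameLike + '"'
    Get-ADObject -Filter $filter -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Select-Object Name, ObjectClass, ObjectGUID, lastKnownParent, whenChanged
}

function Restore-ADDeletedObject {
    param(
        [Parameter(Mandatory=$true)][guid]$ObjectGuid,
        [string]$TargetPath     # only needed when lastKnownParent was deleted as well
    )
    if (-not (Test-ADRecycleBin)) { throw 'The AD Recycle Bin is not enabled in this forest' }
    $params = @{ Identity = $ObjectGuid }
    if ($TargetPath) { $params.TargetPath = $TargetPath }
    Restore-ADObject @params
}

# Usage: locate the deleted account by its original name, then restore it by GUID.
# If its OU was deleted too, restore the OU first (or pass -TargetPath).
Get-ADDeletedObject -NameLike 'jsmith*'
# Restore-ADDeletedObject -ObjectGuid '<ObjectGUID from the listing above>'
```

Restoring a container restores only the container; its former children must each be restored afterwards, which is why the listing shows lastKnownParent.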
Wednesday, August 11, 2010
The answer is yes.
An RODC (Read Only Domain Controller) is Microsoft's solution for a branch office or any other location where the physical security of the server is questionable. It holds a read-only copy of Active Directory and DNS and, by default, caches no account passwords; the Password Replication Policy decides which accounts may be cached there. Should the server be stolen, only those cached passwords need to be changed (deleting the RODC's computer account from Active Directory offers to reset them for you). An RODC also has its own krbtgt account, so the tickets it issues are not trusted by the writable domain controllers; a stolen RODC therefore cannot be used to forge Kerberos tickets against the rest of the domain.
The Global Catalog (GC) holds a partial replica of every object in the forest. In a single-domain environment, every domain controller is aware of all objects in Active Directory; you can search for users, computers, printers, etc. The problem arises in a multi-domain environment, where a domain controller only holds the full objects of its own domain. To mitigate this, domain controllers can also be Global Catalog servers. For objects from other domains a GC holds only the attributes that are normally searched for (the partial attribute set). In a multi-domain environment it is recommended to make every domain controller a Global Catalog server as well.
With respect to the question, the GC on an RODC holds no secrets should the server be stolen; password hashes are never part of the partial attribute set. It holds only a record of the objects and which domain they are stored in.
Monday, August 9, 2010
Since Server Core does not have a GUI, you need to manage it from the command line. To help with this, Microsoft included a script to configure certain settings. Windows Server 2008 has two separate modes for remote access depending on the client you will be using. For Windows XP/2003 we have the tried and true version of Remote Desktop. For Vista and Windows 7 we have the Network Level Authentication (NLA) version, which authenticates the user before a session and logon screen are created, for a more secure terminal session. On a full installation you would set the desired level on the Remote tab of the System Properties page, as seen below.
Since this is not an option in Server Core, we use the SCRegEdit.wsf script that is included with it. Notice the additional step if you are using an XP or 2003 client to establish the connection: /cs 0 turns off the NLA requirement for every client, so set it back with /cs 1 once the legacy clients are gone. Either switch accepts /v to display the current value.
Enable Remote Desktop for Administrators
· Enable Remote Desktop from Windows Vista/2008:
  cscript %windir%\system32\SCRegEdit.wsf /ar 0
· Enable Remote Desktop from Windows XP/2003 and earlier:
  cscript %windir%\system32\SCRegEdit.wsf /ar 0
  cscript %windir%\system32\SCRegEdit.wsf /cs 0
Friday, August 6, 2010
Public folders are a common way people exchange information in an Exchange environment. Even though the GUI is simple to use, you may need to create or work with public folders in bulk. The example below creates a public folder using the PowerShell cmdlet New-PublicFolder.
We are going to create a new public folder called HR on the server Exch04.
· On your Exchange 2010 server, open the Exchange Management Shell.
· Type New-PublicFolder -Name HR -Server Exch04
If you check the Public Folder Management Console (found under Toolbox in the Exchange Management Console), you will see your new public folder.
For a complete description of the New-PublicFolder cmdlet, type Get-Help New-PublicFolder -Full in your Exchange Management Shell.
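The bulk case the post mentions, as an added example (not from the original post): create a small tree of public folders from a list, skip any that already exist, grant an owning group rights on each, and then report folders where Default or Anonymous can do more than read. Run it in the Exchange Management Shell. The server name, folder paths and group names are assumptions for the demonstration; a CSV with the same columns would do.

```powershell
# Added example, not from the original post: create public folders in bulk and audit
# the Default/Anonymous permissions afterwards. Names below are assumptions.

$Server  = 'Exch04'
$Folders = @(                                    # parents listed before their children
    @{ Path = '\HR';          Owner = 'HR-Staff' },
    @{ Path = '\HR\Policies'; Owner = 'HR-Staff' },
    @{ Path = '\Finance';     Owner = 'Finance-Staff' }
)

function New-PublicFolderTree {
    param([hashtable[]]$Folders, [string]$Server)
    foreach ($f in $Folders) {
        $parent = Split-Path $f.Path -Parent
        if (-not $parent) { $parent = '\' }          # top-level folders hang off the root
        $name = Split-Path $f.Path -Leaf

        if (Get-PublicFolder -Identity $f.Path -Server $Server -ErrorAction SilentlyContinue) {
            Write-Host "exists, skipping: $($f.Path)"
            continue
        }
        New-PublicFolder -Name $name -Path $parent -Server $Server | Out-Null
        Add-PublicFolderClientPermission -Identity $f.Path -User $f.Owner -AccessRights Owner -Server $Server | Out-Null
        Write-Host "created: $($f.Path) (owner: $($f.Owner))"
    }
}

# Public folders are easily over-shared: list any where Default or Anonymous has
# rights beyond None/Reviewer (i.e. can create, edit or delete items).
function Get-PublicFolderOpenAccess {
    param([string]$Root = '\', [string]$Server)
    Get-PublicFolder -Identity $Root -Recurse -Server $Server |
        Get-PublicFolderClientPermission -Server $Server |
        Where-Object {
            ("$($_.User)" -eq 'Default' -or "$($_.User)" -eq 'Anonymous') -and
            (@($_.AccessRights | ForEach-Object { "$_" }) -notmatch '^(None|Reviewer)$')
        } | Select-Object Identity, User, AccessRights
}

New-PublicFolderTree -Folders $Folders -Server $Server
Get-PublicFolderOpenAccess -Root '\' -Server $Server | Format-Table -AutoSize
```

Get-PublicFolderClientPermission on the new folder shows the inherited Default and Anonymous entries; tighten those with Set-PublicFolderClientPermission rather than relying on the group grant alone.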
Wednesday, August 4, 2010
Tuesday, August 3, 2010
6420: Fundamentals of Windows Server 2008 Network and Applications Infrastructure is now available
Monday, August 2, 2010
Yes, you do.
I contacted Matt Gerber at ENS Group in Fort Wayne, IN, and confirmed it with this email from Matt:
RMS Licensing Basics
To use RMS, organizations need the following licenses:
· Windows Server 2008 R2 Server License
· Windows Server 2008 Client Access Licenses (Windows Server CALs)
· Windows Rights Management Services 2008 Client Access Licenses (RMS CALs)
A Windows Server 2008 R2 Server License is required, since RMS is a component of Windows Server. A Windows Server 2008 CAL is required for every user who accesses or uses the server software. In addition, every user who creates or views rights-protected information through Rights Management Services requires an RMS User CAL. As an alternative to User CALs, customers may acquire RMS Device CALs for the devices used to create or view rights-protected content. Both user and device CAL options are available for RMS and Windows Server 2008.
In addition, organizations have the option to acquire an RMS 2008 External Connector (EC) license. The RMS EC license gives organizations the right to permit an unlimited number of external users to access or use a single, licensed copy of the RMS server software without the need to acquire CALs for each external user. The EC is an alternative to CALs when, for example, an organization creates rights-protected information or documents and needs to allow customers or business partners to view this information. Each copy of RMS server software being used by external users requires its own EC license.
Since external users must also be licensed to access Windows Server 2008 R2, the Windows Server 2008 EC license may be used as an alternative to Windows Server 2008 CALs.
But this link gives more details: