
Archive for the ‘Windows 2008 R2’ Category

The mystery of the missing ‘MSS:’ setting on Windows 2008

November 22nd, 2010

[Screenshot from the Group Policy Editor: "The MSS: settings used to be here..."]

I recently got involved in a project where I defined the baseline security settings for Windows and Linux. I used the settings provided by the Center for Internet Security (CIS).

We decided on the following approach:

  • Based on the CIS templates we created a baseline document specific to our company.
  • I, in my security role, created a Nessus .audit file, so we could audit compliance with our own baseline using Seccubus.
  • The Windows administrator created GPOs to apply the settings.

While creating the GPOs we made a strange discovery: in a domain whose functional level is Windows 2008, the settings that are normally marked MSS: in the category Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options do not appear at all.

This made us wonder: have these settings become irrelevant? If not, how can we still set them, preferably via Group Policy?

The settings are not irrelevant, as e.g. Peter van Eeckhoutte’s blog points out. Windows 2008 does not forward IPv4 packets that have source routing on them, but it does accept them if the machine is the final destination. For IPv6, however, Windows 2008 will forward these packets by default.

So if the settings are not irrelevant, how can we apply them if they are not in the Group Policy Editor? For this purpose we created an .adm file, which can be loaded into the Group Policy Editor as a Classic Administrative Template.
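As an added example (not the post's .adm file, nor code from the project), the compliance side of the same setting: a PowerShell check of the MSS "DisableIPSourceRouting" value on both the IPv4 and the IPv6 stack, in the spirit of the Nessus .audit file mentioned above. The expected value of 2 (drop source-routed packets) is an assumption for this example.

```powershell
# Added example: audit the MSS "DisableIPSourceRouting" value on both stacks.
# Value meaning per the MSS definition: 0 = allow source routing,
# 1 = do not forward source-routed packets, 2 = drop them entirely.
# The baseline value below is an assumption for this example.
$Expected = 2
$Checks = @(
    @{ Stack = "IPv4"; Key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" },
    @{ Stack = "IPv6"; Key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" }
)

function Test-SourceRoutingSetting {
    param([string]$Stack, [string]$Key, [int]$Expected)
    # An absent value means the OS default applies, which (as the post notes) differs per stack
    $item  = Get-ItemProperty -Path $Key -Name DisableIPSourceRouting -ErrorAction SilentlyContinue
    $value = $null
    if ($item) { $value = [int]$item.DisableIPSourceRouting }
    $shown = "(not set, OS default)"
    if ($null -ne $value) { $shown = $value }
    # New-Object instead of [pscustomobject] so this also runs on PowerShell v2
    New-Object PSObject -Property @{
        Stack     = $Stack
        Key       = $Key
        Value     = $shown
        Compliant = ($value -eq $Expected)
    }
}

$results = foreach ($c in $Checks) {
    Test-SourceRoutingSetting -Stack $c.Stack -Key $c.Key -Expected $Expected
}
$results | Format-Table Stack, Value, Compliant, Key -AutoSize

# Report only: applying the value is left to the GPO / .adm route described in the post
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Host "$($failed.Count) MSS source-routing setting(s) deviate from the baseline" -ForegroundColor Red
    exit 1
}
```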

Remove Vista/W7 hardware profiles

March 18th, 2010

For whatever reason Microsoft removed the accessible way of removing hardware profiles in Vista and Windows 7. To help out a colleague with a corrupt profile I made a tiny PowerShell script to perform this action. It’s easily done by hand in the registry, the downside is you won’t see the profile descriptions, which is a tad error-prone. Also, feel free to use this but I will take no responsibility whatsoever if you use this and you break your Windows install :-)

# 20091218 - v0.01 - PZO - Initial hack to delete hardware profiles in Windows Vista/7
#
#----------------------------------------------------------------------
# Let's see which profiles exist..
#----------------------------------------------------------------------
# The FriendlyName of each profile (what the old UI showed) lives under IDConfigDB
$profilesKey = "HKLM:\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles"
Write-Host ""
Write-Host "The following hardware profiles have been found on this computer:" -ForegroundColor White
foreach ($hwProfile in (Get-ChildItem -Path $profilesKey)) {
    # PSChildName is the subkey name (0000, 0001, ...), so the list is right even if numbers are not contiguous
    $friendly = (Get-ItemProperty -Path $hwProfile.PSPath).FriendlyName
    Write-Host "$($hwProfile.PSChildName) - $friendly"
}
#----------------------------------------------------------------------
# Now we can ask which to remove..
#----------------------------------------------------------------------
Write-Host ""
Write-Host "You are strongly advised not to remove profile 0000 - New Hardware Profile" -ForegroundColor Red
Write-Host ""
# $input is an automatic variable in PowerShell, so the answer goes into its own variable
$target = Read-Host "Which profile is causing you headaches and should be removed?"
$targetKey = "HKLM:\SYSTEM\CurrentControlSet\Hardware Profiles\$target"
Write-Host "deleting.. $targetKey"
# The profile key has subkeys; without -Recurse Remove-Item stops to ask for confirmation
Remove-Item -Path $targetKey -Recurse

Finally: do _not_ remove profile 0000 unless you know what you are doing. YMMV!

[BBG]

Microsoft Deployment Toolkit 2010…

November 12th, 2009

Finally I have seen a nice Microsoft solution for light-touch deployment of servers and workstations. During a half-hour demo session at TechEd, MS demonstrated that deploying new desktops and servers doesn’t have to be a tough job if you use the new Deployment Toolkit 2010 and WAIK 2.0. It was impressive to see how easy automated deployment of various operating systems becomes when you use the new Deployment Workbench, which wraps like a management shell around the individual WAIK 2.0 components. A big plus of the Deployment Workbench is that all UI management operations are also accessible from PowerShell by loading a single PowerShell snap-in, making it easier to automate.

WAIK 2.0 comes with some new tools like DISM.exe, which combines previous WAIK tools like Pkgmgr.exe, Intlcfg.exe and PEimg.exe and has basic functionality to mount and maintain Windows images (either WIM or VHD file format) by adding or removing device drivers, patches, software packages etc.

Other new features in this toolkit:

• BCDboot is a new tool used to quickly set up a system partition, or to repair the boot environment.
• USMT. User State Migration Tool, used for doing an in-place migration while maintaining all user data and settings.
• Volume Activation Management Tool. Manages volume activation of Windows clients using a Multiple Activation Key (MAK)
• Hardware recognition and driver injection (also during pre-installation stage while booting from WinPE).
• Create image files for media-based deployments from existing deployment shares (WIM and/or ISO image files).

It supports deployment of Windows XP, Vista, Windows 7 and Windows Server 2003/2008/2008 R2.

Read more about MDT 2010:
http://technet.microsoft.com/en-us/solutionaccelerators/dd407791.aspx

What’s new in MDT 2010 (link to Word doc):
http://go.microsoft.com/fwlink/?LinkId=163309

IPV6 is coming…

November 11th, 2009

Mark Minasi held a nice presentation about the basics of IPv6. Very clarifying.

Of course there was a warning, as all speakers must have done the last couple of years, about the ‘ending’ of IPv4. We are running out of IP addresses; we’ve heard that before.

Here is a nice link where Geoff Huston predicts the end of time: http://www.potaroo.net/tools/ipv4/index.html

And in fact, we cannot ignore this. It will happen. And I want to be prepared, so that’s why I attended this session. I can no longer sit back hoping this would only happen when I’m retired. (And the Dutch government is not helping either, as they have decided to raise the pension age from 65 to 67 years..)

Windows has implemented the IPv6 stack from 2003 (and XP SP2) onwards, and from Vista onwards IPv6 is the preferred protocol by default. Of course you can disable this, but in Win2k8 IPv4 is built on the IPv6 stack, so even when you disable IPv6 you’re always able to ping your loopback address (::1).

Something I found during my research: Exchange 2003 on Windows 2008 needs IPv6, unless you disable it via a registry hack (http://msmvps.com/blogs/ehlo/archive/2008/06/12/1634433.aspx).

You need to understand the principles (doh…), but networking is a piece of cake with IPv6.

“IPv4 is all about routing, IPv6 is all about shouting”, was a statement of Mark Minasi.

Motivators to use IPv6:

  • China is knocking at the internet-door.
  • All European car manufacturers have agreed to implement IPv6 in their cars as the standard protocol for car applications. (So beware, braking will be done via commands transported over IPv6..)

I don’t want to go into detail here, there is plenty of explanation on the web, but all modern OSes are capable of doing IPv6, and I will certainly dive deeper into this.

You should too.

What does Windows Server 2008 R2 hold for Active Directory?

November 10th, 2009

Remote Management.
Well, finally PowerShell v2 is included and holds an AD module, so the Quest ActiveRoles Management Shell for Active Directory is now ‘sort of’ native: a comprehensive set of AD cmdlets for AD DS and AD LDS administration, configuration and diagnostic tasks.

PowerShell drives for AD will simplify navigation in AD Directory Services. And most of all: certain tasks can only be achieved through PowerShell :) hurrah for the shell.

AD Web Services (ADWS) will create a web service ‘gateway’ for managing Windows 2008 R2 servers through PowerShell. Be sure you have port 9289 opened on the firewalls and you’re home free.

For backward compatibility the Active Directory Management Gateway Service (ADMGS) is available for Windows Server 2003 and 2008; however, this does not support instances of the AD mounting tool (Get-PSDrive).

AD Administrative Center
The Users and Computers interface is enriched by progressive disclosure of data, which means the interface builds up navigation history, anticipates the tasks you’re about to do and fills the interface accordingly. A big plus is that you can connect to multiple domains at the same time.

Managed Service Accounts
Currently, using built-in accounts for services does not provide service isolation, in which case we run the services using standard user accounts with some extensive privileges. But then again, changing service account passwords on a regular basis did cause some unexpected service failures.

So managed service accounts are presented, though the accounts must be created and managed through Windows PowerShell. It’s delivered in three steps. The sweet thing is that a reset of the password is done on a regular basis (by default every 30 days) by the system itself.

However:
1: The service or application that requires a managed account must be running on Windows 7 or Server 2008 R2.
2: Managed accounts cannot be shared across multiple servers.

The latter is a major setback: the security of the automatic password changes is built in, so why not enable it across hosts? ‘Keep it simple and transparent’ does not apply here.
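The three steps mentioned above, carried through with the 2008 R2 AD module as an added example (not code from the post or from Microsoft). The domain CORP, host SQL01, account svc_sql01 and service name MyService are assumed.

```powershell
# Added example: put a Windows service on a managed service account (MSA) in three steps.
# Assumed names: domain CORP, host SQL01, MSA svc_sql01, service MyService.
Import-Module ActiveDirectory

$MsaName  = "svc_sql01"
$HostName = "SQL01"

# Step 1, from any machine with the AD module: create the account in the domain
New-ADServiceAccount -Name $MsaName -Enabled $true

# Step 2: bind the account to the one host allowed to use it (an MSA cannot be shared across servers)
Add-ADComputerServiceAccount -Identity $HostName -ServiceAccount $MsaName

# Step 3, run on SQL01 itself: install the account locally so the host can fetch and rotate the password
Install-ADServiceAccount -Identity $MsaName
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "MSA $MsaName is not usable on this host; check step 2 ran against the right computer object"
}

# Point the service at the account. MSA logon names end in $ and the password is left empty:
# the host, not an administrator, holds and rotates it (default every 30 days)
sc.exe config MyService obj= "CORP\$MsaName`$" password= ""

# Verify the account and see when the system last rotated its password
Get-ADServiceAccount -Identity $MsaName -Properties PasswordLastSet | Select-Object Name, PasswordLastSet
```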

Djoin.exe
Now Windows 7 or Windows 2008 R2 machines can be joined to a domain while offline; it’s not PowerShell driven though. During deployment the machine has already joined the domain at startup, so no reboot is required. This will definitely speed up deployment of VMs and scripted installs. The sysprep process will create a new section in unattended.xml to support offline domain joins, which will actually simplify domain joins to RODCs.

Recycle Bin for AD
Here it is: a fast and decent failsafe against accidental deletion of AD objects: the Recycle Bin for AD.
You need to raise the forest functional level to 2008 R2 and, of course, it’s PowerShell driven.
Bear in mind that once enabled it cannot be disabled, but then again, it restores all attributes including linked attributes. Of course it will impact storage, but by no more than a 5-10% increase of the AD database. Here is how it will work:

[Image: AD Recycle Bin]
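The enable-and-restore flow behind the screenshot, as an added example (not the post's own material). The forest name corp.example.com and the deleted account jdoe are assumed.

```powershell
# Added example: enable the AD Recycle Bin and bring back a deleted user with its linked attributes.
# Assumed names: forest corp.example.com, user jdoe.
Import-Module ActiveDirectory

# One-way switch: needs the forest at the 2008 R2 functional level and cannot be turned off afterwards
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "corp.example.com"

# Deleted objects are hidden from normal queries; ask for them explicitly
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq "jdoe" } `
                        -IncludeDeletedObjects -Properties LastKnownParent

if (-not $deleted) { throw "No recoverable object for jdoe (already purged, or never deleted)" }

# An in-place restore needs the original container to exist; otherwise restore the parent first
# or pick a new location with Restore-ADObject -TargetPath
if (-not (Get-ADObject -Identity $deleted.LastKnownParent -ErrorAction SilentlyContinue)) {
    throw "Parent container $($deleted.LastKnownParent) is gone; restore it first or use -TargetPath"
}

# Restore with all attributes, including linked ones such as group memberships
$deleted | Restore-ADObject
Get-ADUser -Identity "jdoe" -Properties MemberOf | Select-Object Name, Enabled, MemberOf
```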

Installing Microsoft SQL Server 2008 on Windows 2008 R2 Core

November 9th, 2009

Session by: Andrew Fryer

In this interactive lab I learned how to install and configure SQL 2008 on Windows 2008 R2 Core, which has the following technical advantages and characteristics:

- Running on R2 Core instead of a normal setup limits patching and maintenance of the SQL Server OS to the minimal set of R2 Core components, minimizing instance downtime.
- Running several SQL instances is possible, just as on a full OS setup with the GUI enabled.
- All installation and configuration has to be done with PowerShell cmdlets, which is limited to installing the .NET Framework 3.5, configuring the Windows firewall to allow port 1433 and installing the base components of SQL 2008; the GUI components of SQL Server, including Management Studio, do not run on R2 Core, so the instance has to be managed from a remote machine.
- It makes it really easy to prepare an R2 image with SQL 2008 pre-installed using Sysprep, for fast deployment of a SQL Server. We reached an OS/SQL deployment time of 5 minutes in the lab.
- Running on R2 Core also has security advantages for the SQL Server instance, as major Windows vulnerabilities are related to the higher levels of the OS and Windows 2008 Core is mostly not affected.
- It is possible to cluster a SQL instance running on R2 Core.
- This implementation is not supported by Microsoft at this moment, but several factors suggest it will be supported in the near future.

The how-to guide will shortly be available on CodePlex. If not, I will add an installation guide to this blog too.