Category Archives: Windows

Apply a Windows 2012 R2 Domain GPO to a standalone Windows 2012 R2 server

18 Saturday Jul 2015

Posted by in Security, Windows

Leave a comment

Tags

,

This post demonstrates how to apply a Windows 2012 R2 Domain GPO to a standalone Windows 2012 R2 server that is not in the domain. For this example, I’ll use the Internet Explorer 11 (IE11) lock downs I applied using a domain GPO.

This process also worked when I applied the 2012 R2 IE policy to a standalone Windows 7 Enterprise workstation.

1) Launch Group Policy Management on the Domain Controller. Browse to the policy you want to apply to the standalone servers (in my case IE11), right-click it and select Backup. Save it to a location of your choice and give it a description, such as IE11 GPO.

2) Download and install Microsoft SCM 3.0 (not on your domain controller). I just built a VM since SCM is only needed temporarily. I was only able to get it fully installed without errors on Windows 2008 R2. It supposedly supports Vista through 2012. I opted to install the bundled SQL Express since all I want is the LocalGPO executable. No need to point to a SQL server. You can uninstall the whole thing when done. The only reason to install the full package is so you can get a copy of the LocalGPO folder. Download it from:

Security Compliance Manager (SCM) Info:
https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Download page:
https://www.microsoft.com/en-us/download/details.aspx?id=16776

a) When done downloading, double-click the Security_Compliance_Manager_Setup.exe > click Run > deselect Always check for SCM baseline updates (you don’t care about them right now) and click Next > accept the license and click Next > Next > Next > accept the SQL Express license and click Next > Install > Finish. The app will auto-load the baselines. Just let it finish.

b) When done installing, browse to C:\Program Files (x86)\Microsoft Security Compliance Manager. Copy the LocalGPO folder to a location of your choice. You will need to install the executable in this folder on each standalone server that will receive the Domain GPO.

5) Login as a local admin on the server to receive the GPO. Install LocalGPO on your standalone server. When done, browse to the C:\Program Files (x86)\LocalGPO folder, right-click LocalGPO.wsf, select Properties, select the Security tab and give your admin user full control of the file.

6) Create a folder on this server called c:\gpos. Copy your IE11 GPO backup folder into the c:\gpos folder.

7) Edit the LocalGPO.wsf file to recognize 2012 R2 (Windows 2012 R2 is version 6.3). Open C:\Program Files (x86)\LocalGPO\LocalGPO.wsf in notepad (right-click > Edit). Search for 6.2. On the first instance of 6.2, change it to 6.3.

From this: If(Left(strOpVer,3) = “6.2”) and (strProductType <> “1”) then

To this: If(Left(strOpVer,3) = 6.3) and (strProductType <> “1”) then

8) The Windows Firewall must be running temporarily before you run this tool. Even though you may have disabled the firewall and use a third-party product like McAfee Firewall, etc., turn on the native Windows firewall in the services.msc applet now.

9) Click start (lower left corner), and then Search icon in the upper right. Enter LocalGPO. Right-click LocalGPO Command line and select Run as Administrator. Before you run the next command, close all Windows except the cmd prompt.

Enter this command:

> cscript localgpo.wsf /path:”C:\gpos\{A81C84F4-F8F5-4E8A-B077-9EA1471B3886}”

– note: your IE11 GPO backup folder name inside c:\gpos will be different. Just add your folder name in the command above.

You should see Applied valid Machine POL and Applied valid User POL. No valid audit or INF is OK.

10) Clean up after yourself. Uninstall LocalGPO if you don’t plan to use it again. Delete the gpo backup in c:\gpos.

You can run > gpupdate /force or reboot the server to apply the policy completely.

11 Verify that it applied the policy. Launch IE11 and verify your settings are locked down. Note that on a fresh system, you  may have to launch IE and then immediately close it. Launch it again and the lock downs will be set. Sometimes it takes two startups for the settings to apply. Not sure why. If you had the Windows firewall turned off, open services.msc and disable it.

HOWTO check compatability of your website on multiple platforms

02 Saturday Aug 2014

Posted by in Linux, Windows

Leave a comment

Tags

,

The sites listed below allow you to verify how your website renders on multiple platforms and browser combinations. Each has their advantages so check both.

http://www.browserstack.com
1) Launch a browser and enter http://www.browserstack.com/screenshots. Enter your URL, select the OS, browser version and click the orange Generate Screenshots button at the bottom of the page.

bc-1
2) The site will render your front page on each of the platforms you selected and create a thumbnail. Click an image and it opens in a larger window so you can verify that it renders properly. In this test, IE on XP and Chrome 35 on Windows 8.1 didn’t fair so well.

bc-2

http://browsershots.org/
1) What elevates browsershots.org is its support for Linux. Launch a browser and enter http://browsershots.org/. Enter your URL at the top. At the bottom you may select screen size, color depth, Javascript, Java and Flash. Just avove that you can select the OS. Next, select the browsers you want to test, or just select “all” just above the screen size drop-down box on the lower left. When you have selected your options, on the upper right click the green Submit button.

bc-3
2) The site will start rendering your selections and generate a thumbnail. Click the image to verify.

bc-4

HOWTO Create an Offline Patch ISO for Windows

27 Sunday Jul 2014

Posted by in Windows

Leave a comment

Tags

This walks you through the process of creating an ISO image of patches for your version of Microsoft Windows. This is handy for systems without internet access, standalone systems or maybe as a archive of patches just before Microsoft pulls the plug on support. A good example is Windows 2003. Its slated for EOL/EOS next year. Other scenarios include disaster recovery or forensic reconstitution.

1) Download http://download.wsusoffline.net/wsusoffline931.zip and extract it to a location of your choice. Make sure you have enough space for your patch set. To be safe, make sure you have at least 4 gigs of space for the ISO file that gets created.

2) Browse to the folder where you extracted the zip file above and double-click UpdateGenerator.exe. Select the products you need to patch. For this post, I’ll create a library for Windows 2003 to archive. On the Legacy products tab select:
a.    Select English under Windows 2003 (for x32).
b.    Select Clean up download directories.
c.    Include Service Packs.
d.    Verify Downloaded Updates.
e.    Include C++ Runtime Libraries and .NET Frameworks.
f.    Create ISO images(s) per selected product and language.
g.   Click Start to begin the download of patches. If asked to update your Root certificates, click Yes.

WSUS_ISO_1

3)  A command prompt will open and start the download process.

WSUS_ISO_2

a.  When the download is finished a popup appears. Click Yes to view the log. Scroll through the log and verify no errors.

WSUS_ISO_3

4)  When the download completes you now have a patch repository. Browse to the ISO folder where you extracted the files (….\wsusoffline\iso). You should see an .iso file in the folder. Burn that file to DVD.
a. Note: if a you are patching a VM, copy the iso file to a datastore and mount through Edit Settings CD/DVD on the VM.
b. If a phaysical server, burn to a DVD or use Daemontools, MagicISO or similar ISO mounting utility to mount the iso.WSUS_ISO_4

5) Insert the new DVD. The update installer should automatically launch. If auto launch is disabled, browse to the DVD and double-click UpdateInstaller.exe. Select the following options:
a.    Update C++ Runtime.
b.    Install .NET Framework 3.5 SP1.
c.    Update Root Certificates.
d.    Install Internet Explorer 8.
e.    Install Powershell 2.0.
f.    Update Remote Desktop Client.
g.    Verify Install Packages.
h.    Automatic reboot and recall.
i.    Click Start to begin. Offline Update scans the systems to see what updates are required.
j.    Note: If your system is quite old or a GA release, you will be prompted to manually reboot. Watch the cmd prompt that launches and check to see if it asks you to manually reboot and restart the update process. If so, simply reboot the server, login and run <cd cdrive>:\UpdateInstaller.exe again. You may be asked to do this a few times. Also, don’t forget to select “Automatic Reboot and Recall” if you are asked to launch UpdateInstaller.exe.
k.    Keep running this process until there are no more updates to apply.WSUS_ISO_5

 

 

HOWTO Find Unsigned Executables on Windows

03 Monday Mar 2014

Posted by in Security, Windows

Leave a comment

Tags

,

From the Sigcheck website, “Sigcheck is a command-line utility that shows file version number, time stamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.” It runs on XP/2003 and higher versions of Windows.

Download sigcheck and unzip to a location of your choice. Run the commands below to get a feel for the output. When the command prompt returns, open the file in Excel, Calc or your favorite spreadsheet program. The Verified column will show “signed” or “unsigned.”

Sigcheck page:
http://technet.microsoft.com/en-us/sysinternals/bb897441

Sigcheck download:
http://download.sysinternals.com/files/Sigcheck.zip

Full Sysinternals Suite download:
http://download.sysinternals.com/files/SysinternalsSuite.zip

1) The following command scans executables only, shows extended version information, recurses sub-directories in c:\windows\system32 and writes the output to a file called sigcheck-Win7.csv.
> sigcheck -e -a -s -c c:\windows\system32 > sigcheck-Win7.csv

2) To run a check through VirusTotal, add the -v option. Note that when using the Virustotal option it may take 20 minutes or more to complete.
> sigcheck -e -a -s -v -c c:\windows\system32 > sigcheck-Win7-virustotal.csv

Determine what applications are using .NET on Windows with Process Explorer and Version Detector

03 Monday Feb 2014

Posted by in Windows

Leave a comment

Tags

,

I was asked recently whether a certain app or service required the .NET framework and while I generally knew the answer was no, I had no proof. I kept thinking, how can I determine what apps on this server were actually .NET? The following is a quick way to find those apps.

Microsoft Sysinternals Suite is an excellent set of utilities used to get under the hood of Windows and various Microsoft services. You can download the individual utilities but I just download the entire Suite. This post will use Process Explorer from the Suite but will barely scratch the surface of this powerful utility.

http://technet.microsoft.com/en-us/sysinternals/bb842062

To find out what .NET assembly versions you have installed, run Asoft’s .NET Version Detector. There is more to .NET detection than just looking in Add/Remove Programs, Program Files or the Registry.

http://www.asoft.be/prod_netver.html

1) Download and unzip Asoft’s .NET Version Detector. Double-click the dotnet.exe file, click OK on the license page and it will render your versions on the left and in the lower section. On the right they conveniently provide you with the default .NET version for each Windows OS. This is a great time saver. Thanks Asoft devs!

DotNet-04

2) Download the Sysinternals Suite at the URL above or just download Process Explorer itself. Unzip and copy the procexp.chm and procexp.exe files to C:\Windows\System32 or if you don’t want to place them in System32 just park them in a location of your choice. Process Explorer is standalone so no installation is required.

3) In order to access the .NET tabs, it must be run as Administrator. I prefer to execute it from the CLI. Start > enter cmd.exe in the search field and cmd.exe will appear at the top. Right-click it and select Run As Administrator. If you didn’t place it in the System32 folder, change directories to the location of procexp.exe.  To run it just type procexp.exe and press enter. You can also just right-click the procexp.exe file and select Run As Administrator. Click Yes on the User Account Control pop-up window.

4) Select Options > Configure Colors.

DotNet-00

5) Select the check box next to .Net Processes in the yellow box and click OK. This will highlight .NET processes in yellow.

DotNet-01

6) Scroll up and down in the process column and look for yellow highlighted entries. Note that there may not be any. If you suspect that an application might be a .NET application simply start it and check the process column again for that app. In this case, the first instance I find is Microsoft AD web services.

DotNet-02

7) Right-click the service that is highlighted in yellow and select Properties. Select the .NET Assemblies and .NET Performance tabs to dig deeper into the service.

DotNet-03

8) A less useful but honorable mention goes to wmic. It provides the installed version but little else. I need to play around with it a bit more and see what I can find. Running the command below will provide the installed version and takes about 30 seconds to run.

C:\Windows\system32> wmic product where “Name like ‘Microsoft .Net%'” get Name, Version

Name                                    Version
Microsoft .NET Framework    4.5.1  4.5.50938

Using HFS Standalone Web Server to Upgrade NetApp Data ONTAP and SP Firmware

23 Monday Dec 2013

Posted by in Linux, NetApp, Windows

Leave a comment

Tags

, ,

For a while I have been using XAMPP as my goto quick and easy web server to temporarily serve files like ONTAP or SP firmware upgrades. Its easy to use and always works. Then there was Z-WAMP which was great because it was zero install. Again easy to use and always works. The problem was they also carried the extra baggage of PHP, MySQL, etc. All I needed was a simple http instance. And then I found HFS. It stands for HTTP File Server. Its simple, incredibly small, very portable, very easy to use and is a standalone executable. No installation. Just double-click hfs.exe and you are ready to go.

HFS also works perfectly on Linux using wine 1.4 and later. Just don’t use the Wine Gecko option when prompted. On Linux, when you run >wine hfs.exe you will be prompted to download the Gecko option. Just click cancel to continue.

From a NetApp perspective, its perfect for updating Data ONTAP and SP firmware over the network. Especially for shops that don’t run CIFS or NFS or where your Security overlords won’t allow you to NFS export and mount the root volume. I run HFS from my OnCommand Unified Manager server where I have all of my NetApp tools and utilities installed.

Download HFS here:
http://www.rejetto.com/hfs/?f=dl

1) To start, double-click hfs.exe.
a) Select No to add it to your right-click menu (unless you really want to).
b) If you need to change the default port 80 perform this step. If not, skip it. In the upper left, click the Port: 80 button and change it to something like 8082. Click OK.
Notes:
– Depending on how your NetApp applications are deployed, port 80 will probably be taken. A simple port change avoids conflicts. Don’t forget to create a firewall rule if you use a non-standard port.
– If you are running this from a laptop or server without other apps using port 80, then its probably safe to leave on port 80.
– If you want to click the “You Are in Easy Mode” button to change it to “Expert Mode,” you get additional transfer details. Its up to you.
c) Copy the downloaded version of Data ONTAP you will be upgrading to onto the server where you are running HFS.
d) In the HFS window on the upper left under the house/ icon, right-click and select Add files.

hfs01
e) Browse to the Data ONTAP file and select Open. It will now be listed under the home root /. Note that you can also drag and drop the file into this window.

hfs02

2) On the NetApp controller, if not already done, create the software directory and then verify your version and backup kernel.
netapp> software
netapp> software list
netapp> version
netapp> version -b

3) Download and install the Data ONTAP image from your HFS instance. Note the :8082 port definition in the URL below. If you changed it to something other than the default port 80, you must change it on the command line as well. If not, the default port 80 is correct.
netapp> software update http://10.10.10.81:8082/814_q_image.tgz

software: You can cancel this operation by hitting Ctrl-C in the next 6 seconds.
software: Depending on system load, it may take many minutes
software: to complete this operation. Until it finishes, you will
software: not be able to use the console.
software: copying to 814_q_image.tgz
software: 5% file read from location.

<And that’s it. Output of the update truncated to shorten the post>

When a VMware Tools Upgrade Goes Bad – Fixing NICs

27 Wednesday Nov 2013

Posted by in VMware, Windows

Leave a comment

Tags

,

Scenario: you upgrade VMware tools on one of your VMs and your IP address will not maintain a static configuration. It reverts back to a Microsoft APIPA address (169.254.0.1 – 169.254.255.254). It’s Sunday at 9:00 PM, the outage window is closing and now you are angry.

Solution: you have to clean out all references to current and previous NICs in the registry. This post tells you how to do this for Windows 2008R2 x64. Make sure you have a local administrator account and know the password before you start. You don’t want to lock yourself out of the VM should something go haywire.

Note: Make sure your VM hardware is set to a version compatible with your version of vSphere. For this post, I’m set to version 9 (for 5.1 U1c). You can run into issues related to buggy hardware mismatches.

1) Remove the NIC and reboot the VM.
a) Right-click the VM > Edit Settings > select the NIC and click Remove > OK.

2) Delete the Interfaces and Adapters from the Registry.
a) Click Start > Run and enter regedt32 and press enter.
b) Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces
c) Expand Interfaces and delete all entries (delete folders from the left pane).
d) Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Adapters
e) Expand Adapters and delete all entries (delete folders from the left pane).
f) Close the registry editor and reboot the VM.

3) Add the VMXNET3 NIC back to the VM.
a) Right-click the VM > Edit Settings > click Add > select Ethernet Adapter and click Next.
b) On the Network Connection page, select the VMXNET3 adapter type, select the network you want to connect to and most importantly, DESELECT connect at power on, and then click Next > Finish > OK.
c) Reboot the VM. Don’t skip this reboot.

4) Configure your IP address.
a) Login to the VM. Click Start > Control Panel > Network and Internet > Network and Sharing Center > Change Adapter Setting.
b) Right-click the NIC > Properties > select IPv4 and click Properties.
c) Enter your IP, mask, gateway, dns and click OK > OK.
d) Right-click the VM > Edit Settings > select the NIC and in the upper right, click both Connect at power on and Connected, then click OK.
e) The NIC will connect and you should have a clean network configuration.
f) Open a cmd prompt and enter ipconfig -all to verify. Ping other hosts to test.

HOWTO Generate a new SID on Windows 2008

09 Wednesday Oct 2013

Posted by in Security, Windows

Leave a comment

Tags

,

Despite what Microsoft has stated you need to generate a new SID when using Windows 2008 images. On Windows 2008, you can use the native sysprep.exe utility. Note that running sysprep.exe will reset your hostname, IP and local Administrator password. When done generating a new SID you have to change your hostname, password and set your IP. If you want to see the before and after SID, download the PStools package at the URL below and run psgetsid.exe before you sysprep and then after.

http://technet.microsoft.com/en-us/sysinternals/bb896649

 

1) Open Windows explorer and browse to C:\Windows\System32\sysprep and double-click sysprep.exe.

sysprep2k8-01

2) Make sure the Generalize option is checked under System Cleanup Action and click OK.

sysprep2k8-02

3) When the system reboots it automatically prepares it for first use.

sysprep2k8-03

4) On the Windows Setup screen, select your county, language and click Next.

sysprep2k8-04

5) Accept the license and click Start.

sysprep2k8-05

6) Click OK to set the local Administrator password.

sysprep2k8-06

7) Enter a password and click the blue arrow to complete the setup. The system will log you in. Make sure you change your hostname and IP before you join the domain. Also, if the old server object is still in AD, delete it before joining the domain.

sysprep2k8-07