Archive

Archive for the ‘Windows’ Category

TrendMicro Worry-Free Business Security debug logs

February 22nd, 2013 2 comments

Problem

Today I was at one customer which recently installed TrendMicro Worry-Free Business Security solution. It’s firewall and anti-* product. Today I noticed there is no free space on C:\ disk. Trend Micro ate 19 GB! The biggest portion of space was located at C:\Program Files\Trend Micro\Security Server\PCCSRV\Log. There were files called ofcdebug-*.log which were about 150 MB of size and there was lots of them. And there new comming and comming 🙂

Solution

Those file are debugging log files. There is really weird way to disable them. In management website you need to click on little small letter “M” in the logo:

TrendMicro Worry-Free

New window appears where you can enable/disable debug logs:

TrendMicro Debuging Log

This is really weird way to set logging by looking for some small letter “M” 🙂

More about it on official site.

Prezentácia BranchCache

February 19th, 2013 No comments

ShowIT-BrachCache_Zilinec

Ak by ste mali nejaké otázky, sem s nimi.

 

Categories: Windows Tags: , ,

Maximum Validity For Certificates

February 19th, 2013 No comments

You can configure expiration period for Certification Template. By default there are default maximum validation periods set to:

  • One year for Stand-alone Certification Authority
  • Two years for Enterprise Certification Authority

This means you have Certification Template set its validity for example for 10 years, but you can enroll certificates with validity 1 or 2 years (Stand-alone / Enterprise Certification Authority).

This can be changed via registry keys described in KB254632.

Thank you for my colleague Róbert Švec.

Disable Exclusive Rights for roaming profiles

January 25th, 2013 No comments

When administrators implement Roaming Profiles they define folder where roaming profile should be stored on fileserver. By default file permissions for the newly generated profile are full control for the user, full control to SYSTEM and no file access for the administrators group. You can not access this profiles with administrator account and clean it up. First you had to take ownership and then you can change ACL, but this is not what you want, because owner should be user.

You can fix this in two steps:

New roaming profile folders

You can change default behaviour on new profile folder creation. It can be changed by applying GPO to domain controllers with following setting Enabled:

Change new roaming profile security

Change ACLs for existing profile folders

This will be in couple steps:

  • Download SubInACL.exe
  • Download PsExec
  • Log into fileserver where profiles are stored
  • Run cmd.exe under SYSTEM account by running command

psexec -sid cmd.exe

  •  In new cmd.exe window go into directory where roaming profiles are stored. For example: cd G:\Profiles\
  • Add BUILTIN\Administrators into ACLs of roaming profiles by running following command:

subinacl /subdirectories=directoriesonly G:\Profiles\*.* /GRANT=Administrators=F

Enjoy accessible roaming profile  folders 🙂

 

DFS Problem in multi domain environment

January 21st, 2013 No comments

Couple months ago we have created Active Directory domain for one of our customer. His AD was subdomain of existing AD domain hosted in Germany. Let’s call them following:

  • DOMAIN.LOCAL <– Main AD in Germany
  • SK.DOMAIN.LOCAL <– New created domain in Slovakia

To make administrators life easier in future, we have created DFS Shares in domain SK.DOMAIN.LOCAL. One of those DFS shares is called “Common”. So people in Slovakia were accessing DFS share \\\\SK.DOMAIN.LOCAL\\Common and share data. Under this DFS Namespace following share was hidden \\\\FSSERVER\\Common.

Everything worked just fine.

Problem

Problem appeared when users from Germany (from domain DOMAIN.LOCAL) wanted to access this share. There were following symptomps:

There were no firewalls between two domains. All ports were accessible.

Solution

After couple tries (and using dfsutil) I figured out that client machine from DOMAIN.LOCAL get as DFS Refferal NetBIOS server name FSSERVER and it cannot translate FSSERVER to IP (FSSERVER is from SK.DOMAIN.LOCAL). Client machine from DOMAIN.LOCAL although can translate FQDN of FSSERVER.SK.DOMAIN.LOCAL. I tried to put FSSERVER IP record into client machine’s hosts file and everything started to work perfectly. So we have more solutions to solve issue:

  • Synchronize NetBIOS names between two domain (weird)
  • Add DNS Search suffixes to clients in domain (not nice solution and can slowdown DNS queries)
  • Force DFS to propagate FQDN as refferals (winner)

I decided to force DFS to propagate FQDN as refferals. It’s made by change in registry keys for DFS service. More about it is at http://support.microsoft.com/kb/244380/en-us. One more important thing is that you need to remove and re-add refferal servers from DFS Namespaces. I used DFS console because I didn’t use DFS Replication. If you do use DFS Replication it’s recommended to do it using cmd line (dfscmd.exe).

That’s all folks,

Quickie: Service Accounts description

January 14th, 2013 No comments

More often I see people (IT admins) not understand differences between Local Service Accounts so I decided to write more about it:

SYSTEM

This account has full access to local computer. It can access network resources with rights (account) of the computer. This account has full access to domain it self when used on Domain Controller.

LOCAL SERVICE

This account has same right as local Users group. It goes to network as annonymous user (null session).

NETWORK SERVICE

It’s almost same as LOCAL SERVICE. Only difference is that it uses computer account to access network resources.

Quickie: GetMac.exe

November 30th, 2012 No comments

I was just browsing Internet a looking for built-in utilities in Windows. I found one nice one getmac.exe which can get the list of MAC addresses on local or remote computer. It’s nice utility and it’s better to use it to find out MAC addresses, because looking into ipconfig /all verbose output is very time consuming (look in it when IPv6 is enabled). 🙂

Also ipconfig cannot be run on remote machine without using other utility (for example psexec).

More information here.

 

Quickie: Couple minutes with Internet Explorer 10.0

November 23rd, 2012 No comments

Three days ago I installed Internet Explore 10.0 on my Windows 7 SP1. I downloaded it from here.

Internet Explorer 10

Internet Explorer 10

After couple seconds I found out only little changes. Design of buttons changes little bit. Also design of check boxes.

After couple minutes I found following new things:

Text box change

Now you can delete content of text box in one click. Clicking by X on the end of the box:

Delete text box

Delete text box

Password box change

On password box you can see what’s under stars:

Password password in box

Hidden password in box

Show password in box

Show password in box

Easy copy and paste

When you select text and pictures in IE 10.0, you can drag and drop it into some application (e.g. Word, Outlook, …). This is very neat and cool.

Faster

My personal feeling is that webpages are displayed much faster than before, but this can be just feeling 🙂

Quickie: How to find out some info about user in AD for free

November 14th, 2012 3 comments

Sometimes you need to find out some basic informations about user in domain when you are regular user. You can use command:

net user USER_name /domain

and you get some informations:

net user /domain

net user /domain

Thanks to my coleague Peter Ivanco 🙂

Categories: Quickie, Windows Tags: ,

Open File – Security Warning

November 7th, 2012 3 comments

Couple days ago something started to bother me. I use Microsoft Windows 7 and Internet Explorer 9.0 to browse on Internet. When you download some application from web, for example my favorite SSH/Telnet/Console client Putty, and you run this application, you get following warning:

Open File - Security Warninig

Open File – Security Warninig

Read more…