
Archive for the ‘Security’ Category

Disable Exclusive Rights for roaming profiles

January 25th, 2013 No comments

When administrators implement roaming profiles, they define the folder on the file server where the profiles are stored. By default, the file permissions on a newly generated profile are Full Control for the user, Full Control for SYSTEM and no file access for the Administrators group. You cannot access these profiles with an administrator account to clean them up. You would first have to take ownership and then change the ACL, but this is not what you want, because the owner should be the user.

You can fix this in two steps:

New roaming profile folders

You can change the default behaviour for newly created profile folders by applying a GPO to domain controllers with the following setting set to Enabled:

Change new roaming profile security

Change ACLs for existing profile folders

This takes a couple of steps:

  • Download SubInACL.exe
  • Download PsExec
  • Log in to the file server where the profiles are stored
  • Run cmd.exe under the SYSTEM account with the following command:

psexec -sid cmd.exe

  • In the new cmd.exe window, go to the directory where the roaming profiles are stored. For example: cd G:\Profiles\
  • Add BUILTIN\Administrators to the ACLs of the roaming profiles by running the following command:

subinacl /subdirectories=directoriesonly G:\Profiles\*.* /GRANT=Administrators=F

Enjoy your accessible roaming profile folders 🙂
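One way to check the result of the two steps above, as an added example that is not part of the original post: a read-only PowerShell (3.0 or later) audit that lists each profile folder, confirms that Administrators holds Full Control, and flags folders owned by Administrators instead of the user. Get-ProfileAclReport and the status labels are hypothetical names; G:\Profiles is the post's example path.

```powershell
# Added example (not from the original post): read-only audit of profile folder ACLs.
# $ProfileRoot defaults to the post's example path; run from the SYSTEM shell or as admin.
param([string]$ProfileRoot = 'G:\Profiles')

$AdminsSid  = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$SystemSid  = 'S-1-5-18'       # NT AUTHORITY\SYSTEM (well-known SID)
$SidType    = [System.Security.Principal.SecurityIdentifier]
$Full       = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$GenericAll = 0x10000000       # GENERIC_ALL bit, which some inheritable ACEs carry instead

# Hypothetical helper: one report row per first-level folder under $Root.
function Get-ProfileAclReport {
    param([Parameter(Mandatory = $true)][string]$Root)

    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        } catch {
            # Expected for untouched profiles when run as an administrator, not SYSTEM.
            [pscustomobject]@{ Folder = $dir.Name; Status = 'CannotReadAcl'
                               Owner = $null; OtherPrincipals = $null }
            continue
        }

        $ownerSid = $acl.GetOwner($SidType).Value
        $allow = @($acl.GetAccessRules($true, $true, $SidType) |
                   Where-Object { $_.AccessControlType -eq 'Allow' })

        # Administrators must hold Full Control (explicit or inherited).
        $adminsFull = [bool]($allow | Where-Object {
            $rights = [int]$_.FileSystemRights
            $_.IdentityReference.Value -eq $AdminsSid -and
            ((($rights -band $Full) -eq $Full) -or (($rights -band $GenericAll) -ne 0))
        })

        # Anything beyond owner, SYSTEM and Administrators deserves a look.
        $others = @($allow | ForEach-Object { $_.IdentityReference.Value } |
                    Where-Object { @($ownerSid, $AdminsSid, $SystemSid) -notcontains $_ } |
                    Sort-Object -Unique)

        $status = 'OK'
        if (-not $adminsFull)         { $status = 'AdministratorsMissing' }
        if ($ownerSid -eq $AdminsSid) { $status = 'OwnerIsAdministrators' }

        [pscustomobject]@{ Folder = $dir.Name; Status = $status
                           Owner = $ownerSid; OtherPrincipals = $others -join ', ' }
    }
}

Get-ProfileAclReport -Root $ProfileRoot | Format-Table -AutoSize
```

A CannotReadAcl row for a folder means the account running the script still has no access to it, which is the default state the post describes.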

 

Quickie: Service Accounts description

January 14th, 2013 No comments

More and more often I see people (IT admins) who do not understand the differences between the local service accounts, so I decided to write more about them:

SYSTEM

This account has full access to the local computer. It can access network resources with the rights (account) of the computer. This account has full access to the domain itself when used on a domain controller.

LOCAL SERVICE

This account has the same rights as the local Users group. It accesses the network as an anonymous user (null session).

NETWORK SERVICE

It’s almost the same as LOCAL SERVICE. The only difference is that it uses the computer account to access network resources.

Quickie: Software Restriction Policy vs AppLocker

November 30th, 2012 No comments

Just a quick image showing the differences between the “old” Software Restriction Policy and the “new” AppLocker:

Software Restriction Policy vs AppLocker

Now it’s easy to describe and remember.

 

Quickie: Couple minutes with Internet Explorer 10.0

November 23rd, 2012 No comments

Three days ago I installed Internet Explorer 10.0 on my Windows 7 SP1. I downloaded it from here.

Internet Explorer 10


After a couple of seconds I noticed only small changes. The design of the buttons has changed a little bit, as has the design of the check boxes.

After a couple of minutes I found the following new things:

Text box change

Now you can delete the content of a text box in one click, by clicking the X at the end of the box:

Delete text box


Password box change

In a password box you can see what’s under the stars:


Hidden password in box

Show password in box


Easy copy and paste

When you select text and pictures in IE 10.0, you can drag and drop them into another application (e.g. Word, Outlook, …). This is very neat and cool.

Faster

My personal feeling is that web pages are displayed much faster than before, but this may be just a feeling 🙂

TMG 2010: Site to site clients cannot access TMG server

October 8th, 2012 No comments

When I upgraded from ISA 2006 to TMG 2010 I ran into a peculiar problem. There was an HQ with TMG 2010 and one branch with an ASA 5505. A site-to-site VPN tunnel was set up between those two locations. Everything worked fine, except for one problem. Users in the branch couldn’t access anything on the TMG server. They couldn’t ping it or do anything with it. They couldn’t browse the Internet, because TMG was also their web proxy server.

Read more…

Upgrade from ISA 2006 to TMG 2010

September 25th, 2012 No comments

A customer wanted to upgrade his ISA 2006 server to the “new” TMG 2010. I thought it would be a nice and easy process. It could have been, if not for problems that I didn’t expect to see in “new” software. The old server was still functional and I wanted to prepare the new server and migrate all settings and certificates.

Requirements

You can install the required packages yourself, or you can use Run Preparation Tool from the TMG installation screen. Why didn’t they include it in the installation package itself?

Messed up console

When I was done with the installation I ran the TMG console and received the following error:

An error has occured in the script on this page.

Read more…

Quickie: MaxTokenSize increased significantly in Windows Server 2010 and Windows 8

September 12th, 2012 No comments

According to the official blog article from the Directory Service Team, MaxTokenSize for access token tickets has been increased and is now four times larger than before.

 

 

Quickie: Remove data in AD after unsuccessful domain controller demotion

August 23rd, 2012 No comments

Today my ex-colleague called me to say that the Windows 2000 Active Directory domain he takes care of is not fully functional. He mentioned that the “primary” domain controller is dead and the domain now has some problems.

I had to seize all FSMO roles to a live domain controller using ntdsutil, as described in this Microsoft article:

http://support.microsoft.com/kb/255504

I manually deleted the dead domain controller’s information from Active Directory using the following Microsoft article:

http://support.microsoft.com/kb/216498

After checking the events I found out that there was also a Certification Authority on the dead domain controller, and I needed to clean up all Enterprise Domain Certification Authority information from the Active Directory domain using the following Microsoft article:

http://support.microsoft.com/kb/555151

PS: Don’t forget to put your account into all “administrative” groups: Domain Admins, Enterprise Admins and Schema Admins.

Problem with enterprise certificate distribution

July 2nd, 2012 1 comment

Once upon a time I played with an enterprise certification authority at one of our customers. I created a new certificate for the certification authority. And then the problems began.

Read more…

Certification Authority – decrease key length

June 27th, 2012 No comments

One of my colleagues wanted to make one of our customers’ environments very secure, so he decided to install an Enterprise Certification Authority environment with 4kB keys. He created one offline root CA with a 4kB key (Windows 2003). This computer is offline all the time. The other CA is the issuing CA, whose key is signed by the root CA. This issuing CA also had a 4kB key (Windows 2008 R2). Certificates issued by the issuing CA ranged from 2kB to 16kB.

The problem arose when the customer wanted to create a certificate for Cisco devices to secure Wi-Fi. To make those devices use and trust certificates from the issuing CA, the customer needed to import the root and issuing CA public certificates into those Cisco devices. And this was the problem: those Cisco devices didn’t want to work with certificates larger than 2kB.

Read more…