Email Security – Protect your domain and your Brand

With the advent of cloud-based email solutions (Google Suite, O365, etc.) and stringent mail filtering and protection, this note describes the SPF, DKIM and DMARC DNS records that help administrators ensure that emails relayed from mail servers or relay servers are actually delivered to the recipients.

There are also scenarios where an organization signs up for marketing mailers such as Mail Chimp and other cloud-based solutions to send marketing and other forms of communication to customer email addresses.

Certain Good Practices

  • If using an on-premise email solution, always ensure that the IP used for relaying emails is dedicated only to the email servers. For example, we had a customer report a problem wherein their domain/public IP was always blacklisted. It was later found that they shared this IP with another server for Internet access, which was putting the IP reputation at risk.
  • If using a third-party marketing email solution, ensure that you use either a different domain or a subdomain rather than your corporate email domain. This will protect your IP/domain reputation.
  • If you are a bulk email sender, use multiple IP addresses to relay your emails.
  • Always ensure that you use an antivirus solution to scan all your outgoing emails.
  • Use SPF, DKIM and DMARC so that recipient email servers, gateways or other filtering solutions can verify the sender's authenticity.
  • Use transport-level security (TLS) between your email servers and the recipient's email servers.

Reverse DNS records

Anti-spam solutions sometimes depend upon reverse DNS to compare the FQDN of the originating server against the IP address used to relay the emails.

Though generating NDRs (non-delivery reports) for reverse DNS failures is not part of the RFC, certain mail filtering appliances may block emails based upon reverse DNS. This method of mail filtering is being replaced by other technologies with the advent of cloud email solutions, where the domain in MAIL FROM <recipient@domain.com> may differ from the FQDN of the SMTP relay host.

Sender Policy Framework (SPF)

SPF allows the DNS administrator to publish a DNS TXT record in their public DNS zone specifying the IP addresses, IP address blocks or hosts/FQDNs of the servers that are authorized to send email on behalf of the domain. The recipient's anti-spam agent validates the SPF record against the server that relayed the email. If SPF hard fail is configured, the recipient's anti-spam solution could drop the email or give it a high spam confidence level score, thereby delivering it to the recipient's Junk folder.

The -all at the end of the example SPF record defines it as a hard fail, which means that the spam filter should discard the email. If it is replaced with ~all it means a soft fail, which causes the mail filtering appliance to accept the email but tag it as spam or suspicious before delivering it to the recipient's mailbox.

Example SPF for Microsoft.com

v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.1.153 ip4:147.243.1.47 ip4:147.243.1.48 -all
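To show how a receiving filter actually walks a record like the one above, here is an added example written for this note (it is not code from the original post or from Microsoft). It evaluates the ip4/ip6 mechanisms, follows include: through a constructed in-memory lookup table that stands in for DNS, and returns the qualifier of the first matching term, so the difference between -all and ~all comes out as fail versus softfail. The domains and addresses in the table are constructed sample data; mechanisms that need live DNS (a, mx, ptr, exists) and the redirect= modifier are left out.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record it publishes.
# Sample data for this example only; it is not real DNS content.
SAMPLE_SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip, resolver, depth=0):
    """Evaluate an SPF record for the connecting IP.

    Returns pass / fail / softfail / neutral / none / permerror.
    Implements the v=spf1 check, ip4/ip6 mechanisms, include: recursion and
    the all mechanism. Mechanisms that need live DNS (a, mx, ptr, exists)
    and the redirect= modifier are deliberately left out of this example.
    """
    if depth > 10:            # RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"         # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"       # an unprefixed mechanism means pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]   # -all = hard fail, ~all = soft fail
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            target = resolver.get(arg.lower())
            if target is None:
                return "permerror"         # include: target must publish SPF
            sub = evaluate_spf(target, client_ip, resolver, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub not in ("fail", "softfail", "neutral"):
                return "permerror"
            # fail/softfail/neutral from the include: try the next term
        else:
            return "permerror"             # unknown (or unsupported) mechanism
    return "neutral"                       # no all term: default result


def check_sender(domain, client_ip, resolver=SAMPLE_SPF_RECORDS):
    """Look up the domain's SPF record and evaluate it for client_ip."""
    record = resolver.get(domain.lower())
    if record is None:
        return "none"
    return evaluate_spf(record, client_ip, resolver)


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip, "->", check_sender("example.com", ip))
```

A filter that sees softfail typically accepts and tags the message, while fail lets it reject outright; permerror (a broken or unknown mechanism, or a missing include target) is worth alerting on from the sender's side, because many receivers treat it like a failure.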

DomainKeys Identified Mail (DKIM)

DKIM is used to prevent spoofing and spam by affixing a digital signature to the email message. The spam filter infrastructure verifies this signature against the public key (DKIM record) published in the sender domain's DNS to validate the authenticity of the email.

Example DKIM record in the public DNS, and the DKIM signature information in the message headers

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkHq3ztGIm1R8alD+7oZiaG5mTUttFdFOlpKHRBZCPFG4sugV1EfF5F6JpwbJDzZmyIlqYfTgUkmYOvbHsoYvW7rddLKVTh+vE1SZ5P9coIHrw759hXbpPDSQ9JNP8aN+Bfrg6YMEWnOGA+PL+ZpyvswcB0jz9M6yMvowOxCHv5QIDAQAB; n=1024,1435867504,1

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
    s=selector1;
    h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
    bh=9AI7to4IxPPpelCbo/ZYz3x7EorWs4gaG91e09iQQYA=;
    b=ijvlm+1+YDVBwufOuqZIixmdyDax01oUNwNnS1BXd5lNviGclzpbycKJnGxFetdj1b4Y6ma8cjUf6nIoWfNmvCNQELGiEPJL9Rr+gVkYxiJajJYhf0OKhE9zdQP/HgT4tL33rfWUc0OSi9uzlik/Ey+SloC8uebog7+e+Og2QPw=
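The header above carries everything a verifier needs except the public key: d= and s= tell it which DNS name to query (selector1._domainkey.microsoft.com), c= tells it how to canonicalize, bh= is the hash of the canonicalized body and b= is the RSA signature over the selected headers. The Python below is an added example for this note (not code from the post or from Microsoft) that parses a folded DKIM-Signature header and a DKIM DNS record, builds the key lookup name, and recomputes bh= over a constructed sample body using the relaxed and simple canonicalizations of RFC 6376, so that a body modified in transit is detected. Verifying b= itself needs the RSA public key and a crypto library and is not shown; the public key and signature values in the sample are labelled placeholders.

```python
import base64
import hashlib
import re


def parse_tags(text):
    """Parse a DKIM tag=value list (a DKIM-Signature value or a DNS TXT record)."""
    tags = {}
    for item in text.split(";"):
        if "=" not in item:
            continue                        # empty item after a trailing ';'
        key, value = item.split("=", 1)     # base64 '=' padding stays in the value
        tags[key.strip()] = re.sub(r"\s+", "", value)   # folding whitespace is ignored
    return tags


def parse_signature_header(header):
    """Unfold a (possibly folded) DKIM-Signature header and parse its tags."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    _, _, value = unfolded.partition(":")   # drop the 'DKIM-Signature' field name
    return parse_tags(value)


def dkim_dns_name(tags):
    """DNS name the verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization."""
    lines = []
    for line in body.split(b"\r\n"):
        # collapse runs of WSP to one space and drop trailing WSP on each line
        lines.append(re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t"))
    while lines and lines[-1] == b"":       # drop trailing empty lines
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)   # empty body stays empty


def simple_body(body):
    """RFC 6376 'simple' body canonicalization."""
    while body.endswith(b"\r\n\r\n"):       # drop trailing empty lines
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"                     # an empty body becomes a lone CRLF
    return body


def body_hash(body, canon="relaxed", algo="sha256"):
    """Base64 of the hash over the canonicalized body (the bh= value)."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.new(algo, canonical).digest()).decode()


def body_hash_matches(header, body):
    """Recompute bh= from the body and compare with the header's bh= tag."""
    tags = parse_signature_header(header)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    canon = tags.get("c", "simple/simple")              # header/body canonicalization
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    algo = tags.get("a", "rsa-sha256").split("-")[-1]   # rsa-sha256 -> sha256
    return body_hash(body, body_canon, algo) == tags["bh"]


# Constructed sample message body (not a real message).
SAMPLE_BODY = b"Hello team,\r\n\r\nPlease review the   attached   report.  \r\n\r\n\r\n"

# Shape of the DNS TXT record shown in the post; the key is a placeholder.
SAMPLE_DNS_RECORD = "v=DKIM1; k=rsa; p=PUBLIC_KEY_BASE64_PLACEHOLDER"


def sample_header():
    """A folded DKIM-Signature header modelled on the one in the post, with bh=
    computed over SAMPLE_BODY and a placeholder where b= would carry the RSA
    signature."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;\r\n"
        "\ts=selector1;\r\n"
        "\th=From:Date:Subject:Message-ID:Content-Type:MIME-Version;\r\n"
        "\tbh=" + body_hash(SAMPLE_BODY) + ";\r\n"
        "\tb=SIGNATURE_BASE64_PLACEHOLDER"
    )


if __name__ == "__main__":
    hdr = sample_header()
    print("key record:", dkim_dns_name(parse_signature_header(hdr)))
    print("body intact:", body_hash_matches(hdr, SAMPLE_BODY))
    print("body tampered:", body_hash_matches(hdr, SAMPLE_BODY.replace(b"report", b"invoice")))
```

Relaxed canonicalization is what lets a signature survive the whitespace changes that mailing lists and gateways routinely make; with simple canonicalization the same edits would break bh= and the message would fail DKIM even though nobody tampered with it.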

DMARC

Domain-based Message Authentication, Reporting and Conformance relies on DKIM and/or SPF records. The DMARC policy is published by the domain owner. DMARC alignment can be either strict or relaxed. For strict alignment, the domain in From: must be identical to the domain validated by the published SPF/DKIM record. For relaxed alignment it only needs to match the organization's parent domain.

Example: for strict alignment, From: testdomain.com must match exactly and must pass DKIM/SPF for that domain. For relaxed alignment, From: subdomain.testdomain.com would also align.

Example DMARC for Microsoft.com

v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; fo=1

rua and ruf are the URIs to which aggregate reports and forensic (failure) reports are sent. "p" is the policy, which here specifies that failing emails should be rejected, and "pct" is the percentage of failing messages to which the policy should be applied.
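As an added example for this note (not code from the original post or from Microsoft), the Python below parses a DMARC record such as the one above and applies the alignment rules described: a message passes DMARC when SPF or DKIM passed for a domain that aligns with the From: domain under the adkim/aspf mode (strict requires an identical domain, relaxed only the same organizational domain), and otherwise the p= policy (or sp= for subdomains) decides the disposition, with messages outside the pct= sample stepped down to the next-lower policy as RFC 7489 prescribes. The organizational-domain logic is a labelled simplification (last two labels) where real verifiers consult the Public Suffix List; the testdomain.com names are the post's own examples.

```python
# Record from the post, reused here as sample input.
MICROSOFT_DMARC = ("v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; "
                   "ruf=mailto:d@ruf.agari.com; fo=1")

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}
VALID_POLICIES = ("none", "quarantine", "reject")
# A message outside the pct= sample gets the next-lower policy applied.
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict, filling in RFC defaults."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        raise ValueError("not a valid DMARC record")
    policy = {**DEFAULTS, **tags}
    policy["pct"] = int(policy["pct"])
    if policy.get("sp") not in VALID_POLICIES:
        policy.pop("sp", None)          # ignore a missing or malformed sp=
    return policy


def org_domain(domain):
    """Organizational domain. Simplification for this example: the last two
    labels. Real verifiers use the Public Suffix List (example.co.uk needs three)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): domains identical. Relaxed ('r'): same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate_dmarc(record, from_domain, spf_result="none", spf_domain=None,
                   dkim_result="none", dkim_domain=None, sampled=True):
    """Combine the SPF result (for the MAIL FROM domain) and DKIM result (for
    the d= domain) with the From: header domain under the published policy.
    `sampled` says whether this message fell inside the pct= percentage."""
    policy = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, policy["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, policy["adkim"]))
    report = {"pct": policy["pct"], "rua": policy.get("rua"), "ruf": policy.get("ruf")}
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none", **report}
    disposition = policy["p"]
    if "sp" in policy and from_domain.lower() != org_domain(from_domain):
        disposition = policy["sp"]      # subdomain policy overrides p= for subdomains
    if not sampled:
        disposition = STEP_DOWN[disposition]
    return {"result": "fail", "disposition": disposition, **report}


if __name__ == "__main__":
    strict = "v=DMARC1; p=reject; adkim=s; aspf=s"
    print(evaluate_dmarc(strict, "subdomain.testdomain.com",
                         dkim_result="pass", dkim_domain="testdomain.com"))
    print(evaluate_dmarc("v=DMARC1; p=reject", "subdomain.testdomain.com",
                         dkim_result="pass", dkim_domain="testdomain.com"))
```

Note that an SPF pass on its own is not enough: the MAIL FROM domain that SPF authenticated must also align with the visible From: header, which is exactly the gap that spoofed display-name mail exploits and that DMARC was designed to close.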

I hope this is useful for Mail server administrators and security assessors/ auditors.

Cannot check out documents from a SharePoint 2010 document library over the Internet


I was recently tasked with an issue where the users of a SharePoint document library were unable to check out documents.

The organization has a farm of two web front-end servers running SharePoint 2010. When the users are on the intranet they can check in and check out documents absolutely fine. However, when accessing it over the Internet, check-in and check-out fail. The SharePoint application itself is published using Microsoft Threat Management Gateway 2010. Since it works internally, the issue could only be on the TMG 2010 server.

Internally SharePoint runs on port 80 (HTTP) and externally over port 443 (HTTPS). This was the catch. I verified the web publishing rule and found that the following was enabled in the SharePoint publishing rule:

– Forward the original host header instead of the actual one (specified in the internal site name field)

TMG

I disabled this, and the users were able to check in and check out documents over the Internet as well.

Hope this helps.

Essential Business Server installation after an installation failure – help


Issue:
During the installation of Essential Business Server in an existing domain, after an unsuccessful install, if you try to change the names of the management server during setup it gives you a message that the "old server name" could not be found.

Cause: this issue is caused because the MMSConfiguration object in AD stores the names of the management, messaging and security servers. You can try changing the entries there; however, it may or may not work.

The EBS team blog recommends the following: if you delete the management, messaging and security server accounts from AD, then use ADRestore to undelete those accounts and try to remove EBS by running the wizard again. This should remove the server entries gracefully.

In cases where you cannot use ADRestore, or it does not work, you could delete the MMSConfiguration container under Active Directory:

CN=MMScontainer, CN=services, CN=Configuration,DC=domainname,DC=net

Note: before you delete any container in AD, make sure that you take a system state backup first, and only then delete.

Migrating a Windows Enterprise Certificate Authority from Windows 2003 to Windows 2008 R2


One challenge that administrators face is the periodic upgrade of the operating system. In most cases the upgrades are seamless; however, you might encounter scenarios with limitations that prevent a direct upgrade path.

This post details the steps to migrate an Enterprise CA from Windows 2003 to Windows 2008 R2.

Existing server: Windows 2003 SP, running as a domain controller (multiple available), DNS and Certificate Authority.

Target: CA on Windows 2008 R2.

One of the major reasons to do so was that Windows 7 and Windows 2008 R2 clients were unable to enroll for a certificate using the web enrollment feature.

The solution:

You will have read in multiple MS articles and posts that the name must be the same to migrate the CA. Please note that this is the CA name and not the host name of the server hosting the Certificate Authority. The details of all your CAs are stored in Active Directory (an Enterprise CA is not available in a workgroup; only stand-alone root or subordinate CAs are available in a workgroup).

1. Demote the domain controller. This would be the first step; however, you may retain the DC and want only to migrate the CA.

2. First migrate the CA to Windows 2003 SP1 (new server) and then do an in-place upgrade to Windows 2008 R2 (remember that in this case the existing CA must be x64); otherwise, if possible, do an in-place upgrade to Windows 2008 R2 and then migrate the CA role to another Windows 2008 R2 server.

Steps:

1. Back up the Enterprise CA. To do this go to Administrative Tools, Certification Authority, open the CA console, right-click the CA name, select All Tasks and click Back up CA. The backup wizard starts.

2. Follow the wizard and then select
   a) Private key and CA certificate
   b) Certificate database and certificate database log.

The backup contains the CA database and the root certificate as CAname.p12.

MS also recommends backing up the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

Once the backup has been created, you will need to uninstall the Certificate Authority on the Windows 2003 server. Go to Control Panel, Add/Remove Programs, Add/Remove Windows Components and then uninstall the CA.

You might find posts that say to stop the CA service and then restore the backup on the new server. That never works; please ensure that the backup is taken and then uninstall the Certificate Authority.

On the new certificate server, install the CA from Control Panel, Add/Remove Windows Components.

On the Set Up Private Key page, click Use existing private key and point to the .p12 file in the backup taken.

In the Public and Private Key Pair dialog box, verify that Use existing keys is selected.

Point the wizard to the CA database and complete the setup.

Start the CA service in Windows.

Note that if you need web enrollment, make sure that you install the CA web enrollment feature.

The custom certificate templates that you might have created would need to be recreated; however, we have seen that this should not be a challenge.

Now do an in-place upgrade to Windows 2008 R2.

If you need any assistance, contact support@securesine.com and we will extend a free CA migration service to small and medium businesses.

Regards,

The Wyseadmin

Windows Server 2008 Terminal Services / Remote Desktop


Installing and configuring a Terminal Server with Windows 2008:
Microsoft first introduced Terminal Server with its Windows NT operating system. Terminal Server today has come a very long way since Windows NT.
In Windows 2000 the terminal server had to be installed from Control Panel, Add/Remove Programs, Add/Remove Windows Components. It offered you two options:
  1. Installing Terminal Services in remote admin mode.
  2. Terminal Server in application server mode.
This was later modified in Windows 2003 and its subsequent R2 release with the Remote tab under My Computer properties, so that you do not need to install the terminal server for remote admin mode.
With Windows Server 2008 and 2008 R2 many additional features were added, and improved further in Windows 2008 R2. This discussion only deals with Terminal Server in Windows Server 2008 and not the Remote Desktop role in Windows Server 2008 R2.
To install the Terminal Server role:
Open the Server Manager console and click Add Roles.
Under the list of server roles, select Terminal Services.

Click Next.
Under Role Services, choose the role services that need to be installed.
If installing the Session Broker, you need multiple terminal servers to build a session broker farm.
I have had a lot of questions about whether the TS Gateway should be implemented in a DMZ. It is not advisable, though you may install it in a DMZ. The gateway is a member of the domain, which means additional ports need to be opened for the domain member; rather, you may install the gateway in your internal network and open port 443 on the firewalls.
Choose Network Level Authentication if all your clients support it, for example Windows Vista or XP SP3 with RDP 6.0 and above.
Under Terminal Server licensing, either configure the licensing option or configure it later.
Choose who can access the terminal server; you may add members to this group later.
Choose the scope of the licensing server:
  1. Whether its scope is the same domain,
  2. or the entire forest.
If you choose the domain, then terminal servers in child domains or other domains in the same forest will not be serviced by the license server.
If you have a certificate, you may use it to secure the gateway, or configure it later.
Configure the CAP/RAP for the Gateway server later.
The installation is complete. We now need to configure the terminal server and applications for remote access.
Note: if you plan to install Microsoft Office on the terminal server, make sure that the MS Office product is a volume license (VL) edition that can be installed on TS.
Configuring Windows 2008 Terminal Services:
The setup for the lab:
In this case the test lab being used has the following servers:
  1. Windows 2003 Active Directory (domain controller)
  2. Terminal server running Windows Server 2008.
We will introduce two Windows 2008 servers for the session broker farm setup.


Windows Server / domain / DNS


Windows Server 2008:

I was hoping to write about some of the cool features that were introduced with Windows Server 2008, but first a brief introduction to the features of Windows Server 2008. By introducing the hypervisor, Microsoft launched Windows 2008 in editions with and without the hypervisor. With Windows 2008, Microsoft introduced role-based installation per server. What does that mean?
It means that you now install only the binaries needed for specific purposes. If you ever wondered why you need Internet Explorer on your server, you can now implement the Core editions.
A feature-wise comparison sheet provided by Microsoft:
Comparison by server role:
What edition should you choose?
Unless, of course, you are a large enterprise with a lot of money to spend, in which case you could invest in the Datacenter edition. It is usually licensed on a per-processor plus CAL basis. It also allows you unlimited virtual machines per host server.
Enterprise and Standard are what we would be interested in. If you need the clustering feature then the Enterprise or Datacenter edition is needed; otherwise a Standard server should be sufficient.
Next, decide whether to install the 32-bit or 64-bit edition. A lot of new applications are built for x64-based systems, so if you plan to install Exchange 2007 you will need x64. The best thing to do is check the application's system requirements or contact your vendor. An x86 system has a memory limitation beyond 4 GB of RAM.
The Server Manager:
Server Manager is installed by default as part of the Windows 2008 installation on all editions, except if you opt to install the Core editions.
You may enable the roles and features needed by the server through Server Manager. What is the advantage of such a setup? Well, you will only install the binaries/tools needed for that particular role. This also reduces the attack surface of the server and gives it a minimum footprint.
What roles and features can be installed through Server Manager?
Active Directory Certificate Services: installs certificate services and web enrollment. If you have a Windows 2003 CA and need to generate a certificate for Windows Vista or Windows Server 2008, then refer to the following table for interoperability. Also, on Windows 2008 you need to lower the security for web enrollment; this occurs because the ActiveX controls needed by Windows 2003 and Windows 2008 differ, due to the change from Xenroll to CertEnroll.
Client OS                          | Windows Server 2003 / 2003 SP1 CA                          | Windows Server 2003 SP2 CA                                       | Windows Server 2008 CA
Clients earlier than Windows Vista | Supported                                                  | Supported                                                        | Supported, but with reduced functionality
Windows Vista-based clients        | Unsuccessful, with a "Downloading ActiveX control" message | Unsuccessful, with a message that the web pages must be updated  | Supported
Active Directory Domain Services: needed for the Active Directory domain controller role. Please note that if you are installing Win2K8 in an existing forest/domain, you need to run the Adprep utility to extend the schema.
Adprep /forestprep: run on the schema master. The credentials needed are Enterprise Admin and Schema Admin.
Adprep /domainprep /gpprep: run on the infrastructure master. Needs a minimum of Domain Admin credentials.
Adprep /rodcprep (optional): for installing read-only domain controllers. Run on the infrastructure master; needs a minimum of Domain Admin credentials.
We will discuss the functioning of a read-only domain controller in a later post.
Active Directory Federation Services: provides single sign-on to different applications for a user across multiple forests through the implementation of federated trusts.
Active Directory Lightweight Directory Services: AD LDS is a role that was formerly called ADAM, or Active Directory Application Mode.
Active Directory Rights Management Services: formerly called Rights Management Services, used to secure RMS-enabled application data, for example protecting a document in a SharePoint library or an email sent to the entire company. RMS-enabled applications have the capability, for example, to prevent a user from copying or forwarding an email or a document.
Application Server: MSMQ, COM+ etc. are enabled through the Application Server role.
DHCP: provides dynamic IP addresses to clients/sessions, both v4 and v6.
DNS: provides network name resolution.
File Services: file server and distributed file system installation.
Fax Server: configure the server with a fax modem to send and receive faxes.
Hyper-V: run multiple guest operating systems on a single host by implementing the hypervisor layer.
Network Policy and Access Services, or NAP: Network Access Protection provides a way for only compliant clients to access the system. Non-compliant clients could be placed on a quarantined network VLAN.
Example: a large corporation's policy specifies that if a computer does not have antivirus or a firewall enabled it cannot access the corporate business applications. In such a scenario we could implement NAP on DHCP, VLAN, remote access or the Terminal Server Gateway. If a non-compliant client connects over the network, it is automatically quarantined if it does not meet the requirements.
Print Services: provides a solution for configuring large numbers of network print devices.
UDDI Services.
Web Server, or Internet Information Services.
Terminal Services: now includes Terminal Server, TS Licensing, TS Gateway and TS Web Access.
We will discuss Terminal Services in Windows Server 2008 in much more detail in later posts.
Windows Deployment Services: remote installation of Windows and preconfigured images through PXE.
List of features:
Microsoft .NET Framework 3.0 Features: Microsoft .NET Framework 3.0 combines the power of the .NET Framework 2.0 APIs with new technologies for building applications that offer appealing user interfaces, protect your customers' personal identity information, enable seamless and secure communication, and provide the ability to model a range of business processes.
BitLocker Drive Encryption: BitLocker Drive Encryption helps to protect data on lost, stolen, or inappropriately decommissioned computers by encrypting the entire volume and checking the integrity of early boot components. Data is decrypted only if those components are successfully verified and the encrypted drive is located in the original computer. Integrity checking requires a compatible trusted platform module (TPM).
BITS Server Extensions: Background Intelligent Transfer Service (BITS) Server Extensions allow a server to receive files uploaded by clients using BITS. BITS allows client computers to transfer files in the foreground or background asynchronously, preserve the responsiveness of other network applications, and resume file transfers after network failures and computer restarts.
Connection Manager Administration Kit: Connection Manager Administration Kit (CMAK) generates Connection Manager profiles.
Desktop Experience: Desktop Experience includes features of Windows Vista, such as Windows Media Player, desktop themes, and photo management. Desktop Experience does not enable any of the Windows Vista features by default; you must manually enable them.
Failover Clustering: Failover Clustering allows multiple servers to work together to provide high availability of services and applications. Failover Clustering is often used for file and print services, database, and e-mail applications.
Group Policy Management: Group Policy Management makes it easier to understand, deploy, manage, and troubleshoot Group Policy implementations. The standard tool is Group Policy Management Console (GPMC), a scriptable Microsoft Management Console (MMC) snap-in that provides a single administrative tool for managing Group Policy across the enterprise.
Internet Printing Client: Internet Printing Client enables clients to use Internet Printing Protocol (IPP) to connect and print to printers on the network or Internet.
Internet Storage Name Server: Internet Storage Name Server (iSNS) provides discovery services for Internet Small Computer System Interface (iSCSI) storage area networks. iSNS processes registration requests, deregistration requests, and queries from iSNS clients.
LPR Port Monitor: Line Printer Remote (LPR) Port Monitor enables the computer to print to printers that are shared using any Line Printer Daemon (LPD) service. (LPD service is commonly used by UNIX-based computers and printer-sharing devices.)
Message Queuing: Message Queuing provides guaranteed message delivery, efficient routing, security, and priority-based messaging between applications. Message Queuing also accommodates message delivery between applications that run on different operating systems, use dissimilar network infrastructures, are temporarily offline, or that are running at different times.
Multipath I/O: Microsoft Multipath I/O (MPIO), along with the Microsoft Device Specific Module (DSM) or a third-party DSM, provides support for using multiple data paths to a storage device on Windows.
Network Load Balancing: Network Load Balancing (NLB) distributes traffic across several servers, using the TCP/IP networking protocol. NLB is particularly useful for ensuring that stateless applications, such as a Web server running Internet Information Services (IIS), are scalable by adding additional servers as the load increases.
Peer Name Resolution Protocol: Peer Name Resolution Protocol (PNRP) allows applications to register on and resolve names from your computer, so other computers can communicate with these applications.
Quality Windows Audio Video Experience: Quality Windows Audio Video Experience (qWave) is a networking platform for audio and video (AV) streaming applications on Internet protocol home networks. qWave enhances AV streaming performance and reliability by ensuring network quality-of-service for AV applications. It provides admission control, run time monitoring and enforcement, application feedback, and traffic prioritization. On Windows Server platforms, qWave provides only rate-of-flow and prioritization services.
Remote Assistance: Remote Assistance enables you (or a support person) to offer assistance to users with computer issues or questions. Remote Assistance allows you to view and share control of the user's desktop in order to troubleshoot and fix the issues. Users can also ask for help from friends or co-workers.
Remote Differential Compression: The Remote Differential Compression (RDC) feature is a set of application programming interfaces (APIs) that applications can use to determine if a set of files have changed, and if so, to detect which portions of the files contain the changes.
Remote Server Administration Tools: Remote Server Administration Tools enables remote management of Windows Server 2003 and Windows Server 2008 from a computer running Windows Server 2008, by allowing you to run some of the management tools for roles, role services, and features on a remote computer.
Removable Storage Manager: Removable Storage Manager (RSM) manages and catalogs removable media and operates automated removable media devices.
RPC over HTTP Proxy: RPC over HTTP Proxy is a proxy that is used by objects that receive remote procedure calls (RPC) over Hypertext Transfer Protocol (HTTP). This proxy allows clients to discover these objects even if the objects are moved between servers or if they exist in discrete areas of the network, usually for security reasons.
Services for NFS: Services for Network File System (NFS) is a protocol that acts as a distributed file system, allowing a computer to access files over a network as easily as if they were on its local disks. This feature is available for installation on Windows Server 2008 for Itanium-Based Systems; in other versions of Windows Server 2008, Services for NFS is available as a role service of the File Services role.
Simple TCP/IP Services: Simple TCP/IP Services supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. Simple TCP/IP Services is provided for backward compatibility and should not be installed unless it is required.
SMTP Server: SMTP Server supports the transfer of e-mail messages between e-mail systems.
SNMP Services: Simple Network Management Protocol (SNMP) is the Internet standard protocol for exchanging management information between management console applications (such as HP OpenView, Novell NMS, IBM NetView, or Sun Net Manager) and managed entities. Managed entities can include hosts, routers, bridges, and hubs.
Storage Manager for Storage Area Networks: Storage Manager for Storage Area Networks (SANs) helps you create and manage logical unit numbers (LUNs) on Fibre Channel and iSCSI disk drive subsystems that support Virtual Disk Service (VDS) in your SAN.
Subsystem for UNIX-based Applications: Subsystem for UNIX-based Applications (SUA), along with a package of support utilities available for download from the Microsoft Web site, enables you to run UNIX-based programs, and compile and run custom UNIX-based applications in the Windows environment.
Telnet Client: Telnet Client uses the Telnet protocol to connect to a remote telnet server and run applications on that server.
Telnet Server: Telnet Server allows remote users, including those running UNIX-based operating systems, to perform command-line administration tasks and run programs by using a telnet client.
Trivial File Transfer Protocol Client: Trivial File Transfer Protocol (TFTP) Client is used to read files from, or write files to, a remote TFTP server. TFTP is primarily used by embedded devices or systems that retrieve firmware, configuration information, or a system image during the boot process from a TFTP server.
Windows Internal Database: Windows Internal Database is a relational data store that can be used only by Windows roles and features, such as UDDI Services, AD RMS, Windows Server Update Services, and Windows System Resource Manager.
Windows Internet Name Service (WINS): Windows Internet Name Service (WINS) provides a distributed database for registering and querying dynamic mappings of NetBIOS names for computers and groups used on your network. WINS maps NetBIOS names to IP addresses and solves the problems arising from NetBIOS name resolution in routed environments.
Windows PowerShell: Windows PowerShell is a command-line shell and scripting language that helps IT professionals achieve greater productivity. It provides a new administrator-focused scripting language and more than 130 standard command-line tools to enable easier system administration and accelerated automation.
Windows Process Activation Service: Windows Process Activation Service (WAS) generalizes the IIS process model, removing the dependency on HTTP. All the features of IIS that were previously available only to HTTP applications are now available to applications hosting Windows Communication Foundation (WCF) services, using non-HTTP protocols. IIS 7.0 also uses WAS for message-based activation over HTTP.
Windows Server Backup Features: Windows Server Backup Features allow you to back up and recover your operating system, applications, and data. You can schedule backups to run once a day or more often, and can protect the entire server or specific volumes.
Windows System Resource Manager: Windows System Resource Manager (WSRM) is a Windows Server operating system administrative tool that can control how CPU and memory resources are allocated. Managing resource allocation improves system performance and reduces the risk that applications, services, or processes will interfere with each other to reduce server efficiency and system response.
Wireless LAN Service: Wireless LAN (WLAN) Service configures and starts the WLAN AutoConfig service, regardless of whether the computer has any wireless adapters. WLAN AutoConfig enumerates wireless adapters, and manages both wireless connections and the wireless profiles that contain the settings required to configure a wireless client to connect to a wireless network.
Reference: Microsoft TechNet.
The server Manager starts when you start windows and Login. This behavior can be changed:
If you feel that server manager is a Nag, which I seriously do at times. And do not want it to open when you logon then you need to tweak the following registry keys.
Don’t open the server manager when you logon:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Server Manager
By default the value is 0. Change it to 1 to prevent the window from opening.
There is also an initial configuration task window that opens up. Well that can be disabled as well
To not open the initial configuration task window:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Server Manager\oobe
Default value is 0, change it to 1.
We will discuss in depth about the active directory domain services.
Active directory & AD DS on windows server 2008:
The active directory domain services is installed if you plan to make the server a domain controller. Other tools like DCdiag, netdom etc are installed by default when you install the role. Unfortunately Replmon is no longer present.

Can you upgrade a server running windows 2003 active directory to a windows 2008 AD DS : The answer is yes. However inplace upgrade of certain other roles are not supported. I would recommend doing a fresh install of windows 2008 AD DS and then demote the existing after transferring the FSMO roles, Global catalog etc.  There is a change in ways in which the group policy is implemented in a window 2003 / XP Vs windows Vista / windows 2008.
We will discuss the other details in the Part 2 of this post.

Windows Server 2008


Windows Server 2008:

I was hoping to write about some of the cool features that were introduced with Windows Server 2008.

But first, a brief introduction to the features of Windows Server 2008. With the introduction of the hypervisor, Microsoft launched Windows Server 2008 editions both with and without Hyper-V. With Windows Server 2008, Microsoft has also introduced role-based installation per server. What does that mean?

It means that you now install only the binaries needed for a specific purpose. If you ever wondered why your server needs Internet Explorer, you can now deploy a Server Core installation instead.

A feature-wise comparison sheet provided by Microsoft:

http://www.microsoft.com/windowsserver2008/en/us/r2-differentiated-features.aspx

Comparison by server role:

http://www.microsoft.com/windowsserver2008/en/us/r2-compare-roles.aspx

What edition should you choose?

Unless, of course, you are a large enterprise with a lot of money to spend, in which case you could invest in the Datacenter edition. It is usually licensed on a per-processor plus CAL basis, and it allows an unlimited number of virtual machines per host server.

Enterprise and Standard are the editions most of us will be interested in. If you need the clustering feature, you need the Enterprise or Datacenter edition; otherwise a Standard server should be sufficient.

Next, decide between the 32-bit and 64-bit editions. Many new applications are built for x64 systems; if you plan to install Exchange 2007, for example, you need x64. The best thing to do is check the application's system requirements or contact your vendor. A 32-bit (x86) installation has memory-addressing limitations beyond 4 GB of RAM.

The Server Manager:

Server Manager is installed by default as part of a Windows Server 2008 installation on all editions, except when you opt for a Server Core installation.

You enable the roles and features a server needs through Server Manager. What is the advantage of such a setup? You install only the binaries and tools needed for that particular role, which reduces the server's attack surface and keeps its footprint to a minimum.

What roles and features can be installed through Server Manager?

Active Directory Certificate Services: installs certificate services and web enrollment. If you have a Windows Server 2003 CA and need to issue a certificate to Windows Vista or Windows Server 2008, refer to the following table for interoperability. Note that on Windows Server 2008 you need to lower the security settings for web enrollment; this is because the ActiveX controls required by Windows Server 2003 and Windows Server 2008 differ, due to the change from Xenroll to CertEnroll.

OS | Windows Server 2003 and Windows Server 2003 SP1 | Windows Server 2003 SP2 | Windows Server 2008
Client computers that are earlier than Windows Vista | Supported | Supported | Supported but with reduced functionality
Windows Vista-based client computers | Unsuccessful together with a "Downloading ActiveX control" message | Unsuccessful together with a message that states that the Web pages must be updated | Supported

Refer to MS KB http://support.microsoft.com/kb/922706

Active Directory Domain Services: needed for the Active Directory domain controller role. Please note that if you are installing Windows Server 2008 domain controllers into an existing forest/domain, you first need to run the adprep utility to extend the schema.

adprep /forestprep: run on the schema master. Requires Enterprise Admins and Schema Admins credentials.

adprep /domainprep /gpprep: run on the infrastructure master. Requires at least Domain Admins credentials.

adprep /rodcprep (optional): required before installing read-only domain controllers. Run on the infrastructure master. Requires at least Domain Admins credentials.

We will discuss the functioning of a read-only domain controller in a later post.
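Before running the adprep steps above, it pays to confirm which domain controllers actually hold the schema master and infrastructure master roles, and to record the current schema version so the extension can be verified afterwards. The following PowerShell is an added example (not part of the original post); it uses only the [ADSI] adapter, so it runs on a Windows Server 2003 domain controller with PowerShell 2.0 and no Active Directory module. The schema version numbers in the comments (30 for Windows Server 2003, 31 for 2003 R2, 44 for Windows Server 2008) and the adprep.exe location on the installation media are values I know from those releases, not from the post.

```powershell
# Added example: pre-flight checks before adprep /forestprep and /domainprep.
# Requires PowerShell 2.0+ and a domain-joined account with read access to AD.

function Get-NtdsServerName {
    param([string]$NtdsSettingsDn)
    # fSMORoleOwner holds "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...";
    # the DC's name is the second RDN.
    ($NtdsSettingsDn -split ',')[1] -replace '^CN=', ''
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = [string]$rootDse.schemaNamingContext
$domainNC = [string]$rootDse.defaultNamingContext

# Schema version: 30 = Windows Server 2003, 31 = 2003 R2, 44 = Windows Server 2008
$schema        = [ADSI]"LDAP://$schemaNC"
$schemaVersion = [int][string]$schema.objectVersion
$schemaMaster  = Get-NtdsServerName ([string]$schema.fSMORoleOwner)

# The infrastructure master is recorded on CN=Infrastructure in the domain NC
$infra       = [ADSI]"LDAP://CN=Infrastructure,$domainNC"
$infraMaster = Get-NtdsServerName ([string]$infra.fSMORoleOwner)

"Schema version       : $schemaVersion (44 means forestprep for 2008 has already run)"
"Schema master        : $schemaMaster  -> run adprep /forestprep here (Enterprise Admins + Schema Admins)"
"Infrastructure master: $infraMaster  -> run adprep /domainprep /gpprep (and /rodcprep if needed) here (Domain Admins)"
"adprep.exe is under \sources\adprep on the Windows Server 2008 installation media."
```

Run it once before adprep and once after: the schema master and infrastructure master names tell you where to run each step, and a schema version that moves from 30 or 31 to 44 confirms that forestprep completed.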

Active Directory Federation Services: provides a user with single sign-on to different applications across multiple forests through the implementation of federated trusts.

Active Directory Lightweight Directory Services: AD LDS is the role that was formerly called ADAM (Active Directory Application Mode).

Active Directory Rights Management Services: formerly called Rights Management Services; used to secure data in RMS-enabled applications, for example a document in a SharePoint library or an email sent to the entire company. RMS-enabled applications can, for example, prevent a user from copying or forwarding an email or a document.

Application Server: MSMQ, COM+ and similar components are enabled through the Application Server role.

DHCP: provides dynamic IP addresses to clients, for both IPv4 and IPv6.

DNS: provides network name resolution.

File Services: file server and Distributed File System (DFS) installation.

Fax Server: configure the server with a fax modem so that it can send and receive faxes.

Hyper-V: run multiple guest operating systems on a single host by implementing the hypervisor layer.

Network Policy and Access Services (NAP): with Network Access Protection you can allow only compliant clients to access the network; non-compliant clients can be placed on a quarantined VLAN.

Example: a large corporation's policy specifies that a computer without antivirus or a firewall enabled cannot access the corporate business applications. In such a scenario NAP can be enforced through DHCP, VLAN, remote access and Terminal Services Gateway. A non-compliant client that connects to the network is automatically quarantined until it meets the requirements.

Print Services: provides a solution for configuring and managing network print devices on a large network.

UDDI Services.

Web Server (Internet Information Services).

Terminal Services: now includes Terminal Server, TS Licensing, TS Gateway and TS Web Access.

We will discuss Terminal Services in Windows Server 2008 in much more detail in later posts.

Windows Deployment Services: remote installation of Windows and preconfigured images through PXE boot.

List of Features:

Microsoft .NET Framework 3.0 Features

Microsoft .NET Framework 3.0 combines the power of the .NET Framework 2.0 APIs with new technologies for building applications that offer appealing user interfaces, protect your customers’ personal identity information, enable seamless and secure communication, and provide the ability to model a range of business processes.

BitLocker Drive Encryption

BitLocker Drive Encryption helps to protect data on lost, stolen, or inappropriately decommissioned computers by encrypting the entire volume and checking the integrity of early boot components. Data is decrypted only if those components are successfully verified and the encrypted drive is located in the original computer. Integrity checking requires a compatible trusted platform module (TPM).

BITS Server Extensions

Background Intelligent Transfer Service (BITS) Server Extensions allow a server to receive files uploaded by clients using BITS. BITS allows client computers to transfer files in the foreground or background asynchronously, preserve the responsiveness of other network applications, and resume file transfers after network failures and computer restarts.

Connection Manager Administration Kit

Connection Manager Administration Kit (CMAK) generates Connection Manager profiles.

Desktop Experience

Desktop Experience includes features of Windows Vista®, such as Windows Media Player, desktop themes, and photo management. Desktop Experience does not enable any of the Windows Vista features by default; you must manually enable them.

Failover Clustering

Failover Clustering allows multiple servers to work together to provide high availability of services and applications. Failover Clustering is often used for file and print services, database, and e-mail applications.

Group Policy Management

Group Policy Management makes it easier to understand, deploy, manage, and troubleshoot Group Policy implementations. The standard tool is Group Policy Management Console (GPMC), a scriptable Microsoft Management Console (MMC) snap-in that provides a single administrative tool for managing Group Policy across the enterprise.

Internet Printing Client

Internet Printing Client enables clients to use Internet Printing Protocol (IPP) to connect and print to printers on the network or Internet.

Internet Storage Name Server

Internet Storage Name Server (iSNS) provides discovery services for Internet Small Computer System Interface (iSCSI) storage area networks. iSNS processes registration requests, deregistration requests, and queries from iSNS clients.

LPR Port Monitor

Line Printer Remote (LPR) Port Monitor enables the computer to print to printers that are shared using any Line Printer Daemon (LPD) service. (LPD service is commonly used by UNIX-based computers and printer-sharing devices.)

Message Queuing

Message Queuing provides guaranteed message delivery, efficient routing, security, and priority-based messaging between applications. Message Queuing also accommodates message delivery between applications that run on different operating systems, use dissimilar network infrastructures, are temporarily offline, or that are running at different times.

Multipath I/O

Microsoft Multipath I/O (MPIO), along with the Microsoft Device Specific Module (DSM) or a third-party DSM, provides support for using multiple data paths to a storage device on Windows.

Network Load Balancing

Network Load Balancing (NLB) distributes traffic across several servers, using the TCP/IP networking protocol. NLB is particularly useful for ensuring that stateless applications, such as a Web server running Internet Information Services (IIS), are scalable by adding additional servers as the load increases.

Peer Name Resolution Protocol

Peer Name Resolution Protocol (PNRP) allows applications to register on and resolve names from your computer, so other computers can communicate with these applications.

Quality Windows Audio Video Experience

Quality Windows Audio Video Experience (qWave) is a networking platform for audio and video (AV) streaming applications on Internet protocol home networks. qWave enhances AV streaming performance and reliability by ensuring network quality-of-service for AV applications. It provides admission control, run time monitoring and enforcement, application feedback, and traffic prioritization. On Windows Server platforms, qWave provides only rate-of-flow and prioritization services.

Remote Assistance

Remote Assistance enables you (or a support person) to offer assistance to users with computer issues or questions. Remote Assistance allows you to view and share control of the user’s desktop in order to troubleshoot and fix the issues. Users can also ask for help from friends or co-workers.

Remote Differential Compression

The Remote Differential Compression (RDC) feature is a set of application programming interfaces (APIs) that applications can use to determine if a set of files have changed, and if so, to detect which portions of the files contain the changes.

Remote Server Administration Tools

Remote Server Administration Tools enables remote management of Windows Server 2003 and Windows Server 2008 from a computer running Windows Server 2008, by allowing you to run some of the management tools for roles, role services, and features on a remote computer.

Removable Storage Manager

Removable Storage Manager (RSM) manages and catalogs removable media and operates automated removable media devices.

RPC over HTTP Proxy

RPC over HTTP Proxy is a proxy that is used by objects that receive remote procedure calls (RPC) over Hypertext Transfer Protocol (HTTP). This proxy allows clients to discover these objects even if the objects are moved between servers or if they exist in discrete areas of the network, usually for security reasons.

Services for NFS

Services for Network File System (NFS) is a protocol that acts as a distributed file system, allowing a computer to access files over a network as easily as if they were on its local disks. This feature is available for installation on Windows Server 2008 for Itanium-Based Systems; in other versions of Windows Server 2008, Services for NFS is available as a role service of the File Services role.

Simple TCP/IP Services

Simple TCP/IP Services supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. Simple TCP/IP Services is provided for backward compatibility and should not be installed unless it is required.

SMTP Server

SMTP Server supports the transfer of e-mail messages between e-mail systems.

SNMP Services

Simple Network Management Protocol (SNMP) is the Internet standard protocol for exchanging management information between management console applications—such as HP Openview, Novell NMS, IBM NetView, or Sun Net Manager—and managed entities. Managed entities can include hosts, routers, bridges, and hubs.

Storage Manager for Storage Area Networks

Storage Manager for Storage Area Networks (SANs) helps you create and manage logical unit numbers (LUNs) on Fibre Channel and iSCSI disk drive subsystems that support Virtual Disk Service (VDS) in your SAN.

Subsystem for UNIX-based Applications

Subsystem for UNIX-based Applications (SUA), along with a package of support utilities available for download from the Microsoft Web site, enables you to run UNIX-based programs, and compile and run custom UNIX-based applications in the Windows environment.

Telnet Client

Telnet Client uses the Telnet protocol to connect to a remote telnet server and run applications on that server.

Telnet Server

Telnet Server allows remote users, including those running UNIX-based operating systems, to perform command-line administration tasks and run programs by using a telnet client.

Trivial File Transfer Protocol Client

Trivial File Transfer Protocol (TFTP) Client is used to read files from, or write files to, a remote TFTP server. TFTP is primarily used by embedded devices or systems that retrieve firmware, configuration information, or a system image during the boot process from a TFTP server.

Windows Internal Database

Windows Internal Database is a relational data store that can be used only by Windows roles and features, such as UDDI Services, AD RMS, Windows Server Update Services, and Windows System Resource Manager.

Windows Internet Name Service (WINS)

Windows Internet Name Service (WINS) provides a distributed database for registering and querying dynamic mappings of NetBIOS names for computers and groups used on your network. WINS maps NetBIOS names to IP addresses and solves the problems arising from NetBIOS name resolution in routed environments.

Windows PowerShell™

Windows PowerShell is a command-line shell and scripting language that helps IT professionals achieve greater productivity. It provides a new administrator-focused scripting language and more than 130 standard command-line tools to enable easier system administration and accelerated automation.

Windows Process Activation Service

Windows Process Activation Service (WAS) generalizes the IIS process model, removing the dependency on HTTP. All the features of IIS that were previously available only to HTTP applications are now available to applications hosting Windows Communication Foundation (WCF) services, using non-HTTP protocols. IIS 7.0 also uses WAS for message-based activation over HTTP.

Windows Server Backup Features

Windows Server Backup Features allow you to back up and recover your operating system, applications, and data. You can schedule backups to run once a day or more often, and can protect the entire server or specific volumes.

Windows System Resource Manager

Windows System Resource Manager (WSRM) is a Windows Server operating system administrative tool that can control how CPU and memory resources are allocated. Managing resource allocation improves system performance and reduces the risk that applications, services, or processes will interfere with each other to reduce server efficiency and system response.

Wireless LAN Service

Wireless LAN (WLAN) Service configures and starts the WLAN AutoConfig service, regardless of whether the computer has any wireless adapters. WLAN AutoConfig enumerates wireless adapters, and manages both wireless connections and the wireless profiles that contain the settings required to configure a wireless client to connect to a wireless network.

Reference: Microsoft TechNet.
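The point made earlier about installing only the binaries a role needs, and the note in the feature list that legacy services such as Simple TCP/IP Services should not be installed unless required, both come down to one question: what is actually installed on this box? The following PowerShell is an added example (not from the original post or from Microsoft) that inventories installed roles and features and flags the legacy ones. It assumes PowerShell 2.0 or later; on Windows Server 2008 R2 and later it uses the ServerManager module, and on Windows Server 2008 it falls back to servermanagercmd.exe, whose "[X] Display Name  [Id]" report format is an assumption made here.

```powershell
# Added example: inventory installed roles/features and flag legacy services.
# Display names below match the feature list on this page; the set is my choice.
$legacyFeatures = @(
    'Telnet Server',                            # clear-text remote administration
    'Telnet Client',
    'Simple TCP/IP Services',                   # chargen/daytime/discard/echo/qotd
    'SMTP Server',
    'SNMP Services',
    'Trivial File Transfer Protocol Client'
)

function Get-InstalledFeatureNames {
    Import-Module ServerManager -ErrorAction SilentlyContinue
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        # Windows Server 2008 R2 and later
        return Get-WindowsFeature | Where-Object { $_.Installed } |
               ForEach-Object { $_.DisplayName.Trim() }
    }
    # Windows Server 2008 RTM: parse the text report (format is an assumption)
    $report = & "$env:SystemRoot\System32\servermanagercmd.exe" -query
    foreach ($line in $report) {
        if ($line -match '^\s*\[X\]\s+(.+?)\s+\[') { $matches[1].Trim() }
    }
}

function Get-LegacyFeatureFindings {
    $installed = @(Get-InstalledFeatureNames)
    foreach ($name in $installed) {
        if ($legacyFeatures -contains $name) {
            New-Object PSObject -Property @{
                Feature = $name
                Finding = 'Installed; remove unless a documented requirement exists'
            }
        }
    }
}

$all = @(Get-InstalledFeatureNames)
"Installed roles and features: $($all.Count)"
Get-LegacyFeatureFindings | Format-Table Feature, Finding -AutoSize
```

Run it from an elevated PowerShell session; an empty findings table means none of the listed legacy services is installed, and a non-empty one is a short list to justify or remove.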

Server Manager starts when Windows starts and you log on. This behavior can be changed:

If you feel that Server Manager is a nag (which I seriously do at times) and do not want it to open when you log on, you need to tweak the following registry keys.

Don't open Server Manager when you log on:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Server Manager

By default the value is 0. Change it to 1 to prevent the window from opening.

There is also an Initial Configuration Tasks window that opens. That can be disabled as well.

To not open the Initial Configuration Tasks window:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Server Manager\oobe

The default value is 0; change it to 1.
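The two registry tweaks above, scripted so they can be applied consistently across servers, as an added example that is not part of the original post. The value names DoNotOpenServerManagerAtLogon and DoNotOpenInitialConfigurationTasksAtLogon are the ones I know from Windows Server 2008; on the systems I have seen the key is spelled ServerManager (no space), which is what the script uses. It reads the current value before setting it, so the change is visible in the output.

```powershell
# Added example: suppress Server Manager and Initial Configuration Tasks at logon.
# Run from an elevated PowerShell session (writes to HKLM).
$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\ServerManager';      Name = 'DoNotOpenServerManagerAtLogon' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\ServerManager\Oobe'; Name = 'DoNotOpenInitialConfigurationTasksAtLogon' }
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) {
        New-Item -Path $s.Path -Force | Out-Null
    }
    # An absent value behaves like the documented default of 0
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($current -eq $null) { $current = 0 }
    "{0}\{1}: {2} -> 1" -f $s.Path, $s.Name, $current
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value 1 -Type DWord
}
```

Setting the values back to 0 restores the default behaviour; the change takes effect at the next logon.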

We will discuss Active Directory Domain Services in depth.

Active Directory & AD DS on Windows Server 2008:

Active Directory Domain Services is installed if you plan to make the server a domain controller. Other tools such as dcdiag and netdom are installed by default when you install the role. Unfortunately, replmon is no longer present.

Can you upgrade a server running Windows Server 2003 Active Directory to Windows Server 2008 AD DS? The answer is yes. However, in-place upgrade of certain other roles is not supported. I would recommend doing a fresh install of Windows Server 2008 AD DS and then demoting the existing domain controller after transferring the FSMO roles, Global Catalog, etc. There is a change in the way Group Policy is implemented in Windows Server 2003 / XP versus Windows Vista / Windows Server 2008.

We will discuss the other details in Part 2 of this post.

ISA Error 14075


One of these days, I received a call stating that the Firewall service at one of our customers had gone down. The server is running Windows 2003 SP2 with ISA 2006 SP1.
Also installed on the same server is SurfControl. How did it start? Well, one of the administrators restarted the service!

Event ID: 14057.
The source is Microsoft Firewall.
Description:
The firewall services stopped because an application filter module C:\windows\system32\alockout.dll generated an exception code c00000005 in address 710DBE2C. when function complexAsyncIO was called. To remove recently installed application filters and restart the service.

Well, I was not so sure whether SurfControl needed to implement alockout.dll; I was pretty sure that it would not. So I asked the site admin to find out whether any changes had been made... none to his knowledge.

The administrator had restored from a backup, complete system state. No way to audit who had installed them, no forensic evidence there (not a good practice to be followed). I asked the administrator to rename it back to alockout.dll; once done, I asked him to run regsvr32 /u alockout.dll, which said that the file failed to register. That was fine as long as we could find the registry entry.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
Value: AppInit_DLLs

Deleted the AppInit entry and asked him to delete the file. ISA seems to be working.
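Anything listed in AppInit_DLLs is loaded into every process that links user32.dll, which is why a stray DLL there can take down the Firewall service, and why the value is worth auditing routinely rather than only after an outage. The following PowerShell is an added example (not part of the original post) that lists each AppInit_DLLs entry, checks whether the file exists and whether it carries a valid Authenticode signature, and pulls the matching firewall crash events from the Application log. It assumes PowerShell 2.0 or later; the Wow6432Node path applies only to 64-bit hosts, bare file names are assumed to resolve from System32, and the event source name 'Microsoft Firewall' and Event ID 14057 are taken from the event described above.

```powershell
# Added example: audit AppInit_DLLs and correlate with Microsoft Firewall event 14057.

function Get-AppInitDllAudit {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # x64 only
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # LoadAppInit_DLLs (Vista/2008 and later) gates the mechanism; on Windows 2003
        # it does not exist and any listed DLL is loaded unconditionally.
        $gate = $props.LoadAppInit_DLLs
        $list = [string]$props.AppInit_DLLs
        # Entries are separated by spaces or commas
        foreach ($entry in @($list -split '[ ,]+' | Where-Object { $_ })) {
            if ([IO.Path]::IsPathRooted($entry)) { $path = $entry }
            else { $path = Join-Path $env:SystemRoot "System32\$entry" }   # assumption
            $exists = Test-Path $path
            if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
            else { $sig = 'FileMissing' }
            New-Object PSObject -Property @{
                Key = $key; LoadAppInit_DLLs = $gate; Dll = $entry
                Path = $path; Exists = $exists; Signature = $sig
            }
        }
    }
}

function Get-FirewallFilterCrashes {
    # Event ID and source as reported in the incident above
    Get-EventLog -LogName Application -Newest 500 |
        Where-Object { $_.Source -eq 'Microsoft Firewall' -and $_.EventID -eq 14057 } |
        Select-Object TimeGenerated, EventID, Message
}

Get-AppInitDllAudit | Format-Table Dll, Exists, Signature, LoadAppInit_DLLs, Key -AutoSize
Get-FirewallFilterCrashes | Format-List
```

An entry whose Signature is anything other than Valid (or whose file is missing, as with a DLL that was renamed away) is the one to investigate; recording the audit output before a system-state restore also preserves the evidence that was lost in the case above.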