Windows Server 2012 R2 server hardening and best practices

You can search for Windows Server hardening until you’re blue in the face, and find a little bit here and there. The sum of the parts are still less than the whole of this article. I’m going to provide you with my own personal hardening guidelines, as well as the Powershell code/GPO settings to easily implement them. In addition, I’m going to throw in some best practices. That said, every environment is different… so… do your own testing and research, but feel free to use this as your baseline.

Powershell

Set TcpTimedWait to 30 seconds to avoid running out of ephemeral ports

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -name TcpTimedWaitDelay -propertytype dword -value 30 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -name TcpTimedWaitDelay -value 30 -errorAction SilentlyContinue | Out-Null

Set Priority Separation to background services

Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\PriorityControl' -name Win32PrioritySeparation -value 24 -errorAction SilentlyContinue | Out-Null

Disable NIC power management

new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0002' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0003' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0004' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0009' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0012' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0013' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0014' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0015' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0016' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0017' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0018' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0019' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0020' -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0002' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0002' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0003' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0003' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0004' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0004' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0009' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0009' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0012' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0012' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0013' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0013' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0014' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0014' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0015' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0015' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0016' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0016' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0017' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0017' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0018' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0018' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0019' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0019' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0020' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0020' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null

Turn UAC off since it just gets in the way and doesn’t add as much security as Microsoft tried to sell us on

Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name ConsentPromptBehaviorAdmin -value 0 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name EnableLUA -value 0 -errorAction SilentlyContinue | Out-Null

Set DEP to Opt-In

bcdedit /set nx OptIn | Out-Null

Configure WinRM

winrm quickconfig -quiet | Out-Null

Enable Windows Firewall

netsh advfirewall set allprofiles state on | Out-Null

Disable Server Manager from running at login

schtasks /change /disable /tn "\Microsoft\Windows\Server Manager\ServerManager" | Out-Null

Disable IE (make sure you have Chrome installed… or don’t use web browsing at all on the server and use a central software repo)

dism /online /disable-feature /featurename:Internet-Explorer-Optional-amd64 | Out-Null

Disable SMBv1. If you have any vendors at all still using SMBv1, open up a support ticket every day until they fix it. That’s just stupid.

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force | Out-Null
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart | Out-Null

Rename the Administrator account

$admin=[adsi]“WinNT://./Administrator,user”
$admin.psbase.rename(“therealadmin”)

Configure NTP

sc config w32time start= auto > nul
sc start w32time > nul
timeout 5
w32tm /config /syncfromflags:domhier /update > nul

Configure Windows to dump full memory.dmp file

wmic recoveros set debuginfotype = 1 > nul

Group Policy

Disable last username (because there are python scripts out there that can scrub usernames using OCR via RDP). Yea, it’s that easy for people to find usernames to bruteforce on your network. We’re also going to disable cached logons, it’s too easy for attackers to exploit these saved credentials.

Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Interactive Logon

Interactive logon: Do not display last username: Enabled
Interactive logon: Number of previous logons to cache: 0

Enable SMB signing. Without it you’re basically giving your network away to attackers.


Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Microsoft Network Client

Microsoft Network client: Digitally sign communication (if server agrees): enabled

Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Microsoft Network Server

Microsoft Network server: Digitally sign communication (always): enabled
Microsoft Network server: Digitally sign communication (if client agrees): enabled

Full paranoia mode… let’s clear that pagefile at shutdown.


Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Shutdown

Shutdown: Clear virtual memory pagefile: enabled

Disable WPAD because it leaks NTLMv1 hashes which are easy to crack.


Computer>Policies>Windows Settings>Security Settings>System Services

WinHTTP Web Proxy Auto-Discovery Service (Startup Mode: Disabled)

Turn off LLMNR, because poisoning is bad mmmmkay.


Computer>Policies>Administrative Templates>Network/DNS Client

Turn off multicast name resolution: enabled

Turn off wdigest, another leaky NTLM hash hole.


Computer>Preferences>Windows Settings>Registry

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential 0x0 (DWORD)

Enable NLA for Remote Desktop. There’s zero reason NOT to do this.


Computer>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host/Security

Require user authentication for remote connections by using Network Level Authentication

Change DNS TTL to 300 seconds (5 minutes) instead of the default. If something happens and the IP changes, this will minimize the outage for clients.


Computer>Administrative Templates>Network>DNS Client

TTL value for A and PTR records: enabled, 300 seconds

… and that’s all I have. These are lessons learned through various security audits and technical issues I’ve run into over the years. I deploy these to every server that gets spun up, and recently received praise from the guys at Rapid7 during our last security audit. I made it very difficult for them 🙂

Did you find value in this article?
Feel free to donate!
BTC 13QFVycCaP3QV8uRXKSm7picypE1a2gLYx
LTC LPA3M2mHcwJG5WpKi8oyS2RiJoLHt1bXyw
ETH 0x0cd8434f8C47fC2d92197748958824B8e7bFD2f2

The “easy” way to setup a Nutanix Disaster Recovery site

Nutanix is great for many reasons, I won’t go into all of them here, but one of my favorite features is the asynchronous replication. If your environment is configured correctly, setting up a disaster recovery environment can be super simple.

Let’s start with prerequisites:

  • At least 2 sites running Nutanix
  • Network infrastructure capable of configuring VRFs
  • Virtual IPAM solution, or duplicate IPAM hardware for test/dev
  • Asynchronous replication is already configured to the remote site

Now, let’s make some assumptions. Your corporate network is 10.0.0.0/16, and you have multiple subnets for various things. The only subnet we care about for this scenario are the subnet(s) added to networking within Nutanix. Let’s pretend it’s a single subnet, 10.0.1.0/24, on VLAN 101. Your second site can be any site; dedicated to disaster recovery or ROBO. Networking for the DR site is irrelevant for now.

The first thing we’re going to do is plan out the DR networking requirements. You have 1 or more PDs being replicated on a single VLAN. The remote site probably has it’s own networking. There are a whole bunch of things we could probably do (VXLAN for instance), but we’re going to make this simple. VRFs allow us to create duplicate networks without having a conflict on interfaces or in routing tables. You’ll need a single VRF and 1 VLAN assigned to that VRF. I’m going to use Brocade VDX (NOS) in this example.

First, the VLAN interfaces. Remember how I said we only needed 1? Yea, well… you could probably get away with 1 but I like to use /30 for firewalls, so we’ll add that now as well as the WAN VLAN. I’ll explain later. We’ll be making all of these changes to the switching/routing infrastructure at your disaster recovery site.

int vlan 1099
name DR_WAN
int vlan 1100
name DR_FWP2P
int vlan 1101
name DR_SUBNET10_1

Now I’m going to define the VRF. The VDX in my example is running in a VCS fabric. The default gateway will come into play later. Also, we’re enabling OSPF to make things easy. The default gateway for the new VRF will be whatever firewall you use. Virtual firewall, dedicated firewall… whatever you want.

rbr 1
vrf dr-vrf
address-family ipv4 unicast
ip route 0.0.0.0/0 10.255.255.1
router ospf vrf dr-vrf
area 0

Next up, we’re going to setup the router interfaces. I’m going to assume you use DHCP and have 2 DHCP servers. I actually prefer to use DHCP and DHCP reservations for servers (cattle not pets; see devops mentality). The IPAM solution I use has great APIs that are leveraged during the automated build process to automatically reserve an IP in a pool of addresses. The WAN VLAN does not require a routed interface, we just need that layer 2 connection.


interface Ve 1100
vrf forwarding dr-vrf
ip ospf area 0
no ip proxy-arp
ip address 10.255.255.2/30
no shutdown
interface Ve 1101
vrf forwarding dr-vrf
ip ospf area 0
ip dhcp relay address 10.0.1.10
ip dhcp relay address 10.0.1.11
no ip proxy-arp
ip address 10.0.1.1/24
no shutdown

At this point, we now have 3 VLANs on a VRF with two routed interfaces. The next step would be to add all 3 VLANs, 1099-1100 and 1101 to all of your Nutanix interfaces, and also into Prism networking. I typically use the VLAN name in the switch as the name in Prism for consistency. Once the VLANs are added, you will go into the Protection Domains at both sites and remap the production network to the DR VRF network. Let’s visualize it…

Now… why the firewall VLAN? To make things REALLY easy, I recommend using a permanent virtual firewall that is always running in your DR environment. Several vendors offer virtual instances now, and many of them will offer discounted rates for non-production environments. This applies to load balancers as well… If you use the same vendor, likely, you can backup and restore the config periodically so that the firewall and load balancers are always ready for a DR event. You will need a dedicated internet connection, or at the very least, a spare dedicated IP you can assign to the DR firewall (which would end up reusing a pre-existing WAN VLAN or moving WAN connections to a switched VLAN). You will likely not be able to use your ROBO firewall due to IP and routing conflicts (firewalls are not VRF aware), hence a separate virtual firewall. In this case, I’m using VLAN 1099.

WAN connection -> switch port on VLAN 1099 -> VLAN 1099 added to all Nutanix interfaces -> VLAN 1099 assigned to virtual firewall NIC 1 “WAN”
VLAN 1100 added to all Nutanix interfaces -> VLAN 1100 assigned to virtual firewall NIC 2 “LAN”

Configure your firewall appropriately. I assigned 10.255.255.2/30 to the switch, so assign 10.255.255.1/30 to the firewall LAN interface. Assign an appropriate IP to your WAN interface. You have a lot of remote access options here… SSL VPN, IPSEC VPN, RemoteApp (if you are a Windows environment), Citrix, etc. Essentially however your users typically access your production environment will be how you want to configure your DR firewall. You can use Amazon’s Route53 or DNSMadeEasy for DNS failover, or a specific DR DNS record. For example, if production users goto remote.whateveryourdomainis.com, then DR would be remote-dr.whateveryourdomainis.com. The rest is user education.

So, to recap, we have our PDs mapped to our new VRF network. A virtual firewall that mimics our production firewall, with it’s own dedicated IP. At this point you can activate the PD on the ROBO site. All of the VMs will get added to Prism… double check the VLAN assignment if you wish. Power everything up. Your self contained DR is now ready to go. If your team is compartmentalized (network admins, server admins, Nutanix admins, etc.) this may be more difficult to accomplish as it requires a great deal of teamwork. However, I highly recommend this route as it is extremely easy to setup, test and run. When you’re done testing, shut everything down and deactivate the PD.

If you have a DMZ in addition to a production network, you can create a second VRF or add the DMZ network to the same VRF as production. This would obviously remove security constraints, but in a DR scenario… what do you want to be troubleshooting? ACLs and multiple VRFs? or would you rather focus on restoring access to end users… Every environment is unique, some environments will require mirrored security constraints. Others will not, and for those I suggest dumping ALL VLANs into a single DR VRF for simplicity.

Side note: Fortinet, in my opinion, has an amazing product line and an UI/UX similar to what I’ve come to appreciate about Nutanix. We use them pretty heavily at the office, so they provided us with a virtual Fortigate and virtual FortiADC (load balancer) for practically nothing. Took about 5 minutes to spin them both up. I highly recommend looking at their products. As an alternative, their larger hardware firewalls support virtual domains (think: virtualized firewalls or VRF but for firewalls). If your company is budget-minded, you can place your DR and Production firewall on the same hardware. I’m sure other vendors are capable of this, but I’ve found that Fortinet makes it super easy.

Did you find value in this article?
Feel free to donate!
BTC 13QFVycCaP3QV8uRXKSm7picypE1a2gLYx
LTC LPA3M2mHcwJG5WpKi8oyS2RiJoLHt1bXyw
ETH 0x0cd8434f8C47fC2d92197748958824B8e7bFD2f2

Small Business Server 2011 migration issues

Here are some of the common issues I’ve run into on back to back migrations from Microsoft Small Business Server 2003 to Small Business Server 2011:

Error: Object not found when trying to migrate mailboxes from Exchange 2003
Solution: Add the SBS 2011 computer object to the “Exchange Domain Servers” group manually. Reboot SBS 2011 to complete the process.

Error: Trying to login to Outlook Web Access results in IIS server error 500
Solution: Ensure that the Microsoft Exchange Forms-Based Authentication service is started. One way to ensure this starts in the future is to modify the service to be Automatic (Delayed).

How To: Easiest way to migrate shares from SBS 2003 to SBS 2011
Ycopy (has a easy to use GUI interface)

How To: Migrating Recipient Policies and Address Lists
Get-EmailAddressPolicy | where {$_.RecipientFilterType -eq "Legacy"} | Set-EmailAddressPolicy -IncludedRecipients AllRecipients
Set-AddressList "All Users" -IncludedRecipients MailboxUsers
Set-AddressList "All Groups" -IncludedRecipients Mailgroups
Set-AddressList "All Contacts" -IncludedRecipients MailContacts
Set-AddressList "Public Folders" -RecipientFilter {RecipientType -eq "PublicFolder"}
Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}

Outlook error: Cannot open default mail folders
Option 1. Verify the MS Exchange RPC Client Access service is running
Option 2. Set-RpcClientAccess –Server server_name –EncryptionRequired $False

Unable to create VPN sessions

If you receive any of the following errors in your event log when trying to establish a VPN session or PPP session, then the fix for you is listed below. I noticed this when trying to establish a VPN session through a Netgear VPN box. I checked my event logs and found the event IDs listed below.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Description:
The Remote Access Connection Manager service terminated with the following error:
The specified procedure could not be found.

Event Type: Error
Event Source: Rasman
Event Category: None
Event ID: 20063
Description:
Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified procedure could not be found.

Event Type: Error
Event Source: RemoteAccess
Event Category: None
Event ID: 20070
Description:
Point to Point Protocol engine was unable to load the C:\Program Files\Symantec AntiVirus\SymRasMan.dll module. The specified module could not be found.

Quote from http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008010718082848

“To work around this problem, restore the registry string values with the following variable path to rastls.dll:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
ConfigUiPath %SystemRoot%\System32\rastls.dll
IdentityPath %SystemRoot%\System32\rastls.dll
InteractiveUIPath %SystemRoot%\System32\rastls.dll
Path %SystemRoot%\System32\rastls.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25
ConfigUiPath %SystemRoot%\System32\rastls.dll
IdentityPath %SystemRoot%\System32\rastls.dll
InteractiveUIPath %SystemRoot%\System32\rastls.dll
Path %SystemRoot%\System32\rastls.dll”

Microsoft Outlook: “the account you have added is not fully configured” error

I recently discovered a fix for the rare but annoying “the account you have added is not fully configured” when attempting to add an Exchange mailbox in Outlook 2003. I discovered it by mentioning it to a co-worker who happened to know about this rare issue– which is not documented anywhere that I searched (brief Google search including Microsoft KB or Experts Exchange). I probably didn’t give it my best effort, but nonetheless, the fix was incredibly simple.

The fix is to search for mapisvc.inf and delete both instances (windows/system32 and program files/common files), then re-create the Outlook profile which will be wiped out as a result.

Preventing Spyware

You wouldn’t be reading this if you weren’t curious about spyware… I’ve shown you how to get rid of it (easily) so lets look at how to prevent it.

I’m not going to repeat myself so I won’t go into detail, but spyware has several limitations. If you don’t want to get too advanced, here are a few easy ways to prevent spyware:

1. Use Internet Explorer 8 (stop whining, it does work very well)

2. Use Google Chrome (preferred method)

3. Use Mozilla Firefox (whatever the lastest version is)

4. Don’t click on pop-ups… if you have a pop-up blocker, turn it on!

5. If it tells you that you have a virus, the thing telling you is probably the virus… stop clicking on things!

6. Download and install MalwareBytes… then do a full scan occasionally

Now for more advanced ways!

1. Set security on C:\windows\system32\drivers\etc\hosts to Everyone read-only

2. Use regedt32 to set permissions on HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN and HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN to Everyone Read-Only. *** SOME SOFTWARE INSTALLS WILL NOT LIKE THIS: meaning future installations of software may fail because they cannot write to this key ***

3. Research CLEANMGR and use it’s “autopilot” function to clean temp files every time you reboot.

4. If you are in a domain environment, lock down Internet Options (specifically the proxy part)– and if you ARE in a domain environment, get a web filter… Barracuda even has its own spyware removal tool. There are some free ones out there like Untangle that even work pretty well.

5. Change your DNS to OpenDNS servers (http://opendns.org/) by setting it manually on your NIC or where ever you get DHCP from (at home this would be your “Linksys” router)

6. Set these registry keys to everyone read-only as well HKEY_CLASSES_ROOT/.exe and HKEY_CLASSESROOT/exefile

Dealing With Spyware

Let’s face it… I’ve never had spyware and I look at porn, and browse the web for hours at a time… whats your problem? 🙂 All kidding aside, spyware is a real problem. I’m sure everyone reading this at some point or another has had or dealt with fake antivirus software that just will NOT go away! Luckily for you I do this for a living and understand the limitations of spyware and how to deal with it. Coders are lazy people… they do just enough to get things to work and patch/update as problems arise rather than spending a few extra days to plan out every possible scenario and code it into their program– I suppose if Microsoft tried that… well… lol

Current spyware has several limitations:

  • Unable to cross user profiles (possibly due to Windows Vista/7 and UAC… limiting coders options to the current user). While this is not a REAL limitation, when you code a program to mass infect, you have to make it as compatible as possible. Sticking around in the current user’s profile makes the software very compatible.
  • Relies on reboots/triggers to activate. Usually spyware will associate itself with .exe (exefile) in the registry, other times it will load as a hook… because of this it has more limitations. One of these triggers is setting Internet Options to use a proxy… the proxy is the spyware usually as a service or as a DLL hook
  • It can’t effectively control where you go in explorer.exe (Windows shell) or it would potentially block itself…
  • It usually can’t block regedit because it makes changes to the registry… or it would potentially block itself…
  • To deal with antivirus and AWESOME programs like MalwareBytes… it has to remain anonymous. Thus, its very easy to spot 130e9rjfm312rja.exe in a folder or in task manager
  • If you are lucky enough to be in a domain environment, it can’t stop domain admin from another PC using PSTOOLS! 🙂

I think you get the point, so here’s what I am going to do for you today… I’m going to teach you… how to count….all the way… to schffifty schvive. Actually… I’m going to show you how to solve 99% of spyware problems.

Problem: You have spyware!

Solution: Taking what we know into account, the first thing you should do is create a new user and set a good password. If you anticipate having lots of spyware problems, leave the account in place when we are done. In almost all verisons of windows, its the same process to add a new user

1. Start

2. Control Panel

3. User Accounts

4. Add a new user (administrative user, not standard user)

5. Call it… swsvc or AntiSpyware or.. Joe (me) and everytime you get spyware you can login as me (Joe)

6. Create a password… preferably a pass-phrase. A pass-phrase is at least 14 characters… you can use your phone number spelled out, i.e. “four eight zero five five five one two three four”

7. Reboot

When the computer comes back up, login as the new user you created. If you are lucky, the spyware hid itself in an obvious place and we can delete it before we continue. Once you are logged in, click Start, click Run (or use Windows key + R) and launch “regedit” then navigate to LOCAL MACHINE>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION>RUN

This is usually how the spyware starts everytime you reboot. Check for items that have a path starting with \users\<your username>\appdata\local or \documents and settings\<your username>\. These paths usually end up somewhere in a temp folder with a random lettered/numbered executable.

Honestly though, you can probably delete everything under Run and be safe. Most of that stuff is your quick launch, antivirus tray icon (not the service), adobe quick launch, java update, etc. Once that is done, browse to USERS>long string of numbers>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION>RUN. There are going to be quite a few “SIDs” which are the long string of numbers, but y0u won’t find that path if it isn’t a valid user. So take the time and explore them all. Delete anything “weird” under Run.

Just for the heck of it, Windows Vista/7 users should open up My Computer and browse to \users\<their username>\appdata\local\ and look inside temp and microsoft for folders that have random letters and numbers. XP users will do the same, except use \documents and settings\<their username>\application data\ or \documents and settings\<their username>\local settings\.

Once you’re done looking, whether you find anything or not, goto Start > Control Panel > Internet Options > Connections tab > LAN Settings button and clear all the check boxes.

Next step is to download the greatest tool ever made, MalwareBytes. Here is a link: http://download.cnet.com/3001-8022_4-10804572.html?spi=cd39b95079d2256cc6dc1fc880e6e8d0&part=dl-10804572

MalwareBytes is small, compact, FREE… it doesn’t have bloat-ware or annoying ads… and it WORKS! It is your typical Next>Next>Finish type of installation. No tricks… At the very end  of the install leave “Update” and “Launch” checked.

After it updates and opens up, close it. — yea… lol. You could have unchecked “Launch” but let’s face it… we’re already worn out trying to search for this article.

In Vista/7 we have to right click MalwareBytes and “Run as Administrator” or it will not search other user’s profiles.

Once its loaded, do a full scan on C:\ … and wait… depending on how many files (usually 100,000 per hour if you have a decent PC) you might have to wait a while.

Once the scan is completed, it will have undoubtedly found your spyware. Remove all of it and reboot. Login as your regular user and verify the spyware is gone. You will have to double check Internet Options again (as noted above) and verify the same things. If you don’t, internet might not work right away.

Side notes:

Under rare circumstances, spyware will associate itself with .exe and exefile in the registry. If you open up regedit, navigate to HKEY_CLASSES_ROOT\.exe, default should be set to exefile. If it is not, it is probably set to scefile or something else. In any case, browse to HKEY_CLASSES_ROOT\exefile or scefile or whatever is there, and check the load options (SHELL>OPEN>COMMAND) and see if it provides you with a strange path.  Command default should be set to “%1 %*”

Also a rarity, once in a while the spyware will infect your hosts file. This file is located at C:\windows\system32\drivers\etc\hosts. The easiest way to open this file, is to have notepad open, and drag/drop it into notepad. It should have ONE entry (two if you have IPv6):

127.0.0.1       localhost
::1             localhost

If you can’t figure this out, or something isn’t working and you haven’t removed your spyware… leave a comment with the exact steps and messages you get and I will surely (inb4 don’t call me Shirly) try to answer your questions. If you are in the Phoenix area, I can always come over and fix your problems for a nominal fee.

Disappearing E-mail Text

Problem: Random e-mails (most notably distribution group e-mails) are delivered to users with stripped bodies, i.e. no text inside the e-mail.

I was not sure where to start with this, so I began my search in the obvious places… Microsoft Message Tracking and the spam filter. Well… for one, the company was not using a smart-host and this was happening on internal e-mails, so I could rule out the spam filter. I attempted to troubleshoot using message tracker, but of course it would only tell me the e-mail was delivered.

I patched and configured the server until I was blue in the face to make sure all the bugs were removed. The server was configured identically to most 2003 servers I’ve come across. The server had Eset anti-virus (non-Exchange version) which we upgraded… uninstalled… replaced… nothing resolved the issue.

Finally, I did some research on CommVault and NetVault (both running on the server, unsure of job status because at the time I did not have access to the backup software as I was an outside consultant only given specific access. On a whim I disabled both and had them do several tests… all of which worked successfully.

Internally they made the decision to discontinue the use of one of the backup solutions on the Exchange server.

Resolution: Don’t use two  log-based backup solutions on an Exchange server. I imagine both solutions had some sort of continous backup technology where they were constantly monitoring and backing up logs, causing the e-mail text to be misplaced.

Is your e-mail broken? Blame Cisco.

Just a few things you may eventually come across:

Getting an NDR stating #500 Firewall Error# is usually the fault of Cisco IOS. Chances are you have the ip inspect command set for smtp/esmtp. Removing this resolves the error (which may be inconsistent and difficult to replicate on demand).

Fixing Fake AntiVirus spyware infections is very easy in a domain environment through the use of PSLIST/PSKILL from the PSTOOLS package that Microsoft has available through Sysinternals. It appears that most fake antivirus programs associate themselves with the “exefile” class and redirect .exe to a “scefile” class where it loads its own executable as a wrapper. If by chance you can still run regedit (some block it… others don’t) you can remove the wrapper from the key in regedit and then set permissions on the key to read only for everyone. This will allow you to download and install MalwareBytes and/or ComboFix. Other times regedit is blocked and you will have to locate the file itself (almost always in the user’s temp files) and set permissions to deny full control to everyone and end the task. If you are looking for AntiVirus software that works well in preventing this type of spyware infection, either Symantec Endpoint (11.0.5 is latest release) or Microsoft Forefront Client Security seem to work very well.

20-20 Worksheet: The file format was not recognized

A while back I was troubleshooting an error for a user running 20-20 Worksheet on a Windows XP machine. The user was one of many running the program, but had a specific issue opening sif files that no one else had.

If she attempted to open a sif file, she would get the file format was not recognized. Other users would attempt to open the same file and they would not have errors.

Like most technicians… I don’t have the patience to call other companies for technical support. So I sent 2020 customer support an e-mail and while I waited I decided to do it on my own.

I quickly downloaded process monitor and excluded all the crap. I opened the sif file and magic! It couldn’t find a few registry entries (HKCU/Software/Classes/CLSID and HKCR/CLSID). I went to a machine that was working and exported the missing keys and it fixed the problem.

Problem: Opening a .sif file within 20-20 Worksheet produced a “The file format was not recognized” error message.
Resolution: Import missing registry keys

…the best part is the e-mail correspondence between myself and “technical support”

“Great,

What registry key did you import into her machine that fixed it?? And where in the registry did you find this key?

Thanks

Sincerely, 20-20 Technical Support Team”