Windows Server 2012 R2 server hardening and best practices

You can search for Windows Server hardening until you’re blue in the face, and find a little bit here and there. The sum of the parts are still less than the whole of this article. I’m going to provide you with my own personal hardening guidelines, as well as the Powershell code/GPO settings to easily implement them. In addition, I’m going to throw in some best practices. That said, every environment is different… so… do your own testing and research, but feel free to use this as your baseline.

Powershell

Set TcpTimedWait to 30 seconds to avoid running out of ephemeral ports

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -name TcpTimedWaitDelay -propertytype dword -value 30 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -name TcpTimedWaitDelay -value 30 -errorAction SilentlyContinue | Out-Null

Set Priority Separation to background services

Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\PriorityControl' -name Win32PrioritySeparation -value 24 -errorAction SilentlyContinue | Out-Null

Disable NIC power management

new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0002' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0003' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0004' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0009' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0012' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0013' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0014' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0015' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0016' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0017' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0018' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0019' -errorAction SilentlyContinue | Out-Null
new-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0020' -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0002' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0002' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0003' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0003' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0004' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0004' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0008' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0009' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0009' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0012' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0012' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0013' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0013' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0014' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0014' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0015' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0015' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0016' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0016' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0017' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0017' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0018' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0018' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0019' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0019' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0020' -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0020' -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null

Turn UAC off since it just gets in the way and doesn’t add as much security as Microsoft tried to sell us on

Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name ConsentPromptBehaviorAdmin -value 0 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name EnableLUA -value 0 -errorAction SilentlyContinue | Out-Null

Set DEP to Opt-In

bcdedit /set nx OptIn | Out-Null

Configure WinRM

winrm quickconfig -quiet | Out-Null

Enable Windows Firewall

netsh advfirewall set allprofiles state on | Out-Null

Disable Server Manager from running at login

schtasks /change /disable /tn "\Microsoft\Windows\Server Manager\ServerManager" | Out-Null

Disable IE (make sure you have Chrome installed… or don’t use web browsing at all on the server and use a central software repo)

dism /online /disable-feature /featurename:Internet-Explorer-Optional-amd64 | Out-Null

Disable SMBv1. If you have any vendors at all still using SMBv1, open up a support ticket every day until they fix it. That’s just stupid.

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force | Out-Null
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart | Out-Null

Rename the Administrator account

$admin=[adsi]“WinNT://./Administrator,user”
$admin.psbase.rename(“therealadmin”)

Configure NTP

sc config w32time start= auto > nul
sc start w32time > nul
timeout 5
w32tm /config /syncfromflags:domhier /update > nul

Configure Windows to dump full memory.dmp file

wmic recoveros set debuginfotype = 1 > nul

Group Policy

Disable last username (because there are python scripts out there that can scrub usernames using OCR via RDP). Yea, it’s that easy for people to find usernames to bruteforce on your network. We’re also going to disable cached logons, it’s too easy for attackers to exploit these saved credentials.

Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Interactive Logon

Interactive logon: Do not display last username: Enabled
Interactive logon: Number of previous logons to cache: 0

Enable SMB signing. Without it you’re basically giving your network away to attackers.


Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Microsoft Network Client

Microsoft Network client: Digitally sign communication (if server agrees): enabled

Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Microsoft Network Server

Microsoft Network server: Digitally sign communication (always): enabled
Microsoft Network server: Digitally sign communication (if client agrees): enabled

Full paranoia mode… let’s clear that pagefile at shutdown.


Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Shutdown

Shutdown: Clear virtual memory pagefile: enabled

Disable WPAD because it leaks NTLMv1 hashes which are easy to crack.


Computer>Policies>Windows Settings>Security Settings>System Services

WinHTTP Web Proxy Auto-Discovery Service (Startup Mode: Disabled)

Turn off LLMNR, because poisoning is bad mmmmkay.


Computer>Policies>Administrative Templates>Network/DNS Client

Turn off multicast name resolution: enabled

Turn off wdigest, another leaky NTLM hash hole.


Computer>Preferences>Windows Settings>Registry

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential 0x0 (DWORD)

Enable NLA for Remote Desktop. There’s zero reason NOT to do this.


Computer>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host/Security

Require user authentication for remote connections by using Network Level Authentication

Change DNS TTL to 300 seconds (5 minutes) instead of the default. If something happens and the IP changes, this will minimize the outage for clients.


Computer>Administrative Templates>Network>DNS Client

TTL value for A and PTR records: enabled, 300 seconds

… and that’s all I have. These are lessons learned through various security audits and technical issues I’ve run into over the years. I deploy these to every server that gets spun up, and recently received praise from the guys at Rapid7 during our last security audit. I made it very difficult for them 🙂

Did you find value in this article?
Feel free to donate!
BTC 13QFVycCaP3QV8uRXKSm7picypE1a2gLYx
LTC LPA3M2mHcwJG5WpKi8oyS2RiJoLHt1bXyw
ETH 0x0cd8434f8C47fC2d92197748958824B8e7bFD2f2

Small Business Server 2011 migration issues

Here are some of the common issues I’ve run into on back to back migrations from Microsoft Small Business Server 2003 to Small Business Server 2011:

Error: Object not found when trying to migrate mailboxes from Exchange 2003
Solution: Add the SBS 2011 computer object to the “Exchange Domain Servers” group manually. Reboot SBS 2011 to complete the process.

Error: Trying to login to Outlook Web Access results in IIS server error 500
Solution: Ensure that the Microsoft Exchange Forms-Based Authentication service is started. One way to ensure this starts in the future is to modify the service to be Automatic (Delayed).

How To: Easiest way to migrate shares from SBS 2003 to SBS 2011
Ycopy (has a easy to use GUI interface)

How To: Migrating Recipient Policies and Address Lists
Get-EmailAddressPolicy | where {$_.RecipientFilterType -eq "Legacy"} | Set-EmailAddressPolicy -IncludedRecipients AllRecipients
Set-AddressList "All Users" -IncludedRecipients MailboxUsers
Set-AddressList "All Groups" -IncludedRecipients Mailgroups
Set-AddressList "All Contacts" -IncludedRecipients MailContacts
Set-AddressList "Public Folders" -RecipientFilter {RecipientType -eq "PublicFolder"}
Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}

Outlook error: Cannot open default mail folders
Option 1. Verify the MS Exchange RPC Client Access service is running
Option 2. Set-RpcClientAccess –Server server_name –EncryptionRequired $False

Lab in a Box

If you are on a budget, but you have a Cisco PIX 515, Cisco layer-3 switch (I’m using a 3550) and a HP DL/ML 3-series server, you can create an entire lab with just these three devices. Obviously, it doesn’t have to be Cisco or HP… but as long as the Firewall supports trunking and VLAN subinterfaces, the switch supports VRF routing and the server supports trunking/vlans, then you should be able to modify this to work for any setup accordingly.

Lets start with the core switch, here is relevant config from the 3550 I’m using:

ip vrf INET
rd 2600:2
route-target export 2600:2
ip vrf NET1
rd 2600:3
route-target export 2600:3
ip vrf NET2
rd 2600:4
route-target export 2600:4

interface FastEthernet0/1
description Trunk to HP Server
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4
switchport mode trunk
no ip address
spanning-tree portfast

interface FastEthernet0/10
description Uplink to PIX Outside
switchport access vlan 2
switchport mode access
no ip address
spanning-tree portfast

interface FastEthernet0/11
description Trunk to PIX Inside
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3-5
switchport mode trunk
no ip address
spanning-tree portfast

interface Vlan2
description LAB-INET
ip vrf forwarding INET
ip address 1.1.1.1 255.255.255.0

interface Vlan3
description LAB-NET1
ip vrf forwarding NET1
ip address 192.168.10.254 255.255.255.0

interface Vlan4 description LAB-NET2
ip vrf forwarding NET2
ip address 192.168.20.254 255.255.255.0

ip route vrf NET1 0.0.0.0 0.0.0.0 192.168.10.1
ip route vrf NET2 0.0.0.0 0.0.0.0 192.168.20.1

Here is the relevant config on the Cisco PIX:

interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0

interface Ethernet1
no nameif
security-level 100
no ip address

interface Ethernet1.10
vlan 3
nameif inside-net1
security-level 100
ip address 192.168.10.1 255.255.255.0

interface Ethernet1.20
vlan 4
nameif inside-net2
security-level 100
ip address 192.168.20.1 255.255.255.0

access-list OUTSIDE_IN extended permit ip any any

global (outside) 6 1.1.1.4
global (outside) 7 1.1.1.5

nat (inside-net1) 6 192.168.10.0 255.255.255.0
nat (inside-net2) 7 192.168.20.0 255.255.255.0

access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

On the HP server, configure the trunk interface to have vlan 1, vlan 2, vlan 3 and vlan 4 (name the interfaces appropriately, assign them IP addresses). I used the following IPs:

vlan 1 (n/a)

vlan 2 1.1.1.3

vlan 3 192.168.10.2

vlan 4 192.168.20.2

Then, on the HP server install VMWare Server (free). Configure the VM networks to be bridged to vlan 2, 3 and 4.

Provision a virtual server on each interface and assign a corresponding bridged network.

You now have an “internet” server and two “private” servers behind NAT. On the “internet” server, setup DNS and assign the other servers to use it for DNS.

To test that I had NAT and firewall working properly, I installed IIS on each server and configured a host header and the appropriate DNS A records on the “internet” server.

I set each website to use index.asp (enabled ASP first) and used the following code:

<html>
<head>
<title>Teh Interwebs</title>
</head>
<body>
Welcome to teh interwebs.
Your IP Address = <%=Request.ServerVariables("REMOTE_ADDR")%>
</body>
</html>

You should be able to hit each website and have the correct “WAN” IP address display on each website. If you can successfully hit the “internet” from each server, and each server from the “internet” then you have a working setup. You can now dcpromo, install Exchange… do whatever it is that you want to test. Modify my setup slightly, and you can test DMZ configurations, among other things.

Microsoft Outlook: “the account you have added is not fully configured” error

I recently discovered a fix for the rare but annoying “the account you have added is not fully configured” when attempting to add an Exchange mailbox in Outlook 2003. I discovered it by mentioning it to a co-worker who happened to know about this rare issue– which is not documented anywhere that I searched (brief Google search including Microsoft KB or Experts Exchange). I probably didn’t give it my best effort, but nonetheless, the fix was incredibly simple.

The fix is to search for mapisvc.inf and delete both instances (windows/system32 and program files/common files), then re-create the Outlook profile which will be wiped out as a result.

Virtualizing your environment with Microsoft Hyper-V

After having completed 3 more virtualization projects this month, I have decided that anyone who hasn’t done so yet must be the same type of people running CRT monitors, Intel Pentium 4 processors and Windows XP.  So… let me explain the benefits of virtualization.

First of all, if you pay your own electric bill and you have more than 2 servers this will reduce your power bill. The new HP servers, in combination with Windows 2008 R2, have excellent “green” features such as the ability to shut off cores that are not in use (google: p-states). Newer processors run somewhere in the neighborhood of 65 to 80 watts. Older processors fall somewhere above 100 watts. Chalk one up for savings: You are running all of your servers on 1 or 2 servers that can run on a fraction of their cores when idle.

Second… ease of management. If you have ever worked for a company that offers managed services then you know how ridiculous it is to managed a customer with lets say… 10 different physical servers. I’m sure you just love trying to manage 10 open RDP windows. On top of that… one of those 10 physical servers locks up. Does it have iLO? If it does, did I document it? I didn’t… crap, now what! Hyper-V allows you to manage the console of each virtualized server from one server. You can shutdown, restart, pause/save state without having to RDP into the server. You can manage the consoles the way you would manage 10 open word documents (Windows 2008 R2, like Windows 7, has that nifty taskbar grouping feature).

Third… if you spend a little extra dough you should add a second server (hopefully you decided on the enterprise version of Windows Server) and implement a Hyper-V cluster. You can have failover and the ability to avoid downtime even when its time to do all those pesky maintenance tasks. Live migration is pretty awesome, I just wish that when a Hyper-V node crashed, that the server wouldn’t reboot unexpectedly. They should really figure that one out… anyways… FAILOVER AND LESS DOWNTIME.

Lastly, and least important of all… you get to put all your old hardware on eBay… clean out that rack and have it look presentable again. Cosmetic, I know… but any IT guy can appreciate a clean, clutter-free rack space.

Something new to me that I have been playing around with is Microsoft’s Windows Deployment Services in R2… its benefits really stand out in a virtual environment. Deploying new servers, or prepping virtual servers for customers has never been easier.

If you want consulting to see if you can benefit from virtualization, or perhaps you already know the benefits and you need a company with several years of virtualization experience over a wide variety of platforms (yea, yea… VMWare can do it too), head on over to www.dcicorporation.com and drop us a line.