Posts Tagged ‘Server’


Problem

You want to enable or disable anonymous access to the information stored in the Active Directory database.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers (ADUC) snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. Navigate to the Builtin container. Double-click on the Pre-Windows 2000 Compatible Access group.
  4. Click the Members tab.
  5. Select the Everyone group and click the Remove button. Click Yes and then OK to confirm.
  6. Select the Anonymous Logon user and click the Remove button. Click Yes and then OK to confirm.
  7. If the Authenticated Users group is not present in the group membership list, click Add to include it and then click OK.

Using a command-line interface

You have three command-line choices to modify the Pre-Windows 2000 Access security group: net localgroup, DSMod, or AdMod. net localgroup takes the following syntax:

> net localgroup "Pre-Windows 2000 Compatible Access" Everyone /delete

> net localgroup "Pre-Windows 2000 Compatible Access" "Anonymous Logon" /delete

> net localgroup "Pre-Windows 2000 Compatible Access" "Authenticated Users" /add

To update the group membership using DSMod so that it only includes Authenticated Users, enter the following:

> dsmod group "cn=Pre-Windows 2000 Compatible Access,cn=Builtin,<DomainDN>" -chmbr "cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>"

To use AdMod, use the following syntax:

> admod -b "cn=Pre-Windows 2000 Compatible Access,cn=Builtin,<DomainDN>" member::"cn=S-1-5-11,cn=ForeignSecurityPrincipals,<DomainDN>"

Discussion

Anonymous access to Active Directory is controlled by membership in the Pre-Windows 2000 Compatible Access security group, located in the cn=Builtin container. This group carries that name because some legacy applications and operating systems, most notably Windows NT 4.0 RAS servers, required anonymous access to the information stored in AD in order to function properly. The default membership of this group depends on whether you selected “Permissions compatible with pre-Windows 2000 operating systems” or “Permissions compatible with only Windows 2000 and Windows 2003” when you ran dcpromo. If you selected the former, the Everyone group and the Anonymous Logon SID were added to Pre-Windows 2000 Compatible Access; if the latter, only Authenticated Users was added.

In the DSMod, AdMod, and VBScript solutions, the Authenticated Users group was specified using an SID and it resides in the ForeignSecurityPrincipals container. This is because Well-Known SIDs such as Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) are not maintained within Active Directory itself and are therefore stored in the FSP container.


Problem

You want domain controllers to reject LDAP queries from certain IP addresses. This can be useful if you want to prohibit domain controllers from responding to LDAP queries for certain applications or hosts.

Solution

Using a command-line interface

The following adds network 10.0.0.0 with mask 255.255.255.0 to the IP deny list:

> ntdsutil "ipdeny list" conn "co t s <DomainControllerName>" q

IP Deny List: Add 10.0.0.0 255.255.255.0

*[1] 10.0.0.0 GROUP MASK      255.255.255.0

NOTE: * | D – uncommitted addition | deletion

IP Deny List: Commit

[1] 10.10.10.0 GROUP MASK 255.255.255.0

NOTE: * | D – uncommitted addition | deletion

Discussion

The IP deny list is stored as an octet string in the lDAPIPDenyList attribute of a query policy.

When the IP deny list is set, domain controllers that are using the default query policy will not respond to LDAP queries from any IP address specified in the deny list address range. To test whether a certain IP address would be denied, run Test x.x.x.x (where x.x.x.x is an IP address) from the IP Deny List subcommand in ntdsutil.

By setting the IP deny list on the default query policy, you would effectively restrict the IP address range from querying any domain controller in the forest. If you need to restrict queries only for a specific domain controller, you’ll need to create a new LDAP query policy and apply it to only the domain controller in question.
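The Test subcommand is the safe way to find out what an entry will do, but the matching rule itself is simple enough to model. The following Python is an added example, not ntdsutil's code: it applies the same address-and-mask comparison to a constructed deny list so that a proposed entry can be checked against a list of known client addresses before it is committed on the default (forest-wide) query policy.

```python
# Added example (not ntdsutil's own code): models the check behind
# "IP Deny List: Test x.x.x.x" so the effect of an entry can be reasoned
# about before it is committed on the default query policy.
import ipaddress
from typing import Iterable, List, Tuple

DenyEntry = Tuple[str, str]  # (network address, subnet mask) as typed into ntdsutil


def deny_entry_to_network(entry: DenyEntry) -> ipaddress.IPv4Network:
    """Convert an 'address mask' pair into a network object.

    strict=False means a host address with a mask is normalised to its
    network, e.g. ("10.0.0.5", "255.255.255.0") becomes 10.0.0.0/24.
    """
    network, mask = entry
    return ipaddress.IPv4Network((network, mask), strict=False)


def is_denied(address: str, deny_list: Iterable[DenyEntry]) -> bool:
    """True when the client address matches any entry.

    Membership in a network-with-mask is the comparison
    (address AND mask) == (network AND mask).
    """
    client = ipaddress.IPv4Address(address)
    return any(client in deny_entry_to_network(entry) for entry in deny_list)


def partition_clients(addresses: Iterable[str],
                      deny_list: Iterable[DenyEntry]) -> Tuple[List[str], List[str]]:
    """Split client addresses into (denied, allowed) lists, for reviewing which
    hosts an entry would cut off from every DC before committing it."""
    deny_list = list(deny_list)
    denied: List[str] = []
    allowed: List[str] = []
    for addr in addresses:
        (denied if is_denied(addr, deny_list) else allowed).append(addr)
    return denied, allowed


# Constructed data: the entry from the recipe above plus a single-host entry
# (a 255.255.255.255 mask matches exactly one address).
DENY_LIST: List[DenyEntry] = [
    ("10.0.0.0", "255.255.255.0"),       # the whole 10.0.0.0/24 network
    ("172.16.5.9", "255.255.255.255"),   # one specific host
]

if __name__ == "__main__":
    sample_clients = ["10.0.0.77", "10.0.1.77", "172.16.5.9", "172.16.5.10"]
    print(partition_clients(sample_clients, DENY_LIST))
```

Feeding `partition_clients` the addresses of your monitoring hosts and applications before committing an entry answers the question the Discussion raises: whether the range you are about to deny on the default policy also contains something that must keep querying the domain controllers.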

Problem

You want to enable anonymous LDAP access for clients. In Windows 2000 Active Directory, anonymous queries were enabled by default, although they were restricted. With Windows Server 2003 Active Directory, anonymous queries are disabled by default except for querying the RootDSE.

Solution

Using a graphical user interface
  1. Open ADSI Edit.

  2. In the Configuration partition, browse to cn=Services cn=Windows NT cn=Directory Service.

  3. In the left pane, right-click on the Directory Service object and select Properties.

  4. Double-click on the dSHeuristics attribute.

  5. If the attribute is empty, set it with the value 0000002.

  6. If the attribute has an existing value, make sure the seventh digit is set to 2.

  7. Click OK twice.
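Steps 5 and 6 edit a single character of a positional string, and a slip there changes an unrelated forest-wide setting. The Python below is an added example (not Microsoft's code and not from the page) that builds the new dSHeuristics value from the existing one: it pads short values with the default `0`, preserves every other character, and enforces the guard rule from MS-ADTS that the 10th character must be `1` (the 20th `2`, and so on) whenever the string is that long.

```python
# Added example (not Microsoft's code): builds the dSHeuristics value
# described in steps 5 and 6 without clobbering characters that control other
# behaviours. The every-tenth-character rule is the guard documented in
# MS-ADTS: at 10 or more characters the 10th must be '1', at 20 the 20th must
# be '2', and so on.

def _guard_char(position: int) -> str:
    """Expected value of a guard position (10 -> '1', 20 -> '2', ...)."""
    return str(position // 10)


def set_dsheuristics_char(current: str, position: int, value: str) -> str:
    """Return dSHeuristics with the 1-based `position` set to `value`.

    An empty or short value is right-padded with '0' (the default for every
    heuristic); existing characters are preserved.
    """
    if len(value) != 1 or not value.isalnum():
        raise ValueError("value must be a single character")
    if position < 1 or position % 10 == 0:
        raise ValueError("position must be >= 1 and not a guard position")
    chars = list(current.ljust(position, "0"))
    chars[position - 1] = value
    # A guard position created by padding must get its required digit; a guard
    # that already existed with the wrong digit means the attribute is
    # malformed, so refuse rather than write it back.
    for guard in range(10, len(chars) + 1, 10):
        if chars[guard - 1] != _guard_char(guard):
            if guard > len(current):
                chars[guard - 1] = _guard_char(guard)
            else:
                raise ValueError(
                    f"dSHeuristics: character {guard} must be {_guard_char(guard)!r}")
    return "".join(chars)


def enable_anonymous_ldap(current: str) -> str:
    """Seventh character = 2 permits anonymous LDAP operations (this recipe)."""
    return set_dsheuristics_char(current, 7, "2")


def anonymous_ldap_enabled(current: str) -> bool:
    """Audit helper: is the seventh heuristic set to 2 on this forest?"""
    return len(current) >= 7 and current[6] == "2"


if __name__ == "__main__":
    for existing in ("", "001", "00000000010"):
        print(repr(existing), "->", repr(enable_anonymous_ldap(existing)))
```

`anonymous_ldap_enabled` is the check to run periodically, since this value is forest-wide and not something a domain administrator would expect to see change.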

Problem

You want to enable SSL/TLS access to your domain controllers so clients can encrypt LDAP traffic to the servers.

Solution

Using a graphical user interface
  1. Open the Control Panel on a domain controller.

  2. Open the “Add or Remove Programs” applet.

  3. Click on Add/Remove Windows Components.

  4. Check the box beside Certificate Services and click Yes to verify.

  5. Click Next.

  6. Select the type of authority you want the domain controller to be (select “Enterprise root CA” if you are unsure) and click Next.

  7. Type the common name for the CA, select a validity period, and click Next.

  8. Enter the location for certificate database and logs, and click Next.

  9. After the installation completes, click Finish.

  10. Now open the Domain Controller Security Policy GPO.

  11. Navigate to Computer Configuration Windows Settings Security Settings Public Key Policies.

  12. Right-click on Automatic Certificate Request Settings and select New Automatic Certificate Request.

  13. Click Next.

  14. Under Certificate Templates, click on Domain Controller and click Next.

  15. Click Finish.

  16. Right-click on Automatic Certificate Request Settings and select New Automatic Certificate Request.

  17. Click Next.

  18. Under Certificate Templates, click on Computer and click Next.

  19. Click Finish.

Problem

You want to create a quota that will apply to any new folders created on a file server.

Solution

Using a graphical user interface
  1. Open the File Server Management MMC snap-in. Navigate to File Server Management File Server Resource Manager Quota Management.

  2. Right-click on Quotas and select “Create quota.” Under “Quota path,” specify the directory that this quota should apply to or click Browse to navigate to it using Windows Explorer.

  3. Select the radio button next to “Auto apply template and create quotas on existing and new subfolders.”

  4. Create the remainder of the quota.

Using a command-line interface

The following command will create an auto-quota on the D:\ drive based on the “DefaultAutoQuota” template:

	> dirquota autoquota /path:d:\* /sourcetemplate:"DefaultAutoQuota"

Discussion

When you create a new disk quota, by default the quota will apply only to the individual folder that you specify. By using auto-templates, you can configure a quota that will automatically be applied to any subfolders that are created beneath the folder you named in the quota definition. This is a useful setting for many scenarios, such as specifying an auto-quota for a root folder that houses your users’ home folders or roaming profiles so that any new user will receive the auto-quota by default. Every time a new subfolder is created to which an auto-quota applies, a new quota entry will be automatically created that can be viewed within the File Resource Manager.

Problem

You want to create a disk quota on a file server.

Solution

Using a graphical user interface
  1. Open the File Server Management MMC snap-in. Navigate to File Server Management File Server Resource Manager Quota Management.

  2. Right-click on Quotas and select “Create quota.” Under “Quota path,” specify the directory that this quota should apply to or click Browse to navigate to it using Windows Explorer. Select the radio button next to “Create quota on path.”

  3. To base the quota on a quota template, select the “Derive properties from this quota template (recommended),” and select the template from the drop-down box. To manually specify a quota, select the “Define custom quota properties” radio button. Click on Custom Properties to define the properties for this quota; the process is similar to the steps used in defining a quota template.

  4. Click Create.

Using a command-line interface

The following command will create a 100 MB soft disk quota entry on the D:\ drive:

	> dirquota quota add /path:d:\* /limit:100mb /type:soft

Using VBScript
	'---------SCRIPT CONFIGURATION------------------------
	strComputer = "<ComputerName>"   ' Use "." for local computer
	strDomain = "<DomainName>"       ' e.g. RALLENCORP (NetBIOS domain name)
	strUser = "<UsersAMAccountName>" ' e.g. jsmith
	strDeviceID = "<DriveLetter>"    ' e.g. D:
	'-----------------------------------------------------

	Set objWMIService = GetObject("winmgmts:" _
	    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

	' The WMI object path must contain the quoted values themselves,
	' not the names of the script variables
	Set objAccount = objWMIService.Get _
	    ("Win32_Account.Domain='" & strDomain & "',Name='" & strUser & "'")
	Set objDisk = objWMIService.Get _
	    ("Win32_LogicalDisk.DeviceID='" & strDeviceID & "'")
	' Spawn a new, not yet saved Win32_DiskQuota instance
	Set objQuota = objWMIService.Get _
	    ("Win32_DiskQuota").SpawnInstance_

	objQuota.QuotaVolume = objDisk.Path_.RelPath
	objQuota.User = objAccount.Path_.RelPath
	objQuota.Limit = 10485760        ' 10 MB limit, in bytes
	objQuota.WarningLimit = 8388608  ' 8 MB warning level, in bytes
	objQuota.Put_                    ' Commit the quota entry

Discussion

Once you’ve created one or more quota templates, you can specify actual disk quotas that apply to folders that reside on a particular hard drive. It’s a good idea to create quotas based on templates rather than specifying them manually, since this will simplify the administration of your file server. (For example, if you need to change a quota template after it is initially created, you can specify that those template changes should be automatically propagated to any quotas that are based on that template.) Otherwise you can create a quota manually, specifying the same information as is required when creating a quota template.

Problem

You want to create and manage disk quota templates on a Windows file server.

Solution

Using a graphical user interface
  1. Open the File Server Management MMC snap-in. Navigate to File Server Management File Server Resource Manager Quota Management.

  2. Right-click on Quota Templates and select “Create quota template.”

  3. If you want to copy information from an existing template, select it in the “Copy properties from quota template (optional)” drop-down box and click Copy.

  4. Under Settings, enter a Template Name and optional Label.

  5. Under Space Limit, specify the disk space limit in KB, MB, GB, or TB. Select either “Hard quota: do not allow users to exceed limit” or “Soft quota: Allow users to exceed limit (used for monitoring).”

  6. In the Notification Threshold section, you can specify one or more actions that Windows will take when a user reaches a certain percentage of her quota limit.

  7. Click Add to create a new notification. Under “Generate notifications when usage reaches (%),” specify the percentage of the disk quota that should initiate the notification.

  8. To send an email notification, on the E-mail Message tab, place a checkmark next to “Send e-mail to the following administrators” and/or “Send e-mail to the user who exceeds the threshold.” On this tab you can also specify the subject and body of the email message to be sent to the user.

  9. To generate a message in the Event Log, go to the Event Log tab and place a checkmark next to “Send Warning to Event Log.” Under the Log Entry text box, specify the text of the message that should be logged.

  10. To run a command when a threshold is generated, go to the Command tab and place a checkmark next to “Run this command or script.” Under “Command settings,” specify any command-line arguments and the working directory. Under “Command security,” specify the account that the script should run as: Local Service, Network Service, or LocalSystem.

  11. To generate one or more reports when a threshold is generated, go to the Report tab and place a checkmark next to “Generate reports.” Select one or more of the following reports to be generated:

    • Duplicate files
    • File screening audit
    • Files by File Group
    • Files by Owner
    • Large Files
    • Least Recently Accessed Files
    • Most Recently Accessed Files
    • Quota Usage
  12. To email the reports, place a checkmark next to “Send reports to the following administrators” and specify one or more email addresses separated by semicolons, and/or place a checkmark next to “Send reports to the user who exceeded the threshold.”

  13. Once you’ve created one or more notification thresholds, click OK to create the quota template.

Discussion

While you can create disk quotas manually, disk quota templates allow you to create consistent quota settings for multiple quotas on a single server as well as on multiple servers. In addition to the space limitation that’s imposed by the quota, you can specify whether it is a hard or a soft quota, that is, whether a user is prohibited from saving files when they’ve gone over their quota (a hard quota), or whether the OS merely notes that a user has overrun his quota without preventing him from saving additional files (a soft quota). You can also specify what types of notifications (if any) will be generated when a user exceeds a defined quota threshold: sending an email to an administrator when a user exceeds 85 percent of her quota, generating an Event Viewer message when she exceeds 95 percent, etc. You can configure multiple notification thresholds for a single quota; no notifications are configured by default.
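The difference between a hard and a soft quota, and the way notification thresholds fire as usage climbs, is easy to get wrong when designing templates. The Python below is an added example, not FSRM's logic and not from the page: it models a template with a limit, a hard/soft flag and percentage thresholds, decides whether a write is accepted, and reports which thresholds that write crosses (the 85 and 95 percent example from the Discussion is used as constructed input).

```python
# Added example (not FSRM's own logic): a small model of how a hard or soft
# quota and its notification thresholds behave, as described above.
from dataclasses import dataclass, field
from typing import List

MB = 1024 * 1024


@dataclass
class QuotaTemplate:
    limit_bytes: int
    hard: bool                                           # True: writes past the limit are refused
    thresholds: List[int] = field(default_factory=list)  # percentages, e.g. [85, 95]


@dataclass
class QuotaDecision:
    allowed: bool            # whether the write goes through
    usage_percent: float     # usage after the decision, as a percentage of the limit
    fired: List[int]         # thresholds crossed by this write, ascending


def evaluate_write(template: QuotaTemplate, used_bytes: int, write_bytes: int) -> QuotaDecision:
    """Decide whether a write of write_bytes is allowed and which thresholds fire.

    A hard quota blocks any write that would take usage past the limit; a soft
    quota lets it through and only notifies. A threshold fires once, at the
    moment usage moves from below that percentage to at or above it.
    Comparisons are done in integers to avoid rounding at the boundaries.
    """
    if template.limit_bytes <= 0:
        raise ValueError("limit must be positive")
    if used_bytes < 0 or write_bytes < 0:
        raise ValueError("byte counts must be non-negative")
    proposed = used_bytes + write_bytes
    allowed = not (template.hard and proposed > template.limit_bytes)
    after = proposed if allowed else used_bytes
    fired = [
        t for t in sorted(template.thresholds)
        if used_bytes * 100 < t * template.limit_bytes <= after * 100
    ]
    return QuotaDecision(allowed, after * 100 / template.limit_bytes, fired)


if __name__ == "__main__":
    # Constructed templates: 100 MB with the Discussion's 85% and 95% thresholds
    hard = QuotaTemplate(100 * MB, hard=True, thresholds=[85, 95])
    soft = QuotaTemplate(100 * MB, hard=False, thresholds=[85, 95])
    print(evaluate_write(hard, 80 * MB, 10 * MB))   # allowed, fires 85
    print(evaluate_write(hard, 90 * MB, 20 * MB))   # refused, nothing fires
    print(evaluate_write(soft, 90 * MB, 20 * MB))   # allowed at 110%, fires 95
```

The soft-quota case is the one worth noticing: the write succeeds and only the 95 percent notification tells anyone, which is why a soft quota is described as a monitoring setting rather than a control.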

Problem

You want to view the sizes and message counts of all mailboxes on a server.

Solution

Using a graphical user interface
  1. Open the Exchange System Manager (ESM) snap-in.

  2. In the left pane, browse to the mailboxes container of the server, storage group, and database you want to view mailboxes in.

  3. In the right pane, scroll down through the list of mailboxes noting the Size and Total Items columns.

Using VBScript
	' This code displays all mailboxes and their sizes
	' ------ SCRIPT CONFIGURATION ------
	strComputer = "<ExchangeServer>" 'e.g. ExchServer2
	' ------ END CONFIGURATION ---------

	set objWMI = GetObject("winmgmts:\\" & strComputer & _
	                       "\root\MicrosoftExchangeV2")
	set objMbxs = objWMI.ExecQuery("Select * from Exchange_Mailbox",,48)
	for each objMbx in objMbxs
	  Wscript.Echo objMbx.MailBoxDisplayName & " " & objMbx.size & "KB " _
	               & objMbx.TotalItems & " items"
	Next
	Wscript.Echo "Script completed successfully."

Discussion

Mailbox sizes and message counts are items on Exchange systems that administrators routinely want to know about for the purposes of reporting and metrics. Administrators want to know if their mail system is balanced and if users are spread across the mailbox stores evenly. Knowing the number of users and the size of their mailboxes in each mailbox store, the administrator can make better decisions about where new user mailboxes should be placed or if some leveling of mailboxes is required.

Problem

You want to restrict who can administer your DHCP servers in your domain.

Solution

Using a graphical user interface
  1. Open the Active Directory Users and Computers MMC snap-in.

  2. In the console tree, click Active Directory Users and Computers Domain-Name Users.

  3. In the details pane, click DHCP Administrators.

  4. Click Action Properties Members.

  5. Remove all users and groups you do not want to have administering your DHCP server by clicking their names and then clicking Remove.

  6. To add new DHCP administrators, click Add, provide the user or group name, and then click OK.

  7. Click OK.

Using a command-line interface

Add a member to a group with DSMod by passing the -addmbr option:

	> dsmod group "<GroupDN>" -addmbr "<MemberDN>"

To add a group member with AdMod, use the following syntax:

	> admod -b "<GroupDN>" member:+:"<MemberDN>"

Remove a member from a group with DSMod by passing the -rmmbr option:

	> dsmod group "<GroupDN>" -rmmbr "<MemberDN>"

To remove a group member with AdMod, use the following syntax:

	> admod -b "<GroupDN>" member:-:"<MemberDN>"

Replace the complete membership list with DSMod by passing the -chmbr option:

	> dsmod group "<GroupDN>" -chmbr "<Member1DN Member2DN … >"

To replace the membership of a group with AdMod, use the following two commands:

	> admod -b "<GroupDN>" member:-
	> admod -b "<GroupDN>" member:++:"<Member1DN>;<Member2DN>;<Member3DN>"

Using VBScript
	' This code adds a member to the DHCP Administrators group.
	' ------ SCRIPT CONFIGURATION ------
	strGroupDN = "<GroupDN>"   ' e.g. "cn=DHCP Administrators,cn=Users,<DomainDN>"
	strMemberDN = "<MemberDN>" ' e.g. "cn=jsmith,cn=users,dc=rallencorp,dc=com"
	' ------ END CONFIGURATION --------

	set objGroup = GetObject("LDAP://" & strGroupDN)
	' Add a member
	objGroup.Add("LDAP://" & strMemberDN)

	' This code removes a member from the DHCP Administrators group.

	set objGroup = GetObject("LDAP://" & strGroupDN)
	objGroup.Remove("LDAP://" & strMemberDN)

Discussion

Windows Server 2003 is better than its predecessors at supporting role separation. Most roles can be assigned independently of one another rather than just making a user a Domain Admin or an Enterprise Admin. This is great for security administrators who want to ensure that users have only enough rights to perform their assigned tasks. For example, a user Fred might need to modify an enterprise-wide object. You could just add Fred to the Enterprise Admins group to solve the problem. However, Fred would then have access to virtually any object in the entire forest and could cause irreparable harm to your network, not to mention compromise all security in place. Instead, you can grant Fred access to just that object.

This can be done in several ways. One method is the “Delegation of Control” wizard. Another is to use the built-in groups that Windows creates and populates when specific services are installed. One such group is DHCP Administrators, which is created when the first DHCP server is brought up in a domain. You can control administrative access to the DHCP function of these servers through this group membership.


Problem

You want to permit (i.e., authorize) a DHCP server to process DHCP requests from clients. This is necessary only if the DHCP server is a member of an Active Directory domain.

Solution

Using a graphical user interface

Windows 2000 DHCP servers cannot be authorized with the Windows Server 2003 version of the DHCP snap-in unless the DHCP server has Service Pack 2 or higher installed.
  1. Open the DHCP snap-in.
  2. In the left pane, right-click on DHCP and select Add Server.
  3. Type in the name of the DHCP server you want to target and click OK.
  4. Click on the server entry in the left pane.
  5. Right-click on the server and select Authorize.
If the DHCP server is not a member of an Active Directory domain, you will not see the Authorize option.

Using a command-line interface

The following command authorizes a DHCP server in Active Directory:

> netsh dhcp add server <DHCPServerName> <DHCPServerIP>

This example shows how to authorize the DHCP server named dhcp01.rallencorp.com with IP 192.168.191.15:

> netsh dhcp add server dhcp01.rallencorp.com 192.168.191.15

Using VBScript

	' The following script prints out the list of
	' authorized DHCP Servers in Active Directory.
	' ------ SCRIPT CONFIGURATION ------
	strForestRootDN = "<ForestRootDN>" ' e.g. dc=rallencorp,dc=com
	' ------ END CONFIGURATION ---------

	set objCont = GetObject("LDAP://CN=DhcpRoot,CN=NetServices,CN=Services," & _
	                        "CN=Configuration," & strForestRootDN)
	' dhcpServers is multi-valued, so read it with GetEx
	colDHCPServers = objCont.GetEx("dhcpServers")
	for each strDHCPServer in colDHCPServers
	    Wscript.Echo strDHCPServer
	next

Discussion

Windows 2000 and Windows Server 2003-based DHCP servers that belong to an Active Directory domain must be authorized before they can give leases to clients. This feature helps reduce the danger of a rogue Windows 2000 or Windows Server 2003 DHCP server that an end user sets up, perhaps even unintentionally.

However, this still doesn’t prevent someone from plugging in a non-Windows DHCP server (e.g., a Linksys router with the DHCP server enabled) and causing clients to receive bad leases. A rogue DHCP server can provide incorrect lease information or deny lease requests altogether, ultimately causing a denial of service for clients on your network.

If the DHCP server service is enabled on a domain controller, it is automatically authorized. A DHCP server that is a member server of an Active Directory domain performs a query in Active Directory to determine whether it is authorized. If it is, it will respond to DHCP requests; if not, it will not respond to requests.

A standalone Windows DHCP server that is not a member of an Active Directory domain sends out a DHCPINFORM message when it first initializes. If an authorized DHCP server responds to the message, the standalone server will not respond to any further DHCP requests. If it does not receive a response from a DHCP server, it will respond to client requests and distribute leases.

DHCP servers are represented in Active Directory as objects of the dhcpClass class, in the cn=NetServices,cn=Services,cn=Configuration,<ForestRootDN> container. The relative distinguished name of these objects is the IP address of the DHCP server. There is also an object in the same container named cn=dhcpRoot, which is created after the first DHCP server is authorized. It has an attribute named dhcpServers that contains all authorized servers. We enumerated this attribute in the VBScript solution to display all authorized servers.
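The VBScript above prints each dhcpServers value raw. Since the authorization check only restrains Windows servers, the practical use of that list is as an allow-list to compare against the DHCP servers actually answering on the network. The Python below is an added example, not the recipe's code: it parses the values and reports any observed server address that is not authorized. The value layout it assumes ("$"-separated fields tagged i for the IP address, r for the server name, f for flags and s for the name again) is how authorized servers are commonly recorded on cn=DhcpRoot; treat that as an assumption and confirm it against a value from your own directory. The sample value is constructed from the dhcp01.rallencorp.com example earlier in this recipe.

```python
# Added example (not part of the recipe): parses dhcpServers values from
# cn=DhcpRoot and uses them as the allow-list when reviewing DHCP servers seen
# on the network. The field layout below is an assumption about how the
# values are recorded; verify it against your own directory.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class AuthorizedDhcpServer:
    ip: str
    name: str
    flags: int


def parse_dhcpservers_value(value: str) -> AuthorizedDhcpServer:
    """Parse one dhcpServers attribute value into its tagged fields."""
    fields: Dict[str, str] = {}
    for token in value.split("$"):
        if token:                       # skip the empty token after the final "$"
            fields[token[0]] = token[1:]
    if "i" not in fields or "r" not in fields:
        raise ValueError(f"unrecognised dhcpServers value: {value!r}")
    return AuthorizedDhcpServer(
        ip=fields["i"],
        name=fields["r"].lower(),
        flags=int(fields.get("f", "0x0"), 16),
    )


def authorized_ips(values: Iterable[str]) -> Set[str]:
    """The set of server addresses Active Directory considers authorized."""
    return {parse_dhcpservers_value(v).ip for v in values}


def find_unauthorized_servers(observed_ips: Iterable[str],
                              values: Iterable[str]) -> List[str]:
    """Return observed DHCP server addresses that are not authorized in AD.

    observed_ips might come from the server identifier option of DHCPOFFER
    packets in a capture. Anything returned deserves a look: a non-Windows
    rogue server never consults the authorization list at all.
    """
    return sorted(set(observed_ips) - authorized_ips(values))


# Constructed sample: the server from the netsh example above as it might be
# recorded on cn=DhcpRoot, plus an observed offer from an address not listed.
SAMPLE_DHCPSERVERS = [
    "i192.168.191.15$rdhcp01.rallencorp.com$f0x00000000$sdhcp01.rallencorp.com$",
]
SAMPLE_OBSERVED = ["192.168.191.15", "192.168.191.1"]

if __name__ == "__main__":
    for v in SAMPLE_DHCPSERVERS:
        print(parse_dhcpservers_value(v))
    print("unauthorized:", find_unauthorized_servers(SAMPLE_OBSERVED, SAMPLE_DHCPSERVERS))
```

Replace `SAMPLE_DHCPSERVERS` with the output of the VBScript solution (or an LDAP query for the dhcpServers attribute of cn=dhcpRoot) and `SAMPLE_OBSERVED` with the server addresses seen in your DHCP traffic to turn this into a periodic rogue-server check.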

By default, only members of the Enterprise Admins group can authorize DHCP servers. However, you can delegate the rights to authorize a DHCP server. Do the following to delegate the necessary permissions to a group called DHCP Admins:

  1. Open ADSI Edit from the Support Tools while logged on as a member of the Enterprise Admins group.
  2. In the left pane, expand the Configuration Container CN=Configuration CN=Services CN=NetServices.
  3. Right-click on CN=NetServices and select Properties.
  4. Select the Security tab.
  5. Click the Advanced button.
  6. Click the Add button.
  7. Use the object picker to select the DHCP Admins group.
  8. Check the boxes under “Allow for Create dHCPClass objects” and “Delete dHCPClass objects.”
  9. Click OK until all dialog boxes are closed.
  10. Back in ADSI Edit, right-click on CN=dhcpRoot (if you’ve previously authorized DHCP Servers) and select Properties.
  11. Select the Security tab.
  12. Click the Advanced button.
  13. Click the Add button.
  14. Use the object picker to select the DHCP Admins group.
  15. Check the boxes under Allow for “Write for all properties.”
  16. Click OK until all dialog boxes are closed.

Using a graphical user interface

You can quickly determine whether a DHCP server has been authorized by looking at its server node in the left pane of the DHCP snap-in. If the icon has a little red flag, it isn’t authorized; if the flag is green, it is authorized.

Using a command-line interface

To see the list of authorized servers using the command line, run the following command:

> netsh dhcp show server