Thursday, December 16, 2010

Fix an Unsuccessful DC Demotion

How can I manually delete a server object from the Active Directory database in case of a bad DCPROMO procedure?

The DCPROMO (Dcpromo.exe) utility is used for promoting a server to a domain controller and demoting a domain controller to a member server (or to a standalone server in a workgroup if the domain controller is the last in the domain). As part of the demotion process, the DCPROMO utility removes the configuration data for the domain controller from the Active Directory. This data takes the form of an "NTDS Settings" object, which exists as a child to the server object in the Active Directory Sites and Services Manager.
The information is stored at the following location in the Active Directory: CN=NTDS Settings,CN=<servername>,CN=Servers,CN=<sitename>,CN=Sites,CN=Configuration,DC=...


The attributes of the NTDS Settings object include data describing how the domain controller is identified to its replication partners, the naming contexts maintained on the machine, whether or not the domain controller is a Global Catalog server, and the default query policy. The NTDS Settings object is also a container that may have child objects representing the domain controller's direct replication partners. This data is required for the domain controller to operate within the environment, but is retired upon demotion. If the NTDS Settings object is not removed properly (for example, because a demotion attempt failed), the administrator can use the Ntdsutil.exe utility to remove it manually. The following steps describe how to remove the NTDS Settings object for a given domain controller from the Active Directory. At each NTDSUTIL menu, the administrator can type help for more information about the available options.

Caution: The administrator should also check that replication has occurred since the demotion before manually removing the NTDS Settings object for any server. Using the NTDSUTIL utility improperly can result in partial or complete loss of Active Directory functionality.
Procedure

  1. Click Start, point to Programs, point to Accessories, and then click Command Prompt. At the command prompt, type ntdsutil and then press ENTER.
  2. Type metadata cleanup and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters need to be specified before the removal can occur.
  3. Type connections and press ENTER. This menu is used to connect to the specific server on which the changes occur. If the currently logged-on user does not have administrative permissions, alternate credentials can be supplied by specifying them before making the connection.
    To do so, type set creds <domain name> <username> <password> and press ENTER. For a null password, type null for the password parameter.
  4. Type connect to server <servername> and then press ENTER. You should receive confirmation that the connection was successfully established. If an error occurs, verify that the domain controller used in the connection is available and that the credentials you supplied have administrative permissions on the server.
    Note: If you connect to the same server that you want to delete, then when you try to delete the server in step 15 you may receive the following error message:
    Error 2094. The DSA Object cannot be deleted 0x2094
    Note: Windows Server 2003 Service Pack 1 eliminates the need for steps 3 and 4.
  5. Type quit and then press ENTER. The Metadata Cleanup menu appears.
  6. Type select operation target and press ENTER.
  7. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
  8. Type select domain <number> and press ENTER, where number is the number associated with the domain of which the server you are removing is a member. The domain you select is used to determine whether the server being removed is the last domain controller of that domain.
  9. Type list sites and press ENTER. A list of sites, each with an associated number, is displayed.
  10. Type select site <number> and press ENTER, where number is the number associated with the site of which the server you are removing is a member. You should receive a confirmation listing the site and domain you chose.
  11. Type list servers in site and press ENTER. A list of servers in the site, each with an associated number, is displayed.
  12. Type select server <number> and press ENTER, where number is the number associated with the server you want to remove. You receive a confirmation listing the selected server, its Domain Name System (DNS) host name, and the location of the computer account of the server you want to remove.
  13. Type quit and press ENTER. The Metadata Cleanup menu appears.
  14. Type remove selected server and press ENTER. You should receive confirmation that the removal completed successfully. If you receive the following error message:
    Error 8419 (0x20E3) The DSA object could not be found
    the NTDS Settings object may already have been removed from the Active Directory, either because another administrator removed it or because the successful removal by the DCPROMO utility has since replicated.
    Note: You may also see this error when you attempt to bind to the domain controller that is going to be removed. Ntdsutil needs to bind to a domain controller other than the one being removed with metadata cleanup.
  15. Type quit at each menu to quit the NTDSUTIL utility. You should receive confirmation that the connection disconnected successfully.
  16. Remove the cname record in the _msdcs.<root domain of forest> zone in DNS. Assuming that the DC is going to be reinstalled and re-promoted, a new NTDS Settings object is created with a new globally unique identifier (GUID) and a matching cname record in DNS. You do not want the existing DCs to use the old cname record.
  17. As a best practice you should also delete the hostname and other DNS records. If the remaining lease time on the Dynamic Host Configuration Protocol (DHCP) address assigned to the offline server expires, another client can obtain the IP address of the problem DC.
  18. Now that the NTDS Settings object has been deleted, the following objects can be deleted as well:
    1. Use ADSIEdit to delete the computer account in the OU=Domain Controllers,DC=domain...
      Note: The FRS subscriber object is deleted when the computer object is deleted, since it is a child of the computer account.
    2. Use ADSIEdit to delete the FRS member object in CN=Domain System Volume (SYSVOL share),CN=file replication service,CN=system....
    3. In the DNS console, use the DNS MMC to delete the cname (also known as the Alias) record in the _msdcs container.
    4. In the DNS console, use the DNS MMC to delete the A (also known as the Host) record in DNS.
    5. If the deleted computer was the last domain controller in a child domain and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child in CN=System, DC=domain, DC=domain, Domain NC.
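The following script is an added example, not part of the original post or of the Microsoft KB text it reproduces. It performs a read-only audit of what a failed demotion leaves behind, covering the objects the procedure above removes (the server object and its NTDS Settings child, the _msdcs CNAME, the DC computer account and the FRS member object), so the administrator can confirm what still needs cleaning up before running ntdsutil. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and Resolve-DnsName from the DnsClient module (Windows Server 2012 or later); the server and site names are placeholders, and, as the note under step 14 requires, it binds to a DC other than the one being removed.

```powershell
# Added example: read-only audit of leftover DC metadata after a failed DCPROMO demotion.
# Assumes the ActiveDirectory module and Resolve-DnsName; names below are placeholders.
Import-Module ActiveDirectory

$OldDc  = 'DC2'                  # placeholder: NetBIOS name of the failed DC
$LiveDc = 'DC1.corp.example'     # placeholder: a healthy DC to bind to (never $OldDc)

$rootDse  = Get-ADRootDSE -Server $LiveDc
$configNc = $rootDse.configurationNamingContext
$domainNc = $rootDse.defaultNamingContext
$forest   = (Get-ADForest -Server $LiveDc).RootDomain

$findings = @()

# 1. Server object under CN=Sites in the Configuration partition
$serverObj = Get-ADObject -Server $LiveDc -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(name=$OldDc))"
if ($serverObj) {
    $findings += "Server object still present: $($serverObj.DistinguishedName)"

    # 2. NTDS Settings child (class nTDSDSA): the object 'remove selected server' deletes
    $ntds = Get-ADObject -Server $LiveDc -SearchBase $serverObj.DistinguishedName `
        -SearchScope OneLevel -LDAPFilter "(objectClass=nTDSDSA)"
    if ($ntds) {
        $findings += "NTDS Settings still present, GUID $($ntds.ObjectGUID)"

        # 3. Replication CNAME <GUID>._msdcs.<forest root> that still points at the old host
        $cname = "$($ntds.ObjectGUID)._msdcs.$forest"
        $rec = Resolve-DnsName -Name $cname -Type CNAME -Server $LiveDc -ErrorAction SilentlyContinue
        if ($rec) { $findings += "Stale CNAME still in DNS: $cname -> $($rec.NameHost)" }
    }
}

# 4. Computer account in the Domain Controllers OU (its FRS subscriber child goes with it)
$computer = Get-ADObject -Server $LiveDc -SearchBase "OU=Domain Controllers,$domainNc" `
    -LDAPFilter "(&(objectClass=computer)(name=$OldDc))"
if ($computer) { $findings += "DC computer account still present: $($computer.DistinguishedName)" }

# 5. FRS member object for the SYSVOL replica set (container may be absent after a DFSR migration)
$frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNc"
$frs = Get-ADObject -Server $LiveDc -SearchBase $frsBase `
    -LDAPFilter "(&(objectClass=nTFRSMember)(name=$OldDc))" -ErrorAction SilentlyContinue
if ($frs) { $findings += "FRS member object still present: $($frs.DistinguishedName)" }

if ($findings.Count -eq 0) {
    "No leftover metadata found for $OldDc."
} else {
    "Leftover metadata for $OldDc (nothing has been changed):"
    $findings | ForEach-Object { " - $_" }
    if ($serverObj) {
        # Scripted equivalent of steps 2 to 14 above, for use once the list has been reviewed
        "Cleanup command: ntdsutil `"metadata cleanup`" `"remove selected server $($serverObj.DistinguishedName)`" quit quit"
    }
}
```

Run it from an elevated prompt on the healthy DC; it changes nothing, and the ntdsutil one-liner it prints at the end takes the server object's distinguished name in place of the interactive list/select steps of the procedure. The DNS host (A) record and the computer account are left for the manual steps above.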

Tuesday, April 20, 2010

10 steps to harden Windows Server 2008


Ever since its debut, Microsoft Windows Server 2008 has impressed security and systems administrators with its complex and innovative features. With threats becoming more imminent and efficient every day, security administrators face the tedious task of protecting Microsoft's new giant. In this article we compiled some of the industry's best practices, such as those from NIST, to show you some of the features and ways to reduce your Windows Server 2008 systems' exposure.

1. Configure a security policy

The first step in securing a Windows Server 2008 system is to configure a security policy. To do so, use the Security Configuration Wizard (SCW), which can be installed through "Add and Remove Windows Components". The SCW detects ports and services and configures registry and audit settings according to the server's "role" or installed applications. It works from a set of XML templates that can easily be deployed and managed. The version of SCW in Windows Server 2008 includes more server role configurations and security settings (over 200) than the version in Windows Server 2003. With the Windows Server 2008 version of SCW, you can also:
  • Disable unneeded services based on the server role.
  • Remove unused firewall rules and constrain existing firewall rules.
  • Define restricted audit policies.

The server's operating system configuration is changed according to the profile or template selected. Administrators can create custom profiles and deploy them as a set of XML files.

2. Disable or delete unnecessary accounts, ports and services

Attackers often gain access to servers through unused or unconfigured ports and services. To limit entry points, server hardening includes blocking unused ports and protocols as well as disabling services that are not required. Although this can be done with the SCW as described above, the server administrator should double-check that all services are configured properly and that only the necessary ports are open. During installation of Windows Server 2008, three local user accounts are created by default: Administrator, Guest and Help Assistant. The Administrator account carries high privileges and requires special diligence; as a security best practice it should be disabled or renamed to make it harder for an attacker to gain access. The Guest and Help Assistant accounts are easy targets, and attackers have exploited them on the earlier Windows Server 2003. These accounts should be disabled at all times.


3. Uninstall Unnecessary Applications

Remember, your server is a vital part of your network and services that you provide. The number of applications installed on these servers should be role related and set to a minimum. It is a good idea to test these applications out in a separate environment before deploying them on the production network. Some applications make use of service backdoors, which can sometimes compromise the overall security of the server. After installing each application, make sure that you double check to see if the application created any firewall exception or created a service user account.

  • Belarc Advisor: The Belarc Advisor "builds a detailed profile of your installed software and hardware, missing Microsoft hot fixes, anti-virus status, and displays the results in your Web browser." This tool is free for personal use. Commercial, government, and non-profit organizations should look at their other products, which include many more features for managing security on multiple computers.

  • Microsoft Sysinternals tools: Microsoft provides a set of tools that can be used to monitor the server's activity. These tools include RegMon, FileMon, Process Explorer and RootkitRevealer. They are great for understanding what a certain application does "under the sheets".

4. Configure the Windows Server 2008 Firewall

Windows Server 2008 comes with a phenomenal built-in firewall called Windows Firewall with Advanced Security. As a security best practice, every server should have its own host-based firewall, and its configuration should be double-checked to confirm that there are no unnecessary rules or exceptions. Some of the new features Windows Server 2008 provides:

  • GUI interface: an MMC snap-in is available for the advanced firewall configuration.
  • Bi-directional filtering: the firewall now filters outbound traffic as well as inbound traffic.
  • IPsec interoperability: firewall rules and IPsec encryption settings are now integrated into one interface.
  • Advanced rule configuration: you can create firewall rules using Active Directory objects, source and destination IP addresses, and protocols.
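As an added example that is not part of the original article, the script below enumerates the enabled inbound "Allow" rules of Windows Firewall with Advanced Security through netsh, the command-line interface that exists on Windows Server 2008 (the Get-NetFirewallRule cmdlets only arrived with Windows Server 2012), and lists the widest exceptions so the rule review the text calls for can be done systematically. The parsing relies on the "Field: value" layout of the netsh output; it reads the rule set and modifies nothing.

```powershell
# Added example: review enabled inbound Allow rules via "netsh advfirewall" (read-only).
function Get-InboundAllowRules {
    $raw   = & netsh.exe advfirewall firewall show rule name=all dir=in verbose
    $rules = @()
    $cur   = $null
    foreach ($line in $raw) {
        if ($line -match '^Rule Name:\s+(.*)$') {
            # A new "Rule Name:" header starts the next rule; flush the previous one
            if ($cur) { $rules += $cur }
            $cur = @{ 'Rule Name' = $Matches[1].Trim() }
        } elseif ($cur -and $line -match '^([A-Za-z ]+):\s+(.*)$') {
            # Every other "Field:   value" line belongs to the current rule
            $cur[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($cur) { $rules += $cur }

    $rules | Where-Object { $_['Enabled'] -eq 'Yes' -and $_['Action'] -eq 'Allow' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name      = $_['Rule Name']
                Profiles  = $_['Profiles']
                Protocol  = $_['Protocol']
                LocalPort = $_['LocalPort']
                RemoteIP  = $_['RemoteIP']
            }
        }
}

$allow = Get-InboundAllowRules
"Enabled inbound Allow rules: $(@($allow).Count)"
$allow | Sort-Object Name | Format-Table Name, Profiles, Protocol, LocalPort, RemoteIP -AutoSize

# The exceptions worth the closest look: reachable from any address on any port
$broad = $allow | Where-Object { $_.RemoteIP -eq 'Any' -and $_.LocalPort -eq 'Any' }
if ($broad) {
    "Rules open to any remote address on any local port (review these first):"
    $broad | ForEach-Object { " - $($_.Name) [$($_.Profiles), $($_.Protocol)]" }
}
```

Rules that are enabled only for the Public or Private profile still matter on a domain-joined server, because the active profile follows the network the server is connected to, so compare the Profiles column against the profile the server actually runs under.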

5. Configure Auditing

One of the most significant auditing changes in Windows Server 2008 is that you can now audit not only who changed which attribute, but also what the old and new values were.
This is significant because you can now tell why a change was made and, if something doesn't look right, easily find what it should be restored to.

Another significant change is that in earlier server versions you could only turn the auditing policy on or off for the entire Active Directory structure. In Windows Server 2008 the auditing policy is more granular.
As a security best practice, the following events should be logged and audited on the Windows Server 2008.

        • Audit account logon events
        • Audit account management
        • Audit directory service access
        • Audit logon events
        • Audit object access
        • Audit policy change
        • Audit privilege use
        • Audit process tracking
        • Audit system events

Most events in the Event Viewer carry event ID numbers, and these numbers can be used to troubleshoot the server. http://www.eventid.net/ is a good site that helps security and system administrators find out what actually happened on their servers. A best practice is also to forward these audit logs to a centralized server, as required by PCI DSS 10.5.3 and other industry standards. Windows Server 2008 offers a native event log subscription feature that forwards all system and security audit logs to a centralized server.
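The script below is an added example, not code from the original article. It applies the nine audit categories listed above with auditpol.exe, the command-line tool Windows Server 2008 provides for the granular audit policy the text describes, enables the "Directory Service Changes" subcategory on domain controllers (the subcategory that records old and new attribute values), and then reads the effective policy back in CSV form to verify that nothing is still set to "No Auditing". The category names are auditpol's own: "Detailed Tracking" is process tracking and "DS Access" is directory service access. Run it from an elevated prompt.

```powershell
# Added example: apply the nine audit categories with auditpol and verify the result.
$categories = @(
    'Account Logon',        # Audit account logon events
    'Account Management',   # Audit account management
    'DS Access',            # Audit directory service access
    'Logon/Logoff',         # Audit logon events
    'Object Access',        # Audit object access
    'Policy Change',        # Audit policy change
    'Privilege Use',        # Audit privilege use
    'Detailed Tracking',    # Audit process tracking
    'System'                # Audit system events
)

foreach ($cat in $categories) {
    # Record both successes and failures: failed attempts are usually the earlier warning sign
    & auditpol.exe /set /category:"$cat" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for category '$cat'" }
}

# On a domain controller, "Directory Service Changes" is the subcategory behind the
# old-value/new-value auditing described above. DomainRole 4 = backup DC, 5 = primary DC.
$isDc = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole -ge 4
if ($isDc) {
    & auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for Directory Service Changes" }
}

# Verification: "/get /r" emits CSV (Subcategory, Inclusion Setting, ...) that PowerShell can parse.
$effective = & auditpol.exe /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
$notAudited = $effective | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
if ($notAudited) {
    "Subcategories still set to No Auditing:"
    $notAudited | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
} else {
    "Every audit subcategory records successes and/or failures."
}
```

Object Access and Detailed Tracking produce the highest event volume, so the centralized collection the text recommends matters most for those two categories; the log subscription needs the collector reachable over WinRM, and the verification step above only confirms the local policy, not that events are actually being forwarded.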


6. Disable unnecessary shares

Unnecessary shares pose a great threat to vital servers. After a server or application deployment, system and security administrators should check whether the server has any unnecessary shares. This can be done with the following command:
         net share
This displays a list of all shares on the server. If a share is needed, system and security administrators should configure it as a hidden share and harden both the NTFS and the share permissions.

C:\Documents and Settings>net share

Share name   Resource                        Remark
-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC

To create a hidden share, append a $ sign to the share name. The share remains accessible, but it is not listed when browsing the network. Example:

         Accounting$
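Hiding a share does not change who can open it, so the review has to cover the share permissions as well as the listing. The script below is an added example that is not part of the original article: it reads the same share table that net share prints (the Win32_Share WMI class), tells administrative shares from user-created ones, and for the user-created shares decodes the share-level DACL so that broad grants such as Everyone with Full Control stand out. It is read-only and uses only WMI classes present on Windows Server 2008.

```powershell
# Added example: list shares with their share-level permissions and flag the ones to review.
$adminShareType = 0x80000000   # Win32_Share.Type flag set on ADMIN$, C$, IPC$ and similar

# Access masks the Share Permissions dialog uses for its three levels
$FullControl = 0x1F01FF
$Change      = 0x1301BF
$Read        = 0x1200A9

function Get-ShareReport {
    foreach ($s in (Get-WmiObject -Class Win32_Share)) {
        $isAdmin = ($s.Type -band $adminShareType) -ne 0
        $hidden  = $s.Name.EndsWith('$')
        $grants  = @()
        if (-not $isAdmin) {
            # The share's security descriptor lives in a separate WMI class keyed by share name
            $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$($s.Name)'"
            if ($sec) {
                $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
                foreach ($ace in $dacl) {
                    $who = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)".TrimStart('\')
                    if     ($ace.AccessMask -eq $FullControl) { $level = 'Full' }
                    elseif ($ace.AccessMask -eq $Change)      { $level = 'Change' }
                    elseif ($ace.AccessMask -eq $Read)        { $level = 'Read' }
                    else   { $level = '0x{0:X}' -f $ace.AccessMask }
                    if ($ace.AceType -eq 1) { $level = "Deny($level)" }   # AceType 1 = access denied
                    $grants += "$who=$level"
                }
            }
        }
        New-Object PSObject -Property @{
            Name     = $s.Name
            Path     = $s.Path
            Admin    = $isAdmin
            Hidden   = $hidden
            Grants   = ($grants -join '; ')
            Everyone = [bool]($grants | Where-Object { $_ -like 'Everyone=*' })
        }
    }
}

$report = Get-ShareReport
$report | Sort-Object Admin, Name | Format-Table Name, Path, Admin, Hidden, Grants -AutoSize

# Review candidates: user-created shares that are browseable or that grant Everyone anything
$review = $report | Where-Object { -not $_.Admin -and (-not $_.Hidden -or $_.Everyone) }
if ($review) {
    "Shares to review (visible in browse lists or granting Everyone):"
    $review | ForEach-Object { " - $($_.Name) ($($_.Path)) $($_.Grants)" }
}
```

The share DACL is only half of the effective permission: access is the more restrictive of the share permission and the NTFS permission on the folder, so a share that shows Everyone=Full here is acceptable only if the NTFS ACL on its path is tight, which is exactly the pairing the text asks you to harden.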

7. Configure Encryption on 2008 server

Industry regulations such as HIPAA and GLBA require that servers hosting sensitive information make use of encryption. Windows Server 2008 provides a built-in whole-disk encryption feature called BitLocker Drive Encryption (BitLocker). BitLocker protects the operating system and the data stored on the disk. In Windows Server 2008, BitLocker is an optional component that must be installed before it can be used. To install BitLocker, select it in Server Manager or type the following at a command prompt:

         ServerManagerCmd -install BitLocker -restart

8. Updates & Hot fixes

Updates and hot fixes are key elements when hardening a server. System and security administrators should constantly update and patch their servers against newly disclosed (zero-day) vulnerabilities. These patches are not limited to the operating system but also cover any application hosted on it. Administrators should periodically check the vendors' websites for updates. Windows Server 2008 offers a set of tools that help administrators update and patch their servers.

  • WSUS: Windows Server Update Services (WSUS) provides a software update service for Microsoft Windows operating systems and other Microsoft software. By using WSUS, administrators can manage the distribution of Microsoft hot fixes and updates released through Automatic Updates to computers in a corporate environment. WSUS helps administrators track the "update health" of each individual server.

  • MBSA: Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.


9. Anti-Virus & NAP

Anti-virus software is also a crucial step in hardening a server. Windows Server 2008 offers a set of tools that can help combat unauthorized network access and malicious code execution.
Windows Server 2008 offers Network Access Protection (NAP), which helps administrators keep infected machines from spreading viruses across the network. NAP uses a set of policies under which affected machines are cleaned up and, once healthy, permitted access to parts of your production network.
NAP consists of client/server technology that scans and identifies machines that don't have the latest virus signatures, service packs or security patches. Some of the key functions of a Windows Server 2008 NAP server include:
        • Validating machines: the mission of NAP is to preserve the integrity of the network by allowing only healthy machines to obtain IP addresses.

        • Restricting network access: computers or servers that don't meet the established policy standards can be restricted to a "quarantine" subnet, where their security issues are later remediated.

        • Fixing unhealthy machines: Windows Server 2008 NAP can direct hosts to a remediation server, where the latest anti-virus signatures and patches are deployed through SMS packages.

10. Least Privilege

The concept of least privilege has been adopted by many of today's industry standards. A hardened server needs to have all of its access reduced to the bare operational minimum. Many known security breaches are caused by the elevated privileges held by accounts. Server services should not be configured to run under enterprise-wide administrator accounts. Windows Server 2008 has a couple of tools that can help administrators grant or revoke access to specific sections of the server.

  • Script Logic’s Cloak: Script Logic Cloak is a product which enhances the Windows NT File System (NTFS) by providing increased security, more accurate audits and a vastly streamlined experience for users of the network.

  • PolicyMaker Application Security: PolicyMaker is an add-on for the Group Policy Management Console (GPMC). This tool allows administrators to adjust application privilege levels to the lowest possible point in order to limit damages stemming from network attacks or user error. The ability to control security at such a granular level also helps organizations comply with regulatory mandates such as the Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley acts.

Friday, March 5, 2010

My name is not Khan, I am Mr Kaul

A well-written article by Tarun Vijay. A must-read, because what he states is a truth that most of us do not relate to as we should!!

My name is not Khan, I am Mr Kaul
Tarun Vijay,  22 December 2009, 08:55 AM IST

I am not Khan. My name bears a different set of four letters: K A U L. Kaul. As those who know Indian names would understand I happened to be born in a family which was called Hindu by others. Hence, we were sure, we would never get a friend like KJ to make a movie on our humiliations, and the contemptuous and forced exile from our homeland. It's not fashionable. It's fashionable to get a Khan as a friend and portray his agony and pains and sufferings when he is asked by a US private to take off his shoes and show his socks. Natural and quite justifiable that Khan must feel insulted and enraged. Enough Masala to make a movie.

But unfortunately I am a Kaul. I am not a Khan.

Hence when my sisters and mothers were raped and killed, when six-year-old Seema was witness to the brutal slaughtering of her brother, mother and father with a butcher's knife by a Khan, nobody ever came to make a movie on my agony, pain and anguish, and tears.

No KJ would make a movie on Kashmiri Hindus. Because we are not Khans.

We are Kauls.

When we look at our own selves as Kauls, we also see a macabre dance of leaders who people Parliament. Some of them were really concerned about us. They got the bungalows and acres of greenery and had their portraits worshipped by the gullible devotees of patriotism.

They made reservations in schools and colleges for us. In many many other states. But never did they try that we go back to our homes. They have other priorities and 'love your jihadi neighborhood' programmes. They get flabbier and flabbier with the passing of each year, sit on sacks of sermons; issue instructions to live simply and follow moral principles delivered by ancestors and kept in documents treated with time-tested preservatives.

They could play with me because my name is Kaul. And not Mr Khan. I saw the trailer to this fabulous movie, which must do good business at the box office.

There was not even a hint that terror is bad and it is worse if it is perpetuated in the name of a religion that means Peace. Peace be upon all its followers and all the other creatures too.

So you make a movie on the humiliation of taking off shoes to a foreign police force which has decided not to allow another 9/11.

The humiliation of taking off the shoes and the urge to show that you are innocent is really too deep. But what about the humiliation of leaving your home and hearth and the world and the relatives and wife and mother and father? And being forced to live in shabby tents, at the mercy of nincompoop leaders encashing your misery and bribe-seeking babus? And seeing your daughters growing up too sudden and finding no place to hide your shame?
No KJ would ever come forward to make a movie, a telling, spine-chilling narration on the celluloid, of five-year-old Seema, who saw her parents and brother being slaughtered by a butcher's knife in Doda. Because her dad was not Mr Khan. He was one Mr Kaul.

Sorry, Mr Kaul and your entire ilk. I can't help you.

It's not fashionable to side with those who are Kauls. And Rainas. And Bhatts. Dismissively called KPs. KPs means Kashmiri Pandits. They are a bunch of communalists. They were the agents of one Mr Jagmohan who planned their exodus so that Khans can be blamed falsely. In fact, a movie can be made on how these KPs conspired their own exile to give a bad name to the loving and affectionate Khan brothers of the valley.

To voice the woes of Kauls is sinful. The right course to get counted in the lists of the Prime Minister's banquets and the President's parties is to announce from the roof top: hey, men and ladies, I am Mr Khan.

The biggest apartheid the state observes is to exclude those who cry for Kauls, wear the colours of  Ayodhya, love the wisdom of the civilisational heritage, dare to assert as Hindus in  a land which is known as Hindustan too and  struggle to live with dignity as Kauls. They are out and exiled. You can see any list of honours and invites to summits and late-evening gala parties to toast a new brand. All that the Kauls are allowed is a space at Jantar Mantar: shout, weep and go back to your tents after a tiring demonstration.

Mr Kaul, you have got a wrong name.

A dozen KJs would fly to take you atop the glory - posts and gardens of sympathies if you accept to wear a Khan name and love a Sunita, Pranita, Komal or a Kamini. Well, here you have a sweetheart in Mandira. That goes well with the story.

And you pegged the movie plot on autism.

I wept. It was too much. I wept as a father of a son who needed a story as an Indian. Who cares for his autistic son, his relationship with the western world, his love affair with a young sweet something as a human, as someone whose heart goes beyond being a Hindu, a Muslim or a proselytizing Vatican-centric aggressive soul. Not the one who would declare in newspaper interviews: "I think I am an ambassador for Islam". Shah Rukh is Shah Rukh, not because he is an ambassador for Islam. If that was true, he could have found a room in Deoband. Fine enough. But he became a heartthrob and a famous star because he is a great actor. He owes everything he has to Indians and not just to Muslims. We love him not because he is some Mr Khan. We love him because he has portrayed the dreams, aspirations, pains, anguish and ups and downs of our daily life. As an Indian. As one of us.
If he wants to use our goodwill and love for strengthening his image as an ambassador for Islam, will we have to think to put up an ambassador for Hindus? That, at least to me, would be unacceptable because I trust everyone: a Khan or a Kaul or a Singh or a Victor. Who represents India represents us all too, including Hindus. My best ambassadorship would be an ambassadorship for the tricolour and not for anything else because I see my Ram and Dharma in that. I don't think even an Amitabh or a Hritik would ever think in terms Shah Rukh has chosen for himself.  But shouldn't these big, tall, successful Indians who wear Hindu names make a movie on why Kauls were ousted? Why Godhra occurred in the first place? Why nobody, yes, not a single Muslim, comes forward to take up the cause of the exiled and killed and contemptuously marginalized Kauls whereas every Muslim complainant would have essentially a Hindu advocate to take on Hindus as fiercely as he can?

If you are Mr Khan and found dead on the railway tracks, the entire nation would be shaken. And he was also a Rizwan. May be just a coincidence that our Mr Khan in the movie is also a Rizwan.

Rizwan's death saw the police commissioner punished and cover stories written by missionary writers. But if you are a Sharma or a Kaul and happened to love an Ameena Yusuf in Srinagar, you would soon find your corpse inside the police thana and NONE, not even a small-time local paper, would find it worthwhile to waste a column on you. No police constable would be asked to explain how a wrongly detained person was found dead in police custody.

Because the lover found dead inside a police thana was not Mr Khan. No KJ would ever come forward to make a movie on 'My name is Kaul. And I am terror-struck by Khans'.

Give me back my identity as an Indian, Mr Khan and I would have no problem even wearing your name and appreciating the tender love of an autistic son.

Friday, January 8, 2010

Modify Group Policy's refresh interval


By default, Group Policy refreshes every 90 minutes for typical machines and users and every 5 minutes for domain controllers (DCs). To change these intervals, perform the following steps:
  1. Open the relevant Group Policy Object (GPO). For example, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the organizational unit (OU) or domain, select Properties, select the Group Policy tab, select the GPO, then click Edit.
  2. Expand Computer Configuration, Administrative Templates, System, Group Policy.
  3. Double-click "Group Policy refresh interval for computers," then select Enabled. Enter the new refresh rate and the maximum random time to wait for the refresh (to avoid all machines updating at the same time), then click OK.
  4. If required, double-click "Group Policy refresh interval for domain controllers," then select Enabled. Enter the new refresh rate, which should be significantly less than the average computer policy refresh rate, and the maximum random time to wait for the refresh (to avoid all machines updating at the same time), then click OK.
  5. Expand User Configuration, Administrative Templates, System, Group Policy.
  6. Double-click "Group Policy refresh interval for users."
  7. Again, select Enabled, set the necessary values, then click OK.
  8. Close the Group Policy Editor (GPE).

You don't have to configure both the user and computer value--you can modify just one of them. You shouldn't set these values too low: Every update requires processing and adds to the network traffic, and short refresh rates can quickly cause larger network problems. For example, setting the update frequency to 0 would result in Group Policy attempting a refresh every 7 seconds, which probably isn't good for anyone.
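The settings edited in the steps above are delivered to each machine as registry values under the Policies key, so the effective interval can be checked locally. The script below is an added example, not part of the original post: it reads those values for the computer (or domain controller) and user targets, falls back to the defaults the text states (90 minutes with up to 30 minutes of random offset for computers and users, 5 minutes for domain controllers) when a GPO has not set them, and warns when an interval is 0 or below a floor you choose, since the text notes that 0 means a refresh attempt about every 7 seconds. The value names are the ones the Group Policy administrative templates write; the 15-minute floor is an assumption for this example.

```powershell
# Added example: report the effective Group Policy refresh interval on this machine.
$machineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$userKey    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-PolicyValue($key, $name, $default) {
    # Values exist only where a GPO has set them; otherwise the built-in default applies
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item -and $item.$name -ne $null) { [int]$item.$name } else { $default }
}

function Get-RefreshSettings {
    # DomainRole 4 = backup DC, 5 = primary DC: DCs use the separate "...DC" values
    $isDc = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole -ge 4
    if ($isDc) {
        $computer = @{
            Target   = 'DomainController'
            Interval = Get-PolicyValue $machineKey 'GroupPolicyRefreshTimeDC' 5
            Offset   = Get-PolicyValue $machineKey 'GroupPolicyRefreshTimeOffsetDC' 0
        }
    } else {
        $computer = @{
            Target   = 'Computer'
            Interval = Get-PolicyValue $machineKey 'GroupPolicyRefreshTime' 90
            Offset   = Get-PolicyValue $machineKey 'GroupPolicyRefreshTimeOffset' 30
        }
    }
    $user = @{
        Target   = 'User'
        Interval = Get-PolicyValue $userKey 'GroupPolicyRefreshTime' 90
        Offset   = Get-PolicyValue $userKey 'GroupPolicyRefreshTimeOffset' 30
    }
    @($computer, $user) | ForEach-Object { New-Object PSObject -Property $_ }
}

$minimumMinutes = 15   # assumed floor for this example; pick one that fits your network
foreach ($s in Get-RefreshSettings) {
    $msg = "$($s.Target): refresh every $($s.Interval) min, random offset up to $($s.Offset) min"
    if ($s.Interval -eq 0) {
        Write-Warning "$msg -> 0 means a refresh attempt about every 7 seconds"
    } elseif ($s.Interval -lt $minimumMinutes) {
        Write-Warning "$msg -> below the $minimumMinutes-minute floor"
    } else {
        $msg
    }
}
```

Because the script reads the Policies hive on the machine where it runs, it shows what that machine will actually do after the GPO has been applied; run gpupdate first if you have just edited the GPO, and compare the user result under an account that receives the user-side setting.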