
Archive for June, 2009

Windows Deployment Options

June 30, 2009

The latest generation of Windows operating systems has introduced a number of new deployment technologies, all of which are based on the new Windows Imaging format (WIM). These images are file based, meaning they are composed of collections of files rather than sector-based snapshots of a disk such as ISOs. The main advantage of WIM over ISO is that you can modify an image before, during and after deployment. Besides storing file data, WIM files include XML-based metadata describing the files and directories that make up each image. WIM files offer additional deployment advantages, including:

  • Hardware independent, so a single image supports different HALs
  • Customizable using scripts
  • Automated installs using answer files
  • Contents can be modified to add, delete or update drivers
  • Keeps only one copy of files common to all the images stored in the file
  • Can be made bootable

Windows Automated Installation Toolkit

Windows offers a free downloadable tool called the Windows Automated Installation Toolkit (WAIK) which helps you preinstall, customize and deploy WIM images. It also includes documentation for performing unattended installs of Server 2008, Vista and some earlier versions of Windows (XP\2003). WAIK includes the following tools:

  • Windows Preinstallation Environment (Windows PE)
    • Bootable lightweight version of Windows used to capture or deploy images
    • Also used to troubleshoot or recover an installed OS
  • ImageX
    • Command-line tool used to capture, modify and apply WIM images (the source and destination directories below are placeholders)
      • Ex: imagex /capture <source_dir> path\wimfilename.wim "Image_Name"
      • Ex: imagex /apply path\wimfilename.wim 1 <destination_dir> (1 is the index number of the image within the file)
    • Enables mounting of a WIM image in Windows in order to modify its contents
  • Windows System Image Manager (SIM)

Sysprep

Sysprep is a tool found in the C:\Windows\System32\Sysprep folder. It is used to generalize a model computer installation image so that it can be deployed to other machines with less setup time per machine. It removes the following information and then runs through a mini-setup wizard:

  • Computer name
  • Domain membership
  • Time Zone
  • Product key
  • Security Identifier (SID)

Once the machine has completed Sysprep it can be imaged using ImageX or Windows Deployment Services.

Windows Deployment Services

WDS is a far more scalable and manageable solution than simply using WIM files on a network. It does, however, require additional services to function:

  • Active Directory
  • DHCP
  • DNS
  • NTFS

Creating a Windows PE CD

  1. Install the WAIK toolkit
  2. Launch the Windows PE Tools Command Prompt from the WAIK program group
  3. In the WinPE Tools Command Prompt type the following: copype.cmd x86 C:\WinPE
    1. The copype.cmd script creates a new directory with the name specified
    2. It will contain files, folders and an ISO directory that holds the contents of WinPE
    3. Copy tools such as ImageX into this ISO directory
  4. In the WinPE Tools Command Prompt type the following: copy "C:\Program files\Windows AIK\Tools\x86\imagex.exe" C:\WinPE\ISO
  5. In Notepad create an empty file named Wimscript.ini and save it to the new C:\WinPE\ISO folder
  6. Edit the file to contain the following (the [ExclusionList] names files ImageX leaves out of a capture; the [CompressionExclusionList] names already-compressed files it stores without compressing):

    [ExclusionList]
    Ntfs.log
    Hiberfil.sys
    Pagefile.sys
    "System Volume Information"
    RECYCLER
    Windows\CSC

    [CompressionExclusionList]
    *.mp3
    *.zip
    *.cab
    \WINDOWS\inf\*.pnf

  7. In the WinPE command prompt type the following: oscdimg -n -bc:\WinPE\etfsboot.com c:\WinPE\ISO c:\WinPE\WinPE.iso
    1. The oscdimg command makes an .ISO file of the specified ISO directory.
    2. The -b switch makes the image bootable by specifying the location of the boot sector file, etfsboot.com
    3. The -n switch enables long file names in the ISO file
  8. You are now able to import the ISO into Virtual PC using the CD menu option and then browse to C:\WinPE\WinPE.iso
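The procedure above as one script, added here as an example and not part of the original post. It assumes it is launched from the Windows PE Tools Command Prompt (so copype.cmd and oscdimg.exe are on the PATH), that the WAIK is installed in its default location, and that C:\WinPE does not exist yet; each tool's exit code is checked so a failed step does not silently produce an unbootable ISO.

```powershell
# Added example: steps 3 to 7 of the Windows PE CD procedure with error checking.
# Assumes the AIK tools are on the PATH (run from the Windows PE Tools Command Prompt).
param(
    [string]$Arch    = 'x86',
    [string]$WorkDir = 'C:\WinPE',
    [string]$ImageX  = 'C:\Program Files\Windows AIK\Tools\x86\imagex.exe'  # default WAIK path
)
$ErrorActionPreference = 'Stop'

# Step 3: copype.cmd creates $WorkDir with its ISO and mount folders plus winpe.wim.
cmd /c copype.cmd $Arch $WorkDir
if ($LASTEXITCODE -ne 0) { throw "copype.cmd failed with exit code $LASTEXITCODE" }

# Step 4: put ImageX on the CD so the booted PE can capture and apply WIM files.
Copy-Item $ImageX (Join-Path $WorkDir 'ISO')

# Steps 5 and 6: capture-time exclusions. The page file, hibernation file and NTFS log are
# machine specific; already-compressed files are not worth compressing a second time.
$wimscript = @"
[ExclusionList]
ntfs.log
hiberfil.sys
pagefile.sys
"System Volume Information"
RECYCLER
Windows\CSC

[CompressionExclusionList]
*.mp3
*.zip
*.cab
\WINDOWS\inf\*.pnf
"@
Set-Content -Path (Join-Path $WorkDir 'ISO\Wimscript.ini') -Value $wimscript -Encoding Ascii

# Step 7: -b names the boot sector file (no space after the switch), -n allows long file names.
$bootSector = Join-Path $WorkDir 'etfsboot.com'
$isoPath    = Join-Path $WorkDir 'WinPE.iso'
oscdimg -n "-b$bootSector" (Join-Path $WorkDir 'ISO') $isoPath
if ($LASTEXITCODE -ne 0) { throw "oscdimg failed with exit code $LASTEXITCODE" }

Write-Host "Bootable Windows PE image written to $isoPath"
```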

Once the image has completed, the C:\WinPE directory will include the following:

  • ISO directory
  • Mount directory
  • Etfsboot.com file
  • Winpe.wim file
  • WinPE.iso file

Issues Using WSIM

  1. “Unable to load DLL ‘wimgapi.dll’: the specified module could not be found” when trying to “Select Windows Image”
Categories: Server2008

SSTP VPN Client Connection Issue

June 14, 2009

I was recently having issues trying to connect from Vista to a Server 2008 VPN server using SSTP (Secure Socket Tunneling Protocol). I was getting the following error:

[Image: SSTP error message]

Both PPTP and L2TP\IPSec worked fine, so I knew the VPN server was functional and that certificates were working, as IPSec VPNs require computer certificates. After reviewing the Microsoft Press book “Networking and Network Access Protection (NAP)” I realized that not only does SSTP require a server-side computer certificate and that the root certificate be trusted by the clients, but that the server needs to verify the validity of the server certificates by querying the Certificate Revocation List (CRL) or an Online Responder. I verified that the CRL was set up using the Microsoft Press book “Configuring Windows Server Active Directory” and that the root certificate is trusted in the domain, as seen below:

[Image: Trusted Root Certificates store; DC1-INFRA-CA is the Root Certificate Authority]

After doing some more research I found a blog by Brad Ratkowski which had a posting on the Microsoft “Server 2008 Step-By-Step Guides”. After reviewing the site I noticed a step-by-step guide on how to configure SSTP, which I will be using and which will hopefully resolve the issue.

Categories: Security

Server 2008 VPN Connections

June 12, 2009

Server 2008 still offers PPTP and L2TP\IPSec VPN capabilities, but now also includes the new Secure Socket Tunneling Protocol (SSTP). The VPN server role is added using Roles\Network Policy and Access Services\Routing and Remote Access. It still comes with the following default policies, but they are now disabled by default:

  • Connection to Microsoft Routing and Remote Access Server
  • Connection to other remote access servers

Once installed, all VPN protocols are enabled by default and the firewall creates the following inbound rules:

  • PPTP – TCP: 1723
  • L2TP – UDP: 1701
  • SSTP – TCP: 443

During my initial testing both PPTP and L2TP\IPSec worked fine. PPTP is the easiest protocol to use as it doesn’t require any additional configuration on either the server or client, and it is used by default. Both L2TP\IPSec and SSTP require the additional functionality of certificates, so I installed and configured the following:

  • Installed the Active Directory Certificate Services role
  • Configured a Root Certificate Authority
  • Created a domain GPO and configured Computer Configuration for “Automatic Certificate Requests” for computer certificates

The following table identifies the requirements for each of the Microsoft VPN protocols.

Type          Authentication               Data                     Certificates
              User    Computer   Data      Encryption   Integrity   Computer   User
PPTP          PPP     None       None      MPPE         None        None       None
L2TP\IPSec    PPP     IPSec      IPSec     IPSec        IPSec       Yes        None
SSTP          PPP     None       SSL       SSL          SSL         Yes        None

I was also able to produce the following client connection failures and error codes:

  • 800: Unable to establish VPN connections (no policy enabled)
  • 812: Prevented due to policy (changed Day\Time restrictions or Authentication method)
  • 766: Certificate could not be found (deleted client computer certificate)
  • 0x804B0109: Certificate chain not trusted (unable to resolve) SSTP only
  • 0x80420400: Unable to validate server certificate (unable to resolve) SSTP only

After doing some research I discovered that not only does SSTP require the VPN server to have a computer certificate, but the client also needs to contact the current Certificate Revocation List (CRL) or an Online Responder (new to Server 2008) in order to verify the current validity of the existing certificate.
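A client-side check for the two SSTP requirements described here and in the SSTP Client Connection Issue post above (a trusted server certificate chain and a reachable CRL or Online Responder), added as an example and not part of the original post. It fetches the server certificate over TCP 443 with .NET's SslStream, then builds the chain with online revocation checking; the server name is a placeholder to replace with the name the client dials.

```powershell
# Added example: does the SSTP server certificate chain build, and can its CRL be fetched?
# 'vpn.example.com' is a placeholder; use the name the VPN client connects to.
function Test-SstpServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ServerName,
        [int]$Port = 443   # SSTP listens on TCP 443, the inbound rule listed above
    )
    $client = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    try {
        # Accept any certificate during the handshake; the real validation is done below.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($ServerName)
        $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # Online revocation checking is what fails with "unable to validate server certificate"
    # when the client cannot reach the CRL distribution point or Online Responder.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'       # X509RevocationMode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # X509RevocationFlag
    $trusted = $chain.Build($serverCert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # CRL Distribution Points extension (OID 2.5.29.31): the URLs the client must reach.
    $crlUrls = $serverCert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
        ForEach-Object { $_.Format($false) }

    New-Object PSObject -Property @{
        Server            = $ServerName
        Subject           = $serverCert.Subject
        Issuer            = $serverCert.Issuer
        NameMatchesServer = ($serverCert.GetNameInfo('DnsName', $false) -eq $ServerName)
        ChainTrusted      = $trusted
        RootUntrusted     = [bool]($status -match 'UntrustedRoot')             # chain not trusted
        RevocationUnknown = [bool]($status -match 'RevocationStatusUnknown|OfflineRevocation')
        ChainStatus       = ($status -join ', ')
        CrlDistribution   = ($crlUrls -join ' ')
    }
}

Test-SstpServerCertificate -ServerName 'vpn.example.com' | Format-List
```

RootUntrusted corresponds to the “certificate chain not trusted” failure and RevocationUnknown to “unable to validate server certificate”; run it from the client that fails, since CRL reachability depends on where the client sits.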

Categories: Security

Vista’s Default Running Services

June 11, 2009

Anyone familiar with troubleshooting performance or security issues on Vista\XP\2000 has, at some point, had to either kill a running process or start\stop a service. Any running process has a corresponding service that has been started. Some processes, like svchost.exe, can be responsible for running several different services and have multiple instances of themselves running simultaneously. I just checked a recently installed copy of Vista Enterprise and it has 11 svchost.exe processes running.

Services are available using the following methods:

  • Start – Run – Services.msc, or
  • Start – All Programs – Administrative Tools

Services can be configured with the following startup types:

  • Automatic
  • Manual
  • Disabled

Currently running processes are viewable using the following methods:

  • Ctrl + Alt + Del – Task Manager – Processes tab
  • Start – Run – taskmgr
  • CMD – tasklist (use tasklist /SVC for more information regarding specific processes)
  • HijackThis (free third-party tool available for download)

All running services and processes are possible access points into your machine, and many times viruses\malware\spyware will be visible as a process; therefore the Processes tab is usually the first place I check when troubleshooting infections or performance issues. Some services are needed and others are not; it all depends upon the functionality required of a particular machine, such as access to the network or internet. I was going to come up with a list of default services\processes for Vista, but after doing some research I found a site that had already done a great job of listing them and provided additional information beyond what I had originally intended to document.
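The Image Name / PID / Services mapping that tasklist /SVC prints, taken from WMI so it can be filtered, added here as an example and not part of the original post. It lists every svchost.exe instance with the services it hosts and flags any that do not look like the genuine one: not running from System32, hosting no services, or not started by services.exe.

```powershell
# Added example: inventory svchost.exe instances and the services each one hosts.
function Get-SvchostInventory {
    $expectedPath   = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $servicesExePid = (Get-WmiObject Win32_Process -Filter "Name='services.exe'").ProcessId

    # Win32_Service.ProcessId ties every started service to the process hosting it,
    # which is the same information tasklist /SVC shows in its Services column.
    $servicesByPid = Get-WmiObject Win32_Service -Filter "State='Running'" |
        Group-Object -Property ProcessId -AsHashTable -AsString

    Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
        $procId = [string]$_.ProcessId
        $hosted = @()
        if ($servicesByPid -and $servicesByPid.ContainsKey($procId)) {
            $hosted = @($servicesByPid[$procId] | ForEach-Object { $_.Name })
        }
        # ExecutablePath is $null when WMI cannot read the process; that is also worth a look.
        $wrongPath   = ($_.ExecutablePath -ne $expectedPath)
        $wrongParent = ($_.ParentProcessId -ne $servicesExePid)

        New-Object PSObject -Property @{
            PID          = $_.ProcessId
            ParentPID    = $_.ParentProcessId
            Path         = $_.ExecutablePath
            ServiceCount = $hosted.Count
            Services     = ($hosted -join ', ')
            # A genuine svchost lives in System32, is started by services.exe and hosts services.
            Suspicious   = ($wrongPath -or $wrongParent -or ($hosted.Count -eq 0))
        }
    }
}

Get-SvchostInventory | Sort-Object Suspicious -Descending |
    Format-Table PID, ParentPID, ServiceCount, Suspicious, Path, Services -AutoSize
```

Run it from an elevated prompt; without administrator rights WMI returns no ExecutablePath for processes owned by other accounts, which the script would report as suspicious.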

The list was created by BlackViper and is available here: http://www.blackviper.com/WinVista/servicecfg.htm. The BlackViper site has been around for some time now and has come up often in the past when doing internet research on issues with Vista\XP. His list is concise and contains info for all default services running on the following versions of Vista:

  • Home Basic (139)
  • Home Premium (145)
  • Business (147)
  • Ultimate (153)

He also includes the following list of suggested services that you might consider disabling:

  • Safe (18 services disabled)
  • Tweaked (52 services disabled)
  • Barebones (76 services disabled) – No Network Connectivity – Most secure

The site also has some Service Registry File downloads that will either start\stop services depending on the option you decide on, not to mention his Custom Registry File Tool. The site is worth some reading if you want to gain a better understanding into

Categories: Server2008

NAP Troubleshooting

June 10, 2009

Troubleshooting Network Access Protection

I just set up a lab environment to test several of the following NAP enforcement features:

  • IPSec Connection Security
  • 802.1x Access Point
  • VPN Server
  • DHCP Server

The first NAP enforcement feature I configured was DHCP. It is the least complicated and easiest scenario to test. I also used the Microsoft white paper “Step by Step Guide: Demonstrate NAP DHCP Enforcement in a Test Lab” as a guideline. All servers in the setup were 2008 Enterprise Edition, and the following roles were available on the network:

DC1

  • Domain Controller
  • NPS
  • DHCP Server

SRV1

  • Member Server joined to domain
  • DHCP Client

The issue I encountered was that SRV1 was unable to get an IP address from the DHCP server. If I turned off NAP on the DHCP server, either at the IPv4 or scope level, then SRV1 was able to obtain an address. After doing some testing I was able to get it to work, but only by changing the “Error Code Resolution” settings in the Windows Security Health Validator to the following:

  • SHV unable to contact required services – Noncompliant
  • SHA unable to contact required services – Noncompliant
  • SHA not responding to NAP client – Compliant
  • SHV not responding – Noncompliant
  • Vendor specific error code received – Noncompliant

The issue I discovered is that Server 2008 doesn’t have a Security Health Agent. The SHA also depends on the Windows Security Center, which isn’t included in Server 2008 either. Only after changing the “SHA not responding to NAP client” setting to “Compliant” was SRV1 able to receive an address via DHCP.

After discovering the issue with the SHA on Server 2008 I did some research and found the following posting, “Include Security Center and Windows SHA on Server 2008”, on the Microsoft TechNet forum for NAP.

Categories: Security

Network Access Protection

June 9, 2009

Network Access Protection (NAP)

One of the new security services offered in Windows Server 2008 is Network Access Protection. NAP requires clients (Vista SP1, XP SP3, Server 2008) to complete a health check of their system, which is then submitted to a NAP server. NAP compares the results with preconfigured System Health Validators and, based on the results, the NAP server places the client onto one of the following networks:

  • Private Network: client meets all required SHVs
  • Remediation Network: segmented network used to remediate any current health issues
  • No Network Connectivity: client is denied network access

Here is a list of the current acronyms being used when discussing NAP:

  • NPS = Network Policy Server (the NAP server)
  • SHA = System Health Agent (client-side NAP plug-in)
  • SHV = System Health Validator (server-side NAP plug-in)
  • SoH = Statement of Health (created by the client)
  • SSoH = System Statement of Health (sent by the client; a combination of several SoHs)
  • SoHR = Statement of Health Response (response from the server to the SSoH)

There are several different NAP enforcement types available:

  • IPSec Connection Security
  • 802.1x Access Point
  • VPN Server
  • DHCP Server
  • TS Gateway

Here is the list of the default Windows Security Health Validator checks used to evaluate the current health of the client machine:

  • Windows Firewall
  • Antivirus (additional: updated virus definitions)
  • Spyware Protection (additional: updated spyware definitions)
  • Automatic Updating
  • Security Update Protection (additional: Important, Moderate, Low, WSUS or Windows Update)

In order to configure client workstations to use NAP, there are several GPO client computer settings that should be configured:

  • Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Network Access Protection Agent
  • Computer Configuration\Policies\Windows Settings\Security Settings\NAP\NAP Client Configurations\Enforcement Clients
  • Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center

NAP can also be extended and centralized using the following Microsoft products:

  • System Center Configuration Manager 2007
  • Forefront Security


Categories: Security