switchport Security

Thursday, December 27, 2007

IPv6 Address Assignment and Subnetting!!! (Part 1)

In IPv4 we have had classful and classless subnetting. The reason for subnetting was that IP addresses were dwindling, while they had originally been allocated by class.

How do we perform IPng subnetting?


What's in here?
-IPv6 Address Assignment
-IPv4 VLSM Sample
-IPv6 Subnetting Sample


IPv6 Address Assignment
The example below shows how IPv6 addresses are assigned (even including the part where IANA handed the IP address assignment task off to ICANN). It starts with ICANN assigning an IPv6 block, 2310::/12, to a Regional Internet Registry, ARIN in this case. With ARIN now holding an IP block, it can assign IP addresses to ISPs.

IPv4 VLSM Sample
VLSM is actually one of my favorite topics. Everything I want to say is actually in the picture. You can perform faster IPv4 subnetting with the technique displayed in the picture. I learned it the hard way - dealing with 1s and 0s - before doing it with decimal numbers, which is the way to go.
Note: The graphic has a green background because I love the blackboard-and-chalk combination of the older days. VLSM is a classless subnetting technique, whereas when IP subnetting was first devised it was classful-based. What I mean is that everything was built around following the default prefixes of /8, /16, and /24, and depending on how many subnets were required, subnetting was then performed.


IPv6 Subnetting Sample
How are we to perform subnetting for IPv6? We do it the way we perform classless IPv4 subnetting. Let's use the same figure as in the VLSM sample I gave, only this time with v6 addresses. Also, let's assume that the network will be using the IPv6 prefix 2310:1234:0003::/48.

One other thing to consider is that we needn't concern ourselves that much with subnet and broadcast addresses. And note what prefix length ends up assigned to the network with the lowest IP allocation.

Sample 1
Referring to the VLSM sample I gave (the green pic) and instead of using IPv4 we use IPv6, subnetting the example gives us the following:


Net     # Alloc   IP
LAN 3   33        2310:1234:0003::/58
LAN 4   21        2310:1234:0003:40::/59
LAN 1   14        2310:1234:0003:60::/60
LAN 2   04        2310:1234:0003:70::/61
SL 01   02        2310:1234:0003:74::/62
SL 02   02        2310:1234:0003:7c::/62
SL 03   02        2310:1234:0003:80::/62

Sample 2
Well, look at these:

Net     # Alloc   IP
LAN 3   33        2310:1234:0003::/64
LAN 4   21        2310:1234:0003:1::/64
LAN 1   14        2310:1234:0003:2::/64
LAN 2   04        2310:1234:0003:3::/64
SL 01   02        2310:1234:0003:4::/64
SL 02   02        2310:1234:0003:5::/64
SL 03   02        2310:1234:0003:6::/64

So, what's the difference? That's easy to spot. In sample 1, the subnet IDs advance by the size of each subnet allocation.

In sample 2, the subnets advance by 1, starting from 0.

Why?

Because when hosts are stateless, they pick up the /64 prefix advertised by the routers and append their interface IDs in the last 64 bits of the v6 address.
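The following Python script is an added example (not part of the original post) that works through both samples: it applies the VLSM prefix rule from the green picture to the subnet-ID bits of 2310:1234:0003::/48, places each network on its own block boundary, numbers the /64s for sample 2, and checks that nothing overlaps. The host counts are the "# Alloc" column above.

```python
import ipaddress

# Site prefix from the text and the per-network host counts from the green VLSM picture
SITE = ipaddress.IPv6Network("2310:1234:3::/48")
LANS = [("LAN 3", 33), ("LAN 4", 21), ("LAN 1", 14), ("LAN 2", 4),
        ("SL 01", 2), ("SL 02", 2), ("SL 03", 2)]


def vlsm_prefix_length(hosts):
    """The IPv4 VLSM rule applied to the subnet-ID bits: find the smallest n with
    2**n >= hosts + 2 (network and broadcast counted, as in v4) and use /(64 - n).
    For 33 hosts that is n = 6, hence /58, exactly as in sample 1."""
    n = (hosts + 1).bit_length()
    return 64 - n


def allocate_vlsm(site, lans):
    """Sample 1 style: largest network first, each on its own prefix length and placed
    on the next boundary that is a multiple of its own block size."""
    cursor = int(site.network_address)
    allocations = []
    for name, hosts in sorted(lans, key=lambda item: -item[1]):
        plen = vlsm_prefix_length(hosts)
        size = 1 << (128 - plen)
        cursor = -(-cursor // size) * size        # round up to the block boundary
        net = ipaddress.IPv6Network((cursor, plen))
        if not net.subnet_of(site):
            raise ValueError(f"{name} does not fit inside {site}")
        allocations.append((name, net))
        cursor += size
    return allocations


def allocate_per64(site, lans):
    """Sample 2 style: every network is a /64 (what stateless hosts expect), numbered from 0."""
    subnets = site.subnets(new_prefix=64)
    return [(name, next(subnets)) for name, _ in lans]


def overlaps(allocations):
    """True if any two allocated networks overlap; a quick sanity check for either plan."""
    nets = [net for _, net in allocations]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for title, plan in (("Sample 1", allocate_vlsm(SITE, LANS)),
                        ("Sample 2", allocate_per64(SITE, LANS))):
        print(f"{title} (overlap: {overlaps(plan)})")
        for name, net in plan:
            print(f"  {name:6} {net}")
```

Running it puts SL 01 at 2310:1234:3:78::/62 rather than 74, because a /61 starting at 70 occupies 70 through 77; the overlap check is there to catch exactly that kind of slip.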

Wednesday, December 26, 2007

Address Randomization and Non-unique addresses for IPv6

If IPv6 addresses are always static, this will certainly raise concerns. What's one of the benefits of IP masquerading?

That's anonymity!!!

There should be a mechanism that allows the creation of random IPv6 Addresses. That's what my last blog post informed you about.

Defined in RFC 3041, Privacy Extensions for Stateless Address Autoconfiguration in IPv6, this feature is offered by the Windows family of operating systems starting with Windows CE, and that address type is preferred for outgoing communication because it has a short lifetime and is regenerated periodically.


Non-Unique IPv6 address
Not all IPv6 addresses would be unique. Consider the diagram on the right side.
The right-most 24 bits for Routers B and C are exactly the same.
Let's say all nodes have the /64 prefix. This would mean that the network for both routers B and C is 2001:100:200:300::/64.
A solicited-node multicast address is used in v6 for resolving v6 addresses to a MAC address on a LAN segment.
The two routers will then be listening on the same solicited-node multicast address. If a neighbor solicitation is sent there, each gets a copy, but the main point here is that only the node whose full unicast address matches the target address in that packet will process it and respond with a neighbor advertisement.
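An added example (not from the original post) that models the situation above. The diagram's full router addresses are not given, so the two router addresses and the host are constructed; they sit in the page's 2001:100:200:300::/64 and B and C share the same low 24 bits.

```python
import ipaddress

# ff02::1:ff00:0/104 - the low 24 bits of the unicast address fill in the rest
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr):
    """Solicited-node multicast group for a unicast address: ff02::1:ffXX:XXXX."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


class Node:
    """A minimal IPv6 node: one unicast address plus the multicast groups it listens on."""

    def __init__(self, name, addr):
        self.name = name
        self.addr = ipaddress.IPv6Address(addr)
        self.groups = {solicited_node(addr)}     # joined for every unicast address

    def receive_ns(self, group, target):
        """Handle a Neighbor Solicitation: the group decides whether the packet is seen
        at all, the target address decides whether this node answers."""
        if group not in self.groups:
            return None                           # filtered out, never reaches the stack
        if self.addr != ipaddress.IPv6Address(target):
            return None                           # got a copy, but it is for someone else
        return f"NA from {self.name}: {target} is at the link-layer address of {self.name}"


def resolve(nodes, target):
    """Send one NS to the target's solicited-node group and collect the advertisements."""
    group = solicited_node(target)
    answers = [n.receive_ns(group, target) for n in nodes]
    return group, [a for a in answers if a is not None]


def group_members(nodes):
    """Which nodes share a solicited-node group - the 'non-unique' case from the text."""
    members = {}
    for n in nodes:
        for g in n.groups:
            members.setdefault(g, []).append(n.name)
    return members


# Constructed addresses on the page's 2001:100:200:300::/64; B and C share the low 24 bits
ROUTER_B = "2001:100:200:300::abcd:ef12:3456"
ROUTER_C = "2001:100:200:300::1111:ef12:3456"
HOST_A = "2001:100:200:300::1"

if __name__ == "__main__":
    nodes = [Node("B", ROUTER_B), Node("C", ROUTER_C), Node("A", HOST_A)]
    for g, names in group_members(nodes).items():
        print(f"{g} is joined by {names}")
    group, answers = resolve(nodes, ROUTER_C)
    print(f"NS to {group} for {ROUTER_C} -> {answers}")
```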

The Extended Universal Identifier

Given a network address and prefix, how would you know the network address of a host in IPv6?



What's in here?
-EUI-64
-IEEE 802 address conversion example
-Randomly generated Interface IDs

EUI-64
Interface Identifiers in global unicast and other types of v6 addresses must be 64 bits long and follow a certain format as defined by EUI-64.

This format is derived from the 48-bit link-layer address of the interface card - the MAC address - by inserting the hex value FFFE between the upper 3 bytes (the OUI) and the lower 3 bytes of the link-layer address.
But it doesn't stop here. The other issue is to make the IPv6 address you've just conjured up, or your machine for that matter, universally unique. This is done by flagging the seventh (7th) bit of the high-order, most significant byte as either 0, meaning local, or 1, meaning global. This then ensures uniqueness of the address.
The 7th bit is known as the U/L bit. The 8th bit of the high-order, most significant byte is known as the G bit.

The G bit is used to manage groups - signifying groups or single hosts. In English, this indicates whether the address is unicast, set to 0, or multicast, set to 1.


IEEE 802 address conversion example (From http://www.microsoft.com)
In this example, Host A has an IEEE 802 address (Ethernet MAC) of 00-AA-00-3F-2A-1C. The following steps occur when converting this address to IPv6:

To convert the MAC address to EUI-64 format, FF-FE is inserted between the third and fourth bytes. This yields 00-AA-00-FF-FE-3F-2A-1C.

The U/L bit, which is the seventh bit in the first byte, is complemented. The first byte in binary form is 00000000. When the seventh bit is complemented, it becomes 00000010 (0x02).

Note: When complementing the U/L bit, perform the following steps:

  • If the EUI-64 address is universally administered, add 0x2 to the first byte.
  • If the EUI-64 address is locally administered, subtract 0x2 from the first byte.

The result, 02-AA-00-FF-FE-3F-2A-1C, is converted to colon-hexadecimal notation, yielding the interface identifier 2AA:FF:FE3F:2A1C.

Thus, in this example, the link-local address that corresponds to the network adapter with the MAC address of 00-AA-00-3F-2A-1C is FE80::2AA:FF:FE3F:2A1C.

Randomly generated Interface IDs
Because IPv6 address identifiers remain static, for security reasons, a method is required to provide temporary addresses. The IPv6 protocol for Windows CE .NET 4.1 and later creates temporary addresses for global address prefixes by default.

In the IPv4-based Internet it is difficult to track a user's traffic on the basis of IP address. A typical user connects to an Internet service provider (ISP) and then obtains an IPv4 address by using the Point-to-Point Protocol (PPP) and the Internet Protocol Control Protocol (IPCP). Each time the user connects to the Internet, a different IPv4 address might be obtained, making it difficult to track their usage.

For IPv6-based dial-up connections, after the connection is made through router discovery and stateless address autoconfiguration, the user is assigned a 64-bit prefix. If the interface identifier is based on a EUI-64 address derived from the static IEEE 802 address, the traffic of a specific node can be identified regardless of the prefix. This makes it easy to track a specific user and their use of the Internet. To address this concern and provide a level of anonymity, an alternative IPv6 interface identifier can be randomly generated and changed over time. This method is described in RFC 3041.

The following list shows how the initial interface identifier is generated by using random numbers:

  • For IPv6 systems that cannot store historical information for generating future interface identifier values, a new random interface identifier is generated each time the IPv6 protocol is initialized.

  • For IPv6 systems that have storage capabilities, a history value is stored. When the IPv6 protocol is initialized, a new interface identifier is created through the following process:
  1. Retrieve the history value from storage and append the interface identifier based on the EUI-64 address of the adapter.
  2. Compute the Message Digest-5 (MD5) one-way encryption hash over the quantity in step 1.
  3. Save the last 64 bits of the MD5 hash computed in step 2 as the history value for the next interface identifier computation.
  4. Take the first 64 bits of the MD5 hash computed in Step 2 and set the seventh bit to zero. The seventh bit corresponds to the U/L bit which, when set to 0, indicates a locally administered interface identifier. The result is the interface identifier.
The IPv6 address based on this random interface identifier is known as a temporary address. Temporary addresses are generated for public address prefixes that use stateless address autoconfiguration - routers give the addresses.
Temporary addresses are used for the lower of the valid and preferred lifetimes values shown in the following table.
After the valid lifetime of temporary address expires, a new interface identifier and temporary address are generated.
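Added example, not from the original post or the Microsoft article: the EUI-64 conversion of Host A's MAC from the example above, the link-local address built from it, and the RFC 3041 history/MD5 chain from the four steps just listed. The all-zero history seed and the 2310:1234:3::/64 prefix are assumptions; a real stack starts from a random history value.

```python
import hashlib
import ipaddress


def mac_to_eui64_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit IEEE 802 address: insert FF-FE
    between the OUI and the NIC-specific bytes, then complement the U/L bit (the seventh
    bit of the first byte, value 0x02)."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def iid_to_colon_hex(iid):
    """The identifier as four colon-separated hex groups without leading zeros."""
    return ":".join("%x" % int.from_bytes(iid[i:i + 2], "big") for i in range(0, 8, 2))


def with_prefix(prefix, iid):
    """Combine a /64 prefix (given as an address such as fe80::) with an 8-byte identifier."""
    if len(iid) != 8:
        raise ValueError("interface identifier must be 64 bits")
    return ipaddress.IPv6Address(ipaddress.IPv6Address(prefix).packed[:8] + iid)


def temporary_iid(history, eui64_iid):
    """RFC 3041 steps 1-4 from the list above: MD5 over history || EUI-64 identifier;
    the first 64 bits with the U/L bit cleared (locally administered) become the new
    identifier, the last 64 bits are stored as the history value for the next round."""
    if len(history) != 8 or len(eui64_iid) != 8:
        raise ValueError("history and identifier must be 64 bits each")
    digest = hashlib.md5(history + eui64_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD                                # clear bit 0x02 -> U/L = 0
    return bytes(iid), digest[8:]


def temporary_addresses(prefix, mac, count, history=bytes(8)):
    """Successive temporary addresses, chaining the history value through each round.
    The all-zero seed is an assumption for reproducibility; real stacks start random."""
    eui = mac_to_eui64_iid(mac)
    addresses = []
    for _ in range(count):
        iid, history = temporary_iid(history, eui)
        addresses.append(with_prefix(prefix, iid))
    return addresses


if __name__ == "__main__":
    mac = "00-AA-00-3F-2A-1C"                    # Host A from the example above
    eui = mac_to_eui64_iid(mac)
    print("EUI-64 identifier:", eui.hex("-").upper())
    print("colon-hex form   :", iid_to_colon_hex(eui))
    print("link-local       :", with_prefix("fe80::", eui))
    for a in temporary_addresses("2310:1234:3::", mac, 3):   # prefix is an assumption
        print("temporary        :", a)
```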


Tuesday, December 25, 2007

IP Next Generation (ng): IPv6

For starters, there is no IPv5 that works the way we'd think it should. It's more of a streaming protocol defined in RFCs 1190 and 1819 and works somewhat the way MPLS does, in some respects.

Ever wondered what an IPv6 number is? Do you understand what ipconfig /all and ifconfig spits out in the CLI about your IPv6 address? And do you know that you have more than one IPv6 address?

If you don't, read on!

What's in here?
-What is IPv6?
-The IPv6 Header

-Addressing Notation
-Zone Indices and Multi-homed servers
-Address and Communication Types
-WKA

What's IPv6?

IPv6 is a new IP protocol designed to replace IPv4, the Internet protocol that is predominantly deployed and extensively used throughout the world. IPv6 quadruples the number of network address bits from 32 bits (in IPv4) to 128 bits or approximately 3.4 x 10^38 addressable nodes, which provides more than enough globally unique IP addresses for every network device on the planet. (From http://www.cisco.com)

How different is this from IPv4?

  • larger address space: uses a 128-bit addressing format capable of 2^128 IPv6 addresses
  • Option for stateless autoconfiguration and stateful configuration for hosts through DHCPv6
  • Multicast
  • Link-local addresses
  • Support for payloads of around 65535 octets
  • Network layer security native support: IPsec is natively supported and built into IPv6
  • MIPv6: MobileIP is available for both v4 and v6 and enables mobile devices to move seamlessly throughout a network. This is native in IPng.
  • faster processing due to no checksums

The IPv6 Header
The v6 header is noticeably more streamlined than its predecessor. This is why v6 communication is said to be a lot faster and more efficient. Let's take a closer look at it.

Version
From the figure above, the first part of the header is the version field that has a value of 6, meaning IPv6.

Traffic Class is an 8-bit field that distinguishes packets with different real-time delivery requirements, used in differentiated services (DiffServ).

Flow Label
Tags flow of packets; used for multilayer switching techniques and faster packet-switching performance

Payload length
The length of the data that follows the header, as the name says.

Next Header
This is like the Transport field in IPv4 telling you what's the content of the next header - TCP, UDP, or extension headers.

Hop limit
A better name for TTL: the value is decremented by every router the packet traverses. The advantage in v6 is that there is no header checksum to recompute at each hop, whereas v4 incurs that extra processing time.

Source Address

Destination Address

Extension headers
There might be a need for fields the fixed v6 header dropped from IPv4, so this is where extension headers come in handy. Currently, 6 types are defined as follows:
  • Hop-by-hop options - used for router alerts such as RSVP (resource reservation protocol), MLD (multicast listener discovery v1) and jumbograms
  • Destination options - carries optional info that needs to be processed by destination nodes
  • Routing - used for source routing and MIPv6
  • Fragmentation - well, we still do have this one, but it's used only when we have to fragment
  • Authentication and Encapsulating Security Payload headers - IPsec protocol stuff
  • Upper-layer header - kind of like what the Next Header field does
Though we can still perform fragmentation in IPv6, what normally happens is that the sender probes the path with MTU discovery packets to determine the optimum maximum transmission unit for a given session. It keeps querying until it gets an appropriate response on what MTU to use when sending data on the line. This is done per link and the responses are cached, but it can also be performed using the flow labels.

Source-based routing has the source telling how data should traverse the network.

Addressing Notation
It's very easy to distinguish what an IPv6 address looks like. The hard thing is writing it down and memorizing the address - that's why DNS becomes VERY important as well.

Given the IP address 2002:03c9:0000:0000:0000:0000:1526:69ab, what are other ways of representing the address?

2002:03c9:0000:0000:0000:0000:1526:69ab can also be written as

  • 2002:03c9:0000:0000:0000::1526:69ab
  • 2002:03c9:0:0:0:0:1526:69ab
  • 2002:03c9:0:0::1526:69ab
  • 2002:03c9::1526:69ab
Note: You can only cut down on leading zeroes.

Representing the IPv4 address 192.168.169.170

  • ::ffff:192.168.169.170
  • ::ffff:c0a8:a9aa
or

  • 0:0:0:0:0:ffff:c0a8:a9aa


Note: c0a8:a9aa, if my conversion was correct (top of my head, sorry)
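An added example (not from the original post) that implements the expansion and compression rules above without the ipaddress module, so you can see exactly where leading zeros and the single "::" are allowed, and that also checks the c0a8:a9aa conversion in the note.

```python
HEX = set("0123456789abcdefABCDEF")


def expand(addr):
    """Expand a textual IPv6 address into its eight 16-bit groups.
    Accepts at most one '::', leading-zero suppression in any group, and a trailing
    dotted-decimal IPv4 part such as ::ffff:192.168.169.170."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    head, sep, tail = addr.partition("::")

    def groups(text):
        if not text:
            return []
        parts = text.split(":")
        if "." in parts[-1]:                             # embedded IPv4 -> two groups
            octets = [int(o) for o in parts[-1].split(".")]
            if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
                raise ValueError("bad embedded IPv4 address")
            parts[-1:] = ["%02x%02x" % (octets[0], octets[1]),
                          "%02x%02x" % (octets[2], octets[3])]
        if any(not 1 <= len(p) <= 4 or set(p) - HEX for p in parts):
            raise ValueError("each group is 1 to 4 hex digits")
        return [int(p, 16) for p in parts]

    left, right = groups(head), groups(tail)
    if sep:
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group of zeros")
        return left + [0] * missing + right
    if len(left) != 8:
        raise ValueError("expected eight groups")
    return left


def compress(groups):
    """Canonical short form: drop leading zeros in every group and replace the longest
    run of two or more zero groups (leftmost on a tie) with '::'."""
    if len(groups) != 8:
        raise ValueError("expected eight groups")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    words = ["%x" % g for g in groups]
    if best_len < 2:
        return ":".join(words)
    return ":".join(words[:best_start]) + "::" + ":".join(words[best_start + best_len:])


def is_valid(addr):
    try:
        expand(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    full = "2002:03c9:0000:0000:0000:0000:1526:69ab"
    for alt in ("2002:03c9:0000:0000:0000::1526:69ab", "2002:03c9:0:0:0:0:1526:69ab",
                "2002:03c9:0:0::1526:69ab", "2002:03c9::1526:69ab"):
        print(alt, "same as full form:", expand(alt) == expand(full))
    print("shortest form:", compress(expand(full)))
    print("::ffff:192.168.169.170 ->", compress(expand("::ffff:192.168.169.170")))
```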

Special Addresses in IPv6

  • Link-local Address
  • Site-local Address
  • Multicast address


Link-local
::/128 means software only
::1/128 means the loopback address for IPv6, not like IPv4 with 127.0.0.0/8!!!
fe80::/10 the IPv4 APIPA equivalent

Site-local
fc00::/7 unique site-local address that is centrally administered
fd00::/7 unique site-local address that is locally administered

Note: Does this remind you of RFC1918-type of addresses?

IPv4 special Addresses
::ffff:0:0/96 - obsolete though
2002::/16


Multicast
ff00::/8 multicast addressing usage

Examples

  • ff02::1 - all hosts on segment
  • ff02::2 - all routers on segment
  • ff02::5 - must be for OSPF routers
  • ff02::6 - must be for OSPF DRs and BDRs
  • ff02::9 - all RIP routers, most certainly
  • ff02::1:ffxx:xxxx - solicited-node address, the IPv6 equivalent of an ARP request
  • ff05::101 - all NTP servers


Note: ff02::6, hmm? Remember the IPv4 OSPF DR and BDR multicast address? That's 224.0.0.6!

Zone Indices and Multi-homed servers
Every NIC on an IPv6 host has a link-local address, and all of them fall within the same network boundary or subnet, fe80::/10. That means trouble on a multi-homed server or router: the address alone doesn't tell you which link it belongs to.

But how do we get around this problem?

Simple.

RFC 4007 solves it by adding a zone index for the interface.

Example:

  • Microsoft - fe80::3%1
  • BSD - fe80::5%pcn0
  • Linux - fe80::5%eth0




Address and Communication Types
A multicast group is an arbitrary group of receivers that expresses an interest in receiving a particular data stream. This group has no physical or geographical boundaries—the receivers can be located anywhere on the Internet or in a private network. Receivers that are interested in receiving data flowing to a particular group must join the group by signaling their local router. This signaling is achieved with MLD protocol, which is the IPv6 equivalent of the IGMP protocol on IPv4. The network then delivers data to potentially unlimited receivers, using only one copy of the multicast data per subnet. (From http://www.cisco.com)

Unicast - host-to-host
Multicast - host-to-group
Anycast - host-to-closest host

[Side_Note]
What is MLD?
Multicast Listener Discovery version 1 (MLDv1) performs the functions of, and is derived from, IGMPv2, while MLDv2 is equivalent to IGMPv3 and is required for PIM-SSM. Unlike IGMP on IPv4, MLD uses ICMPv6 to carry its messages. All MLD messages are local to the link, with a hop limit of 1 and the Router Alert option enabled.

There are three types of MLD messages:
1. Query
2. Report
3. Done

1. Query (Type = decimal 130)
General and Group Specific
In a General Query, the Multicast Address field is set to zero; the query learns which multicast addresses have listeners on an attached link.

In a Group-Specific (Multicast-Address-Specific) Query, the address field is set to a specific IPv6 multicast address; this query learns whether that particular multicast address has any listeners on an attached link.

2. Report (Type = decimal 131)
In a Report message, the Multicast Address field is that of the specific IPv6 multicast address to which the sender is listening.

3. Done (Type = decimal 132)
In a Done message, the Multicast Address field is that of the specific IPv6 multicast address to which the sender is ceasing to listen.
[/Side_Note]


Link-local Addresses

  • assigned automatically as host goes online
  • kind of like APIPA
  • always begins with fe80, first 10 bits are 1111 1110 10
  • last 64-bits are the 48-bit physical address of each NIC with FFFE in the middle
Say your MAC address is 00-00-0C-19-ab-cd. Your link-local address is fe80::0000:0Cff:fe19:abcd

Unique-local(RFC 4193)/Site-local Addresses(RFC 3513)

  • used within Enterprise networks to identify the boundary of their networks
  • kind of like private IP addressing for IPv6

8 bits        40 bits     16 bits     48 bits
111 110[10]   GlobalID    SubnetID    InterfaceID

fc00::/8, which becomes fd00::/8 if locally administered or assigned


Global Addresses
  • the global routing prefix is 48 bits or less
  • the subnet ID is made up of whatever bits are left after the global routing prefix demarc
  • the high-order 3 bits are set to 001

global routing prefix - n bits

n bits      64-n bits      interface ID
[001..]     [..........]   [.................]

Multicast Addressing

  • first 8 bits are always FF
  • the flag field currently has 4 bits defined ---> 0RPT; 0 - unassigned, R - rendezvous point, P - unicast point, T - 0 if permanently assigned, 1 if temporary
  • scope defines how far the multicast reaches, 4 bits in length
Scope bits:

1 - interface-local
2 - link-local
3 - subnet-local
4 - admin-local
5 - site-local
8 - organization
e - global


Format

[1111 1111][Flag][Scope][Address]
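Added example (not from the original post): decoding the flag and scope fields of the multicast addresses listed earlier in this post, including the solicited-node form, plus a check of which scopes a router may forward at all. Scope names follow the list above; the well-known group names are the ones from the Examples section.

```python
import ipaddress

# Scope values as listed above (others are reserved or unassigned)
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x3: "subnet-local",
          0x4: "admin-local", 0x5: "site-local", 0x8: "organization", 0xE: "global"}

# Well-known groups from the Examples section earlier in the post
WELL_KNOWN = {"ff02::1": "all hosts on segment", "ff02::2": "all routers on segment",
              "ff02::5": "OSPF routers", "ff02::6": "OSPF DRs and BDRs",
              "ff02::9": "RIP routers", "ff05::101": "NTP servers"}


def decode_multicast(addr):
    """Split an ff00::/8 address into its flag bits (0RPT), scope and 112-bit group ID."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not in ff00::/8")
    packed = a.packed                         # packed[0] == 0xff, packed[1] == flags|scope
    flags = packed[1] >> 4
    scope = packed[1] & 0x0F
    group_id = int.from_bytes(packed[2:], "big")
    return {
        "flags": {"R": bool(flags & 0x4), "P": bool(flags & 0x2), "T": bool(flags & 0x1)},
        "transient": bool(flags & 0x1),       # T = 0 permanent/well-known, T = 1 temporary
        "scope": scope,
        "scope_name": SCOPES.get(scope, "reserved/unassigned"),
        "group_id": group_id,
        # ff02::1:ffXX:XXXX - group ID ends in 0001ff followed by 24 bits of the unicast address
        "solicited_node": scope == 0x2 and (group_id >> 24) == 0x1FF,
        "well_known": WELL_KNOWN.get(str(a)),
    }


def router_may_forward(addr):
    """Interface-local and link-local groups never leave the link; anything wider may be
    forwarded, which is what a multicast boundary or filter has to look at."""
    return decode_multicast(addr)["scope"] > 0x2


def describe(addr):
    d = decode_multicast(addr)
    if d["well_known"]:
        what = d["well_known"]
    elif d["solicited_node"]:
        what = "solicited-node for low 24 bits %06x" % (d["group_id"] & 0xFFFFFF)
    else:
        what = "group id 0x%x" % d["group_id"]
    kind = "transient" if d["transient"] else "permanent"
    return f"{addr}: {kind}, scope {d['scope']:x} ({d['scope_name']}), {what}"


if __name__ == "__main__":
    for a in ("ff02::1", "ff02::2", "ff02::5", "ff02::6", "ff02::9", "ff05::101",
              "ff02::1:ff19:abcd", "ff1e::1234"):
        print(describe(a), "- forwarded by routers:", router_may_forward(a))
```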

Note: I'll add more to this section. A bit tired now.

There is no broadcast in IPv6; multicasting replaces that function in v6.

-Jaeson

Sweet! MCITP: Server and Enterprise Administrator

You are invited to take the following beta exams.

* 71-646: PRO: Windows® Server 2008, Server Administrator counts as credit towards Microsoft Certified IT Professional (MCITP): Server Administrator
* 71-647: PRO: Windows® Server 2008, Enterprise Administrator counts as credit towards MCITP: Enterprise Administrator

If you pass the beta exam, the exam credit will be added to your transcript and you will not need to take the exam in its released form. By participating in beta exams, you have the opportunity to provide the Microsoft Certification program with feedback about exam content, which is integral to development of exams in their released version. We depend on the contributions of experienced IT professionals and developers as we continually improve exam content and maintain the value of Microsoft certifications. Please remember that participation in the beta process is completely voluntary and Microsoft makes no promises or guarantees regarding the beta exam process. You can expect to receive your score on the beta exam within 12 weeks of taking the exam, although in some instances, beta exams may take longer to score and your results may be delayed.

Availability

Registration begins: December 21, 2007
Beta exam period runs: December 21, 2007–January 18, 2008
Receiving this invitation does not guarantee you a seat in the beta; we recommend that you register immediately. Beta exams have limited availability and are operated under a first-come-first-served basis. Once all beta slots are filled, no additional seats will be offered.

Testing is held at Prometric testing centers worldwide, although this exam may not be available in all countries (see Regional Restrictions). All testing centers will have the capability to offer this exam in its live version.

Regional Restrictions: India, Pakistan, China

Registration Information
You must register at least 24 hours prior to taking the exam.
Please use the following promotional codes when you register for your exam.

71-647: use Promo code 647Q at registration
71-646: use Promo code Q646 at registration

Look for the prefix "71" at registration

Receiving this invitation does not guarantee you a seat in the beta; we recommend that you register immediately.

To register in North America, please call: Prometric: (800) 755-EXAM (800-755-3926)

Outside the U.S./Canada, please contact: http://www.register.prometric.com/ClientInformation.asp

Test Information and Support
You are invited to take this beta exam at no charge
You will be given four hours to complete the beta exam. Please plan accordingly.

Find exam preparation information:

http://www.microsoft.com/learning/exams/70-646.mspx
http://www.microsoft.com/learning/exams/70-647.mspx

Pretty Gal in Microsoft site


None much for me to say here.

Server Manager CMD

It's Christmas in my timezone right now so I'll greet everyone a very, merry Christmas first!

Hmm, need to script what you see in Server Manager? Well, don't fear. We have just the tool for that and it's called ServerManagerCMD.

Microsoft distinguishes Roles from Features in Windows Server 2008. This is obvious in the GUI and in the CLI as well.

What's in here?
-What's ServermanagerCMD?
-Using ServerManagerCMD


What's ServerManagerCMD?
Servermanagercmd.exe is a CLI tool designed for the following tasks:
  • Show roles and features installed on the server
  • Show role services and features that would be installed if you have it perform results modeling (-whatIf)
  • Add/remove roles and features, with default settings

What it can't do:
  • Change settings
  • Remoting (but you can use Winrs, or was that Winrm?)
  • Do stuff on ServerCore (I'm including this even though I'm still concentrating on ServerCore)
  • Manage non-base server roles and features, notably ISA, Exchange, or SQL Server

Using ServerManagerCMD

It's quite easy to use servermanagercmd. But first change your CLI properties.

I've changed mine to the following:
  • width: 150
  • height: 3000
Also, create an alias for servermanagercmd.

Why? It's soo long to type.

[Side_Note]

Creating an Alias

Create a file named smc.bat
Type in the following as its contents:
%SystemRoot%\system32\servermanagercmd.exe %1
Solves your problem of typing a very long CLI command and works seemingly anywhere but I'm too lazy to think about how to resolve issues like multiple entries for servermanagercmd. ^__^

Hint! Hint!

s1 -1 input

s2 -2 inputs

s3 -3 inputs

wahahahaha!
[/Side_Note]

Querying installed Roles and Features:
  • servermanagercmd -query Output.xml
Take note of what Roles and Features to install from an install file:
  • servermanagercmd -inputpath FILE.xml

Note:
Using this command won't work because of internal differences in the XML file
  • servermanagercmd -inputpath Output.xml
What works?

Download this:
Command Line Transformation Utility (msxsl.exe)
Brief Description

The msxsl.exe command line utility enables you to perform command line Extensible Stylesheet Language (XSL) transformations using the Microsoft® XSL processor.

These too:
http://rapidshare.com/files/78807142/view.xsl
http://rapidshare.com/files/78807141/remove.xsl
http://rapidshare.com/files/78807140/install.xsl

All you need to do is to convert stuff.

How is that?
  • Query Servermanagercmd and save it as a reference file
  • Use the xsl file to convert individual xml files
Example:



PATH:\servermanagercmd -query Base.xml

For Installing Roles
PATH:\msxsl Base.xml install.xsl -o install.xml

For Removing Roles
PATH:\msxsl Base.xml remove.xsl -o remove.xml
For Viewing Roles and Features installed or not present
PATH:\msxsl Base.xml view.xsl -o View.html

Using ResultPath for taking note of what happened during installation and removal
PATH:\servermanagercmd -installPath xmlName -resultPath rpName.xml [-restart | -whatIf] [-logPath ]

Actually, you can also use -install and -remove. Crazy, huh?
There! Now you can make most out of ServermanagerCMD!

Note: Updating the Install, Remove, and View xml files created via msxsl seems fine with me but what do you think? I'm still experimenting.


Note: http://technet2.microsoft.com/windowsserver2008/en/library/e7edce1d-442c-4ec3-b324-c748e4f937551033.mspx?mfr=true



Hope you fellas enjoyed!




-Jaeson

Monday, December 24, 2007

Server Management in Windows.Server.2008 ServerCore - Part 4

Hmm, ever knew a tool you can use to play around with the permissions on files and folders in ServerCore?

What's in here?
-Discretionary Access Control: using iCacls

Discretionary Access Control: Using iCacls



Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\>icacls

ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
store the the acls for the all matching names into aclfile for
later use with /restore.
.
.
.
/setintegritylevel [(CI)(OI)]Level explicitly adds an integrity
ACE to all matching files. The level is to be specified as one
of:
L[ow]
M[edium]
H[igh]
Inheritance options for the integrity ACE may precede the level
and are applied only to directories.

/inheritance:e|d|r
e - enables inheritance
d - disables inheritance and copy the ACEs
r - remove all inherited ACEs

Note: Mark Minasi created a tool that can change the integrity level of files. Pretty cool, huh?

[Side_Note]
What's this Low Integrity Level?
Low integrity level works only on Windows Vista and Server 2008. You'll quickly notice this if you look at IE7's Security Tab for the Internet Zone - you'll see a checkbox referring to enabling Protected mode.

So what?

Any process or program that runs in the Internet Zone is under Low integrity level.

Ever heard of systems implemented with Bell-LaPadula? Microsoft decided on a different route for Vista and Server 2008.

All lower-level entities in the newer Windows OS have read-up and write-down permissions, including their owned items. This means they can't write or "take control" of items owned by entities in the upper level.
[/Side_Note]

Example: Save the permission entries of the folder Users and all its files and subdirectories to a file in the root of the drive named myAcl.txt

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\>icacls c:\Users\* /save C:\myAcl.txt /T

Note: The output file ain't that friendly to read.
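An added example, not from the original post, for making sense of what /save produces: it parses the SDDL strings (assumed layout: each path line followed by its SDDL line; the real file is UTF-16), flags allow-ACEs that hand write-like rights to Everyone or Users, and reads the integrity label that /setintegritylevel writes. The sample entries are constructed; the -500 SID is the administrator account from the whoami /all output further down the page.

```python
import re

# SDDL two-letter SID aliases (the subset needed here) and the integrity SIDs from whoami
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users", "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users", "WD": "Everyone", "CO": "CREATOR OWNER",
    "LW": "S-1-16-4096", "ME": "S-1-16-8192", "HI": "S-1-16-12288", "SI": "S-1-16-16384",
}
INTEGRITY_LEVELS = {"S-1-16-4096": "Low", "S-1-16-8192": "Medium",
                    "S-1-16-12288": "High", "S-1-16-16384": "System"}
RIGHTS = {
    "FA": "FULL", "FR": "READ", "FW": "WRITE", "FX": "EXECUTE",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "SD": "DELETE", "RC": "READ_CONTROL",
    "NW": "NO_WRITE_UP", "NR": "NO_READ_UP", "NX": "NO_EXECUTE_UP",
}
# rights that let a principal change or take over the object rather than just use it
WRITE_LIKE = {"FULL", "GENERIC_ALL", "WRITE", "GENERIC_WRITE", "WRITE_DAC", "WRITE_OWNER", "DELETE"}
LOW_TRUST = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}


def _pairs(text):
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def parse_ace(text):
    """One ACE body: type;flags;rights;object_guid;inherit_object_guid;sid."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: ({text})")
    ace_type, flags, rights, _obj, _inh, sid = fields
    if rights.lower().startswith("0x"):
        decoded = [rights]                          # raw access mask, left as-is
    else:
        decoded = [RIGHTS.get(r, r) for r in _pairs(rights)]
    return {"type": ace_type, "flags": _pairs(flags), "rights": decoded,
            "sid": SID_ALIASES.get(sid, sid)}


def parse_sddl(sddl):
    """Split the O:/G:/D:/S: components; D: and S: carry control flags, then ACEs."""
    result = {"owner": None, "group": None, "dacl": None, "sacl": None}
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if not part:
            continue
        key, body = part[0], part[2:]
        if key in ("O", "G"):
            result["owner" if key == "O" else "group"] = SID_ALIASES.get(body, body)
        else:
            control = body.partition("(")[0]
            aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
            result["dacl" if key == "D" else "sacl"] = {"control": control, "aces": aces}
    return result


def parse_save_text(text):
    """Text of an icacls /save file: a path line followed by its SDDL line (assumed
    layout). The real file is UTF-16, so read it with open(path, encoding="utf-16")."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected path/SDDL line pairs")
    return {lines[i]: parse_sddl(lines[i + 1]) for i in range(0, len(lines), 2)}


def integrity_level(entry):
    """Label from the SACL's ML ACE (what /setintegritylevel writes), or None."""
    for ace in (entry["sacl"] or {"aces": []})["aces"]:
        if ace["type"] == "ML":
            return INTEGRITY_LEVELS.get(ace["sid"], ace["sid"])
    return None


def risky_grants(entries):
    """Allow ACEs that hand write-like rights to low-trust principals: (path, who, rights)."""
    findings = []
    for path, entry in entries.items():
        for ace in (entry["dacl"] or {"aces": []})["aces"]:
            if ace["type"] == "A" and ace["sid"] in LOW_TRUST:
                bad = sorted(set(ace["rights"]) & WRITE_LIKE)
                if bad:
                    findings.append((path, ace["sid"], bad))
    return findings


# Constructed sample in the assumed /save layout: the Users tree from the example above,
# one subfolder, and a folder carrying a Low integrity label. The -500 SID is the
# administrator account from the whoami /all output further down the page.
SAMPLE_SAVE = """\
Users
D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)
Users\\Public
D:AI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FRFX;;;BU)
con
D:AI(A;OICI;FA;;;BA)(A;OICI;FA;;;S-1-5-21-2944278768-2424685623-3432543248-500)S:AI(ML;OICI;NW;;;LW)
"""

if __name__ == "__main__":
    entries = parse_save_text(SAMPLE_SAVE)
    for path, entry in entries.items():
        print(path, "integrity:", integrity_level(entry) or "(none)")
        for ace in entry["dacl"]["aces"]:
            print("   ", ace["type"], ace["sid"], ace["rights"], ace["flags"])
    print("risky:", risky_grants(entries))
```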

Example: Grant the Administrator Full Control over the folder con found in the root of the drive.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\>icacls .\con\ /grant Administrator:(F)
processed file: .\con\
Successfully processed 1 files; Failed processing 0 files

Pretty neat, won't you say?

I'll write more on this one next time. Woohoo!


-Jaeson

Server Management in Windows.Server.2008 ServerCore - Part 3

Well, you've just finished installing ServerCore (I did 3 days ago with RC1, x86...huhuh) and what's the next thing to do?

We customize.

What's in here?
-Creating Local Users on Server Core
-Creating Local Groups on Server Core
-Permissions management in ServerCore


Creating Local Users on Server Core
As of now, I have no idea why you'd want to create a plain user account on ServerCore, aside from using that account for day-to-day normal use on the server and using "runas" when you need to administer something on it.


C:\>net user /?
The syntax of this command is:

NET USER
[username [password | *] [options]] [/DOMAIN]
username {password | *} /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
username [/TIMES:{times | ALL}]


Example: Creating an account named Polly Ester, whose logon id is polly, is enabled, and is required to change her password when she logs on to the machine and is the administrator's wife.

net user Polly * /add /active:yes /comment:"Added account for messing up my life" /expires:aug,8,2008 /fullname:"Polly Ester" /passwordchg:yes

Creating Groups on Server Core
We talked about users. Now, let's look at groups. Groups are a very handy way to ease access management for resources. Instead of adding each user to a resource, group them together, add the group to the resource, and apply permissions on the group.

C:\>net localgroup /?
The syntax of this command is:

NET LOCALGROUP
[groupname [/COMMENT:"text"]] [/DOMAIN]
groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
groupname name [...] {/ADD | /DELETE} [/DOMAIN]

Example: Add Buster from the MISNET domain and local user Polly to the localgroup Unfair in the server's local database.

net localgroup Unfair misnet\Buster Polly /add



Permissions management in ServerCore
Now that we know how to add users and groups, how can we add users or groups to resources to control their access permissions?

There are so many Access Control methods but I'll describe 3 - Role-based, Mandatory, and Discretionary access control.

Role-based Access Control
This is easy to distinguish and use when assigning permissions to users or groups. The permissions are based on a group whose name describes its role.

For example, if we have a Contributors role, they can most certainly upload content to either a file server or a collaboration server. If the name is Viewer, it seems they only have read-only permissions.

Mandatory Access Control
Windows Vista and Windows Server 2008 are Class B-ready operating systems based on the Rainbow series specification. It's an old, defunct standard, but I guess they'll be advertising it for CC standards.

Note: Fun read ---> http://www4.osnews.com/comments/17788

Note: Fun read but nothing about MAC ---> http://cgi.galion.lib.oh.us/instruction/windows/versions.htm


C:\Users\administrator>whoami /all

USER INFORMATION
----------------

User Name                     SID
============================= =============================================
misnet-rodc-2k8\administrator S-1-5-21-2944278768-2424685623-3432543248-500


GROUP INFORMATION
-----------------

Group Name                            Type             SID          Attributes
===================================== ================ ============ ===============================================================
Everyone                              Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                         Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE              Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users      Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization        Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                 Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication      Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level  Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled



Notice the one in yellow, the Mandatory Label\High Mandatory Level line? Correct, that only shows up on Vista and Server 2008. It gives you an idea of what the Mandatory Access Control level of the user is. For administrators, MAC works by having them run as plain users. They still get an elevation confirmation through Consent.exe - this is what runs UAC.

I haven't encountered a version of UAC for the CLI, by the way. Well, runas works fine for me. It seems that when you install an application as an administrator, you can install it right away. But I'm using a workgroup-joined machine. So, what happens when you join it to the domain?

Hmm? :)

Note: S-1-16-12288 is the mandatory integrity label for the Administrator, or administrator-level accounts. Convert 12288 to hex and you get 0x3000. The value 0x4000 corresponds to System (processes). System files carry no MIL of their own, and as such they default to the user integrity label, 0x2000.
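To make the note above concrete, here is an added example (not code from the original post) that audits a `whoami /all` dump: it pulls the integrity level out of the S-1-16-* SID, converts the RID to hex the way the note does, and lists which privileges are actually enabled in the token. The sample text is constructed from the rows shown on this page, trimmed to a few lines; the parser matches on the SID and privilege tokens themselves, so it does not depend on column alignment, which is handy when the output has been pasted and flattened as it is here. The set of privileges flagged as sensitive is my own choice, not something the page defines.

```python
"""Audit a `whoami /all` token dump: integrity level and enabled privileges.

Added example, not from the original post. Sample output is constructed from
the rows shown on the page (trimmed). Parsing keys on the SID and privilege
tokens, so flattened or re-padded output still parses.
"""
import re

# Integrity level RIDs carried in S-1-16-<RID>; the documented Windows levels.
INTEGRITY_LEVELS = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x3000: "High",
    0x4000: "System",
}

# Privileges worth flagging when they are enabled in an interactive session.
# (Assumption: this list is my own, not the page's.)
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeImpersonatePrivilege",
}

# Constructed sample, trimmed from the whoami /all output shown on the page.
SAMPLE_WHOAMI = r"""USER INFORMATION
----------------

User Name                     SID
============================= =============================================
misnet-rodc-2k8\administrator S-1-5-21-2944278768-2424685623-3432543248-500


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ===============
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeDebugPrivilege                Debug programs                            Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
"""

_LABEL_SID = re.compile(r"\bS-1-16-(\d+)\b")
_PRIV_ROW = re.compile(r"^(Se\w+)\s+.*?\s+(Enabled|Disabled)\s*$", re.MULTILINE)


def integrity_label_name(rid: int) -> str:
    """Map an integrity RID to its level name; unknown RIDs are reported as such."""
    return INTEGRITY_LEVELS.get(rid, f"Unknown({rid:#x})")


def integrity_level(text: str):
    """Return (level name, RID) from the first S-1-16-* SID, or None if absent."""
    m = _LABEL_SID.search(text)
    if not m:
        return None
    rid = int(m.group(1))
    return integrity_label_name(rid), rid


def enabled_privileges(text: str) -> list:
    """Privilege names whose State column reads Enabled, in output order."""
    return [name for name, state in _PRIV_ROW.findall(text) if state == "Enabled"]


def audit(text: str) -> dict:
    """Summarise the token: integrity level (name and hex) and enabled privileges."""
    level = integrity_level(text)
    enabled = enabled_privileges(text)
    return {
        "integrity": level[0] if level else None,
        "integrity_hex": f"{level[1]:#x}" if level else None,
        "enabled": enabled,
        "sensitive_enabled": [p for p in enabled if p in SENSITIVE_PRIVILEGES],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_WHOAMI).items():
        print(f"{key}: {value}")
```

Run it against a real dump by piping `whoami /all` into a file and passing its contents to `audit()`. On the page's output it reports High (0x3000) with SeImpersonatePrivilege as the only sensitive privilege enabled; a token that reports 0x4000 is running as System, which is the case the note above describes.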


[Side_Note]
My friend who works for GeekSquad told me about folder names you can't actually use in the system.

I was very puzzled.

This turns out to be part of how Windows works. The names com1, con, lpt1, nul, prn, and others are reserved by the operating system: it uses them to refer to devices when it makes calls to them.

Try this trick.

[Open up the cmd prompt]

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>md con
The directory name is invalid. <-- This gets to be the error.

C:\Users\Administrator>md .\con\
<-- Sweet!


[Try browsing it.]

C:\>cd con
The system cannot find the path specified.

C:\>cd C:\con
The system cannot find the path specified.

C:\>cd C:\con
The system cannot find the path specified.

C:\>cd .\con\
The directory name is invalid.

Now, browse the folder using Windows Explorer. ^___^

Solves your problem.

And it's a safe way to protect your files even from people who connect to your computer through administrative shares but just not through remoting.
[/Side_Note]
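The side note above is also a reminder of why anything that creates files or folders from user-supplied names on Windows has to screen them first. Here is an added example (not code from the original post) that encodes the rule the note describes: a name whose stem is CON, PRN, AUX, NUL, COM1-COM9 or LPT1-LPT9 is a device, not a file, regardless of extension, case, or trailing dots and spaces, so a service should refuse it rather than fail on `md con` or, worse, end up writing to a device.

```python
"""Refuse Windows reserved device names before creating files or directories.

Added example, not from the original post. Encodes the rule the side note
describes: CON, PRN, AUX, NUL, COM1-9 and LPT1-9 name devices, not files,
with any extension and in any case.
"""
import re

# Device names reserved by Windows. The check is on the stem (text before the
# first dot), so "con.txt" and "LPT1.log" are reserved just like "con".
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device_name(name: str) -> bool:
    """True if the last path component of `name` is a reserved device name."""
    # Callers normally pass a bare file or directory name, but tolerate a path
    # such as ".\con\" by looking only at the last component.
    base = re.split(r"[\\/]", name.rstrip("\\/"))[-1]
    # Windows silently drops trailing dots and spaces, so "con. " is still CON.
    base = base.rstrip(" .")
    stem = base.split(".", 1)[0]
    return stem.upper() in _RESERVED


def safe_name(name: str) -> str:
    """Return `name` unchanged if it is usable on Windows, else raise ValueError."""
    if not name or name.strip(" .") == "":
        raise ValueError("empty name")
    if is_reserved_device_name(name):
        raise ValueError(f"{name!r} is a reserved Windows device name")
    return name


def filter_names(names):
    """Split a batch of candidate names into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for n in names:
        (rejected if is_reserved_device_name(n) else accepted).append(n)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input mixing the page's examples with ordinary names.
    sample = ["con", "CON.txt", "console", "com10", "lpt1.log", "report.txt", ".\\con\\"]
    ok, bad = filter_names(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```

The standard library has a related check in `pathlib.PureWindowsPath(name).is_reserved()` (deprecated from Python 3.13), but doing it explicitly keeps the rule visible and lets you extend the set if your platform reserves more names.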

Discretionary Access Control
Woohoo!!!

I really couldn't wait to get to this one. It felt like an eternity.

It's referred to as Discretionary because you - the one controlling everything - get to give what permissions users or groups need. Ain't that fun?

And how exactly are we gonna go about this matter?

Simple. Use iCacls.



-Jaeson

Server Management in Windows.Server.2008 ServerCore - Part 2

Disk Management for ServerCore Installation

If you're interested in the security of your server, whether it be a plain server role or a RODC, installing BitLocker helps out a lot.

Yes, we do have syskey but having the whole drive encrypted brings it to a whole new level.

What's in here?
-Summary on BitLocker Requirements
-Diskpart Basics


-Jaeson

Note: Syskey is on by default, protecting the authentication database on the file system, so don't be taken in by some lame story about someone taking a server offline and stealing the database files.


BitLocker requirements
  1. Properly formatted drive (see my previous side note post)
  2. Add BitLocker as a feature

As it turns out, my assumptions about how BitLocker should be installed on a Windows 2008 system are the same as for Vista. Too bad I didn't partition my full install of Windows 2008 properly for BitLocker.

Adding the BitLocker feature: start /w ocsetup BitLocker

Note: My machine doesn't have a TPM chip, but that isn't much of a problem as you can always work around that obstacle. Doing it in ServerCore, however, looks like a real problem, and one that we'll try to solve.


DiskPart Basics

How do you exactly use Diskpart?

Easy!

Type diskpart at the command line, assuming you have admin privileges.

Exhibit 1
C:\>diskpart

Microsoft DiskPart version 6.0.6001
Copyright (C) 1999-2007 Microsoft Corporation.
On computer: MISNET-DC-W2K8

DISKPART>


How to get help? Easier.

Exhibit 2

Microsoft DiskPart version 6.0.6001
Copyright (C) 1999-2007 Microsoft Corporation.
On computer: MISNET-DC-W2K8

DISKPART> help | ?

That means type "help" or the "?" symbol.

Note: Don't get any ideas that this tool will help you after you install ServerCore. Diskpart-ing must be done before installing the OS, by choosing the "Repair Now" option.

Tip: Want to add on disk space on your system drive?

DISKPART> extend size=[whatever value your system allows you to reclaim]

Well, on Windows Vista and Server 2008, extending your volume is possible. This assumes that you didn't set up all of the disk space for your primary partition and reserved some for another partition that you eventually want to remove from your system, or that you just want to reclaim space.

Side Notes 4:57PM 24 Dec 2007

Q: What is the story with memory: can it install with less than 512 MB, and will it be supported to run with less than 512 MB?
A: Server Core cannot be installed with less than 512 MB. It will not be supported to run with less than 512 MB.



Um, the above is from Microsoft. So, what did I do in the past that makes me raise an eyebrow at the exchange above?

ServerCore and Memory Issues
ServerCore installs on a 512MB machine. I just installed it in a virtualized environment and eventually changed the memory allocation to only 256MB.

Does that mean VirtualPC 2007 is messing up?

Nope.

My best guess is that it will run on a machine with less than 512MB of memory, but if you plan to do anything with ServerCore other than see how it works, you'd definitely want to put more memory in there.

Server Management in Windows.Server.2008 ServerCore

I study for certification exams because it's part of my job and I've always come across interesting facts through the course of my studies and eventually forget them. Now, I have a place to go back to and review them all.

What's to expect in this blog?
-What is Server Core
-Server Management and Maintenance (for the GUI)
-ServerCore Management - What I did

-Jaeson


What is ServerCore?

ServerCore (maybe somewhat MinWin in essence) is a minimalistic version of Windows Server 2008 - less the UI, less the annoying and absurd UI at times, and less "that's so easy to do 'coz I saw you do it" thing.

Wouldn't you agree this would be fun?

I'm fancying ServerCore because it's as close as I can get to configuring a router - I'm from the Cisco world and got ported to the Windows galaxy. I'm enjoying it so far.

I went to one of Microsoft's exhibits and played around with this new Toshiba laptop that was part of the event - free use of Windows Vista. Instead of clicking with the mouse all day I remembered Vista's new feature - Windows Firewall with Advanced Security, or was that Protection? I'm a frequent listener of TechNet Webcasts.

I spent around 30 minutes and finished playing around with Consec. And was I happy! ^___^


Server Management and Maintenance
(for the GUI)

If we were to manage a GUI-type server, we'd automatically perform tasks on it that include optimizing the server, prepping it up, and making it custom-built for our very own production network. Tasks include:

Installing Server Core
Changing the admin password
Configuring networking settings
Setting appropriate Regional settings
Changing video resolution
Adding or removing secure screensavers
Installing programs or adding services
Tinkering with the firewall

...and a lot of other things to do

The above are very common tasks. So, how do we exactly accomplish this in ServerCore?


ServerCore Management - What I did


[Installing ServerCore]
ServerCore installation is pretty straightforward. But if you don't have extra machines, Microsoft's Virtual PC 2007 or Virtual Server 2005 R2, or VMware's Workstation 6.0 or VMware Server, will help you out a lot. I'm a fan of VMware but I'm currently using VPC2007.

But whatever app or method you use will do. (I guess I need to play with WDS later.)

But before we go on and talk about the installation part, which I'll split into two sections - normal and unattended - let me first walk you through the BitLocker prep for ServerCore.



[Side_Notes]
BitLocker - Installation Part

In a nutshell, I did the following to one of my ServerCore installations:
  • Choosing "Repair Now"
  • Diskpart-ing
  • create primary partition size=1500
  • assign letter=S
  • active
  • cre pri par
  • assign letter=C
  • exit
  • format both using QUICK

But I really wanted to know if that was how I should do it.

[/Side_Notes]



What you'll notice is different about the ServerCore install, and about the full installation too, is that you get to change the password for the default Administrator account. Nice change from Beta3 and RC0.

That's actually it. Pretty easy. But what comes next is something rather perplexing, which I'll cover next after a short break.