Licensing restrictions
Some applications require licence keys or must be installed with a specific user account. Verify CPU architecture compatibility too.
You can use App-V to control licensing on deployed applications (for instance, only allow a certain number of installations).
Digital signing
When you install a new program, Windows checks for a certificate and digital signature to authenticate the publisher of the program.
To verify the digital signature properly, the local computer must trust the root CA for the publisher certificate (the root CA for the publisher certificate must be in Trusted Root Certification Authorities).
If the publisher is not trusted you will receive a UAC warning, which you can click past. You should avoid running programs from unsigned publishers.
Avoid installing software that hasn't passed Windows 7 logo testing (anti-spyware guidelines, isolation from protected Windows resources, reversible installation and a digital signature on all files).
Password expiry
The maximum and the minimum password age cannot be the same value.
Use RSoP to view someone's effective password policy.
You can identify locked-out accounts by examining logon audit failures (event ID 4625).
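As an added example (not part of these notes), the Python below shows the kind of check the note above describes: it parses a constructed export of Security log lines, keeps only event ID 4625 logon failures, and flags accounts whose failures inside the policy's observation window reach the lockout threshold. The line format, account names and the threshold/window values are constructed; on a real system the threshold comes from the "Account lockout threshold" policy and the window from "Reset account lockout counter after".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Security log events (not real log data).
# Only event ID 4625 (logon failure) lines matter for lockout analysis.
SAMPLE_LOG = """\
2013-05-01 09:12:01 4625 TargetUserName=alice WorkstationName=CLIENT07
2013-05-01 09:12:09 4625 TargetUserName=alice WorkstationName=CLIENT07
2013-05-01 09:12:15 4625 TargetUserName=alice WorkstationName=CLIENT07
2013-05-01 09:12:22 4625 TargetUserName=alice WorkstationName=CLIENT07
2013-05-01 09:12:30 4625 TargetUserName=alice WorkstationName=CLIENT07
2013-05-01 09:13:02 4624 TargetUserName=bob WorkstationName=CLIENT09
2013-05-01 09:40:11 4625 TargetUserName=carol WorkstationName=CLIENT12
2013-05-01 10:55:40 4625 TargetUserName=carol WorkstationName=CLIENT12
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) "
    r"TargetUserName=(\S+) WorkstationName=(\S+)$"
)


def parse_failures(text):
    """Return (timestamp, account, workstation) tuples for every 4625 event in the export."""
    failures = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue                      # skip blank or unrecognised lines
        stamp, event_id, account, workstation = match.groups()
        if event_id != "4625":
            continue                      # successful logons (4624) etc. are not failures
        failures.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                         account.lower(), workstation))
    return failures


def probable_lockouts(failures, threshold, window_minutes):
    """Map account -> (failure count, time the threshold was reached).

    An account is flagged the first time `threshold` or more failures fall inside
    any sliding window of `window_minutes`, mirroring how the lockout counter
    accumulates and is reset by the 'Reset account lockout counter after' policy.
    """
    window = timedelta(minutes=window_minutes)
    per_account = defaultdict(list)
    for stamp, account, _workstation in failures:
        per_account[account].append(stamp)

    flagged = {}
    for account, stamps in per_account.items():
        stamps.sort()
        start = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:
                start += 1                # drop failures that fell out of the window
            count = end - start + 1
            if count >= threshold and account not in flagged:
                flagged[account] = (count, stamp)
    return flagged


if __name__ == "__main__":
    # Constructed policy values: threshold 5 attempts, counter reset after 30 minutes
    for account, (count, when) in probable_lockouts(parse_failures(SAMPLE_LOG), 5, 30).items():
        print(f"{account}: {count} failures by {when:%H:%M:%S} -> probably locked out")
```

With the constructed values only alice is flagged: carol's two failures are 75 minutes apart, so the counter would have been reset between them and she never reaches the threshold.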
APIPA
Can potentially mean the computer is not authorised to connect to
the network
TCP/IP
IPv4 TCP/IP settings are in network and sharing center
(Know the advanced settings)
Proxies
Internet Explorer > Internet Options > Connections > LAN settings > Advanced > Exceptions
When you use "Bypass proxy for local addresses", requests that use a plain host name bypass the proxy server. However, if you specify an FQDN or an IP address (even if they are local addresses) they will be routed through the proxy server. You must add these to the exception list.
Use proxycfg.exe to configure proxies.
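Added example (not from the original notes): a small Python model of the bypass decision described above, taking the rule exactly as stated, so that a plain host name (no dot) is treated as local and bypasses the proxy, whereas an FQDN or IP address goes through the proxy unless it matches an entry on the exceptions list (which, as in the IE dialog, may use "*" wildcards). The function names and the sample URLs and exception entries are constructed.

```python
"""Model of IE's 'Bypass proxy for local addresses' decision (added example).

Rule as described above: a plain host name (no dot) counts as local and bypasses the
proxy; an FQDN or an IP address goes to the proxy even when it is local, unless it
matches an entry in the exceptions list. Entries may contain '*' wildcards as in the
IE dialog. Function names and the sample data are constructed.
"""
import fnmatch
import ipaddress
from urllib.parse import urlsplit


def is_plain_hostname(host: str) -> bool:
    """True for a single-label name such as 'server25' (no dot and not an IP address)."""
    try:
        ipaddress.ip_address(host)
        return False                  # IP addresses are never 'local' under this rule
    except ValueError:
        return bool(host) and "." not in host


def matches_exception(host: str, exceptions) -> bool:
    """Case-insensitive wildcard match against the 'Do not use proxy server for ...' list."""
    return any(fnmatch.fnmatchcase(host.lower(), entry.lower()) for entry in exceptions)


def uses_proxy(url: str, bypass_local: bool, exceptions=()) -> bool:
    """Return True when the request for `url` would be sent through the proxy server."""
    host = urlsplit(url).hostname or ""
    if bypass_local and is_plain_hostname(host):
        return False
    if matches_exception(host, exceptions):
        return False
    return True


if __name__ == "__main__":
    # Constructed: bypass-local ticked, internal FQDNs and one subnet added to exceptions
    exceptions = ("*.greentea.org", "10.1.*")
    for url in ("http://server25/", "http://server25.greentea.org/",
                "http://10.1.2.3/", "http://10.2.2.3/", "http://blacktea.net/"):
        print(url, "-> proxy" if uses_proxy(url, True, exceptions) else "-> direct")
```

The point the notes make shows up in the second and third sample URLs: without the exception entries, server25.greentea.org and 10.1.2.3 go through the proxy even though they are the same internal hosts that the bare name server25 reaches directly.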
A global query block list protects a DNS server against spoofing. When users use WPAD (a protocol that web browsers rely on to discover network proxy server settings), this address can be spoofed and users may be led to a compromised network.
Configure a global query block list to block host names (the leftmost label of an FQDN is what is matched).
Configure it with dnscmd /config /globalqueryblocklist wpad blacktea (this blocks blacktea.greentea.org).
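Added example (not from the original notes) modelling the block-list behaviour in Python: the list holds bare labels, and a query is refused when the leftmost label of the queried name equals an entry, whatever zone it is in. It also captures a caveat worth knowing about the command quoted above: Windows Server's default list contains "wpad" and "isatap", and the dnscmd /config /globalqueryblocklist command replaces the whole list with the labels given, so running it exactly as quoted silently drops "isatap". The function names and host names are constructed.

```python
"""Model of the DNS Server global query block list (added example, not from the notes).

Entries are bare labels; a query is refused when the leftmost label of the queried
name equals an entry, regardless of the zone. Windows Server's default list holds
'wpad' and 'isatap', and `dnscmd /config /globalqueryblocklist <labels>` replaces the
whole list with the labels given. Names below are constructed.
"""

DEFAULT_BLOCK_LIST = ("wpad", "isatap")   # shipped defaults on Windows Server DNS


def leftmost_label(name: str) -> str:
    """First label of a DNS name, lower-cased (trailing dot tolerated)."""
    return name.rstrip(".").split(".")[0].lower()


def is_blocked(query_name: str, block_list) -> bool:
    """True when the DNS server would refuse to answer this query because of the block list."""
    return leftmost_label(query_name) in {label.lower() for label in block_list}


def set_block_list(*labels: str):
    """Mirror of `dnscmd /config /globalqueryblocklist label1 label2 ...`: replaces the list."""
    return tuple(sorted({label.lower() for label in labels}))


def block_list_for_directaccess(block_list):
    """DirectAccess clients must resolve isatap.<domain>, so 'isatap' has to leave the list."""
    return tuple(label for label in block_list if label.lower() != "isatap")


if __name__ == "__main__":
    after_cmd = set_block_list("wpad", "blacktea")          # the command from the notes
    for q in ("wpad.greentea.org", "blacktea.greentea.org",
              "isatap.greentea.org", "greentea.org"):
        print(q, "blocked" if is_blocked(q, after_cmd) else "answered")
```

To keep the default protection while adding a name, list every label you want kept, e.g. wpad isatap blacktea; the block_list_for_directaccess helper is the converse for the DirectAccess case where isatap must resolve.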
Default gateway
Make sure the Default Gateway is not set to the broadcast address
Printer failure
Problem printing to an existing printer: use the printer troubleshooter by right-clicking the printer in Devices and Printers and selecting Troubleshoot.
Monitor print events under Applications and Services Logs\Microsoft\Windows\PrintService\Admin.
You can also log an event in the Security log when a user connects to a printer. This is done by enabling the Audit logon events policy in Computer Configuration (GP).
Network issues
Problem connecting to a shared printer: use the printer troubleshooter, Action Center > Troubleshoot common computer problems > Hardware and Sound > Use a printer.
Allow Print Spooler to accept client connections (GP): verify this setting is enabled if you have difficulties sharing a printer.
Troubleshoot from the client:
o Stop the Offline Files service (it may cause Windows to see a server as online when it isn't)
o Attempt to establish a NetBIOS connection with net view \\server25 (only if you are connecting via file and print sharing; other protocols won't work)
o Restart the Offline Files service: net start cscservice
o Verify DNS resolution. If it is not working, connect via IP
o Use PortQry to connect to TCP 445/TCP 139 (only if you are connecting via file and print sharing; if using IPP use port 80)
Troubleshoot from the server:
o Verify printer functionality from the server
o Verify the folder/printer is shared
o Verify the Server/Print Spooler services are started
o Verify users have permission to the resource
o Check the firewall configuration (file and print sharing needs to be allowed explicitly on the server)
File and print sharing uses UNC paths. IPP uses HTTP (Windows 7 can only act as an IPP client, not a server).
Driver issues
To force drivers that have been individually configured to run in a separate process, use the "Override print driver execution compatibility setting reported by print driver" setting (GP). Use this together with "Execute print drivers in isolated processes" (GP) if the spooler is failing.
The quickest way to reinstall a driver is to reinstall the printer (remove the printer and reinstall).
o If reinstalling the driver doesn't fix your problem, you may have to remove some files located in system32\spool\drivers: remove any numbered subfolders
Disabling advanced print features may solve a driver-related problem.
Point and Print allows users to automatically install trustworthy drivers (digitally signed drivers included with Windows).
o Enabling Point and Print allows you to specify a list of print servers to which clients are allowed to print
o You can add specific servers to restrict Point and Print to drivers on those servers
o If users are getting UAC prompts, edit the Point and Print Restrictions settings
o The "Only use Package Point and Print" setting is used to determine whether clients can Point and Print to printers that use package-aware device drivers. It does not control which printers are available
You can also use the Deployed Printers setting to specify which printers are available to an OU/domain etc.
Encryption types
802.1x provides authentication but no encryption
WPA2 supports fast roaming (When users need to connect to
different WAPs constantly in the building)
Encryption keys
Usually generated after entering a passphrase
Wireless profiles
You need to extend the AD DS schema on DCs released prior to Server 2008. This is done by importing 802.11Schema.ldf with ldifde.
If you try to connect to a device using netsh wlan, you must first have a profile containing the SSID/security information saved. You can export profiles as XML and distribute them to other computers.
Load the imported profile with netsh wlan add profile filename=
You can use scripts and profiles to prevent users from ever having to enter a wireless key.
You can use netsh to allow or block access to wireless networks based on their SSIDs:
o netsh wlan add filter permission=allow ssid=toast networktype=infrastructure
You can configure per-user profiles on computers with multiple users (all-user profiles are the default).
netsh wlan show networks shows networks in range (mode=bssid includes signal strength, wireless radio type, channel, basic rates and other rates; mode=ssid outputs SSID, authentication and encryption type; if you do not specify an option, the command runs in ssid mode). netsh wlan show all displays all info about interfaces.
Mobile devices
The first time you connect with EAP, if you don't have the enterprise CA's certificate in Trusted Root, clear the "Validate server certificate" check box.
If you can't reconnect to a wireless network, it is probably because security settings have changed.
Use Applications and Services Logs > Microsoft > Windows > WLAN-AutoConfig to analyse wireless problems (or Applications and Services Logs > Microsoft > Windows > Diagnostics-Networking > Operational if you used the Windows Network Diagnostics troubleshooter).
Choose the Smartcard User template if you need to encrypt the user's data.
IPv6 support
DA clients must have a globally routable IPv6 address.
ISATAP is used on internal networks.
6to4 is used on the internet. It converts global IPv4 to IPv6; the router's IPv4 address is embedded in the IPv6 address.
Teredo allows clients located behind an IPv4 NAT device to communicate with IPv6 over the internet. It converts private IPv4 to IPv6 (only used when 6to4 isn't available) and relies on clients, servers and relays.
IP-HTTPS allows hosts located behind a web proxy or a firewall to connect to the IPv6 internet (only used when 6to4 and Teredo aren't available).
NAT-PT/NAT64 allows connectivity through a NAT between global IPv6 and private IPv4 addresses.
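As an added example (not part of the notes) of what "the router's IPv4 address is embedded in the IPv6 address" means in practice, the Python below derives a 6to4 prefix from an IPv4 address (2002:WWXX:YYZZ::/48), recovers the IPv4 address from a 6to4 address, and builds and decodes an ISATAP address (the ::0:5efe:w.x.y.z interface identifier). Both transformations are useful when reading a DirectAccess client's ipconfig output. The sample addresses come from documentation ranges and are constructed; the public flag on isatap_address is an assumption that lets the caller select the ::200:5efe form used for a globally unique IPv4 address.

```python
import ipaddress


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """6to4 prefix for a site: 2002:WWXX:YYZZ::/48, WWXX:YYZZ = the (public) IPv4 in hex."""
    w, x, y, z = ipaddress.IPv4Address(ipv4).packed
    return ipaddress.IPv6Network(f"2002:{w:02x}{x:02x}:{y:02x}{z:02x}::/48")


def ipv4_from_six_to_four(ipv6: str) -> ipaddress.IPv4Address:
    """Recover the embedded IPv4 address (bytes 2..5) from any address under 2002::/16."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return ipaddress.IPv4Address(addr.packed[2:6])


def isatap_address(prefix: str, ipv4: str, public: bool = False) -> ipaddress.IPv6Address:
    """ISATAP address: <64-bit prefix>::0:5efe:w.x.y.z (::200:5efe:... for a globally unique IPv4)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    iid = ((0x0200 if public else 0x0000) << 48) | (0x5EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def ipv4_from_isatap(ipv6: str) -> ipaddress.IPv4Address:
    """Recover the embedded IPv4 address (last 4 bytes) from an ISATAP address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr.packed[10:12] != b"\x5e\xfe":
        raise ValueError(f"{ipv6} does not carry the ISATAP 5efe marker")
    return ipaddress.IPv4Address(addr.packed[12:16])


if __name__ == "__main__":
    # Constructed sample addresses from documentation/private ranges
    print(six_to_four_prefix("192.0.2.1"))               # 2002:c000:201::/48
    print(ipv4_from_six_to_four("2002:c000:201::1"))    # 192.0.2.1
    print(isatap_address("fe80::/64", "10.0.0.1"))      # fe80::5efe:a00:1
    print(ipv4_from_isatap("fe80::5efe:a00:1"))         # 10.0.0.1
```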
To configure a DA client, add it to a Windows group and specify this group when you run the DA configuration wizard on the server.
The network location server is a web server located on the perimeter network.
ISATAP makes an internal network fully IPv6 compatible.
You can also use a NAT-PT device to translate DA traffic and make your network IPv6 compatible.
A CDP needs to be available for both internal and external clients (for client and server authentication certificates, as well as NAP if it has been implemented).
Perimeter firewall exceptions:
o UDP 3544 - Teredo inbound
o IPv4 protocol 41 - 6to4
o TCP 443 - IP-HTTPS
o Native IPv6 support:
  ICMPv6
  IPv4 protocol 50
When configuring Teredo/6to4/IP-HTTPS use netsh interface and connect to the first public IP of the DirectAccess server (use the FQDN with IP-HTTPS).
The HRA must be located on the internet in order to distribute health certificates to clients.
The Teredo client should be set to enterprise client.
Remove ISATAP from the global query block list on DNS servers. The intranet DNS server should also have an ISATAP A record.
When using NAT-PT, the intranet servers will not have a global IPv6 address; ensure the NAT-PT device has a global IPv6 address instead.
The DA client must correctly determine that it is not on the intranet: use netsh namespace show effectivepolicy. If it does not, check the NLS server URL in the registry. Ensure it matches an exemption entry or does not match the DNS suffix for your intranet namespace in the NRPT.
The DA client can't be assigned the domain firewall profile. If it is, ensure you don't have an active VPN connection or an accessible Domain Controller, and disable that connection.
The DA client must be able to contact its intranet DNS server through IPv6. Use netsh namespace show effectivepolicy to obtain the intranet DNS servers and ping them.
The DA server must contain IPv4 routes on the intranet interface to allow it to access all IPv4 destinations on the intranet.
Ping the IPv6 intranet DNS servers.
Ping IPv6 intranet servers.
Must be able to connect with application-layer protocols. If file and print sharing is enabled use net view \\intranetFQDN to test.
Name Resolution Policy Table
The NRPT is used to separate intranet traffic from internet traffic (if a name query does not match the NRPT it is sent to the locally configured DNS server).
DirectAccess requires special handling for name queries for specific portions of the DNS namespace. If the DNS name matches specified portions of the namespace, apply the special handling. If the DNS name does not match the specified portions of the namespace, perform a normal DNS query using locally configured DNS servers. For example:
o If you set the suffix to greentea.org, all DNS requests that end in greentea.org will be sent to the specified IPv6 DNS server(s)
o If you set the prefix to server15, all DNS requests that start with server15 will be sent to the specified IPv6 DNS server(s)
o To specify all DNS names select Any (rather than suffix/prefix etc.). Only use this with DirectAccess when the "route all traffic through the internal network" GPO is enabled (this is like the "Use default gateway on remote network" setting for a VPN connection)
The network location server must either be exempt from the NRPT policy rules or must not match them (have a different suffix when using suffix-based rules, for example).
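Added example (not from the original notes): a Python model of the NRPT rule semantics described above, covering suffix, prefix and Any rules plus the exemption entry that keeps the network location server resolving through local DNS. The ordering assumption (the most specific matching entry wins: an FQDN entry, then the longest suffix, then a prefix, then Any), the rule class, and the names and the 2001:db8 DNS server address are all constructed for the example.

```python
"""Model of NRPT rule matching as described above (added example, not from the notes).

Each rule says which part of the namespace it covers (suffix, prefix, fqdn or any) and
which DNS servers to use. An entry with no DNS servers is an exemption: the name still
matches, but is resolved with the locally configured DNS servers, which is how the
network location server is kept out of DirectAccess name resolution. The ordering
assumption (most specific match wins) and all names/addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NrptRule:
    kind: str                 # "suffix", "prefix", "fqdn" or "any"
    pattern: str = ""         # e.g. "greentea.org", "server15", "nls.greentea.org"
    dns_servers: tuple = ()   # IPv6 DNS servers to use; empty tuple = exemption


_SPECIFICITY = {"fqdn": 3, "suffix": 2, "prefix": 1, "any": 0}


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def matches(rule: NrptRule, name: str) -> bool:
    """Does this rule cover the queried name?"""
    n, p = _norm(name), _norm(rule.pattern).lstrip(".")
    if rule.kind == "any":
        return True
    if rule.kind == "suffix":
        return n == p or n.endswith("." + p)
    if rule.kind == "prefix":
        return n.split(".")[0] == p
    if rule.kind == "fqdn":
        return n == p
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def resolve_via(name: str, rules):
    """DNS servers the client should query for `name`, or None for 'use local DNS servers'."""
    candidates = [r for r in rules if matches(r, name)]
    if not candidates:
        return None                      # no NRPT match: normal query to local DNS
    best = max(candidates, key=lambda r: (_SPECIFICITY[r.kind], len(r.pattern)))
    return best.dns_servers or None      # exemption entries carry no servers


# Constructed DirectAccess-style table
INTRANET_DNS = ("2001:db8::53",)
RULES = (
    NrptRule("suffix", "greentea.org", INTRANET_DNS),
    NrptRule("prefix", "server15", INTRANET_DNS),
    NrptRule("fqdn", "nls.greentea.org"),          # NLS exemption: resolved locally
)

if __name__ == "__main__":
    for q in ("fileserver.greentea.org", "nls.greentea.org",
              "server15.blacktea.net", "www.example.com"):
        print(q, "->", resolve_via(q, RULES) or "local DNS servers")
    # With "route all traffic through the internal network" you would add
    # NrptRule("any", "", INTRANET_DNS); the NLS exemption still wins for nls.greentea.org.
```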
Advanced settings
Security settings
Protected Mode is not enabled by default in the Intranet zone and Trusted Sites.
All trusted sites must be secured with an SSL certificate.
Use the Custom level button in the Security tab of Internet Options to configure ActiveX control behaviour, scripting and user authentication settings.
You can also use the Advanced settings to configure settings such as whether Internet Explorer performs revocation checks, whether the SmartScreen Filter is enabled by default, which versions of SSL/TLS are supported, whether Windows authentication is supported, and whether IE should display a warning when there's a mismatch between an SSL certificate and a website address.
Protected Mode means any processes spawned by IE run with very limited privileges. It does this by using Mandatory Integrity Control (MIC), which labels processes/files/registry keys with one of four integrity levels.
o The Protected Mode compatibility layer redirects write locations to safe locations. So if a process tries to write to the Documents library, it is redirected to AppData\Temporary Internet Files\Virtualized. This only applies to add-ons written for OS versions lower than Vista, as add-ons written for Vista and later natively write to these locations
Compatibility logging: some web applications/add-ons developed for earlier versions of IE don't work properly in IE8. Enable compatibility logging in Administrative Templates (GP) to find out the exact problem. Then find the logs in Applications and Services Logs\Internet Explorer.
Disable Protected Mode: Internet Options > Security > disable Protected Mode for a particular zone. Retest the application with Protected Mode disabled (or add the site to Trusted Sites, which disables Protected Mode for that site permanently).
Protected Mode is not available on Windows XP even with IE8.
Group Policy: enable "Turn on Internet Explorer 7 Standards Mode" to enable Compatibility View for websites in IE8.
Installing plug-ins
Tools > Manage add-ons
If an add-on is preventing you from opening IE, open Internet Options from Control Panel > Network and Internet > Internet Options > Manage browser add-ons.
You can start IE without add-ons by opening Internet Explorer (No Add-ons) from Programs > Accessories > System Tools, or run iexplore.exe -extoff.
To enable add-ons in Group Policy (User Configuration), provide the class identifier (CLSID) for it, e.g. {BDB57FF2-79B9-4205-9444-F5FE85F37312}. This can be found in the <object> HTML tag of a web page that references the add-on. Deny with 0. Allow with 1. Allow, and allow management by users, with 2.
You can also deny all add-ons unless they're explicitly allowed in Group Policy.
Turn off crash detection (GP): use this to ensure an add-on still runs even if it's causing IE to crash.
ActiveX add-ons may include:
o A component that allows you to manage VMs from an MS Virtual Server web page
o A Microsoft Update component that scans for missing updates
o Shockwave Flash
o A component that tries to install malware
Configure ActiveX Opt-In via Internet Options > Security > select zone > Custom level > "Allow previously unused ActiveX controls to run without prompt". Disabled means ActiveX Opt-In is enabled, and you will be prompted. Enabled means ActiveX Opt-In is disabled, and ActiveX controls will run without a prompt.
ActiveX Opt-In is enabled by default for the Internet and Restricted Sites zones, but disabled for Local Intranet and Trusted Sites (so intranet and trusted sites will install controls without prompting the user).
ActiveX Opt-In does not apply to ActiveX controls in the preapproved list, which is contained in HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved (it contains the CLSIDs of preapproved ActiveX controls).
Automatic prompting for ActiveX controls bypasses the information bar and actively prompts the user to install the control. This is disabled on all zones by default.
You can reduce the number of prompts a user receives by enabling "Download signed ActiveX controls".
"Run ActiveX controls and plug-ins": if this is disabled, users will not be able to run ActiveX controls at all.
Configure the ActiveX Installer Service to allow standard users to install ActiveX controls on specific approved websites. Under Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service, specify the URLs that can distribute ActiveX controls. Configure values for the approved installation sites: 0 to block, 1 to prompt, 2 to install automatically.
Certificates
The certificate presented by a website was issued for a different website address:
o The host name (or IP address) you're using to access the site is not the site's primary address
o The server is impersonating a different server
You can add certificates to the IE certificate store to trust certificates.
To import a certificate: Internet Options > Content > Certificates > Import.
Analysing programs
Use msconfig to remove startup programs.
Delete the associated registry keys in both HKLM and HKCU, and write down the paths of the associated programs. Then delete these programs in Windows Explorer.
If problems persist after virus scans, run Startup Repair and run a System Restore.
Analysing processes
Use Task Manager to identify unusual processes.
Key management
Configure AD DS before configuring BitLocker on clients. Otherwise recovery information for those PCs will not automatically be added to AD (this can be done manually with manage-bde or the BitLocker WMI provider).
BitLocker recovery information is stored in a child object of the computer object (its name incorporates a GUID plus the date and time).
The recovery object is msFVE-RecoveryInformation, which has several attributes. One of them is:
o msFVE-KeyPackage: this contains the encryption key and allows you to decrypt a volume
If any Domain Controllers are running Server 2003 you need to extend the schema with the BitLocker and TPM attributes: ldifde -i -v -f BitLockerTPMSchemaExtension.ldf. Then you must run cscript Add-TPMSelfWriteACE.vbs to add an Access Control Entry that allows TPM recovery information to be backed up.
Group Policy configuration:
o Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption > Choose how BitLocker-protected fixed drives can be recovered:
    Enabled: Save BitLocker recovery information to Active Directory Domain Services (selected by default)
    Select BitLocker recovery information to store:
        Recovery passwords and key packages
        Recovery packages only
        o Key packages are used with the repair-bde tool to perform specialised recovery when a disk is damaged or corrupted
    Select "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" if you want to prevent users from enabling BitLocker until the computer is connected to the domain and the recovery information has been successfully stored
o Computer Configuration\Administrative Templates\System\Trusted Platform Module Services > Turn on TPM backup to Active Directory Domain Services:
    Enabled (Require TPM backup to AD DS is selected by default). This means the TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds
To turn on BitLocker and create a recovery password: manage-bde -on C: -RecoveryPassword
After it has encrypted, run manage-bde -protectors -adbackup C: -id {recoveryGUID}