Zoho Banner September 2011

Archive for August, 2013

I’ve recently been looking at Microsoft’s Security Compliance Manager 3.0.  SCM allows provides a rich set of server-role-based security baselines for deployment using either GPO or SCCM.  This latest version includes baselines for Windows Server 2012. 

After deploying the “WS2012 Domain Controller Security Compliance 1.0″ baseline settings via GPO into my lab environment I found RDP sessions to my Windows Server 2012 DCs to be horrendously slow – almost to the point of not being able to do anything.

My on-line searches for the cause revealed nothing official from Microsoft, but I did find some references to one specific setting being the probable cause.  The setting is “Use FIPS compliant algorithms for encryption, hashing, and signing” set to Enabled.

Computer Config->Policies->Windows Settings->Security Settings->Local Policies->Security Options->System Cryptography->Use FIPS compliant algorithms for encryption, hashing, and signing

After setting the value to Disabled and updating Group Policy on the DCs my RDP sessions returned immediately to normal speed.

I hope this information helps others who might come across the same behaviour.

 

Have you ever considered running BitLocker to encrypt the drives within a Virtual Machine running on, e.g. Hyper-V or VMWare? On the face of it, it seems a sensible thing to do, especially considering how portable VHDX and VMDK files are. Despite the process of enabling BitLocker for VMs being described online, you should be aware that it is not actually supported.

The Microsoft support statement is here:

Can I use BitLocker within a virtual machine operating environment?

BitLocker is not supported for use within a virtual machine. Do not run BitLocker Drive Encryption within a virtual machine. You can use BitLocker in the virtual machine management operating system to protect volumes that contain configuration files, virtual hard disks, and snapshots.

Source: http://technet.microsoft.com/en-us/library/hh831507.aspx

The VMWare support statement follows logically from Microsoft’s:

As the operating system vendor does not support this configuration, it is unsupported by VMware in a Player, Workstation, Fusion or ESX/ESXi virtual machine.

Source: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2036142

In the context of Active Directory Domain Controllers, Microsoft makes the following recommendations for securing virtual domain controllers:

If you implement virtual domain controllers, you should ensure that domain controllers run on separate physical hosts than other virtual machines in the environment. Even if you use a third-party virtualization platform, consider deploying virtual domain controllers on Hyper-V Server in Windows Server 2012 or Windows Server 2008 R2, which provides a minimal attack surface and can be managed with the domain controllers it hosts rather than being managed with the rest of the virtualization hosts. If you implement System Center Virtual Machine Manager (SCVMM) for management of your virtualization infrastructure, you can delegate administration for the physical hosts on which domain controller virtual machines reside and the domain controllers themselves to authorized administrators. You should also consider separating the storage of virtual domain controllers to prevent storage administrators from accessing the virtual machine files.

Source: Best Practices for Securing Active Directory

It will be interesting to see whether Microsoft change their support statement in future versions of Windows.  I’ve not seen anything in Windows Server 2012 R2 to indicate a change, so it might be a while yet.