
Archive for the ‘Windows Server 2012’ Category

Short answer:  No, AppLocker is not supported on Windows Server 2012 Server Core.

Slightly more long-winded answer:

My Google/Bing mojo failed to find a definitive answer to this question on-line.  In fact, I found two apparently conflicting sources of information.

This was the first one:

Windows PowerShell can be used to manage AppLocker on Server Core installations using the AppLocker cmdlets and, if administered within a GPO, the Group Policy cmdlets. For more information, see the AppLocker PowerShell Command Reference.

http://technet.microsoft.com/en-us/library/hh831440.aspx

I tried to test this, but switching from “Server with a GUI” to Server Core removes the Application Identity service, which is required for enforcement of AppLocker rules.   The AppLocker event log is also removed.

This was the second one I found:

In Windows Server 2012 and Windows 8

AppLocker is supported on all Windows beta evaluation versions except the Server Core installation option.

http://technet.microsoft.com/en-us/library/ee619725(v=ws.10).aspx

Mmm, it only mentions the “beta evaluation” versions, so a strong hint, but not a definitive statement.

In the end I received a response from someone within Microsoft to a TechNet Forum post.  You can read the full thread here:

http://social.technet.microsoft.com/Forums/en-US/4d78ac57-df3d-444f-b6a4-9df892db8df8/applocker-on-server-core?forum=winservercore
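Before relying on AppLocker on any given host, it is worth confirming that the pieces enforcement depends on are actually present. The following is an added example, not code from the original post: it reports the installation type, whether the Application Identity service (AppIDSvc) exists, and whether the AppLocker event logs exist. The service and log names are the standard AppLocker ones; the function name Test-AppLockerPrerequisite is my own.

```powershell
# Added example (not from the original post): report whether the components that
# AppLocker enforcement depends on exist on this host. Function name is mine.
function Test-AppLockerPrerequisite {
    # The Application Identity service (AppIDSvc) is what evaluates AppLocker rules.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue

    # AppLocker writes to operational logs under Microsoft-Windows-AppLocker/*.
    $logs = Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/*' -ErrorAction SilentlyContinue

    # Server Core identifies itself via the InstallationType value ("Server Core" vs "Server").
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        InstallationType     = $installType
        AppIDSvcPresent      = [bool]$svc
        AppIDSvcStatus       = if ($svc) { $svc.Status } else { 'Missing' }
        AppLockerLogsPresent = [bool]$logs
        AppLockerLogNames    = if ($logs) { $logs.LogName -join ', ' } else { 'None' }
    }
}

Test-AppLockerPrerequisite | Format-List
```

Run it locally on the box in question (or wrap the call in Invoke-Command to check several hosts at once). A host that reports AppIDSvcPresent = False or AppLockerLogsPresent = False cannot enforce rules or record AppLocker events, whatever policy Get-AppLockerPolicy -Effective shows, which is exactly the situation described above on Server Core.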


I’ve recently been looking at Microsoft’s Security Compliance Manager 3.0.  SCM provides a rich set of server-role-based security baselines for deployment using either GPO or SCCM.  This latest version includes baselines for Windows Server 2012.

After deploying the “WS2012 Domain Controller Security Compliance 1.0” baseline settings via GPO into my lab environment, I found RDP sessions to my Windows Server 2012 DCs to be horrendously slow – almost to the point of not being able to do anything.

My on-line searches for the cause revealed nothing official from Microsoft, but I did find some references to one specific setting being the probable cause.  The setting is “Use FIPS compliant algorithms for encryption, hashing, and signing” set to Enabled.

Computer Config->Policies->Windows Settings->Security Settings->Local Policies->Security Options->System Cryptography->Use FIPS compliant algorithms for encryption, hashing, and signing

After setting the value to Disabled and updating Group Policy on the DCs my RDP sessions returned immediately to normal speed.

I hope this information helps others who might come across the same behaviour.
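To see which DCs are actually running in FIPS mode, you can read the registry value that this Group Policy setting controls: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled (1 = Enabled). The script below is an added example, not code from the original post; the function name Get-DcFipsPolicy is my own, and it assumes you can run remote PowerShell against the DCs.

```powershell
# Added example (not from the original post). The GPO setting "Use FIPS compliant
# algorithms for encryption, hashing, and signing" is written to the registry value
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled (1 = Enabled).
# Function name is mine; $DomainControllers defaults to every DC in the current domain.
Import-Module ActiveDirectory

function Get-DcFipsPolicy {
    param(
        [string[]] $DomainControllers = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
        $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            FipsEnabled  = ($value -eq 1)
            # $null means the value has never been written, which also means FIPS mode is off
            RawValue     = $value
        }
    } | Select-Object ComputerName, FipsEnabled, RawValue
}

Get-DcFipsPolicy | Sort-Object ComputerName | Format-Table -AutoSize
```

If a DC still reports FipsEnabled = True after you have changed the baseline and run gpupdate /force, another GPO is probably still enforcing the setting; gpresult /h on that DC will show which one wins. Note also that if FIPS mode is mandated for your environment, the better course is to keep it enabled and investigate the RDP slowness itself rather than switch the setting off.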


Have you ever considered running BitLocker to encrypt the drives within a Virtual Machine running on, e.g. Hyper-V or VMware? On the face of it, it seems a sensible thing to do, especially considering how portable VHDX and VMDK files are. Despite the process of enabling BitLocker for VMs being described online, you should be aware that it is not actually supported.

The Microsoft support statement is here:

Can I use BitLocker within a virtual machine operating environment?

BitLocker is not supported for use within a virtual machine. Do not run BitLocker Drive Encryption within a virtual machine. You can use BitLocker in the virtual machine management operating system to protect volumes that contain configuration files, virtual hard disks, and snapshots.

Source: http://technet.microsoft.com/en-us/library/hh831507.aspx

The VMware support statement follows logically from Microsoft’s:

As the operating system vendor does not support this configuration, it is unsupported by VMware in a Player, Workstation, Fusion or ESX/ESXi virtual machine.

Source: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2036142

In the context of Active Directory Domain Controllers, Microsoft makes the following recommendations for securing virtual domain controllers:

If you implement virtual domain controllers, you should ensure that domain controllers run on separate physical hosts than other virtual machines in the environment. Even if you use a third-party virtualization platform, consider deploying virtual domain controllers on Hyper-V Server in Windows Server 2012 or Windows Server 2008 R2, which provides a minimal attack surface and can be managed with the domain controllers it hosts rather than being managed with the rest of the virtualization hosts. If you implement System Center Virtual Machine Manager (SCVMM) for management of your virtualization infrastructure, you can delegate administration for the physical hosts on which domain controller virtual machines reside and the domain controllers themselves to authorized administrators. You should also consider separating the storage of virtual domain controllers to prevent storage administrators from accessing the virtual machine files.

Source: Best Practices for Securing Active Directory

It will be interesting to see whether Microsoft change their support statement in future versions of Windows.  I’ve not seen anything in Windows Server 2012 R2 to indicate a change, so it might be a while yet.
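Given that the supported approach is to protect the host volumes that hold the virtual hard disks, a useful check on a Hyper-V host is to map every VM’s disk files to their host volume and read that volume’s BitLocker state. The following is an added example, not code from the original post or from Microsoft; it uses the Hyper-V and BitLocker PowerShell modules, and the function name Get-VmDiskBitLockerStatus is my own.

```powershell
# Added example (not from the original post): on a Hyper-V host, list each VM's
# virtual hard disk files together with the BitLocker state of the host volume
# that holds them. Uses the Hyper-V and BitLocker modules; function name is mine.
function Get-VmDiskBitLockerStatus {
    foreach ($vm in Get-VM) {
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            # -Qualifier yields the drive letter, e.g. "D:", which is the BitLocker mount point.
            $mount = Split-Path -Path $disk.Path -Qualifier
            $blv   = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            [pscustomobject]@{
                VMName           = $vm.Name
                DiskPath         = $disk.Path
                HostVolume       = $mount
                VolumeStatus     = if ($blv) { $blv.VolumeStatus }     else { 'Unknown' }
                ProtectionStatus = if ($blv) { $blv.ProtectionStatus } else { 'Unknown' }
            }
        }
    }
}

# Anything other than ProtectionStatus = On is a host volume holding unprotected VHD/VHDX files.
Get-VmDiskBitLockerStatus | Where-Object { $_.ProtectionStatus -ne 'On' } | Format-Table -AutoSize
```

One caveat: disks stored on a Cluster Shared Volume (paths under C:\ClusterStorage\...) resolve to C: with this approach, so for clustered hosts you would need to map the CSV mount point separately. For domain controllers in particular, this report also tells you quickly whether the storage separation Microsoft recommends above is backed by encryption at rest.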

After an absence of a couple of years, the Wellington Windows Infrastructure User Group has been brought back to life!  If you’re in Wellington on Wednesday 4th July, come along and watch me and Daniel Bowbyes presenting on some Windows Server 2012 goodness.

http://www.mscommunities.co.nz/Events/Wellington-Windows-Infrastructure-User-Group—Win.aspx

I’ve had the script shown below for quite a while, but as I recently tested it successfully against Windows Server 2012 AD (Release Candidate), I thought I would share it with the community.

Note that I have only tested it with single domain forests.

Import-Module ActiveDirectory

[string] $menu = @'

    Active Directory FSMO Role Holder mover script
    Please select an option from the list below

    1) Move all roles
    2) Move the Schema Master (forest)
    3) Move the Domain Naming Master (forest)
    4) Move the Infrastructure Master (current domain)
    5) Move the PDC Emulator (current domain)
    6) Move the RID Master (current domain)

Select an option.. [1-6]?
'@

# Read-Host returns a string; the switch below still matches it against the numeric labels.
$opt = Read-Host $menu
Write-Host "Selected option: $opt" -ForegroundColor Blue

# Target DC (hostname or DN) that will receive the role(s).
$target = Read-Host "Target DC for the role(s)?"

# Parameters are named explicitly so the binding is unambiguous: -Identity is the DC that
# receives the role(s), -OperationMasterRole the role(s) to move. -Confirm:$false suppresses
# the per-role confirmation prompt.
switch ($opt) {
    1 { Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole DomainNamingMaster, SchemaMaster, PDCEmulator, InfrastructureMaster, RIDMaster -Confirm:$false }
    2 { Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole SchemaMaster -Confirm:$false }
    3 { Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole DomainNamingMaster -Confirm:$false }
    4 { Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole InfrastructureMaster -Confirm:$false }
    5 { Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole PDCEmulator -Confirm:$false }
    6 { Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole RIDMaster -Confirm:$false }
    default { Write-Host "You haven't selected any of the available options."; exit }
} # End switch
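After moving roles it pays to confirm that AD actually reports the new holders, rather than trusting that the cmdlet succeeded. The following is an added example, not part of the original script: it reads the forest-wide and domain-wide role holders and warns about any role not held by the DC you expected. The function name Get-FsmoRoleHolder and the placeholder DC name are mine.

```powershell
# Added example (not from the original post): report the current FSMO role holders
# so a move can be verified before and after running the mover script. Function name is mine.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest   # forest-wide roles
    $domain = Get-ADDomain   # roles of the current domain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Placeholder: replace with the FQDN of the DC you moved the role(s) to.
$expectedTarget = 'DC02.corp.example'

$holders = Get-FsmoRoleHolder
$holders | Format-List

# Warn about every role that AD does not report as held by the expected DC.
$holders.PSObject.Properties |
    Where-Object { $_.Value -ne $expectedTarget } |
    ForEach-Object { Write-Warning ("{0} is held by {1}, not {2}" -f $_.Name, $_.Value, $expectedTarget) }
```

Run it once before the move to capture the starting point, and again afterwards; if a role still shows the old holder, check replication (repadmin /showrepl) before assuming the transfer failed, since the value you read comes from whichever DC the cmdlets bound to.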


Recently, I have been working in a Windows Server 2008 R2 AD environment that has a number of RODCs in branch offices.   The environment uses DFSR (i.e. not FRS) for SYSVOL replication, and I wondered whether I could simply remove the connection objects named “RODC Connection (FRS)”.  To me, the use of “FRS” in the name indicated that it was probably a legacy object.  Rather than going ahead with the removal, I thought I would first check on-line and with some fellow MVPs as well as Microsoft employees.  Here’s what I found…

“The FRS connection objects are not required by DFS Replication” in the RODC Frequently Asked Questions article on TechNet (note: this has since been reworded).

http://technet.microsoft.com/en-us/library/cc754956(v=WS.10).aspx

I also found this statement in the Directory Services Team Blog…

Despite the mention only of FRS in this article, the 0x40 value is required for both DFSR and FRS

http://blogs.technet.com/b/askds/archive/2010/10/08/friday-mail-sack-cluedo-edition.aspx#rodc

The two statements are contradictory, and it was only after a helpful clarification from Microsoft’s Kurt Hudson that it transpired the connection object is required for SYSVOL replication using either method (i.e. FRS or DFSR).  In other words, if you are using DFSR for SYSVOL, don’t delete these connection objects, or you will need to recreate them manually (being sure to set the 0x40 bit in the options attribute as described in the DS team blog article).

I fired up an RODC on Windows Server 2012 Release Candidate yesterday and was pleased to see the connection object has been renamed to avoid confusion.

Windows Server 2008 R2: [screenshot: RODC_Connections_2008R2]

Windows Server 2012 Release Candidate: [screenshot: RODC_Connection_Objects]

Well done Kurt!  It’s great to see this sort of thing getting resolved.
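Since the name of the connection object is not what matters, a safer check than reading names is to look at the options attribute itself. The following is an added example, not code from the original post or from Microsoft: for each RODC in the domain it lists the inbound nTDSConnection objects beneath the RODC’s NTDS Settings object and flags any whose options attribute lacks the 0x40 bit discussed above. The function name Get-RodcSysvolConnection is my own.

```powershell
# Added example (not from the original post): list the inbound nTDSConnection objects
# of every RODC in the domain and flag any that lack the 0x40 bit in the options
# attribute, which the post says is required for SYSVOL replication (FRS or DFSR).
# Function name is mine.
Import-Module ActiveDirectory

function Get-RodcSysvolConnection {
    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
    foreach ($rodc in $rodcs) {
        # Connection objects live directly beneath the RODC's NTDS Settings object
        # in the Configuration naming context.
        $conns = Get-ADObject -SearchBase $rodc.NTDSSettingsObjectDN -SearchScope OneLevel `
                              -LDAPFilter '(objectClass=nTDSConnection)' -Properties options, fromServer
        foreach ($c in $conns) {
            $opts = [int]($c.options)   # a missing options attribute reads as 0
            [pscustomobject]@{
                RODC           = $rodc.HostName
                ConnectionName = $c.Name
                FromServer     = $c.fromServer
                Options        = ('0x{0:X}' -f $opts)
                SysvolBitSet   = (($opts -band 0x40) -ne 0)
            }
        }
    }
}

Get-RodcSysvolConnection | Format-Table -AutoSize

# Any RODC with no connection that has SysvolBitSet = True is the case to investigate.
Get-RodcSysvolConnection | Where-Object { -not $_.SysvolBitSet }
```

Before deleting or recreating anything, use this output (and the DS team blog article linked above) to confirm which object actually carries the 0x40 bit; on a healthy RODC you should see at least one inbound connection with SysvolBitSet = True, regardless of whether its name says FRS or not.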