Search This Blog

Tuesday, November 28, 2017

"Protected Users" group in Active Directory to protect privileged accounts

I usually follow the updates to Active Directory, but only recently I found out that since Windows Server 2012 R2 there is a new secuirty group called "Protected Users" in Active Directory to protect the most privileged accounts in AD.

User accounts when put into this group will be forced not to use weaker encryption types and will be forced to re-authenticate every four hours:

  • The member of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. On a device running Windows 8.1, passwords are not cached, so the device that uses any one of these Security Support Providers (SSPs) will fail to authenticate to a domain when the account is a member of the Protected User group.
  • The Kerberos protocol will not use the weaker DES or RC4 encryption types in the pre-authentication process. This means that the domain must be configured to support at least the AES cipher suite.
  • The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.
  • The default Kerberos Ticket Granting Tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center (ADAC). This means that when four hours has passed, the user must authenticate again.

DPM 2012 R2 Agent not reachable only on domain controllers

I had an interesting issue lately with DPM 2012 R2 agents becoming unreachable on domain controllers. All other protected servers were unaffected.
I started with usual thins - checked the network connectivity and DNS, but everything seemed to be OK. Also I reinstalled the client on domain controllers, but the agent was still unreachable.

Finally it turned out that in the domain Builtin - Users group following members need to included: Domain Users, Authenticated Users and INTERACTIVE, in my case two of those were missing. I added them back, refreshed the agent status in DPM console and issue was resolved instantly.

Friday, November 17, 2017

Microsoft update classifications and security update rating definitions explained

If you are working with deploying updates for Microsoft systems, then you definitely know that there are several types of update classifications, like:

  • Security Updates
  • Critical Updates
  • Updates
  • Definition updates
  • ...

And lately new classifications have appeared:
  • Security-only update
  • Monthly Rollup
  • Preview of Monthly rollup
In addition to this Security updates are classified as Critical, Important, Moderate and Low.

If you ever wondered what each means, then here are explanations for you:

Should I disable builtin domain Administrator account?

Builtin domain Administrator account is special account and it behaves unlike other accounts in Active Directory.

  • It cannot be deleted
  • It cannot be locked out (although you will get an event in Event Log that it was locked, but actually it is not)
  • It will be enabled if you log into Directory Services Restore Mode or Safe Mode

To summarize - I would recommend to disable the account, because you always will get a chance to unlock it in Safe Mode if such time comes.

Second best option is to have a SIEM system or other notification mechanism in place which alerts you if accounts are locked out, this will allow you to notice brute force attacks to Administrator account early.

Thursday, November 16, 2017

Best practices for configuring domain controller primary and secondary DNS servers

I get this question quite frequently - how should I configure DNS servers for domain controllers in IP config.

  • DC should have another DNS server listed as primary DNS
  • DC should have listed itself at least somewhere in DNS search order
  • DC should use loopback address when pointing to itself

Tuesday, November 14, 2017

How to extend Windows Server 2008 / R2 and SQL Server 2008 / R2 support lifecycle

Windows Server 2008 / 2008 R2 and SQL Server 2008 / 2008 R2 end of support dates are coming in huge steps, so you really should be thinking of how to migrate these to newer versions.

If migration for these Windows and SQL Server versions is not possible and will not be in near future, there is a way to extend the support and it is called Premium Assurance. Yes, you have to pay for this, but at least you will stay supported and get security updates. And you can do this for six more years.

Anyway, I do recommend to save this as a very last option.

More info here

Saturday, November 11, 2017

Windows Server 2016 Standard Edition licensing changes in virtual environment

As you probably have heard Windows Server 2016 has core-based licensing, meaning that every physical CPU core has to be licensed.

Windows Server 2016 also introduces some changes how virtual operating system instances are licensed. Especially you have to take into account this rule:

Standard Edition provides rights for up to 2 Operating System Environments or Hyper-V containers when all physical cores in the server are licensed. For each additional 1 or 2 VMs, all the physical cores in the server must be licensed again.

If you have a 20 CPU core server, this means that if you purchase Standard edition licenses for 20 cores, you are eligible for 2 OSes, if you need two more OSes on the same physical server you will need to license all 20 cores once again.

Sunday, November 5, 2017

Test network connectivity with Powershell (Replace Telnet Client)

You don't need to install Telnet Client on Windows Client and Server OSes to check if TCP port on remote machine is available from it.

Simply use this Poweshell command (replace ComputerName and Port with your own values)

Test-NetConnection -ComputerName -Port 53

The output will be something like this:

ComputerName           :
RemoteAddress          :
RemotePort             : 53
InterfaceAlias         : Ethernet
SourceAddress          :
PingSucceeded          : True
PingReplyDetails (RTT) : 73 ms
TcpTestSucceeded       : True

This works for Windows 8 / 2012 and later OSes.

As always use Get-Help to get more info about the cmdlet.

Saturday, November 4, 2017

Can I do a packet trace on Azure Virtual Network Gateway?

Recently I had an networking issue with routing on Azure Virtual Network Gateway, and I wanted to understand if the gateway correctly routes the traffic.

As I was informed by Microsoft Support, at the moment of writing there is no option to check this by yourself and you need to reach out to Microsoft support to get the packet traces.

Also this has been asked by a lot of customers, but Microsoft is still struggling to implement this, no promised deadline yet.