October 2008 - Posts

When you log on to your Vista system as a standard user and use RUNAS to obtain a new token, you will not be able to export GPPE settings.

 

When you try to export by dragging a GPPE setting to a folder you will see the standard copy arrow icon appear, but when you drop the setting no XML document appears.

In the window below I was logged on as demonet\tom (local admin on the Vista box) and used runas to run the GPMC as demonet\tom-a (domain administrator). Dragging and dropping a GPPE setting failed.

normal user

However, when I log on interactively as demonet\tom-a (domain admin), run the GPMC and try to export, it does work.

full

You should pay special attention to the icon when you export a GPPE setting by drag and drop.

 image

So what's happening behind the scenes when using drag and drop, and how can you work around this?

1. Scenario 1: "I log on to Vista using my domain admin and drag and drop"

When you drag and drop a file from the MMC to the desktop or any other location you can see MMC.EXE create a temp file in the user's profile\AppData\Local\Temp\*.xml, and when you drop the file you can see explorer.exe being called to create a copy of the .xml file in the target location.

Pay special attention to the user performing the operation: as you can see, both mmc.exe and explorer.exe run as the same user, as you would expect.

image

2. Scenario 2: "I log on to Vista using my client user demonet\tom and run mmc.exe as my domain admin demonet\tom-a"

As you may know, in the good old XP days and before it was possible to start explorer.exe with runas, thus running two instances of the exe with two different credentials. However, for low-level security reasons this is no longer possible in Vista. In Windows Vista an instance of explorer.exe is loaded when you log on to the desktop, and from that point on all instances running on that user's desktop will run with those credentials.

When you run mmc.exe as demonet\tom-a and mmc.exe tries to fire off an instance of explorer.exe with the demonet\tom-a account, it fails.

 

So to tackle this problem we will need to fix two issues:

- demonet\tom will need read access to the demonet\tom-a profile\AppData\Local\Temp directory.

- we will need to figure out a way to have mmc.exe run with the demonet\tom-a account and have the explorer.exe process run as demonet\tom.

 

Grant read rights to demonet\tom =>

By default you don't have read access to a different user's profile. You can however easily add this right by logging on as demonet\tom, using Explorer to go down to the tom-a profile, double-clicking the profile and elevating your rights when prompted. When doing this, in the background you are actually granting demonet\tom read rights to all directories within the demonet\tom-a profile.

image

image

Run both processes with different credentials =>

The workaround for this is very simple: don't use drag and drop but use proper cut and paste.

 

image

If we look at this process you can clearly see the MMC is running as demonet\tom-a, the domain admin account, but the explorer.exe process runs under my standard user account demonet\tom.

image

That's all; you can now use the export feature for GPPE even when using two user accounts on your Vista client.

Event Name: "The ultimate secure domain controller". This event will be held in cooperation with the community winsec.be.


Topic: During this event we will focus on Windows 2008 Active Directory while zooming in on AD security, RODC deployment, Server Core and BitLocker.

Speaker Bio:

Paul is an Architect for Avanade working on all things directory (whether Active or not), identity management and security on the Microsoft platform. Paul is also a founding member of the winsec.be Microsoft community that focuses on evangelizing Microsoft IAM solutions, and on security solutions for the Windows platform. Prior to joining Avanade, Paul was a consultant with HP/Compaq and was showing his directory roots at Banyan.

Paul is a Microsoft Certified Master on Directory Technologies, and an MVP for Identity Lifecycle Manager.

Event Dates:

Event info
-----------------------------------------------------------
IT-Short talk

Date and time: Tuesday 2 December 2008, start at 18u30 – 21u30

Location: Complex zebrastraat Ghent - Zebrastraat 32 - 9000 Gent  - http://www.zebrastraat.be

Entry: Free

Focus: During this event we will focus on the theory and design concepts around the topic in a demo driven event.

-----------------------------------------------------------

Full day talk

Date and time: Saturday 13 December, start at 10u00 – 17u30

Location: Spes Nostra - Koning Albertstraat 50 - 8520 Kuurne

Entry: 15€ for drinks and lunch

Focus: During this event we will focus on hands-on practice labs around the topic and recap the theory and design concepts.

-----------------------------------------------------------

(*) Please note that both events are complementary, meaning you can follow one or both events individually.

You can register for these events by sending an email to tom@decaluwe.eu, including which events you will attend. Seats are limited so register ASAP!

For more info: www.it-talks.be

One of the most hated, loved and certainly most intrusive new features in Windows Vista must have been UAC (what happens when your screen goes all gray and you need to confirm you're an admin).

Even though Vista has been out there for quite some time now, many people still don't fully understand how it works and how to work with UAC in a production environment.

In this series of posts I'll try to show you how UAC works, how you can make it work (better) for you and why you should consider this a good feature.

Why the great pain and where it fits into your network

There are thousands of posts on what UAC is all about, so I will not recap the basics. To start off I would however like to clearly illustrate where UAC fits into your network.

UAC removes the need for having two user accounts to log on to your Windows client: one would be a box-standard user and the other would have admin rights on the client. However it does NOT remove the need for domain-based admins to have two accounts on the domain, one for day-to-day operations and one with domain admin or other delegated rights on the domain.

UAC temporarily "limits" the rights that a (local/domain/...) admin has on the client, but it does not remove the rights that you have over the network and on the domain if you have delegated rights or are a domain admin.

Any good admin will always have two accounts:

1) Standard account => this account will be used on a day-to-day basis and, when you have Vista with UAC, can and should be a member of the local Administrators group on one or more client systems on the network, depending on your role within the organisation. If you are still using pre-UAC clients you should NOT grant this user local admin rights on the client, and consider using the second account or a third account for performing administrative tasks on your client.

This account would typically be based on your name and also have your day-to-day mailbox attached to it, e.g. John.

2) Admin account => this account will be used to manage servers or access domain resources on the network that require more rights than a standard user. This account would typically be a member of Domain Admins or hold other delegated rights.

A good practice for this account name is to keep it identical to your standard user and add -a or another marker, e.g. John-a.

UAC only protects at the local client level not the network/domain level

UAC is a great security enhancement that helps secure your CLIENT by stripping the local admin privileges, but it does not remove, restrict or limit the network and domain-based privileges that come with your domain admin membership.

To illustrate this do the following:

1) Log on to your domain-joined Vista client
2) Try to access an administrative share on your server, e.g. \\server\c$ => you should get access without any prompt

 image
3) Try to open Computer Management => you'll see UAC prompt you for credential elevation

image

4) To prove my case, let's have a look at the first portion of the token (SID entries) by running whoami /groups /fo list

image

 

Standard user output:

GROUP INFORMATION
-----------------

Group Name: DEMONET\Domain Admins
Type:       Group
SID:        S-1-5-21-3034410144-160669762-3500342714-512
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: DEMONET\Enterprise Admins
Type:       Group
SID:        S-1-5-21-3034410144-160669762-3500342714-519
Attributes: Group used for deny only

UAC upgraded admin output:

GROUP INFORMATION
-----------------

Group Name: DEMONET\Domain Admins
Type:       Group
SID:        S-1-5-21-3034410144-160669762-3500342714-512
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: DEMONET\Enterprise Admins
Type:       Group
SID:        S-1-5-21-3034410144-160669762-3500342714-519
Attributes: Mandatory group, Enabled by default, Enabled group

I have limited this extract to three important groups, and I'll be illustrating the output in more detail in future posts on UAC, but you should pay special attention to how UAC strips the access level on the Enterprise Admins membership but does NOT strip it on the Domain Admins group.

Administrators should be aware of this fact and thus should know that UAC does not limit your network rights if you are a member of the Domain Admins group or hold any other delegated rights.

Having two separate accounts should still be considered a best practice even with UAC in play.
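To make the comparison above repeatable, here is an added example (not from the original post) that parses the text of whoami /groups /fo list and reports which group memberships a token still carries as enabled and which UAC has turned into deny-only entries; the two samples are constructed from the extract shown above.

```python
# Added example, not from the original post: parse `whoami /groups /fo list`
# output and classify each group SID in the token. A "Group used for deny only"
# attribute means UAC kept the SID only to deny access, so it no longer grants
# anything; "Enabled group" means the membership is still in force.
# Both samples below are constructed from the extract in the post.

STANDARD_USER_OUTPUT = """\
GROUP INFORMATION
-----------------

Group Name: DEMONET\\Domain Admins
Type:       Group
SID:        S-1-5-21-3034410144-160669762-3500342714-512
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: DEMONET\\Enterprise Admins
Type:       Group
SID:        S-1-5-21-3034410144-160669762-3500342714-519
Attributes: Group used for deny only
"""

# The elevated token differs only in the Enterprise Admins attributes.
ELEVATED_OUTPUT = STANDARD_USER_OUTPUT.replace(
    "Attributes: Group used for deny only",
    "Attributes: Mandatory group, Enabled by default, Enabled group")


def parse_whoami_groups(text):
    """Return one dict per 'Group Name:' record in the list-format output."""
    groups, current = [], {}
    for line in text.splitlines():
        if ":" not in line:                 # headings, underlines, blank lines
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Group Name":             # a new record starts here
            if current:
                groups.append(current)
            current = {}
        current[key] = value
    if current:
        groups.append(current)
    return groups


def token_summary(text):
    """Map group name -> 'enabled', 'deny-only' or 'disabled'."""
    summary = {}
    for g in parse_whoami_groups(text):
        attrs = g.get("Attributes", "")
        if "deny only" in attrs:
            state = "deny-only"             # stripped by UAC: cannot grant access
        elif "Enabled group" in attrs:
            state = "enabled"               # still grants access, UAC or not
        else:
            state = "disabled"
        summary[g["Group Name"]] = state
    return summary


def filtered_by_uac(standard_text, elevated_text):
    """Groups enabled in the elevated token but deny-only in the filtered one."""
    std, elv = token_summary(standard_text), token_summary(elevated_text)
    return sorted(n for n, s in elv.items()
                  if s == "enabled" and std.get(n) == "deny-only")


if __name__ == "__main__":
    for name, state in token_summary(STANDARD_USER_OUTPUT).items():
        print(f"{name:32} {state}")
    print("stripped by UAC:", filtered_by_uac(STANDARD_USER_OUTPUT, ELEVATED_OUTPUT))
```

Run it on your own output by piping whoami /groups /fo list into a file and reading that file instead of the constructed samples.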

 

UAC core components

At its core, UAC is all about split tokens and two interfaces that help you jump from one token to the other:

- consent user interface
- secure desktop

We will be looking at all these components and more in the next posts.

 

 


As many of you, I often run Vista in a virtual environment, and one of the things I'm always interested in doing is tweaking the virtual demo system for better performance. One quick way to do this is by disabling DEP.

The primary benefit of DEP is to help prevent code execution from data pages. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows. If you want more info on DEP you can read link1 or link2.

Here is a quick way to use BCDedit to set up a dual boot, one entry with DEP enabled and one with DEP disabled, and to boot into the DEP-disabled entry by default. You should only make this a default config in your virtual DEMO environment (don't disable DEP on your production systems).

What we want to do is copy the current OS boot option, disable DEP on the copy, and set the new boot option as default.

step 1: "Run a cmd-box as administrator"

image

step 2: bcdedit => list the current boot options

image

As you can see here there are two major portions:

- Windows Boot Manager => used to be the [boot loader] section in boot.ini; it manages the default OS and the boot-time timeout

- Windows Boot Loader => each OS boot entry has a separate boot loader with a unique identifier

As you can see here there is only one OS boot option available at this time.

 

step 3: copy the default boot option => bcdedit /copy {current} /d "Vista No DEP"

image

Pay special attention to the new identifier GUID being created.

step 4: re-list and view the result

image

step 5: disable DEP on the newly created option => bcdedit /set {d011765b-9a3f-11dd-b0be-005056c00008} nx AlwaysOff

image

step 6: set the newly created boot option as default => bcdedit /default {d011765b-9a3f-11dd-b0be-005056c00008}

image

step 7: set the boot menu timeout to 15 seconds => bcdedit /timeout 15

image

step 8: re-list and view the end result

image 

 

Notice the 15 second timeout, the identifier of the No DEP entry now being the default, and the nx option being AlwaysOff.

This might not help you run Vista on a PIII system, but it will slightly speed up your virtual lab.
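The check you want after a procedure like this is that no machine outside the demo lab is left booting an entry with nx AlwaysOff. The following is an added example (not from the original post) that parses the text of bcdedit /enum and reports the DEP setting of every loader entry and of the default one; the sample output is constructed to match the end result above, with the GUID taken from the post.

```python
# Added example, not from the original post: audit bcdedit /enum output for
# boot entries whose nx (DEP) setting is AlwaysOff, and tell whether the entry
# the boot manager starts by default is one of them. The sample text is
# constructed after the end result of the post (same GUID, timeout 15).

SAMPLE_BCDEDIT_ENUM = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
description             Windows Boot Manager
default                 {d011765b-9a3f-11dd-b0be-005056c00008}
timeout                 15

Windows Boot Loader
-------------------
identifier              {current}
description             Microsoft Windows Vista
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {d011765b-9a3f-11dd-b0be-005056c00008}
description             Vista No DEP
nx                      AlwaysOff
"""

DEP_OFF_VALUES = {"alwaysoff"}      # nx values that switch DEP off entirely


def parse_bcdedit(text):
    """Return a list of (title, {key: value}) tuples, one per bcdedit block."""
    entries = []
    for block in text.strip().split("\n\n"):   # blocks are separated by a blank line
        lines = block.splitlines()
        title, settings = lines[0].strip(), {}
        for line in lines[2:]:                 # skip the title and its underline
            key, _, value = line.strip().partition(" ")
            settings[key] = value.strip()
        entries.append((title, settings))
    return entries


def dep_report(text):
    """Collect the default entry, the timeout and the nx value of each loader."""
    entries = parse_bcdedit(text)
    manager = next(s for t, s in entries if t == "Windows Boot Manager")
    # An entry without an explicit nx line uses the OS default, which is OptIn.
    loaders = {s["identifier"]: s.get("nx", "OptIn")
               for t, s in entries if t == "Windows Boot Loader"}
    return {"default": manager["default"], "timeout": int(manager["timeout"]),
            "loaders": loaders}


def default_boots_without_dep(text):
    """True when the entry selected by the boot manager has DEP switched off."""
    r = dep_report(text)
    return r["loaders"].get(r["default"], "OptIn").lower() in DEP_OFF_VALUES


if __name__ == "__main__":
    r = dep_report(SAMPLE_BCDEDIT_ENUM)
    for ident, nx in r["loaders"].items():
        flag = "  <-- DEP disabled" if nx.lower() in DEP_OFF_VALUES else ""
        print(f"{ident:42} nx={nx}{flag}")
    print("default entry boots without DEP:", default_boots_without_dep(SAMPLE_BCDEDIT_ENUM))
```

On a real machine, feed the script the saved output of bcdedit /enum run from an elevated prompt instead of the constructed sample.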

If you have upgraded to Office 2007 you may have noticed a slight change in the default behaviour. With Office 2003, when opening a .doc, .xls or .ppt file link in IE, the document by default opened integrated inside IE. When you install or upgrade to Office 2007 this is no longer the case, and a separate window and instance of Word, Excel or PowerPoint is opened. This might be the behaviour you prefer, but for one of my line-of-business applications this turned out to be a problem.

 

I could have used scripting, … to solve this problem, but for those of you who have played with the new Group Policy Preferences feature, you know this is exactly what GPPE is made for. One of the great new features in GPPE is the fact that you can export/import GPPE's to XML files, a great feature for sharing GPPE's, and I'll be posting many more starter GPOs and GPPE's in the future. Download my Office_BrowserFlags_GGPES here

 

Today we will be using the new import/export feature in GPPE to add the registry keys to all your clients, configuring Office documents to open integrated in IE.

 

To import the GPPE’s:

The only way you can manage GPPE's is by using GPMC v2.0 on a Windows Vista SP1 box with the RSAT tools installed, or by using a Windows 2008 server and installing the GPMC.

!!! There is no way to manage GPPE’s from any other version of GPMC or OS !!!

Step 1: download and unzip the GPPE template XML files from the link above

Step 2: open the group policy object you want to add the GPPE's to. This can be an existing GPO or a new one. In this demo I created a new Comp_GPPE policy and linked it to my computer OU, as this seems the most logical place to put it, but there is nothing to stop you from creating a user-based GPPE and targeting it to specific users.

image

Step 3: copy the XML file using standard Windows file copy and paste it into the GPPE item area as illustrated. Do this for all the registry keys you want: doc, docx, xls, xlsx, ppt, pptx.

image

You can use the GUI or the shortcut CTRL + V to import the GPPE object.

image

image

image

 

Repeat this operation for all the GPPE objects you want, wait for the default refresh interval and presto, all your clients will start opening Office documents integrated in IE. No more need for scripting, … And don't forget you can use all the enhanced GPPE features to tweak and tune even more.

Tom

 

--------------------------------------

--------------------------------------

 

To export the GPPE’s:

If you are interested in knowing how to export GPPE objects so you can share them with others, it's as simple as dragging and dropping the GPPE object from the GPMC interface to your desktop or another file system location.

And feel free to open the XML document in notepad and poke around ;-)

 

image

 

image

Welcome to my first blog post! Some of you might know me as community leader for IT-Talks or as a presenter at community events. With this blog I hope to share some of my knowledge and experiences on a regular basis with the world. This blog site will be a mix of many technologies, with great need-to-knows and nice-to-knows.

One of my great passions is certainly Wireshark, so I thought this would be a great way to start this blog.

 

Scenario:

A while back we added an extra router to our remote office. After adding the router we tested connectivity using ping, which worked great; however, when we tested DameWare, the remote control tool we use on our support desk, we were unable to get connected. There was no firewalling implemented on the network or on the clients, so the situation seemed very puzzling.

On the left side you have the computer in the remote office (A = 172.16.14.1); on the right side you see the computer in our main office used by our service desk user (B = 192.168.22.217).

After double-checking ping we ran a telnet server on the A client, and to our surprise telnet was working fine, so what was going on? Wireshark to the rescue!

image

The analysis:

We started up Wireshark on client A and initiated a connection from B; below is the result we got before the application timed out. So what is this telling us?

image


1. First 3 packets => connection establishment

image 

The three-way handshake completed perfectly, so clearly there was no firewall blocking the connection.

2. First 2 data packets

image

As you can see here the first 2 data packets went through perfectly: A was talking to B and B was replying back.

3. The next data packets

image

Starting with packet 6 you can see things start to go wrong: packets 6 to 8 are all from A to B, but we can't see any replies coming back from B to A. After some time you can see A start to panic as B is not replying, so A starts to send retransmissions. Why are they not going through?

The problem:

I can tell the problem started with packet 6 because packet 9 onwards is retransmitting that sequence number.

The answer is in the last column I added for the convenience of this post. As you can see packets 1 to 5 are all small packets and go through fine, but once the packets start getting bigger we start to see the retransmits. You should know that the normal MTU of a packet is 1500 bytes – 20 bytes IP header – 20 bytes TCP header, leaving 1460 bytes for data. (At the bottom of this post I'll illustrate the different LEN values Wireshark shows us.)

Our packet was 1434 bytes in size, below the 1460 max size, so this should have worked fine, except it didn't. We used the ping command with the –l parameter to determine the maximum packet size that was traversing the network, and this turned out to be 1360 bytes. So where was this discrepancy coming from? The issue is the VPN overhead on the network and the lack of auto MTU scaling, as you will read later. Depending on the VPN technology you use there is extra IP overhead on the network. In our case we lose 100 bytes, leaving us with a 1360 MTU.

When sending packets greater than the MTU there are two possible mechanisms to solve the issue:

     1. Fragment packets => this would cause our oversized packet to be chopped up into smaller packets; however, as you can see here the Don't Fragment flag is set, so this option can't be used.

image

    

     2. Destination host unreachable packet => a device receiving packets greater than the MTU should send a packet back to the client instructing it to send smaller packets, but we are clearly not getting any such packets.

 

The Answer:

To solve the issue you could do 2 things:

  • instruct the clients to use smaller MTUs; this was not feasible as we had no assurance we could manage all clients.

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\<ID for Adapter>\Connection

Key: Tcpip\Parameters\Interfaces\ID for Adapter\MTU
Value Type: REG_DWORD Number

  • instruct the newly installed routers to use smaller MTUs; we automated our remote switch configuration and reset the MTUs on all switches.

 

I hope you have enjoyed this first post on my blog and stay tuned for more tech posts.

Tom

For more tech info check out our community site at www.it-talks.be

-----------------------------------

-----------------------------------

The packet size shown by Wireshark

1. Packet list

image
In the packet list you see LEN=1380; this means the DATA portion of this packet is 1380 bytes in size. This does not take into account the size of the headers in the packet.

2. Packet detail view

image

In my last custom column and in the data view portion of the packet you see LEN=1434. This is the actual amount of data put on the wire, meaning DATA bytes + header bytes. Where do the extra bytes come from?

Where does the discrepancy come from?

1380 + 20 + 20 = 1420   => so where do the extra 14 bytes come from? OSI layer 2, the data link layer.

As you can see in this screenshot, the layer 2 data counts exactly back to the missing 14 bytes.


image

Note how, when I click on the Ethernet line in the packet detail view, Wireshark automatically selects the corresponding data bytes in the data window; feel free to count the hex numbers, it should be 14.