Friday, December 01, 2006

Sunday, November 12, 2006

VBScript Define and Call Subroutines

Define a Subroutine
Sub subroutineName (passedArg1, passedArg2,....)
Dim .....
Set .....
End Sub

Call a Subroutine
Call subroutineName (inputArg1, inputArg2)
Note that the parentheses are required when the Call keyword is used; if Call is omitted, the arguments are written without parentheses (subroutineName inputArg1, inputArg2).

PowerShell

http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

Vista Bitlocker Drive Encryption

Technical Overview
http://www.microsoft.com/technet/windowsvista/security/bittech.mspx

Saturday, November 11, 2006

Download WMI Admin Tools link

http://www.microsoft.com/downloads/details.aspx?FamilyId=6430F853-1120-48DB-8CC5-F2ABDC3ED314&displaylang=en

Runas CLI

Using alternate credentials from the command line:
runas /user:DOMAIN\username "application"
runas always prompts for the password interactively; there is no switch for supplying it on the command line.

Change Default Script Host

Change default script host to CScript:
CScript.exe //H:CScript

Change default script host to WScript:
CScript.exe //H:WScript

Sunday, October 29, 2006

Using ADSI Authentication / Encryption

http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1213.mspx
http://windowssdk.msdn.microsoft.com/en-us/library/ms677047.aspx
http://windowssdk.msdn.microsoft.com/en-us/library/ms679913.aspx

ADSI SSL Port

When performing secure authentication with SSL using a bind in ADSI (ADS_USE_SSL), the server's SSL port must be 636.
See microsoft support article:
http://support.microsoft.com/kb/817583
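Added example (PowerShell, not from the original post): a check for the requirement above. It confirms that something listens on TCP 636, completes a TLS handshake to show which certificate the DC presents, and then performs the ADSI bind with the SecureSocketsLayer flag, the .NET equivalent of ADS_USE_SSL. The server name dc01.corp.example, the base DN DC=corp,DC=example and the account prompted for by Get-Credential are assumptions; replace them with your own.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Test-LdapsTransport {
    param([string]$Server, [int]$Port = 636)
    # Step 1: is anything listening on 636? The SSL flag assumes this port; a listener on
    # 3269 (Global Catalog over SSL) or on a custom port does not satisfy the ADSI LDAP bind.
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Server, $Port)
    try {
        # Step 2: complete a TLS handshake with the default certificate validation. An
        # untrusted issuer or a name mismatch throws here, for the same reason the bind would fail.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = $Server
            Port       = $Port
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        $tcp.Close()
    }
}

function Test-AdsiSslBind {
    param(
        [string]$Server,
        [string]$BaseDN,
        [System.Management.Automation.PSCredential]$Credential
    )
    # Step 3: the ADSI bind itself. SecureSocketsLayer maps to ADS_USE_SSL: the LDAP provider
    # wraps the connection in TLS and the simple bind credentials travel inside that tunnel.
    # The port is written into the path to make the dependency on 636 explicit.
    $path = "LDAP://${Server}:636/$BaseDN"
    $auth = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
    $ctorArgs = @($path, $Credential.UserName, $Credential.GetNetworkCredential().Password, $auth)
    $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $ctorArgs
    # DirectoryEntry binds lazily; reading the property cache forces the bind to happen now.
    $entry.RefreshCache()
    [pscustomobject]@{
        Path    = $path
        BoundAs = $Credential.UserName
        DN      = [string]$entry.Properties['distinguishedName'].Value
    }
}

# Assumed values: change the DC name, base DN and account to match your domain.
$dc   = 'dc01.corp.example'
$cred = Get-Credential 'CORP\svc-ldapreader'
Test-LdapsTransport -Server $dc | Format-List
Test-AdsiSslBind -Server $dc -BaseDN 'DC=corp,DC=example' -Credential $cred | Format-List
```

If Test-LdapsTransport throws "The remote certificate is invalid according to the validation procedure", the DC's certificate chain is not trusted by this client, and the ADSI bind will fail for the same reason even though port 636 is open; fix the trust (or the certificate's subject name) rather than the bind code.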

Link to ADSI SDK 2.5

It's old but still very useful:
http://www.microsoft.com/technet/archive/winntas/downloads/adsi25.mspx?mfr=true

Sunday, October 22, 2006

Citrix Default Ports

Citrix XML Service: 80
Citrix SSL Relay: 443
ICA Session (Client<->Server): 1494
ICA Browsing (Client/Server<->Server): 1604 UDP
IMA (Server<->Server): 2512
IMA (Management Console<->Server): 2513
Session Reliability (Client<->Server): 2598
Access Suite License Server (Server<->License Server): 27000

Sunday, October 15, 2006

Shortcut to Windows Add/Remove Programs

appwiz.cpl

Windows Startup Programs Registry Location

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Common TCP/UDP Port Numbers

Citrix Client TCP 1494
DNS UDP/TCP 53 (lookups use UDP 53; zone transfers and responses too large for UDP use TCP 53)
FTP TCP 20 (data) & 21 (control)
GC (Global Catalog LDAP) TCP 3268
HTTP TCP 80
HTTPS TCP 443
IMAP4 TCP 143
Kerberos TCP/UDP 88
Kpasswd TCP/UDP 464
LDAP TCP 389
MSN Messenger TCP 1863
NNTP TCP 119
NTP UDP 123
POP3 TCP 110
RDP TCP 3389
SMTP TCP 25
TELNET TCP 23

Saturday, July 29, 2006

AD / Server / XP Commands to remember

netdom [query fsmo - displays fsmo roles & their holders]
replmon (GUI)
repadmin
dcdiag [/fix]
netdiag [/fix] - /fix re-registers the DC's DNS SRV records
dsastat - compares 2 DCs to verify convergence (specify directory partition)
dsquery / dsmod / dsadd...
ntdsutil
adprep

sigverif.exe - Display a list of installed unsigned drivers
sfc.exe - system file checker- verifies all wfp (windows file protection) files are intact and in correct place.

fixboot (Recovery Console) - writes a new boot sector on the system partition (bootcfg /rebuild is the Recovery Console command that rebuilds boot.ini; fixmbr rewrites the master boot record)
ftonline - recovers data from fault-tolerant disk configurations created in earlier versions of Windows (e.g. NT4).

convert c: /fs:ntfs (CLI FAT-to-NTFS conversion; it is one-way, and on the system drive it runs at the next reboot)

Very simple VBScript to copy a file

Dim objFSO
Set objFSO = CreateObject("Scripting.FileSystemObject")
' A destination ending in a backslash is treated as a folder; the file keeps its name.
objFSO.CopyFile "C:\test.txt", "D:\"

Also works for UNC paths (the trailing underscore continues the statement on the next line):

Dim objFSO
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.CopyFile "C:\test.txt", _
    "\\AnotherPC\share$\Folder\test.txt"

CopyFile's optional third argument (overwrite) defaults to True, so an existing destination file is silently replaced; pass False to make the copy fail instead.

Wednesday, June 07, 2006

Subnets and Subnetting

Subnetting is the process of lengthening a subnet mask in order to accommodate more networks within an address space.
A subnet mask defines how many leading bits of an address identify the network. For example, the standard class C private network address 192.168.1.0 has a subnet mask of 255.255.255.0. Note that 192.168.1.0 is a network address, not a host address, because the binary host part of the address is all 0s. Converting the network address and subnet mask into binary gives:
Network Address: 11000000 10101000 00000001 00000000
Subnet mask:     11111111 11111111 11111111 00000000

The subnet mask is 24 bits long (commonly written /24). This tells us that the first 24 bits of the address are the network part and the remaining 8 bits are the host part.
To find the highest address in this network, fill the binary host part of the address with 1s:
Highest address possible: 11000000 10101000 00000001 11111111
                        : 192.168.1.255
However, an all-1s host part is reserved for the broadcast address of the network (a packet sent to 192.168.1.255 is received by every host on the subnet), so it cannot be assigned to a host.
Therefore the highest host address on the 192.168.1.0/24 network is:
11000000 10101000 00000001 11111110
192.168.1.254

We also now know that the 192.168.1.0/24 network can accommodate 254 hosts. This can be calculated more quickly using the formula:

(2^n - 2), where n is the number of bits in the host part of the address and the 2 subtracted are the network address and the broadcast address. So we would calculate:

(2^8 - 2), which equals 254 (remember there are 24 network bits and 8 host bits in the example).



Why is this important?
Computers can only communicate directly with each other if they are on the same network (the same subnet). So if HostA has IP address 192.168.1.1/24 and HostB has IP address 192.168.1.2/24, they can communicate directly without a router.
If the network part of the two hosts' addresses differs, they can only communicate through a router between them.
For example, if HostA has an IP address of 192.168.1.1/24 and HostB has an IP address of 192.168.2.1/24, they cannot communicate without a router. Note that we are still using the subnet mask 255.255.255.0 here, so the third octet is part of the network address.

Let's make some subnets
Let's start with the reserved private address space 10.0.0.0. This is a class A address space with a default subnet mask of 255.0.0.0: only 8 bits represent the network part of the address and 24 bits represent the host part. Thus the maximum number of hosts on this network is:

(2^24 - 2), which equals 16777214. That is a lot of hosts.

Let's imagine a company with 700 offices all over the country. Each office is going to need its own subnet within the 10.0.0.0/8 private address space.

In order to subnet the 10.0.0.0 address space we need to extend the subnet mask (borrow bits from the host part).

If we increase the length of the subnet mask by 9 bits to /17 (8+9), the 9 borrowed bits give us a maximum of

(2^9 - 2) = 510 possible subnets, which is not enough. So we increase the subnet mask by 10 bits instead [mask=/18]:

(2^10 - 2) = 1022 possible subnets, which is enough!

(The "-2" for subnets is the classful convention that avoids the all-0s and all-1s subnet numbers. Routers and operating systems that support CIDR, which is now the norm, can use all 2^n subnets, i.e. 512 and 1024 respectively. Either way, 9 bits is too few for 700 offices.)

Using a subnet mask of /18 leaves 14 bits for the host part of the address, so each subnet can accommodate (2^14 - 2) = 16382 hosts.

The binary representation of an 18 bit subnet mask is:

11111111 11111111 11000000 00000000

Subnet mask = 255.255.192.0

What will be the network address of the first subnet?

00001010 00000000 00:000000 00000000
[The colon represents the end of the network part of the address]

10.0.0.0

Why do we keep the 10 at the front? We are working within the 10.0.0.0/8 private address space, one of the three address ranges reserved for internal use (they are not routed on the public Internet), so the first octet is fixed at 10 and only the borrowed bits change from subnet to subnet.

What will be the network address of the second subnet?

00001010 00000000 01:000000 00000000
[The colon represents the end of the network part of the address]

10.0.64.0

What will be the network address of the third subnet?

00001010 00000000 10:000000 00000000
[The colon represents the end of the network part of the address]

10.0.128.0
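The arithmetic above, as an added PowerShell example that is not code from the original post and that generalises it to any prefix length: it converts addresses to 32-bit integers, derives the mask, network, broadcast and usable host range for one subnet, and carves a larger block into smaller ones. The sample inputs are the post's own (192.168.1.0/24, and 10.0.0.0/8 cut into /18s).

```powershell
function ConvertTo-IPv4Number {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "IPv4 address expected: $Address" }
    # GetAddressBytes() is network (big-endian) order; BitConverter expects host order.
    $bytes = $ip.GetAddressBytes()
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    [System.BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-IPv4Number {
    param([uint32]$Number)
    $bytes = [System.BitConverter]::GetBytes($Number)
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    $bytes -join '.'
}

function Get-IPv4Mask {
    param([int]$Prefix)
    if ($Prefix -lt 0 -or $Prefix -gt 32) { throw 'Prefix must be 0..32' }
    # Shift done in [long]: PowerShell reads the literal 0xFFFFFFFF as the Int32 value -1.
    $all = [long]4294967295
    [uint32](($all -shl (32 - $Prefix)) -band $all)
}

function Get-IPv4Subnet {
    param([string]$Network, [int]$Prefix)
    $mask  = [long](Get-IPv4Mask $Prefix)
    $net   = [long](ConvertTo-IPv4Number $Network) -band $mask   # host bits cleared
    $bcast = $net -bor ((-bnot $mask) -band [long]4294967295)     # host bits all set
    $hostBits = 32 - $Prefix
    # The (2^n - 2) rule assumes an all-0s network address and an all-1s broadcast address.
    # /31 point-to-point links (RFC 3021) and /32 host routes have neither, so every address is usable.
    $usable    = if ($hostBits -ge 2) { [long][math]::Pow(2, $hostBits) - 2 } else { [long][math]::Pow(2, $hostBits) }
    $firstHost = if ($hostBits -ge 2) { $net + 1 }   else { $net }
    $lastHost  = if ($hostBits -ge 2) { $bcast - 1 } else { $bcast }
    [pscustomobject]@{
        Network   = (ConvertFrom-IPv4Number ([uint32]$net)) + "/$Prefix"
        Mask      = ConvertFrom-IPv4Number ([uint32]$mask)
        Broadcast = ConvertFrom-IPv4Number ([uint32]$bcast)
        FirstHost = ConvertFrom-IPv4Number ([uint32]$firstHost)
        LastHost  = ConvertFrom-IPv4Number ([uint32]$lastHost)
        Hosts     = $usable
    }
}

function Split-IPv4Network {
    param([string]$Network, [int]$Prefix, [int]$NewPrefix, [int]$Show = 3)
    if ($NewPrefix -le $Prefix -or $NewPrefix -gt 32) { throw 'NewPrefix must be longer than Prefix and at most 32' }
    $base  = [long](ConvertTo-IPv4Number $Network) -band [long](Get-IPv4Mask $Prefix)
    $count = [long][math]::Pow(2, $NewPrefix - $Prefix)   # one subnet per value of the borrowed bits
    $size  = [long][math]::Pow(2, 32 - $NewPrefix)        # addresses per subnet
    $show  = [math]::Min($Show, $count)
    $first = 0..($show - 1) | ForEach-Object { (ConvertFrom-IPv4Number ([uint32]($base + $_ * $size))) + "/$NewPrefix" }
    [pscustomobject]@{
        Subnets         = $count       # usable with CIDR / ip subnet-zero, the default today
        ClassfulSubnets = $count - 2   # the older rule that also drops the all-0s and all-1s subnets
        HostsPerSubnet  = (Get-IPv4Subnet -Network $Network -Prefix $NewPrefix).Hosts
        FirstSubnets    = $first
    }
}

Get-IPv4Subnet -Network '192.168.1.0' -Prefix 24 | Format-List
Split-IPv4Network -Network '10.0.0.0' -Prefix 8 -NewPrefix 18 | Format-List
```

The first call reproduces the broadcast and last-host addresses worked out by hand above; the second gives the 1022 (classful) or 1024 (CIDR) subnets of 16382 hosts each, starting 10.0.0.0/18, 10.0.64.0/18 and 10.0.128.0/18. Working in integers rather than dotted strings is what makes the mask arithmetic reusable for any prefix.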



Wednesday, May 17, 2006

RSS Feed

http://technicallywired.blogspot.com/rss.xml

EFS Recovery Agents

Steps to enable an EFS Recovery Agent in a Windows Server 2003 domain
  1. Install a CA (Certification Authority) in your domain.
  2. Open the Certificate Templates snap-in in an MMC, right-click the "EFS Recovery Agent" template and select "Duplicate Template". The Certificate Templates snap-in shows all pre-defined templates that a CA is capable of issuing.
  3. Give the new template a suitable name (e.g. company_name EFS Recovery Agent).
  4. In the properties of the new template, on the General tab, check the box "Publish certificate in Active Directory". On the Security tab, allow Read and Enroll permissions for your DRA group or user.
  5. Now open the Certification Authority MMC and look at the Certificate Templates node, which lists the templates the CA currently issues. A duplicated template is not issued automatically: if yours is not listed, right-click the node, choose New - "Certificate Template to Issue" and select it.
  6. Log on to a machine as the user who is going to become a DRA (Data Recovery Agent) for the domain.
  7. Open an MMC and add the "Certificates" snap-in.
  8. Right-click Personal - All Tasks - Request New Certificate.
  9. Click "Next", highlight the duplicated template created in step 3 and click Next.
  10. Add a friendly name and description for the new certificate (e.g. username DRA Cert). Click Finish.
  11. You should see a dialog box indicating the certificate was issued successfully.
  12. Create or modify a GPO linked at the domain (the Default Domain Policy) or to an OU in which the users reside. Go to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System. Right-click the "Encrypting File System" node and select "Add Data Recovery Agent...".
  13. Click Next and then "Browse Directory". Search for the user to whom you have enrolled the new EFS Recovery Agent certificate.
  14. N.B. In testing I have found that sometimes I got an error message when adding the DRA user into the GPO. The error message states "The selected user has no certificates suitable for Encrypted File System Recovery and cannot be added as a recovery agent. Select another user." Since we have published the certificate template in AD this should not occur. However, this can be overcome by exporting the DRA's certificate (only the public key is required) and using the "Browse Folders" button in the GPO DRA creation, selecting the certificate file rather than browsing for the user in AD. To export the DRA's certificate simply log on as that user, open the "Certificates" snap-in, right-click the relevant certificate and select All Tasks - "Export...". This can be saved to a file share to make life easier (be sure not to include the private key in the export though, as a private key left on disk after import represents a serious security risk).
  15. After completing the wizard, test the setup by having a different user encrypt data on another computer using EFS.
  16. The new DRA should be able to access that data because when the files were encrypted the DRA's public key was also used to encrypt the FEK (File Encryption Key).
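Added example (PowerShell, not from the original post) for the two points where the procedure above most often goes wrong: exporting the DRA certificate for step 14 without its private key, and verifying for step 15 that a newly encrypted file really carries the DRA's recovery entry. Assumptions: Get-DraCertificate and Export-DraPublicCert run as the DRA user on the machine where the certificate was enrolled; Test-DraOnEncryptedFile runs as any other user on another domain machine after Group Policy has refreshed; the share path is a placeholder; and the thumbprint match assumes cipher.exe prints the recovery certificate thumbprint as hex groups (noted in the code as well).

```powershell
function Get-DraCertificate {
    # Finds the DRA certificate in the current user's Personal store by its File Recovery
    # EKU (1.3.6.1.4.1.311.10.3.4.1), which the EFS Recovery Agent template sets.
    $efsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            $eku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsRecoveryOid })) {
                return $cert
            }
        }
        return $null
    } finally {
        $store.Close()
    }
}

function Export-DraPublicCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$OutFile
    )
    # X509ContentType.Cert is the DER certificate with the public key only, which is all the
    # GPO "Browse Folders" option needs. X509ContentType.Pfx would carry the private key and
    # is exactly the export step 14 warns against leaving on a share.
    $der = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $der)
    Get-Item $OutFile
}

function Test-DraOnEncryptedFile {
    param([string]$Path, [string]$Thumbprint)
    # Encrypt a scratch file, then ask cipher.exe who can decrypt it. The DRA's public key is
    # only applied to files encrypted after the policy reached this machine, so a negative
    # result on an old file is expected: run gpupdate /force, re-encrypt and check again.
    Set-Content -Path $Path -Value 'constructed EFS test data'
    [System.IO.File]::Encrypt($Path)
    $report = (& cipher.exe /c $Path) -join "`n"
    # Assumption: cipher prints the thumbprint as space-separated hex groups, so compare
    # with all whitespace removed (the .NET Thumbprint is one unbroken hex string).
    ($report -replace '\s', '') -match [regex]::Escape($Thumbprint)
}

# Run as the DRA user:
$dra = Get-DraCertificate
if (-not $dra) { throw 'No File Recovery certificate in the Personal store; enrol one first (steps 6-11).' }
Export-DraPublicCert -Certificate $dra -OutFile '\\fileserver\share$\DRA-public.cer'   # assumed share path

# Run as a different user on another machine (step 15), passing the thumbprint noted above:
Test-DraOnEncryptedFile -Path (Join-Path $env:TEMP 'efs-dra-check.txt') -Thumbprint $dra.Thumbprint
```

A True result from Test-DraOnEncryptedFile means the file's recovery field was built with the DRA's public key, which is the property step 16 relies on; a False result after a policy refresh usually means the GPO is not linked where that computer sits, or the computer has not yet applied it.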