Archive for the ‘Security’ Category

New server and already failing Services?!?

April 27, 2018

So if you’re anything like me, you’ll see these two after you have built the server (which is rather disappointing because it’s a shiny new server!);

  • Downloaded Map Manager
  • Google Update Service

Now I know you shouldn’t install Chrome but it’s one of those things that makes life a little easier so sue me.

Anyway its normal to get these alerts cos they start and stop quickly but Windows thinks that means they failed.

Normally we don’t care too much about monitoring these services so just remove them from the manager;

  • Go to Server Manager
  • Find Local Server / All Servers
  • Click Services
  • Top left click Services where it probably has “All”
  • Uncheck the offending Service you don’t want to monitor anymore.
  • Hey Presto… you will now never know if it’s failing ­čÖé

 

Advertisements

Meraki blocking File and Print on LAN

April 16, 2018

Trying to restrict a PC using group policy within Meraki.

I add the MAC addresses of wifi and Ethernet NIC’s and then proceed to restrict as much as I can through the reduced license that Meraki sell (not the bells and whistles version) and so I add everything I can think of that I would like to restrict…

Screen Shot 2018-04-16 at 4.45.18 PM

Which is all good… except when I try to get to the local file server.

Long story short, the “File Sharing” rule will kill any UNC or print connection!

Take out that rule and you’re good to get to the local shares and print to the local printer. The thing that got me was that I could ping the servers and printers – even setting up the printer too!

Anyway, in this case, delete rule #11 and you’re golden.

Windows Server 2016 Security Tab on OU’s

February 28, 2018

Why oh why Microsoft? By default, they decided to HIDE the security tab on Organizational Units. Sigh.

So in order to unhide (even though you’re a domain admin) you need to do the following;

  • Open Active Directory Users and Computers
  • Click View > Advanced Features.
  • Now, you will see the security tab when you get properties on an OU.

I really don’t know why this “feature” was added but there you have it.

Meraki VPN using AD

February 27, 2018

Key points;

  • Using Meraki VPN and want to use Active Directory.
  • Verified that it works with Meraki authentication.
  • Doesn’t work with Active Directory.

We had this issue with a client that had used an Windows Server 2003 AD server. Worked fine but I forgot how I had set it up and when we got them moved over to a shiny new 2016 server it broke the VPN and sharing.

Here’s the fix on the AD Server;

  • On new server create a self signed certificate.
    • If you don’t know how to do that follows these instructions;
    • Install IIS via Server Manager.
    • Once installed Click on Server Certificates under your IIS Server.
    • Click on Create Self-Signed Certificate.
    • Give it a name (can be anything) and choose Personal.
  • Now that you have a cert you can move to the next step which is Firewall.
  • Create a Firewall rule to open port 3268. This is the Meraki means of communication.

Now on the Meraki;

  • Go to Security Appliance > Client VPN
  • Under Authentication choose Active Directory.
  • Under Short domain, Server IP, “Domain Admin” and Password, fill those in with the relevant info. The Domain admin is the authentication user you’ll need to create to allow the Meraki to verify that the user is allowed.
  • At this point you will want to put the “Domain Admin” (not an actual domain admin! but the VPN authentication user) into a separate OU to wall off these VPN users. Instructions on how to do this will have to wait… I will update.

Should work now ­čÖé

Bitlocker Encryption without TPM

January 18, 2018

This happens with older computers that don’t have a built in chip but you can bypass the requirement with a GPEDIT change.

Start > Run > gpedit.msc

Goto;

  • Local Computer Policy
    • Computer Configuration
      • Administrative┬áTemplates
        • Windows Components
          • Bitlocker Drive Encryption
            • Operating System Drives

Double click on the entry Require additional authentication at startup and enable the rule. It will give you some other options in there if you want to fine tune but just enabling this will allow you to start the process of encrypting the whole disk.

Now go back to Control Panel > Bitlocker Drive Encryption (or right click the hard drive) and start the process for the option of Boot password or USB key.