Windows – Open a Firewall Port with Group Policy

Define Inbound Port Exceptions

KB ID 0000979 

Problem

For everyone who simply does not disable the Windows firewall, then you need to be able to manage what ports are open on your machines. The simplest way to do this is via group policy. This week I had to open TCP port 9503 on the local firewall of my McAfee Move Offload Servers. Below I will open that port on all my machines, but in production I will only apply the GPO to the OU with my Move Offload servers in it.

Solution

1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.

2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.

3. Give the policy a sensible name so you can see what it is doing later.

4. Right click your new policy > Edit.

5. Navigate to;

[box]

Computer configuration > Policies >Administrative Templates > Network > Network Connections >Windows Firewall > Domain Profile > Windows Firewall: Define inbound port exceptions

[/box]

6. Open the policy and enable it > Show.

7. As this is a new policy the list will be empty, (you can return and add multiple entries to this policy later if you require further ports opening). In the example below I’ve opened port 9053, over TCP, the asterisk means ‘from anywhere’, I’ve Enabled the rule, and called it McAfee Move.

Port Exception Syntax

<Port>:<Transport>:<Scope>:<Name>

  • <Port>: Number in decimal from 0 to 65,335
  • <Transport>: TCP or UDP
  • <Scope>: Where the traffic is coming from, i.e 192.168.1.1, or 192.168.1.0/24, or simply ‘localsubnet’ or ‘*’ for everywhere. You can enter multiple values separated with a comma.
  • <Name>: A simple text entry to define what the exception is.

8. OK > Apply > OK > Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.

9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines.)

10. To make sure it has worked on the target machine > Windows Key+R > WF.msc {Enter} > Inbound Rules > Your rule should be visible.

11. If you open the rule you can see its been applied by group policy, and check the correct port has been defined.

 

Related Articles, References, Credits, or External Links

Windows Group Policy – Disable The Local Windows Firewall

Microsoft LAPS – Deployment and Configuration

KB ID 0001059 

Problem

Microsoft have released the Local Administrator Password Solution (LAPS). What is does is automatically change the load administrator password on workstations, (and servers if required) periodically. It then keeps those passwords securely in AD. Microsoft tried to mitigate attacks from the local admin account back in the days of Windows Vista by shipping with this account disabled, which is fine, but most large deployments I’ve worked on, I’ve been specifically asked to enable the local administrator account and set its password on deployment.

Some organisations create a different account and leave the local administrator account disabled, but they still suffer from the same problem, (all the machines have the same local admin password), and it gets known, if you have a disgruntled ex-employee they may know this password. Yes you can change them all periodically but it’s a bit of a faff. Note: LAPS can manage local accounts that are admin accounts but not necessarily the ‘administrator’ account.

The LAPS solution works by creating some new attributes on the computer object, ms-MCS-AdmPwd which actually stores the password, and ms-MCS-AdmPwdExpirationTime which is the time stamp for the password expiration. What LAPS sets out to do, is provide a random complex password for the local administrator account, and protect that password in AD by use of an AD ACL. In doing so it will protect your machines from a ‘Pass the Hash’ attack which can use common local administrators passwords to compromise a network.

Solution

 

Microsoft LAPS – Step 1 Setup a Management Machine

1. On a management machine download and install the LAPS software, Things will be easier if this machine is also running RSAT tools for Active Directory, and the Group Policy Management Console as well.

2. Be aware you get the documentation form the download page as well. Make sure you get the appropriate x86 or x64 bit version (LAPS supports Server 2003 SP1 and above).

3. Install the software and install ALL the options. (if you apply the defaults it will only install the GPO Extensions), which is what you would want on the ‘controlled machines’ but you want everything on the ‘controlling machine’.

Microsoft LAPS – Step 2 Deploy the software to the machines to be controlled.

1. To be honest this could not be simpler, I just sent the software out as a standard software package via GPO, (watch the video above if you don’t know how to do that). You can script the install and it will also manually install with a /quiet switch to avoid any user interaction. But if you have any amount of machines, GPO is the way to go.

To manually install quietly;

[box]

msiexec /i \\Server\Share\laps.x64.msi /quiet

or simply

msiexec /i c:\laps.x64.msi /quiet

[/box]

2. To check if the client has received the LAPS software, look in Add/Remove programs and you should see it listed (Run > appwiz.cpl {Enter}).

Microsoft LAPS – Step 3 Extend Active Directory Schema

1. It goes without saying that to do this you need to be a member of ‘Schema Admins’. On the management machine run the following two PowerShell commands, to add the two new attributes mentioned above;

[box]

Import-Module AdmPwd.PS
Update-AdmPwdADSchema 

[/box]

Microsoft LAPS – Step 4 Check/Set Permissions to Read Local Admin Passwords

1. On my test network below you can see I’ve got a couple of test Windows 8 machines in an OU called ‘Domain Computers’, this is the OU that I will be working with.

2. The first thing I need to do is grant the rights to the computers themselves to be able to update the password in Active Directory. (If you have nested OU’s, simply apply on the top level OU). Change the value in red to suit your own OU/OU’s.

[box]Set-AdmPwdComputerSelfPermission -OrgUnit ‘Domain Computers‘[/box]

3. To see who has rights to view the passwords in AD (for a given OU), use the following command. Below you can see the default of SYSTEM and Domain Admins is displayed.

[box]Find-AdmPwdExtendedRights -Identity ‘Domain Computers‘[/box]

4. To grant read password permissions to a particular group, use the following syntax, below I have an AD group called HelpDesk setup and I’m adding them into the AD ACL to be able to read local administrator passwords for the Domain Computers OU.

[box]Set-AdmPwdReadPasswordPermission -Orgunit ‘Domain Computers‘ -AllowedPrincipals PeteNetLiveHelpDesk[/box]

Note: If you have multiple groups you can separate/delimit them with a comma.

Microsoft LAPS – Step 5 – Deploy the GPO Extensions to ‘Controlled’ Machines.

1. On the management machine, create a new GPO object, and link it to the OU containing the computers/servers you want to apply the password settings to.

2. Edit the GPO.

3. Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > LAPS[/box]

4. The policy that turns LAPS on is the last one ‘Enable local admin password management’ > Enable it.

5. The actual complexity and age of the password is set in the ‘Password Settings’ policy, > Enable it and accept the defaults.

Note: the other two policies are;

Name of the administrator account to manage: Use if you you have manually created another common admin account on all your machines NOT if you have renamed the local administrator account.

Do not allow password expiration time longer than required by policy: Set to Enabled.

Microsoft LAPS – Step 6 – View the Local Admin Passwords for Controlled Machines.

1. You can do this from PowerShell with the following command;

[box]Get-AdmPwdPassword -ComputerName hostname[/box]

2. Or if you have installed the Fat client, you can launch that from; [box]C:\Program Files\LAPS\AdmPwdUI.exe[/box]

3. Or as it’s an AD object attribute, you can view it on the Computers AD object.

Related Articles, References, Credits, or External Links

NA

McAfee ePO – Client Firewall Exceptions to Allow Agent Deployment

KB ID 0000952 

Problem

It’s been a while, since I deployed ePO, and as I’ve got a big McAfee roll-out coming up I thought I’d better run it up on the test bench and see how much it’s changed since version 4. As the prospective client is going to use Server 2012 and Windows 8, that’s what I tested it with.

Despite my best efforts the the McAfee agent (8.6) refused to deploy to the clients as long as I had the windows firewall on. A quick Google turned up a myriad of suggestions for ports and services, and most of them were for older versions of ePO or were simply incorrect.

Solution

Basically you need to to do two things with the firewall;

  • Allow in ICMP echo requests
  • Allow in File and Printer sharing

Set Firewall to Allow McAfee Agent deployment via Group Policy

This is the simplest option, especially if you have a lot of client to deploy to.

1. On your Domain Controller > Launch the Group Policy Management Console > Create a new policy (or edit an existing one), that is linked either to the root of the domain, or the OU that your computers are in.

2. Edit The policy, and navigate to;

[box]Computer ConfigurationAdministrative TemplatesNetworkNetwork ConnectionsWindows FirewallDomain ProfileWindows Firewall: Allow ICMP exceptions[/box]

3. Set to Enabled > Select ‘Allow inbound echo request’ > Apply > OK.

4. In the same location select ‘Windows Firewall: Allow inbound file and printer sharing exception’.

5. Enable this policy > Then enter the IP address of the ePO server > Apply > OK.

6. Then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them. Then Re-deploy your McAfee agent.

Set Firewall to Allow McAfee Agent deployment on an Individual Machine

1. Windows Key +R > cmd {Enter} > firewall.cpl {Enter}.

2. Allow an app or feature though Windows Firewall.

3. Locate ‘File and Printer Sharing’ and enable (Note: Here I’ve enabled for Domain, Public, and Private, you may only want to select Domain) > OK.

4. Advanced Settings > Inbound Rules > New Rule.

5. Custom > Next.

6. All Programs > Next.

7. Protocol Type = ICMPv4 > Customize > Echo Request > OK > Next.

8. Enter the IP address of your ePO server > Next.

9. Allow the connection > Next.

10. Select as appropriate > Next.

11. Give the rule a sensible name > Finish.

12. Re-deploy your McAfee agent.

Related Articles, References, Credits, or External Links

NA

 

Microsoft Edge Can’t Be Opened Using The Built-In Administrator Account

KB ID 0001096 

Problem

Not only the built in administrator account, if you try and open Microsoft Edge whilst logged in as the Domain Administrator you will also see the same error message.

To be honest this is a good thing, you shouldn’t be doing something potentially dangerous like going on the Internet as the administrator anyway. However for my test Windows 10 machine on the bench I’m not really bothered, I just want it to work,

Solution

Enable Microsoft Edge for Administrators (one machine)

1. From the Start/Run menu type and execute secpol.msc (local security policy editor).

2. Navigate to;

[box]Security Settings > Local Policies > Security Options > User Account control: Admin Approval Mode for the Built-in Administrator account[/box]

3. Set the policy to ‘Enabled’ >Apply > OK.

4. Reboot.

5. Boom! There it is.

Enable Microsoft Edge for Administrators (Multiple Domain Machines via GPO)

Warning: With great power comes great responsibility, if you have some test machines in one OU and you want to do this for them, thats fine. But REMEMBER this setting is a good thing DO NOT go linking this GPO to the root of your domain!

1. On a DC or a machine with the RSAT tool installed, Launch Group Policy Editor. Create a new GPO or edit and existing one.

2. Navigate to;

[box]Computer Configuration >Policies > Windows Settings > Security Settings > Local Policies > Security Options > User Account control: Admin Approval Mode for the Built-in Administrator account[/box]

3. Set the policy to ‘Enabled’ > Apply > OK.

4. Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU, or simply run ‘gpupdate /force’ on the target machine, (or you could also wait a couple of hours, or simply reboot the target machines).

Enable Microsoft Edge for Administrators (one machines via the registry)

‘Home’ editions of windows have local policy editing options, for those you will have to edit the registry directly.

1. Open regedit.

2. Navigate to;

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft >Windows > CurrentVersion > Policies > System[/box] Locate and set the value of ‘FilterAdministratorToken’ (Note: You may need to create the 32-bit DWORD,) to 1.

3. Navigate to;

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System > UIPI[/box]

Locate and set the value of ‘(Default)’ to 1.

Related Articles, References, Credits, or External Links

NA