Windows LAPS

Windows LAPS KB ID 0001822

Problem

We used to have Microsoft LAPS, now we have Windows LAPS! LAPS is a solution that lets you store admin passwords ‘elsewhere’, be that in your local Active Directory or Azure Active Directory*. Unlike previously, where you had to deploy/install client software, it’s now built into Windows from the following versions.

  • Windows 11 22H2 – April 11 2023 Update
  • Windows 11 21H2 – April 11 2023 Update
  • Windows 10 – April 11 2023 Update
  • Windows Server 2022 – April 11 2023 Update
  • Windows Server 2019 – April 11 2023 Update

*Note: Azure AD support is in the pipeline; at the time of writing only traditional (on-premises) AD is supported.

The premise is that instead of having a single (easily compromised) local admin password (or DSRM password on a DC) for all your assets, you can have a different password (that can be controlled with a complexity policy) for each client/server, and that password is stored securely in Active Directory (as an attribute of the computer object).

Join type                      Backup to Azure AD                          Backup to Local (On-Premises) AD
Azure AD Joined                Yes                                         No
Local (On-Premises) Joined     No                                          Yes
Hybrid Joined                  Yes (if not backed up to on-premises AD)    Yes (if not backed up to Azure AD)
Workplace Joined               No                                          No

Solution: Windows LAPS

Firstly, FULLY update all the domain controllers in the domain.

On a DC you can load the LAPS module and look at the commandlets.

[box]

ipmo LAPS
gcm -Module LAPS

[/box]

From these commandlets the first one we need to use is Update-LapsAdSchema; this extends the Active Directory schema and adds the LAPS attributes to the computer objects.

[box]

Update-LapsAdSchema

[/box]

It will ask you to confirm each step; you can watch each step by pressing Y, or if you’re lazy (like me) simply press A {Enter}.

You can’t really see what it is doing, but if you’re interested, you can run the same command again with a -Verbose switch on it to see exactly what’s going on.

OK, but what has that done? Well, as I said above, the computer objects have been extended and they ALL now have the following attributes.

Note: Yes, there’s now a LAPS tab also, but there won’t be anything in there yet.

The next commandlet we need, Set-LapsADComputerSelfPermission, grants the computer object the rights to manage its own LAPS password. You can set this on the root of the domain if you wish. Here I have all my computer objects in an OU called PNL, so I’m applying that right at the TOP LEVEL OU, and it will apply to all child OUs.

[box]

Set-LapsADComputerSelfPermission -Identity "OU=PNL,DC=pnl,DC=com"

[/box]
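The three steps above (load the module, extend the schema, grant the computer objects SELF rights) as one script, with a check before the schema update so it is safe to re-run. This is an added example and not code from the original article; it assumes a fully patched DC with the LAPS and ActiveDirectory modules, an account that is a Schema Admin, and the article’s OU “OU=PNL,DC=pnl,DC=com” (change $ComputerOU for your domain).

```powershell
# Added example (not from the original article): prepare on-premises AD for
# Windows LAPS. Run in an elevated PowerShell on a fully updated DC as a
# Schema Admin / Domain Admin.
Import-Module LAPS -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$ComputerOU = 'OU=PNL,DC=pnl,DC=com'   # the article's OU; assumption, change for your domain

function Test-LapsSchemaExtended {
    # Update-LapsADSchema adds the msLAPS-* attributes; if one of them already
    # exists in the schema partition the update has already been run.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=msLAPS-PasswordExpirationTime)' `
        -ErrorAction SilentlyContinue
    return [bool]$attr
}

if (-not (Test-LapsSchemaExtended)) {
    # -Confirm:$false is the scripted equivalent of answering "A" at the prompt;
    # -Verbose shows each attribute and permission as it is created.
    Update-LapsADSchema -Confirm:$false -Verbose
} else {
    Write-Host 'LAPS schema attributes already present; skipping Update-LapsADSchema.'
}

# Let every computer object under the OU (and its child OUs) write its own
# LAPS attributes. Nothing else is granted here: who may READ the passwords is
# a separate decision made with Set-LapsADReadPasswordPermission.
Set-LapsADComputerSelfPermission -Identity $ComputerOU

# Show the new attribute on the computer objects. It stays empty until each
# client processes the LAPS policy and writes its first password.
Get-ADComputer -Filter * -SearchBase $ComputerOU -Properties 'msLAPS-PasswordExpirationTime' |
    Select-Object Name, 'msLAPS-PasswordExpirationTime' |
    Format-Table -AutoSize
```

Running it twice is harmless: the schema check skips the update and Set-LapsADComputerSelfPermission simply re-applies the same ACE.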

Setting Windows LAPS Settings via Group Policy

Create a new GPO (or edit an existing one) that links to the OU where your COMPUTER objects live. (Remember, if managing DSRM passwords you will also need to link the policy to the Domain Controllers OU.)

Edit the Policy and navigate to;

[box]

Computer configuration > Policies > Administrative Templates > System > LAPS

[/box]

Note: If you have a LAPS folder directly under Administrative Templates, that’s for the older Microsoft LAPS settings!

Policies to edit;

  1. Enable Password Backup for DSRM accounts : Enable
  2. Name of administrator account to manage : Enable  > laps.admin
  3. Configure Password Backup Directory : Enable > Active Directory

Note: If you already have a local admin account, built into your master computer image for example, you can use that account instead.

Further policy to edit;

  1. Password settings : Enable > (I accept the defaults)

The screen shot below shows how the policy should look before you exit the group policy editor.

Windows LAPS Local Admin

Here I’ve manually created the local user; you can either roll this out by script, by GPO, or by building the account into your default image for OS deployment.

Retrieving Windows LAPS Passwords

Below you can see we can retrieve either a local Windows LAPS password for a client, or a DSRM password for a domain controller.

Simply click Show password and Copy password, and the password will be on the clipboard (as shown).

To get the password via PowerShell use the Get-LapsADPassword commandlet.

[box]

Get-LapsADPassword "PNL-Win11" -AsPlainText

[/box]
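Beyond the single Get-LapsADPassword call above, a practitioner usually wants two more things: to use the password without displaying it, and to know who is allowed to read it. The script below is an added example, not code from the original article; it assumes the article’s lab names “PNL-Win11” (client) and “PNL-DC” (domain controller), the OU “OU=PNL,DC=pnl,DC=com”, and a help-desk group “PNL\Helpdesk” that is an assumption.

```powershell
# Added example (not from the original article): retrieve Windows LAPS
# passwords from on-premises AD and audit who can read them.
Import-Module LAPS -ErrorAction Stop

function Get-LapsLocalAdminCredential {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Without -AsPlainText the Password property is a SecureString, which is
    # exactly what Invoke-Command / Enter-PSSession want, so the password never
    # lands on screen or in a transcript.
    $laps = Get-LapsADPassword -Identity $ComputerName
    if (-not $laps) { throw "No LAPS password stored for $ComputerName" }
    if ($laps.ExpirationTimestamp -lt (Get-Date)) {
        Write-Warning "Password for $ComputerName expired $($laps.ExpirationTimestamp); the client has not rotated it yet."
    }
    New-Object System.Management.Automation.PSCredential("$ComputerName\$($laps.Account)", $laps.Password)
}

# Plain-text retrieval, as in the article (only when someone has to type it in).
Get-LapsADPassword -Identity 'PNL-Win11' -AsPlainText

# The DSRM password of a DC comes from the same cmdlet.
Get-LapsADPassword -Identity 'PNL-DC' -AsPlainText

# Previous passwords, if the policy keeps history.
Get-LapsADPassword -Identity 'PNL-Win11' -AsPlainText -IncludeHistory

# Use the credential without ever seeing it (assumes WinRM is enabled on the client).
$cred = Get-LapsLocalAdminCredential -ComputerName 'PNL-Win11'
Invoke-Command -ComputerName 'PNL-Win11' -Credential $cred -ScriptBlock { whoami }

# Audit: who holds the extended right to read LAPS passwords under the OU?
$ComputerOU = 'OU=PNL,DC=pnl,DC=com'
Find-LapsADExtendedRights -Identity $ComputerOU | Format-Table -AutoSize

# Grant read access to a help-desk group rather than handing out Domain Admin
# ('PNL\Helpdesk' is an assumed group name).
Set-LapsADReadPasswordPermission -Identity $ComputerOU -AllowedPrincipals 'PNL\Helpdesk'

# After a password has been used, expire it so the client rotates it at the
# next policy cycle.
Set-LapsADPasswordExpirationTime -Identity 'PNL-Win11'
```

Find-LapsADExtendedRights is the check to run before rolling LAPS out: anything listed there can read every password in the OU.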

Troubleshooting Windows LAPS

The update also allows you to view LAPS event logs in the Event Viewer, like so.

Interoperability: Microsoft LAPS and Windows LAPS

If you have the older Microsoft LAPS running (i.e. your end clients have the LAPS client software deployed to them), then when the Apr 23 LAPS update is deployed to them and used, BOTH systems may stop working. To fix this you need to disable Legacy LAPS by setting the following registry key on your clients.

[box]

HKLM > Software > Microsoft > Windows > CurrentVersion > LAPS > Config

[/box]

Create a new 32 bit DWORD value called BackupDirectory and set its value to 0 (zero).
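The client-side pieces of this article (creating the managed local admin by script, the registry fix above, and reading the LAPS event log from the troubleshooting section) collected into one script. This is an added example and not code from the original article; it assumes the account name “laps.admin” from the policy above, Windows 10 / Server 2016 or later for New-LocalUser, and an elevated prompt on a domain-joined client.

```powershell
# Added example (not from the original article): Windows LAPS client checks.
# Run elevated on a domain-joined client or server.
$ManagedAccount = 'laps.admin'   # the article's managed account name

# 1. Managed local admin by script. The initial password is random and does
#    not matter: LAPS rotates it as soon as the policy is processed.
if (-not (Get-LocalUser -Name $ManagedAccount -ErrorAction SilentlyContinue)) {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-LocalUser -Name $ManagedAccount -Password $initial -PasswordNeverExpires `
        -Description 'Windows LAPS managed account' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $ManagedAccount
}

# 2. The article's registry fix for clients that still have legacy LAPS:
#    BackupDirectory = 0 under HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\Config.
$legacyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config'
if (-not (Test-Path $legacyKey)) { New-Item -Path $legacyKey -Force | Out-Null }
New-ItemProperty -Path $legacyKey -Name 'BackupDirectory' -PropertyType DWord -Value 0 -Force | Out-Null

# 3. Pull the policy, force a LAPS cycle, then read what the client did.
gpupdate /target:computer /force | Out-Null
Invoke-LapsPolicyProcessing -Verbose

# Windows LAPS logs to Applications and Services Logs > Microsoft > Windows >
# LAPS > Operational. Errors and warnings here are where a "password never
# appears in AD" problem shows up (missing SELF permission, wrong account name,
# schema not extended, and so on).
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-LAPS/Operational'
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If the operational log is empty after the policy cycle, the policy has not reached the machine at all; check the GPO link and the Administrative Templates > System > LAPS path first.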

Once the Azure AD element is fully released and supported, I’ll loop back and include that also.

Related Articles, References, Credits, or External Links

Microsoft LAPS – Deployment and Configuration

MS: What is Windows LAPS Overview

Cisco ASDM and Windows 10

KB ID 0001150

Problem

Most of the time I’m on my Mac for work, but sometimes when the ASDM fails, I switch to a Windows VM (in VMware Fusion). I recently upgraded to Windows 10, and for the most part that’s been a painless process.

I did notice though, that when I try to run the ASDM, it will let me install the software, then sit there doing nothing?

Note: Also see, ASDM on Windows 10: ‘Cannot find Javaw.exe?’

Solution

Install the ASDM if you have not previously done so, then navigate to C:\Program Files (x86)\Cisco Systems\ASDM > Locate the asdm-launcher.jar file and create a shortcut to it on the desktop.

Now use that to launch the ASDM and (after a few seconds, it is Java) it should load.
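The shortcut step, scripted, as an added example that is not part of the original article. Instead of relying on the .jar file association it points the shortcut at javaw.exe explicitly, which is the usual reason a .jar shortcut “sits there doing nothing”. Paths are the ASDM and Java defaults; adjust them if yours differ.

```powershell
# Added example (not from the original article): create a desktop shortcut
# that launches asdm-launcher.jar via javaw.exe.

# Locate the launcher jar in either Program Files folder.
$jar = @(
    "${env:ProgramFiles(x86)}\Cisco Systems\ASDM\asdm-launcher.jar",
    "$env:ProgramFiles\Cisco Systems\ASDM\asdm-launcher.jar"
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $jar) { throw 'asdm-launcher.jar not found; install ASDM first.' }

# Prefer javaw.exe on the PATH, otherwise read the JRE location from the registry.
$javaw = (Get-Command javaw.exe -ErrorAction SilentlyContinue).Path
if (-not $javaw) {
    $jreKey = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
    $ver = (Get-ItemProperty $jreKey -ErrorAction SilentlyContinue).CurrentVersion
    if ($ver) {
        $home = (Get-ItemProperty "$jreKey\$ver").JavaHome
        $javaw = Join-Path $home 'bin\javaw.exe'
    }
}
if (-not $javaw -or -not (Test-Path $javaw)) { throw 'javaw.exe not found; install a Java runtime.' }

# Write the .lnk with the WScript.Shell COM object.
$desktop  = [Environment]::GetFolderPath('Desktop')
$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut((Join-Path $desktop 'ASDM Launcher.lnk'))
$shortcut.TargetPath       = $javaw
$shortcut.Arguments        = "-jar `"$jar`""
$shortcut.WorkingDirectory = Split-Path $jar
$shortcut.Save()
Write-Host "Shortcut created: $javaw -jar $jar"
```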

And for those of you muggles who don’t work at command line, your life can be filled with GUI goodness.

Related Articles, References, Credits, or External Links

NA

Is Virtual Center 4.1 Supported on Windows Server 2008 R2?

KB ID 0000379 

Problem

YES! it is, if in doubt see the compatibility matrix. But you have tried to install it and seen an error?

Error: This product can only be installed on the following 64-bit operating systems: Windows XP SP2 or above Windows Server 2003 Windows Server 2008

Solution

Essentially this is just a bad error message that bears no resemblance to the actual problem!

The REAL REASON you are seeing this error is because you’re trying to install vCenter on a domain controller.

This happens because, as part of the vCenter 4.1 setup the following takes place,

If the server is a domain controller, AD LDS cannot be installed. If you watch the “Roles” section during the install of vCenter, you will notice a role drop onto the list.

Final Thoughts

For anyone who thinks “Well, I’ll put vCenter on first then make the server a domain controller”: that won’t work either. If you try that you will see this error,

Error: The TCP ports shown below are required by Active Directory Domain Services, but are already in use on this computer. 389 ldap

To be honest a more descriptive error message would help. (Cheers VMware!). It’s not as if you can’t do it…
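Since the installer’s message does not say so, here is a pre-flight check that answers the two questions behind both errors: is this box a domain controller, and is TCP 389 already owned by AD DS (which is what stops vCenter’s AD LDS instance from installing)? This is an added example and not code from the original article or from VMware; it uses WMI and netstat so it also runs on Server 2008 R2 with PowerShell 2.0.

```powershell
# Added example (not from the original article): check whether this server can
# host vCenter 4.1's AD LDS instance before running the installer.

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Get-TcpListener {
    param([int]$Port)
    # Parse "netstat -ano" for LISTENING sockets on the port and resolve the PID.
    netstat -ano | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f.Length -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING' -and $f[1] -match ":${Port}$") {
            $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                LocalAddress = $f[1]
                PID          = $f[4]
                Process      = $proc.ProcessName
            }
        }
    }
}

$isDc    = Test-IsDomainController
$ldap    = @(Get-TcpListener -Port 389)

if ($isDc) {
    Write-Warning 'This server is a domain controller: AD LDS, and therefore vCenter 4.1, cannot be installed here.'
}
if ($ldap.Count -gt 0) {
    Write-Warning 'TCP 389 (LDAP) is already in use, so an AD LDS instance cannot bind to it:'
    $ldap | Format-Table LocalAddress, PID, Process -AutoSize
}
if (-not $isDc -and $ldap.Count -eq 0) {
    Write-Host 'Not a domain controller and TCP 389 is free: the vCenter 4.1 install should proceed.'
}
```

The same check, read the other way round, explains the “Final Thoughts” error: once vCenter’s AD LDS instance holds 389, dcpromo cannot take it.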

Same thing on Server 2008

Related Articles, References, Credits, or External Links

NA

SEM – SPAMfighter Exchange Module – Installation and Configuration with Exchange 2013

KB ID 0000824 

Problem

“I seem to get a lot of spam”, and “I get a lot more spam than I used to” are right up there with “My computer is running slow”. It’s a problem that eats up users’ time and fills your mail stores with junk, and time/disk space costs money.

SEM is tiny! In a world where a graphics driver is now over 100MB the entire install suite is less than 11MB. This is going into my test network so testing its ability to limit spam is NOT the point of this exercise, I’m looking at the ease of installation, configuration, and administration.

SEM Pre-Requisites

1. Exchange 2000, 2003, 2007, 2010, or 2013.

2. Windows Server 2000, 2003, 2003 R2, 2008, 2008 R2, or 2012.

3. .Net framework version 2.0 (SP1).

4. MDAC (Microsoft Data Access Components) version 2.7.

5. Internet Information Services.

Solution

Before You Start

1. If you have already installed the Microsoft Anti Spam agents you might want to remove them (not that you have to). If you don’t know, you can run the following command;

[box]

Get-TransportAgent

[/box]

If you just have the four below then you DO NOT have the extra agents installed.

2. If yours looks like the one below, then YOU DO have them installed.

3. As stated you don’t have to remove them but if you want to simply execute the following two commands;

[box]

cd "C:\Program Files\Microsoft\Exchange Server\V15\Scripts"
.\Uninstall-AntispamAgents.ps1

[/box]

4. Answer each question, then run;

[box]

services.msc

[/box]

5. Restart the Microsoft Exchange Transport service.
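Steps 1 to 5 as one script for the Exchange Management Shell: it lists the transport agents, tells you whether the Microsoft anti-spam agents are among them, and only removes them (and restarts transport) if you say so. This is an added example and not code from the original article or from SPAMfighter. The agent names are the ones the Exchange 2013 Install-AntispamAgents.ps1 script registers; treat that list as an assumption and compare it with your own Get-TransportAgent output.

```powershell
# Added example (not from the original article): detect and optionally remove
# the built-in Exchange 2013 anti-spam agents before installing SEM.
# Run in the Exchange Management Shell on the Mailbox server.

# Agents registered by Install-AntispamAgents.ps1 (assumed list; verify locally).
$AntiSpamAgents = @(
    'Content Filter Agent',
    'Sender Id Agent',
    'Sender Filter Agent',
    'Recipient Filter Agent',
    'Protocol Analysis Agent'
)

function Get-InstalledAntiSpamAgents {
    # Returns only the transport agents whose Identity is in the anti-spam list.
    Get-TransportAgent | Where-Object { $AntiSpamAgents -contains $_.Identity }
}

# Show everything first, the way the article does.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

$installed = @(Get-InstalledAntiSpamAgents)
if ($installed.Count -eq 0) {
    Write-Host 'Microsoft anti-spam agents are NOT installed; nothing to remove.'
} else {
    Write-Host "Microsoft anti-spam agents installed: $($installed.Identity -join ', ')"
    if ((Read-Host 'Remove them and restart the transport service? (y/n)') -eq 'y') {
        # Exchange setup defines ExchangeInstallPath (e.g. C:\Program Files\Microsoft\Exchange Server\V15\).
        $scripts = Join-Path $env:ExchangeInstallPath 'Scripts'
        & (Join-Path $scripts 'Uninstall-AntispamAgents.ps1')
        Restart-Service MSExchangeTransport
        Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize
    }
}
```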

Install SPAMfighter

6. Download the installer, and run it.

7. The installer is pretty straight forward > Next > Accept the EULA > Next > Enter your details > Next > Accept or change the install location > Next.

8. The product will install.

9. At this point it’s downloading definitions form the internet, and it will take a while.

10. When complete it needs to set up a user that the services will run under. Just supply a password > Next.

Note: This user (by default) is added to the local administrators group, and the Exchange Organization Management group.

11. Finish.

12. The management console installs on TCP port 5000, so if you need to access it through a firewall you will need to open that port.

13. Toolbars Tab: From here, I’ll jump straight to the configuration section; this drops you straight onto the Plugins tab. From here you can change the logo that will be displayed with the toolbar (this is NOT visible with Outlook 2013). You can also change the URL it points to and grant rights to users.

14. Toolbar Tab > Outlook Toolbar: On a client running Outlook > Download Outlook Toolbar > Run the installer.

Note: The installer is a .exe file; I would have preferred a .msi file, so I could deploy this out (en masse) to domain clients via GPO.

15. Next > Accept the EULA > Next > Next.

16. Finish.

17. Now when you launch Outlook you can see the plugin loading.

18. You will now have an extra toolbar with the following options.

BE AWARE: You install the OWA toolbar ONCE on the Exchange CAS server.

19. Toolbars > Outlook Web Application: Install OWA toolbar.

20. Yes.

21. Now when your clients access OWA, you have the toolbar.

22. Latest news: Essentially this is just an RSS feed from the manufacturer to keep you abreast of software updates etc. If you have some RSS aggregation software you can add this same feed.

23. Mailbox Tab > Mailboxes: Here it will list all the mailboxes; by default the ‘Default policy’ will be applied and virus filtering will NOT be enabled (this is an add-on license). You can also access statistics for this particular mailbox, and view quarantined emails. The User filter settings are for applying an exception for this one mailbox (I’ll cover this later). If you can’t locate a particular user there is also a search function.

24. Mailbox Tab > Usergroups: Usergroups are used to apply policies, any new group requires you to maintain membership manually. But if your Active Directory is well designed, you can select your SPAMfighter groups based on your OU structure.

SEM – SPAMfighter – Configuring and Working with Policies

This is pretty intuitive, and the default policy comes preconfigured and already applied, though with all filtering systems it will probably take you a little while to get it streamlined to your requirements. The policies section has four main tabs;

Filter Settings: What tools you are going to use to look for spam.
Accept Actions: What it will do if it finds nothing.
Block Actions: What it will do if it finds something.
User Filter settings: Exceptions to the filters for one or more users.
Mailboxes: Puts you straight back to the mailbox section you saw earlier.

25. Out of the box there are five filters enabled.

26. But there are four further filters that you can add to the policies.

SPAMfighter – Filters

27. VIRUSfighter Antivirus Filter for SPAMfighter Exchange Module: Remember this is an ‘Add on’ so it would only apply to mailboxes that have this enabled. It’s on its most conservative setting, and will replace the infected email with safe content.

28. SPAMfighter Sender Filter > Whitelist: Simply add either a particular email address you want to allow, or add in an entire domain.

29. If your lists get a little unwieldy you can import or export them, and choose whether to overwrite them or append the imported list to your existing list.

30. And where there is a Whitelist there is a Blacklist, it’s configured exactly the same.

31. Automatic Whitelist: This is a brilliant feature! It dynamically adds the addresses your users send mail to onto the Whitelist, and maintains the cache for 10 days (which you can alter). I’m surprised this is disabled by default.

Note: This will be enabled by default in the next release.

32. SPAMfighter Content Filter > Whitelist phrases: Gives you the power to automatically Whitelist emails based on a phrase they contain i.e. Your corporate email disclaimer or default signature.

33. SPAMfighter Content Filter > Blacklist phrases: As the warning says be careful with this section, this is the sort of thing that is handy for blocking “We attempted to deliver your parcel but were unable to” emails that urge you to click an attached zip file full of infected spyware nastiness.

34. SPAMfighter Content Filter > Whitelist Attachments: Here you can upload attachments (like your company logo from your email signatures) and the system will whitelist and allow through emails containing them.

35. SPAMfighter Content Filter > Blacklist Attachments: Thankfully this is disabled by default; the list of file extensions is quite long, and contains some commonly used file extensions. You will need to do some planning and testing with this one if you want to enable it.

36. SPAMfighter Community Filter: This will filter mail based on mails that have already been blocked by other SPAMfighter users; it uses a scoring/weighting system. You simply set a threshold; the higher you set it, the more mail will be stopped, so this will require some fine tuning.

37. SPAMfighter Language Filter: This is enabled by default, but no languages are selected (which is sensible). If you are never expecting any emails in Chinese you can block them here.

SPAMfighter Filters that you can Manually Add to the Policy.

38. SPAMfighter IP-address Filter: Pretty much does what it says on the tin! Though blocking spammers by IP address is a little hard to manage, and it’s pretty easy to spoof an IP address anyway, which is probably why this is not on the default policy.

39. SPAMfighter Sender Policy Framework Filter: Personally I think you would be crazy to turn this on! If you don’t know what an SPF record is then read the following article.

Setting up the Correct DNS Records for your Web or Mail Server
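Before deciding whether to enable the SPF filter it helps to see what it does with each inbound message: it fetches the sender domain’s v=spf1 TXT record and walks the mechanisms in order until one matches the connecting IP. The script below is an added example and not code from the original article or from SPAMfighter; it evaluates only ip4 mechanisms and the final “all” qualifier (include/a/mx would need further DNS lookups and are just reported), and the SPF record and sender IPs at the bottom are constructed for the example, so the evaluation part runs offline.

```powershell
# Added example (not from the original article): how an SPF filter evaluates a
# sender, written out in PowerShell. Resolve-DnsName needs Windows 8 / 2012+.

function Get-SpfRecord {
    param([string]$Domain)
    # Live lookup: return the domain's v=spf1 TXT record, or $null if it has none.
    (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue).Strings |
        Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
}

function ConvertTo-IPv4Int {
    param([string]$Ip)
    $b = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    if (([System.Net.IPAddress]$Ip).AddressFamily -ne 'InterNetwork') { return $false }
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }          # a bare address means /32
    $hostBits = 32 - [int]$bits
    $mask = if ($hostBits -ge 32) { [long]0 } else { [long](4294967295 - ([math]::Pow(2, $hostBits) - 1)) }
    return (((ConvertTo-IPv4Int $Ip) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask))
}

function Test-SpfSender {
    param([string]$Record, [string]$SenderIp)
    # Walk the mechanisms left to right; the first match decides the result.
    foreach ($term in ($Record -split '\s+' | Select-Object -Skip 1)) {
        $qualifier = '+'
        if ($term -match '^[+\-~?]') { $qualifier = $term.Substring(0, 1); $term = $term.Substring(1) }
        $result = switch ($qualifier) { '+' { 'pass' } '-' { 'fail' } '~' { 'softfail' } '?' { 'neutral' } }
        if ($term -eq 'all') { return $result }
        if ($term -like 'ip4:*') {
            if (Test-IPv4InCidr -Ip $SenderIp -Cidr $term.Substring(4)) { return $result }
        } elseif ($term -notlike 'ip6:*') {
            Write-Verbose "Mechanism '$term' needs a DNS lookup; not evaluated in this example"
        }
    }
    return 'neutral'   # no mechanism matched and no "all" term
}

# Constructed record and sender addresses for the example (RFC 5737 ranges).
$record = 'v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 include:_spf.example.net -all'
Test-SpfSender -Record $record -SenderIp '203.0.113.77'    # pass   (inside the /24)
Test-SpfSender -Record $record -SenderIp '198.51.100.10'   # pass   (exact host)
Test-SpfSender -Record $record -SenderIp '192.0.2.5'       # fail   (falls through to -all)
```

If your own domain’s record (Get-SpfRecord 'yourdomain.example') ends in “-all” but does not list every server and third party that sends on your behalf, an SPF filter on the receiving side will reject that mail, which is the risk the article is pointing at.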

40. SPAMfighter DNSBL Filter: A DNSBL is a dynamic DNS list of known spammers, if you are familiar with RBL block lists this is similar.

41. SPAMfighter Combined Spam Score Filter: All the other filters check the mail and give it a score; this filter aggregates all those scores and, if the total is higher than a certain threshold, blocks the mail.

SPAMfighter – Policies > Accept Actions

42. If the mail makes it through all the filters, then this section decides what happens with it.

43. And that is adding information to the mail header that says the mail was scanned and accepted.

SPAMfighter – Policies > Block Actions

44. If the mail gets blocked by any of the filters, this section decides how that is handled.

Note: You can add other actions from the drop-down list below if this does not do what you require.

45. Just as for the accept policy action, this modifies the email header, though this one says the mail was blocked.

46. SPAMfighter Move To Folder Policy Action > Mailboxes: The second default policy action takes that filtered email and places it within a folder called SPAMfighter within the user’s mailbox.

Note: You can redirect that mail to another mailbox if that is your preference.

47. The system for Public Folders (if you use them) is identical.

48. Contacts: As it says, contacts do not have a mailbox, but you can redirect filtered contact mail to a specific mailbox should you wish.

49. User Filter Settings: This section can create an exception for one particular user, it simply creates another policy that you can apply to that user.

50. You can create new policies and apply them to particular users or usergroups, and make the system as granular as you like.

51. Statistics: On my test network I didn’t have any throughput on which to pull some meaningful statistics.

52. Statistics > Notifications: You can have daily/weekly/monthly reports emailed to you.

53. If you decide to purchase, the licenses are priced per mailbox. Prices start at £14.50 each (or £29.00 with the Antivirus) And go down to £2.45 (or £4.90 with Antivirus) depending on the amount you buy. They are available for 1, 2, and 3 year periods. For an up to date price list go here.

Related Articles, References, Credits, or External Links

NA

Running Windows Server 8 in VMware ESXi

KB ID 0000590 

Problem

The very first time I tried this was on ESXi 4.1; if you try and install Windows 8 Server on that platform, you will see the following.

Your computer ran into a problem and needs to restart. If you’d like to know more, you can search online later for this code: HAL_INITIALIZATION_FAILED It’s collecting error info and will restart in: x seconds

Note: You will also see this in VMware player, and VMware workstation 7.

Solution

Some internet searching told me that as far as VMware was concerned, I needed to be running VMware Workstation version 8, so I installed Workstation 8, and apart from getting the same install error that the Windows 8 consumer preview gives you (the fix is the same), it works flawlessly (unless you install the VMware tools).

Running Windows “8” Server in ESXi

I knew that the developer preview worked on ESXi 5, and VMware Workstation 8 uses VMware hardware version 8, so I guessed that it would run under ESXi 5. I set the machine type to “Windows 7 x64” and it installed; to my surprise it ran straight away.

And Installing VMware tools went smoothly as well.

Related Articles, References, Credits, or External Links

Windows 8 (Server and Client) Black Screen (Post VMware Tools Install)

Windows 8 -“Windows cannot read the <ProductKey> setting from the unattend answer file.

Windows and Cisco (IPSEC) VPN Client

KB ID 0000693 

Problem

I’d been running Windows 8 for a while now, but this was the first time I needed to use my Cisco VPN Client software. So I was not happy when this happened.

Note: Using VPN Client version 5.0.07.0440

Secure VPN Connection terminated locally by the Client. Reason 442: Failed to enable Virtual Adapter.

Solution

As it turns out this is a known problem with Windows 8, and there is a work-around.

1. Press Windows Key+R to open the run prompt > regedit {enter}

2. Navigate to;

[box]

HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>CVirtA

[/box]

3. Locate the DisplayName value > Edit its value > Delete all the text to the LEFT of “Cisco Systems VPN Adapter for 64bit Windows.”

4. So it looks like this.

5. Then it should work as before.
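The same DisplayName fix as a script, so it can be pushed to several machines or re-applied after the client is reinstalled. This is an added example and not code from the original article or from Cisco; it keeps a backup of the old value, refuses to touch the key if the expected adapter name is not in it, and must run elevated. The adapter name string is the one from the article (on 32-bit Windows the string ends “VPN Adapter” without the “for 64bit Windows” suffix).

```powershell
# Added example (not from the original article): trim the CVirtA DisplayName
# so it starts with the adapter name. Run as administrator.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CVirtA'
$Name = 'DisplayName'
$Want = 'Cisco Systems VPN Adapter for 64bit Windows'   # use 'Cisco Systems VPN Adapter' on 32-bit Windows

function Repair-CVirtADisplayName {
    if (-not (Test-Path $Key)) {
        throw 'CVirtA service key not found; is the Cisco VPN Client installed?'
    }
    $current = (Get-ItemProperty -Path $Key -Name $Name).$Name
    $idx = $current.IndexOf($Want)
    if ($idx -lt 0) {
        throw "Unexpected DisplayName '$current'; nothing changed."
    }
    if ($idx -eq 0) {
        Write-Host 'DisplayName is already correct.'
        return $current
    }
    # Keep the original value so the change can be reverted.
    New-ItemProperty -Path $Key -Name 'DisplayName.bak' -Value $current -PropertyType String -Force | Out-Null
    # Drop everything to the LEFT of the adapter name, as the article describes.
    $fixed = $current.Substring($idx)
    Set-ItemProperty -Path $Key -Name $Name -Value $fixed
    Write-Host "DisplayName changed from '$current' to '$fixed'"
    return $fixed
}

Repair-CVirtADisplayName
```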


Related Articles, References, Credits, or External Links

Download Cisco VPN Client Software

Is Exchange 2010 Supported on VMware?

KB ID 0000333 

Problem

At time of writing (30/09/10) it seems I can’t get a definitive answer! My colleague tried to log a third line support call with Microsoft this week; as soon as they found out that Exchange 2010 was running in a VMware environment, they (literally) hung up on him.

Solution

Well Microsoft’s own documentation says it IS

Reference:

Fair enough, Exchange 2010 is supported on a third-party hypervisor ONLY if it’s been validated in the “Windows Server Virtualization Validation Program”.

Lets check that then,

Reference:

Quote: “Products that have passed the SVVP requirements for Windows Server 2008 R2 are considered supported on Windows Server 2008 and Windows Server 2003 SP2 and later Service Packs, both x86 (32-bit), and x64 (64-bit).”

And The platform it was running on IS listed (ESXi 4.0 U1).

When presented with this evidence the response was “We will try and fix it on a “Best Endeavour” basis” and the problem (which had nothing to do with VMware, it was actually Microsoft Threat Management Gateway that caused the problem!) was resolved.

Sorry Microsoft, that is just not good enough! My company pays handsomely for its gold partnership status, and we expect to get third line support on the products we sell. The product is either supported or it is NOT; don’t publish that it is, then use the fact that it is running on third party virtualisation to get the problem off your support call queue. Because somewhere there is an Engineer/Consultant who has persuaded THEIR client to part with money to buy YOUR product.

I openly invite Microsoft – Third Line Exchange Support, The Exchange Development team and anyone else to respond to me. I will publish any pertinent response.

Related Articles, References, Credits, or External Links

Technet Exchange 2010 Requirements

Windows Server Virtualization Validation Program

VMware Platforms Supported and passed SVVP

ASA 5500 AnyConnect – Change Preferred Encryption Cipher Order

KB ID 0001058 

Problem

A few days ago I wrote about disabling SSL v3.0 to force your clients to connect with the more secure TLS v1.0. But what if your AnyConnect clients choose to connect with a weaker encryption cipher? The ciphers your firewall offers (by default) will vary depending on what OS your ASA is running.

Solution

1. To see which cipher you are connected with, look on the statistics tab; below we are connecting with the AES 128 encryption protocol and using SHA1 for hashing.

2. Whereas here we are connecting with the more secure AES 256 and using SHA1 for hashing.

3. I force this by using the ‘ssl encryption {option 1} {option 2} {etc.}’ command. Below, the first command indicated has AES 128 as the first encryption cipher, and the second command has AES 256; the order in which you list the ciphers is the order in which the ASA offers them to the remote AnyConnect client.

WARNING: Removing ciphers can cause problems connecting to ASDM see this article.

Ciphers supported by AnyConnect 4

TLS 1.3 is supported in the software, but not supported on ASA until version 9.3(2)

  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES128-SHA256
  • AES256-SHA256
  • AES128-SHA256
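Once the cipher order has been changed you will want to confirm what the ASA actually negotiates without opening the AnyConnect statistics tab on a client. The script below is an added example and not code from the original article or from Cisco: it opens a TLS connection to the ASA’s HTTPS/WebVPN listener with .NET’s SslStream and reports the protocol, cipher, key size and hash that were agreed. “vpn.example.com” is a placeholder for your ASA’s outside hostname; the certificate callback accepts any certificate because lab ASAs are usually self-signed, and the point of this check is the cipher, not trust.

```powershell
# Added example (not from the original article): report the TLS parameters an
# ASA negotiates with a .NET client. Needs network access to the ASA.

function Get-TlsNegotiation {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    # Accept any server certificate: this probe is about the cipher suite only.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Host           = "$HostName`:$Port"
            Protocol       = $ssl.SslProtocol          # e.g. Tls, Tls12
            Cipher         = $ssl.CipherAlgorithm      # e.g. Aes256, Aes128
            CipherStrength = $ssl.CipherStrength       # key bits
            Hash           = $ssl.HashAlgorithm        # e.g. Sha1, Sha256
            KeyExchange    = $ssl.KeyExchangeAlgorithm
            CertSubject    = $cert.Subject
        }
    } finally {
        $client.Close()
    }
}

$result = Get-TlsNegotiation -HostName 'vpn.example.com'   # placeholder hostname
$result | Format-List Host, Protocol, Cipher, CipherStrength, Hash, KeyExchange, CertSubject

# After "ssl encryption" puts AES-256 first you expect Cipher Aes256 / CipherStrength 256.
if ($result.Protocol -eq 'Ssl3' -or $result.CipherStrength -lt 128) {
    Write-Warning 'Weak protocol or cipher negotiated; revisit the ssl encryption settings on the ASA.'
} elseif ($result.Cipher -ne 'Aes256') {
    Write-Warning "Negotiated $($result.Cipher) rather than AES-256; check the order of the ssl encryption list."
}
```

The result depends on the client side too: the .NET framework on the probing machine only offers the suites Windows has enabled, so run it from the same kind of client your AnyConnect users have.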


Related Articles, References, Credits, or External Links

NA