
Ondrej Sevecek's English Pages


Engineering and troubleshooting by Directory Master!
MCM: Directory
May 27
Users get error message when connecting to RDP host using RemoteGuard

RemoteGuard (Remote Credential Guard) is a fine new RDP technology available to and from Windows Server 2016 and Windows 10 1607. It keeps the user's NTLM password hash and Kerberos TGT on the client machine instead of handing them over to the RDP host, which gives the credentials some basic protection against a compromised host. In order to use the feature you must either start the mstsc client with the /remoteGuard command line switch or have the feature enforced on the client machine by a group policy setting.

It is a documented fact that using the /remoteGuard switch alone requires the connecting user to be a member of the local Administrators group on the remote RDP host. If the user is not a member of the local Administrators group on the remote RDP host, the following error message is displayed on the remote desktop screen after connecting:

The requested session access is denied

If you want your users to connect while not being members of the local Administrators group on the remote RDP server, you have to enforce the use of RemoteGuard on the client side with a group policy setting (local policy or GPO):

Computer Configuration
  Policies
    Administrative Templates
      System
        Credentials Delegation

Restrict delegation of credentials to remote servers
    Enabled + Require Remote Credential Guard

Yes, weird as it is, the /remoteGuard command line switch apparently behaves differently from the GPO setting. And yes, both are client side matters. The only thing you need to enable on the RDP server host is the DisableRestrictedAdmin registry value, which is shared by the Remote Credential Guard and Restricted Admin features:

HKLM\System\CurrentControlSet\Control\LSA
DisableRestrictedAdmin = DWORD = 0

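
The same configuration done from PowerShell, as an added example that is not part of the original post. It sets the host side value above, writes on the client the registry values that the "Restrict delegation of credentials to remote servers" policy writes (for a machine outside a domain, or to check what a GPO produced), and verifies each side. It assumes you run it elevated and locally on each machine; the host name rdp-host01.corp.example is a placeholder.

```powershell
# Added example, not part of the original post. Run elevated, locally on each
# machine. 'rdp-host01.corp.example' is a placeholder for your RDP host.

# --- On the RDP host: allow Restricted Admin / Remote Credential Guard logons ---
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -Value 0 -Type DWord

# --- On the client: the registry values behind the GPO setting
# "Restrict delegation of credentials to remote servers".
# RestrictedRemoteAdministrationType: 1 = Require Restricted Admin,
# 2 = Require Remote Credential Guard, 3 = Restrict credential delegation.
$cd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
New-Item -Path $cd -Force | Out-Null
Set-ItemProperty -Path $cd -Name RestrictedRemoteAdministration     -Value 1 -Type DWord
Set-ItemProperty -Path $cd -Name RestrictedRemoteAdministrationType -Value 2 -Type DWord

# Returns $true when the machine is configured for the role you ask about.
function Test-RemoteGuardSetup {
    param([ValidateSet('Host', 'Client')][string]$Role)
    switch ($Role) {
        'Host' {
            $v = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
            $v -eq 0
        }
        'Client' {
            $p = Get-ItemProperty -Path $cd -ErrorAction SilentlyContinue
            ($p.RestrictedRemoteAdministration -eq 1) -and ($p.RestrictedRemoteAdministrationType -eq 2)
        }
    }
}
Test-RemoteGuardSetup -Role Host
Test-RemoteGuardSetup -Role Client

# Connect from the client. With the policy in place the switch is optional and
# a non-admin user no longer gets "The requested session access is denied".
mstsc.exe /v:rdp-host01.corp.example /remoteGuard
```

In a domain the client values are owned by the GPO; use gpresult /h to confirm which policy set them rather than editing them by hand.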
February 06
Rolling upgrade of Windows 2012 R2 failover cluster right up to Windows 2019

No. It is not supported to join Windows Server 2019 nodes into a Windows Server 2012 R2 failover cluster. You can add Windows Server 2016 nodes to it, but not the newer 2019 ones.

A Windows Server 2019 node being added to an existing cluster expects the cluster to run at least at the Windows Server 2016 functional level.

The newer 2019 version expects the cluster nodes to have self-signed certificates (ClusInfraCert) generated for their intra-cluster SChannel (TLS) communication on TCP port 3343. This is not the case with the older 2012 R2 nodes, which use Kerberos only for node authentication and protection of the communication.

If you try to join a Windows Server 2019 node into the 2012 R2 cluster, you get an error (after some timeout) stating simply that the 2019 node cannot communicate with any node of the existing cluster.

August 22
How to disable all existing Windows Firewall rules with a single NETSH command

It is in fact this simple:

NETSH ADVFIREWALL FIREWALL SET RULE all NEW enable=no
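
A reversible version of the same step, as an added example that is not part of the original post: back the whole policy up first, run the one-liner, verify that nothing stays enabled and that the profiles (and therefore their default actions) are still on. It assumes an elevated prompt and a writable backup path, which is a placeholder.

```powershell
# Added example, not part of the original post. Run elevated.
$backup = 'C:\Backup\wf-rules-before-disable.wfw'   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null

# 1. Full policy backup (rules, profile settings, logging). Importable with
#    "netsh advfirewall import <file>" to undo everything that follows.
netsh advfirewall export "$backup"

# 2. Disable every rule in one go (the NETSH one-liner from the post).
netsh advfirewall firewall set rule all new enable=no

# 3. Verify: no enabled rule remains, and the profiles are still on, so only
#    the default actions apply (inbound blocked, outbound allowed).
$stillEnabled = @(Get-NetFirewallRule | Where-Object Enabled -eq 'True')
"Rules still enabled: $($stillEnabled.Count)"
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 4. Undo when done: re-import the backup, or flip all rules back on.
# netsh advfirewall import "$backup"
# Get-NetFirewallRule | Enable-NetFirewallRule
```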

Note that this disables the rules but does not turn the firewall off: the profiles stay enabled and their default actions apply, so inbound connections are blocked unless allowed by a rule (and there is none now) and outbound connections are allowed. Any outbound blocking rules you relied on are disabled as well.

Cheers!

December 13
RD Gateway error event 210 caused by NLB configured with no affinity

You may get error 210 in the TerminalServices-Gateway Admin log on a Remote Desktop Gateway (RD Gateway) server, saying that the HTTP transport IN channel could not find a corresponding OUT channel. This error may happen if you operate a load balanced RD Gateway farm and the load balancing mechanism does not use any affinity. RD Gateway requires at least single affinity.

No affinity means that any TCP connection established from a client may end up at any farm member. RD Gateway, on the other hand, establishes two TCP connections per session, one for the inbound and the other for the outbound transport (the IN and OUT channels from the event), and both must hit the same RD Gateway farm member. You must therefore configure the load balancing technology (usually NLB) so that all TCP connections from a single client go to the same farm member.
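
A check and fix for the NLB case, as an added example that is not part of the original post. It counts event 210 occurrences on the gateway and then finds any NLB port rule covering the gateway port whose affinity is None and switches it to Single. It assumes the NLB feature with its NetworkLoadBalancingClusters module is installed on the node you run it on, and that the gateway listens on TCP 443 (the default; change $gwPort if yours differs).

```powershell
# Added example, not part of the original post. Run elevated on an NLB node
# that is also an RD Gateway.
$gwPort = 443   # RD Gateway HTTPS port (default)

# 1. How often did the IN/OUT channel mismatch happen in the last 24 hours?
$ev = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Admin'
    Id        = 210
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue)
"Event 210 in the last 24 h: $($ev.Count)"

# 2. NLB port rules that cover the gateway port without any affinity
Import-Module NetworkLoadBalancingClusters
$bad = Get-NlbClusterPortRule | Where-Object {
    $_.StartPort -le $gwPort -and $_.EndPort -ge $gwPort -and $_.Affinity -eq 'None'
}

# 3. Single affinity pins every connection from one client IP to the same
#    node, which is what the IN/OUT channel pair needs. Changing a port rule
#    is a cluster-wide change, so do it in a maintenance window.
foreach ($rule in $bad) {
    $rule | Set-NlbClusterPortRule -Affinity Single
}
Get-NlbClusterPortRule | Format-Table StartPort, EndPort, Protocol, Mode, Affinity
```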

November 23
Cannot install group managed service account - unspecified error

If you try to install a group managed service account (gMSA) on a server using the Install-ADServiceAccount cmdlet, you may receive the following error message:

Cannot install service account. An unspecified error has occurred

This may happen if you did not create the group managed service account with the -KerberosEncryptionType parameter set to AES128 or AES256. The Kerberos etype parameter is not mandatory and need not be specified if the server does not restrict the allowed Kerberos etypes. But if the server on which you plan to install the service account restricts Kerberos encryption types to AES only, you have to configure the AES encryption types on the gMSA as well; otherwise the server and the account have no etype in common and the installation fails with the unspecified error above.

If you want to check whether your server restricts the available Kerberos etypes, look at the following local security policy value:

Security settings - Local Policies - Security Options
    Network Security: Configure encryption types allowed for Kerberos

If you see that only AES encryption types are allowed in the server's policy, you must use the -KerberosEncryptionType parameter and specify AES128, AES256 or both.
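
The same check and fix in PowerShell, as an added example that is not part of the original post. It decodes the policy's registry bitmask on the target server, then creates (or repairs) the gMSA with AES etypes set explicitly. It assumes the ActiveDirectory module, WinRM access to the server, an existing KDS root key, and these placeholders: gMSA svc-web, server WEB01, DNS host name svc-web.corp.example.

```powershell
# Added example, not part of the original post. Placeholders: 'svc-web',
# 'WEB01', 'svc-web.corp.example'. Needs the ActiveDirectory module and WinRM.

# The policy "Network security: Configure encryption types allowed for Kerberos"
# is stored as a bitmask. When the value is absent the policy is not defined and
# the default set (RC4 + AES) applies.
function Get-KerberosEtypePolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $raw = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path $using:path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    }
    $bits = @{ DES_CBC_CRC = 0x1; DES_CBC_MD5 = 0x2; RC4_HMAC = 0x4; AES128 = 0x8; AES256 = 0x10 }
    $allowed = if ($null -eq $raw) { @('RC4_HMAC', 'AES128', 'AES256') }
               else { @($bits.Keys | Where-Object { $raw -band $bits[$_] }) }
    [pscustomobject]@{
        ComputerName = $ComputerName
        RawValue     = $raw
        Allowed      = $allowed
        AesOnly      = @($allowed | Where-Object { $_ -notlike 'AES*' }).Count -eq 0
    }
}

Get-KerberosEtypePolicy -ComputerName 'WEB01'   # AesOnly = True means the gMSA must carry AES etypes

# Setting AES on the gMSA is safe even when the server does not restrict
# etypes, so there is no reason to leave the parameter out.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$' `
    -KerberosEncryptionType 'AES128,AES256'

# For a gMSA that already exists and failed to install, fix it in place:
Set-ADServiceAccount -Identity 'svc-web' -KerberosEncryptionType 'AES128,AES256'

# The parameter lands in msDS-SupportedEncryptionTypes: 24 = 0x18 = AES128 + AES256
Get-ADServiceAccount -Identity 'svc-web' -Properties msDS-SupportedEncryptionTypes |
    Select-Object Name, msDS-SupportedEncryptionTypes

# Then on WEB01, as a local administrator:
# Install-ADServiceAccount -Identity 'svc-web'
# Test-ADServiceAccount -Identity 'svc-web'    # expect True
```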

August 29
How to install Windows 10 (1511, 1607, 1703) UI language packs

You can install a user interface language pack (MUI pack, UI pack) into any default language edition of Windows 10, of any build, as long as the pack was released for that same build (a language pack for 1607 does not install on 1703). You can even install the English (en-us) language pack into a non-English Windows 10.

First you naturally need to download the language pack. In my MVP/MCT case, I downloaded it from the MSDN subscriber downloads portal. It comes as an ISO file containing all the available language packs as individual CAB files, for both x64 and x86 builds.

The ISO can be mounted from Windows Explorer, so there is no problem mounting it from the GUI and accessing its contents from the command line later.

Then you run the following command against the MUI CAB pack you want to install:

dism /online /add-package:"E:\x64\langpacks\Microsoft-Windows-Client-Language-Pack_x64_en-us.cab"

After DISM finishes you must restart the operating system; only then can you open the Languages control panel and select the newly installed UI language as the primary choice.

April 20
Very slow RDP remote app start over Remote Desktop Gateway connections

I have just solved one interesting case. The customer has a powerful RDP session-based application farm built on Windows Server 2012 R2. The farm runs several session collections with RemoteApps. The RemoteApps are published through RD Web Access and connected over RD Gateway when accessed from the internet. Everything uses trusted TLS/SSL certificates bought from a public CA such as GlobalSign or Symantec.

Everything worked smoothly and fast except for the application startup time when accessed from the internet. RD Web itself was fast enough, but once you clicked an application, it sometimes took as long as three minutes to start. After that, smooth sailing, no more delays. Apparently the RD Gateway was the problem, because this did not happen (at least not that severely) from the LAN, where the RD Gateway is bypassed.

Digging deeper into the problem, both the RD Gateway and the RD Connection Broker turned out to have their own part in it.

The reason was certificate revocation checking which timed out

The reason revealed itself when I enabled auditing for Windows Firewall connections (the Filtering Platform Connection audit subcategory) and correlated the events with the TerminalServices-Gateway/Operational event log. The Security event log showed repeated and frequent TCP connections to remote port 80 (HTTP, apparently) initiated by system processes such as lsass.exe or svchost.exe. Weirdly, the connections were going to public internet IP addresses.

And yes, when I checked the CRL distribution point URLs in the TLS/SSL certificates, these IP addresses turned out to be the CRL distribution points of the public CAs that issued the RDP certificates.

So the system was trying to verify the revocation status of its own server certificates (why, one might ask) by downloading their respective CRL files. The problem was that the farm servers actually had no internet access. So every connection only got as far as SYN-SENT, timed out after 21 seconds (the standard TCP connection establishment timeout on Windows: the initial SYN plus two retransmissions) and failed. And again and again with every client connection being established.

As it appears, the RD Gateway and sometimes even the RD Connection Broker servers try to verify the revocation status of their own server certificates by downloading the CRLs.

The solution

The solution can be either to allow the servers to download the public CRL files from the internet over HTTP (TCP 80); if needed, you can configure them to use an HTTP proxy server with the netsh winhttp set proxy command.

Or to make sure that they cannot resolve the public DNS names of the CRL distribution points at all, so the connection attempt fails immediately.

Or, if the servers must be able to resolve the public DNS names, make sure that the TCP connection fails immediately instead of waiting for the 21 second timeout.

If you have a network firewall in place, change the handling of the blocked port from stealth/drop to reject. Or configure an explicit blocking outbound rule in the servers' Windows Firewall. Outbound blocking rules are good in this regard because they fail the blocked TCP connection immediately and do not let the applications time out.
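
A way to reproduce the diagnosis and apply the fail-fast option, as an added example that is not part of the original post. It reads the CRL distribution points out of the server certificates in the machine store, probes each with a short timeout and reports how it fails (DNS failure and refused fail fast, a timeout is the 21 second stall), and optionally writes the outbound block rule. It assumes an elevated prompt on the RD Gateway or RD Connection Broker; $Thumbprint is a placeholder and may be left empty to check every certificate that has a private key.

```powershell
# Added example, not part of the original post. Run elevated on the RD Gateway
# or RD Connection Broker. Pass the gateway certificate thumbprint, or leave it
# empty to check all certificates with a private key.

function Get-CrlDistributionPoint {
    param([string]$Thumbprint = '')
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }
    if ($Thumbprint) { $certs = $certs | Where-Object Thumbprint -eq $Thumbprint }
    foreach ($c in $certs) {
        $ext = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
        if (-not $ext) { continue }
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(http://[^\s,]+)')) {
            [pscustomobject]@{ Subject = $c.Subject; Url = $m.Groups[1].Value; Host = ([uri]$m.Groups[1].Value).Host }
        }
    }
}

# Connect with our own timeout so that the probe itself does not hang.
function Test-TcpFast {
    param([string]$TargetHost, [int]$Port = 80, [int]$TimeoutMs = 3000)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { $client.EndConnect($ar); $result = 'open' }
        else { $result = 'timeout (the 21 s stall the post describes)' }
    } catch {
        $se = $_.Exception
        while ($se -and $se -isnot [System.Net.Sockets.SocketException]) { $se = $se.InnerException }
        $result = if ($se -and $se.SocketErrorCode -eq 'HostNotFound') { 'dns failure (fails fast)' }
                  else { 'refused/unreachable (fails fast)' }
    } finally { $client.Close() }
    [pscustomobject]@{ Host = $TargetHost; Port = $Port; Result = $result; Ms = $sw.ElapsedMilliseconds }
}

$cdps = @(Get-CrlDistributionPoint -Thumbprint '')
$cdps | Select-Object -ExpandProperty Host -Unique | ForEach-Object { Test-TcpFast -TargetHost $_ }

# Fail-fast option: a Windows Firewall outbound block returns an error to the
# caller immediately instead of letting the SYN retransmits run for 21 seconds.
$ips = @($cdps.Host | Sort-Object -Unique | ForEach-Object {
    try { [System.Net.Dns]::GetHostAddresses($_) | ForEach-Object IPAddressToString } catch { }
})
if ($ips.Count -gt 0) {
    New-NetFirewallRule -DisplayName 'Fail-fast CRL download (no internet here)' `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort 80 `
        -RemoteAddress ($ips | Sort-Object -Unique) | Out-Null
}
# Proxy option instead:  netsh winhttp set proxy proxy-server="proxy.corp.example:8080"
```

certutil -verify -urlfetch against the exported certificate shows the same CDP fetch attempts and their timing, if you prefer to confirm the stall from a single tool.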

March 31
Windows registry values (NoAutoMount) for forensic disk imaging

You may want to use a disk imaging tool such as my favourite WinHex to capture forensically sound disk images from arbitrarily attached USB/SATA/mSATA/M.2/SAS/etc. hard drives even when you do not have a hardware write-blocker device. To prevent the operating system from switching the just attached disks to Online mode and mounting any file systems, you should configure the following registry values:

HKLM\System\CurrentControlSet\Services\mountmgr
  NoAutoMount = REG_DWORD = 1

HKLM\System\CurrentControlSet\Services\partmgr\Parameters
  SanPolicy = REG_DWORD = 3

Note that the NoAutoMount value goes directly into the mountmgr registry key, while the SanPolicy value must be set in the Parameters subkey of the partmgr driver.

With the registry configured this way, newly attached disk drives remain in the default Offline mode, which means they are read-only.

If you want to switch a disk to the writable Online mode, you can always do so with diskpart's online disk command. Note though that bringing a disk Online means any file system on it is mounted immediately, even if no drive letter is assigned yet.

If you want to mount a file system while keeping the disk read-only, you can do so with diskpart's attributes disk set readonly command before switching the disk online.

Thus, Offline always means read-only, while Online may mean read-only or writable, depending on the disk attribute, which you can set before bringing the disk online.

A sample DISKPART transaction may look like this:

DISKPART

  list disk
  REM :the previous command listed your disks, the newly attached disk should be offline, note its number

  select disk XX
  REM :select the number of your offline attached disk instead of typing XX

  attributes disk
  REM :the previous command should have displayed some attributes, mainly the fact that the disk is in read/only state

  attributes disk set readonly
  REM :we make the read/only setting permanent for the selected disk by storing this information in the local computer registry
  REM :note that this does not modify anything on the disk yet and note also that the setting stays in the local computer registry
  REM :and does not roam with the disk if unplugged and moved to another computer

  online disk
  REM :makes the disk online allowing file systems to be mounted, although the disk remains in read/only mode and thus the file systems
  REM :are read only as well. No disk letters assigned yet due to the NoAutoMount registry value

  assign
  REM :only now disk letters assigned, the disk and its file systems still remain in read/only mode
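
The same workflow with the Storage module instead of DISKPART, as an added example that is not part of the original post: it sets the two registry values, verifies the resulting new-disk policy, and wraps the read-only/online/assign sequence in a function that refuses to continue if the evidence disk is not in the expected state. It assumes an elevated prompt on Windows 8.1/Server 2012 R2 or later; disk number 3 is a placeholder.

```powershell
# Added example, not part of the original post. Run elevated. Disk number 3
# is a placeholder for the freshly attached evidence drive.

$mm = 'HKLM:\SYSTEM\CurrentControlSet\Services\mountmgr'
$pm = 'HKLM:\SYSTEM\CurrentControlSet\Services\partmgr\Parameters'
Set-ItemProperty -Path $mm -Name NoAutoMount -Value 1 -Type DWord   # same effect as: mountvol /N
New-Item -Path $pm -Force | Out-Null
Set-ItemProperty -Path $pm -Name SanPolicy -Value 3 -Type DWord     # 3 = OfflineAll (1 OnlineAll, 2 OfflineShared, 4 OfflineInternal)

# Check BEFORE attaching anything: NewDiskPolicy must read OfflineAll
Get-ItemProperty -Path $mm -Name NoAutoMount | Select-Object NoAutoMount
Get-StorageSetting | Select-Object NewDiskPolicy

function Mount-EvidenceDisk {
    param([Parameter(Mandatory)][int]$Number)
    $d = Get-Disk -Number $Number
    if (-not $d.IsOffline) {
        throw "Disk $Number is already online; it may have been written to. Stop and document."
    }
    # The read-only flag lives in this computer's registry; nothing is written to the disk.
    Set-Disk -Number $Number -IsReadOnly $true
    if (-not (Get-Disk -Number $Number).IsReadOnly) {
        throw "Could not set disk $Number read-only; do not bring it online."
    }
    Set-Disk -Number $Number -IsOffline $false      # file systems mount now, still read-only
    # NoAutoMount withheld drive letters; hand them out now (read-only stays in effect)
    Get-Partition -DiskNumber $Number | Where-Object Type -ne 'Reserved' |
        Add-PartitionAccessPath -AssignDriveLetter -ErrorAction SilentlyContinue
    Get-Disk -Number $Number |
        Select-Object Number, FriendlyName, SerialNumber, Size, IsOffline, IsReadOnly
}

Mount-EvidenceDisk -Number 3
```

Set-StorageSetting -NewDiskPolicy OfflineAll writes the same SanPolicy value through a supported cmdlet if you prefer it to editing the registry.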

February 05
Once again, how to enable Secure Boot in UEFI BIOS configuration

I have already covered all the steps in a previous article about UEFI Secure Boot configuration and Windows Server 2016 installation from a USB flash drive. Here I just repeat the steps that are necessary in the UEFI BIOS in order to have Secure Boot enabled for Windows Server 2016 or Windows 10. I have just experienced another motherboard which taught me the lesson once again (a Gigabyte H170-D3H motherboard, with the original F4 BIOS and later with the F20 and F21 BIOS updates):

Basic requirements

  • CSM disabled - the Compatibility Support Module (CSM) must be disabled, otherwise it would allow non-UEFI boot media and boot loaders to start, which would make Secure Boot meaningless
  • Administrator password required to enter the BIOS - this is another requirement. Without password protecting the BIOS configuration, Secure Boot again makes no sense, as anyone with physical access could simply turn it off
  • Windows 8/10 Features setting enabled - you have to enable either the Windows 8/10 or the Windows 8/10 WHQL setting for the Windows 8/10 Features configuration option (you will find it on the BIOS tab). For me, both options worked to boot with Secure Boot. I was not able to find any documentation about the difference between the two. So select whichever you like more :-)
  • Secure Boot enabled - sure, you have to change the setting to Enabled :-) it is not enabled by default
  • Intel TXT - if the option is not present in the BIOS at all, it seems to be supported automatically. I did not need to do anything regarding this so-called Trusted Execution Technology.

The crucial thing to enable the Secure Boot

You must always Provision Factory Default keys! Even if you have just received the machine from the factory, you have to do it yourself. This cannot be done while the Secure Boot Mode is set to Standard. So the crucial technique is to first switch Secure Boot to the Customized mode, then provision the factory default keys manually, and only then switch back to the Standard mode:

  1. switch the Attempt Secure Boot to Enabled
  2. switch the Secure Boot Mode to Customized - it enables the Key Management submenu
  3. go into the Key Management sub menu
  4. switch the Provision Factory Default keys to Enabled
  5. go back up
  6. switch the Secure Boot Mode to Standard

And you are all done.
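
A check from inside Windows that the firmware steps took effect, as an added example that is not part of the original post. It reports whether the OS booted in UEFI mode with Secure Boot on and whether the PK, KEK, db and dbx variables actually contain data, which is what the factory default key provisioning should have produced. It assumes an elevated prompt on Windows 8/Server 2012 or later, where the SecureBoot module ships with the OS.

```powershell
# Added example, not part of the original post. Run elevated.
function Get-SecureBootState {
    $state = [ordered]@{
        UefiBoot = $false; SecureBootOn = $false
        PKBytes = 0; KEKBytes = 0; dbBytes = 0; dbxBytes = 0
        RegistryFlag = $null
    }
    try {
        # Throws "Cmdlet not supported on this platform" on a legacy/CSM boot,
        # which is itself the answer: CSM is still in the way.
        $state.SecureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop
        $state.UefiBoot = $true
    } catch {
        return [pscustomobject]$state
    }
    foreach ($var in 'PK', 'KEK', 'db', 'dbx') {
        try   { $state["${var}Bytes"] = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes.Length }
        catch { $state["${var}Bytes"] = 0 }   # variable absent = keys were never provisioned
    }
    $sb = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $state.RegistryFlag = (Get-ItemProperty -Path $sb -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue).UEFISecureBootEnabled
    [pscustomobject]$state
}

Get-SecureBootState
```

A healthy result shows UefiBoot and SecureBootOn true, RegistryFlag 1 and non-zero byte counts for PK, KEK and db; a zero PK with Secure Boot "enabled" in the BIOS is exactly the missing Provision Factory Default keys step.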

January 05
Display password (password reveal button) keyboard shortcut

We have had the password reveal button (aka show password button) in most password entry GUIs since Windows 8. It is the small eye icon at the end of password edit boxes which, when you click it, reveals the currently typed password that would normally be hidden behind stars or dots. People like to check the value to prevent failed password attempts, especially when the computer is configured with several national keyboard layouts, or just to be sure. Internet Explorer has had the button since version 8, regardless of the Windows version.

Is there a keyboard shortcut that displays the password as you type, instead of leaving the keyboard and scrabbling around for the mouse? Moreover, we server-oriented geeks sometimes do not even have a mouse available at all.

How to display the password using a keyboard shortcut

Yes, there is, although only since Windows 10 and Windows Server 2016. But finally.

Alt-F8

On the other hand, secure corporate environments may, according to information security standards such as ISO/IEC/EN/CSN 27001/27002, need to disable the password reveal button completely. As people get accustomed to always showing their password for confirmation, they may forget about others watching. There are also surveillance cameras etc.

How to disable the password reveal button

There is a Group Policy setting to disable this option, available ever since the button has existed (Windows 8 and later). You will find it in a GPO (Group Policy Object) exactly here:

Computer Configuration
  Policies
    Administrative Templates
      Windows Components
        Credential User Interface
          Do not display the password reveal button

and

Computer Configuration
  Policies
    Administrative Templates
      Windows Components
        Internet Explorer
          Security Features
            Do not display the password reveal button

If you want to disable the show password button both in the general user interface and in Internet Explorer, simply enable both settings. It applies to the new Edge browser as well.
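
An audit and local enforcement of the same two settings, as an added example that is not part of the original post. It checks the DisablePasswordReveal registry values that these two policies write and, if you call the second function, sets them, which is useful on workgroup machines and for a compliance check across a fleet. It assumes an elevated prompt; on a domain-joined machine the GPO owns these values and will reapply its own.

```powershell
# Added example, not part of the original post. Run elevated.
$policies = @(
    @{ Name = 'Credential User Interface'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI' }
    @{ Name = 'Internet Explorer';         Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main' }
)

# One row per policy: Value is the registry data (empty when not configured),
# Compliant is true only when the reveal button is disabled (1).
function Test-PasswordRevealDisabled {
    foreach ($p in $policies) {
        $v = (Get-ItemProperty -Path $p.Path -Name DisablePasswordReveal -ErrorAction SilentlyContinue).DisablePasswordReveal
        [pscustomobject]@{ Policy = $p.Name; Key = $p.Path; Value = $v; Compliant = ($v -eq 1) }
    }
}

# Same effect as enabling both GPO settings, for a machine without a GPO.
function Set-PasswordRevealDisabled {
    foreach ($p in $policies) {
        New-Item -Path $p.Path -Force | Out-Null
        Set-ItemProperty -Path $p.Path -Name DisablePasswordReveal -Value 1 -Type DWord
    }
}

Test-PasswordRevealDisabled     # before: Value empty, Compliant False
Set-PasswordRevealDisabled
Test-PasswordRevealDisabled     # after: Value 1, Compliant True
```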

About this blog

Ondrej Sevecek

Ondrej Sevecek is a technical consultant, writer and speaker specialising in network security, PKI, identity management and Active Directory on the Microsoft Windows platform. Ondrej is a Microsoft Certified Master (MCM:Directory and MCSM:Directory) and a Most Valuable Professional (MVP: Enterprise Security). He also maintains his CISA, CHFI (Computer Hacking Forensic Investigator) and CEH (Certified Ethical Hacker) certifications.

Ondrej is also an MCT and lectures at GOPAS, one of the largest training centers in Europe.