Saturday, 21 November 2009

Date and Time using GPO


How to use a GPO with a customized ADM file to force a specific date and time format.

 
 

Group Policy management is one of the administrator's tools that, in my experience, is not used to its full potential. To name one example: publishing software (not assigning!) is something I do not see very often, even though it is potentially a great way of rolling out less 'business-critical' software. The problem there is that users have to do the install themselves using add and remove software (or programs and features in Vista), and that may be where 'the train stops', since there would be extra training involved (or a decent intranet website with examples and video tutorials), which of course takes extra resources, money and time.

This article, however, covers a piece of Group Policy management that does not involve training any users, so there's no reason not to deploy it (in your lab environment first ;-)). This article targets MCSE-level administrators in particular; it expands on exam 70-294.

As I'm sure you know, it's possible to use .adm files (Administrative Template files) to make changes to systems available through Group Policies. In fact, I'm pretty sure most admins are familiar with the 'wuau.adm' file, which is the administrative template file for WSUS.

There's a lot more that can be done with these administrative templates! Actually, just about anything that can be changed by making registry changes can be made 'distributable' through Group Policies this way. The .adm files allow a nice user-friendly interface to be 'generated', and this way make your changes available and usable to peer administrators in your organization. Keep a few things in mind though: first of all, be very careful when using localized versions of Windows. Secondly, always pilot your group policies. With that in mind, it is always wise to first thoroughly test your new GPOs in the lab.

 
 

How to change time and date

 
 

In the example we'll be making an administrative template that allows for a specific date and time format to be forced on the OU (or domain or site) where the GPO is applied.

To be precise: we'll be making an .adm file that forces 'dd.MM.yyyy' for date and 'HH:mm:ss' for time.

First we create the .adm templates so that they can be added to the group policy.

We'll skip the exact details of the creation of the .adm file, especially since Microsoft already has an excellent article online that gets you started quickly and has references for people wanting to try advanced features. For now we'll use the templates I have provided here, and if you're tempted to try your own implementations, make sure to visit the previously mentioned link as well as this one.

Once created, the files are put in the following location: %SystemRoot%\inf (usually c:\windows\inf) on the domain controller where we apply the templates.

Filename: GP-Date-Edits.adm (or whatever you would like to call it)

Contains:


CLASS USER

; User setting written under HKCU\Control Panel\International
CATEGORY "Control Panel"
  CATEGORY "Regional Settings"
    POLICY "Specify Date Settings"
      KEYNAME "Control Panel\International"
      EXPLAIN !!expSetDateFormat

      ; Short date picture, stored in the sShortDate value
      PART "Short date style" DROPDOWNLIST REQUIRED
        VALUENAME "sShortDate"
        ITEMLIST
          NAME "M/d/yy"      VALUE "M/d/yy"
          NAME "M/d/yyyy"    VALUE "M/d/yyyy"
          NAME "MM/dd/yy"    VALUE "MM/dd/yy"
          NAME "MM/dd/yyyy"  VALUE "MM/dd/yyyy"
          NAME "yy/MM/dd"    VALUE "yy/MM/dd"
          NAME "dd-MMM-yy"   VALUE "dd-MMM-yy"
          NAME "dd.MM.yyyy"  VALUE "dd.MM.yyyy" DEFAULT
        END ITEMLIST
      END PART

      ; Long date picture, stored in the sLongDate value.
      ; Each VALUE is the picture string shown in its NAME.
      PART "Long date style" DROPDOWNLIST REQUIRED
        VALUENAME "sLongDate"
        ITEMLIST
          NAME "dddd d MMMM yyyy"    VALUE "dddd d MMMM yyyy" DEFAULT
          NAME "dddd MMMM dd, yyyy"  VALUE "dddd MMMM dd, yyyy"
          NAME "MMMM dd yyyy"        VALUE "MMMM dd yyyy"
          NAME "dddd dd MMMM yyyy"   VALUE "dddd dd MMMM yyyy"
          NAME "dd MMMM yyyy"        VALUE "dd MMMM yyyy"
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
expSetDateFormat="Specifies the format for client default date format"
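A small linter for hand-written templates of this shape, as an added example that is not part of the original article: it flags dropdown entries whose stored VALUE differs from the picture shown as the label, picture tokens that are too long, lists without exactly one DEFAULT, and KEYNAMEs outside the Policies registry keys. The function name, finding codes and the sample fragment are constructed for illustration.

```python
import re
from itertools import groupby

# Constructed sample in the shape of the template above, with two broken entries.
SAMPLE_ADM = r'''
CLASS USER
CATEGORY "Control Panel"
  POLICY "Specify Date Settings"
    KEYNAME "Control Panel\International"
    PART "Short date style" DROPDOWNLIST REQUIRED
      VALUENAME "sShortDate"
      ITEMLIST
        NAME "dd.MM.yyyy"  VALUE "dd.MM.yyyy" DEFAULT
        NAME "MM/dd/yyyy"  VALUE "MM/dd/yyyy"
      END ITEMLIST
    END PART
    PART "Long date style" DROPDOWNLIST REQUIRED
      VALUENAME "sLongDate"
      ITEMLIST
        NAME "MMMM dd yyyy"       VALUE "MMMMdd yyyy"
        NAME "dddd dd MMMM yyyy"  VALUE "dddddd MMMM, yyyy" DEFAULT
      END ITEMLIST
    END PART
  END POLICY
END CATEGORY
'''

# Registry prefixes that Group Policy treats as managed; anything else is a preference.
MANAGED = ("software\\policies\\",
           "software\\microsoft\\windows\\currentversion\\policies\\")
# Longest run accepted for each date/time picture letter.
MAX_RUN = {"d": 4, "M": 4, "y": 5, "h": 2, "H": 2, "m": 2, "s": 2, "t": 2}
KEY_RE = re.compile(r'^\s*(KEYNAME|VALUENAME)\s+"([^"]*)"')
ITEM_RE = re.compile(r'^\s*NAME\s+("[^"]*"|\S+)\s+VALUE\s+"([^"]*)"(\s+DEFAULT)?\s*$')
# Labels made only of picture letters and separators are expected to equal the value.
PICTURE_RE = re.compile(r"^[dMyhHmst .,/:-]+$")


def lint_adm(text):
    """Return a list of (registry name, finding) tuples for an ADM template."""
    findings = []
    valuename = None
    defaults = None  # None while outside an ITEMLIST
    for line in text.splitlines():
        stripped = line.strip()
        m = KEY_RE.match(line)
        if m:
            if m.group(1) == "KEYNAME":
                if not m.group(2).lower().startswith(MANAGED):
                    findings.append((m.group(2), "unmanaged-key"))
            else:
                valuename = m.group(2)
        elif stripped == "ITEMLIST":
            defaults = 0
        elif stripped == "END ITEMLIST":
            if defaults != 1:
                findings.append((valuename, f"default-count={defaults}"))
            defaults = None
        elif defaults is not None and (m := ITEM_RE.match(line)):
            label, value = m.group(1).strip('"'), m.group(2)
            defaults += bool(m.group(3))
            if PICTURE_RE.match(label) and label != value:
                findings.append((valuename, f"label-mismatch:{label}"))
            for ch, run in groupby(value):
                n = len(list(run))
                if n > MAX_RUN.get(ch, n):
                    findings.append((valuename, f"bad-token:{ch * n}"))
    return findings


if __name__ == "__main__":
    for where, what in lint_adm(SAMPLE_ADM):
        print(f"{where}: {what}")
```

The `unmanaged-key` finding is expected for this template: it is the reason the editor's filter has to be switched off before the setting becomes visible.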

 
 

 
 

Now we can apply the .adm file.

 
 

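Note that in the group policy editor, on the "view" menu under "filter", the following option should be disabled:

"Only show policy settings that can be fully managed"

If this is not disabled, the manual GP settings will not show up. The template writes to Control Panel\International, which lies outside the Policies registry keys, so the editor treats it as an unmanaged preference; a value set this way also stays in the user's registry after the GPO no longer applies.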

Now we add the .adm file as a template on the (in this example) Citrix Server GPO. To do this, right-click Administrative Templates and choose 'Add/remove templates':




 
 

Clicking 'add' allows you to add our template. This adds our custom date setting:



(notice all the different formats we defined in the template?)

Once applied we can see it in the 'settings' overview:




I promised we would do time as well as date: for the time format the procedure is the same, but the .adm file could contain something like:

CLASS USER

CATEGORY "Control Panel"
  CATEGORY "Regional Settings"
    POLICY "Specify Time Settings"
      KEYNAME "Control Panel\International"
      EXPLAIN !!expSetTimeFormat

      ; Time picture, stored in the sTimeFormat value.
      ; HH is the 24-hour clock; lowercase h is the 12-hour clock and tt the AM/PM marker.
      PART "Time format" DROPDOWNLIST REQUIRED
        VALUENAME "sTimeFormat"
        ITEMLIST
          NAME "24-Hour"  VALUE "HH:mm:ss" DEFAULT
          NAME "12-Hour"  VALUE "h:mm:ss tt"
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
expSetTimeFormat="Specifies the format for client default time format"

Wednesday, 18 November 2009

pride and prejudice family tree

Friday, 6 November 2009

Endian Firewall Root Default Password


ENDIAN FIREWALL DEFAULT ROOT PASSWORD


 

User name : root

Password : endian

Thursday, 5 November 2009

Microsoft ISA server 2006 Installation


MICROSOFT ISA SERVER 2006

Series Index


 

  1. Getting started with Microsoft ISA Server 2006, Part 1: Introduction
  2. Getting started with Microsoft ISA Server 2006, Part 2: Environment Setup
  3. Getting started with Microsoft ISA Server 2006, Part 3: Installation
  4. Getting started with Microsoft ISA Server 2006, Part 4: Service Pack 1
  5. Getting started with Microsoft ISA Server 2006, Part 5: Network Layout Concept
  6. Getting started with Microsoft ISA Server 2006, Part 6: Configure Network Layout
  7. Getting started with Microsoft ISA Server 2006, Part 7: Create DNS Lookup Rule
  8. Getting started with Microsoft ISA Server 2006, Part 8: Create Web Access Rule
  9. Getting started with Microsoft ISA Server 2006, Part 9: Client Configuration
  10. Getting started with Microsoft ISA Server 2006, Part 10: Logging
  11. Getting started with Microsoft ISA Server 2006, Part 11: HTTP Filtering

  12. Getting started with Microsoft ISA Server 2006, Part 12: Block Windows Live Messenger


INTRODUCTION


 

History of ISA Server

The history of ISA Server starts with Microsoft Proxy Server 1.0 and Microsoft Proxy Server 2.0, which were both released in 1997. They were designed merely to provide Internet access (Internet sharing), and each version came in only one edition. Microsoft Proxy Server 1.0 has only basic functionality and many limitations. The second version improves on many features of the previous version: it supports Windows NT account integration, many more protocols, and packet filtering.

ISA Server 2000 was then released in 2001, followed by ISA Server 2004 in 2004 and ISA Server 2006 in 2006. Each product has two editions: Standard and Enterprise. ISA Server 2004 introduced multi-networking support, integrated virtual private networking (VPN) configuration, Application-Layer Firewall support, support for the H.323 protocol, Active Directory Integration, SecureNAT, Secure Server Publishing, and improved reporting and management features. The rules-based configuration was also considerably simplified compared with ISA Server 2000. ISA Server 2004 Enterprise Edition included array support, integrated Network Load Balancing (NLB), and Cache Array Routing Protocol (CARP). One of the core capabilities of ISA Server 2004 was its ability to securely publish Web servers. ISA Server 2006 is an updated version of ISA Server 2004. It has no major differences compared to ISA Server 2004; most features and the interface of both versions are quite similar.

The future version of ISA Server is Forefront Threat Management Gateway, which runs only on the 64-bit platform and Windows Server 2008. At this time, the current version is beta 3.


 


 


 

Features of ISA Server 2006

Microsoft ISA Server 2006 has 2 editions: Standard and Enterprise. The major differences between the two editions are scalability and network load balancing capability. The Standard Edition can be installed on a single server with up to 4 CPUs, and memory (RAM) is limited to 2 GB. See Comparison of Standard and Enterprise Editions for ISA Server 2006 for more information.

Here is a summary of the features of ISA Server 2006:

  1. Multi-layer firewall. Provides three types of firewall functionality: packet filtering (also called circuit-layer), stateful filtering, and application layer filtering.
  2. Application layer filtering. Provides deep content filtering through built-in application filters.
  3. Virtual private networking capability.
  4. Intrusion detection capability. Flood protection against attacks such as denial of service (DoS) and distributed denial of service (DDoS), IP spoofing protection, etc.
  5. Supports various authentication methods. Authenticates users with built-in Windows, LDAP, RADIUS, or RSA SecurID authentication.
For more details, see Key features of ISA Server 2006.


 

Environment Setup

In the first part, you got an overview of ISA Server 2006. Before going on to the real example on ISA Server 2006, you should know the system environment that I'm going to use in this series. In this post, you will learn the hardware and software requirements for ISA Server 2006, and you will see the server and network configurations.


 

System Requirements

Below are the minimum requirements for ISA Server 2006 Standard Edition or ISA Server 2006 Enterprise Edition.

Server Configuration

There are three servers which I will use throughout this series. I already have the following servers in the network:

Network Configuration

I try to keep the network configuration as simple as possible. On the left side of the ISA Server 2006 server is my internal network (LAN), which contains the clients and a server of my network. On the right side of the ISA Server 2006 server is the external network, which connects to the router that connects to the Internet.

The image below is the network diagram of my example.


What's Next?


 


 

INSTALLATION


 

Getting started with Microsoft ISA Server 2006, Part I: Installation

Introduction

Microsoft Internet Security & Acceleration Server 2006 is a firewall and proxy product from Microsoft. It can protect the local network from hackers, limit Internet access, improve Internet speed for users, and log any connections that pass through ISA Server.
In other words, ISA Server is a gateway between the intranet (LAN) and the Internet, so it has more than one network interface: usually 2 or 3, depending on the network topology (Edge Firewall, 3-Leg Perimeter, etc.) in your organization.


 

This post will show how to install ISA Server 2006 Standard Edition on a Windows 2003 Server which has 2 network interfaces: one connected to the internal network (LAN) and the other connected to the external network (Internet). The diagram is as below:



 

Step-by-step

  1. Open ISA setup program.

  2. Click Next.

  3. Enter your license information. Click Next.

  4. Select Setup Type. If you want to customize features or change the installation directory, select Custom. Otherwise, select Typical. I leave Typical for convenience.

  5. On Internal Network, you must enter your internal IP address range. You can do this by adding it manually or selecting it from a network adapter. Before clicking Next, ensure that your network addresses are configured correctly.

  6. On Firewall Client Connections, if you haven't upgraded from a previous ISA Server (ISA 2000 or 2004), leave the check box unchecked and click Next. Otherwise, check the check box before continuing.

  7. On Service Warning, click Next. Notice that some services will be restarted or disabled while installing.

  8. Click Install.

  9. Wait for the installation to finish.

  10. You can check "Invoke ISA Server Management when the wizard closes" if you want to configure ISA now.

  11. Now you have finished installing ISA Server 2006. To configure the ISA details, continue to the next part.


 


 


 


 


 

Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology

Network Topology

In Part I, you finished installing ISA Server 2006. Before using the server, you need to do some configuration first. On the Getting Started with ISA Server 2006 page in ISA Server Management, there are 5 steps for setting up ISA Server, as in the figure below.



 


 

To use ISA Server, only the first 2 steps in the figure above need to be configured, so this part shows how to configure the Network Topology on ISA Server, which is the first step in the figure above. I will cover the second step in the next part (Part III). You also need to enable clients to access ISA Server by configuring the clients, too. Client Configuration will be covered in Part IV.


 

Step-by-step

Next, I will create a new web access rule for all users in the internal network to access the Internet (external network) with only the HTTP (port 80) and HTTPS (port 443) protocols.


 


 


 


 


 

Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule


 

Firewall Policy

In Part II, you configured the Network Topology. Now you need to create a policy rule to allow traffic to pass through the ISA Server.

By default, ISA Server is configured with a default rule which blocks all traffic passing through ISA Server, but you can customize rules to match your organization's policy. On each rule, you can customize whether to allow or deny access, the protocols, the source and destination addresses, the users (ISA Server can be integrated with Active Directory), the time when the rule applies, and the content types.

  1. New Access Rule Wizard appears, enter the name of access rule. Click Next.

  2. On Rule Action, select Allow. Click Next.

  3. On Protocols, click Add. Add Protocols window appears, expand Common protocols and select HTTP and HTTPS.

  4. On Access Rule Sources, click Add. Add Network Entities window appears, expand Networks and select Internal.

  5. On Access Rule Destinations, add External network.

  6. On User Sets, leave All Users. Click Next.

  7. Click Finish to complete creating the new rule.

  8. Again, don't forget to apply your settings on ISA Server for them to take effect. Click Apply.

  9. The next part will be about client configuration for access to ISA Server.

 

Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type


 

After completing Part III, you have done the basic configuration of ISA Server. In this part, you're going to configure a client computer to be one of these types: SecureNAT Client, Firewall Client or Web Proxy Client. You can see more detail in the topic below.


 

Client Types

The table below compares the ISA Server clients.

| Feature \ Client types | SecureNAT client | Firewall client | Web Proxy client |
|---|---|---|---|
| Installation required | Some network configuration changes may be required | Yes | No, Web browser configuration required |
| Operating system support | Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) | Only Windows platforms | All platforms, but by way of Web application |
| Protocol support | Application filters for multiple connection protocols required | All Winsock applications | Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), File Transfer Protocol (FTP), and Gopher |
| User-level authentication | Some network configuration changes required | Yes | Yes |
| Server applications | No configuration or installation required | Configuration file required | Not applicable |

Configurations

In this section, I will show how to configure each client type on a client computer. You only need to select one of these three client type configurations.


 


 

Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter


 

Have you ever needed to block users from using MSN or Yahoo Messenger? Or block them from using free email services? Or even block them from posting anything on web boards? Or block them from using BitTorrent to download files? This topic answers these questions using Microsoft ISA Server 2006.

From Part I to IV, you have completed a simple configuration of Microsoft ISA Server 2006 to work in your network. But ISA Server can do a lot more than that. Another benefit of ISA Server is that it can filter HTTP traffic. If you know the attributes of each kind of HTTP traffic, you can block MSN/Yahoo Messenger, BitTorrent and web mail, disallow posting on web boards, etc. by allowing or blocking HTTP traffic using the HTTP filter. I think most readers may not be familiar with what HTTP traffic looks like, so let's look at HTTP traffic in the next section.

Note: This topic isn't required in order to run ISA Server; Part I to IV are sufficient. But this topic will benefit most organizations by improving security.


 

HTTP Traffic

HTTP traffic on ISA Server is data that passes through ISA Server using the HTTP protocol (by default on port 80), which is the protocol used by most applications. On each HTTP connection, there is header information sent from the client to the server or from the server to the client. This information includes Request Methods (GET, POST, etc.), HTTP Versions (1.0, 1.1, 1.2), User-Agent (Mozilla/4.0, Firefox, etc.), Content-Type (application/xml, image/jpeg, text/xml, etc.), and so on. I will not go into deep detail about the HTTP protocol; if you want more information, you can find it at Wikipedia – HTTP. With this header information, ISA Server can filter HTTP traffic to allow or block specific applications or traffic.

To see some samples of HTTP traffic, you can use a sniffer program to capture each data packet that passes in or out of a computer. A popular one is Ethereal. I have installed Ethereal on a computer which runs a web server. Let's see different examples of HTTP header information below.

When a client sends a request to the web server by browsing with Internet Explorer to http://bkkexternal (bkkexternal is the computer that runs a web server).
Detail: The request method is GET. The URI is /. The User-Agent is Mozilla (compatible: MSIE 6.0).


This is the response header for the above request.
Detail: The response code is 200 (OK). The server is running Apache 2.2.4. The Content-Type is text/xml.


When you submit a form in the browser to the web server.
Detail: The request method is POST. The client host is bkkmisc01. The Content-Type is application/x-www-form-urlencoded.


Note: "\r\n" is the marker for the end of a line (carriage return, line feed).


 

Configurations

To configure HTTP filter, you need to know what attribute and value need to be configured. On this post, I will show only the following:

  1. Block specific browser: Firefox.
  2. Block MSN Messenger, Windows Live Messenger.
  3. Block download file .torrent.
  4. Block AOL Messenger.
  5. Block Yahoo Messenger.
  6. Block Kazaa.
  7. Block free web mail. (e.g. hotmail.com, mail.yahoo.com, etc.)
  8. Block post on web boards.
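
How header-based rules of this kind decide on a request, as an added example that is not from the original series and not ISA Server's own implementation: a minimal request parser and three rules modelled on items 1, 3 and 8 above. The rule names and the sample requests are constructed for illustration.

```python
from urllib.parse import urlsplit

UA_IE = b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
# Constructed sample requests shaped like the captures described above.
SAMPLES = {
    "ie_get": b"GET / HTTP/1.1\r\nHost: bkkexternal\r\n" + UA_IE + b"\r\n",
    "firefox_get": b"GET / HTTP/1.1\r\nHost: bkkexternal\r\n"
                   b"User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20091102 Firefox/3.5.5\r\n\r\n",
    # Web Proxy clients put the absolute URL in the request line.
    "torrent_get": b"GET http://bkkexternal/files/demo.torrent?id=1 HTTP/1.1\r\n"
                   b"Host: bkkexternal\r\n" + UA_IE + b"\r\n",
    "form_post": b"POST /board/post.php HTTP/1.1\r\nHost: bkkexternal\r\n" + UA_IE +
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: 9\r\n\r\nmsg=hello",
    # Bare LF line endings are not valid HTTP framing, so the request is rejected.
    "bare_lf": b"GET / HTTP/1.1\nHost: bkkexternal\n\n",
}


def parse_request(raw: bytes):
    """Split a raw request into (method, target, headers); raise ValueError if malformed."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return parts[0], parts[1], headers


# Each rule is (name, predicate over method, target, headers). First match wins.
RULES = [
    ("block-firefox",
     lambda m, t, h: "firefox" in h.get("user-agent", "").lower()),
    ("block-torrent",  # compare the path only, so a query string cannot hide the extension
     lambda m, t, h: urlsplit(t).path.lower().endswith(".torrent")),
    ("block-form-post",
     lambda m, t, h: m == "POST" and h.get("content-type", "").lower()
     .startswith("application/x-www-form-urlencoded")),
]


def evaluate(raw: bytes):
    """Return ("deny", rule_name) for the first matching rule, else ("allow", None)."""
    try:
        method, target, headers = parse_request(raw)
    except ValueError:
        return ("deny", "malformed")  # fail closed on anything the parser cannot read
    for name, matches in RULES:
        if matches(method, target, headers):
            return ("deny", name)
    return ("allow", None)


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, evaluate(raw))
```
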
Step-by-step

Summary

This is the end of this series. After completing this series, starting from installing ISA Server, configuring the network topology, configuring a basic rule, configuring client types and configuring the HTTP filter, you now have the basic knowledge and understanding to operate ISA Server on your own. But there are some configurations I don't cover, for instance how to configure the cache on ISA Server, how to implement VPN, etc.


 

Getting started with Microsoft ISA Server 2006, Part 4: Service Pack 1

Update Service Pack 1

In Part 3: Installation, I installed ISA Server 2006 Enterprise Edition on the server. At this time, there is a service pack for ISA Server 2006 which you can download from the Microsoft website, so in this post I am going to show how to update the server to ISA Server 2006 Service Pack 1.
Note: Besides the service pack, there are other security updates available for ISA Server 2006, which I will not cover in this series, so you should check for and install them on your own.


 

There are many new features and enhancements on the ISA Server 2006 service pack 1:
New Features

Enhancements

For more information about this service pack, see Microsoft Article 943462.

Step-by-step

  1. Download the file from Microsoft Internet Security and Acceleration (ISA) Server 2006 Service Pack 1.

  2. Double-click the downloaded file, ISA2006-KB943462-X86-ENU.msp, to run the setup wizard.

  3. On Welcome to the Update for Microsoft ISA Server 2006 Service Pack 1, click Next.

  4. On License Agreement, select I accept the terms in the license agreement and click Next.

  5. On Locate Configuration Storage Server, you have to specify the Configuration Storage Server. On this example, I leave it as default and click Next.

  6. On Ready to Install the Program, click Install.

  7. On Installing Microsoft ISA Server 2006 Service Pack 1, wait until the installation completes.

  8. On Installation Wizard Completed, click Finish.

  9. A pop-up message asks you to restart the system for the configuration changes made to ISA Server 2006 to take effect. Click Yes to restart it now.

  10. Once the system has restarted, you can see that the version of ISA Server 2006 is updated by opening ISA Server Management. Click Start -> Programs -> Microsoft ISA Server -> ISA Server Management.

  11. On ISA Server Management, click Help -> About Microsoft ISA Server 2006.

  12. On About Microsoft ISA Server 2006, you see the current version of ISA Server 2006. The version of ISA Server 2006 Service Pack 1 is 5.0.5723.493.


 

Getting started with Microsoft ISA Server 2006, Part 5: Network Layout Concept


 

Configure Network Layout

In Part 3: Installation and Part 4: Service Pack 1, you learned how to install and update ISA Server 2006. Next, it is time to configure ISA Server 2006. In this post, I am going to show how to configure the networking environment for ISA Server 2006 by selecting from the pre-defined network templates.


 

By default, ISA Server 2006 comes with five pre-defined network templates. You can select the one that matches your networking environment. Let's look at each of them in detail.

  1. Edge Firewall
    This is a standard network topology for small to medium organizations. The ISA Server is the main gateway controlling traffic between the intranet (LAN) and the Internet. The ISA Server needs 2 network interface cards.

  2. 3-Leg Perimeter
    This is a standard network topology for medium to large organizations. Compared to the edge firewall, there is an additional network, the perimeter network, connected to the ISA Server. The perimeter network or DMZ (Demilitarized Zone) is a less secure network for serving Web servers, e-mail servers, DNS servers and other services to Internet users and also to internal users. The ISA Server needs 3 network interface cards.

  3. Front Firewall
    This is a network topology for organizations where security is a high priority. In this case, there is more than one firewall. When a hacker attacks the front firewall and it is compromised, there is still a back firewall to protect the internal network. In this template, ISA Server acts as the front firewall between the Internet and the perimeter network and needs 2 network interface cards.

  4. Back Firewall
    This network template is similar to the front firewall template, except that the ISA Server you're configuring is the back firewall, which stands between the internal and the perimeter networks. In this template, ISA Server needs 2 network interface cards.

  5. Single Network Adapter
    This is a network template for ISA Server to act as a proxy server only. ISA Server can do caching to improve performance for users using the Internet in the organization. In this template, ISA Server requires only a single network interface card, as the name of the template suggests.

Note: With the front and back firewall templates, you have more than one firewall. It is best practice not to use the same firewall model for both. For example, you should have a hardware-based front firewall from one company and a software-based back firewall from another company, or vice versa. If a hacker breaks the front firewall, the hacker will need extra time to break the other firewall to reach the internal network, since the hacker cannot use the same technique to break the back firewall.


 

Getting started with Microsoft ISA Server 2006, Part 6: Configure Network Layout


 

Configure Network Layout

you learn about network templates. On this post, I will show how to configure networking environment of the ISA Server 2006 using edge firewall template which is the most suitable template for this example. You can see the network diagram of the example on 


 

Step-by-step