Archive for the 'Infrastructure' Category

Jul 12 2007

Active Directory Explorer v1.0

Published by under Infrastructure

Microsoft have just released a new tool under the Sysinternals banner called Active Directory Explorer. Read the blurb from the website below for more information but based on this description, it sounds amazing! It’s odd then, that there is no other information about this new tool apart from the quote below.

This seems like a very advanced tool that would be hugely beneficial to anyone working with Active Directory. I’m intrigued by the idea of taking snapshots of your AD and then being able to load up those snapshots offline for browsing and diagnosis. My virtual environment at home isn’t up and running yet, but I will definitely be reporting some more information about this new tool soon.

Introduction

Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object’s schema, and execute sophisticated searches that you can save and re-execute.

AD Explorer also includes the ability to save snapshots of an AD database for off-line viewing and comparisons. When you load a saved snapshot, you can navigate and explore it as you would a live database. If you have two snapshots of an AD database you can use AD Explorer’s comparison functionality to see what objects, attributes and security permissions changed between them.

AD Explorer works on Windows 2000 and higher.

Active Directory Explorer v1.0


Jul 10 2007

How to choose a secure password

Published by under Infrastructure


As a follow-up to the secure USB drive post, I wanted to give some pointers on how to create secure, complex passwords.

Complexity…

In a Microsoft environment, a complex password must be at least six characters long, cannot contain three or more letters from the user’s username, and must contain characters from at least three of these five categories:

  • Upper case characters – A, B, C, …, Z
  • Lower case characters – a, b, c, …, z
  • Numbers – 0, 1, 2, 3, …, 9
  • Special characters – !, @, #, …
  • Unicode characters – ?, þ, ?, …

Unicode characters are difficult to type, so we’ll ignore those for now as they are impractical, but if you stick with Microsoft’s recommendations here, you’re off to a good start.

First test…

Consider the following two passwords and think about which is more secure:

  • July07
  • HaUnChEofKslFnsoEasP

The second password is obviously more secure, but this doesn’t constitute a complex password as it only has characters from two of the five categories (upper and lower case). The first password is considered a complex password as it has characters from three of the five categories, and it is six characters long. (This wouldn’t be an allowed, complex password if the user’s username was Julie or Julian, but that’s beside the point.)

Golden rule…

The golden rule when choosing a password is to not use a word that appears in the dictionary – not even when it is appended with numbers or special characters. Research has found that most people will throw in a couple of numbers at either the beginning or end of the password, and more often than not, these numbers relate to either the current date or an important date like birthdays, anniversaries, etc. So based on this, a better password would be “Ju07ly”. This doesn’t contain any dictionary words, it has three of the five character sets, and the numbers aren’t at the beginning or end of the password.

Common mistake…

A common practice when trying to come up with stronger passwords is to substitute letters with special characters. For example, you could choose your pet’s name, “Spotty”, and turn it into this: “$p0ttY”. This matches the requirements for a complex password, but the downside is that there are a bunch of commonly used special characters which any password cracker worth its money would factor into its algorithms. Some of the common ones are: @ for a, $ for s, 0 for o, ! for 1.

The other problem with choosing your pet’s name is that hackers can use “social engineering” to obtain personal information from you which they could use to aid their password guessing. It wouldn’t be that difficult to find out your pet’s name, or any of your family’s or loved ones’ names. “$p0ttY” doesn’t look that difficult to guess now.

Looooong passwords…

The best way to overcome some of these problems is to use long passwords. As I showed in the example above, “HaUnChEofKslFnsoEasP” is much more secure than “July07” only because of its length of 20 characters. By my calculations there are 19,928,148,895,209,400,000,000,000,000 different password combinations using 20 characters with just upper and lower case. Compare this to just 56,800,235,584 combinations using 6 characters with upper case, lower case and numbers.
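
The complexity rule from the “Complexity…” section and the keyspace comparison above, as an added Python example that is not part of the original post. It assumes “three or more letters from the username” means any run of three consecutive username characters, that any non-ASCII character counts as “Unicode”, and that the special-character set is the 33 printable ASCII symbols including space; the function names are made up for this illustration.

```python
import string

def categories(password):
    """Return which of the post's five character categories are present."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif ord(ch) > 127:
            found.add("unicode")   # assumption: any non-ASCII character
        else:
            found.add("special")
    return found

def shares_username_run(password, username, run=3):
    """Assumption: the username rule means any run of 3 consecutive
    username characters, compared case-insensitively."""
    p, u = password.lower(), username.lower()
    return any(u[i:i + run] in p for i in range(len(u) - run + 1))

def is_complex(password, username=""):
    """The rule as the post states it: length >= 6, no username run,
    characters from at least three of the five categories."""
    return (len(password) >= 6
            and not shares_username_run(password, username)
            and len(categories(password)) >= 3)

def keyspace(password):
    """Brute-force search space: (alphabet size) ** length, where the
    alphabet is the union of the ASCII categories the password uses.
    Non-ASCII characters are ignored, as the post does."""
    sizes = {"upper": 26, "lower": 26, "digit": 10, "special": 33}
    alphabet = sum(sizes[c] for c in categories(password) if c in sizes)
    return alphabet ** len(password)

def report(passwords, username=""):
    return [(pw, is_complex(pw, username), keyspace(pw)) for pw in passwords]

if __name__ == "__main__":
    # Passwords taken from the post; the username is a constructed sample.
    samples = ["July07", "Ju07ly", "$p0ttY", "HaUnChEofKslFnsoEasP"]
    for pw, ok, space in report(samples, username="sample.user"):
        print(f"{pw:22} complex={ok!s:5} keyspace={space:.3e}")
```

For “July07” this reproduces the 56,800,235,584 (62^6) figure. For the 20-letter password it gives 52^20, about 2.09e34; the 20-character figure quoted above equals 26^20.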

The rules…

Some of the rules we have so far are:

  • Avoid using dictionary words, or names of people/places.
  • Use long passwords – the longer the better.
  • Use special characters, but not in an obvious way.
  • Use both upper and lower case letters.

Don’t write it down…

The downside to obeying these rules is that you end up creating a password so complex, the only way to remember it is to write it down – usually on a piece of paper stuck on your monitor or under the mouse mat, or sometimes folded neatly in your wallet (with your bank cards!)

Methods…

So how do we create passwords that are both easily remembered and secure? Here’s one method…

Think of a short sentence that is easily remembered, for example: “My favourite movie is Titanic” or: “My husband never puts his socks away.” Then think of a way to shorten it into just one word like this: “My favourite movie is Titanic” becomes “MfmiT”. This is too short, so perhaps we could make it: “MyfavmovisTitan”. This is now 15 characters long and contains upper and lower case characters. We can now use special characters to increase the complexity: “My fav-mov=Titan”. The password is now 16 characters long, has three different special characters, and is also relatively easy to remember.

Another method to create a strong password is to come up with two passwords and then just join them together. For example, using our two bad examples from earlier, we can create this password: “July07$p0ttY”. Even though each password by itself is not that strong, the two combined make a much stronger password.

Useful tools…

Once you’ve come up with a password that you think is strong, you can use the password strength checker from Microsoft to test it out.

SecurityStats.com also has a password checker with a bunch of other tips too.


Jun 25 2007

System Center Essentials Links

Published by under Infrastructure

Microsoft’s new integrated infrastructure management product, System Center Essentials 2007, has recently been released in NZ. It’s a management solution for small and medium sized businesses that provides similar functionality to Microsoft’s enterprise products like SMS and MOM, with additional features relevant to the smaller businesses.

This should turn out to be popular in NZ as it targets a huge portion of companies that have up to 30 servers and less than 500 computers. Out of the box it includes licenses to manage 10 servers and 50 computers with additional license packs available to be purchased up to the 30/500 limit.

Here are some links which provide a good starting point to learn about the product:


May 25 2007

Introducing Windows Server 2008

Published by under Infrastructure

On the topic of books… The Windows Server Division Weblog has details on the about-to-be-released book called Introducing Windows Server 2008.

Here’s the list of chapters:

  1. Introduction
  2. Usage Scenarios
  3. Windows Server Virtualization
  4. Managing Windows Server 2008
  5. Managing Server Roles
  6. Windows Server Core
  7. Active Directory Enhancements
  8. Terminal Services Enhancements
  9. Clustering Enhancements
  10. Implementing Network Access Protection
  11. Internet Information Services 7.0
  12. Other Features and Enhancements
  13. Deploying Windows Server 2008
  14. Additional Resources


May 23 2007

More Step-by-Step Guides to read later

Published by under Infrastructure


May 16 2007

Reduced attack surface area

Published by under Infrastructure

Jeff Jones (Strategy Director in the Microsoft Security Technology Unit) has written a post about Server Core and how its reduced footprint increases security dramatically. The key here is “reduced attack surface area” as all of the most insecure areas of a server have been removed, such as IIS, Internet Explorer, Windows Media Player, etc…

However, pulling all these components out of a server has also reduced its functionality, which is why only the following roles are available: (taken from the excellent Server Core Step By Step Guide)

  • Active Directory Domain Services
  • Active Directory Lightweight Directory Services (AD LDS)
  • Dynamic Host Configuration Protocol (DHCP) Server
  • DNS Server
  • File Services
  • Print Server
  • Streaming Media Services

I’m a big fan of this approach and I can’t wait for Server Core to be improved so that the GUI is completely removed. I also hope that the modularisation of the components is improved so that the Web Server role becomes available as a Server Core option. It would seem to me that one of the best scenarios to implement a server with a “reduced attack surface area” would be on a public-facing web server.


May 12 2007

Server Core testing – Initial setup

Published by under Infrastructure

Now that I have a new Server Core installation ready for setup, I read through the Step by Step guide a bit more and continued on to the initial setup.

  1. Change the admin password
    As I mentioned in a previous post, when you create a new Server Core installation you are greeted with a logon box asking for a username and password. To log in you must use Administrator with a blank password and you’re presented with a command prompt window. Type the following to get a prompt to change the admin password:
    net user administrator *
  2. Set a static IP address
    This step wouldn’t be necessary if we were already running a DHCP server and wanted to use that to hand out IP addresses, but seeing as we’re setting up the first server in our domain, we need this one to have a static IP address. First step to perform is to run the following command to get the list of network adapters connected to the server:
    netsh interface ipv4 show interfaces
    Make a note of the “Idx” number of the connection as you’ll need this for the next command:
    netsh interface ipv4 set address name="Idx number" source=static address="ip address" mask="subnet mask" gateway="gateway address"
    You then need to add DNS servers to the IP configuration, but because this server will be my first DNS server, I’ll set the address to the localhost address like this:
    netsh interface ipv4 add dnsserver name="Idx number" address="127.0.0.1" index=1
    You can add further DNS servers if you wish by running the same command above while incrementing the index value at the end.
    You can check that the command has worked by running a standard “ipconfig” command.
  3. Rename the server
    I’m going to give this server the very creative name of: vmscdc1 (VMware, Server Core, Domain Controller 1) using the following command:
    Netdom renamecomputer CurrentComputerName /NewName:vmscdc1
    I forgot to mention that you need to get the current computer name first, using the hostname command. Once the command has run, it’s time to reboot the computer.

The next step will be to create the domain, which I’ll cover in the next post.


May 12 2007

Longhorn testing round 2

Published by under Infrastructure

Well this is interesting – my first, first-hand experience with Server Core. There’s only one command prompt window rather than the two that were present in previous betas. There is still a GUI, and you can run several apps such as Notepad, Task Manager, Regedit, which are probably the three most useful GUI apps I can think of off the top of my head, so that’s all good.

When you first log in to the server after install, you’re presented with a Vista-like logon window. I correctly assumed I would need to log in with “Administrator” and a blank password although this isn’t obvious. (No, I haven’t read the docs yet!) Once you’re logged in, you just get the command prompt window, but I think it would be better to get you into some sort of utility to force you to change your password to something more secure.

Next issue I ran into was how to install VMware Tools, or – did I need to install VMware Tools? I decided to give it a crack and found this article on the VMware support site which explains how to install the Tools silently from the command prompt. I used the following command as I didn’t want to install the Shared Folders feature, which I never want on a server:

    msiexec -i "D:\VMware Tools.msi" ADDLOCAL=ALL REMOVE=Hgfs /qn

This didn’t go 100% well, as there were a couple of error messages that popped up about missing DLLs but I guess that would be expected with a Server Core system. The VM then rebooted and when it came back up, VMware Tools were installed.

At this point I thought I’d take a break and read through the Server Core Step by Step Guide. First I read this:

A server running a Server Core installation supports the following server roles:

  • Active Directory Domain Services (AD DS)
  • Active Directory Lightweight Directory Services (AD LDS)
  • DHCP Server
  • DNS Server
  • File Services
  • Print Server
  • Streaming Media Services

So no web server role – which actually makes sense because I remember that the Dot Net Framework isn’t supported on Server Core, which is also the reason why PowerShell isn’t supported on Server Core either. But a Server Core Web Server seems ideal though because it is most vulnerable to attack (internet facing) so you would want it as stripped down as possible. So as my initial idea of the web server wasn’t going to work, I decided to forge ahead and create a domain controller for a new domain. (To be continued)


May 12 2007

Longhorn testing round 1

Published by under Infrastructure

Longhorn 1 – Stuart 0

First round of Longhorn didn’t go well, but I’ve only got myself to blame. I installed a Standard edition of Longhorn into VMware Server which all went fine. Then I jumped straight into the new Server Manager, and went a bit crazy and selected a whole bunch of roles at once.

Needless to say, the installation of the roles failed and I couldn’t be bothered trouble-shooting it so I just deleted the vm and decided to think of a better way to test. So I’ve decided to set up a bunch of servers for specific roles instead. The first one that I’ll be doing is a dedicated web server running the new IIS 7. I’ll also try it with just the Server Core version installed as there’s no need for a GUI shell on a web server.

We’ll see how this one goes, but other roles I’ll set up later will be a dedicated terminal server, and perhaps a trusty old file server too.


May 11 2007

Windows Server 2008

Published by under Infrastructure

Most people are expecting Longhorn to eventually become officially known as Windows Server 2008, but it looks like Microsoft have inadvertently let the cat out of the bag by posting a link to the “Windows Server 2008 Reviewers Guide” on the WinHEC press site. Eagle-eyed Mary Jo Foley picked up on it and grabbed a screenshot before Microsoft sneakily changed the link back to its current name, Longhorn.

Of course, perhaps Microsoft did this on purpose to throw us eager bloggers off their scent, and there’s still a chance that it will be called Longhorn Server… (but I doubt it.)
