How to set the default location for NLA.

Problem: 

 Users do not have Internet access after connecting to wireless networks. Network Location Awareness (NLA) appears to hang on identifying network.

Additionally, defining the default location is important because it directly impacts firewall rules. It’s not prudent policy to open client ports on an untrusted hotspot.

 Solution: 

 Use Group Policy to pre-define the default network location for unidentified AND identifying networks.
GPO: Computer Configuration → Policies →Windows Settings → Security Settings →Network List Manager Policies → (a) Unidentified Networks and (b) Identifying Networks.

Network Name:  

• Outbound:  Most outbound traffic permitted.
• Inbound:  Unsolicited SMB (e.g., file and print sharing). 

Problem:

Microsoft Office is vulnerable to memory corruption vulnerabilities.  Malicious emails, sent in rich text format (RTF), can provide attackers remote code execution (RCE).  In other words, RTF emails are not safe!

Versions:  

Common vulnerability and exposure (CVE) CVE-2016-0127 impacts Office 2007, Office 2010, and Office 2013.

Solution:  

1. Run Windows Updates on a regular basis.    
2. Enable Microsoft Office File Block Policy to block RTF documents.

Disable RTF in Office 2007:  

Disable RTF in Office 2010:  

Problem:  How to auto-config RemoteApp webfeed on Thin PC.

Solution:  Push the RemoteApp webfeed URL via GPO registry

1. Launch Registry Editor with regedit.
2. Locate the following hive:  HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft
3. Create a new key in the above hive:  Name the key:  Workspaces.
4. Create a new key in the newly created Workspaces hive.  Name the key:  ResourceType.
5. Restart.

Problem:  

Import VMWare virtual machine (VM) into Hyper-V hypervisor.  Convert VMDK virtual disk into VHDX disk.

Solution:  

Use Microsoft Virtual Machine Converter (MVMC) 3.1 to import and convert the VMWare ESXi VM into Hyper-V.

Background:   

The MVMC GUI provides a simple import wizard.  Please note, the GUI only imports VMWare hypervisors (including ESXi) connected to VMSphere.  MVMC PowerShell commands can convert stand-alone ESX and ESXi VMs.

Convert:

1. Download MVMC.  The Microsoft download sites lists MVMC as 3.0.  N.B., the file installs version 3.1.
2. Install MVMC on Hyper-V host.
3. Uninstall VMTools from VMDK VM.
4. Copy VMDK to Hyper-V host.
5. Open PowerShell.  Import MVMC PowerShell library.
   
   Import-Module "C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1"
6. Use PowerShell to convert VMDK to VHD.  N.B., Do not use VMDK_Flat file!
   
   PS D:\TMP> ConvertTo-MvmcVirtualHardDisk -SourceLiteralPath "D:\VMS\DEV.vmdk" -DestinationLiteralPath "S:\VMS" -VhdType DynamicHardDisk
7. Create new VM in Hyper-V.  Add newly created (i.e., system) disk to IDE adapter.  Additional disks can use the SCSI adapter.  This is the time to configure dynamic memory or add additional CPUs.
   N.B., Do not resize the disk until after the VM starts at least once in Hyper-V!
8. Start-up VM.  Install Hyper-V tools.  Restart.
9. Optional:  New NIC "hardware" causes problems with retaining preexisting static IPs.  Resolve problem by deleting the network adapter and restating.  Windows creates a new network adapter upon start-up.  Manually add IP addresses into new adapter.

Summary:  

Create a domain security group that manages local administrators.  This process allows domain users (i.e., non-domain administrators) to administer computers. 

Problem:  

System Administrators log onto workstations and servers with their domain admin account.  Casual use of domain administrator accounts put the entire organization at risk of compromise from malware, keyloggers, and hash attacks.

Additionally, attackers may compromise services or scheduled tasks run with local system privileges.  This can provide a foothold that compromises the system. 

Goal:  

Prevents network administrators from using their Domain Admin accounts for general purposes.  Implement a general purpose administrative account.

Solution:  

Implement GPO restricted groups provide administrator (i.e., non-domain admin) to manage computers. Steps:

1. Create new security group in AD.  This group will be used to manage computers.  Add domain users to this group as needed.
    
2. Create Restricted Group GPO.
   
   Computer Configuration\Policies \Windows Settings\Security Settings\Restricted Groups\
   
   
3. Right click on Restricted Groups.  Left click on Add Group. 

• Members of this group (i.e., domain group):  New AD security group created in Step 1.
•  The Group is a member of (i.e., local group):  This is the local security group for each workstation (e.g., Administrators).

      4.  Assign new GPO to AD OU.  Wait for change to propagate.
  No more unnecessary use of domain admin accounts.  That's It!

References:

https://support.microsoft.com/en-us/kb/279301
http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx

Problem: 

   Staff receive Windows Update message when logging onto the RDP server.  This problem confuses end users and causes unnecessary calls to help desk. 

Background: 

   Remote desktop servers receive regular updates on Patch Tuesday. However, this problem was accentuated after Microsoft changed their patching policy to expedite out-of-band patches. 

Solution: 

Create new GPO policy to hide Windows Update messages on the RDP server.

    GPO Setting Path:  

      User Configuration\Policies\Administrative Templates\Windows Components\Windows Update

    GPO Policy:   

      Remove access to use all Windows Update features 

    GPO Attribute:  

     Enabled: 0. Do not show notifications. 

Note:  

   This is a User Configuration setting -not a Computer Configuration.  Enable Loopback processing to ensure changes apply to all users that logon.  

    GPO Loopback Path:

      Computer Configuration\Policies\Administrative Templates\System/Group Policy\

    GPO Loopback Policy: 

     Configure user Group Policy loopback processing mode

    GPOLoopback Attribute:

     Enabled

   

Problem:  Hosted Cache server's SSL certificate expired.  New certificate has a different thumbprint.  Error when linking the new certificate thumbprint to BranchCache server.

Error:  SSL Certificate add failed, Error: 183.  Cannot create a file when that file already exists.

Solution:  You cannot associate a new certificate to the BranchCache server until the old certificate information is deleted from HTTP.sys.  Use the following commands to correct the problem:

C:\Users\Administrator> netsh http delete sslcert ipport=0.0.0.0:443
SSL Certificate successfully deleted 

Link the new certificate after the old certificate is deleted from HTTP.sys:

netsh http add sslcert ipport=0.0.0.0:443 certhash=xxxxxxxxxxxxxxxx appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

Error:  "The trust relationship between this workstation and the primary domain failed".  

Background:  Domain logon fails because the computer password is outdated.  The machine password updates every 30 days.  This problem occurs when adding a computer to the domain with the same name, or restoring a computer from backup (e.g., VM snapshot).

Solution:    First and foremost, ensure computers have a local Administrator account and password before this problem occurs!

• Create a unique (i.e., new) administrator account and password for each computer.  
• Document the information.
• Disable the default local "administrator" account. 

Use the local administrator account to log onto the computer after the domain authentication fails.  One of the following steps will fix this issue:

Netdom:
netdom.exe resetpwd /s: /ud: /pd:*
= a domain controller in the joined domain
= DOMAIN\User format with rights to change the computer password

 Netdom is not available with every version of Windows.

• Standard with Windows 2008 R2.
• Standard with Vista.
• Install Netdom on Windows 7 with the Remote Server Administration Tools (RSTAT).
• Powershell replaces netdom,exe in Windows 2012 and Windows 8

PowerShell:
Reset-ComputerMachinePassword [-Credential ] [-Server ]

Note:  "-Server" represents the local domain controller.

GUI:

Alternately, Microsoft recommends removing the computer from the domain:

Control Panel > System > Computer Name > Change settings > Add computer to a workgroup > Restart > Repeat process and add computer to the domain.




References:

https://support.microsoft.com/en-us/kb/2771040
https://support.microsoft.com/en-us/kb/325850
https://technet.microsoft.com/en-us/library/hh849751.aspx