Disable Remote Desktop/ Remote Assistance by GPO

Remote Desktop
Computer Configuration/ Administrative Templates/ Windows Components/ Terminal Services
Allow users to connect remotely using Terminal Services = Disable
Do not allow local administrators to customize permissions = Enable

Remote Assistance
Computer Configuration/ Administrative Templates/ System/Remote Assistance
Solicited Remote Assistance = Disable
Offer Remote Assistance = Disable

วิธีเปลี่ยน Port ของ Remote Desktop/ Terminal Server

ไปที่ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

ที่ subkey PortNumber ให้เปลี่ยนเป็น port ที่ต้องการ เช่น 3388 (default คือ port 3389)
เสร็จแล้ว reboot ก่อน 1 ครั้ง

การ connect จากเครื่อง Client ให้ใส่ port number หลังจากชื่อหรือ ip server เช่น

192.168.0.1:4000 หรือ myserver.com:8000

Configure RDP over SSL with SelfSSL

Windows 2003 Service Pack 1 included a new feature, RDP over SSL. This feature will allow you to use TLS authentication and encryption with your RDP connections using SelfSSL to create the SSL certificate. It still uses RDP and TCP port 3389 so your firewall rules should not need to be modified.

Before we get started there are a few pre-requisites on both the server side and client side that need to be met first.

Server-side

- The Terminal Server must run 2003 SP1
- The Terminal Server must have a certificate from a Windows CA or a 3rd Party CA
- The certificate must meet the following criteria
- Certificate is a computer certificate
- Certificate is for server authentication
- Certificate must have a private key
- Certificate is stored in the TS personal store
- Certificate has a Crytographic Service Provider that can be used for TLS/SSL

Client-side

- Must run Windows 2000, Windows XP, or Windows 2003
- Must use RDP Client 5.2, this can be found on the 2003 SP1 server under %systemroot%system32clientstsclientwin32msrdpcli.msi
- Must trust the root CA for the certificate

If you do not have a CA, don't wish to spend money on a "real" SSL cert, or just want to do some testing, you can use SelfSSL from the IIS 6.0 Resource Kit. Once you have downloaded and installed SelfSSL, run it with the following command

SelfSSL.exe /CN=domain.com /V:365



The command will create and install a certificate for domain.com that is valid for 365 days. If you do not have IIS installed, you may get an error message but you can ignore this message, the SSL certificate is still created and installed. The CN must be the name you will be accessing the TS with.

Next open up Administrative Tools, and launch the Terminal Server Configuration applet. Right-click RDP-Tcp and select properties.



Click Edit next to the Certificate, you will be shown the SSL certificate that SelfSSL created. Select it and click OK



Next, select SSL from the Security Layer drop down box and set the Encryption Level to High.



Now you will need to install the new RDP client on all workstations that will be accessing the Terminal Server. You will notice a new tab under the connection properties called Security. Select this tab and then choose Require Authentication from the drop down.



When you try to connect, you will be denied access because the SSL cert is not trusted. Click View Certificate, and then Install to install the certificate to the local machines certificate store.



Attempt to connect again and the connection will be allowed. You are now connected through RDP over SSL. If you are connected in full screen mode, you will see the SSL lock symbol next to the pushpin in the yellow toolbar.

For more information see:

Windows Time Services

เครื่องทุกเครื่องที่อยู่ใน Domain จะ Sync time มาจาก PDC Master แล้ว PDC Master ก็จะ Sync time มาจาก Time Server ภายนอกอีกทีปกติแล้วจะเป็น time.windows.com เราวิธีตรวจสอบว่า Sync time มาจากไหนได้จากคำสั่ง
net time /querysntp

For Windows XP
ถ้าต้องการเปลี่ยน time server ใช้คำสั่ง
net time /setsntp:pool.ntp.org
เสร็จแล้วสั่ง restart windows time service จากคำสั่ง
net stop w32time
net start w32time

For Windows Server 2003

net time /setsntp:pool.ntp.org
w32tm /config /update
w32tm /resync /rediscover /nowait

ถ้ายังไม่ได้ผลให้ลงโปรแกรม SP TimeSync ที่เครื่อง Domain Controller ที่เป็น PDC Master (หา PDC Master ได้จาก Active Directory User and Computer ตรง Operation Master) เลือก Version ที่เป็น Unicode สำหรับ Windows Server 2003

Terminal Server Performance Tweaks

The first thing to do is to override some desktop settings to reduce the amount of screen refreshes, which lowers bandwidth used, which makes the TS respond "faster". First we will remove Windows Resize Animation, when a user minimizes or maximizes a window it will be immediate, and not shrink slowly on its way down to the task bar. Open up the registry with regedit and browse to:

HKLMSYSTEMCurrentControlSetControlTerminalServerWinStationsRDP-TcpUserOverrideControl PanelDesktop

And change these values:

"AutoEndTasks" REG_SZ "1" (terminates programs that aren’t responding)
"CursorBlinkRate" REG_SZ "-1" (prevents the cursor from blinking, cutting down on screen redraws)
"DragFullWindows" REG_SZ "0" (disables "show contents" while dragging a window)
"MenuShowDelay" REG_SZ "10" (delay for showing submenus)
"WaitToKillAppTimeout" REG_SZ "20000" (number of milliseconds to wait before terminating an application that has stopped responding)
"SmoothScroll Dword" REG_DWORD "00000000" (disables smooth scrolling)
"Wallpaper" REG_SZ "(none)" (disables wallpaper)

Now browse over to:

HKLMSYSTEMCurrentControlSetControlTerminalServerWinStationsRDP-TcpUserOverrideControl PanelDesktopWindowMetrics

And change this value:

"MinAnimate" REG_SZ "0" (disables the animation when resizing a window)

If any of these keys, subkeys or values do not exist, create them. This will not really improve server performance but it will enhance the user experience and make it appear to be faster to end users, which hopefully cuts down on complaints. For your convenience I have written a REG file which you can get here. Save as tsperf.reg and run it on the terminal server.

Terminal Services Command Line Administration

Managing your Windows 2003 Terminal Server can be done faster and easier with a few simple command line tools. There are a lot of them so hang on!

Change User - When installing applications on a terminal server you must be in Install Mode. To toggle the system between Install and Execute Modes, you can use the Change User commands.

To switch to Install Mode:
CHANGE USER /install

To switch to Execute Mode:
CHANGE USER /execute

Change Logon - To quickly disable or enable the ability to logon to the terminal server you can use the Change Logon command. This will not affect currently logged on users.

To enable new logons:
CHANGE LOGON /enable

To disable new logons:
CHANGE LOGON /disable

Query TermServer - Lists all terminal servers in the current domain.

QUERY TERMSERVER [/domain:domain] [/address][/continue]

/domain:domain - specifies the domain (current logged on domain is default)
/address - lists the IP address of the terminal server
/continue - removes the pause between ouput screens

Query Session - Lists all current sessions running on a terminal server.

QUERY SESSION [sessionname username sessionid][/server:servername] [/mode] [/flow] [/connect] [/counter]

sessionname is the name of the session that you want to query
username is the name of the user you want to query
sessionid is the ID of the session you want to query
/server:servername is the name of the server you are querying
/mode outputs the current line settings
/flow outputs the current flow control settings
/connect outputs the current connection settings
/counter outputs the counter information for the server

Query User or Quser - Lists all current users on a terminal server

QUERY USER [username sessionname sessionid] [/server:servername]

sessionname is the name of a specific session that you want to query
username is the name of the specific user you want to query
sessionid is the ID of the specific session you want to query
/server:servername is the name of the server you are querying

Query Process - Lists all processes running on the terminal server.

QUERY PROCESS [ x processid username sessionname /id:nn programname] [/server:servername] [/system]

x lists information on all processes (note - replace x with an asterisk)
processid lists information about only the specific process ID
username lists processes running under the context of a specific user
sessionname lists processes running under the context of a specific session
/ID:nn lists processes running in the session with the specified session ID number
programname lists all processes started by the specified executable
/server:servername is the name of the server you are querying—the default is the server
you are logged on to
/system lists processes running under the system context

TSShutdn - Will shutdown/reboot the terminal server after a specified delay.

TSSHUTDN [wait_time] [/server:servername] [/reboot] [/powerdown] [/delay:logoffdelay] [/v]

wait_time is the number of seconds to wait after notifying the users that the terminal
server is about to shut down before forcibly logging them off (the default is 30 seconds)
/server:servername is the name of the server to reboot/shutdown (the default is the server
to which you are connected)
/reboot reboots the server
/powerdown powers down the server after Windows has shutdown; the server’s BIOS
must support this command
/delay:logoffdelay the number of seconds to wait after logging out all users before
shutting down the system (the default is 30 seconds)
/v displays verbose information about actions being performed

Logoff - Will logoff the specified user off the terminal server and close the session. Caution, if you don't specify a user it will log you off!

LOGOFF [sessionid sessionname] [/server:servername] [/v]

sessionid is the ID of the session you want to logoff
sessionname is the name of the session you want to logoff
/server:servername specifies the name of server on which the session you want to logoff is running /v displays verbose information about actions being performed

Reset Session - Will kill the specified users session without warning which can be useful when a users session is stuck. Caution, if you don't specify a user it will kill your session!

RESET SESSION [sessionname sessionid] [/server:servername] [/v]

sessionid is the ID of the session you want to logoff
sessionname is the name of the session you want to logoff
/server:servername specifies the name of server on which the session you want to logoff is running /v displays verbose information about actions being performed

MSG - Will popup a message on the specified user(s) terminal server session.

MSG [username sessionname sessionid @filename x ][/server:servername] [/time:seconds] [/v] [/w] message

username is the name of the user to whom you are sending the message
sessionname is the session name to which you want to send the message
sessionid is the ID number of the session to which you want to send the message
@filename is the name of a text file containing usernames, sessionnames, or session IDs
to which you want to send the message
x sends the message to all users on the current or specified server (note - replace x with an asterisk)
/server:servername specifies the server where recipients of the message are connected
/time:seconds the number of seconds to display the message before the popup closes itself
/v displays information about the message as it is sent
/w causes the popup window to wait for the user to click OK before closing
message is the text of the message to send

Shadow - Will allow you to shadow or take control of a users session.

SHADOW [sessionname sessionid] [/server:servername] [/v]

sessionid is the ID of the session you want to logoff
sessionname is the name of the session you want to logoff
/server:servername specifies the name of server on which the session you want to logoff is running /v displays verbose information about actions being performed

TSProf - Will update, copy or display the Terminal Server users profile path and/or data.

TSPROF /update [/domian:domainname /local] /profile:path username

TSPROF /copy [/domian:domainname /local] [/profile:path] src_user dest_user

TSPROF /q [/domian:domainname /local] username

/update populates the user domainnameusername’s Terminal Services profile path
/copy copies the Terminal Services profile from the source (src_user) to a different user (dest_user)
/q displays the Terminal Services Profile path for the specified user

Failure Codes ของ Event ID 675 และ 680 ใน Security log

Audit Account Logon - Means people connecting across the network
Audit Logon Events - Means a keyboard logon, someone at the very Domain Controller

675 Pre-authentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
680 Successful or Failed logon attempt.

ถ้าต้องการจะดู Failure Codes ของ Event 675 กับ 680 จะต้องเลือกทั้ง Success และ Failuer Event

Event ID 680 จะใช้ log เหตุการณ์ success หรือ failure logon ซึ่งจะมี NT Status Code อยู่ 6 code ที่บอกรายละเอียดของ Event ID 680 นี้ เราสามารถใช้ในการตรวจสอบและแก้ปัญหาที่เกิดขึ้นได้

0xC000006A - This code means that a user has tries to log on and entered the password incorrectly.

0xC000006F - This code means that the user was prevented from logging on due to a logon time restriction.

0xC0000064 - This code appears when someone tries to logon with a non-existant account.

0xC0000070 - This code appears when a user attempts to logon to a computer that they are not allowed to logon to.

0xC0000071 - This code appears when the users password has expired.

0xC0000072 - This code appears when a user has entered the wrong password too many times and the account has been disabled.

สำหรับ Event ID 675
0x6 The username does not exist
0x17 The account has expired
0x18 Username exists, but password is wrong
0x25 Workstation's clock is out of synch

Share and NTFS permission

ตั้งแต่ Windows XP SP1 กับ Windows 2003 เป็นต้นมา จะกำหนด default share permission ให้เป็น Read Only จากเดิมที่เป็น Full Controll สำหรับ Everyone Group แต่อย่างไรก็ตามเราควรที่จะเอา Everyone ออกแล้วใส่เป็น Authenticated Users หรือ Domain Users group จะดีกว่า

นอกจากนี้ควรกำหนด NTFS Permission ที่ Root Drive ให้ Administrator มีสิทธิ Full Controll และเอา User หรือ Group อื่นออก เพิ่อความปลอดภัยและง่ายในการสืบทอดสิทธิในภายหลัง เช่น home directory เป็นต้น

การใช้ Group Policy Security Filter apply GPO ให้กับ Group หรือ User

โดยปกติแล้ว GPO จะสามารถ apply ได้กับเฉพาะ Local PC, Domain, OU เท่านั้น แต่มีวิธีที่จะทำให้ GPO สามารถ apply ให้กับ Group หรือ User ได้โดยใช้ Group Policy Security Filter เข้ามาช่วย โดยการสร้าง GPO ขึ้นในระดับ Domain แล้วใช้การกำหนดสิทธิให้ Group/User ที่ต้องการบังคับใช้ GPO ให้มีสิทธิ Read, Apply Group Policy

1. เปิด Properties ของ Domain ขึ้นมา ไปที่ tab Group Policy Object กดปุ่ม Properties ของ GPO จะเปิด Windows ใหม่ขึ้นมา ไปที่ Security tab
2. จะเห็น Authenticated Users ได้สิทธิเป็น Read and Apply Group Policy ซึ่งจะหมายถึงทุกๆ Users ที่สามารถ Login เข้า Domain สำเร็จ จะโดนบังคับโดย GPO
3. ให้เอา check box Apply Group Policy ของ Authenticated Users ออก ให้มีสิทธิ Read ได้อย่างเดียว
4. add User หรือ Group ที่ต้องการให้ GPO มีผลบังคับใช้เข้าไป ให้มีสิทธิ Read and Apply Group Policy แทน
5. GPO จะ apply ไปบน User หรือ group นั้นเท่านั้น ถึงแม้ว่าจะเป็น Group Policy ที่สร้างขึ้นในระดับ Domain ก็ตาม

Secure Windows 2003 DC

By locking down access to the DC and its files, there are a number of Group Policy settings you should apply. The first set are located under Computer Configuration Windows Settings Security Settings Local Policies

User Rights Assignment
- Allow logon locally - allow only administrative groups i.e. Domain Admins
- Allow logon through Terminal Services - allow only administrative groups i.e. Domain Admin
- Back up files and folders - allow only administrative groups i.e. Domain Admins

Security Options
- Network access: Allow anonymous SID/Name translation - Disabled
- Network access: Do not allow anonymous enumeration of SAM accounts and shares - Enabled
- Network access: Let Everyone permissions apply to anonymous users - Disabled
- Network security: LAN Manager authentication level - Send NTLMv2 response only
- Network security: Do not store LAN Manager hash value on next password change - Enabled

Disable Windows Firewall and System Restore via GPO.

Disable Windows Firewall
เปิด GPO properties ขึ้นมาแล้วไปที่ Computer Configuration/Administrative Template/Network/Network Connection/Windows Firewall/ Domain Profile/Windows Firewall:Protect all Network Connection = disable

Disable System Restore
อยู่ที่ Computer Configuration/Administrative Template/System/System Restore/Turn Off System Restore = Enable และ Turn Off Configuration = Enable

Disable Simple File Sharing by Custom Administrative Template

;Disable Simple File Sharing by Custom Administrative Template

CLASS MACHINE
CATEGORY !!category
CATEGORY !!WindowsExplorer
POLICY !!SimpleFileSharing
KEYNAME "SYSTEM\CurrentControlSet\Control\Lsa"
EXPLAIN !!SimpleFileSharing_Explain

VALUENAME "ForceGuest"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0

END POLICY
END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
SimpleFileSharing="Simple File Sharing"
WindowsExplorer="Windows Explorer"
SimpleFileSharing_Explain="Enable to enable Use simple file sharing.Disable to disable Use simple file sharing."

;end

1. save file ให้มีนามสกุลเป็น .adm แล้ว copy ไปใส่ใน folder c:\windows\inf
2. เปิด active directory user and computer ขึ้นมาเพื่อ set GPO ให้กับ OU
3. เปิด Properties ของ GPO ขึ้นมา browse ไปที่ Computer Setting/Administrative Template/ คลิกขวา เลือก Add Remove Template เลือก Add แล้ว Browse ไปที่ .adm ที่สร้างขึ้น
4. จะมี Custom Policy Setting เพิ่มขึ้นมาให้เลือก Enable/Disable Simple File Sharing ได้
5. เปิด Command Promt สั่ง gpupdate /force /target:computer เพื่อสั่งให้ Client มา update policy ใหม่ไป

Note
- Simple File Sharing จะทำ authentication โดยใช้ User = guest
- ถ้า enable simple file sharing จะทำให้มองไม่เห็นแถบ Security สำหรับเอาไว้ set permission ดังนั้นจึงควร disable simple file sharing + disable guest account

วิธีแก้ W3073 Unable to logon as user. (USER=administrator, EC=logon failure: unknown user name or bad password.)

The W3073 is caused by the ARCserve system account password being incorrect - run up server admin and specify the correct security credentials, stop and start the services by cstop.bat and cstart.bat

การดูรายละเอียดของ User โดยใช้ Acctinfo.dll (thelazyadmin.com)

หา download ได้ฟรีจาก Windows 2003 Resource Kit แล้วสั่ง
regsvr32 %systemroot%\system32\acctinfo.dll
จะทำให้ในแถบ User Properties ของ Active Directory User and Computer มีแถบ Additional Account Info เพิ่มขึ้นมา