source: http://www.petri.co.il/forums/showthread.php?t=52923
Hi
I'd like to ask for some help and discussion about forum members'
experiences and approaches to Windows file auditing. My network is a
Windows 2008 Domain. There are 35 machines in the domain.
I was playing around with this yesterday and enabled auditing on our
Windows 2008 Storage Server. I did this via the local security policy:
Security Settings>Local Policies>Audit Policies>Audit object
access and checked both success and failure. I had also set this via the
default domain policy.
Next, I turned on auditing for Authenticated Users for one folder and
all its subfolders. There were about 15 - 20 people accessing data from
this folder. I turned on the following Success Audit settings for the
folder: Traverse folder/execute file, List folder/read data, Create
files/write data, Create folders/append data, Delete subfolders and
files and Delete.
Just before I did this I saved and cleared the Security log and configured it to archive events when the log exceeded 20MB.
Everything worked as it should - I could see security events being
logged that showed Event IDs 5140 Share accessed, 4656 handle
requested, 4658 handle closed, 4663 attempt to access object, and 4660
object deleted.
What I was not expecting was that the security log would log so
many events. In one hour 380MB of logs had been archived. One of the
archived logs (remember they are 20MB each), was created and archived in
just 20 seconds, but on average it took about 10mins for the 20MB limit
to be reached.
So, after an hour's worth of logging I turned auditing off at both the
local and GPO level, and removed auditing from the folder.
Today, I enabled auditing via the local security policy only, leaving
the GPO auditing settings alone (Audit object access = Not defined), and
set up auditing for the same folder exactly as it was configured
yesterday. The logging is far less intense than it was yesterday. In
nearly three hours the log is just over 3MB in size which is quite
acceptable (or is it?).
So, what did I do wrong? Is it wrong to have both GPO and local security
policy audit settings duplicated? What sort of log size do others see
when object access auditing is turned on? Any good tips or tricks out
there that anyone would like to share?
Thanks!
Tuesday, January 8, 2013
SBS 2008 and Terminal Server CALS Licensing
source: http://forums.techsoup.org/cs/community/f/20/p/27644/96161.aspx#96161
When you purchase SBS 2008 you actually get two licenses. One for the SBS 2008 running on one computer (this is the SBS package which includes Windows Server 2008, Exchange, WSUS, Hyper-V, and other stuff) and also a license for a 2nd Windows Server 2008 that can run on an additional computer.
The main SBS computer's Client Access Licenses (CALs) (in your case 5) can be used to access that computer locally, or to access it remotely using a feature called Remote Web Workplace (RWW). This is not terminal services.
If you install the Server 2008 license on a second computer and join it to the SBS domain, then you can install Terminal Services and the Terminal Services license manager on that second server. At that point you have to purchase Terminal Services CALs (TS CALs) and install them into the license manager. These are NOT the same as the server CALs that came with SBS 2008.
Terminal Services presents a remote desktop to each licensed user or device when they log in. Remote Web Workplace allows each user to control and use his workstation remotely just as if he was sitting at his desk.
I suggest buying the "Windows Small Business Server 2008 Administrator's Companion" by Russel and Crawford for additional understanding of SBS. It's not hard to use SBS, but you do need to learn some server technologies which can be more easily grasped by reading rather than by trying to figure it out.
Hal
Saturday, January 5, 2013
How to Configure SBS 2008 to Host POP3/IMAP4
19 Sep 2008 9:00 AM
[Today's post comes to us courtesy of Shawn Sullivan]
Today’s post will discuss the steps necessary to allow your SBS 2008 server to host POP3 and IMAP4 services for external clients. This process consists of four parts:
- Enabling the POP3/IMAP4 services on the SBS 2008 server.
- Port forwarding POP3/IMAP4 through the firewall to the SBS 2008 server.
- Configuring Exchange 2007 for authenticated client SMTP relay.
- Configuring POP3/IMAP4 and SMTP settings on the client.
Enabling POP3/IMAP4 on SBS 2008
After SBS 2008 setup completes, the POP3 and IMAP4 services are both stopped and set to manual for startup type. You can run the services.msc console to start them and change the startup type to automatic.
Launch the Exchange Management Console as administrator and expand Server Configuration > Client Access and click on the POP3 and IMAP4 tab. Here you can view the banner string, binding, authentication, connection, and retrieval settings for both services.
Launch the Exchange Management Shell as administrator and run Get-ImapSettings | fl or Get-PopSettings | fl to get the complete list of configuration settings in one list.
By default, both the POP3 and IMAP4 services require a TLS authenticated connection using an X.509 certificate. Exchange setup creates a certificate matching the server’s internal fully qualified domain name (FQDN) and configures both services to use it for TLS. When you run the “Internet Address Management Wizard” to configure your external FQDN, another certificate matching your external address is created and configured for POP3 and IMAP4 services. You can view your Exchange certificates in the Exchange Management Shell with Get-ExchangeCertificate.
You need to change the certificate that POP3 and IMAP4 use for TLS to the certificate that has been created by the “Internet Address Management Wizard”. This is done either through the management console or shell.
Run Set-PopSettings or Set-ImapSettings with the -X509CertificateName option and enter the name of the certificate.
Or open the properties of POP3 or IMAP4, click on the Authentication tab, and enter the certificate name.
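The steps in this section as one Exchange Management Shell session. This is an added example, not part of the original post: it starts both services, confirms that an unexpired certificate covering the external name exists before pointing POP3 and IMAP4 at it, and then shows the resulting settings. The FQDN is a placeholder, and using it as the certificate name is an assumption.

```powershell
# Added example for the Exchange Management Shell, run as administrator.
# $ExternalFqdn is a placeholder for the address configured in the
# Internet Address Management Wizard.
$ExternalFqdn = 'remote.example.com'

# Both services are stopped and set to Manual after SBS 2008 setup.
foreach ($svc in 'MSExchangePOP3', 'MSExchangeIMAP4') {
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc
}

# Look for a certificate that covers the external name and has not expired.
$certs = @(Get-ExchangeCertificate -DomainName $ExternalFqdn |
    Where-Object { $_.NotAfter -gt (Get-Date) })

if ($certs.Count -eq 0) {
    Write-Warning "No valid certificate found for $ExternalFqdn; settings left unchanged."
}
else {
    $certs | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

    # Assumption: the certificate name expected here is the external FQDN.
    Set-PopSettings  -X509CertificateName $ExternalFqdn
    Set-ImapSettings -X509CertificateName $ExternalFqdn

    # POP3/IMAP4 setting changes take effect after the services restart.
    Restart-Service -Name 'MSExchangePOP3', 'MSExchangeIMAP4'

    # Confirm the certificate name, login type and bindings now in effect.
    Get-PopSettings  | Format-List X509CertificateName, LoginType, UnencryptedOrTLSBindings, SSLBindings
    Get-ImapSettings | Format-List X509CertificateName, LoginType, UnencryptedOrTLSBindings, SSLBindings
}
```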
Port forwarding POP3/IMAP4 through your firewall to the SBS 2008 server
For POP3, you need to open either TCP 110 or 995. For IMAP4, open either TCP 143 or 993, depending on whether you are configuring the client to encrypt the traffic with SSL or not. Whatever ports you are opening, they need to point to the IP address of the SBS 2008 server.
Windows Firewall is enabled on SBS 2008 by default with exceptions for both POP3 and IMAP4. Configuration changes will not be necessary.
Configuring POP3/IMAP4 settings on the client
Other than choosing the FQDN of the server you are connecting to and configuring user account settings, there are a couple of things to note about client setup.
To comply with Exchange’s default settings, Microsoft clients like Outlook, Outlook Express, or Windows Mail will need to configure POP3 to connect using SSL (port 995).
For IMAP, Outlook 2007 will allow you to authenticate with TLS using port 143. Earlier versions of Outlook, Outlook Express, and Windows Mail will need to connect using SSL (port 993).
If you are configuring your SBS 2008 server as your outgoing SMTP server, then you will need to authenticate using TLS on port 587. Once again, full details in the following blog post: How to Configure Trusted SMTP Relay in Exchange on SBS 2008.
source: http://blogs.technet.com/b/sbs/archive/2008/09/19/how-to-configure-sbs-2008-to-host-pop3-imap4.aspx
Friday, December 7, 2012
Here is how to unbrick your tplink TL-WR1043ND (and possibly others too)
First you will need to download putty and tftpd server
next you will need to find a USB to TTL cable
Once you have your cable refer to this picture to hook it up
http://wiki.openwrt.org/_media/inbox/wr1043ndserial.jpg
or look at your board and you will see 4 pin sockets...
P1 - [vcc3.3v] [gnd] [rx] [tx]
Some just stick a cable and tape it in each socket, I did a 5 min solder job and got in a staple pin in each socket and trimmed off the excess with a nail cutter.
Also I ordered a $3 USB to serial / TTL cable from China and it worked like a charm. Mine is a 2303hx prolific.
REMEMBER TO REVERSE THE Tx and Rx with your cable !!! IMPORTANT !!!
NOTE: I didn't use the VCC connection only the GND Tx and Rx if you use the VCC use +3.3v connection
Once you have hooked up your cable correctly follow these instructions and you will be fine.
1. Download modified original firmware that has first 0x20200 cut off, or use any sysupgrade firmware. (I used a sysupgrade firmware)
2. Gain access to the serial port and hook it up to your computer using RS-232 / USB --> TTL adapter.
3. Install Putty, set up Serial connection, set COM port appropriately to your adapter in step 2 and do not click Open yet (baud rate: 115200 8N1 and set Flow Control to None)
4. set networkcard of computer to ip address: 192.168.0.5 , subnetmask 255.255.255.0 and no gateway
5. Install TFTP32 server (google it) on your computer, connect computer with ethernet cable to LAN switch port on router.
6. Make sure the "Current Directory" in TFTP32 is set to folder with modified original firmware renamed to "code.bin"
7. In Putty, click open and plug in Power cord to router... you should see bootloader coming up now...
8. You will see something like this:
No valid address in Flash. Using fixed address
: cfg1 0xf cfg2 0x7114
eth0 up
eth0
Autobooting in 1 seconds## Booting image bf0200000...
Then type following fast: tpl
Now you will get into the command prompt and you're able to execute commands.
9. Erase the firmware before writing it again using following command: erase 0xbf020000 +7c0000
10. Download new modified original firmware from computer to the router: tftpboot 0x81000000 code.bin
11. Write the downloaded firmware to flash using: cp.b 0x81000000 0xbf020000 0x7c0000
12. Boot the original firmware again: bootm 0xbf020000
13. Let the router finish booting up and wait for everything to stop loading
14. Push ctrl + c then hit enter and now you should see the openwrt login screen
Your router should be unbricked again!
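A check worth running on the PC before step 9, given as an added example that is not part of the original post: it prepares code.bin for TFTP32, optionally cutting the first 0x20200 bytes as step 1 describes, refuses an image larger than the 0x7c0000 region that steps 9 and 11 erase and write, and reports a SHA-256 to compare against the checksum published with the download. The function name and the paths in the usage line are hypothetical.

```powershell
# Added example; New-TftpImage and the paths below are hypothetical.
function New-TftpImage {
    param(
        [Parameter(Mandatory = $true)][string]$Source,    # firmware file as downloaded
        [Parameter(Mandatory = $true)][string]$TftpRoot,  # TFTP32 "Current Directory"
        [switch]$StripBootloader                          # cut the first 0x20200 bytes (step 1)
    )

    $FlashRegion = 0x7c0000   # length used by erase and cp.b in steps 9 and 11
    $HeaderSize  = 0x20200    # offset named in step 1

    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Source).Path)

    if ($StripBootloader) {
        if ($bytes.Length -le $HeaderSize) {
            throw "File is only $($bytes.Length) bytes; nothing left after cutting 0x20200."
        }
        $trimmed = New-Object byte[] ($bytes.Length - $HeaderSize)
        [Array]::Copy($bytes, $HeaderSize, $trimmed, 0, $trimmed.Length)
        $bytes = $trimmed
    }

    # An image longer than the erased region cannot be written completely.
    if ($bytes.Length -gt $FlashRegion) {
        throw ("Image is 0x{0:x} bytes, larger than the 0x{1:x} flash region." -f $bytes.Length, $FlashRegion)
    }

    $target = Join-Path $TftpRoot 'code.bin'
    [System.IO.File]::WriteAllBytes($target, $bytes)

    # Hash of exactly what will be served over TFTP.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''

    New-Object PSObject -Property @{
        Path    = $target
        Bytes   = $bytes.Length
        HexSize = ('0x{0:x}' -f $bytes.Length)   # compare with the size tftpboot reports
        SHA256  = $hash
    }
}

# Usage with assumed paths: a sysupgrade image is copied unchanged.
# New-TftpImage -Source 'C:\Downloads\firmware.bin' -TftpRoot 'C:\tftp'
```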
On step 1 it asks to use a specific file, but where to get it?
Or what is sysupgrade firmware? Is the same of a firmware from dd-wrt?
4 Qopzeep 2012-11-25 16:33:00 (edited by Qopzeep 2012-11-25 16:36:23)
Thanks so much! I followed the guide and my router is now UNBRICKED! Here is a little info for future router-brickers:
Instead of ordering a serial cable, which would've taken a few days to get here, I used my Arduino Duemilanove as a serial cable. This worked great, for more details see this post: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=725420. An Arduino Diecimila and I presume an Arduino Uno would work as well. Also, I didn't need to solder my wires to the board. I just used tin wires (the stiff ones, not the ones made from many small wires twisted together) and put them through the appropriate holes on the router board. Then I bent the wires so they couldn't move. Finally, I taped them down for good measure. No soldering required!
When wiring up Tx and Rx cables to the router, pay attention to what the terminal says. If it outputs characters like these:
Ýý Ỳỳ Ŷŷ Y̊ẙ Ÿÿ Ỹỹ Ẏẏ Ȳȳ Úú Ùù Ŭŭ Ûû Ǔǔ Ůů Üü Ǘǘ Ǜǜ Ǚǚ Ǖǖ Űű Ũũ Ṹṹ Ųų Ūū Ṻṻ Ủủ Ȕȕ Ȗȗ Ưư Ứứ Ừừ Ữữ Ửử Ựự Ụụ Ṳṳ Ṷṷ
etc., you've wired Tx and Rx the wrong way round. Switch them and you should be ok. The little Tx LED on your Arduino should light up every time the router enters the boot cycle.
Also, I used software called 'Termite', instead of Putty, because Putty wouldn't work for me :S you can get Termite here if Putty won't play ball with you either: http://www.compuphase.com/software_termite.htm.
To understand how to open your router, follow the excellent guide on the OpenWRT wiki: http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd#openingclosing.the.case.
I didn't have the option to CTRL+C in Termite, but after I was sure the router was performing normally again, I unplugged it from the power, then removed the wires to the Arduino, and plugged the power back in. I could now access the Luci (=web) interface of OpenWRT!
@hugoleosp as sysupgrade, I used the latest beta from the download section. It's 12.09 beta 2, available here: http://downloads.openwrt.org/attitude_a … actory.bin. This is for OpenWRT, however, not DD-WRT. If you prefer the latter, I'd download and use their latest release.
Wednesday, November 28, 2012
Enabling File and Folder Auditing
Double click on the Audit Object Access item in the list to display the corresponding properties page and choose whether successful, failed, or both types of access to files or folders may be audited.
Once the settings are configured click on Apply to commit the changes and then OK to close the properties dialog. With file and folder auditing enabled the next task is to select which files and folders are to be audited.
Configuring which Files and Folders are to be Audited
Once file and folder access auditing has been enabled, the next step is to configure which files and folders are to be audited. As with permissions, auditing settings are inherited unless otherwise specified. By default, configuring auditing on a folder will result in access to all child subfolders and files also being audited. Just as with inherited permissions, the inheritance of auditing settings can be turned off for either all, or individual, files and folders.
To configure auditing for a specific file or folder, begin by right-clicking on it in Windows Explorer and selecting Properties. In the properties dialog, select the Security tab and click on Advanced. In the Advanced Security Settings dialog select the Auditing tab. Auditing requires elevated privileges. If not already logged in as an administrator, click the Continue button to elevate privileges for the current task. At this point, the Auditing dialog will display the Auditing entries list containing any users and groups for which auditing has been enabled.
To add new users or groups whose access attempts to the selected file or folder are to be audited, click on the Add... button to access the Select User or Group dialog. Enter the names of groups or users to audit, or Everyone to audit access attempts by all users. Click on OK to display the Auditing Entries for dialog.
Use the drop-down list to control whether the auditing setting is to be applied to the current file or folder, or whether it should propagate down to all child files and/or sub-folders. Finally, select which types of access are to be audited and, for each type, whether successful, failed or both kinds of attempt are to be audited. Once configured, click on OK to dismiss the current dialog and then Apply the new auditing settings in the Auditing Entries dialog.
From this point on, access attempts of the specified types on the selected file or folder by the specified users and groups will be recorded in the server's security logs, which may be accessed using the Event Viewer, accessible from Computer Management.
src: http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
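The same auditing entry set from PowerShell instead of the Explorer dialogs. This is an added example, not part of the article above: it audits only write, delete and permission changes, inherited by subfolders and files, and then counts the object-access event IDs logged in the last hour so the log volume can be judged. The folder path and the audited group are assumptions.

```powershell
# Added example; run from an elevated PowerShell session.
# $Path and $Identity are assumed values, not taken from the article.
$Path     = 'D:\Shares\Projects'
$Identity = 'Authenticated Users'

# 1. Show the Object Access audit policy that is actually in effect
#    (the result of local policy and any GPO combined).
auditpol /get /category:"Object Access"

# 2. Build one auditing entry. Read and traverse rights are left out on
#    purpose: they are exercised by every folder listing.
$rights    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$outcome   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Identity, $rights, $inherit, $propagate, $outcome)

# 3. Read the existing SACL (-Audit), add the entry, and write it back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 4. Confirm what is now set on the folder, including inherited entries.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 5. After some normal use, count object-access events from the last hour
#    by event ID to see which ones account for the log growth.
$ids    = 4656, 4658, 4660, 4663, 5140
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$events | Group-Object Id | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```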
Tuesday, November 20, 2012
Easy way to install XP on several laptops?
I'd go with the idea of creating an
nLite'd XP disc. This gives you the most control over what is installed
on the laptops on the first hit, and will minimize the number of visits
to Windows Update, reboots and prompts along the way. It will also let
you trim down the install footprint, and allow you to specify the common
settings.
First, determine the flavour(s) of Windows XP that you want to install on these 9 laptops. If you're considering making them all Pro or Home, then it's even less work for you. Each flavour would obviously need its own nLite'd disc. If I were doing this job, I'd do this:
I'm definitely a fan of nLite.
I'm not sure how many laptops you have to install, but I usually get an eOpen license from Microsoft.
They give you one license key that can be used on as many XP installs as you've purchased. You're also not restricted by the OEM licenses which say you can't transfer XP to a new computer. If you get Software Assurance with the eOpen licenses you automatically get upgrades to Vista, and Windows 7 for free. eOpen copies of Windows are clean--they have no junkware installed by OEMs. You can take the eOpen copy of Windows and run it through nLite to create an unattended install. If the computers are joining a domain, you can also use group policy to automatically install needed software. My nLited copy of XP will automatically wipe the HD, create one big partition, install a clean copy of XP without any prompts, and join the computers to a domain. Once joined, they automatically have Symantec AV, Office 2007, Java, Flash, etc... installed. The entire workstation is usually ready in about 45-60 minutes with no prompting.
source: http://serverfault.com/questions/75563/easy-way-to-install-xp-on-several-laptops
Monday, November 5, 2012
Edit all users start menu and desktop - add remove/delete shortcuts
Option 1:
%systemdrive%\ProgramData\Microsoft\Windows\Start Menu
with admin rights on TS in explorer
Option 2:
All users default profile desktop
c:\users\Public\
Option 3:
src: http://social.technet.microsoft.com/Forums/en/winserverTS/thread/c06e553e-8903-48ef-bd07-e47b832ad264
To All,
There have been some good suggestions. But if you are using Windows 2008 AD and 2008 Terminal server, there is a much easier and better way to do this through GPO.
1. Open the GPO that is applied to your Terminal Servers OU
2. Go to Preferences under the User Configuration part of the GPO
3. Preferences - Control Panel Settings - Start Menu
4. Right Click - New - Start Menu (Windows XP) or Start Menu (Windows Vista or Later)
5. Make all the setting changes you wish to see on the Start Menu (no Network, Administrative Tools, etc.). You will want to choose Vista or later to remove Administrative Tools.
6. Set the order in which you wish to have it applied if you should have more than one. I recommend making it first in the order.
7. Gpupdate /force...possibly reboot Terminal Server
8. Done.
This...Is...Beautiful...Thank You!!