If you haven't found out, the Windows Server 2003 Admin Pack does not work on Vista. This can be annoying for sys admins that aren't lucky enough to have Server 2008 installed everywhere. Luckily, there's a quick fix

1. Download and install the Server 2003 Admin Pack
2. Copy and and paste the following code into notepad and save it as "Adminpackfix.cmd" or something like that
   @echo off REM RegisterAdminPak.cmd REM (c) 2006 Microsoft Corporation. All rights reserved. set filelist=adprop.dll azroles.dll azroleui.dll ccfg95.dll set filelist=%filelist% certadm.dll certmmc.dll certpdef.dll certtmpl.dll set filelist=%filelist% certxds.dll cladmwiz.dll clcfgsrv.dll clnetrex.dll set filelist=%filelist% cluadmex.dll cluadmmc.dll cmproxy.dll cmroute.dll set filelist=%filelist% cmutoa.dll cnet16.dll debugex.dll dfscore.dll set filelist=%filelist% dfsgui.dll dhcpsnap.dll dnsmgr.dll domadmin.dll set filelist=%filelist% dsadmin.dll dsuiwiz.dll imadmui.dll lrwizdll.dll set filelist=%filelist% mprsnap.dll msclus.dll mstsmhst.dll mstsmmc.dll set filelist=%filelist% nntpadm.dll nntpapi.dll nntpsnap.dll ntdsbsrv.dll set filelist=%filelist% ntfrsapi.dll rasuser.dll rigpsnap.dll rsadmin.dll set filelist=%filelist% rscommon.dll rsconn.dll rsengps.dll rsjob.dll set filelist=%filelist% rsservps.dll rsshell.dll rssubps.dll rtrfiltr.dll set filelist=%filelist% schmmgmt.dll tapisnap.dll tsuserex.dll vsstskex.dll set filelist=%filelist% w95inf16.dll w95inf32.dll winsevnt.dll winsmon.dll set filelist=%filelist% winsrpc.dll winssnap.dll ws03res.dll for %%i in (%filelist%) do ( echo Registering %%i ... regsvr32 /s %%i ) echo. Echo Command Completed
3. Run the script as administrator and you're set

External Links

http://support.microsoft.com/kb/930056 - KB article about this subject. Gives you more specifics than I go into.
http://www.microsoft.com/downloads/details.aspx?familyid=e487f885-f0c7-436a-a392-25793a25bad7&displaylang=en - Server 2003 SP1 Admin Pack

While looking for what's happening at this years Defcon that I'll be attending, I stumbled across a blog entry from 360 Security talking about SeamlessRDP. After seeing how easy it is to setup and use, I don't know why I haven't heard more about it. But that's probably because I've never really looked into running Windows apps in Ubuntu.

What is SeamlessRDP

SeamlessRDP is an extension for remote desktop/terminal servers that allows a single application to be remoted into instead of the entire computer. In my scenario, I have an Ubuntu system and I run a virtual Windows XP in the background. I install SeamlessRDP onto the Windows VM and I can now run individual applications without messing around with the VM itself.

The company Cendio created SeamlessRDP when they were trying to get their own products to work with rdesktop. They realized that it could be of use to other in the community and released it under GPL.

How to

It's extremely easy to setup:

1. On the remote desktop server, download SeamlessRDP binary file.
2. Extract it to an easy to use location like C:\seamlessrdp
3. On the client, make sure you have at least version 1.5 of rdesktop installed (Hardy is all set). Download it from here if you need
4. Now you're ready to use it - here's an example of running Word 2007: rdesktop -A -s "c:\seamlessrdp\seamlessrdpshell.exe c:\program files\microsoft office\office12\winword.exe" 192.168.1.5:3389 -u administrator -p password
   Running Internet Explorer: rdesktop -A -s "c:\seamlessrdpshell.exe c:\program files\internet explorer\iexplore.exe" 192.168.1.5:3389 -u administrator -p password

I admit, I haven't done any research into other products or alternatives that may work better, so let me know if you find anything

External Links

http://www.cendio.com/seamlessrdp/ - Cendio's page about seamless RDP
http://www.rdesktop.org/ - rdesktop.org for the client
http://blog.ncircle.com/ - where I originally found the post

This is a simple one that goes back to a conversation I had with a consultant. We were talking about adding a computer to a domain and then moving the computer to the designated OU that was dedicated to that site. I made the comment that it might be even better to precreate the computer account in the appropriate OU and then you don't need to bug a domain administrator to do the moving around. His reply was something like "Yea I haven't had good luck with that." That's one of my favorite reasons for technical problems. It's kind of like saying, I tried it once, it didn't work, so it must be broken.

Why Do This?

Anyways, the real reason that you would want to do this is if you have a team of IT staff where a few have domain administrators rights but most of them are just local admins on the workstations to provide support and install software. Adding a computer to the domain would be a normal task for these kind of support staff.

Problem

So you have a brand new computer that you want to add to your network. You assign on of the non domain admins to install necessary software and join it to the domain. When he adds it to the domain, the computer is dumped into the "computers" folder in AD where the appropriate group policies and delegated access is NOT applied. You want the new computer to go into a separate OU but you don't want to grant the user access to move or manipulate Active Directory AND you want to delegate the entire process to the admins so that you don't need to be involved in the specifics. So what do you do?

Solution

If you precreate the computer in the appropriate OU in Active Directory, when that computer is joined to the domain, it will have the group policies and permissions that it needs. As a domain admin, you can precreate the computer account yourself but you'd rather delegate access the IT support team. Here's how you do it:

Delegate Control To Non-Domain Admins

1. Open Active Directory Users and Computers
2. Right click on the OU and then click All Tasks>Delegate Control
3. Click Add and put in the appropriate user or group (IT Admins)
4. Click "create a custom task to delegate"
5. Click "only the following objects in this folder"
6. Check Computer Objects
7. Check "Create selected objects in this folder"
8. Under "Show these permissions" uncheck everything and click "Next"

You've now granted non-admins access to create computers inside of that OU.

Pre-Create New Computer

These are the tasks for the non-admin to perform using the Server 2003 Admin Pack

1. In Active Directory Users and Computers, right click the target OU the computer should go to and choose New>Computer
2. Name the computer
3. Under "The following users or group can join this computer to the domain" choose a group that has appropriate access like "IT Admins" or "Domain Users" to allow anyone do it.
   This is the step that is usually missed. If you don't do this, then by default Domain Admins are the only one that can add the computer to the domain.
4. Click Next

Now on the client you go through the normal process of adding the computer to the domain.

Clearing out the last logged on user from the login screen is is a very simple task that I like to set on my domains and as the local policies for workgroup computers. It helps out in two different ways: first as a matter of security because an attacker walking up to the computer doesn't necessarily know a user name to log in with and second it helps to teach the user what their user name is because we all know if we don't type it in every day, we forget it. [see saved passwords]

Overview

For those of you that know mostly what you're doing and just need a reminder, here it is. The policy setting you need to change is located under:

• Computer Configuration > Windows Settings > and Security Settings > Local Policies >Security Options
• Edit the "Interactive Logon: Do not display last user name in logon screen" entry and check "define this setting" and "enabled."

On a Windows Domain Controller

1. Under Administrative Tools open the Group Policy Management
2. Find the group policy you want to change select it, right click, and choose "Edit".
3. Expand Computer Configuration, Windows Settings, and Security Settings
4. Expand Local Policies node, and then click Security Options.
5. Edit the "Interactive Logon: Do not display last user name in logon screen" entry and check "define this setting" and "enabled."
6. The setting will take affect on the next time the clients reboots. As a reminder, it can take varying amounts of time for group policies to be applied.

On a Local Vista Machine

1. In the Control Panel, click System and Maintenance and open the Administrative Tools
2. Open the Local Security Policy .
3. Expand Computer Configuration, Windows Settings, and Security Settings
4. Expand Local Policies node, and then click Security Options.
5. Edit the "Interactive Logon: Do not display last user name in logon screen" entry and check "define this setting" and "enabled."

External Links:

http://support.microsoft.com/kb/310125 - Link to the MS KB article

I was having dinner with some of the IT guys from a client I work for and I brought up the suggestion that they do MAC filtering for all of their network devices as an added security measure. The only problem was they were using Windows Server 2003 for the DHCP server which, natively, does not support MAC filtering. That's where the DHCP Server Callout DLL comes in.

This is a DLL that was created by the Microsoft DHCP team to allow access to certain parts of DHCP that were not before. In this case, MAC filtering.

Why filter MAC addresses

The idea of DHCP MAC filtering is that when a foreign system tries to connect to your network, they are not given an IP address unless their network card is on the list of allowed systems. In order for them to get on the network, they have to see a member of the IT department.

This protects a guest from accidentally spreading infections of spyware, viruses, or trojans not to mention it helps the IT department keep track of who and what goes on the network. [Please notice how I say accidentally because MAC spoofing would easily circumvent this security measure]

Install The Callout DLL

Overview:

• Install the DLL
• Create the necessary registry keys
• Populate the list of allowed or denied MAC addresses
• Restart the DHCP

Download and Install

1. Download and install the files: Download
   The MACFilterCallout.dll was installed to %SystemRoot%\system32 along with a file named SetupDHCPMacFilter.rtf.This includes very basic instructions.
2. Run the MacFilterCallout.msi and go through the steps to install it. All this does is extract the two files to your %systemroot%\system32\ folder.

Create the registry keys:

Choose one of two ways:
Option 1: Manually create the following registry keys:

Key Name	Key Type	Description
CalloutDlls	REG_MULTI_SZ	The location of the MacFilterCallout.dll
CalloutEnabled	DWORD	0 = Disable MacFilterCallout 1 = Enable MacFilterCallout
CalloutErrorLogFile	REG_MULTI_SZ	Log path. If this registry key is not specified, callout dll will output errors %WINDIR%\System32\Log.txt
CalloutInfoLogFile	REG_MULTI_SZ	Info log path. If this key is not present, no information messages will be logged.
CalloutMACAddressListFile	REG_MULTI_SZ	This is the name and location of the MAC filtering list you're going to be creating next.

Option 2: Merge the keys that I've made for you: Download

Download the file above, extract the contents, and merge the registry file that I created for you.

Here are the values the .REG file contains. Make sure they match up to your environment.

Key Name	Value
CalloutDlls	C:\windows\system32\MacFilterCallout.dll
CalloutEnabled	1
CalloutErrorLogFile	C:\windows\system32\MacFilterCallout.log
CalloutInfoLogFile	C:\windows\system32\MacFilterCalloutInfo.log
CalloutMACAddressListFile	C:\windows\system32\MAClist.txt

NOTE: If you are not using C:\windows as your windows directory, you will have to edit the registry to fit your system.

Create the MAC list

As I showed above, the key CalloutMACAddressListFile points to a location where you need to create a specially formatted text file that contacts which MAC addresses to filter.You can only choose to allow a certain set of MAC's or DENY them. Here is the format of that file:

MAC_ACTION = {ALLOW / DENY} 0cdc1c6d1266 05dc2de01023 ...

Note: You must include the { }'s around either the ALLOW or DENY action

Help Populating the MAC list

If you are going to use the ALLOW action you're most likely going to want to find all of the valid MAC addresses on the network. Here are some suggestions for ways you can do this:

• Nmap + ARP- with the command nmap -PR 192.168.0.0/24 or whatever your network is, it will do an arp scan of the network. Then doing an "arp -a > arptable.txt" gives you tab delimited file perfect for opening as a spread sheet and extracting the list of MAC addresses you need to use
• DHCP logs - use your existing DHCP server logs [usually under c:\windows\system32\dhcp\] to find all the MAC addresses in the last week.
• Switch logs - if you have a good enough switch, it will keep track of which MAC addresses are using the devices.

Note: Obviously be careful how you create this list. If the CEO of the company has a laptop that you happened to forget to put onto the allow list, he may not be happy with your new security measure.

Want to know what the MSI Installer REALLY does?

One major pet peeve of mine is when you download a program and it installs without telling you what it did. That's how this MSI works. Here's what it does:

• copies the dll to %system%/system32/
• copies the rtf to %system%/system32/
• registers BOTH the dll and the rtf as shared DLL's
• adds some interesting registry keys like on named "CompleteMacLevel" that I don't know what it does.
  

I know that may not help anything but it makes me feel a little better.

External Links

http://blogs.technet.com/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx - DHCP server team's blog with the original article